I'm running the network for a small business on an SBS2003 server, using a cable modem and a NetGear RP614 switch/firewall. Is there an inexpensive way to see if any of my (20) clients are inadvertently spamming (like looking for suspiciously high SMTP packets)? I keep everything and everyone fully patched, but from time to time a user will disable their AV or spy-detection software (we can't afford a global policy-based solution).
Open Wireshark and select Capture from the Toolbar. Click Start on the Ethernet Controller. If the infected System is active it should be easy enough to detect. You may just have to keep an eye on it for awhile. Either select Capture, Stop or press Ctrl+E to end the capture.
But I never considered it because I do track incoming and outgoing email volume. But wouldn't a bot use its own SMTP delivery subsystem with different fake addresses? I wouldn't think Exchange would catch that... what are your thoughts?
You're talking to a poor, lowly MCP here. How do you capture all the mail? I already know every email that enters or exits through Exchange, but is some of the SMTP or POP mail bypassing it? That's my main question.
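The capture-and-watch approach above and the "is mail bypassing Exchange?" question both come down to the same check: on a LAN where all legitimate mail is supposed to be handed to the Exchange server, a workstation that opens its own SMTP connections straight to Internet hosts is the thing to look for. The script below is an added example, not code from the thread or from Wireshark; it assumes a connection log exported from the capture in a simple "timestamp src_ip dst_ip dst_port" form, a LAN of 192.168.1.0/24, and an Exchange server at 192.168.1.2 (all constructed values), and flags any workstation whose direct outbound SMTP connection count passes a threshold.

```python
"""
Flag LAN workstations that open outbound SMTP connections directly to the
Internet instead of handing mail to the Exchange server.

Added example, not from the original thread. The log format, addresses and
threshold below are assumptions; adjust them to the real export.
"""
from collections import defaultdict
import ipaddress

# Assumed network layout (constructed for the example).
LAN = ipaddress.ip_network("192.168.1.0/24")
MAIL_SERVER = ipaddress.ip_address("192.168.1.2")   # SBS/Exchange box
SMTP_PORTS = {25, 465, 587}                         # plain, SMTPS, submission
THRESHOLD = 5   # direct SMTP connections per host in the capture window

# Constructed sample export: "timestamp src_ip dst_ip dst_port", one per line.
# 192.168.1.2  = Exchange delivering mail outbound (expected)
# 192.168.1.10 = workstation sending to Exchange only (expected)
# 192.168.1.15 = workstation with two direct SMTP sessions (below threshold)
# 192.168.1.23 = workstation spraying SMTP at eight external hosts (suspect)
SAMPLE_LOG = """\
10:00:01 192.168.1.2 203.0.113.25 25
10:00:02 192.168.1.10 192.168.1.2 25
10:00:03 192.168.1.10 198.51.100.7 443
10:00:04 192.168.1.15 203.0.113.8 25
10:00:05 192.168.1.15 203.0.113.9 587
10:00:06 192.168.1.23 203.0.113.10 25
10:00:06 192.168.1.23 203.0.113.11 25
10:00:07 192.168.1.23 203.0.113.12 25
10:00:07 192.168.1.23 203.0.113.13 25
10:00:08 192.168.1.23 198.51.100.14 25
10:00:08 192.168.1.23 198.51.100.15 25
10:00:09 192.168.1.23 198.51.100.16 465
10:00:09 192.168.1.23 198.51.100.17 25
this line is malformed and must be skipped
10:00:10 192.168.1.23 192.168.1.2 25
"""


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for a line we can't parse."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, port = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)
    except ValueError:
        return None


def count_direct_smtp(log_text):
    """Count, per workstation, SMTP connections that leave the LAN directly."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, dst, port = rec
        if port not in SMTP_PORTS:
            continue                      # not mail traffic
        if src not in LAN or src == MAIL_SERVER:
            continue                      # only workstations are of interest
        if dst in LAN:
            continue                      # mail handed to Exchange is expected
        counts[str(src)] += 1
    return dict(counts)


def find_suspects(log_text, threshold=THRESHOLD):
    """Hosts whose direct outbound SMTP count meets the threshold, sorted."""
    return sorted(h for h, n in count_direct_smtp(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for host, n in sorted(count_direct_smtp(SAMPLE_LOG).items()):
        print(f"{host}: {n} direct SMTP connection(s)")
    print("suspects:", find_suspects(SAMPLE_LOG))
```

The same idea works with a firewall connection log if the RP614 can export one; the point is that anything from a workstation to a non-LAN host on an SMTP port is, on this network, mail that never went through Exchange, so the Exchange message counts would never show it.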
You could restrict users from disabling the AV. There are different solutions for this problem. With the users here that could do this, I tell them that I will reimage their HDD every night, after I caught them disabling the AV. This works very well.
How do I detect outgoing spam?