How do I detect outgoing spam?

By davidt
I'm running the network for a small business on an SBS2003 server, using a cable modem and a NetGear RP614 switch/firewall. Is there an inexpensive way to see if any of my (20) clients are inadvertently spamming (like looking for suspiciously high SMTP packet counts)? I keep everything and everyone fully patched, but from time to time a user will disable their AV or spy-detection software (we can't afford a global policy-based solution).


All Answers


Try the Network monitor Wireshark

by Jacky Howe In reply to How do I detect outgoing ...

I've been able to isolate systems that have been infected by using it on the SBS2003 server. Read the documentation.

Wireshark

Wireshark Documentation


Yes, I've heard of it

by davidt In reply to Try the Network monitor W ...

I'll give that a try


A quickstart

by Jacky Howe In reply to Yes, I've heard of it

Open Wireshark and select Capture from the toolbar. Click Start on the Ethernet controller. If the infected system is active it should be easy enough to detect. You may just have to keep an eye on it for a while. Either select Capture, Stop or press Ctrl+E to end the capture.


If you are using Exchange on the SBS Server

by OH Smeg Moderator In reply to How do I detect outgoing ...

You could always look in the Outboxes of the individual workstations on the Exchange Server to see what is being sent.

Though my first option would be to check the Network Load with something like Wireshark.

It really depends on how the network is configured here as to how to proceed.


Now this is interesting

by davidt In reply to If you are using Exchange ...

But I never considered it because I do track incoming and outgoing email volume. But wouldn't a bot use its own SMTP delivery subsystem with different fake addresses? I wouldn't think Exchange would catch that... what are your thoughts?


Well it all depends where the Spam is originating

by OH Smeg Moderator In reply to Now this is interesting

If it's coming from a workstation, all outgoing mail has to pass through the Exchange Server, as that should be the only way out of the LAN for it to go.

Of course if the Server itself is infected that's a different story but that shouldn't happen unless someone is using the server like a workstation.


I archive all in / out mail to an SQL server

by The 'G-Man.' In reply to How do I detect outgoing ...

Perhaps you should investigate something similar?



by davidt In reply to I archive all in / out ma ...

You're talking to a poor, lowly MCP here. How do you capture all the mail? I already know every email that enters or exits through Exchange, but is some of the SMTP or POP mail bypassing it? That's my main question.
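The question above (is any workstation sending SMTP without going through Exchange?) is exactly what a packet or flow capture answers. Below is an added example, not code from anyone in this thread: it reads a constructed flow log of the kind a firewall or a Wireshark export can produce and flags LAN hosts that open port-25 connections to several outside hosts instead of the mail server. The server address, LAN prefix and sample lines are all assumed values.

```python
from collections import defaultdict

# Assumed values for the example: the SBS/Exchange server's LAN address
# and the LAN prefix that identifies workstations.
EXCHANGE_SERVER = "192.168.1.2"
LAN_PREFIX = "192.168.1."

# Constructed flow log, one TCP connection per line:
#   <epoch> <src_ip> <dst_ip> <dst_port>
# Clients .10 and .11 relay through Exchange as expected; .37 is talking
# SMTP directly to many outside hosts, which is how a spam bot behaves.
SAMPLE_FLOWS = """\
1200000000 192.168.1.10 192.168.1.2 25
1200000001 192.168.1.11 192.168.1.2 25
1200000002 192.168.1.37 203.0.113.5 25
1200000002 192.168.1.37 198.51.100.9 25
1200000003 192.168.1.37 203.0.113.77 25
1200000003 192.168.1.37 192.0.2.14 25
1200000004 192.168.1.37 198.51.100.2 25
1200000005 192.168.1.12 93.184.216.34 443
1200000006 192.168.1.2 203.0.113.5 25
"""

def parse_flows(text):
    """Yield (src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue
        _ts, src, dst, dport = fields
        yield src, dst, int(dport)

def find_direct_smtp_senders(text, min_destinations=3):
    """Return {src: sorted external SMTP destinations} for LAN workstations
    that connected to port 25 on at least min_destinations distinct hosts
    other than the Exchange server."""
    targets = defaultdict(set)
    for src, dst, dport in parse_flows(text):
        if dport != 25 or dst == EXCHANGE_SERVER:
            continue  # not SMTP, or a legitimate relay through Exchange
        if not src.startswith(LAN_PREFIX) or src == EXCHANGE_SERVER:
            continue  # outside traffic, or the server doing its own delivery
        targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_destinations}

if __name__ == "__main__":
    for host, dsts in find_direct_smtp_senders(SAMPLE_FLOWS).items():
        print(f"{host}: direct SMTP to {len(dsts)} hosts, e.g. {dsts[:3]}")
```

The same check in Wireshark is the display filter `tcp.port == 25 && ip.dst != 192.168.1.2` (substitute your server's address); any workstation that keeps appearing as the source in that view is the one to pull off the network and inspect.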



by SPC_TCOL In reply to How do I detect outgoing ...

You could restrict users from disabling the AV.
There are different solutions for this problem.
With the users here who could do this, I tell them that I will reimage their HDD every night after I catch them disabling the AV. This works very well.
