mav425 Posted May 12, 2009

I am working on a Microsoft Exchange 2003 email server. Our mail server has a terrible spam problem, and I have a suspicion that one of our computers is infected by a spambot. What I'm trying to do is figure out which computer within our network is generating spam using the program "Wireshark". What I tried doing is filtering the packets to TCP only, and then filtering the results down to tcp.port == 25 (port 25 is the SMTP port). Unfortunately I don't think that I have the filters set up right. After filtering the data, the only "Source" IP from our network IP address was the mail exchange server itself. I'm thinking that either I set up the filters wrong, or that our mail server is the spambot (the latter seems unlikely). Could someone help me figure out how to correctly filter Wireshark so that I can see all network packets going to port 25? Either that, or let me know a better way to detect our network spambot. Thanks a lot for the help!
starams5 Posted May 13, 2009

Hi, see if these links help: Wireshark: Frequently Asked Questions; FrontPage - The Wireshark Wiki.
RandyL Posted May 13, 2009

I have to agree with starams5 on this. This is an advanced piece of software that is meant to be used by administrators in a business environment. As such, the developers are your best source of tech help on this. FAQs and forum support may be free but limited. Wireshark is also free, but you can sign up for personal support. Be aware that this support will cost you and is based on a subscription. It's not cheap. In my own limited opinion, network security in a business environment is serious business. Depending on your business, a full-time employee is often needed. If you think you are infected on a business server, you should get an expert involved immediately lest you find yourself liable in civil matters. If your network is compromised for any reason, you and your customers are in danger, as your security is wanting. Get an expert, not a free program. You suspect that your server is infected, not just one computer. That makes some sense. Your entire network could be infected. If so, then a program that spies on activity is not going to help you. You need security enabled by an expert. I wish you luck, but this is serious business.
mav425 Posted May 13, 2009 (Author)

Thanks for the responses. RandyL, I actually do not think that the problem is as serious as you think it is. After reading the Wireshark FAQ that starams5 linked me, I found the reason why I could only see the packets sourced from the server and not other computers on the network. I still believe that it's only 1 (or possibly a few) of our workgroup computers infected and not the server itself. I still haven't figured out how to get Wireshark to receive data from all network computers though. I think that we might have to just hire someone to help us fix this problem, because I feel that I am over my head on this issue. And you are correct RandyL, this could very well be some serious business, so it would probably be worth hiring someone to help us with this problem.
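Added example, not part of the thread: once a capture is taken from a point that sees the whole LAN (on a switched network a host only sees its own traffic, so a SPAN/mirror port on the switch or a capture on the gateway is needed), the question of "which workstation is talking SMTP to the outside" is a counting problem. The script assumes tshark field output (src, dst, dstport, tab-separated) for TCP/25 SYNs, an assumed LAN of 192.168.1.0/24, an assumed Exchange address of 192.168.1.5, and constructed sample lines.

```python
"""Rank internal hosts by direct outbound SMTP (TCP/25) connection attempts.

Assumed export command (field names are real tshark fields):
  tshark -r lan.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.dstport==25" \
         -T fields -e ip.src -e ip.dst -e tcp.dstport
A normal workstation only talks SMTP to the local Exchange server; a host that
opens many connections to port 25 on outside addresses is a spambot candidate.
"""
import ipaddress
from collections import Counter

INTERNAL = ipaddress.ip_network("192.168.1.0/24")    # assumed LAN range
MAIL_SERVER = ipaddress.ip_address("192.168.1.5")    # assumed Exchange host

# Constructed sample lines (RFC 5737 test addresses stand in for the Internet).
SAMPLE = "\n".join([
    "192.168.1.5\t203.0.113.10\t25", "192.168.1.5\t203.0.113.10\t25",
    "192.168.1.5\t198.51.100.7\t25",
    "192.168.1.23\t203.0.113.10\t25", "192.168.1.23\t203.0.113.11\t25",
    "192.168.1.23\t203.0.113.12\t25", "192.168.1.23\t198.51.100.7\t25",
    "192.168.1.23\t198.51.100.8\t25",
    "192.168.1.40\t192.168.1.5\t25",    # client -> own mail server: legitimate
    "10.0.0.9\t203.0.113.10\t25",       # not in our LAN range: ignored
    "192.168.1.23\t203.0.113.10\t80",   # not SMTP: ignored
    "garbage line",                     # malformed: ignored
])

def parse_lines(text):
    """Yield (src, dst) address pairs for port-25 records; skip malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 3 or parts[2] != "25":
            continue
        try:
            yield ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1])
        except ValueError:
            continue

def rank_smtp_talkers(text):
    """Return [(src, syn_count, distinct_external_dests, suspicious)], busiest first.
    Only internal sources reaching external destinations count; the Exchange
    server is expected to appear, any other internal host is flagged."""
    syns, dests = Counter(), {}
    for src, dst in parse_lines(text):
        if src not in INTERNAL or dst in INTERNAL:
            continue
        syns[src] += 1
        dests.setdefault(src, set()).add(dst)
    rows = [(str(s), syns[s], len(dests[s]), s != MAIL_SERVER) for s in syns]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for src, n, d, suspicious in rank_smtp_talkers(SAMPLE):
        print(f"{src:<16} syns={n:<4} dests={d:<4} {'SUSPECT' if suspicious else 'expected relay'}")
```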