Find PC sending spam

Status
Not open for further replies.

fortage

Cisco 1720
There is a rogue PC sending spam and I'd like to determine the IP of the PC. I've already created an access list denying port 25 on all IPs except the mail server. What are the commands to find which PC is sending on port 25?

Thanks
 
best thing to do is use a sniffer attached before the firewall..


or depending on your firewall, put a capture filter on the firewall itself..
 
This is a remote facility and I would prefer to log from the router. Is it possible?
 
Just add logging to your access list. That should show all IP addresses trying to connect to port 25.
 
I enabled logging "ip accounting output-packets" on the F0 int but it does not show the port. Can you provide the commands to do this?
 
just add "log" at the end of that acl

something like

access-list 101 deny tcp x.x.x.x y.y.y.y any eq 25 log
 
Do I then enable ip accounting access-violations on F0?
 
You don't need accounting enabled. All you need is the ACL applied to the interface.

like

ip access-group 101 in (or out depending on interface)


after that just watch the log
 
Or, you could turn on NetFlow switching on that interface, then do a "show ip cache flow" and look for traffic on port 25. Actually, it will show as port 19 because the port numbers in that display are in hexadecimal.
 
Or if you're running NAT, just do a sh ip nat tran* and this will show inside PC IPs and the port they are sending.
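
Added example, not part of any post above: once the `log` keyword is on the deny entry, IOS writes %SEC-6-IPACCESSLOGP messages, and this Python script tallies denied port-25 traffic per inside source address from such lines. The sample log lines and all addresses are constructed; the ACL number 101 follows the thread, and the function name `smtp_offenders` is hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of IOS %SEC-6-IPACCESSLOGP messages
# (emitted by an extended ACL entry ending in "log"). Addresses are made up.
SAMPLE_LOG = """\
*Mar  1 00:12:01.003: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.45(1387) -> 203.0.113.25(25), 1 packet
*Mar  1 00:12:04.551: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.45(1391) -> 198.51.100.7(25), 1 packet
*Mar  1 00:13:10.220: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.77(2044) -> 203.0.113.25(25), 1 packet
*Mar  1 00:17:05.100: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.45(1402) -> 198.51.100.7(25), 37 packets
*Mar  1 00:18:00.000: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.60(3001) -> 198.51.100.9(80), 1 packet
*Mar  1 00:18:30.000: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
"""

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def smtp_offenders(log_text, acl="101", port=25):
    """Return {source_ip: (packets, distinct_destinations)} for denied
    TCP traffic to `port` logged by access list `acl`."""
    packets = Counter()
    dests = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated syslog message
        if (m["acl"], m["action"], m["proto"]) != (acl, "denied", "tcp"):
            continue
        if int(m["dport"]) != port:
            continue
        # IOS logs the first match, then reports later matches of the same
        # flow as a summed packet count, so add the count field rather than
        # counting lines.
        packets[m["src"]] += int(m["count"])
        dests.setdefault(m["src"], set()).add(m["dst"])
    return {ip: (packets[ip], len(dests[ip])) for ip in packets}

if __name__ == "__main__":
    ranked = sorted(smtp_offenders(SAMPLE_LOG).items(), key=lambda kv: -kv[1][0])
    for ip, (pkts, ndst) in ranked:
        print(f"{ip:15s} packets={pkts:<5d} distinct_dst={ndst}")
```

A host that racks up many denied packets to many different mail servers is the one to pull off the network first; the mail server itself never appears because the ACL permits it.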
 