Help finding a spammer inside my network


somedea

MIS
Jul 13, 2004
162
US
I inherited a network where all of the users have admin rights on their PCs. I'm working on getting it locked down, but it's going to take a while to test all the apps and make sure they'll work with power user rights. In the meantime, someone is spamming out one of my IPs. It got listed on CBL for the second time. It's not my Exchange IP, it's the main network IP. I would very much appreciate a pointer towards some FAQ or tools that will help me to figure out which PC it is. Also perhaps some tools to learn how to use telnet to test. Port 25 was open on the firewall, and I've locked that down except for the Exchange Server. That should stop the spam for now (I hope!), but I'm afraid whoever is infected will start spamming out the Exchange server next. Any help will be greatly appreciated.
 
Verify that the Exchange server isn't set to relay (which it isn't by default).

[google]exchange 2003 relay[/google]

Pat Richard, MCSE MCSA:Messaging CNA
Microsoft Exchange MVP
Want to know how email works? Read for yourself -
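The relay check the reply above asks for, done by hand over SMTP instead of telnet. This is an added example, not code from the thread or from Microsoft: it opens a session to your own mail server with Python's smtplib, announces an outside sender, and asks to deliver to an outside recipient. A server that is not an open relay answers the RCPT with a 5xx code (typically "550 relaying denied"); an open relay answers 250. The hostnames, the local domain and the tiny in-process responder are assumptions and constructed stand-ins so the check can be run offline; point relay_refused at the real server to check it for real.

```python
"""Check that a mail server refuses to relay for recipients outside its own domain."""
import smtplib
import socket
import sys
import threading

# Assumption: the only domain the server should accept mail for.
LOCAL_DOMAIN = "example.com"


def relay_refused(host, port, local_domain=LOCAL_DOMAIN):
    """Return True if the server at host:port refuses to relay to an outside domain.

    Sequence: EHLO, MAIL FROM <outside>, RCPT TO <outside>, RSET, QUIT.
    Nothing is ever delivered; the session is reset before DATA.
    """
    outside_sender = "probe@outside-a.invalid"   # .invalid: reserved, never routable
    outside_rcpt = "probe@outside-b.invalid"
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(outside_sender)
        if code != 250:
            # Sender rejected outright: the server is certainly not relaying for us.
            return True
        code, _ = smtp.rcpt(outside_rcpt)
        smtp.rset()
        return code >= 500


def _simulated_smtp_server(open_relay, local_domain=LOCAL_DOMAIN):
    """Start a minimal SMTP responder on 127.0.0.1 and return its port.

    Constructed only so the check can be demonstrated offline; it is not an MTA.
    With open_relay=False it answers RCPT for foreign domains with 550.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        f = conn.makefile("rwb", buffering=0)
        f.write(b"220 sim.invalid ESMTP simulated\r\n")
        for raw in f:
            line = raw.decode(errors="replace").strip()
            verb = line.split(":")[0].upper()
            if verb == "QUIT":
                f.write(b"221 bye\r\n")
                break
            if verb == "RCPT TO":
                addr = line.split(":", 1)[1].strip().strip("<>")
                if open_relay or addr.lower().endswith("@" + local_domain):
                    f.write(b"250 OK\r\n")
                else:
                    f.write(b"550 5.7.1 relaying denied\r\n")
            else:
                f.write(b"250 OK\r\n")  # EHLO, MAIL FROM, RSET and anything else
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # Real use: python relaycheck.py mail.example.com [25]
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print("relay refused:", relay_refused(sys.argv[1], target_port))
    else:
        # Offline demonstration against the simulated responder.
        print("closed relay refuses:", relay_refused("127.0.0.1", _simulated_smtp_server(False)))
        print("open relay refuses:", relay_refused("127.0.0.1", _simulated_smtp_server(True)))
```

Run it from a host outside the server's trusted networks: a server that relays for its own LAN or for authenticated users is expected, and the check only tells you whether an anonymous outside session can bounce mail through it.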
 
Check your firewall logs for who is going out over p25. Def check the Exchange isn't allowing relay. Then you have it contained.

CBL can be contacted and will give you the machine name - they are quite helpful but expect a 24-48 hour response time.
 
Thanks for your replies. My Exchange server is not allowing relay, but the spam isn't going out on my Exchange Server's IP, it's going out on another IP address, the main network one, which means it could be coming from any PC on my network.
I didn't know I could contact CBL for help. I just sent them an e-mail request for more information. I hope they can identify the machine name.
My network addresses are assigned through DNS, so all I see in the firewall log is that same IP that was blacklisted, but no internal IPs or machine names. It's a Sonicwall firewall. I'm hoping to convince the powers that be to invest in something better soon.
If CBL can't help, because the IP address is NAT, do you have any other suggestions?
 
They ought to come back with a machine name which ought to tie it down to one PC.

So on the sonicwall, stop outbound port 25. In fact, good time to review the firewall access rights - management might go for that. If you have another public IP, send email out on that, alter your MX records and/or your SPF record accordingly and you aren't a spammer any more :). It is a get out of jail free card for you against CBL.

The firewall log ought to show the port 25 outbound request and at least detail the internal IP. If not, CBL ought to come up trumps.

Perhaps a post in the sonicwall forum about setting up logging to catch the port 25 outbound traffic?
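Once outbound port 25 logging is on, the firewall log is the quickest way to the infected PC: tally which internal addresses open connections to port 25 and leave out the one host that is allowed to, the Exchange server. The script below is an added example, not from the thread or from SonicWall. It parses key=value log lines (the sample lines are constructed and only loosely modelled on a key=value firewall log; the src=/dst= field names and the addresses are assumptions), counts outbound SMTP connections per internal source and how many distinct mail hosts each one talked to, and lists the hosts that are not the Exchange server. A workstation that opens SMTP sessions to many different destinations is the one to pull off the network.

```python
"""Find internal hosts making outbound SMTP (port 25) connections in a key=value firewall log."""
import re
from collections import defaultdict

# Matches key=value pairs; values may be quoted strings containing spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log lines (not real SonicWall output). Assumed layout:
# src=<ip>:<port>:<zone> dst=<ip>:<port>:<zone>. 192.168.1.10 is the Exchange server.
SAMPLE_LOG = """\
time="2004-07-13 10:15:02" msg="Connection Opened" src=192.168.1.10:3011:LAN dst=198.51.100.20:25:WAN proto=tcp/smtp
time="2004-07-13 10:15:03" msg="Connection Opened" src=192.168.1.23:1055:LAN dst=203.0.113.8:80:WAN proto=tcp/http
time="2004-07-13 10:15:04" msg="Connection Opened" src=192.168.1.57:3421:LAN dst=198.51.100.20:25:WAN proto=tcp/smtp
time="2004-07-13 10:15:04" msg="Connection Opened" src=192.168.1.57:3422:LAN dst=198.51.100.21:25:WAN proto=tcp/smtp
time="2004-07-13 10:15:05" msg="Connection Opened" src=192.168.1.57:3423:LAN dst=198.51.100.22:25:WAN proto=tcp/smtp
time="2004-07-13 10:15:05" msg="Connection Opened" src=192.168.1.57:3424:LAN dst=198.51.100.23:25:WAN proto=tcp/smtp
time="2004-07-13 10:15:06" msg="Connection Opened" src=192.168.1.57:3425:LAN dst=203.0.113.8:80:WAN proto=tcp/http
time="2004-07-13 10:15:07" msg="Connection Opened" src=192.168.1.42:2201:LAN dst=198.51.100.20:25:WAN proto=tcp/smtp
"""

# Assumption: the address of the one host that is allowed to send SMTP outbound.
EXCHANGE_IP = "192.168.1.10"


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def split_endpoint(value):
    """'192.168.1.57:3421:LAN' -> ('192.168.1.57', 3421); port is None if absent."""
    parts = value.split(":")
    port = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return parts[0], port


def outbound_smtp_talkers(lines, exchange_ip=EXCHANGE_IP):
    """Return [(src_ip, connection_count, distinct_destinations), ...] for every
    internal source other than the mail server that connected to port 25,
    busiest first."""
    stats = defaultdict(lambda: {"connections": 0, "destinations": set()})
    for line in lines:
        fields = parse_line(line)
        if "src" not in fields or "dst" not in fields:
            continue  # not a connection record
        src_ip, _ = split_endpoint(fields["src"])
        dst_ip, dst_port = split_endpoint(fields["dst"])
        if dst_port != 25 or src_ip == exchange_ip:
            continue
        stats[src_ip]["connections"] += 1
        stats[src_ip]["destinations"].add(dst_ip)
    rows = ((ip, s["connections"], len(s["destinations"])) for ip, s in stats.items())
    return sorted(rows, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for ip, count, distinct in outbound_smtp_talkers(SAMPLE_LOG.splitlines()):
        print(f"{ip:15}  {count:4} SMTP connections to {distinct} distinct hosts")
```

Feed it the exported log with `outbound_smtp_talkers(open("firewall.log"))`. Because the block rule on the firewall now drops outbound 25 from everything but Exchange, the denied entries are just as telling as the allowed ones were: any host still trying is the one to clean up.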
 
Thanks, Zelandakh. I've already done as you suggested and stopped all outbound traffic on port 25, and I'm clear with CBL. They have replied and were not able to give me a machine name, so I will try the sonicwall forum.
 