Hunting a spamming computer on the network

Posted by: Dignan

Hunting a spamming computer on the network - 26/02/2009 18:34

I just got a call from a client of mine. They say their ISP has alerted them that one of the computers on their network is sending out spam.

How do I hunt that computer down?

The computer is on a network that is merely a bunch of switches all going back to a Linksys router running Tomato with QOS turned on. I can't remember if I turned on statistics, or if that would even help.

What kind of traffic should I look out for, and how do I look out for it? Is there a way to find out the MAC address of the computer in question and block it? All the users on this network are students spread out across 4 floors and a few dozen rooms, so it's nearly impossible to go to each computer and investigate. I'm hoping that I can block the computer in question entirely, and then that student will come complaining that they don't have internet.

But how can I do that?

Posted by: matthew_k

Re: Hunting a spamming computer on the network - 26/02/2009 18:42

Spam usually flows through SMTP's port 22. Tomato should let you identify which computer is spewing out emails if they're doing it while you're watching.

Once you've got a MAC address, I'm not sure if Tomato will let you block it or not.

With four floors of students going through NAT, I'm amazed the RIAA/MPAA haven't come knocking at your door for reasons other than spam.

Posted by: hybrid8

Re: Hunting a spamming computer on the network - 26/02/2009 18:48

Originally Posted By: matthew_k
Once you've got a MAC address, I'm not sure if Tomato will let you block it or not.
Tomato can definitely do this part. "Access Restriction" - just create a rule that applies at all times and specify that it's for a specific machine and then type in the MAC address.

The logging is going to be more difficult. You can turn on logging for outbound traffic, but it's going to get huge very quickly with that many connections. You'll want to save the log data remotely and then I suppose you can search through it for signs of the abuse.

If you're running managed switches you may want to do some of the setup before the traffic even gets to the router.

Posted by: drakino

Re: Hunting a spamming computer on the network - 26/02/2009 18:53

Originally Posted By: matthew_k
Spam usually flows through SMTP's port 22.

SMTP is 25, SSH is port 22.

Posted by: wfaulk

Re: Hunting a spamming computer on the network - 26/02/2009 19:23

Also check for ports 587 and 465. These are remote ports you want to look for; that is, the port being used by the remote mail server, not the port being used by the spamming client.

You should be able to find these with Tomato pretty easily. Just create a QoS classification specifying those three ports (25, 587, and 465), then "View Details" of the class you assigned them to. Not all email connections are going to be spam, so find a single computer that has a lot of connections going on.

Once you have the IP address, go to any computer on the same LAN and ping the IP address. Then run "arp -a" and find the mapping between IP and MAC. If you have disparate computers, it might be useful to discover the NIC's manufacturer.

If you had managed switches, it would be pretty easy to find the exact port the computer is connected to, but I don't know if your switches are managed.

Posted by: lectric

Re: Hunting a spamming computer on the network - 27/02/2009 04:12

I do sort of the opposite. I block all traffic outgoing on 25 and make an explicit exception for the mail server. Same for all common protocols, really. Even though NAT rules aren't defined for any services, it's just too easy and prevents too many exploits not to do. Then again, I am pretty draconian in my blocking of zip files. If it's under 500k, it's blocked.

Posted by: wfaulk

Re: Hunting a spamming computer on the network - 27/02/2009 12:30

Yeah, I try to be as unobtrusive as possible.

Posted by: hybrid8

Re: Hunting a spamming computer on the network - 27/02/2009 13:13

I'm sure your users appreciate it. Whenever I see a gateway configured to disallow zip files I always think to myself that the admin is either too lazy to care, or they don't know what they're doing. In either case I worry for the security of the network.

There's nothing wrong with blocking client access to port 25 completely however and using 587 instead with authentication (or even SSL). I think most ISPs around these parts have already gone at least the route of allowing mail only on 587.

But none of this is going to be relevant to Matt since I don't believe he's running a mail server. It's likely the ISP he mentioned already employs these precautions and other security measures. He needs only to find out the machine on his network responsible for the excessive mailings.

And therein lies another potential problem. Matt mentioned the ISP complained about spam, but was it based on content, quantity or both? It's going to be very difficult to isolate the responsible party if the content is spam but the quantity falls within the typical mail use for other users on his network.

Posted by: lectric

Re: Hunting a spamming computer on the network - 27/02/2009 20:34

Lazy isn't the word. Overworked is. Keep in mind, not only am I in charge of the network, I'm also in charge of 450 computers, 500 VoIP phones, 45 copy machines, 75 fax machines, 200 printers, 17 servers, integrating our new financial package with our 20 year old financial package, installing a new security system (access control doors), etc... While at the same time fighting political struggles where morons in other departments are trying to push their data entry onto your department, and the administration is tending to agree with them.

So before you think I'm lazy, think instead that there are more important things for me to worry about than zip files, 99% of which are viruses.

Posted by: Dignan

Re: Hunting a spamming computer on the network - 28/02/2009 02:07

Originally Posted By: hybrid8
And therein lies another potential problem. Matt mentioned the ISP complained about spam, but was it based on content, quantity or both? It's going to be very difficult to isolate the responsible party if the content is spam but the quantity falls within the typical mail use for other users on his network.

That's an excellent point. I'm not sure exactly what the ISP told them. All I was told was "someone in the building is sending spam messages." That's incredibly vague and unhelpful, but I don't blame my contacts at the facility. That's been a problem with this ISP before (Speakeasy) where they just inform us of something with no information, and tell us to take care of it. Hey, these are 80 college-aged kids. Chances are at least one of them is going to know their way around the computer enough to do what they want, but that's all it takes to bring down the connection for everyone. It would be extremely helpful to be able to identify the troublemaker.

I've told Tomato's QoS to give zero priority to bittorrent and filesharing traffic, but who knows how effective that is. I have much less of a clue how to tackle this spam issue.

But thanks for the input, everyone. I'll try to sift through it all and see if I can figure it out. I'm new to most of the world of networking. Hell, I crimped my first network cable this week for another client. Just never had to do that before...

Posted by: Shonky

Re: Hunting a spamming computer on the network - 01/03/2009 10:32

Can you run tcpdump on the router? "tcpdump port 25" will show all SMTP traffic. Just look for the machine sending lots...

Once you have the IP, you should be able to get a NetBIOS name and that should be enough to identify it.
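A worked version of the approach wfaulk and Shonky describe above (count each LAN host's new connections to ports 25, 587 and 465, then map the busiest IP to its MAC through the ARP table), as an added example that is not from the original thread. It parses the line format printed by `tcpdump -n` and `arp -a`; the capture and ARP lines it uses are constructed samples, and the threshold of 20 new connections is an assumption.

```python
import re
from collections import Counter

# Destination ports for outbound mail that the thread suggests watching:
# SMTP (25), submission (587), SMTPS (465).
MAIL_PORTS = {25, 587, 465}

# Matches the TCP line "tcpdump -n" prints:
# "IP <src>.<sport> > <dst>.<dport>: Flags [S], ..."
TCP_LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def count_mail_connections(capture_lines):
    """Count new outbound mail connections (bare SYNs) per LAN source IP."""
    counts = Counter()
    for line in capture_lines:
        m = TCP_LINE.search(line)
        # A bare SYN (flags "S", not "S.") is the client opening a connection;
        # server replies and data packets are ignored so each session counts once.
        if m and m["flags"] == "S" and int(m["dport"]) in MAIL_PORTS:
            counts[m["src"]] += 1
    return counts

def parse_arp_table(arp_lines):
    """Map IP -> MAC from 'arp -a' style output: "host (ip) at mac ..."."""
    table = {}
    for line in arp_lines:
        m = re.search(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})", line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def find_suspects(capture_lines, arp_lines, min_connections=20):
    """Return (ip, mac, count) for hosts at or above the threshold, busiest first.
    The first three octets of the MAC can then be looked up in the IEEE OUI
    registry to learn the NIC vendor, as wfaulk suggests."""
    counts = count_mail_connections(capture_lines)
    arp = parse_arp_table(arp_lines)
    return [(ip, arp.get(ip, "unknown"), n)
            for ip, n in counts.most_common() if n >= min_connections]

# Constructed sample input standing in for "tcpdump -n port 25 or port 587
# or port 465" and "arp -a" output: one host opens 30 SMTP sessions, another
# sends a single message over submission, plus one server-side SYN/ACK.
SAMPLE_CAPTURE = (
    ["IP 192.168.1.23.%d > 203.0.113.%d.25: Flags [S], seq 1, length 0"
     % (40000 + i, i % 5 + 1) for i in range(30)]
    + ["IP 192.168.1.7.51000 > 198.51.100.9.587: Flags [S], seq 1, length 0",
       "IP 203.0.113.1.25 > 192.168.1.23.40000: Flags [S.], ack 2, length 0"]
)
SAMPLE_ARP = ["? (192.168.1.23) at 00:11:22:33:44:55 [ether] on br0",
              "? (192.168.1.7) at aa:bb:cc:dd:ee:ff [ether] on br0"]
```

Running `find_suspects(SAMPLE_CAPTURE, SAMPLE_ARP)` flags only 192.168.1.23 with its MAC, which is the address to enter in Tomato's Access Restriction rule.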