looking for a computer sending out spam how do I find it using wireshark?

I am looking for a computer sending email, I have an IP of the source, I am trying to locate the machine. It is internal on our domain, we are using NAT. The emails are getting blocked, I am just trying to the computer, any ideas. All the posts I read, is to use wireshark. I have version 1.6.7

Thank you

coz

capture trace

asked 15 Jun '12, 07:56

Coz
1●1●1●1
accept rate: 0%

2 Answers:

oldest newest most voted

if you have the IP address of the machine, you don't necessarily need wireshark. There are several options:

If it's a windows machine:

run this command on a computer that is a member of the domain: nbtstat -a x.x.x.x. Maybe you can spot the computername or even a logged on user in the output (depends on some settings in the domain)
Mount the C drive of that machine and check the local copy of the domain profiles to figure out who is working on that computer: net use * \\x.x.x.x\c$. The domain admin account will give you access to that share.

If it's not a windows machine, or nbtstat did not help:

ping it from a computer in the same network: ping x.x.x.x
get the mac address: arp -a | find "x.x.x.x"
Go to your network admin and ask him to give you the port on the switch where that MAC address is connected to.
Follow the cable to the machine

Regards
Kurt

link

answered 15 Jun '12, 08:02

Kurt Knochner
8.0k●4●16●73
accept rate: 15%

edited 15 Jun '12, 08:12

Great Information but:

I have an IP of the source of the email, it's external (112.xxx.xxx.xxx). But I do not have the internal machine, which are (10.xxx.xxx.xxx). The emails are going through email server, but they are being blocked at the gateway. Like I said I have the source IP, someone might be telneting or remoting with the source IP. I am trying to locate machine that is being used on our network.

Thank you,

Coz

(15 Jun '12, 08:11) Coz

BTW: If you add a comment to my answer it will be easier to follow the conversation.

O.K. I thought the IP is on your LAN as you said: "it is internal on our domain".

Anyway, in that case you need Wireshark.

Run wireshark on a mirror port of your internal mail server. See here how to do that: http://wiki.wireshark.org/CaptureSetup/Ethernet
Run Wireshark with this capture filter "port 25" (see wiki, if you don't know how to do it)
Sniff until you think there is enough data (some minutes, maybe hours)
Analyze the data by looking for some string pattern you know to be in the spam mail. Use this display filter: tcp contains "string in spam mail"
As soon as you find a match, look at the source IP address in Wireshark. It it's not the mail server, it's the IP address of the spammer.

CONSTRAINT: if the spammer sends mail through MAPI (exchange), you need a different capture filter. Try SMTP (port 25) first and see what you find.

(15 Jun '12, 08:21) Kurt Knochner

thanks,

I will try that. Also sorry about the confusion on the post

Coz

(15 Jun '12, 09:41) Coz

0	If whatever machine is doing the NAT keeps a record of the internal-IP+port-to-external-IP+port mappings it has in effect at particular times, and you know what time the spam was sent, you could try using that. link answered 15 Jun '12, 10:40 Guy Harris ♦♦ 7.6k●1●18●98 accept rate: 15%

Your answer

toggle preview

community wiki

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

capture ×225
trace ×18

Asked: 15 Jun '12, 07:56

Seen: 2,819 times

Last updated: 15 Jun '12, 10:40

looking for a computer sending out spam how do I find it using wireshark?

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions