Ask Your Question
0

Finding a device sending spam emails

asked 2019-04-15 09:14:39 +0000

Accolon gravatar image

There is a device in out home network periodically sending spam emails. Our internet provider blocked our internet access due to this reason. I scanned all devices with diferent malware scanners but couldn't find the responsible device. The provider cannot tell us which one it is. All I know is the date and time the emails are sent. Is there a possibility to track the traffic and, given we know date and time, find out which device was active at that sepcific time?

edit retag flag offensive close merge delete

3 Answers

Sort by » oldest newest most voted
0

answered 2019-06-19 20:22:52 +0000

One way can be to disconnect one device for one or two days around that date and see if emails are still send. If yes, then proceed with the next device. Time consuming... But if you deal with that error every step brings you closer is a good step.

Another maybe better way could be to buy you a cheap managed switch (e.g. https://www.amazon.de/Netgear-GS105E-...) and connect your LAN devices to that switch. Then you can connect this switch to your Router. After that you can define a mirror port for this Uplink and then you capture your traffic.

A third way is the proposal of @Graham or you can replace your router by a fritz box which also has build in capture functions.

edit flag offensive delete link more
0

answered 2019-04-15 11:45:45 +0000

grahamb gravatar image

In a typical home environment this is not that easy to accomplish as you'll have a single combined router\modem\access point that you are unable to capture on. You could try to capture on each device as suggested in the answer from @Ross Jacobs, but that won't work for mobile devices.

If you are able, installing alternative firmware such as OpenWrt on the router\modem will allow you to capture on the router\modem, but that's not a trivial operation.

edit flag offensive delete link more

Comments

Thank you very much for the answers. Just the moment I read the firest one, ESET found a troyjan accessing outlook. So I hope I got rid of the problem now.

Accolon gravatar imageAccolon ( 2019-04-15 14:33:54 +0000 )edit

Unfortunately that was not the problem. When I check all abuse notifications, I see the the account was barred every seven days. So the next time would be tomorrow, 19.6.2019. Is there any possibility the record the traffic in the home network to find out which device is active the next time the account is blocked?

Accolon gravatar imageAccolon ( 2019-06-18 11:29:04 +0000 )edit

As noted in my answer, you'll need to capture on a device that passes all the traffic, which is usually the modem\router\AP in a home environment, and the generic manufacturer's software isn't able to do this. Can you explain a little more about your environment?

grahamb gravatar imagegrahamb ( 2019-06-18 13:23:04 +0000 )edit

I took a screenshot of the enviroment. But unfortunately cannot upload as I have less than 60 points...

Accolon gravatar imageAccolon ( 2019-06-18 14:35:43 +0000 )edit

link text

Where it says "Kabelgebundene Geräte" which means attached by cable is because they are connected via accesspoint (Lancom AP). They are actually connected wireless.

Accolon gravatar imageAccolon ( 2019-06-18 14:38:45 +0000 )edit
0

answered 2019-04-15 11:39:12 +0000

Ross Jacobs gravatar image

updated 2019-04-15 11:51:29 +0000

Take a capture with Wireshark and then filter with tcp.port == 25. That should show you any SMTP traffic.

Edit: @grahamb is correct here. I should have specified that you would need to take this capture on the upstream device, whichever that is. Without some networking/IT background, this will be difficult for you to accomplish

If you are not versed in networking / IT, you may want to talk to a friend or hire a consultant, as getting your internet access back will likely require hands-on expertise.

edit flag offensive delete link more

Comments

1

This would only work if they can capture on EVERY device, or capture on the typical home router\modem\access point, which generally isn't an option.

grahamb gravatar imagegrahamb ( 2019-04-15 11:46:56 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-04-15 09:14:39 +0000

Seen: 198 times

Last updated: Jun 19