# Finding a device sending spam emails

There is a device in our home network periodically sending spam emails. Our internet provider blocked our internet access due to this reason. I scanned all devices with different malware scanners but couldn't find the responsible device. The provider cannot tell us which one it is. All I know is the date and time the emails are sent. Is there a possibility to track the traffic and, given we know date and time, find out which device was active at that specific time?



One way can be to disconnect one device for one or two days around that date and see if emails are still sent. If yes, then proceed with the next device. Time consuming... But when dealing with that kind of error, every step that brings you closer is a good step.

Another, maybe better, way could be to buy yourself a cheap managed switch (e.g. https://www.amazon.de/Netgear-GS105E-...) and connect your LAN devices to that switch. Then you can connect this switch to your router. After that you can define a mirror port for this uplink and then you capture your traffic.

A third way is the proposal of @Graham, or you can replace your router by a Fritz!Box, which also has built-in capture functions.


In a typical home environment this is not that easy to accomplish as you'll have a single combined router\modem\access point that you are unable to capture on. You could try to capture on each device as suggested in the answer from @Ross Jacobs, but that won't work for mobile devices.

If you are able, installing alternative firmware such as OpenWrt on the router\modem will allow you to capture on the router\modem, but that's not a trivial operation.


Thank you very much for the answers. Just the moment I read the first one, ESET found a trojan accessing Outlook. So I hope I got rid of the problem now.

( 2019-04-15 14:33:54 +0000 )

Unfortunately that was not the problem. When I check all abuse notifications, I see that the account was barred every seven days. So the next time would be tomorrow, 19.6.2019. Is there any possibility to record the traffic in the home network to find out which device is active the next time the account is blocked?

( 2019-06-18 11:29:04 +0000 )

As noted in my answer, you'll need to capture on a device that passes all the traffic, which is usually the modem\router\AP in a home environment, and the generic manufacturer's software isn't able to do this. Can you explain a little more about your environment?

( 2019-06-18 13:23:04 +0000 )

I took a screenshot of the environment. But unfortunately I cannot upload it as I have less than 60 points...

( 2019-06-18 14:35:43 +0000 )

Where it says "Kabelgebundene Geräte" (which means "attached by cable") it is because they are connected via an access point (Lancom AP). They are actually connected wirelessly.

( 2019-06-18 14:38:45 +0000 )

Take a capture with Wireshark and then filter with tcp.port == 25. That should show you any SMTP traffic.

Edit: @grahamb is correct here. I should have specified that you would need to take this capture on the upstream device, whichever that is. Without some networking/IT background, this will be difficult for you to accomplish.

If you are not versed in networking / IT, you may want to talk to a friend or hire a consultant, as getting your internet access back will likely require hands-on expertise.



This would only work if they can capture on EVERY device, or capture on the typical home router\modem\access point, which generally isn't an option.

( 2019-04-15 11:46:56 +0000 )
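One way to do the correlation the answers above describe (capture on the uplink, keep only mail-port traffic, compare it with the time the provider reported), as an added example that is not part of the original thread. It assumes the capture was exported with tshark's `-T fields` option (`-e frame.time_epoch -e eth.src -e ip.src -e tcp.dstport`, one line per outbound connection attempt); the records, MAC addresses and the reported time below are constructed, and the 30-minute window is an assumed tolerance for the provider's timestamp.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Outbound mail ports: 25 (SMTP relay), 465 (SMTPS), 587 (submission).
MAIL_PORTS = {25, 465, 587}

# Constructed records in tshark "-T fields" layout (epoch time, source MAC,
# source IP, destination port); not real capture data.
SAMPLE_EXPORT = """\
1560931200.10\t00:11:22:33:44:aa\t192.168.178.20\t443
1560931201.50\t00:11:22:33:44:bb\t192.168.178.31\t25
1560931202.00\t00:11:22:33:44:bb\t192.168.178.31\t25
1560931203.25\t00:11:22:33:44:aa\t192.168.178.20\t587
1560931204.00\t00:11:22:33:44:bb\t192.168.178.31\t25
1560940000.00\t00:11:22:33:44:cc\t192.168.178.45\t25
"""

# Constructed: the time the provider's abuse notification points at (UTC).
REPORTED_AT = datetime(2019, 6, 19, 8, 0, tzinfo=timezone.utc)


def parse_export(text):
    """Parse tab-separated tshark field output into (time, mac, ip, port)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        epoch, mac, ip, port = line.split("\t")
        ts = datetime.fromtimestamp(float(epoch), tz=timezone.utc)
        records.append((ts, mac, ip, int(port)))
    return records


def rank_mail_senders(records, reported_at, window=timedelta(minutes=30)):
    """Count mail-port connection attempts per (MAC, IP) within +/- window
    of the reported time, most active device first. Keying on the MAC as
    well as the IP keeps the result usable if DHCP hands out a new address."""
    counts = Counter()
    for ts, mac, ip, dport in records:
        if dport in MAIL_PORTS and abs(ts - reported_at) <= window:
            counts[(mac, ip)] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (mac, ip), n in rank_mail_senders(parse_export(SAMPLE_EXPORT), REPORTED_AT):
        print(f"{mac} {ip}: {n} mail-port connection attempts near the reported time")
```

The device at the top of the list is the one to isolate and examine first; a record outside the window (the last sample line) is deliberately left out of the count.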