NetFort Tips & Tricks - Detecting spam originating from the network

Updated 6 years ago
One of our customers recently told us how LANGuardian helped them with identifying a SPAM generator on their network.

He said he had used LANGuardian to identify an employee's PC that was sending excessive amounts of email in too short a period of time. With the help of LANGuardian they were quickly able to identify a host with unusually high DNS traffic that was also connecting to an external server over TCP port 25. The drilldown revealed this was a PC, and they were able to take the affected PC offline immediately.

LANGuardian has a number of mechanisms which will help you identify possible spammers on your network.

Security event analysis
One of the key security analysis reports on the LANGuardian is called “Security :: By Signature”. Systems that perform excessive numbers of MX record lookups in a short time period may generate an alert called 'DNS MX flood (possible SPAM)'. An MX record lookup is the precursor to sending an email directly to a recipient's mail server, so bursts of them should only be seen from mail servers, not from client systems. Any client system generating this alert is likely a spammer, and our recommendation is to remove the system from the network, as we have seen complete IP ranges blocked for this reason.

If you want to find out which systems are associated with the 'DNS MX flood (possible SPAM)' event, use the [+] option and select Breakdown by source IP. To mark a particular signature, click on the signature text for more options. The Action dropdown box allows you to send an email if it is detected again, or to generate an SNMP trap so that the information can be forwarded to other systems.

DPI decoder for SMTP messages
To check for specific email subject lines, use the Subject field of the "Email :: By Subject" report. The decoder allows you to see the sender, destination address and subject of all SMTP messages. By just looking at the subject fields you can pretty quickly identify whether the system is sending spam or not.

Traffic analysis
The traffic analysis reports can be very useful for identifying SMTP traffic coming from systems that are not official SMTP servers. Run the "IP :: Top Clients" report and use TCP port 25 as the destination port. This will indicate the most active hosts accessing mail servers.
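As an added illustration (not LANGuardian's own logic), the two checks described above, bursts of MX lookups from one host and TCP/25 connections from hosts that are not sanctioned mail servers, applied to a few constructed log lines. The log format, the threshold and window, and the mail-server allowlist are all assumptions.

```python
# Added example: flag likely spam generators from a simple connection/DNS log.
# Check 1 mirrors 'DNS MX flood (possible SPAM)': N or more MX lookups from
#   one source within a sliding window.
# Check 2 mirrors the "IP :: Top Clients" on port 25 idea: SMTP connections
#   from any host that is not a sanctioned mail server.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Format assumed here:
#   "<ISO timestamp> <src_ip> DNS <qtype> <name>"  or
#   "<ISO timestamp> <src_ip> TCP <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 DNS MX example.com
2024-05-01T09:00:02 10.0.0.5 DNS MX example.net
2024-05-01T09:00:03 10.0.0.5 DNS MX example.org
2024-05-01T09:00:05 10.0.0.5 DNS MX mail.example
2024-05-01T09:00:06 10.0.0.5 DNS MX example.edu
2024-05-01T09:00:07 10.0.0.5 TCP 198.51.100.10:25
2024-05-01T09:00:10 10.0.0.25 DNS MX example.com
2024-05-01T09:00:11 10.0.0.25 TCP 198.51.100.10:25
2024-05-01T09:00:20 10.0.0.7 DNS MX example.com
2024-05-01T09:05:00 10.0.0.7 DNS MX example.net
2024-05-01T09:06:00 10.0.0.7 DNS A www.example.com
"""

MAIL_SERVERS = {"10.0.0.25"}   # assumption: the only host allowed to speak SMTP out
MX_THRESHOLD = 5               # MX lookups per window that count as a flood (tune this)
WINDOW = timedelta(seconds=60)

def parse_line(line):
    ts, src, kind, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), src, kind, detail

def detect(log_text, mx_threshold=MX_THRESHOLD, window=WINDOW, mail_servers=MAIL_SERVERS):
    """Return {src_ip: set_of_reasons} for every host that trips either check."""
    mx_times = defaultdict(deque)   # src_ip -> timestamps of MX lookups inside the window
    findings = defaultdict(set)
    for line in log_text.strip().splitlines():
        ts, src, kind, detail = parse_line(line)
        if kind == "DNS" and detail.startswith("MX "):
            q = mx_times[src]
            q.append(ts)
            while q and ts - q[0] > window:   # expire lookups older than the window
                q.popleft()
            if len(q) >= mx_threshold:
                findings[src].add("DNS MX flood (possible SPAM)")
        elif kind == "TCP" and detail.endswith(":25") and src not in mail_servers:
            findings[src].add("SMTP from non-mail-server")
    return dict(findings)

if __name__ == "__main__":
    for host, reasons in sorted(detect(SAMPLE_LOG).items()):
        print(host, sorted(reasons))
```

Only 10.0.0.5 is reported: it trips both checks, while the sanctioned relay is exempt from the port-25 check and 10.0.0.7's two MX lookups are minutes apart and never reach the threshold.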

And, of course, please contact us any time if you have any questions about monitoring SMTP traffic on your network or indeed any other aspect of network monitoring with LANGuardian.

Aisling Brennan, Official Rep


Posted 6 years ago
