So you have a network. One of the devices on the network is sending out spam at an amazing rate. How do you track down the misbehaving computer?
If you have a SONICWALL, you can look at the current connections across all your devices at any given time.
- Log in to SONICWALL.
- Click SYSTEM > DIAGNOSTICS.
- Find the DIAGNOSTIC TOOL area.
- Change the dropdown to CONNECTIONS-MONITOR.
This will show all the connections from the outside network to the inside network and vice versa. You are looking for any connection with a DESTINATION PORT of 25. The culprit should be pretty obvious: it will be the IP ADDRESS that is NOT your internal mail server but rather a client machine (laptop/desktop).
But this only shows the current active connections. What if the laptop went home? What if you want to search through the logs for the day?
- Log in to SONICWALL.
- Click LOG > VIEW.
- Find PRIORITY.
- Change it to ALERT.
- Click APPLY FILTERS.
This should show a list of ALERTS from the last 24 hours or so. Look through them carefully to see if anything is sending to PORT 25.
What's interesting is that in a typical situation the logs look like this:
| Time | Priority | Category | Message | Source | Destination |
|---|---|---|---|---|---|
| 32:13.7 | Alert | Intrusion Prevention | Possible port scan detected | 199.96.57.6, 443, X1 | 10.1.10.206, 56114, X5 |
The destination IP and port number are readily available in the Destination column.
In my situation, the log looked like this:
| Time | Priority | Category | Message | Source | Destination |
|---|---|---|---|---|---|
| 46:26.9 | Alert | Intrusion Prevention | Possible SYN Flood on IF X0 - src: 10.1.10.123:63383 dst: 66.236.42.7:25 | <blank> | <blank> |
| 46:30.6 | Alert | Intrusion Prevention | SYN-Flooding machine on IF X0 - xx:xx:bb:62:2c:95 with SYN rate of 1001/sec blacklisted | <blank> | <blank> |
Here the destination (and the source) isn't in the DESTINATION column but rather embedded in the MESSAGE column.
Regardless, with this information, I now know that client 10.1.10.123 is the machine causing an issue.
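As an added example (not from the original post), a small Python parser over constructed rows in the pipe-delimited layout shown above: it takes the destination port from the Destination column when it is populated and falls back to the src/dst pair embedded in the Message column, then lists the hosts talking to port 25 other than the mail server. The regex is written against the message format in the post, and the mail server address 10.1.10.50 is an assumption.

```python
import re
from collections import Counter

# Constructed sample rows in the pipe-delimited layout shown in the post (not real log
# data). "<blank>" marks an empty column as the post writes it; the MAC stays masked.
SAMPLE_LOG = """\
32:13.7 | Alert | Intrusion Prevention | Possible port scan detected | 199.96.57.6, 443, X1 | 10.1.10.206, 56114, X5 |
46:26.9 | Alert | Intrusion Prevention | Possible SYN Flood on IF X0 - src: 10.1.10.123:63383 dst: 66.236.42.7:25 | <blank> | <blank> |
46:30.6 | Alert | Intrusion Prevention | SYN-Flooding machine on IF X0 - xx:xx:bb:62:2c:95 with SYN rate of 1001/sec blacklisted | <blank> | <blank> |
47:01.2 | Notice | Network Access | TCP connection opened | 10.1.10.50, 40512, X0 | 203.0.113.25, 25, X1 |
47:05.8 | Notice | Network Access | TCP connection opened | 10.1.10.123, 63410, X0 | 203.0.113.26, 25, X1 |
"""

MAIL_SERVER = "10.1.10.50"  # assumed address of the legitimate internal mail server

# Endpoints embedded in the Message column: "src: A.B.C.D:port dst: E.F.G.H:port"
MSG_RE = re.compile(r"src:\s*(\S+?):(\d+)\s+dst:\s*(\S+?):(\d+)")

def parse_endpoint(field):
    """'10.1.10.206, 56114, X5' -> ('10.1.10.206', 56114); blank -> (None, None)."""
    parts = [p.strip() for p in field.split(",")]
    if len(parts) < 2 or not parts[0]:
        return None, None
    return parts[0], int(parts[1])

def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) for one row. The Destination column is used
    when populated; otherwise the src/dst pair is pulled out of the Message column."""
    cols = [c.strip() for c in line.rstrip().rstrip("|").split("|")]
    if len(cols) < 6:
        return None, None, None
    message, source, destination = cols[3], cols[4], cols[5]
    src_ip, _ = parse_endpoint(source)
    dst_ip, dst_port = parse_endpoint(destination)
    if dst_ip is None:
        m = MSG_RE.search(message)
        if m:
            src_ip, dst_ip, dst_port = m.group(1), m.group(3), int(m.group(4))
    return src_ip, dst_ip, dst_port

def find_smtp_talkers(log_text, mail_server=MAIL_SERVER):
    """Count rows per source host that targets TCP/25 and is not the mail server."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src_ip, dst_ip, dst_port = parse_line(line)
        if dst_port == 25 and src_ip and src_ip != mail_server:
            hits[src_ip] += 1
    return hits
```

Running `find_smtp_talkers(SAMPLE_LOG)` over the constructed rows attributes both port-25 rows to 10.1.10.123, one taken from the Message column and one from the Destination column, while the mail server's own row is ignored.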