SMTP Traffic Monitoring Utility

Status
Not open for further replies.
Aug 27, 2001
Like most networks, my network has just a couple of IP addresses which should be generating SMTP traffic. Other IP addresses that generate SMTP traffic are probably infected with a virus.

I would like a utility which will monitor the SMTP traffic on my network and alert me when an unauthorized address starts sending SMTP packets.

Of course, I'd prefer it to be freeware, but this is not completely necessary.

Any suggestions?

Ron

“If you are irritated by every rub, how will you be polished?”

~ Mevlana Rumi


murof siht edisni kcuts m'I - PLEH
 

--------------------------------------------------------------------
--------------------------------------------------------------------
How can I believe in God when just last week I got my tongue caught in the roller of an electric typewriter?
---------------------------------------------------------------------
 
Your firewall should only allow outbound SMTP from designated mail servers. So, if you log your clean-up rule, you should see dropped SMTP from infected machines in your logs.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
Thanks peterve. I'll check it out.

iproute: This is great for outbound SMTP traffic, but it won't help for internal traffic. If an infected computer starts sending SMTP traffic to my mail server (both internal), the firewall won't catch it. We scan our mail for viruses, but if it's a "0 day" virus, then it will propagate until the DAT updates are available.

<rant>Of course, this wouldn't be a problem if my users would JUST STOP OPENING THE FRICKING VIRUSES!!</rant> Sorry, but this is a "hot button" topic for me.

Anyway, thanks to both of you for your help.

If anyone else has a different suggestion, please contribute to the thread.

Ron

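The two points raised so far (log what the firewall's clean-up rule drops, and notice that internal host-to-mail-server SMTP never crosses the firewall) come together in a small allowlist monitor. The following is an added example, not code from this thread or from any tool mentioned in it. It assumes a constructed "key=value" log line format, produced by whatever is watching the wire (a firewall log or a sniffer on the segment in front of the mail server), and the IP addresses and port list are constructed placeholders to be replaced with the real mail server and relay addresses.

```python
"""Flag SMTP connections whose source is not an authorised mail host.

Added example, not from the thread. Every address below is a constructed
placeholder; the log format is an assumed simple key=value layout, so
parse_line() is the one function to adapt to a real firewall or sniffer log.
"""
import ipaddress
import re
from collections import defaultdict

# TCP ports on which SMTP submission/relay is expected (assumption)
SMTP_PORTS = {25, 465, 587}

# Hosts that are allowed to originate SMTP (constructed placeholders)
AUTHORISED_SENDERS = {
    ipaddress.ip_address("10.0.0.10"),  # the internal mail server
    ipaddress.ip_address("10.0.0.11"),  # a hypothetical outbound relay
}

# Assumed log layout: "<date> <time> src=A:PORT dst=B:PORT proto=tcp action=accept|drop"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Constructed sample log: one internal workstation talking SMTP to the
# mail server (accepted, never seen by the firewall), one workstation
# dropped by the firewall clean-up rule, the real mail server relaying
# outbound, a non-SMTP connection, and a malformed line.
SAMPLE_LOG = [
    "2001-08-27 10:15:02 src=10.0.0.23:1045 dst=10.0.0.10:25 proto=tcp action=accept",
    "2001-08-27 10:15:03 src=10.0.0.23:1046 dst=10.0.0.10:25 proto=tcp action=accept",
    "2001-08-27 10:15:09 src=10.0.0.42:2231 dst=203.0.113.5:25 proto=tcp action=drop",
    "2001-08-27 10:16:00 src=10.0.0.10:3301 dst=203.0.113.5:25 proto=tcp action=accept",
    "2001-08-27 10:16:05 src=10.0.0.23:1047 dst=10.0.0.10:80 proto=tcp action=accept",
    "this line is not in the expected format",
]


def parse_line(line):
    """Return a dict for one log record, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "proto": m["proto"].lower(),
        "action": m["action"].lower(),
    }


def is_unauthorised_smtp(rec, authorised=AUTHORISED_SENDERS):
    """True when the record is a TCP connection to an SMTP port from a host
    that is not on the allowlist. Both accepted and dropped records count:
    a drop means the firewall caught it, an accept means it was internal."""
    return (
        rec["proto"] == "tcp"
        and rec["dport"] in SMTP_PORTS
        and rec["src"] not in authorised
    )


def find_offenders(lines, authorised=AUTHORISED_SENDERS, threshold=1):
    """Count unauthorised SMTP connections per source IP.

    Returns {source_ip_string: count} for sources at or above `threshold`,
    so a single stray connection can be ignored while a mass-mailer is not.
    """
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines the parser does not understand
        if is_unauthorised_smtp(rec, authorised):
            counts[rec["src"]] += 1
    return {str(ip): n for ip, n in counts.items() if n >= threshold}


def format_alerts(offenders):
    """Render one alert line per offending host, highest count first."""
    return [
        f"ALERT: {ip} made {n} SMTP connection(s) but is not an authorised mail host"
        for ip, n in sorted(offenders.items(), key=lambda kv: (-kv[1], kv[0]))
    ]


if __name__ == "__main__":
    for alert in format_alerts(find_offenders(SAMPLE_LOG)):
        print(alert)
```

On the sample log this reports 10.0.0.23 (two internal connections the firewall never saw) and 10.0.0.42 (one outbound attempt the clean-up rule dropped), while the mail server's own relay traffic and the port-80 connection are ignored. In practice the lines would be tailed from the firewall log and from a sniffer on the mail server's segment, and `threshold` raised to whatever rate separates a misconfigured client from a mass-mailing worm.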
 
If you are talking about zip files, why aren't you blocking all zip files below 50 KB? That will take care of most 0-day viruses; and why would someone zip a file if it is that small already...

What kind of mail server are you running ?
Do you have a firewall ?



 
Add yourself to the Outlook or OE or whatever mail client as an address in the address book.

This simple measure will automatically notify you if the SMTP service was hijacked.
 
Yes, we have a firewall. However, I am not in charge of administering it. I've asked to have all outbound SMTP traffic not from our mail server blocked; however, it hasn't been done.

We use GroupWise, which is not normally as susceptible to viruses as Outlook/OE/Exchange.
peterve said:
and why would someone zip a file if it is that small already...
As you're probably aware, you can never predict what a user will do or why they will do it. This is not an option that I can implement (politics).
bcastner said:
Add yourself to the Outlook or OE or whatever mail client as an address in the address book.

This simple measure will automatically notify you if the SMTP service was hijacked.
I don't know how your suggestion would help. We don't use Outlook/OE. In fact, it's not even installed on most computers. We use GroupWise. Most viruses are not written to be able to open the GroupWise address book. They get email addresses from other sources (mainly documents).

Anyway, thanks for both of your suggestions. However, I'm only looking for a way to monitor the SMTP traffic on my network. I have a pretty good grasp of the capabilities of our email server and I am limited by a "higher power" as to what I can/can't do with regard to blocking attachments.

Thanks again,
Ron

 
If you find a solution to this please let me know. I have the same need exactly.

Thanks.
 
Thanks raztaboule. I will look into this. I am not a Unix guru, though, so hopefully I can figure it out.
 