0

Finding a device sending spam emails


There is a device in our home network periodically sending spam emails. Our internet provider blocked our internet access due to this reason. I scanned all devices with different malware scanners but couldn't find the responsible device. The provider cannot tell us which one it is. All I know is the date and time the emails are sent. Is there a possibility to track the traffic and, given we know date and time, find out which device was active at that specific time?

1
Accolon
asked 2019-04-15 09:14:39 +0000

3 Answers

0

Take a capture with Wireshark and then filter with tcp.port == 25. That should show you any SMTP traffic.

Edit: @grahamb is correct here. I should have specified that you would need to take this capture on the upstream device, whichever that is. Without some networking/IT background, this will be difficult for you to accomplish.

If you are not versed in networking / IT, you may want to talk to a friend or hire a consultant, as getting your internet access back will likely require hands-on expertise.

71
Ross Jacobs
answered 2019-04-15 11:39:12 +0000, updated 2019-04-15 11:51:29 +0000

Comments

1

This would only work if they can capture on EVERY device, or capture on the typical home router\modem\access point, which generally isn't an option.

grahamb (2019-04-15 11:46:56 +0000)
0

In a typical home environment this is not that easy to accomplish as you'll have a single combined router\modem\access point that you are unable to capture on. You could try to capture on each device as suggested in the answer from @Ross Jacobs, but that won't work for mobile devices.

If you are able, installing alternative firmware such as OpenWrt on the router\modem will allow you to capture on the router\modem, but that's not a trivial operation.

23.8k
grahamb
answered 2019-04-15 11:45:45 +0000

Comments

Thank you very much for the answers. Just the moment I read the first one, ESET found a trojan accessing Outlook. So I hope I got rid of the problem now.

Accolon (2019-04-15 14:33:54 +0000)

Unfortunately that was not the problem. When I check all abuse notifications, I see the account was barred every seven days. So the next time would be tomorrow, 19.6.2019. Is there any possibility to record the traffic in the home network to find out which device is active the next time the account is blocked?

Accolon (2019-06-18 11:29:04 +0000)

As noted in my answer, you'll need to capture on a device that passes all the traffic, which is usually the modem\router\AP in a home environment, and the generic manufacturer's software isn't able to do this. Can you explain a little more about your environment?

grahamb (2019-06-18 13:23:04 +0000)

I took a screenshot of the environment. But unfortunately I cannot upload it as I have less than 60 points...

Accolon (2019-06-18 14:35:43 +0000)

link text

Where it says "Kabelgebundene Geräte", which means attached by cable, that is because they are connected via an access point (Lancom AP). They are actually connected wirelessly.

Accolon (2019-06-18 14:38:45 +0000)
0

One way can be to disconnect one device for one or two days around that date and see if emails are still sent. If yes, then proceed with the next device. Time consuming... But if you are dealing with that error, every step that brings you closer is a good step.

Another, maybe better, way could be to buy yourself a cheap managed switch (e.g. https://www.amazon.de/Netgear-GS105E-...) and connect your LAN devices to that switch. Then you can connect this switch to your router. After that you can define a mirror port for this uplink and then capture your traffic there.

A third way is the proposal of @Graham, or you can replace your router with a FRITZ!Box, which also has built-in capture functions.

2.1k
Christian_R
answered 2019-06-19 20:22:52 +0000

