Wireshark-users: Re: [Wireshark-users] Tracking a PC with spam

From: Kurt Buff <kurt.buff@xxxxxxxxx>
Date: Thu, 29 Sep 2016 13:50:04 -0700
Jason,

You're likely using the wrong tool for this effort.

Assuming the spam is heading outside of your org, I'd look at your
firewall - and block port the relevant ports outbound for anything
except your designated internal mail servers (these would be ports 25,
587 and the various IMAP/POP ports). Then look at the denies in your
firewall logs.

If somehow the spambot is using your internal email infrastructure to
relay the spam, it's time to look at your server logs, and see which
machine is doing the spamming.

Kurt

On Thu, Sep 29, 2016 at 10:31 AM, Jason Kepple
<jkepple@xxxxxxxxxxxxxxxxxxx> wrote:
> Hi, I'm new to wireshark. In our organization we have a users account that
> is sending out a lot of spam everyday. Can I use wireshark to find out which
> PC is sending these emails? I tried setting one of our Switches ports to
> Mirror mode so I could capture all the packets being sent from our PCs on
> that switch. Because we have multiple switches I thought this might narrow
> it down. However, I'm not sure what I'm looking for. What filter should I
> use to only see email packets?
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    https://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
>
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe