How to find a spam agent

From Netmon


How To Find a Spam Agent on Your Network

If you suspect a workstation on your network is sending spam, you can use Netmon to find which workstation is the culprit. Spam is sent over port 25 to various mail servers on the internet.

Note that this HOWTO only works if your Netmon device is sniffing traffic from your switch, because Netmon needs visibility into your network traffic. For instructions on setting up traffic sniffing, see http://wiki.netmon.ca/index.php/User_Guide:Monitoring_Network_Activity#How_Netmon_Monitors_Network_Traffic

Click on the Reports icon in the Netmon toolbar. From the Reports screen, choose the Bandwidth Consumption Report. Build the report with the following information:

Image:Screen21.jpg

By running this report you will see how much traffic was sent from each computer on your network over port 25. Order the report by the 'Total' column to see which computers have the highest amount of traffic sent. The computer at the top of the list is most likely the culprit. You may see your mail server (for example, a Microsoft Exchange server) near the top of the list. This is legitimate traffic. You are looking for a workstation which is sending a lot of traffic.

To drill down and see exactly which connections the workstation has been making, run a Network Activity Report, specify the workstation's IP address, and specify port 25. If you see a large list of connections to internet mail servers, this workstation is definitely the culprit.
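The same two-step triage can be reproduced outside Netmon on any flow export. The following is an added example, not Netmon code: the CSV layout, the sample records, the mail server address and the threshold are all constructed assumptions for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow records (src, dst, dst_port, bytes); this CSV layout
# is an assumption for the example, not Netmon's export format.
SAMPLE_FLOWS = """src,dst,dst_port,bytes
10.0.0.5,203.0.113.10,25,48000
10.0.0.5,198.51.100.7,25,52000
10.0.0.42,203.0.113.10,25,9000
10.0.0.42,198.51.100.7,25,8500
10.0.0.42,192.0.2.33,25,9100
10.0.0.42,192.0.2.80,25,8800
10.0.0.42,198.51.100.99,25,9300
10.0.0.17,203.0.113.10,25,1200
10.0.0.17,203.0.113.200,443,900000
"""

KNOWN_MAIL_SERVERS = {"10.0.0.5"}  # hypothetical: your legitimate mail server
SMTP_PORT = 25
MIN_DISTINCT_SERVERS = 4           # hypothetical threshold; tune to your network


def smtp_totals(flow_csv):
    """Per-source bytes and distinct destinations on port 25, ordered by total."""
    total = defaultdict(int)
    peers = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if int(row["dst_port"]) != SMTP_PORT:
            continue  # ignore everything that is not port 25 traffic
        total[row["src"]] += int(row["bytes"])
        peers[row["src"]].add(row["dst"])
    ranked = sorted(total, key=total.get, reverse=True)
    return [(src, total[src], len(peers[src])) for src in ranked]


def suspects(flow_csv):
    """Workstations (not known mail servers) talking SMTP to many servers."""
    return [src for src, _, n in smtp_totals(flow_csv)
            if src not in KNOWN_MAIL_SERVERS and n >= MIN_DISTINCT_SERVERS]


if __name__ == "__main__":
    for src, nbytes, n in smtp_totals(SAMPLE_FLOWS):
        tag = "mail server" if src in KNOWN_MAIL_SERVERS else "workstation"
        print(f"{src:<12} {nbytes:>8} bytes  {n} servers  ({tag})")
    print("suspects:", suspects(SAMPLE_FLOWS))
```

In the sample data the mail server tops the list by volume, as the text predicts, while the workstation below it stands out by the number of distinct mail servers it contacts.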

For more information about the Bandwidth Consumption Report or the Network Activity Report, see http://wiki.netmon.ca/index.php/User_Guide:Netmon_Reports
