Monitor SMTP Traffic

Thread: Monitor SMTP Traffic

  1. #1
    Junior Member
    Join Date
    Jul 2004
    Posts
    11

    Monitor SMTP Traffic

    I am an ISP having difficulties with SPAM messages being bounced back to me that are apparently coming from my server or are being spoofed. (I am running Red Hat, apache, etc.)

    Does anyone know of a good tool whereby I could monitor traffic through SMTP and search it later? I can manually sit there and watch it but don't really want to. I'd like to be able to just search the results each day for particular strings common to these errant messages.

    Thanks for any suggestions.

  2. #2
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    I guess it depends on what you want to do, but you could use something like tcpdump, setting the filters to only record 'tcp and port 25', do it verbosely, and save it in PCAP format. You could then look at it in something like ethereal... is that what you had in mind?
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Junior Member
    Join Date
    Jul 2004
    Posts
    11
    Yes, I believe so. Forgive my ignorance on the matter.

    Will this allow me to search the text of the emails that have come through for the particular string that I am interested in?

  4. #4
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    Assuming your system is able to see all traffic on your network (if you have a hub or this is the only system, then yes it can see all the traffic) and assuming you have it looking at the entire packet, yes you would be able to see all content of the email, be it binary or a simple string (it may take work to get the binary, depending on how it was attached to the email).

    Something like the following should work:

    tcpdump -vvv -w output 'tcp and port 25'


    Make sure you have plenty of disk space and make sure to keep an eye on the filesize. Also make sure that you have permission to do this as it can raise privacy/legal issues, depending on your environment. It will be saved as a binary file and this file can either be read by tcpdump at a later time for analysis or can be loaded by something like ethereal to do a little more in-depth decoding.
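The capture-then-search workflow described in this post, as an added example that is not from the thread: a stdlib-only Python reader for the file `tcpdump -w` produces, keeping only port-25 segments and reporting which connections carry a given string. The pcap it reads is constructed inline (zero checksums, one segment per connection), so it runs offline; on a real capture, pass the bytes of the `output` file instead.

```python
import struct

def _tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; harmless for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                        # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0,
                     64, 6, 0, bytes(src_ip), bytes(dst_ip))  # TTL 64, proto 6 = TCP
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Wrap frames in a classic pcap file (linktype 1 = Ethernet), the format tcpdump -w writes."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_090_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

def tcp_segments(pcap):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every TCP segment in a pcap."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                                # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # not IPv4, or not TCP
            continue
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        yield src, dst, sport, dport, tcp[data_off:]

def smtp_hits(pcap, needle):
    """(src_ip, dst_ip) of port-25 segments whose payload contains needle, case-insensitively."""
    n = needle.lower().encode()
    return [(s, d) for s, d, sp, dp, p in tcp_segments(pcap)
            if 25 in (sp, dp) and n in p.lower()]

# Constructed capture: an SMTP DATA segment carrying a marker string, a clean SMTP
# segment, and an HTTP segment that the port-25 filter must ignore.
SAMPLE_PCAP = build_pcap([
    _tcp_frame((10, 0, 0, 5), (192, 0, 2, 25), 40001, 25,
               b"Subject: hello\r\n\r\nbody with CONSTRUCTED-SPAM-MARKER\r\n.\r\n"),
    _tcp_frame((10, 0, 0, 5), (192, 0, 2, 25), 40002, 25, b"MAIL FROM:<a@example.net>\r\n"),
    _tcp_frame((10, 0, 0, 5), (192, 0, 2, 80), 40003, 80, b"GET / CONSTRUCTED-SPAM-MARKER\r\n"),
])
```

Matching on single segments is enough to point at the offending connection; a message split across several segments would need TCP stream reassembly before the search.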

  5. #5
    Junior Member
    Join Date
    Jul 2004
    Posts
    11
    I'm on a VPS and apparently the tcpdump command has been disabled... ergh... any other suggestions other than get a dedicated server?

  6. #6
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    I am not familiar with what 'VPS' stands for; regardless, if you don't have root then you won't be able to monitor the interface. If you don't have your own system or access to the network (as in devices, switches, routers, etc.), then you should report it to someone with the access to do the monitoring properly and according to the rules, terms of use, and regulations of your network provider. Otherwise, you could wind up getting in a lot of trouble very quickly.

  7. #7
    Junior Member
    Join Date
    Jul 2004
    Posts
    11
    A VPS means "Virtual Private Server".

    It's a setup whereby multiple people can share a dedicated server and have limited root access. I can do a lot in bash, but apparently tcpdump isn't one of them... I have the ability to read every email in the queue right now, but that would be a really tedious affair, so I was looking for a simpler method.

  8. #8
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Because you are using a "V" server, you should still be able to edit the mail server config. Which mail server are you using?

    You can probably use something like a procmail recipe to have all outgoing mail sent to a mailbox and have it delivered to the intended destination. Keep in mind there are privacy concerns to this and if it's not already part of your SLA (Service Level Agreement), you may be opening yourself up to legal problems.

    Do you use any sort of SMTP authentication? Maybe you can use a combination of time stamps and log entries to try to narrow down which users might be your problem.

    If you don't already use any sort of SMTP authentication, you have several options open to you.

    POP Before SMTP is an example. For Sendmail I have used this in the past.
    http://sourceforge.net/projects/poprelay

    Easy to configure and does not require clients to edit their SMTP authentication settings, which is nice if you have many users.

  9. #9
    Junior Member
    Join Date
    Jul 2004
    Posts
    11
    I use Exim.

    Could you explain Pop before SMTP?

  10. #10
    Some Assembly Required ShagDevil
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    Croaking,
    I'm not entirely sure these kinds of programs are what you're looking for, but take a look at these two and let me know if it's close to what you have in mind.
    Mail Box Dispatcher
    Spamihilator
    Both seem to offer a text filter so you can look for specific words within the body of an email.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton
