Is it possible to monitor all outbound emails from our office? We don't host any websites, but the devs will have local sites setup, and all staff use Oulook and other email clients. Something is sending out spam - we've just seen we're blacklisted ... but I need to pipoint who and what in the office of 25 computers is doing it!
Any suggestions totally welcome! I'm using MX64, MS220 and MR32 kit here.
How do you know that spam is originating from your network? Is it solely due to the blacklisting?
Where does your mail server live? Is it local or hosted?
Also, what's the subnet size on your WAN links? If that subnet includes more clients than just you, and you only know from being blacklisted... it could be someone else's bad behavior.
Hey Nash! Thanks for the quick reply 🙂
How do we know? I looked up our external IP at https://www.abuseat.org/
We don't have mail servers in the office at the blacklisted IP - all mail is hosted on O365 in the cloud.
The IP address covers just our office and nothing else - does that answer your question? Eeek!
You could allow specific legitimate devices access to SMTP ports. (Often necessary on printers that scan to email.)
You could then block all SMTP ports outbound for everything else.
If something breaks, then the owner of the broken object can work with you to evaluate and resolve.
I would do a packet capture with the filter "port 25" on your MX LAN interface. Do a long one. They will show up devices sending using port 25.
Another easy approach is to use traffic analysis. Although this means switch, it is the same process to turn on for your MX.
Wait a while for the statistics to build. Then go "Network Wide/Traffic analytics". You'll probably see a category talking about SMTP or email. Click on that. The list you see now is the hosts sending SMTP. The host sending heaps more than any other host is the problem.