Finding spammer on own network

  • Hi,

    I have PFSense running on a network and two days ago people started sending reports that emails can't be sent anymore. Yesterday evening I also got a report form the ISP that there are apparently large numbers of spam being sent from inside the network.
    Now my question is, is there any way of that PFSense could assist me in finding the spammer?
    Could I set a rule to pass traffic on port 25 and enable logging so that I could see where the spammer is? I checked he traffic graph and I can't seem to see any divination from normal traffic.

    Any idea?

    Thanks for the help and bye

  • Yes you can, but I think a better approach would be to place Untangle inbetween.  That gives you spam protection in both ways.  Oftenly SPAM from inside your network is not originated from your network, but likely your email server has become a (open) relay.

    Untangle can run in a bridge mode on a separate system.  YOu can get it from SourceForge of simple at


  • Darkstat might be helpful. NTOP is also helpful, but it's not 100% stable.
    I block all outgoing SMTP traffic, except from an alias list containing mail servers. That should be simple if you are in a business environment.

  • Unfortunately the mail server is hosted elsewhere so when users send email they connect to the ISPs smtp server and send via that server (not my idea). But the ISP has informed me that there is a significant increase in email traffic and as a precaution have blocked access to their smtp server. Now the problem is I'm not sure that there even is an infected machine on the LAN but rather the past few days the department has been informing their clients of some changes and have been sending large quantities of mail (happens once or twice a year) witch could have been interpreted as a significant increase of mail traffic.
    That is why I would like to see if there is a way to trap traffic to see if in fact there is some sort of virus on one of the machines on the LAN or if the whole thing is a mistake.

    I'll try with NTOP and Darkstat. I hope I'll figure out what is the problem.

    Thanks again.


  • If your users are behind your PFSense box, Untangle can track in and outbound SMTP, POP3, and IMAP (and all other protocols).

    Hope that helps….


  • I use pflowd and ManageEngines Netflow Analyzer which gives you 2 free collectors.  This will analyze all traffic passing through you wan connection in and out.  It will allow you to analyze all traffic coming in and out by IP or port/application and sort them to see which IP is sending the most traffic out and to which IP.  This will allow you to analyze if all traffic is going to your ISP and also from which IP's.  The traffic flow is updated on a per minute basis but the port and IP info is updated approximately every 10 minutes.  I am now running this at each of my customer sites and has really helped me analyze over time who are the heavy users on my network.

    ![smtp filter.PNG](/public/imported_attachments/1/smtp filter.PNG)
    ![smtp filter.PNG_thumb](/public/imported_attachments/1/smtp filter.PNG_thumb)

  • Hi,

    I was actually able to find the spammer quite easily since there was only one machine on the network running the whole time(the CEO's pc) and that had never been checked by anyone and it was the logical choice. And it was the right one.

    But kapara please tell me more about this method you used with pflowd and ManageEngines. Does it run on PFS, or a separate system and how do you get it to run.

    Thanks for the help.

  • Install pfflowd package, Install manageengines netflow analyzer on a server or PC.  Configure pfflowd to point to the ip of the machine with netflow analyzer.  make sure both are set to use port 9996.  Traffic should begin to show up in PC after about 10 minutes.  Make sure to unblock port 9996 on PC if using software firewall ie windows firewall.  Create an IP group for your subnet or you will not see both outbound and inbound throughput.  Set in/out bandwidth for interface and ip group.

Log in to reply