I am working on a Microsoft Exchange 2003 email server. Our mail server has a terrible spam problem, and I have a suspicion that one of our computers is infected by a spambot. What I'm trying to do is figure out which computer within our network is generating spam using wireshark.
What I tried doing is filtering the packets to TCP only, and then filtering the results down to tcp.port == 25 (port 25 is the SMTP port). Unfortunately I don't think that I have the filters set up right.
After filtering the data, the only "Source" ip from our network ip address was the mail exchange server itself. I'm thinking that either I set up the filters wrong, or that our mail server is the spambot (the latter seems unlikely).
Could someone help me figure out how to correctly filter Wireshark so that I can see all network packets going to port 25? Either that or let me know a better way to detect our network spambot
Thanks a lot for the help!