
How to Detect Email Worm


What Is an Email Worm

In networking, an email worm is a computer worm that copies itself to shared folders on the system and then keeps sending infected emails to random email addresses. In this way, it spreads quickly via SMTP mail servers.

What Is the Harm of Email Worm

An email worm can send a large number of infected emails in a very short time, and it will not stop until it is removed. It generates heavy traffic and slows the system down; sometimes it even makes the mail server crash.

How to Detect Email Worm

If you suspect that some hosts in your network are infected with an email worm, here is a step-by-step process for detecting the email worm in the network with Colasoft Packet Sniffer.

>Step 1. Download a free trial and deploy it properly.

>Step 2. Start a real-time capture.

>Step 3. Switch to the Diagnosis tab.
In the Diagnosis tab we can see all the network issues automatically detected by Colasoft Packet Sniffer; possible causes and solutions are also suggested.

If there is a host infected with an email worm, we should be able to see SMTP events in the application layer like this:

>Step 4. Locate the Source IP.
The source IP is probably the host infected with an email worm, because it is sending too many emails over SMTP in a short period of time. So let's locate the source IP in the Node Explorer window with the Locate shortcut in the right-click menu.

>Step 5. Switch to the Log tab.
Check whether the host is sending emails to a large number of recipients in a very short period of time. If so, we can conclude that the host is infected with an email worm and should be handled immediately. We should be able to see logs in the tab like this:

The final step, of course, is to isolate the host and remove the email worm with AV software.
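The check in Step 5 (one source IP reaching many distinct recipients within a short window) can also be automated over an SMTP log export. The script below is an added example and not part of the Colasoft article; it assumes a constructed log format of one line per RCPT TO command, "epoch-seconds source-ip recipient", and uses a per-source sliding window to flag mass mailers.

```python
"""Flag hosts that send mail to many distinct recipients in a short window.

Added example, not part of the Colasoft article. It assumes a simple
constructed log format: "<epoch seconds> <source ip> <rcpt address>",
one line per SMTP RCPT TO command seen on the wire.
"""
from collections import defaultdict, deque

# Constructed sample log: 10.0.0.7 sends to 6 recipients within 4 seconds
# (worm-like), while 10.0.0.5 sends two ordinary messages minutes apart.
SAMPLE_LOG = """\
1000 10.0.0.5 alice@example.com
1001 10.0.0.7 a@example.org
1002 10.0.0.7 b@example.org
1002 10.0.0.7 c@example.org
1003 10.0.0.7 d@example.org
1004 10.0.0.7 e@example.org
1005 10.0.0.7 f@example.org
1300 10.0.0.5 bob@example.com
"""

def parse_log(text):
    """Yield (timestamp, source_ip, recipient) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield int(parts[0]), parts[1], parts[2].lower()

def find_mass_mailers(text, window=60, threshold=5):
    """Return {source_ip: peak distinct recipients} for every source that
    reaches `threshold` distinct recipients within any `window`-second span.
    Each source keeps a deque of (ts, rcpt) pairs from the last `window`
    seconds; the distinct-recipient count is re-evaluated on every event."""
    recent = defaultdict(deque)
    peak = {}
    for ts, src, rcpt in sorted(parse_log(text)):
        q = recent[src]
        q.append((ts, rcpt))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = len({r for _, r in q})
        if distinct >= threshold and distinct > peak.get(src, 0):
            peak[src] = distinct
    return peak

if __name__ == "__main__":
    for ip, n in find_mass_mailers(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct recipients within 60s -- investigate this host")
```

Tune `window` and `threshold` to the normal mail volume of the network; a legitimate mail relay will need a much higher threshold than an ordinary workstation.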

There are other ways to detect an email worm with Colasoft Packet Sniffer; this is the shortest one.

Last Updated on Wednesday, 16 February 2011 06:56  
