tcpdump: how to monitor SMTP traffic abuse from LAN?

Question

I am the sysadm of a small enterprise.

Our company has quite loose security policies, despite my many recommendations... :-) I can't control what's installed on client desktops.

I would like to setup a monitor to be - at least - warned (by email, for example) that spam email is originated from our domain... (problem already happened in the past... :-()

I have currently come to this command:

tcpdump -v -s 1500 -i eth0 port 25 2> /dev/null | grep --line-buffered 'smtp: S' | perl -MPOSIX -pe 'print strftime "%F %T", localtime; print " "; s/(.*?\)) (.*?)\.\d+ \>(.*)/$2/;'

Which simply prints out each connection to port 25 (timestamp and client name).

Is there a reliable check I can perform on this output to identify SMTP abuse?

Or, are there better approaches to this problem?

Answer 1

We simply block SMTP at the firewall except for know good mail servers. Then all email leaving the network must go through the mail server and be authenticated by some user. If you don't host the mail server locally, you can simply block SMTP for everything and be done. At the mail server, your can more easily narrow in on who is sending spam if you're getting a report to that regard using the headers they provide.