How to detect an email worm with Capsa network analyzer 7?

July 22nd, 2010

In networking, an email worm is a computer worm that copies itself to shared folders on the system and keeps sending infected emails to random email addresses. In this way it spreads quickly through SMTP mail servers. An email worm can send a large number of infected emails in a very short time, and it will not stop until it is removed. It generates heavy traffic and slows the system down; sometimes it even crashes the mail server. This article aims to teach you how to detect an email worm with Capsa network analyzer 7.

About Capsa 7

Capsa 7 is the flagship product of Colasoft. It is based on the second-generation Colasoft Packet Analysis Engine (CSPAE), which substantially improves data processing speed and guarantees analysis performance on high-traffic networks. Several unique features and ideas are introduced in Capsa 7. One is Network Profile, which lets users set and save network profiles for different environments (departments, clients), making their analysis more customized, accurate and efficient. Another prominent feature is Analysis Profile, which provides flexible, extensible and effective analysis based on the user's analysis objectives.

Step 1 of detecting an email worm with Capsa network analyzer 7: Diagnosis tab

In the Diagnosis tab we can see all the network issues automatically detected by Capsa network analyzer 7, together with suggested causes and solutions.
[Figure: Diagnosis tab]

If a host is infected with an email worm, we should be able to see SMTP events in the application layer like this:
[Figure: Diagnosis events]

Step 2 of detecting an email worm with Capsa network analyzer 7: Locate the source IP

The source IP is most likely the host infected with the email worm, since it is sending too many emails over SMTP in a short period of time. So let's locate the source IP in the Node Explorer window with the Locate shortcut in the right-click menu.

Step 3 of detecting an email worm with Capsa network analyzer 7: Log tab

Check whether the host is sending emails to a large number of recipients in a very short period of time. If so, we can determine that the host is infected with an email worm and should be handled immediately. We should be able to see logs in the tab like this:
[Figure: Log tab]
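The rule applied across the three steps above (one internal host handing many distinct recipients to the SMTP server inside a short time window) can also be checked outside the GUI. The following Python script is an added example written for this post; it is not Capsa's code or Colasoft's, and the log format it parses (timestamp, source IP, destination IP, RCPT TO address) is an assumed one modelled on what an SMTP log tab typically shows. The sample log lines are constructed: one host sending three mails a few minutes apart and one host spraying thirty recipients in under a minute.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape: "YYYY-MM-DD HH:MM:SS <src> -> <dst> RCPT TO:<address>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) -> (\S+) RCPT TO:<([^>]+)>$"
)


def _build_sample_log():
    """Constructed sample data (not a real capture)."""
    lines = [
        # A normal host: three recipients, minutes apart.
        "2010-07-22 10:00:01 192.168.1.10 -> 10.0.0.5 RCPT TO:<alice@example.com>",
        "2010-07-22 10:03:15 192.168.1.10 -> 10.0.0.5 RCPT TO:<bob@example.com>",
        "2010-07-22 10:07:42 192.168.1.10 -> 10.0.0.5 RCPT TO:<carol@example.com>",
    ]
    # A worm-like host: 30 distinct recipients, one every two seconds.
    base = datetime(2010, 7, 22, 10, 5, 0)
    for i in range(30):
        ts = (base + timedelta(seconds=2 * i)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{ts} 192.168.1.25 -> 10.0.0.5 RCPT TO:<user{i}@example.org>")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_smtp_log(text):
    """Return a list of (timestamp, src_ip, dst_ip, recipient) tuples.

    Lines that do not match the assumed format are skipped rather than
    raising, so a partially garbled export does not abort the scan.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_suspect_hosts(events, window=timedelta(seconds=60), threshold=20):
    """Flag source hosts that reach `threshold` distinct recipients within `window`.

    A sliding window per host keeps a count of each recipient currently inside
    the window; the peak number of distinct recipients is what gets compared
    against the threshold. Returns {host: peak_distinct_recipients}.
    """
    by_host = defaultdict(list)
    for ts, src, _dst, rcpt in events:
        by_host[src].append((ts, rcpt))

    suspects = {}
    for host, items in by_host.items():
        items.sort()  # chronological order; exports are not always sorted
        in_window = defaultdict(int)  # recipient -> occurrences inside window
        start = 0
        peak = 0
        for ts, rcpt in items:
            in_window[rcpt] += 1
            # Drop events that fell out of the window as it slides forward.
            while ts - items[start][0] > window:
                old = items[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            suspects[host] = peak
    return suspects


if __name__ == "__main__":
    evts = parse_smtp_log(SAMPLE_LOG)
    for host, peak in find_suspect_hosts(evts).items():
        print(f"{host}: {peak} distinct recipients within 60 s - investigate")
```

The window and threshold are tuning knobs: a mail relay or a mailing-list server legitimately exceeds them, so exclude known senders before raising an alert, and confirm on the flagged host (as Step 3 does in the Log tab) before isolating it.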

No doubt the final step is to isolate the host and remove the email worm with AV software. So now you know how to detect an email worm with Capsa network analyzer 7. A free trial of Capsa network analyzer 7 is available at http://www.colasoft.com/.