Yesterday, when the Novarg / Mydoom virus broke out, we configured our NTOP system to watch for port 25 traffic only. The logic was that any system generating large amounts of port 25 SMTP traffic and showing up with a large number of users attributed to the machine was likely infected with an e-mail worm using source e-mail address spoofing.
Within 10 minutes of changing the filter we spotted our first internal infection (and thankfully our only one). We were able to contact the system owner and have them unplug the system from the network within minutes of the infection, helping limit the damage. Great job everyone. Thanks!

--
J. Eric Josephson
Director of Network and System Operations
978-720-2159
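The heuristic in the post above, written out as an added example (Python, not ntop code and not the poster's own script): keep only flows to port 25, then flag any source host that produces many SMTP flows and has many distinct sender addresses attributed to it. The flow records, IP addresses (documentation ranges) and thresholds are constructed for illustration. Two things are added beyond what the post describes, both labelled in the code: an allowlist for the site's real mail relay, which legitimately matches the same pattern, and a count of distinct destination hosts, since a mass-mailer that delivers straight to remote MX hosts stands out from a workstation that only ever talks to the internal relay.

```python
"""Port 25 worm-spotting heuristic from the post, as a standalone Python
example (added here; not ntop code and not the original poster's script).

The idea: a host that suddenly generates a lot of SMTP traffic and has many
different sender addresses attributed to it is probably running a mass-mailing
worm that spoofs its From: address.  Flow records below are constructed."""
from collections import defaultdict

SMTP_PORT = 25


def build_sample_flows():
    """Constructed flow records: (src_ip, dst_ip, dst_port, mail_from).
    Not real captures; addresses come from the documentation ranges."""
    flows = []
    # 10.0.0.50: a workstation behaving like an infected host, talking
    # directly to many external MX hosts with many spoofed senders.
    for i in range(40):
        flows.append(("10.0.0.50", f"203.0.113.{i % 30 + 1}", SMTP_PORT,
                      f"user{i % 25}@example.com"))
    # 10.0.0.10: the site's real mail relay, also busy with many senders.
    for i in range(60):
        flows.append(("10.0.0.10", f"198.51.100.{i % 20 + 1}", SMTP_PORT,
                      f"staff{i % 15}@example.com"))
    # 10.0.0.77: a normal workstation sending a few mails via the relay,
    # plus some web traffic that the port 25 filter should ignore.
    for _ in range(3):
        flows.append(("10.0.0.77", "10.0.0.10", SMTP_PORT, "alice@example.com"))
    flows.append(("10.0.0.77", "198.51.100.5", 80, ""))
    flows.append(("10.0.0.77", "198.51.100.6", 443, ""))
    return flows


def summarize_smtp(flows, port=SMTP_PORT):
    """Keep only flows to `port` (the post's 'port 25 only' filter) and
    count, per source host, flows, distinct destinations and distinct
    sender addresses attributed to that host."""
    stats = defaultdict(lambda: {"flows": 0, "dsts": set(), "senders": set()})
    for src, dst, dport, mail_from in flows:
        if dport != port:
            continue
        entry = stats[src]
        entry["flows"] += 1
        entry["dsts"].add(dst)
        if mail_from:
            entry["senders"].add(mail_from.lower())
    return dict(stats)


def flag_worm_hosts(flows, min_flows=20, min_senders=10, min_dsts=10,
                    allowlist=frozenset()):
    """Return {src_ip: counters} for hosts exceeding every threshold.

    Thresholds are illustrative.  `allowlist` holds the site's known mail
    relays, which legitimately match the same pattern; the check on distinct
    destinations is an extra signal (direct-to-MX delivery) beyond the post."""
    suspects = {}
    for src, entry in summarize_smtp(flows).items():
        if src in allowlist:
            continue
        if (entry["flows"] >= min_flows
                and len(entry["senders"]) >= min_senders
                and len(entry["dsts"]) >= min_dsts):
            suspects[src] = {"flows": entry["flows"],
                             "senders": len(entry["senders"]),
                             "dsts": len(entry["dsts"])}
    return suspects


if __name__ == "__main__":
    sample = build_sample_flows()
    for host, counters in flag_worm_hosts(sample, allowlist={"10.0.0.10"}).items():
        print(f"SUSPECT {host}: {counters}")
```

Run without the allowlist and the real relay 10.0.0.10 is flagged alongside the infected workstation, which is exactly the false positive a site has to tune out before paging anyone; with the relay allowlisted only 10.0.0.50 remains.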
