What I am very concerned about is that I may have a computer, logged in to my network (behind my firewall and therefore directly connected to my LAN) that may have a bug or virus that is trying to route mail using its own SMTP engine to propagate itself. I do not use NETBios and I don't even have WINS turned on as all of my PCs are W2K or WinXP. DNS does not have anything static assigned to 10.0.0.10 and my DHCP server would not have assigned this address as it's pool of addresses do not even begin until 10.0.0.75.
So my question is, what tool or utility can I use to determine what node on my network is using the IP Address of 10.0.0.10 and pretending to be an SMTP server?
Use Network Monitor on your mail server, this will give you the MAC address of the machine that is using this IP address. It sounds like the attacking machine is using IP Spoofing to mask its source address, so in all likelihood it's actually _not_ a machine with that source IP. The MAC address will allow you to track down which machine is actually sending the rogue SMTP packets.
This was first published in December 2003