What tool or utility can I use to stop IP spoofing?
I'm running my mail server on a Windows 2000 SP4 server. Everything is working fine, but I've noticed recently that an SMTP server (or something pretending to be an SMTP server) keeps trying to connect and route mail to my real SMTP mail server. This is not a big deal normally, as I know many ways to block outside threats. But this particular "fake" SMTP server is identified as having an internal IP address of 10.0.0.10. There is only one NIC card with one IP address assigned to my mail server (my mail server's IP address is 10.0.0.3), so I'm confident that my own server is not trying to route mail to itself.
What I am very concerned about is that I may have a computer logged in to my network (behind my firewall and therefore directly connected to my LAN) that may have a bug or virus that is trying to route mail using its own SMTP engine to propagate itself. I do not use NetBIOS and I don't even have WINS turned on, as all of my PCs are W2K or WinXP. DNS does not have anything static assigned to 10.0.0.10, and my DHCP server would not have assigned this address, as its pool of addresses does not even begin until 10.0.0.75.
So my question is, what tool or utility can I use to determine what node on my network is using the IP address 10.0.0.10 and pretending to be an SMTP server?
Use Network Monitor on your mail server; this will give you the MAC address of the machine that is using this IP address. It sounds like the attacking machine is using IP spoofing to mask its source address, so in all likelihood it's actually _not_ a machine with that source IP. The MAC address will allow you to track down which machine is actually sending the rogue SMTP packets.
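To make the answer concrete, here is an added example (not part of the original answer, and not Network Monitor's own code) that does by hand what the answer asks the capture tool to do: it walks raw Ethernet frames, keeps only those aimed at TCP port 25, and records which source MAC address each claimed source IP actually arrives from. The frames, the MAC addresses and the mail server's MAC are constructed for the demo; in practice you would feed it frames saved from a capture on the mail server's NIC.

```python
import struct
from collections import defaultdict

ETH_HDR = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
SMTP_PORT = 25

def _mac(text):
    return bytes.fromhex(text.replace(":", ""))

def _ip4(text):
    return bytes(int(octet) for octet in text.split("."))

def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port):
    """Constructed Ethernet/IPv4/TCP SYN frame for the demo (no payload, checksums zeroed)."""
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0, _ip4(src_ip), _ip4(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def smtp_senders(frames):
    """Return {source_ip: [source MACs]} for every frame addressed to TCP/25."""
    seen = defaultdict(set)
    for f in frames:
        if len(f) < ETH_HDR + 20 or struct.unpack("!H", f[12:14])[0] != ETHERTYPE_IPV4:
            continue
        src_mac = ":".join(f"{b:02x}" for b in f[6:12])  # written by the NIC that put the frame on the LAN
        ip = f[ETH_HDR:]
        ihl = (ip[0] & 0x0F) * 4  # IP header length in bytes
        if ip[9] != IPPROTO_TCP or len(ip) < ihl + 4:
            continue
        src_ip = ".".join(str(b) for b in ip[12:16])  # the claimed (possibly spoofed) address
        dst_port = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
        if dst_port == SMTP_PORT:
            seen[src_ip].add(src_mac)
    return {ip_addr: sorted(macs) for ip_addr, macs in seen.items()}

# Constructed capture: two SMTP connection attempts claiming 10.0.0.10 and one unrelated HTTP frame.
MAIL_SERVER_MAC = "00:aa:bb:cc:dd:ee"  # hypothetical MAC of the mail server (10.0.0.3)
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:55", MAIL_SERVER_MAC, "10.0.0.10", "10.0.0.3", 1025, 25),
    build_frame("00:11:22:33:44:55", MAIL_SERVER_MAC, "10.0.0.10", "10.0.0.3", 1026, 25),
    build_frame("00:de:ad:be:ef:01", MAIL_SERVER_MAC, "10.0.0.80", "10.0.0.3", 3000, 80),
]

if __name__ == "__main__":
    for ip_addr, macs in smtp_senders(SAMPLE_FRAMES).items():
        print(f"{ip_addr} -> {', '.join(macs)}")
```

Once you have the MAC, match it against the switch's port/MAC table or the DHCP lease list to find the physical host; the spoofed 10.0.0.10 itself will not appear in either.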
This was first published in December 2003