How can I scan my network's MAC addresses?
jfobart
Forum Regular
Join Date: Mar 2004
Mar 13, 2009, 06:24 PM
 
The webhost I use for my personal email (different company from my work site/email) has automatically put me on their blocklist because something from my network is hitting their server about 80-100x per minute. They can only pull the IP (which is the dedicated IP I have through AT&T) and the MAC address out of their log file.

So I have the MAC address that keeps hitting the webhost, but none of my machines' NICs match that MAC address - so where else can I look? Or is there a utility I can use to scan all the MAC addresses on my network?

Here's a quick breakdown of my setup:

AT&T dedicated IP -> AT&T provided 2Wire DSL modem -> Apple Time Capsule -> gigabit switch

On the switch I have the following devices:
1. G5 tower #1 (my desktop work machine)
2. G5 tower #2 (server in the closet, just a file server for local files, connected to a couple multidrive SATA boxes)
3. Dish Network HD DVR

Over wireless (via the Time Capsule) I have:
1. Macbook
2. Macbook Pro
3. iPhone

Now none of the wireless clients are constantly on, yet apparently the "hits" on the host's servers are.... so I'm thinking that rules out the laptops and iPhone (because it leaves the house with me a lot for work).


Anybody have any ideas or suggestions? I appreciate your help... Thanks everyone!
A couple MacPro's, a MacBook Pro, a PC, and an iPod.
     
Tomchu
Mac Elite
Join Date: Sep 2005
Mar 13, 2009, 06:50 PM
 
Simply put, the MAC address is not something that will leave your internal network. Only your ISP-assigned IP address will be visible to the receiving end. I don't know what MAC address they're putting in their log files, but it's not anything of yours.

Does the IP they have match what you get when you go to something like whatismyip.com? If it is, then you probably have some kind of spam script running on one of your G5 towers, or someone is using your WiFi network. Disable the WiFi for a day or so and ask the admins on the other side if the spamming stopped. If it hasn't, then your towers are probably the culprits -- or the admins at your webhost are simply clueless and your network isn't actually at fault.
     
seanc
Moderator Emeritus
Join Date: Apr 2005
Location: Cambridge, UK
Mar 13, 2009, 07:23 PM
 
It sounds to me like there's a Windows host attached to your network, sending out spam by means of a virus/trojan.

Check to see if your IP address is on here: http://www.mxtoolbox.com/blacklists.aspx
     
mduell
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Mar 13, 2009, 07:57 PM
 
IP could be spoofed.

Could be another client on your wireless network you don't know about.

The MAC they see could be the WAN side of your router.

It could be your mail client malfunctioning.

Run arp -a in terminal to see if your computer has had contact with that MAC.
     
Tomchu
Mac Elite
Join Date: Sep 2005
Mar 14, 2009, 02:02 AM
 
Originally Posted by mduell:
"IP could be spoofed."
Nope. Packets would make it back to the spoofed IP, which wasn't expecting them, and thus would discard them. The real attacker would never be able to finish the SMTP conversation.

Originally Posted by mduell:
"The MAC they see could be the WAN side of your router."
Also wrong. Network devices only see/know the MAC addresses of devices on the same subnet. The 'from' MAC address field in every Ethernet frame making hops around the Internet gets replaced with that of the device of the last hop.
     
mduell
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Mar 14, 2009, 06:02 PM
 
Originally Posted by Tomchu:
"Nope. Packets would make it back to the spoofed IP, which wasn't expecting them, and thus would discard them. The real attacker would never be able to finish the SMTP conversation."
The "attack" the OP described sounded like a SYN flood, not a complete SMTP conversation.
     
dimmer
Mac Enthusiast
Join Date: Feb 2006
Mar 14, 2009, 09:34 PM
 
"I don't know what MAC address they're putting in their log files, but it's not anything of yours."

The only MAC address they'll see is from whatever the last hop router/switch their server is connected to. In other words, pretty much useless for any form of diagnosis. Most likely, something somewhere is sending out traffic with your IP address being faked / "spoofed". Nothing you can do about this. More worrisome is that your host thinks the MAC address is in some form or fashion important in this situation. I'd highly suggest finding another host who are a little more competent.
     
dimmer
Mac Enthusiast
Join Date: Feb 2006
Mar 14, 2009, 09:36 PM
 
BTW, to find out what MAC addresses are in use on your network, just run tcpdump and ping the broadcast address of your network.
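
Added example (not part of any post in this thread): a shell helper for the `arp -a` check and the broadcast-ping tip mentioned above. A plain text search for a MAC copied from a log often misses, because macOS `arp -a` prints octets without leading zeros and logs may use hyphens or uppercase. The function names `norm_mac` and `find_mac`, the variable `SAMPLE_ARP`, and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Canonicalise a MAC: lowercase, ':' separators, two hex digits per octet.
# Prints nothing and returns 1 if the input is not a 6-octet MAC.
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F-' 'a-f:' | awk -F: '
        NF != 6 { exit 1 }
        {
            out = ""
            for (i = 1; i <= 6; i++) {
                if ($i !~ /^[0-9a-f][0-9a-f]?$/) exit 1
                out = out (i > 1 ? ":" : "") (length($i) == 1 ? "0" $i : $i)
            }
            print out
        }'
}

# Read `arp -a` output on stdin and print "IP MAC" for each entry whose
# MAC equals $1. Returns 0 on a match, 1 on no match, 2 on a bad argument.
find_mac() {
    want=$(norm_mac "$1") || { echo "not a MAC address: $1" >&2; return 2; }
    found=1
    while read -r _host ip _at mac _rest; do
        got=$(norm_mac "$mac") || continue   # skips "(incomplete)" entries
        if [ "$got" = "$want" ]; then
            ip=${ip#\(}; ip=${ip%\)}         # strip the parentheses around the IP
            echo "$ip $got"
            found=0
        fi
    done
    return $found
}

# Constructed sample in the style of macOS `arp -a` output.
SAMPLE_ARP='? (192.168.1.1) at 0:1f:f3:aa:bb:1 on en0 ifscope [ethernet]
? (192.168.1.64) at 0:1b:63:a:b:c on en0 ifscope [ethernet]
? (192.168.1.70) at (incomplete) on en0 ifscope [ethernet]
? (192.168.1.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]'

# The MAC as it might be written in a log (constructed value).
printf '%s\n' "$SAMPLE_ARP" | find_mac "00-1B-63-0A-0B-0C" || echo "no match"
```

On a live machine, pipe the real table in with `arp -an | find_mac <mac-from-log>`. The ARP cache only holds hosts this machine has recently exchanged traffic with, so pinging the subnet broadcast address first populates it with more of the local devices.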
     
All times are GMT -4.