Re-Listed on Blacklist, even AFTER closing port 25.

As i mentioned in my original post. Port 25 has been closed via the SonicWall in the WAN to LAN access rules setting. I closed the port when we were originally blacklisted. Here we are again :P.

The SonicWall has built-in anti spam. It isn't licensed though, will look into that tomorrow.

25, 26, 587, and 2525 seem to be COMMON SMTP ports. Anyone can set up an SMTP server on any port and start sending out emails.

Whats to stop the virus from using a different port? Anyone can set up an SMTP server and start sending out mails...

As mentioned, Network Solutions seems to be the only email host having a problem. We are INDEED on a few blacklists though. I have verified this using MXToolbox. They seem to block the ORIGINATING IP of the emails rather then the SMTP server sending them out. Thus making this a bigger headache...

LAN to WAN needs to be blocked.  Port 25 traffic from the local network (the office building) must not be allowed to the outside world.

Allowing (or not allowing) port 25 traffic into the building doesn't get you on (or off) any blacklists.  WAN to LAN blocking of port 25 isn't going to help solve the problem.

You wrote:  Anyone can set up an SMTP server and start sending out mails...
That is why outgoing traffic on port 25 needs to be shut down, except for legitimate mail servers

(It is true that you can send out spam using any port you like, but mail servers typically listen on port 25.  So, if a spammer were to use some other port to send out spam, his spam would go nowhere - mail servers are not configured to listen on every port, they do use port 25, which is the port used for SMTP traffic)

As for the Sonicwall's spam filtering - it might be able to help, but most firewalls block/filter incoming mail, they typically are not able to block/filter outgoing mail.  And outgoing mail is what you need to control.  Make sure the Sonicwall has this capability before you commit to licensing this feature.

Ops, that was a typo on my part. I have denied access on port 25 from LAN to WAN.

I will edit my origination post to prevent further misunderstandings.

Port 25 is closed for OUTGOING connections. I have tested this using various tools but also configuring a mail client to use port 25. It is unable to connect.

If you have blocked outgoing port 25 traffic, then all you have left to do now is cleanup the mess.

(If you have the time, it would be a good idea to have some kind of monitoring on the network to see where this s#@! originally came from.  Even though shutting down outgoing port 25 stops the spam from leaving your network, the zombie PC is still trying to send, and is bombarding your Sonicwall with port 25 traffic)

Unfortunately for you, this means you should contact these block lists, and request removal.  Most of them do not make this an easy process.  If you do not do this, then your IP address will eventually drop out of the dynamic block lists in time.

This problem came up last Wednesday-Thursday. By Friday we had been removed from the blacklists, and by Saturday, everything was fine and working as it should.

Here we are on Tuesday right back where we started.

Port 25 was closed Friday. It has been closed since and is closed right now.

Also, when firewalls are overwhelmed, they normally have two options: block all traffic, or pass all traffic.  In either case you should be able to enable/view log files and address the issue directly.

I guess the next place to look is at the exceptions.  Who is allowed to use port 25 to the outside world?  Is it a single IP address, or a whole subnet?  (Exceptions should only be made for specific IP addresses, not whole subnets)
(This could get a little tricky, asking a tenant whether his mail server is secure or not.  And, he might not even know if it isn't.  Plus, most likely they aren't going to invite you to take a look and see)

Port 25 is blocked for everyone, the entire network. Only place it is not blocked is from a copier in the copy room. Tenants occasionally use this to scan a document and email it to themselves. I have checked this though and on average it is used maybe 3 times a day.

Within the SonicWall, i have port 25 on LAN to WAN set to DENY ACCESS on ANY CONNECTION
I also have it set to ALLOW port 25 on the copier's IP, and that IP only.

Like i have said, i have tested all this and port 25, outbound, really really is closed.

Perhaps the agency that blacklisted you can provide a log of malicious traffic from your public ip to confirm that port 25 was the only attack destination port.  If so, they should have no more issues with your network.

Well, if port 25 traffic is blocked for everyone, then what does it matter if that IP address is on a blacklist?  :-)

The only thing that is negatively impacted now then is the printer.  It will be blocked by many email systems regardless of whether it is on any block lists because it most likely does not have a reverse DNS record.  

As previously mentioned, Network Solutions is the only email provider having an issue with us. They reference at least 2 of the blacklists we are listed on, and update their security accordingly.

Port 25 IS closed for all IP's other then the copy room printer, which works fine for everything with the exception of those using network solutions. As the email being sent by the copier originates from the buildings blacklisted IP.

The printer, I suppose, could be your villain.

"Port 25 is blocked for everyone, the entire network. Only place it is not blocked is from a copier in the copy room. Tenants occasionally use this to scan a document and email it to themselves. I have checked this though and on average it is used maybe 3 times a day."
08/05/09 01:49 AM, ID: 25021254

No one reads what i write :P

Every word. Both postings.  You too huh?

I guess the next step is to look at which block lists your IP address is on, and see why the printer made it to their list.  Most of them have some kind of interface that *might* have a list of reasons why your IP is listed.  Some of them do have a way for you to request to be removed (as you are probably familiar with by now).  

I suspect that the main reason (unless your printer has been pwned by a virus - unlikely, just kidding) for ending up on those blacklists is because of a lack of a reverse DNS record, or the "From" address that it is using.  You might be able to get your ISP to create a reverse DNS record for you, but I don't know what you can do about the "From" address.

I seriously hope you were able to tell that I was talking about the copier when I said printer.

Um, yeah, copier, not printer.  My bad.

The lines blur these days - copier, printer, mopier.


Just out of curiosity,what does the copier use as its "From" address?

Its set up to use an email provided by our ISP. It must use SMTP port 25, as the copier setup menus don't allow you to change it.

Maybe your ISP can help out by providing an SMTP proxy (smart host) for your copier to send mail through?

To answer a question of yours from earlier, what stops a program from sending smrtp on a different port is just programming and tcp knowledge.  The stmp server has to know to listen on certain ports for certain protocols.  Since 25 and 587 are standard, it would be a waste of time to have email sending to port numbers of other protocols...the server would terminate the connection based on tcp providing unexpected information.  I would look to the black-lister for a malicious traffic report.  Then adjust your network, refute the report, or both.