Solved

NAT Address Blacklisted

Posted on 2006-06-26
3
444 Views
Last Modified: 2011-10-03
Looks like my NAT/PAT address has been blacklisted.

I have 10 vlans on my 6513 with a FWSM. Most of these VLANS are desktops. These desktops are PAT'ed to on address on my FWSM.
That address is showing up as blacklisted for SMTP.

One of my theories why is a developer using desktop to mass mail or a virus/worm doing some mass mailing from my desktop community.
We have our Exchange server statically NAT'ed and that address is in the same subnet but has not been blacklisted. This handles all approved email.

I need some direction on how I can find the desktops, if any, that are spewing SMTP to the internet on the PAT address.
 
I can sniff all outbound traffic on my external VLAN but it is too much traffic and the sniffer file becomes too large to work with in addition I am not sure when the suspect traffic is being sent.

I am sure I can block this traffic with an access list on the egress router or a security policy on my FWSM but I would like to find out what workstation may be doing any mass smtp mailing....

Any ideas would be helpful.

I was thinking of trying to only sniff the traffic for SMTP using a VACL and then spanning that VLAN to the sniffer but I can't think of how to do that...or if there is any easier way.

Thanks,
Mike
0
Comment
Question by:mmahaney
3 Comments
 
LVL 13

Assisted Solution

by:prashsax
prashsax earned 125 total points
Comment Utility
Use Ethereal for sniffing and put a capture filter for port 25 only, also you can filter out your exchange IP address.

This will force ethereal to capture only SMTP traffic from desktop only and not from exchange.

Then you can easily identify the machine who is sending the SMTP traffic.




0
 
LVL 9

Accepted Solution

by:
NYtechGuy earned 125 total points
Comment Utility

mmahaney-

You are correct in your statement:

> "I am sure I can block this traffic with an access list on the egress router or a security policy on my FWSM but I would like to find out what workstation may be doing   any mass smtp mailing...."

1. You should in fact block all outbound traffic with a destination port of 25.  This will allow you to begin removal from the blacklists.
2. Setup a SYSLOG application, to monitor the logs in real time from the firewall/router, etc (wherever you blocked port 25)
3. Check logs for the culprit machines.

I suggest the Kiwi products, they are great.  Run the "log viewer" against the logs that the SYSLOG viewer generates (a .txt file on your local PC) and you can search using whatever terms you need - and then they are highlighted for easy finding.

Thanks,

Justin

-------------LINKS-----------------

Kiwi SYSLOG Viewer:
http://www.kiwisyslog.com/syslog-info.php

Kiwi log viewer:
http://www.kiwisyslog.com/log-viewer-info.php


0
 

Author Comment

by:mmahaney
Comment Utility
Good tips from both.
Once again I over thought it....not being real familar with Ethereal failed to see that I could filter what I captured, thought I could only filter after the capture was complete.

Thanks as always,
Mike
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now