Solved

NAT Address Blacklisted

Posted on 2006-06-26
3
450 Views
Last Modified: 2011-10-03
Looks like my NAT/PAT address has been blacklisted.

I have 10 vlans on my 6513 with a FWSM. Most of these VLANS are desktops. These desktops are PAT'ed to on address on my FWSM.
That address is showing up as blacklisted for SMTP.

One of my theories why is a developer using desktop to mass mail or a virus/worm doing some mass mailing from my desktop community.
We have our Exchange server statically NAT'ed and that address is in the same subnet but has not been blacklisted. This handles all approved email.

I need some direction on how I can find the desktops, if any, that are spewing SMTP to the internet on the PAT address.
 
I can sniff all outbound traffic on my external VLAN but it is too much traffic and the sniffer file becomes too large to work with in addition I am not sure when the suspect traffic is being sent.

I am sure I can block this traffic with an access list on the egress router or a security policy on my FWSM but I would like to find out what workstation may be doing any mass smtp mailing....

Any ideas would be helpful.

I was thinking of trying to only sniff the traffic for SMTP using a VACL and then spanning that VLAN to the sniffer but I can't think of how to do that...or if there is any easier way.

Thanks,
Mike
0
Comment
Question by:mmahaney
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 13

Assisted Solution

by:prashsax
prashsax earned 125 total points
ID: 16986577
Use Ethereal for sniffing and put a capture filter for port 25 only, also you can filter out your exchange IP address.

This will force ethereal to capture only SMTP traffic from desktop only and not from exchange.

Then you can easily identify the machine who is sending the SMTP traffic.




0
 
LVL 9

Accepted Solution

by:
NYtechGuy earned 125 total points
ID: 16986641

mmahaney-

You are correct in your statement:

> "I am sure I can block this traffic with an access list on the egress router or a security policy on my FWSM but I would like to find out what workstation may be doing   any mass smtp mailing...."

1. You should in fact block all outbound traffic with a destination port of 25.  This will allow you to begin removal from the blacklists.
2. Setup a SYSLOG application, to monitor the logs in real time from the firewall/router, etc (wherever you blocked port 25)
3. Check logs for the culprit machines.

I suggest the Kiwi products, they are great.  Run the "log viewer" against the logs that the SYSLOG viewer generates (a .txt file on your local PC) and you can search using whatever terms you need - and then they are highlighted for easy finding.

Thanks,

Justin

-------------LINKS-----------------

Kiwi SYSLOG Viewer:
http://www.kiwisyslog.com/syslog-info.php

Kiwi log viewer:
http://www.kiwisyslog.com/log-viewer-info.php


0
 

Author Comment

by:mmahaney
ID: 16986714
Good tips from both.
Once again I over thought it....not being real familar with Ethereal failed to see that I could filter what I captured, thought I could only filter after the capture was complete.

Thanks as always,
Mike
0

Featured Post

How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For many of us, the  holiday season kindles the natural urge to give back to our friends, family members and communities. While it's easy for friends to notice the impact of such deeds, understanding the contributions of businesses and enterprises i…
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question