Solved

NAT Address Blacklisted

Posted on 2006-06-26
3
447 Views
Last Modified: 2011-10-03
Looks like my NAT/PAT address has been blacklisted.

I have 10 vlans on my 6513 with a FWSM. Most of these VLANS are desktops. These desktops are PAT'ed to on address on my FWSM.
That address is showing up as blacklisted for SMTP.

One of my theories why is a developer using desktop to mass mail or a virus/worm doing some mass mailing from my desktop community.
We have our Exchange server statically NAT'ed and that address is in the same subnet but has not been blacklisted. This handles all approved email.

I need some direction on how I can find the desktops, if any, that are spewing SMTP to the internet on the PAT address.
 
I can sniff all outbound traffic on my external VLAN but it is too much traffic and the sniffer file becomes too large to work with in addition I am not sure when the suspect traffic is being sent.

I am sure I can block this traffic with an access list on the egress router or a security policy on my FWSM but I would like to find out what workstation may be doing any mass smtp mailing....

Any ideas would be helpful.

I was thinking of trying to only sniff the traffic for SMTP using a VACL and then spanning that VLAN to the sniffer but I can't think of how to do that...or if there is any easier way.

Thanks,
Mike
0
Comment
Question by:mmahaney
3 Comments
 
LVL 13

Assisted Solution

by:prashsax
prashsax earned 125 total points
ID: 16986577
Use Ethereal for sniffing and put a capture filter for port 25 only, also you can filter out your exchange IP address.

This will force ethereal to capture only SMTP traffic from desktop only and not from exchange.

Then you can easily identify the machine who is sending the SMTP traffic.




0
 
LVL 9

Accepted Solution

by:
NYtechGuy earned 125 total points
ID: 16986641

mmahaney-

You are correct in your statement:

> "I am sure I can block this traffic with an access list on the egress router or a security policy on my FWSM but I would like to find out what workstation may be doing   any mass smtp mailing...."

1. You should in fact block all outbound traffic with a destination port of 25.  This will allow you to begin removal from the blacklists.
2. Setup a SYSLOG application, to monitor the logs in real time from the firewall/router, etc (wherever you blocked port 25)
3. Check logs for the culprit machines.

I suggest the Kiwi products, they are great.  Run the "log viewer" against the logs that the SYSLOG viewer generates (a .txt file on your local PC) and you can search using whatever terms you need - and then they are highlighted for easy finding.

Thanks,

Justin

-------------LINKS-----------------

Kiwi SYSLOG Viewer:
http://www.kiwisyslog.com/syslog-info.php

Kiwi log viewer:
http://www.kiwisyslog.com/log-viewer-info.php


0
 

Author Comment

by:mmahaney
ID: 16986714
Good tips from both.
Once again I over thought it....not being real familar with Ethereal failed to see that I could filter what I captured, thought I could only filter after the capture was complete.

Thanks as always,
Mike
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question