Solved

NAT Address Blacklisted

Posted on 2006-06-26
Last Modified: 2011-10-03
Looks like my NAT/PAT address has been blacklisted.

I have 10 VLANs on my 6513 with a FWSM. Most of these VLANs are desktops. These desktops are PAT'ed to one address on my FWSM.
That address is showing up as blacklisted for SMTP.

One of my theories is that a developer is using a desktop to mass mail, or a virus/worm is doing some mass mailing from my desktop community.
We have our Exchange server statically NAT'ed and that address is in the same subnet but has not been blacklisted. This handles all approved email.

I need some direction on how I can find the desktops, if any, that are spewing SMTP to the internet on the PAT address.
 
I can sniff all outbound traffic on my external VLAN, but it is too much traffic and the sniffer file becomes too large to work with; in addition, I am not sure when the suspect traffic is being sent.

I am sure I can block this traffic with an access list on the egress router or a security policy on my FWSM, but I would like to find out what workstation may be doing any mass SMTP mailing.

Any ideas would be helpful.

I was thinking of trying to only sniff the traffic for SMTP using a VACL and then spanning that VLAN to the sniffer, but I can't think of how to do that, or whether there is an easier way.

Thanks,
Mike
Question by:mmahaney
3 Comments
 
Assisted Solution by: prashsax (ID: 16986577)
Use Ethereal for sniffing and put a capture filter for port 25 only; you can also filter out your Exchange IP address.

This will force Ethereal to capture only SMTP traffic from the desktops and not from Exchange.

Then you can easily identify the machine that is sending the SMTP traffic.
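The capture filter prashsax describes, spelled out as a worked example added here (it is not code from the thread or from Ethereal): in Ethereal/tcpdump syntax the filter is `tcp dst port 25 and not host <exchange-ip>`. The script below reimplements exactly those field checks over a handful of constructed Ethernet/IPv4/TCP frames, so you can see what the filter keeps and discards, then counts outbound SYNs per source and how many distinct mail servers each source touched (a mass mailer talks to many destinations, an ordinary mail client to one), and packs the reduced set into a libpcap file that opens in Ethereal. All addresses are documentation ranges chosen for illustration, not the poster's.

```python
"""Added example: reimplement the Ethereal capture filter
'tcp dst port 25 and not host <exchange>' over constructed frames,
rank the talkers, and save the filtered frames as a pcap."""
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10

EXCHANGE = "192.0.2.25"  # assumed public address of the Exchange static NAT
# What you would type into Ethereal's capture filter box (tcpdump/BPF syntax).
CAPTURE_FILTER = "tcp dst port 25 and not host " + EXCHANGE


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_packet(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame with no payload (sample input only)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     ip_bytes(src), ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def matches_smtp_filter(frame, exclude_host):
    """Same tests BPF performs for CAPTURE_FILTER: IPv4, TCP, dst port 25,
    and 'not host X', which rejects X as source OR destination."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return False
    ihl = (frame[14] & 0x0F) * 4          # IP header length, options included
    if frame[14 + 9] != IPPROTO_TCP or len(frame) < 14 + ihl + 20:
        return False
    if ip_bytes(exclude_host) in (frame[26:30], frame[30:34]):
        return False
    dport = struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]
    return dport == 25


def rank_smtp_senders(frames, exclude_host):
    """[(src_ip, syn_count, distinct_destinations)] sorted by SYN count.
    Only SYNs without ACK are counted, i.e. connection attempts, not replies."""
    syns = Counter()
    dests = {}
    for f in frames:
        if not matches_smtp_filter(f, exclude_host):
            continue
        ihl = (f[14] & 0x0F) * 4
        flags = f[14 + ihl + 13]           # TCP flags byte
        if flags & TCP_SYN and not flags & TCP_ACK:
            src = ".".join(str(b) for b in f[26:30])
            dst = ".".join(str(b) for b in f[30:34])
            syns[src] += 1
            dests.setdefault(src, set()).add(dst)
    return [(ip, n, len(dests[ip])) for ip, n in syns.most_common()]


def pcap_bytes(frames):
    """libpcap file image (linktype 1 = Ethernet) for the given frames."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", i, 0, len(f), len(f)) + f)
    return b"".join(out)


# Constructed traffic mix: one desktop spraying five mail servers, Exchange's
# own legitimate mail, a SYN/ACK reply, web traffic, and one normal mail client.
SAMPLE_FRAMES = (
    [build_packet("10.10.1.77", "198.51.100.%d" % i, 1024 + i, 25, TCP_SYN) for i in range(1, 6)]
    + [build_packet(EXCHANGE, "203.0.113.9", 2000, 25, TCP_SYN)]
    + [build_packet("198.51.100.1", "10.10.1.77", 25, 1025, TCP_SYN | TCP_ACK)]
    + [build_packet("10.10.1.5", "203.0.113.80", 3000, 80, TCP_SYN)]
    + [build_packet("10.10.1.12", "203.0.113.9", 3100, 25, TCP_SYN)]
)

if __name__ == "__main__":
    print("Ethereal capture filter:", CAPTURE_FILTER)
    for ip, n, d in rank_smtp_senders(SAMPLE_FRAMES, EXCHANGE):
        print("%-14s %3d SYNs to %d distinct mail servers" % (ip, n, d))
    kept = [f for f in SAMPLE_FRAMES if matches_smtp_filter(f, EXCHANGE)]
    with open("smtp_only.pcap", "wb") as fh:
        fh.write(pcap_bytes(kept))
```

With real traffic you would let Ethereal or tcpdump do the filtering at capture time (`tcpdump -i <external-vlan-if> -w smtp_only.pcap 'tcp dst port 25 and not host 192.0.2.25'`), and the file stays small because everything else is discarded before it is written; the distinct-destination count is what separates a worm or bulk mailer from a desktop that simply sends mail through one relay.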

Accepted Solution by: NYtechGuy (ID: 16986641)

mmahaney-

You are correct in your statement:

> "I am sure I can block this traffic with an access list on the egress router or a security policy on my FWSM but I would like to find out what workstation may be doing any mass smtp mailing...."

1. You should in fact block all outbound traffic with a destination port of 25. This will allow you to begin removal from the blacklists.
2. Set up a SYSLOG application to monitor the logs in real time from the firewall/router, etc. (wherever you blocked port 25).
3. Check the logs for the culprit machines.

I suggest the Kiwi products; they are great. Run the "log viewer" against the logs that the SYSLOG viewer generates (a .txt file on your local PC) and you can search using whatever terms you need, and the hits are highlighted for easy finding.

Thanks,

Justin

-------------LINKS-----------------

Kiwi SYSLOG Viewer:
http://www.kiwisyslog.com/syslog-info.php

Kiwi log viewer:
http://www.kiwisyslog.com/log-viewer-info.php
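Step 3 of the accepted answer, "check the logs for the culprit machines", as a worked example added here (not code from the thread, Kiwi or Cisco): once outbound TCP/25 is denied on the FWSM, every attempt shows up as a deny line in syslog, and a short parser over the Kiwi text file answers both of Mike's questions, which inside host and at what time. The sample lines are constructed in the PIX/ASA/FWSM 106023 "Deny tcp src ... dst ..." format as I know it; the firewall hostname, interface names, inside addresses (including the assumed inside address of the Exchange server, which is excluded because its mail is legitimate) and the year used to complete the syslog timestamps are all assumptions.

```python
"""Added example: rank inside hosts by denied outbound SMTP attempts using
FWSM 106023 syslog lines, with distinct destinations and first/last seen."""
import re
from collections import defaultdict
from datetime import datetime

EXCHANGE_INSIDE = "10.10.2.25"   # assumed inside address of the static-NATed Exchange
LOG_YEAR = 2006                  # syslog timestamps carry no year; assumed

# Jun 26 02:14:03 fwsm-1 %FWSM-4-106023: Deny tcp src inside:A/port dst outside:B/port by access-group "name"
DENY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ %FWSM-4-106023: Deny tcp "
    r"src (?P<sif>\w+):(?P<src>[\d.]+)/\d+ dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample of what Kiwi would write to its .txt file.
SAMPLE_LOG = """\
Jun 26 02:14:03 fwsm-1 %FWSM-4-106023: Deny tcp src inside:10.10.1.77/1042 dst outside:198.51.100.3/25 by access-group "inside_in"
Jun 26 02:14:03 fwsm-1 %FWSM-4-106023: Deny tcp src inside:10.10.1.77/1043 dst outside:198.51.100.9/25 by access-group "inside_in"
Jun 26 02:14:04 fwsm-1 %FWSM-4-106023: Deny tcp src inside:10.10.1.77/1044 dst outside:203.0.113.40/25 by access-group "inside_in"
Jun 26 02:14:04 fwsm-1 %FWSM-4-106023: Deny tcp src inside:10.10.1.77/1045 dst outside:198.51.100.3/25 by access-group "inside_in"
Jun 26 09:31:55 fwsm-1 %FWSM-4-106023: Deny tcp src inside:10.10.1.12/3301 dst outside:203.0.113.9/25 by access-group "inside_in"
Jun 26 09:32:10 fwsm-1 %FWSM-4-106023: Deny tcp src inside:10.10.2.25/2511 dst outside:203.0.113.9/25 by access-group "inside_in"
Jun 26 09:32:40 fwsm-1 %FWSM-4-106023: Deny tcp src inside:10.10.1.5/3555 dst outside:203.0.113.7/445 by access-group "inside_in"
Jun 26 09:33:02 fwsm-1 %FWSM-6-302013: Built outbound TCP connection 7781 for outside:203.0.113.80/80 (203.0.113.80/80) to inside:10.10.1.5/3560 (192.0.2.5/1200)
"""


def parse_deny(line):
    """(timestamp, src_ip, dst_ip, dst_port) for a 106023 TCP deny, else None."""
    m = DENY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (LOG_YEAR, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, m.group("src"), m.group("dst"), int(m.group("dport"))


def smtp_talkers(lines, exclude=EXCHANGE_INSIDE):
    """[(src_ip, attempts, distinct_dsts, first_seen, last_seen)], most attempts first.
    Non-SMTP denies, non-deny messages and the excluded host are ignored."""
    stats = defaultdict(lambda: {"n": 0, "dsts": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_deny(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport != 25 or src == exclude:
            continue
        s = stats[src]
        s["n"] += 1
        s["dsts"].add(dst)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    rows = [(src, s["n"], len(s["dsts"]),
             s["first"].strftime("%H:%M:%S"), s["last"].strftime("%H:%M:%S"))
            for src, s in stats.items()]
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    # Real use: smtp_talkers(open("kiwi_syslog.txt"))
    for src, n, d, first, last in smtp_talkers(SAMPLE_LOG.splitlines()):
        print("%-12s %3d attempts, %d mail servers, active %s to %s" % (src, n, d, first, last))
```

The host with many attempts to many distinct mail servers in a tight window is the one to pull off the network; a single attempt to a single server, like 10.10.1.12 above, is more likely a mail client configured to talk to an outside relay. Pointing the same parser at the 302013 "Built outbound TCP connection" lines from before the block was put in place will tell you how long this has been going on.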

Author Comment by: mmahaney (ID: 16986714)
Good tips from both.
Once again I overthought it. Not being very familiar with Ethereal, I failed to see that I could filter what I captured; I thought I could only filter after the capture was complete.

Thanks as always,
Mike