Solved

NAT Address Blacklisted

Posted on 2006-06-26
3
449 Views
Last Modified: 2011-10-03
Looks like my NAT/PAT address has been blacklisted.

I have 10 vlans on my 6513 with a FWSM. Most of these VLANS are desktops. These desktops are PAT'ed to on address on my FWSM.
That address is showing up as blacklisted for SMTP.

One of my theories why is a developer using desktop to mass mail or a virus/worm doing some mass mailing from my desktop community.
We have our Exchange server statically NAT'ed and that address is in the same subnet but has not been blacklisted. This handles all approved email.

I need some direction on how I can find the desktops, if any, that are spewing SMTP to the internet on the PAT address.
 
I can sniff all outbound traffic on my external VLAN but it is too much traffic and the sniffer file becomes too large to work with in addition I am not sure when the suspect traffic is being sent.

I am sure I can block this traffic with an access list on the egress router or a security policy on my FWSM but I would like to find out what workstation may be doing any mass smtp mailing....

Any ideas would be helpful.

I was thinking of trying to only sniff the traffic for SMTP using a VACL and then spanning that VLAN to the sniffer but I can't think of how to do that...or if there is any easier way.

Thanks,
Mike
0
Comment
Question by:mmahaney
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 13

Assisted Solution

by:prashsax
prashsax earned 125 total points
ID: 16986577
Use Ethereal for sniffing and put a capture filter for port 25 only, also you can filter out your exchange IP address.

This will force ethereal to capture only SMTP traffic from desktop only and not from exchange.

Then you can easily identify the machine who is sending the SMTP traffic.




0
 
LVL 9

Accepted Solution

by:
NYtechGuy earned 125 total points
ID: 16986641

mmahaney-

You are correct in your statement:

> "I am sure I can block this traffic with an access list on the egress router or a security policy on my FWSM but I would like to find out what workstation may be doing   any mass smtp mailing...."

1. You should in fact block all outbound traffic with a destination port of 25.  This will allow you to begin removal from the blacklists.
2. Setup a SYSLOG application, to monitor the logs in real time from the firewall/router, etc (wherever you blocked port 25)
3. Check logs for the culprit machines.

I suggest the Kiwi products, they are great.  Run the "log viewer" against the logs that the SYSLOG viewer generates (a .txt file on your local PC) and you can search using whatever terms you need - and then they are highlighted for easy finding.

Thanks,

Justin

-------------LINKS-----------------

Kiwi SYSLOG Viewer:
http://www.kiwisyslog.com/syslog-info.php

Kiwi log viewer:
http://www.kiwisyslog.com/log-viewer-info.php


0
 

Author Comment

by:mmahaney
ID: 16986714
Good tips from both.
Once again I over thought it....not being real familar with Ethereal failed to see that I could filter what I captured, thought I could only filter after the capture was complete.

Thanks as always,
Mike
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
creating SVI on layer 3 switch 1 55
Network setup between buildings 4 60
Port to open for RDP connection to VM in DMZ ? 5 69
X2 to x0 on sonicwall tz200 1 19
Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question