Solved

How do I block all outgoing SMTP traffic from everywhere but the Exchange server on the firewall?

Posted on 2009-04-06
Last Modified: 2013-11-30
I have been blacklisted on CBL. I've installed and run all updates on all 50 workstations. I've run Malwarebytes and AV on all computers. I have a SonicWALL Pro 1260. I'm not sure how to block all outgoing SMTP traffic on the SonicWALL. I've gotten delisted twice, and for more than 24 hours now I'm back on it. What else do I need to do? Please help.
On my firewall - services under my mail services I have: 
 
IMAP4 143
POP3 110
SMTP 25
SSI 993

Question by:s0nic
9 Comments
 
LVL 5

Expert Comment

by:Mechanic_Kharkov
ID: 24082255
But if you block outgoing SMTP traffic, your users could not send any email! Do you really want this?
 

Author Comment

by:s0nic
ID: 24082387
From what I read, I need to block all ports except for to and from my emails, correct?
 
LVL 7

Expert Comment

by:garethh86
ID: 24082468
You need to set IP restrictions on your SMTP server; it sounds like you're an open relay. Set the SMTP IP restriction to 127.0.0.1 and your server IP address, and also add any other servers in your network that need to relay mail through your Exchange server.

 
LVL 3

Expert Comment

by:cubeeq
ID: 24082478
I suppose the Exchange will initiate SMTP traffic on 127.0.0.1. So why not block all traffic to port 25 originating in the intranet (192.168., 10.)? In case your clients use the ordinary SMTP port on Exchange, block all traffic with a remote address, port 25 and origin in the intranet.
 

Author Comment

by:s0nic
ID: 24082556
I'm confused. How do I go about doing that?
 
LVL 7

Accepted Solution

by:garethh86 (earned 750 total points)
ID: 24083803
Go into Exchange System Manager:

Servers -> select your Exchange server
Protocols
SMTP
Right-click Default SMTP Server and click Properties.
Click the Access tab and then click Relay.
Select 'Only the list below'.
Enter an IP of 127.0.0.1.
Then enter the IP address assigned to your server.
Enter any other server IP addresses (if any) that also need to relay through this server.
Check the 'Allow all computers which successfully authenticate to relay' box.

You do not need to add all of your workstation IP addresses.

Also make double sure none of the workstations or servers are infected with a virus that is sending mail, as these machines are allowed to relay, but it just sounds like you've left this open and your SMTP server is being used to route spam. Machines search the Internet, much like these blacklist sites, for servers that are open relays and then use them to send spam.

Hope this helps!
 
LVL 3

Expert Comment

by:cubeeq
ID: 24084728
I would not allow any client to relay in this case, so as to isolate the problem. Exchange clients do not talk SMTP either. And install Wireshark and use it on the intranet network interface on the server with a filter such as "dst port 25". You will be able to discover who is talking SMTP.
 

Author Comment

by:s0nic
ID: 24089233
Ok so I did all of the above. I hope that helped. Now it states:

It will be one of the following scenarios:
1) It's a NAT firewall, in which case it is a NAT
   in front of a machine that is infected with spam
   sending spamware.
2) It's directly infested with spam sending spamware.

This IP has or is NAT'ing for a pharma2 BOT infection

If the IP is a NAT firewall, we strongly recommend configuring the firewall to prevent machines on your network connecting to the Internet on port 25, except for machines that are supposed to be mail servers.  Once you have done this, you can use your firewall logs to detect which machines are infected/compromised.
I have a SonicWALL Pro 1260.
 

Author Closing Comment

by:s0nic
ID: 31567273
Thanks. Once I did that, it appeared on my firewall that someone was trying to use my port 25 for SMTP.
