How do I block all outgoing SMTP traffic from everywhere but the Exchange server on the firewall

I have been blacklisted on CBL. I've installed and run all updates on all 50 workstations. I've run Malwarebytes and AV on all computers. I have a SonicWall Pro 1260. I'm not sure how to block all outgoing SMTP traffic on the SonicWall. I've gotten delisted twice for more than 24 hours; now I'm back on it. What else do I need to do? Please help.
On my firewall, under services, in my mail services I have:
 
IMAP4 143
POP3 110
SMTP 25
SSI 993


s0nicAsked:
 
garethh86Commented:
Go into exchange system manager:

Servers ->select your exchange server
protocols
smtp
right click the default SMTP server and click Properties
Click the Access tab and then click Relay.
Select 'Only the list below'.
Enter an IP of 127.0.0.1.
Then enter the IP address assigned to your server.
Enter any other server IP addresses (if any) that also need to relay through this server.
Check the 'Allow all computers which successfully authenticate to relay' box.

You do not need to add all of your workstation IP addresses.

Also make double sure none of the workstations or servers are infected with a virus that is sending mail as these machines are allowed to relay, but it just sounds like you've left this open and your smtp server is being used to route spam. Machines search the internet, much like these black list sites for servers that are open relays and then use them to send spam.

Hope this helps!
0
 
Mechanic_KharkovCommented:
But if You block outgoing SMTP traffic, Your users will not be able to send any email! Do You really want this?
0
 
s0nicAuthor Commented:
From what I read, I need to block all ports except for to and from my email, correct?
0
 
garethh86Commented:
You need to set IP restrictions on your SMTP server; it sounds like you're an open relay. Set the SMTP IP restriction to 127.0.0.1 and your server IP address, and also add any other servers in your network that need to relay mail through your Exchange server.
0
 
cubeeqCommented:
I suppose the Exchange server will initiate SMTP traffic on 127.0.0.1. So why not block all traffic to port 25 originating in the intranet (192.168., 10.)? In case your clients use the ordinary SMTP port on Exchange, block all traffic with a remote address, port 25 and origin in the intranet.
0
 
s0nicAuthor Commented:
I'm confused. How do I go about doing that?
0
 
cubeeqCommented:
I would not allow any client to relay in this case, so as to isolate the problem. Exchange clients do not talk SMTP either. And install Wireshark and use it on the intranet network interface on the server with a filter such as "dst port 25". You will be able to discover who is talking on SMTP.
0
 
s0nicAuthor Commented:
Ok so I did all of the above. I hope that helped. Now it states:

It will be one of the following scenarios:
1) It's a NAT firewall, in which case it is a NAT
   in front of a machine that is infected with spam
   sending spamware.
2) It's directly infested with spam sending spamware.

This IP has or is NAT'ing for a pharma2 BOT infection

If the IP is a NAT firewall, we strongly recommend configuring the firewall to prevent machines on your network connecting to the Internet on port 25, except for machines that are supposed to be mail servers.  Once you have done this, you can use your firewall logs to detect which machines are infected/compromised.
I have a sonicwall pro1260
0
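The CBL text above suggests blocking port 25 from everything except the mail server and then reading the firewall logs to find the infected machine, and cubeeq suggested watching "dst port 25". The following is an added example (not from the thread or from SonicWall) that does the log-reading half: it takes a handful of constructed firewall log lines in a generic "action src dst" syslog style (not the SonicWall Pro 1260's real format), ignores the Exchange server (assumed here to be 192.168.1.5) and inbound mail, and ranks internal hosts by how often they tried to reach port 25 and to how many distinct destinations, flagging any whose attempts the firewall still allowed through.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in a generic "action src dst" syslog style (not real
# SonicWall output); addresses are made-up, 192.168.1.5 plays the Exchange server.
SAMPLE_LOG = """\
2009-03-02 10:01:12 fw drop src=192.168.1.57:4432 dst=203.0.113.10:25 proto=tcp
2009-03-02 10:01:13 fw drop src=192.168.1.57:4433 dst=198.51.100.22:25 proto=tcp
2009-03-02 10:01:15 fw allow src=192.168.1.5:2101 dst=203.0.113.10:25 proto=tcp
2009-03-02 10:01:20 fw drop src=192.168.1.57:4434 dst=203.0.113.77:25 proto=tcp
2009-03-02 10:02:01 fw drop src=192.168.1.88:3301 dst=198.51.100.9:25 proto=tcp
2009-03-02 10:02:03 fw allow src=192.168.1.88:3302 dst=198.51.100.9:25 proto=tcp
2009-03-02 10:02:05 fw allow src=192.168.1.20:5123 dst=203.0.113.10:443 proto=tcp
2009-03-02 10:02:09 fw allow src=203.0.113.40:40211 dst=192.168.1.5:25 proto=tcp
"""

LINE_RE = re.compile(
    r"(?P<action>drop|allow) src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def smtp_talkers(log_text, mail_servers, internal_nets=("192.168.0.0/16", "10.0.0.0/8")):
    """Per internal source host: outbound port-25 attempts, distinct destinations, and
    whether any attempt was still allowed through (block rule not covering that host).
    The legitimate mail server(s) and inbound mail are excluded; most active host first."""
    nets = [ip_network(n) for n in internal_nets]
    allowed = {ip_address(m) for m in mail_servers}
    attempts, dests, leaked = Counter(), {}, set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dport") != "25":
            continue
        src = ip_address(m.group("src"))
        if src in allowed or not any(src in n for n in nets):
            continue  # the Exchange server itself, or inbound mail from outside
        attempts[src] += 1
        dests.setdefault(src, set()).add(m.group("dst"))
        if m.group("action") == "allow":
            leaked.add(src)
    return {
        str(src): {"attempts": n, "distinct_dsts": len(dests[src]), "allowed_through": src in leaked}
        for src, n in attempts.most_common()
    }

if __name__ == "__main__":
    for host, info in smtp_talkers(SAMPLE_LOG, ["192.168.1.5"]).items():
        print(host, info)
```

A workstation at the top of this list with many distinct destinations is the one to pull off the network and re-scan; an "allowed_through" entry means the port-25 rule on the firewall is not yet catching that host.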
 
s0nicAuthor Commented:
Thanks, once I did that it appeared on my firewall that someone was trying to use my port 25 for SMTP.
0