Solved

How do I block all outgoing SMTP traffic from everywhere but the Exchange server on the firewall?

Posted on 2009-04-06
Last Modified: 2013-11-30
I have been blacklisted on CBL. I've installed and run all updates on all 50 workstations. I've run Malwarebytes and AV on all computers. I have a SonicWall Pro 1260. I'm not sure how to block all outgoing SMTP traffic on the SonicWall. I've gotten delisted twice; for more than 24 hours now I'm back on it. What else do I need to do? Please help.
On my firewall, under services in my mail services I have:

IMAP4 143
POP3 110
SMTP 25
SSL 993


Question by:s0nic
9 Comments
 
LVL 5

Expert Comment

by:Mechanic_Kharkov
ID: 24082255
But if you block outgoing SMTP traffic, your users will not be able to send any email! Do you really want this?
 

Author Comment

by:s0nic
ID: 24082387
From what I read, I need to block all ports except those to and from my email, correct?
 
LVL 7

Expert Comment

by:garethh86
ID: 24082468
You need to set IP restrictions on your SMTP server; it sounds like you're an open relay. Set the SMTP IP restriction to 127.0.0.1 and your server's IP address, and also add any other servers in your network that need to relay mail through your Exchange server.
 
LVL 3

Expert Comment

by:cubeeq
ID: 24082478
I suppose Exchange will initiate SMTP traffic on 127.0.0.1. So why not block all traffic to port 25 originating in the intranet (192.168., 10.)? In case your clients use the ordinary SMTP port on Exchange, block all traffic with a remote address, port 25 and origin in the intranet.
 

Author Comment

by:s0nic
ID: 24082556
I'm confused. How do I go about doing that?
 
LVL 7

Accepted Solution

by:
garethh86 earned 250 total points
ID: 24083803
Go into Exchange System Manager:

1) Servers -> select your Exchange server
2) Protocols
3) SMTP
4) Right-click Default SMTP Server and click Properties
5) Click the Access tab and then click Relay
6) Select 'Only the list below'
7) Enter an IP of 127.0.0.1
8) Then enter the IP address assigned to your server
9) Enter any other server IP addresses (if any) that also need to relay through this server
10) Check the "Allow all computers which successfully authenticate to relay" box

You do not need to add all of your workstation IP addresses.

Also make doubly sure none of the workstations or servers are infected with a virus that is sending mail, as these machines are allowed to relay; but it just sounds like you've left this open and your SMTP server is being used to route spam. Machines search the internet, much like these blacklist sites, for servers that are open relays and then use them to send spam.

Hope this helps!
 
LVL 3

Expert Comment

by:cubeeq
ID: 24084728
I would not allow any client to relay in this case, so as to isolate the problem. Exchange clients do not talk SMTP either. And install Wireshark and use it on the intranet network interface on the server with a filter such as "dst port 25". You will be able to discover who is talking on SMTP.
 

Author Comment

by:s0nic
ID: 24089233
OK, so I did all of the above. I hope that helped. Now it states:

It will be one of the following scenarios:
1) It's a NAT firewall, in which case it is a NAT in front of a machine that is infected with spam sending spamware.
2) It's directly infested with spam sending spamware.

This IP has or is NAT'ing for a pharma2 BOT infection

If the IP is a NAT firewall, we strongly recommend configuring the firewall to prevent machines on your network connecting to the Internet on port 25, except for machines that are supposed to be mail servers. Once you have done this, you can use your firewall logs to detect which machines are infected/compromised.

I have a SonicWall Pro 1260.
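The CBL advice quoted above (block outbound port 25 for everything except the mail server, then read the firewall logs to find the infected host) and cubeeq's "dst port 25" filter both come down to the same check: which internal hosts other than Exchange are opening TCP/25 to the outside. The script below is an added example, not code from this thread or from SonicWall; it assumes a constructed, simplified connection-log format and a placeholder mail server address of 192.168.1.10, so the regex must be adapted to the firewall's real syslog lines.

```python
"""Report internal hosts (other than the mail server) that attempted
outbound SMTP on TCP/25, from firewall connection-log lines.

Constructed log format: "<date> <time> <allow|deny> src=IP:port dst=IP:port proto=tcp"
The mail server address and internal ranges below are assumed placeholders."""
import ipaddress
import re
from collections import Counter

MAIL_SERVERS = {"192.168.1.10"}            # assumed: only host allowed to send on TCP/25
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8")]

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>allow|deny) src=(?P<src>[\d.]+):\d+ "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicious_smtp_sources(lines):
    """Map each internal non-mail-server source IP to its count of TCP/25 attempts
    towards external addresses. Both allowed and denied attempts are counted,
    since a host that tries at all is the one to investigate."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["proto"] != "tcp" or rec["dport"] != "25":
            continue
        if not is_internal(rec["src"]) or rec["src"] in MAIL_SERVERS:
            continue
        if is_internal(rec["dst"]):   # client -> Exchange on the LAN is expected traffic
            continue
        hits[rec["src"]] += 1
    return dict(hits)

# Constructed sample log: one legitimate Exchange connection, one workstation
# repeatedly hitting outside mail servers, one client talking to Exchange.
SAMPLE_LOG = """\
2009-04-06 10:01:02 allow src=192.168.1.10:49152 dst=203.0.113.25:25 proto=tcp
2009-04-06 10:01:05 deny src=192.168.1.57:1043 dst=198.51.100.7:25 proto=tcp
2009-04-06 10:01:06 deny src=192.168.1.57:1044 dst=198.51.100.8:25 proto=tcp
2009-04-06 10:01:09 allow src=192.168.1.57:1050 dst=192.168.1.10:25 proto=tcp
2009-04-06 10:01:11 deny src=10.0.0.23:2222 dst=203.0.113.99:25 proto=tcp
2009-04-06 10:01:12 allow src=192.168.1.57:1060 dst=198.51.100.9:443 proto=tcp
"""

if __name__ == "__main__":
    for src, n in sorted(suspicious_smtp_sources(SAMPLE_LOG.splitlines()).items()):
        print(f"{src}: {n} outbound SMTP attempt(s) - check this host for malware")
```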
 

Author Closing Comment

by:s0nic
ID: 31567273
Thanks. Once I did that, it appeared on my firewall that someone was trying to use my port 25 for SMTP.
