Solved

How do I Blocked all outgoing SMTP traffic from everywhere but the Exchange server on the firewall

Posted on 2009-04-06
822 Views
Last Modified: 2013-11-30
I have been blacklisted on CBL. I've installed and run all updates on all 50 workstations. I've run Malwarebytes and AV on all computers. I have a SonicWALL Pro 1260. I'm not sure how to block all outgoing SMTP traffic on the SonicWALL. I've gotten delisted twice, and for more than 24 hours now I'm back on it. What else do I need to do? Please help.
On my firewall, under services in my mail services, I have:
 
IMAP4 143
POP3 110
SMTP 25
SSI 993


Question by:s0nic
9 Comments
 
LVL 5

Expert Comment

by:Mechanic_Kharkov
ID: 24082255
But if you block outgoing SMTP traffic, your users could not send any email! Do you really want this?
 

Author Comment

by:s0nic
ID: 24082387
From what I read, I need to block all ports except to and from my email, correct?
 
LVL 7

Expert Comment

by:garethh86
ID: 24082468
You need to set IP restrictions on your SMTP server; it sounds like you're an open relay. Set the SMTP IP restriction to 127.0.0.1 and your server IP address, and also add any other servers in your network that need to relay mail through your Exchange server.
 
LVL 3

Expert Comment

by:cubeeq
ID: 24082478
I suppose Exchange will initiate SMTP traffic on 127.0.0.1. So why not block all traffic to port 25 originating in the intranet (192.168., 10.)? In case your clients use the ordinary SMTP port on Exchange, block all traffic with a remote address, port 25, and origin in the intranet.
 

Author Comment

by:s0nic
ID: 24082556
I'm confused. How do I go about doing that?
 
LVL 7

Accepted Solution

by:garethh86 (earned 250 total points)
ID: 24083803
Go into Exchange System Manager:

Servers -> select your Exchange server
Protocols
SMTP
Right-click the default SMTP server and click Properties.
Click the Access tab and then click Relay.
Select 'Only the list below'.
Enter an IP of 127.0.0.1.
Then enter the IP address assigned to your server.
Enter any other server IP addresses (if any) that also need to relay through this server.
Check the 'Allow all computers which successfully authenticate to relay' box.

You do not need to add all of your workstation IP addresses.

Also, make double sure none of the workstations or servers is infected with a virus that is sending mail, as these machines are allowed to relay; but it just sounds like you've left this open and your SMTP server is being used to route spam. Machines search the internet, much like these blacklist sites do, for servers that are open relays and then use them to send spam.

Hope this helps!
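Once the relay list above is in place, the practical check is to ask the server, from a host that is not on that list (i.e. from outside the LAN, since internal addresses are permitted to relay by design), whether it will accept mail from an outside sender to an outside recipient. The following probe is an added example, not code from the original thread or from any Exchange tooling; the host and mailbox names (example.net, example.org, relaytest@) are placeholders you should replace with addresses you control, and the two scripted server transcripts are constructed, not captured from a real server. A properly restricted server answers RCPT TO with a 5xx (Exchange reports "550 5.7.1 Unable to relay"); a 250 means the server is still relaying for anyone who asks.

```python
"""Open-relay probe: EHLO / MAIL FROM / RCPT TO from an outside sender to an
outside recipient, then RSET and QUIT.  No message is ever sent."""
import io
import socket


def read_reply(rfile):
    """Read one SMTP reply, including '250-...' continuation lines.
    Returns (numeric code, list of reply lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        # Continuation lines carry '-' in column 4; the final line has a space.
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[-1][:3]), lines


def send(wfile, command):
    wfile.write((command + "\r\n").encode("ascii"))
    wfile.flush()


def relay_test(rfile, wfile, helo="probe.example.net",
               sender="probe@example.net", recipient="relaytest@example.org"):
    """Drive the conversation and report whether the server relays for us.
    The domains are assumed placeholders; use addresses you control."""
    transcript = []
    code, lines = read_reply(rfile)
    transcript += lines
    if code != 220:
        return {"open_relay": False, "rcpt_code": None,
                "verdict": "no SMTP greeting", "transcript": transcript}
    for command in (f"EHLO {helo}", f"MAIL FROM:<{sender}>"):
        send(wfile, command)
        transcript.append("C: " + command)
        code, lines = read_reply(rfile)
        transcript += lines
        if code != 250:
            send(wfile, "QUIT")
            return {"open_relay": False, "rcpt_code": None,
                    "verdict": f"{command.split()[0]} refused ({code})",
                    "transcript": transcript}
    send(wfile, f"RCPT TO:<{recipient}>")
    transcript.append(f"C: RCPT TO:<{recipient}>")
    code, lines = read_reply(rfile)
    transcript += lines
    send(wfile, "RSET")  # abandon the envelope; never send DATA
    send(wfile, "QUIT")
    is_open = code in (250, 251)
    return {"open_relay": is_open, "rcpt_code": code,
            "verdict": ("OPEN RELAY: outside-to-outside recipient accepted"
                        if is_open else "relay refused"),
            "transcript": transcript}


def probe_host(host, port=25, timeout=15):
    """Live probe against a real server (run from outside the relay list)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return relay_test(rfile, wfile)


# Constructed server transcripts (not captured from any real server) so the
# logic can be exercised offline.  The server side does not depend on what the
# client sends, so a scripted byte stream stands in for the socket.
CLOSED_RELAY = (b"220 mail.example.com Microsoft ESMTP MAIL Service ready\r\n"
                b"250-mail.example.com Hello [203.0.113.5]\r\n"
                b"250-AUTH LOGIN\r\n"
                b"250 OK\r\n"
                b"250 2.1.0 probe@example.net....Sender OK\r\n"
                b"550 5.7.1 Unable to relay for relaytest@example.org\r\n")
OPEN_RELAY = (b"220 mail.example.com Microsoft ESMTP MAIL Service ready\r\n"
              b"250 mail.example.com Hello [203.0.113.5]\r\n"
              b"250 2.1.0 probe@example.net....Sender OK\r\n"
              b"250 2.1.5 relaytest@example.org\r\n")


def probe_scripted(server_bytes):
    """Run relay_test against a scripted server transcript."""
    return relay_test(io.BytesIO(server_bytes), io.BytesIO())


if __name__ == "__main__":
    import sys
    result = probe_host(sys.argv[1]) if len(sys.argv) > 1 else probe_scripted(CLOSED_RELAY)
    print("\n".join(result["transcript"]))
    print(result["verdict"])
```

Run it as `python relayprobe.py mail.yourdomain.example` from an external host; with no argument it replays the constructed closed-relay transcript. The probe only tests unauthenticated relay, which is what the blacklist bots exploit; the "allow authenticated computers to relay" option from the steps above is unaffected by it, but it means a workstation with stolen credentials can still relay, so the infected-host hunt in the later comments is still needed.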
 
LVL 3

Expert Comment

by:cubeeq
ID: 24084728
I would not allow any client to relay in this case, so as to isolate the problem. Exchange clients do not talk SMTP either. Install Wireshark and use it on the intranet network interface on the server with a filter such as "dst port 25". You will be able to discover who is talking SMTP.
 

Author Comment

by:s0nic
ID: 24089233
OK, so I did all of the above. I hope that helped. Now it states:

It will be one of the following scenarios:
1) It's a NAT firewall, in which case it is a NAT
   in front of a machine that is infected with spam
   sending spamware.
2) It's directly infested with spam sending spamware.

This IP has or is NAT'ing for a pharma2 BOT infection

If the IP is a NAT firewall, we strongly recommend configuring the firewall to prevent machines on your network connecting to the Internet on port 25, except for machines that are supposed to be mail servers.  Once you have done this, you can use your firewall logs to detect which machines are infected/compromised.
I have a SonicWALL Pro 1260.
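Both cubeeq's Wireshark filter ("dst port 25" on the server's inside interface) and the CBL advice quoted above come down to the same hunt: after outbound port 25 is blocked for everything but the Exchange server, whichever internal host keeps hammering port 25 on many outside addresses is the bot. The script below is an added example and not part of the original thread or of any SonicWALL tooling; it reads firewall log lines in an assumed key=value syslog style (adapt `LINE_RE` to your firewall's export), and the sample lines and the mail server address 192.168.1.10 are constructed for illustration.

```python
"""Rank internal hosts by outbound port-25 activity seen in firewall logs,
excluding the legitimate mail server.  A bot fans out to many distinct MX
hosts; a misconfigured client talks to one or two."""
import re
from collections import defaultdict

# Assumed log format (not real SonicWALL syslog): adjust the regex for yours.
LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

MAIL_SERVER = "192.168.1.10"  # assumed address of the Exchange server

# Constructed sample lines: .10 is the mail server, .57 is behaving like a bot,
# .42 made a single port-25 connection, .23 is only browsing.
SAMPLE_LOG = """\
2009-04-06 09:01:13 action=allow proto=tcp src=192.168.1.10:4411 dst=64.233.187.27:25
2009-04-06 09:01:15 action=drop proto=tcp src=192.168.1.57:1034 dst=64.12.138.161:25
2009-04-06 09:01:15 action=drop proto=tcp src=192.168.1.57:1035 dst=65.55.37.72:25
2009-04-06 09:01:16 action=drop proto=tcp src=192.168.1.57:1036 dst=209.85.201.27:25
2009-04-06 09:01:17 action=drop proto=tcp src=192.168.1.57:1037 dst=98.139.54.60:25
2009-04-06 09:01:20 action=allow proto=tcp src=192.168.1.23:3201 dst=72.14.213.99:80
2009-04-06 09:01:22 action=drop proto=tcp src=192.168.1.42:2211 dst=64.233.187.27:25
2009-04-06 09:01:30 action=allow proto=tcp src=192.168.1.10:4412 dst=65.55.37.72:25
"""


def parse_line(line):
    """Return a dict of the connection fields, or None for lines that
    do not match the expected format."""
    match = LINE_RE.search(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def smtp_talkers(lines, mail_server=MAIL_SERVER, port=25):
    """Per-source counts of TCP connections to `port`, skipping the mail
    server.  Returns {src: {"attempts": int, "destinations": set}}."""
    stats = defaultdict(lambda: {"attempts": 0, "destinations": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != port:
            continue
        if rec["src"] == mail_server:
            continue
        entry = stats[rec["src"]]
        entry["attempts"] += 1
        entry["destinations"].add(rec["dst"])
    return dict(stats)


def rank_suspects(stats, min_destinations=3):
    """List of (src, attempts, distinct_destinations), most suspicious first.
    Hosts reaching fewer than `min_destinations` outside hosts are dropped
    as likely innocent (one stray client, one misconfigured scanner)."""
    ranked = sorted(
        ((src, s["attempts"], len(s["destinations"])) for src, s in stats.items()),
        key=lambda t: (t[2], t[1]),
        reverse=True,
    )
    return [t for t in ranked if t[2] >= min_destinations]


def suspects_from_log(text, mail_server=MAIL_SERVER, min_destinations=3):
    """Convenience wrapper: raw log text in, ranked suspects out."""
    return rank_suspects(smtp_talkers(text.splitlines(), mail_server), min_destinations)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for src, attempts, dests in suspects_from_log(text):
        print(f"{src}: {attempts} port-25 attempts to {dests} distinct hosts")
```

Run it as `python smtp_hunt.py exported.log`; with no argument it processes the constructed sample and reports 192.168.1.57. On the capture side, the equivalent of cubeeq's Wireshark filter at the command line is `tcpdump -ni <inside-if> 'tcp dst port 25 and not src host 192.168.1.10'`, which shows the same hosts as they try to connect rather than after the fact.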
 

Author Closing Comment

by:s0nic
ID: 31567273
Thanks. Once I did that, it appeared on my firewall that someone was trying to use my port 25 for SMTP.
