Solved

How do I block all outgoing SMTP traffic from everywhere but the Exchange server on the firewall?

Posted on 2009-04-06
9
815 Views
Last Modified: 2013-11-30
I have been blacklisted on CBL. I've installed and run all updates on all 50 workstations. I've run Malwarebytes and AV on all computers. I have a SonicWALL Pro 1260. I'm not sure how to block all outgoing SMTP traffic on the SonicWALL. I've gotten delisted twice; for more than 24 hours now I'm back on it. What else do I need to do? Please help.
On my firewall, under my mail services I have:
IMAP4 143
POP3 110
SMTP 25
SSI 993
Question by:s0nic
9 Comments

Expert Comment by Mechanic_Kharkov (LVL 5), ID: 24082255
But if you block outgoing SMTP traffic, your users will not be able to send any email! Do you really want this?

Author Comment by s0nic, ID: 24082387
From what I read, I need to block all ports except for to and from my email, correct?

Expert Comment by garethh86 (LVL 7), ID: 24082468
You need to set IP restrictions on your SMTP server; it sounds like you're an open relay. Set the SMTP IP restriction to 127.0.0.1 and your server's IP address, and also add any other servers in your network that need to relay mail through your Exchange server.

Expert Comment by cubeeq (LVL 3), ID: 24082478
I suppose the Exchange server will initiate SMTP traffic from 127.0.0.1. So why not block all traffic to port 25 originating in the intranet (192.168., 10.)? In case your clients use the ordinary SMTP port on Exchange, block all traffic with a remote address, port 25 and origin in the intranet.

Author Comment by s0nic, ID: 24082556
I'm confused. How do I go about doing that?

Accepted Solution by garethh86 (LVL 7), earned 250 total points, ID: 24083803
Go into Exchange System Manager:

Servers -> select your Exchange server
Protocols
SMTP
Right-click Default SMTP Server and click Properties.
Click the Access tab and then click Relay.
Select 'Only the list below'.
Enter an IP of 127.0.0.1.
Then enter the IP address assigned to your server.
Enter any other server IP addresses (if any) that also need to relay through this server.
Check the 'allow computers that authenticate successfully to relay' box.

You do not need to add all of your workstation IP addresses.

Also make doubly sure none of the workstations or servers are infected with a virus that is sending mail, as these machines are allowed to relay; but it just sounds like you've left this open and your SMTP server is being used to route spam. Machines search the internet, much like these blacklist sites, for servers that are open relays and then use them to send spam.

Hope this helps!

Expert Comment by cubeeq (LVL 3), ID: 24084728
I would not allow any client to relay in this case, so as to isolate the problem. Exchange clients do not talk SMTP either. And install Wireshark and use it on the intranet network interface on the server with a filter such as "dst port 25". You will be able to discover who is talking on SMTP.

Author Comment by s0nic, ID: 24089233
OK, so I did all of the above. I hope that helped. Now it states:

It will be one of the following scenarios:
1) It's a NAT firewall, in which case it is a NAT in front of a machine that is infected with spam sending spamware.
2) It's directly infested with spam sending spamware.

This IP has or is NAT'ing for a pharma2 BOT infection

If the IP is a NAT firewall, we strongly recommend configuring the firewall to prevent machines on your network connecting to the Internet on port 25, except for machines that are supposed to be mail servers. Once you have done this, you can use your firewall logs to detect which machines are infected/compromised.

I have a SonicWALL Pro 1260.
 
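The log-driven detection step that the CBL notice above and cubeeq's "dst port 25" Wireshark suggestion both describe, written out as an added example that is not part of the original thread. The Exchange address, the internal ranges and the key=value log format are assumptions (constructed sample lines, not the SonicWALL's actual log syntax); the script lists every internal host other than the Exchange server that tried to reach port 25 on an outside address.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical values for this example: the only host allowed to send SMTP, and the LAN ranges.
EXCHANGE_SERVER = "192.168.1.10"
INTERNAL_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# Constructed sample firewall log in a generic key=value form (not real SonicWALL output).
SAMPLE_LOG = """\
2009-04-06 08:01:12 action=allow proto=tcp src=192.168.1.10:3456 dst=64.233.160.0:25
2009-04-06 08:01:13 action=allow proto=tcp src=192.168.1.57:1025 dst=203.0.113.9:25
2009-04-06 08:01:13 action=allow proto=tcp src=192.168.1.57:1026 dst=198.51.100.4:25
2009-04-06 08:01:14 action=allow proto=tcp src=192.168.1.57:1027 dst=192.0.2.77:25
2009-04-06 08:01:15 action=allow proto=tcp src=192.168.1.33:2200 dst=192.168.1.10:25
2009-04-06 08:01:16 action=allow proto=tcp src=192.168.1.33:2201 dst=192.0.2.20:80
2009-04-06 08:01:17 action=drop proto=tcp src=10.0.5.8:40001 dst=192.0.2.99:25
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def is_internal(ip):
    """True if the address falls inside one of the assumed LAN ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_smtp_talkers(log_text, exchange_ip=EXCHANGE_SERVER):
    """Return {src_ip: attempts} for internal hosts, other than the Exchange server,
    that connected (or tried to) to TCP port 25 on an external address.
    Client submissions to the Exchange server itself (internal dst) are legitimate
    and ignored. Dropped attempts still count: a host that keeps hitting the block
    rule after it is in place is exactly the infected machine to look for."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "tcp" or m["dport"] != "25":
            continue
        src, dst = m["src"], m["dst"]
        if src == exchange_ip or not is_internal(src) or is_internal(dst):
            continue
        counts[src] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, n in sorted(find_smtp_talkers(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{host}: {n} outbound SMTP attempt(s)")
```

On the sample data this flags 192.168.1.57 (three outbound SMTP connections) and 10.0.5.8 (one dropped attempt), while the Exchange server and the workstation submitting to Exchange are ignored.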

Author Closing Comment by s0nic, ID: 31567273
Thanks. Once I did that, it appeared on my firewall that someone was trying to use my port 25 for SMTP.