TKGreen

Symantec mail security for SMTP 5.0.1 Blacklisting

I am running Symantec Mail Security for SMTP 5.0.1 on Windows Server 2003. I have recently been put on a blacklist because of SPAM. I have removed my servers from the list and one was added back. I ran the malicious software removal tool on the systems and nothing was found. I did find some viruses in the bamail queue, which I have removed. Not sure if some of my settings on the Secure mail gateway are correct.

R,

Keith
xmachine

Hi,

The following checklist is your best friend to fight spam-bots and keep your MX record away from blacklists:

1) Authorized servers only: Allow only your authorized mail server or anti-spam solution (ex. ironmail/ironport/barracuda, etc.) to send SMTP (tcp/25) traffic outside your network. Otherwise, you'll face the blacklisting penalty and it will take a while to clear your IP.

2) Don't leave the Wifi LAN un-firewalled: I found many customers who got blacklisted because they forgot to secure the Wifi LAN and allowed any traffic to leave. They didn't calculate the risk of infected laptops. Start with allowing common protocols such as HTTP/HTTPS/POP3, turn on AV scanning, DPI (Deep Packet Inspection), Web Filtering (ex. SurfControl).

3) Know your traffic: You should be aware of every inbound/outbound bit in your network. There are a lot of solutions which will sniff and study the type of generated traffic on the wire, so you can get a full picture of what's going on at the moment. Check the following vendors and their solutions:

http://www.arbornetworks.com/
http://www.genienrm.com/
http://www.narus.com/
http://www.lancope.com/
http://www.flukenetworks.com/

4) MX reputation monitoring: This is a very nice way for early warning before they blacklist your IP. These monitoring services will evaluate the "reputation" level and warn you. For instance, http://www.towerdata.com/services/email/deliverability/repcheck.html

5) Antivirus & HIPS: I don't need to discuss this point too much. Many MX blacklisting incidents happened due to a computer left without an antivirus scanner installed. So, always scan your network and push the AV client. Don't allow untrusted laptops to use your network unless they are protected and clean. Some companies follow the rule of: keep your laptop off, we will give you ours! HIPS is an excellent layer of defense that complements the AV scanner.

6) FW/Router Logs: You need to enable logging on any rule that allows outbound SMTP traffic, so you can later check the source of any suspicious spam traffic from inside-to-outside.

You should use a combination of sniffers and port scanners to detect spam bots. Check the following:

1) Wireshark, download it from (http://www.wireshark.org/download.html)

You need to connect it to a managed switch with support for a monitoring port (Cisco calls it SPAN), or use a hub. The last option is to use a network TAP (http://en.wikipedia.org/wiki/Network_tap) from a vendor like NetOptics (http://www.netoptics.com/products/product_family.asp?cid=1).


2) Another sniffing tool is Tcpick (Linux-based), download it from (https://sourceforge.net/projects/tcpick/).

Here's how to sniff port 25:

#tcpick -i eth0 -C -bCU -T1 "port 25"

3) Nmap is the best port scanning tool, download it from (http://nmap.org/download.html)

Here's how to scan for port 25 (replace 202.21.192.1/24 with your network range):

#nmap -sS 202.21.192.1/24 -p 25

4) TCPDump is another good sniffer, download it from (http://www.tcpdump.org/)

Here's how to sniff port 25:

#tcpdump -i eth0 port 25


A Symantec Certified Specialist @ your service
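Points 1 and 6 of the checklist above amount to one detection rule: any internal host other than the authorized mail gateway that is allowed to open outbound tcp/25 is a spam-bot candidate. The script below is an added example, not code from the thread or from any of the vendors named in it. It parses a constructed, generic key=value firewall accept log (the field names, the authorized gateway address 192.168.1.10 and every sample line are assumptions) and reports each unauthorized internal source together with how many SMTP connections it made and how many distinct external mail hosts it touched, since a bot fanning out to many MX hosts stands out from a single misconfigured client.

```python
"""
Added example (not from the original thread): flag internal hosts that open
outbound SMTP (tcp/25) connections even though they are not the authorized
mail gateway. The log format, field names, gateway address and sample lines
are all constructed assumptions, not output of any real firewall product.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: only the mail gateway may send SMTP to the Internet (point 1).
AUTHORIZED_SMTP_SENDERS = {"192.168.1.10"}

# Constructed log lines in a generic "key=value" firewall log style (point 6:
# the outbound-SMTP rule has logging enabled, so accepts show up here).
SAMPLE_LOG = """\
2008-03-01T10:00:01 action=accept proto=tcp src=192.168.1.10 dst=64.12.138.161 dport=25
2008-03-01T10:00:02 action=accept proto=tcp src=192.168.1.57 dst=64.12.138.161 dport=25
2008-03-01T10:00:02 action=accept proto=tcp src=192.168.1.57 dst=65.55.37.120 dport=25
2008-03-01T10:00:03 action=accept proto=tcp src=192.168.1.57 dst=209.85.133.27 dport=25
2008-03-01T10:00:04 action=accept proto=tcp src=192.168.1.57 dst=74.125.45.27 dport=25
2008-03-01T10:00:05 action=accept proto=tcp src=192.168.1.23 dst=74.125.45.27 dport=80
2008-03-01T10:00:06 action=accept proto=tcp src=192.168.1.10 dst=65.55.37.120 dport=25
2008-03-01T10:00:07 action=drop proto=tcp src=192.168.1.99 dst=64.12.138.161 dport=25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_private(ip):
    """True for RFC 1918 / loopback style addresses, i.e. our inside hosts."""
    return ipaddress.ip_address(ip).is_private


def find_unauthorized_smtp(log_text, authorized=AUTHORIZED_SMTP_SENDERS):
    """Return {src: {"connections": n, "distinct_mx": k}} for every internal
    host that was *allowed* to reach an external tcp/25 port without being
    on the authorized sender list. Drops are ignored: they were blocked."""
    per_src = defaultdict(lambda: {"connections": 0, "dsts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than crash on it
        if rec["action"] != "accept" or rec["proto"] != "tcp" or rec["dport"] != 25:
            continue
        if not is_private(rec["src"]) or is_private(rec["dst"]):
            continue  # only inside-to-outside SMTP matters for blacklisting
        if rec["src"] in authorized:
            continue
        per_src[rec["src"]]["connections"] += 1
        per_src[rec["src"]]["dsts"].add(rec["dst"])
    return {
        src: {"connections": v["connections"], "distinct_mx": len(v["dsts"])}
        for src, v in per_src.items()
    }


if __name__ == "__main__":
    for src, stats in find_unauthorized_smtp(SAMPLE_LOG).items():
        print(f"{src}: {stats['connections']} outbound SMTP connections "
              f"to {stats['distinct_mx']} distinct external mail hosts")
```

Point the function at the real accept log for the outbound-SMTP rule and at your own gateway address; any source it reports is the host to pull off the network and scan, which is exactly the step the checklist's firewall-logging point is meant to make possible.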
ASKER CERTIFIED SOLUTION
TKGreen