  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3164

How to identify spam-sending workstations, and block outgoing (smtp) non-company email?

The IP address of the company I work for has been added to a spam blacklist (bl.spamcop.net). I've determined that the cause is almost certainly one or more workstations somewhere in the company that are infected with a virus or trojan and sending out this spam. We've received bounced emails from other email servers informing us about the blacklist, which show the primary company IP as the one which is blacklisted.

A brief overview of how we are set up:
- Internet and email traffic for all of the company's offices are routed through a central server, and pass through a "Sonicwall Pro 2040 Enhanced" firewall.
- We have NOD32 anti-virus installed on all workstations, laptops, and servers.
- Email is not handled on-site. Our mail server is actually on an external dedicated server (which runs the company website), running Linux, cPanel, etc. The mail is a simple POP3/SMTP setup (no Exchange server), using standard ports 25 and 110. Employees are set up with Outlook. The external mail server's IP is not blacklisted, only the company's outward-facing IP.

What I'm seeking is advice on how to 1) Use the Sonicwall or another tool if needed to pin down the responsible workstations that are sending out the spam email so they can be cleaned, and 2) In a way that won't interrupt normal company email usage, block all email from being sent out through the network that does not go through our own mail server (which as mentioned, is on a server that is external to the company network). I've spent several hours carefully looking through all of the settings and options for the Sonicwall, and have not yet discovered how to proceed. I'd like to correctly address the source of the problem before requesting to be removed from the blacklist.

Thanks in advance for your assistance! :)
1 Solution
1. You can monitor active connections on the Sonicwall, so you should be able to determine the source of the SMTP outbreak.
   Firewall > Connections Monitor
2. Create a ZONE for your external provider's SMTP server and then create an access rule to only allow SMTP traffic to that destination IP.
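The following is an added example (not code from the original thread or from the SonicWall product) that illustrates both halves of the answer above: it reads a connection list of the kind the Connections Monitor lets you export, counts which internal hosts are opening SMTP sessions, and flags any host whose SMTP destinations are not the company's approved external mail server, which is exactly the allow-list the access rule in step 2 enforces. The record format ("src dst dport proto"), the sample records and the addresses are constructed placeholders; adapt `parse_line()` to the columns of a real export.

```python
"""Triage an exported connection list for rogue outbound SMTP.

Added example, not from the original thread. The record format below is a
constructed "src dst dport proto" list, not the SonicWall Connections
Monitor export; adapt parse_line() to the real column layout. Addresses are
documentation-range placeholders.
"""
from collections import defaultdict

# Assumption: the only legitimate outbound SMTP destination is the external
# cPanel mail server, placeholder address 203.0.113.10.
ALLOWED_SMTP_SERVERS = {"203.0.113.10"}
SMTP_PORTS = {25, 465, 587}

# Constructed sample of connection records: "src dst dport proto".
# 192.168.1.57 is behaving like an infected host: direct SMTP to many
# foreign mail servers instead of the company relay.
SAMPLE_CONNECTIONS = """\
192.168.1.20 203.0.113.10 25 tcp
192.168.1.20 203.0.113.10 110 tcp
192.168.1.57 198.51.100.8 25 tcp
192.168.1.57 198.51.100.9 25 tcp
192.168.1.57 198.51.100.10 25 tcp
192.168.1.57 198.51.100.11 25 tcp
192.168.1.31 203.0.113.10 25 tcp
192.168.1.31 93.184.216.34 443 tcp
"""


def parse_line(line):
    """Parse one 'src dst dport proto' record; return None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, dst, dport, proto = parts
    try:
        return src, dst, int(dport), proto.lower()
    except ValueError:
        return None


def find_smtp_sources(text, allowed=ALLOWED_SMTP_SERVERS):
    """Return {src: {"allowed": n, "rogue": n, "rogue_dsts": set}} for every
    internal host that opened a TCP connection to an SMTP port."""
    report = defaultdict(lambda: {"allowed": 0, "rogue": 0, "rogue_dsts": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, proto = rec
        if proto != "tcp" or dport not in SMTP_PORTS:
            continue
        entry = report[src]
        if dst in allowed:
            entry["allowed"] += 1
        else:
            entry["rogue"] += 1
            entry["rogue_dsts"].add(dst)
    return dict(report)


def suspects(report, min_rogue=1):
    """Hosts to clean first: sources with SMTP sessions to non-approved
    servers, ordered by distinct destinations contacted, then session count."""
    flagged = [(src, e) for src, e in report.items() if e["rogue"] >= min_rogue]
    return sorted(flagged,
                  key=lambda item: (len(item[1]["rogue_dsts"]), item[1]["rogue"]),
                  reverse=True)


if __name__ == "__main__":
    rep = find_smtp_sources(SAMPLE_CONNECTIONS)
    for src, e in suspects(rep):
        print(f"{src}: {e['rogue']} SMTP sessions to {len(e['rogue_dsts'])} "
              f"non-approved servers -> isolate and scan")
    for src, e in rep.items():
        if e["rogue"] == 0:
            print(f"{src}: {e['allowed']} SMTP sessions, all to the approved relay")
```

Once the access rule from step 2 is in place (SMTP permitted only to the provider's server), the firewall's own log of dropped port-25 connections produces the same list of suspect hosts, so the script is mainly useful for the initial triage before the rule exists.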
