Any Way to Find Possible Rogue or Unauthorized SMTP Server

automationstation
Network with about 250 nodes, ISA Server 2006, Exchange 2003... users are getting a lot of spam. I have Intelligent Message Filter running and an Untangle (open source) firewall device supposedly blocking a lot of spam.

I think I have a machine on the inside of the network possibly sending out the spam inside the firewall. Two Questions:

1) Any way or any utility I can use to find this possible culprit short of going desk to desk?

2) Can I use Group Policy, ISA Server or any other tool on the network to block any SMTP traffic except that which is generated by the Exchange Server?

... I am open for suggestions... users are getting tired of wading through the BS spam.
Commented:
Hi,

You will need to enforce this on your firewall, as viruses etc. can circumvent policies/security setup on your workstations. To block all outbound port 25 except from the mail server:

----
Often administrators would like to block all outbound port 25 except from the mail server. To do so first you must remove the outbound port 25 policy rule so that outbound port 25 traffic goes through the rack in question. Then you need to create a rule to block all port 25 traffic with Destination Interface External, then you need to create a rule just above that passes outbound port 25 traffic where the client is your email server. Beware, this means that mail coming from your mail server now goes through the rack and may be scanned by Spam Blocker, Phish Blocker, etc. Alternatively, you can add a rule in the firewall blocking all port 25 traffic and then add a policy manager rule sending all outbound port 25 traffic from the email server to ">No Rack."
----
Source: http://wiki.untangle.com/index.php/Firewall#How_can_I_block_outbound_SMTP.3F

To find out which nodes are generating the SMTP traffic, you can either enable logging on the above rule on your firewall or sniff the traffic between your network and the firewall, using a hub or a switch with span/mirror port capabilities and a packet analyzer such as Packetyzer. Using the log on your firewall will be easier.

Source: http://forums.untangle.com/networking/8916-block-outgoing-smtp-except-email-server.html

Commented:
If you are using ISA as your outbound default gateway, you'll want to set up the outbound SMTP block there and enable logging to find out the source IP addresses.

Commented:
Totally agree with incera. Also, run a report and see what devices on the inside are trying to make outbound TCP 25 connections out the external interface.
Author

Commented:
Do you know where to look in that ISA Report for this? I can see SMTP totals but not detail. Or are you suggesting I look at the top users?

Author

Commented:
I am currently using the ISA Server 2006 (trial) as the main firewall and then passing traffic through an Untangle server running in Bridge mode. I am contemplating removing the ISA Server and just using the Untangle box for everything.

Internet <-> ISA server <-> Untangle <-> Switch to Private network
Commented:
ISA is primarily nice because of its integration with Active Directory. If you are not taking advantage of this functionality, your Untangle box would be adequate.

In order to see the SMTP traffic reaching your ISA, run a query on your ISA server log. To display records with the default filter, click the Logging tab, and then on the Tasks tab, select Start Query. Create a custom filter for SMTP by setting the Destination Port to SMTP/25.
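As an added illustration that is not code from either post, and not tied to the real Untangle or ISA log formats: once the port 25 block rule is logging, a short script like this can be run over the exported log lines to rank internal hosts by outbound TCP/25 attempts, leaving out the authorized Exchange server. The key=value log format, the addresses and the mail server IP below are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a generic "key=value" firewall log style; they are
# NOT real Untangle or ISA log output (both products have their own formats).
SAMPLE_LOG = """\
2009-03-02T10:01:12 action=block proto=tcp src=192.168.1.57:3391 dst=203.0.113.25:25 iface=external
2009-03-02T10:01:13 action=allow proto=tcp src=192.168.1.10:49152 dst=198.51.100.9:25 iface=external
2009-03-02T10:01:14 action=block proto=tcp src=192.168.1.57:3392 dst=203.0.113.77:25 iface=external
2009-03-02T10:01:15 action=allow proto=tcp src=192.168.1.22:1044 dst=198.51.100.9:80 iface=external
2009-03-02T10:01:16 action=block proto=tcp src=192.168.1.57:3393 dst=192.0.2.14:25 iface=external
2009-03-02T10:01:17 action=block proto=tcp src=192.168.1.88:2201 dst=192.0.2.15:25 iface=external
2009-03-02T10:01:18 action=allow proto=tcp src=192.168.1.10:49153 dst=192.168.1.22:25 iface=internal
"""

# Pull protocol, source IP, destination IP and destination port out of a line.
LINE_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def suspicious_smtp_sources(log_text, internal_net, mail_server):
    """Count outbound TCP/25 connection attempts per internal host, excluding
    the authorized mail server. Returns a list of (src_ip, count), busiest first."""
    net = ipaddress.ip_network(internal_net)
    allowed = ipaddress.ip_address(mail_server)
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "tcp" or m["dport"] != "25":
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        # Only internal -> external matters; a workstation relaying through
        # the Exchange server (internal destination) is expected traffic.
        if src not in net or dst in net or src == allowed:
            continue
        hits[str(src)] += 1
    return hits.most_common()


if __name__ == "__main__":
    # 192.168.1.10 plays the Exchange server in the constructed sample.
    for ip, n in suspicious_smtp_sources(SAMPLE_LOG, "192.168.1.0/24", "192.168.1.10"):
        print(f"{ip}\t{n} outbound TCP/25 attempt(s)")
```

Any host near the top of that list that is not a mail server is the desk to visit first.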

Author

Commented:
Thanks for the help... used the ISA logging to gain some insight. Ended up removing the ISA firewall and installed an Untangle box. Used incera's post to configure SMTP traffic on port 25 only from the Exchange server. Working great. Within 2 hours, the Untangle box has already blocked over 1,000 spam messages.
