block IPs

Dear ,

We provide Internet to customers. We have an ASA5580 and a Cisco router, but we see customers send spam to the same site, so I got email from many sites that our IPs were blocked.

So my question: what Cisco device or other device would solve my issue and deny our customers sending spam to the Internet, so that our IPs are not blocked?

If I install IPS in the ASA, will it solve my issue?
I want advice, but we have more than 10 000 users.

Look at our IP:
 Spam Blacklist check for X.X.X.X:

whois.rfc-ignorant.org has not blacklisted this IP
bl.spamcop.net has not blacklisted this IP
sbl.spamhaus.org has not blacklisted this IP
xbl.spamhaus.org has blacklisted this IP and the response is
zen.spamhaus.org has blacklisted this IP and the response is

Or this site does block our IPs:
http://pedromatias.co.uk/what-is-strategy-XXXX planning
2 Solutions
Ernie Beek (Expert) commented:
You could just block port 25 outgoing for everything except your mailserver.
memo12345678 (Author) commented:
It would be difficult because some of our customers have their own mail server outside.

As I mentioned, I need a device that denies our customers sending spam and Trojans to the Internet, so that our IPs are not blocked from outside.
Ernie Beek (Expert) commented:
Well normally this is set up on the mailserver (spam blocking and virus scanning). And I would say that it is the duty of the customer itself to take measures for that. If one of my customers would be sending out spam I'd kindly ask them to take measures to prevent that. Otherwise I would be forced to block them until they do.
memo12345678 (Author) commented:
Dear ,

We NAT 10 000 private IPs to 512 public IPs, so it is difficult to find who sent this spam mail. The reason is that we got the mail from outside after one day, and we didn't know who sent this spam.
Ernie Beek (Expert) commented:
Ok, get the picture.
One question: what exactly do you mean by 'we took mail from outside' ?
memo12345678 (Author) commented:
I mean you receive mail from the site that was sent spam, saying "we block your IP because you sent spam to us".
Ernie Beek (Expert) commented:
Eh, sorry I lost you there. Could you rephrase that?
memo12345678 (Author) commented:

Dear, look at this email I received:

From: abuse@clean-mx.de [mailto:abuse@clean-mx.de]
Sent: Thursday, September 29, 2011 9:50 PM
To: jam camere
Subject: [clean-mx-spam-95554537] abuse report about  X.X.X.X  - Thu, 29 Sep 2011 20:07:06 +0200

Hello Abuse-Team,

your Server with the IP:  X.X.X.X  has attacked one of our server on the service:
"postfix"  on Time: Thu, 29 Sep 2011 20:07:06 +0200 The IP was automatically blocked for more than 10 minutes. To block an IP, it needs
3 failed Logins, one match for "invalid user" or a 5xx-Error-Code (eg. Blacklist)!

Please check the machine behind the IP X.X.X.X(unknown) and fix the problem.

real-time data for this day available at:

http://support.clean-mx.de/clean-mx/publog?ip= X.X.X.X

You can parse this Mail with X-ARF-Tools (1. attachment = Details, 2. attachment = Logs).
You found more Information about X-Arf under http://www.x-arf.org/specification.html

If you have a special x-arf email contact, please drop us a note.

In the attachment of this mail you can find the original protocols of our systems.


Gerhard W. Recher

NETpilot GmbH

Wilhelm-Riehl-Str. 13
D-80687 Muenchen

GSM: ++49 171 4802507

Handelsregister Muenchen: HRB 124497

w3: http://www.clean-mx.de
e-Mail:   mailto:abuse@clean-mx.de
PGP-KEY:   Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id: 0xDD0CE552
Location: http://www.clean-mx.de/downloads/abuse-at-clean-mx.de.pub.asc

attacked server: relay3.netpilot.net
envelopesender: krwkkhwnvk@abingdonumc.org
enveloperecpient: employmenty41@whiskyworld.de
Helo:  X.X.X.X
source-ip: X.X.X.X
protocol: ESMTP
instance: predata06.2b09.4e84b3ca.2d652.0
size: 0
reason: 6 -->570 Blocked by http://www.clean-mx.de domain in helo is blacklistet<%s>:
Evidences so far in total for this ip:1
Ernie Beek (Expert) commented:
Ok. That's quite a tricky situation you got. I still say that it's also the responsibility of your clients to keep their networks safe and secure. And not to let them mess around and leave you with their problems. What I would do then is to tell them to designate one of their addresses for use with an email server. That way it is already easier to monitor (block port 25 for everything except those designated as being a mail server). So if one of their machines is corrupted it wouldn't be able to spam.
To keep their mail traffic under control I would take a look at the ASA CSC-SSM-20 module with a plus license (anti spam, anti spyware, antivirus, etc). I'm not 100% sure if this applies to your specific situation but you might want to ask Cisco about that, not too experienced with those modules myself but I think that might be a good option.

Greg Hejl (Principal Consultant) commented:
Scan the NAT range for the public IP and identify the mail servers that use the public IP.

Send the mail administrators the abuse message you received and the blacklist reports.

You can also telnet to the servers you identify for their EHLO; you may be able to find exactly which one.
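
Added example, not part of any post in this thread: one way to work back from an abuse report to the inside host behind a NATed public IP, by filtering firewall connection logs for port 25 sessions through that IP around the reported time and skipping the designated customer mail servers. It assumes the ASA logs connection-built events (syslog message 302013) with timestamps and keeps them long enough, and that the firewall clock is in the same time zone as the report; the function name `smtp_sources`, the log lines and all addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of ASA syslog message 302013 (connection
# built). Addresses are documentation ranges, not values from the thread.
SAMPLE_LOG = """\
Sep 29 2011 20:06:58 fw1 : %ASA-6-302013: Built outbound TCP connection 7001 for outside:198.51.100.7/25 (198.51.100.7/25) to inside:10.20.3.44/51001 (203.0.113.9/51001)
Sep 29 2011 20:07:01 fw1 : %ASA-6-302013: Built outbound TCP connection 7002 for outside:198.51.100.80/80 (198.51.100.80/80) to inside:10.20.9.12/40222 (203.0.113.9/40222)
Sep 29 2011 20:07:03 fw1 : %ASA-6-302013: Built outbound TCP connection 7003 for outside:192.0.2.25/25 (192.0.2.25/25) to inside:10.20.3.44/51002 (203.0.113.9/51002)
Sep 29 2011 20:07:05 fw1 : %ASA-6-302013: Built outbound TCP connection 7004 for outside:192.0.2.25/25 (192.0.2.25/25) to inside:10.20.5.10/33010 (203.0.113.9/33010)
Sep 29 2011 20:31:40 fw1 : %ASA-6-302013: Built outbound TCP connection 7090 for outside:192.0.2.25/25 (192.0.2.25/25) to inside:10.20.7.77/45000 (203.0.113.9/45000)
"""

# Destination first, then the inside host with its translated address in parentheses.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} [\d:]{8}) .*%ASA-6-302013: Built outbound TCP "
    r"connection \d+ for \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) \([^)]*\) "
    r"to \w+:(?P<src>[\d.]+)/\d+ \((?P<nat>[\d.]+)/\d+\)"
)

def smtp_sources(log, public_ip, report_time, window=timedelta(minutes=5),
                 mail_servers=frozenset()):
    """Map inside host -> SMTP destinations it reached through public_ip
    within +/- window of the time given in the abuse report."""
    hits = defaultdict(set)
    for line in log.splitlines():
        m = LINE.search(line)
        if not m or m["dport"] != "25" or m["nat"] != public_ip:
            continue  # not SMTP, or translated to a different public address
        when = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        if abs(when - report_time) > window or m["src"] in mail_servers:
            continue  # outside the window, or a designated mail server
        hits[m["src"]].add(m["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}

if __name__ == "__main__":
    report = datetime(2011, 9, 29, 20, 7, 6)  # time stated in the abuse report
    print(smtp_sources(SAMPLE_LOG, "203.0.113.9", report,
                       mail_servers={"10.20.5.10"}))
```

An inside host that is not a designated mail server and reaches several unrelated SMTP servers within seconds is the one to contact or block first.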
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
