block IPs

Posted on 2011-10-31
Last Modified: 2012-05-12
Dear,

We provide Internet to customers. We have an ASA5580 and a Cisco router, but we see customers sending spam to some sites, so I got email from many sites saying our IPs were blocked.

So my question: what Cisco device or other device can solve my issue and deny our customers sending spam to the Internet, so that our IPs don't get blocked?

If I install IPS in the ASA, will it solve my issue?
I want advice, but we have more than 10 000 users.

Look at our IP:
 Spam Blacklist check for X.X.X.X: has not blacklisted this IP has not blacklisted this IP has not blacklisted this IP has blacklisted this IP and the response is has blacklisted this IP and the response is

 or this site do block to our IP's planning
Question by:memo12345678

    Expert Comment

    by:Ernie Beek
    You could just block port 25 outgoing for everything except your mailserver.

    Author Comment

    It is difficult because some of our customers have their own mail server from outside.

    As I mentioned, I need a device to deny our customers sending spam and Trojans to the Internet, so that our IPs don't get blocked from outside.

    Expert Comment

    by:Ernie Beek
    Well normally this is set up on the mailserver (spam blocking and virus scanning). And I would say that it is the duty of the customer itself to take measures for that. If one of my customers would be sending out spam I'd kindly ask them to take measures to prevent that. Otherwise I would be forced to block them until they do.

    Author Comment

    Dear,

    We NAT 10 000 private IPs to 512 public IPs, so it is difficult to find who sent this spam mail. The reason is that we got the mail from outside after one day, so we didn't know who sent this spam.

    Expert Comment

    by:Ernie Beek

    Ok, get the picture.
    One question: what exactly do you mean by 'we took mail from outside' ?

    Author Comment

    I mean you receive mail from the site that was sent spam, saying they blocked your IP because you sent spam to them.

    Expert Comment

    by:Ernie Beek
    Eh, sorry I lost you there. Could you rephrase that?

    Author Comment


    Dear, look at this email I received:

    From: []
    Sent: Thursday, September 29, 2011 9:50 PM
    To: jam camere
    Subject: [clean-mx-spam-95554537] abuse report about  X.X.X.X  - Thu, 29 Sep 2011 20:07:06 +0200

    Hello Abuse-Team,

    your Server with the IP:  X.X.X.X  has attacked one of our server on the service:
    "postfix"  on Time: Thu, 29 Sep 2011 20:07:06 +0200 The IP was automatically blocked for more than 10 minutes. To block an IP, it needs
    3 failed Logins, one match for "invalid user" or a 5xx-Error-Code (eg. Blacklist)!

    Please check the machine behind the IP X.X.X.X(unknown) and fix the problem.

    real-time data for this day available at: X.X.X.X

    You can parse this Mail with X-ARF-Tools (1. attachment = Details, 2. attachment = Logs).
    You found more Information about X-Arf under

    If you have a special x-arf email contact, please drop us a note.

    In the attachment of this mail you can find the original protocols of our systems.


    Gerhard W. Recher

    NETpilot GmbH

    Wilhelm-Riehl-Str. 13
    D-80687 Muenchen

    GSM: ++49 171 4802507

    Handelsregister Muenchen: HRB 124497

    PGP-KEY:   Fingerprint: A4E317B6DC6494DCC9616366A75AB34CDD0CE552 id: 0xDD0CE552

    attacked server:
    Helo:  X.X.X.X
    source-ip: X.X.X.X
    protocol: ESMTP
    instance: predata06.2b09.4e84b3ca.2d652.0
    size: 0
    reason: 6 -->570 Blocked by domain in helo is blacklistet<%s>:
    Evidences so far in total for this ip:1

    Accepted Solution

    Ok. That's quite a tricky situation you got. I still say that it's also the responsibility of your clients to keep their networks safe and secure. And not to let them mess around and leave you with their problems. What I would do then is to tell them to designate one of their addresses for use with an email server. That way it is already easier to monitor (block port 25 for everything except those designated as being a mail server). So if one of their machines is corrupted it wouldn't be able to spam.
    To keep their mail traffic under control I would take a look at the ASA CSC-SSM-20 module with a plus license (anti spam, anti spyware, antivirus, etc). I'm not 100% sure if this applies to your specific situation but you might want to ask Cisco about that, not too experienced with those modules myself but I think that might be a good option.

    Assisted Solution

    by:Greg Hejl
    Scan the NAT range for the public IP and identify the mail servers that use the public IP.

    Send the mail administrators the abuse message you received and the blacklist reports.

    You can also telnet to the servers you identify for their EHLO; you may be able to find exactly which one.
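
An added example (not part of the original thread or any poster's code): with 10 000 customers behind 512 NAT addresses, the firewall's connection log is what ties a reported public IP and time back to an inside host. The sketch assumes ASA-style "Built outbound TCP connection" syslog lines in the layout of the constructed sample, firewall timestamps in the same timezone as the abuse report, and the hypothetical names `smtp_senders` and `mail_servers`.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the ASA 302013 "Built outbound TCP
# connection" message; every address is from a private or documentation range.
SAMPLE_LOG = """\
Sep 29 2011 20:06:58 asa1 %ASA-6-302013: Built outbound TCP connection 7001 for outside:198.51.100.9/25 (198.51.100.9/25) to inside:10.20.3.44/49152 (203.0.113.17/49152)
Sep 29 2011 20:07:03 asa1 %ASA-6-302013: Built outbound TCP connection 7002 for outside:198.51.100.9/25 (198.51.100.9/25) to inside:10.20.3.44/49160 (203.0.113.17/49160)
Sep 29 2011 20:07:04 asa1 %ASA-6-302013: Built outbound TCP connection 7003 for outside:198.51.100.80/80 (198.51.100.80/80) to inside:10.20.7.12/50311 (203.0.113.17/50311)
Sep 29 2011 20:07:05 asa1 %ASA-6-302013: Built outbound TCP connection 7004 for outside:192.0.2.25/25 (192.0.2.25/25) to inside:10.20.9.5/41000 (203.0.113.17/41000)
Sep 29 2011 20:07:06 asa1 %ASA-6-302013: Built outbound TCP connection 7005 for outside:198.51.100.9/25 (198.51.100.9/25) to inside:10.20.8.8/42000 (203.0.113.18/42000)
Sep 29 2011 14:00:00 asa1 %ASA-6-302013: Built outbound TCP connection 6001 for outside:198.51.100.9/25 (198.51.100.9/25) to inside:10.20.1.1/43000 (203.0.113.17/43000)
"""

# Captures timestamp, destination port, inside (real) source and NAT (mapped) source.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{4} [\d:]{8}) .*%ASA-6-302013: Built outbound TCP "
    r"connection \d+ for outside:[\d.]+/(?P<dport>\d+) \([^)]*\) "
    r"to inside:(?P<src>[\d.]+)/\d+ \((?P<nat>[\d.]+)/\d+\)")

def smtp_senders(log_text, public_ip, reported_at,
                 window=timedelta(minutes=5), mail_servers=frozenset()):
    """Return {inside_ip: count} of outbound TCP/25 connections translated to
    public_ip within +/- window of reported_at, skipping designated mail servers."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["dport"] != "25" or m["nat"] != public_ip:
            continue  # not SMTP, or translated to a different public address
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        if abs(ts - reported_at) > window or m["src"] in mail_servers:
            continue  # outside the report window, or an allowed mail server
        hits[m["src"]] = hits.get(m["src"], 0) + 1
    return hits

if __name__ == "__main__":
    report_time = datetime(2011, 9, 29, 20, 7, 6)  # time given in the abuse report
    print(smtp_senders(SAMPLE_LOG, "203.0.113.17", report_time,
                       mail_servers={"10.20.9.5"}))
```

Any inside address this returns is a host speaking SMTP directly to the Internet without being a designated mail server, which is also the traffic a port 25 egress rule would stop.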

    Expert Comment

    This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
