Adam D

asked on

CBL Blacklisting continues to happen

On Sunday 10/6/2013 at 4:00 p.m. CST our IP was blacklisted by CBL and they indicated we were infected with the ZeroAccess bot.

I ran the basic scans and found nothing.

I delisted our IP address and all was fine until today at 12:00 p.m. CST.  Again we were blacklisted (1 day, 23 hours later) and again we were told it was the ZeroAccess bot.

I went to each machine physically (there are only 9 machines including two servers).  I ran:

Norton Power Eraser
FixZeroAccess by Norton
Remove Rootkit by McAfee
Deep Scan by the installed VIPRE

Not one of them found ANY problem.

In addition I have a Cisco ASA firewall between the world and us and it is configured to ONLY allow SMTP port 25 traffic from the mail server - so no individual machine could be sending out mail by themselves.

I can understand one false positive, but two?  I have delisted us again but if I keep doing this we will be permanently blacklisted.

I also cannot seem to find CBL's email address to contact them directly.

Thoughts?

Thanks.
R--R

Enable the SMTP log and check the IP which is consistently hitting the server.
Block port 25 for the machines/servers except the Exchange server. Only the Exchange server should have access to 25 on the firewall.

If you have Exchange 2007/2010 then enable the receive connector log and send connector log and check the IP.

This one seems to be getting on the blacklist because the bot has been detected, not because it has sent spam.
I found it by watching the firewall traffic for hits to odd IP addresses.

Simon.
ASKER CERTIFIED SOLUTION
Happy Tohelp
(solution text only available to members)
Adam D (ASKER)

Thank you for your replies.

There are laptops that come and go, no guest wireless so it could be a private employee machine. I had not tried telnetting from another machine previously and I found out the ACL I created was apparently incorrect because I was able to telnet.

This is an ASA 5505 and here is my current ACL.  Please advise on the proper command to block anyone but the Exchange server IP, which is:  192.168.168.2  Unfortunately the ACL I just created blocks EVERYONE - so I am missing something.

=====================================
x.x.x.x = outside public ip

access-list 101 extended permit tcp any host x.x.x.x eq www
access-list 101 extended permit tcp any host x.x.x.x eq smtp
access-list 101 extended permit tcp any host x.x.x.x eq pop3
access-list 101 extended permit tcp any host x.x.x.x eq 14238
access-list 101 extended permit tcp any host x.x.x.x eq 50000
access-list 101 extended permit tcp any any eq ftp
access-list acl_Outbound extended permit tcp host 192.168.168.2 eq smtp any eq smtp
access-list acl_Outbound extended deny tcp any eq smtp any eq smtp

access-group acl_Outbound out interface inside
access-group 101 in interface outside
access-group acl_Outbound out interface outside
=====================================

As for the TDSS and ESET I will run those as well.

Thanks.
Adam D (ASKER)

Any comments?

TMekeel
You would want to allow both smtp and 587 to the Exchange server.  And also, block 25 on the "in" side of the inside interface.  It's the local clients you do not want going out.  Unless they need to go through ASA to get to your Exchange server.

https://supportforums.cisco.com/thread/2196114
Adam D (ASKER)

Thanks TMekeel.  I modified my acl_Outbound to the following

=======================
access-list acl_Outbound line 1 extended permit tcp host <allowed IP> eq smtp any eq smtp
access-list acl_Outbound line 2 extended deny tcp any eq smtp any eq smtp
access-list acl_Outbound line 3 extended permit ip any any

access-group acl_Outbound in interface inside

=======================

If I run "packet-tracer" on the firewall it shows the packet being dropped if not from the allowed IP and allowed from the allowed IP.

But if I run a command prompt on a non-authorized machine and enter:  

telnet <outside smtp machine> 25

the outside smtp machine will answer.

So, is the rule working and if so why does the outside smtp machine answer my query on port 25?

Thanks.

You are blocking smtp not port 25. So tcp over 25 works.
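An added example, not code from any participant in this thread: a small model of how an ASA extended ACL is evaluated, run against the acl_Outbound posted above and against a corrected version. In ASA syntax an `eq PORT` placed after the source address restricts the source port, the `eq PORT` after the destination address restricts the destination port, and `smtp` is the keyword for port 25. The posted SMTP lines carry `eq smtp` on both sides, so a client connecting from an ephemeral source port matches neither the permit nor the deny line and falls through to `permit ip any any`; that is the behaviour the telnet test shows. The corrected ACL in the block is this example's own suggestion, following the earlier advice to cover 587 as well as 25 and to apply the list with `access-group acl_Outbound in interface inside`; it restricts only the destination port. The Exchange address 192.168.168.2 is the one given earlier in the thread, while the client address 192.168.168.50 and the outside addresses 203.0.113.x are constructed for the example.

```python
"""Toy model of Cisco ASA extended-ACL matching.

Illustrative code added to this thread, not an ASA feature.  It models only what
the thread's ACEs use: 'any' / 'host X' address specs, an optional 'eq PORT'
after each address, first-match-wins evaluation and the implicit deny at the
end.  The 'eq' that follows the SOURCE address matches the SOURCE port.
"""
from dataclasses import dataclass
from typing import List, Optional

# ASA port keywords that appear in the thread (values are the IANA ports).
PORT_NAMES = {"smtp": 25, "www": 80, "pop3": 110, "ftp": 21}


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: str               # "any" or a host address
    sport: Optional[int]   # None means any source port
    dst: str
    dport: Optional[int]   # None means any destination port


def _addr(t: List[str], i: int):
    """Consume 'any' or 'host X' at t[i]; return (address, next index)."""
    if t[i] == "any":
        return "any", i + 1
    if t[i] == "host":
        return t[i + 1], i + 2
    raise ValueError(f"unsupported address spec: {' '.join(t[i:])}")


def _port(t: List[str], i: int):
    """Consume an optional 'eq PORT' at t[i]; None means no port restriction."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return port, i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [line N] extended ACTION PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    i = t.index("extended") + 1
    action, proto = t[i], t[i + 1]
    src, i = _addr(t, i + 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return Ace(action, proto, src, sport, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(ln) for ln in text.strip().splitlines() if ln.strip()]


def _matches(ace: Ace, p: Packet) -> bool:
    return (ace.proto in ("ip", p.proto)
            and ace.src in ("any", p.src)
            and ace.sport in (None, p.sport)
            and ace.dst in ("any", p.dst)
            and ace.dport in (None, p.dport))


def first_match(acl: List[Ace], p: Packet) -> Optional[int]:
    """1-based index of the first ACE that matches, or None (implicit deny)."""
    for n, ace in enumerate(acl, start=1):
        if _matches(ace, p):
            return n
    return None


def evaluate(acl: List[Ace], p: Packet) -> str:
    n = first_match(acl, p)
    return acl[n - 1].action if n else "deny"


# The ACL as posted in the thread, with <allowed IP> filled in from the Exchange
# address given earlier.  Both SMTP lines restrict the SOURCE port to 25 as well.
POSTED_ACL = parse_acl("""
access-list acl_Outbound line 1 extended permit tcp host 192.168.168.2 eq smtp any eq smtp
access-list acl_Outbound line 2 extended deny tcp any eq smtp any eq smtp
access-list acl_Outbound line 3 extended permit ip any any
""")

# Suggested replacement (this example's assumption, not a config from the
# thread): restrict only the DESTINATION port and cover 587 as well; apply it
# with 'access-group acl_Outbound in interface inside'.
CORRECTED_ACL = parse_acl("""
access-list acl_Outbound line 1 extended permit tcp host 192.168.168.2 any eq smtp
access-list acl_Outbound line 2 extended permit tcp host 192.168.168.2 any eq 587
access-list acl_Outbound line 3 extended deny tcp any any eq smtp
access-list acl_Outbound line 4 extended deny tcp any any eq 587
access-list acl_Outbound line 5 extended permit ip any any
""")

# Constructed sample packets; 192.168.168.50 and 203.0.113.x are made up here.
CLIENT_TELNET = Packet("tcp", "192.168.168.50", 49152, "203.0.113.25", 25)
EXCHANGE_OUT = Packet("tcp", "192.168.168.2", 49153, "203.0.113.25", 25)
CLIENT_SPORT25 = Packet("tcp", "192.168.168.50", 25, "203.0.113.25", 25)
CLIENT_WEB = Packet("tcp", "192.168.168.50", 49154, "203.0.113.80", 80)

if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("corrected", CORRECTED_ACL)):
        for pkt in (CLIENT_TELNET, EXCHANGE_OUT, CLIENT_SPORT25, CLIENT_WEB):
            print(f"{name:9} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
                  f"{evaluate(acl, pkt)} (line {first_match(acl, pkt)})")
```

Running the block prints the decision and the matching line for each sample packet under both ACLs. Under the posted ACL the client telnet from an ephemeral port is permitted by line 3, and the only packet it denies is the one whose source port is also 25, which is consistent with packet-tracer reporting a drop when the test packet is given source port 25. Under the corrected ACL the same client connection is denied by line 3 while the Exchange server's connection is permitted by line 1.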