Solved

Blacklisting issues, ACL help please (Cisco Router, Exchange 2010)

Posted on 2013-10-30
11
304 Views
Last Modified: 2014-04-30
Having a few issues with email bouncing due to our external IP constantly being blacklisted.  All network PCs and servers have been checked for malware and viruses (all have up-to-date AV).  Exchange server is not an open relay.

We do not have an rDNS or an SPF record and that is on my list to sort out but everything's worked fine for the past 3yrs, so not sure why it shouldn't now.

Either way, I'm trying to restrict outbound SMTP traffic to allow Exchange server traffic only (no PCs trying to spam).  I have created the following ACL outbound on the WAN interface, it just seems strange that I'm getting matches on line 20 but not line 10:

Extended IP access list NO_SPAM
    10 permit tcp host 172.16.17.33 any eq smtp
    20 permit tcp host 81.149.56.229 any eq smtp (343 matches)
    30 deny tcp any any eq smtp log-input
    40 permit ip any any (66146 matches)

172.16.17.33 = exchange server IP
x.x.x.x = external WAN IP

Why would the traffic be originating from the WAN interface? Surely it should be coming from the Exchange server IP.

Interestingly, before I entered line 20, mail wasn't working and I was getting the following logging messages:

*Oct 29 18:14:32.819: %SEC-6-IPACCESSLOGP: list 150 denied tcp x.x.x.x(14936) (Vlan1 0015.5d11.0b2f) -> 94.100.176.20(25), 1 packet
BRIST-RTR(config-if)#
*Oct 29 18:14:40.943: %SEC-6-IPACCESSLOGP: list 150 denied tcp x.x.x.x(14939) (Vlan1 0015.5d11.0b2f) -> 37.209.208.18(25), 1 packet
BRIST-RTR(config-if)#
*Oct 29 18:14:42.583: %SEC-6-IPACCESSLOGP: list 150 denied tcp x.x.x.x(14693) (Vlan1 0015.5d11.0b2f) -> 144.76.136.216(25), 1 packet

Any ideas ??
Question by:andrewprouse
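Added example, not part of the question or any reply: a parser for the %SEC-6-IPACCESSLOGP lines above. Because the deny entry uses log-input, each line records the ingress interface and source MAC, which still identify the inside sender after NAT has replaced the source IP with the WAN address, so the script groups denied SMTP attempts by that pair. The sample lines are the three from the question, re-joined onto single lines with x.x.x.x left as the poster wrote it.

```python
# Added example (not from the thread): parses IOS "deny ... log-input" syslog
# lines and groups denied SMTP attempts by ingress interface and source MAC.
# The ingress MAC identifies the real inside host even when the logged source
# IP is the post-NAT WAN address. The sample log is the poster's, re-joined
# onto single lines; the "x.x.x.x" masking is left as the poster wrote it.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\S+)\((?P<sport>\d+)\) \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\) "
    r"-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

SAMPLE_LOG = """\
*Oct 29 18:14:32.819: %SEC-6-IPACCESSLOGP: list 150 denied tcp x.x.x.x(14936) (Vlan1 0015.5d11.0b2f) -> 94.100.176.20(25), 1 packet
BRIST-RTR(config-if)#
*Oct 29 18:14:40.943: %SEC-6-IPACCESSLOGP: list 150 denied tcp x.x.x.x(14939) (Vlan1 0015.5d11.0b2f) -> 37.209.208.18(25), 1 packet
*Oct 29 18:14:42.583: %SEC-6-IPACCESSLOGP: list 150 denied tcp x.x.x.x(14693) (Vlan1 0015.5d11.0b2f) -> 144.76.136.216(25), 1 packet
"""

def parse_deny_lines(text):
    """Yield one dict per parseable IPACCESSLOGP line; prompts and other noise are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            rec["count"] = int(rec["count"])
            yield rec

def smtp_senders_by_mac(text, smtp_port=25):
    """Map (ingress interface, source MAC) -> {"packets": n, "dsts": set of SMTP targets}."""
    summary = defaultdict(lambda: {"packets": 0, "dsts": set()})
    for rec in parse_deny_lines(text):
        if rec["dport"] != smtp_port:
            continue
        key = (rec["iface"], rec["mac"])
        summary[key]["packets"] += rec["count"]
        summary[key]["dsts"].add(rec["dst"])
    return dict(summary)

if __name__ == "__main__":
    for (iface, mac), info in smtp_senders_by_mac(SAMPLE_LOG).items():
        print(f"{iface} {mac}: {info['packets']} denied SMTP packets to {sorted(info['dsts'])}")
```

The MAC can then be looked up in the switch's MAC address table (or the router's ARP cache) to find the physical host behind the denied connections.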
11 Comments
 
LVL 45

Expert Comment

by:Craig Beck
If you're running NAT the blocking won't work as the internal addresses won't be seen by the external interface.  I would create (or update) an ACL for NAT (if you're running it).

So, you might have something like...

ip access-list extended BLOCK_SMTP_OUT
 permit tcp host 172.16.17.33 any eq smtp
 deny tcp any any eq smtp
 permit ip any any


Like I say, instead of applying that to the internal interface though, apply it to the NAT statement.  This will stop any SMTP traffic from hosts which aren't the Exchange server being NAT'ed, so it won't get to the internet.  Exchange SMTP traffic will get NAT'ed though so that will still work.

ip nat inside source list BLOCK_SMTP_OUT interface <EXTERNAL> overload
 
LVL 26

Expert Comment

by:Soulja
The reason you had to add line 20 was because you were blocking your WAN IP from communicating SMTP in line 30. The server inside address NATs to your WAN IP, so if you are blocking the outbound SMTP traffic of any, you are blocking your WAN IP.

Also, Craig's ACL looks good. I would, however, apply it inbound on your internal router interface. That way that traffic would get blocked before it even gets to the NAT process, and leave the NAT ACLs for traffic matching.
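An added example, not code from either reply, that models the NAT order of operations Craig and Soulja describe: the poster's NO_SPAM list evaluated outbound on the WAN interface (after NAT overload) versus Craig's BLOCK_SMTP_OUT evaluated inbound on Vlan1 (before NAT). The rogue PC address 172.16.17.50 is constructed; the other addresses and the destination come from the thread.

```python
# Added example, not from the thread: models where a Cisco IOS ACL sees an
# inside-to-outside packet relative to NAT overload. ROGUE_PC is constructed.
from dataclasses import dataclass

WAN_IP = "81.149.56.229"       # external address from the thread's ACL line 20
EXCHANGE_IP = "172.16.17.33"   # Exchange server from the thread
ROGUE_PC = "172.16.17.50"      # assumed infected PC address (constructed)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
# Entries are (sequence, action, source host or "any", TCP dest port or None for any).
ORIGINAL_WAN_ACL = [            # the poster's NO_SPAM list, applied outbound on the WAN
    (10, "permit", EXCHANGE_IP, 25),
    (20, "permit", WAN_IP, 25),
    (30, "deny", "any", 25),
    (40, "permit", "any", None),
]
CRAIG_VLAN1_ACL = [             # Craig's BLOCK_SMTP_OUT, applied inbound on Vlan1
    (10, "permit", EXCHANGE_IP, 25),
    (20, "deny", "any", 25),
    (30, "permit", "any", None),
]

def evaluate(acl, pkt):
    """First-match evaluation; returns (sequence, action), implicit deny if nothing matches."""
    for seq, action, src, dport in acl:
        if src in ("any", pkt.src) and dport in (None, pkt.dport):
            return seq, action
    return None, "deny"

def nat_inside_to_outside(pkt):
    """'ip nat inside source ... overload': every inside source becomes the WAN address."""
    return Packet(WAN_IP, pkt.dst, pkt.dport)

def outbound_on_wan(acl, pkt):
    """Outbound ACL on the WAN interface runs AFTER NAT, so it only ever sees WAN_IP."""
    return evaluate(acl, nat_inside_to_outside(pkt))

def inbound_on_vlan1(acl, pkt):
    """Inbound ACL on the LAN interface runs BEFORE NAT, so it sees the real inside host."""
    return evaluate(acl, pkt)

if __name__ == "__main__":
    for host in (EXCHANGE_IP, ROGUE_PC):
        p = Packet(host, "94.100.176.20", 25)  # destination taken from the thread's log
        print(host, outbound_on_wan(ORIGINAL_WAN_ACL, p), inbound_on_vlan1(CRAIG_VLAN1_ACL, p))
```

In the post-NAT placement both the Exchange server and the rogue PC hit line 20, which is why line 10 never matches and why that ACL cannot stop a spamming PC; in the pre-NAT placement the rogue PC is denied at line 20 while Exchange is permitted at line 10.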
 

Author Comment

by:andrewprouse
Thanks guys (both of you).  I've implemented Craig's ACL inbound on the VLAN1 interface.  Strangely, I'm not actually getting any matches against line 20 (deny tcp any any eq smtp).

I thought that our blacklisting issue was caused by an infected PC (inside the LAN) sending SPAM email.  Obviously not.  I've checked all servers for malware (especially the Exchange server), any other ideas?

Cheers, Andy
 
LVL 45

Expert Comment

by:Craig Beck
What blacklist are you on?
 

Author Comment

by:andrewprouse
We keep appearing on the SpamHaus CBL (among others), but this is the most frequent.
 
LVL 45

Expert Comment

by:Craig Beck
Spamhaus CBL doesn't just include SMTP exploits.  It will list hosts where any virus-type activity is noticed.
 
LVL 45

Expert Comment

by:Craig Beck
Here's the scoop from the CBL website...
What is the CBL?

The CBL takes its source data from very large mail server (SMTP) installations. Some of these are pure spamtrap servers, and some are not.

The CBL only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate, Bagle call-back proxies etc) and dedicated Spam BOTs (such as Cutwail, Rustock, Lethic etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, dictionary mail harvesters etc.

The CBL does not list based upon the volume of email from a given IP address.
 

Author Comment

by:andrewprouse
I'm stuck now.  With the above ACL in place, which blocks SMTP out (other than from the Exchange server), all was good for 3 days; now we're blacklisted again on the SpamHaus CBL.

I have personally virus checked all servers and machines, nothing found.

Any ideas?
 

Author Comment

by:andrewprouse
Info attached from the CBL delisting process.
CBL-Info.docx
 

Accepted Solution

by:andrewprouse (earned 0 total points)
Any ideas?

We're still constantly being re-listed. I'm worried that we may be permanently blacklisted.

Any help would be much appreciated. Cheers
 

Author Closing Comment

by:andrewprouse
me