
Solved

Blacklisting issues, ACL help please (Cisco Router, Exchange 2010)

Posted on 2013-10-30
Last Modified: 2014-04-30
Having a few issues with email bouncing due to our external IP constantly being blacklisted.  All network PCs and servers have been checked for malware and viruses (all have up-to-date AV).  Exchange server is not an open relay.

We do not have an rDNS or an SPF record and that is on my list to sort out, but everything's worked fine for the past 3 years, so not sure why it shouldn't now.

Either way, I'm trying to restrict outbound SMTP traffic to allow Exchange server traffic only (no PCs trying to spam).  I have created the following ACL outbound on the WAN interface; it just seems strange that I'm getting matches on line 20 but not line 10:

Extended IP access list NO_SPAM
    10 permit tcp host 172.16.17.33 any eq smtp
    20 permit tcp host 81.149.56.229 any eq smtp (343 matches)
    30 deny tcp any any eq smtp log-input
    40 permit ip any any (66146 matches)

172.16.17.33 = exchange server IP
x.x.x.x = external WAN IP

Why would the traffic be originating from the WAN interface? Surely it should be coming from the Exchange server IP.

Interestingly, before I entered line 20, mail wasn't working and I was getting the following logging messages:

*Oct 29 18:14:32.819: %SEC-6-IPACCESSLOGP: list 150 denied tcp x.x.x.x(14936) (Vlan1 0015.5d11.0b2f) -> 94.100.176.20(25), 1 packet
BRIST-RTR(config-if)#
*Oct 29 18:14:40.943: %SEC-6-IPACCESSLOGP: list 150 denied tcp x.x.x.x(14939) (Vlan1 0015.5d11.0b2f) -> 37.209.208.18(25), 1 packet
BRIST-RTR(config-if)#
*Oct 29 18:14:42.583: %SEC-6-IPACCESSLOGP: list 150 denied tcp x.x.x.x(14693) (Vlan1 0015.5d11.0b2f) -> 144.76.136.216(25), 1 packet

Any ideas ??
Question by:andrewprouse
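The log lines in the question were produced by the `log-input` keyword on the deny entry, which records the ingress interface and the source MAC of the frame alongside the (already NAT-translated) source IP. That MAC is the one thing in those lines that still identifies the inside host once the ACL sits on the WAN side. The script below is an added example, not part of the thread: it parses constructed `%SEC-6-IPACCESSLOGP` lines in the same format, sums the packet counts per source MAC (IOS logs the first matching packet and then periodic summaries, so counting lines under-reports), and flags any host that is neither the Exchange server's IP nor its MAC. The WAN address 203.0.113.10, the MACs 0015.5d01.aa01 (assumed to be the Exchange server) and 0011.2233.4455 (a workstation), and the host 172.16.17.60 are all made up for the sample.

```python
"""Triage %SEC-6-IPACCESSLOGP lines from an ACL entry configured with log-input.

Added example; not from the thread. SAMPLE_LOG is constructed in the format
shown in the post. Assumptions: 203.0.113.10 stands in for the WAN address,
0015.5d01.aa01 is the Exchange server's MAC, 0011.2233.4455 is a workstation,
and the last line comes from an entry configured with plain "log" (no MAC).
"""
import re
from typing import Dict, List

EXCHANGE_IP = "172.16.17.33"
EXCHANGE_MAC = "0015.5d01.aa01"          # assumption, see docstring
ALLOWED = frozenset({EXCHANGE_IP, EXCHANGE_MAC})

SAMPLE_LOG = """\
*Oct 29 18:14:32.819: %SEC-6-IPACCESSLOGP: list 150 denied tcp 203.0.113.10(14936) (Vlan1 0015.5d01.aa01) -> 94.100.176.20(25), 1 packet
*Oct 29 18:14:40.943: %SEC-6-IPACCESSLOGP: list 150 denied tcp 203.0.113.10(14939) (Vlan1 0015.5d01.aa01) -> 37.209.208.18(25), 1 packet
*Oct 29 18:19:41.002: %SEC-6-IPACCESSLOGP: list 150 denied tcp 203.0.113.10(14940) (Vlan1 0015.5d01.aa01) -> 94.100.176.20(25), 17 packets
*Oct 30 09:02:12.441: %SEC-6-IPACCESSLOGP: list BLOCK_SMTP_OUT denied tcp 172.16.17.50(49211) (Vlan1 0011.2233.4455) -> 144.76.136.216(25), 1 packet
*Oct 30 09:02:13.005: %SEC-6-IPACCESSLOGP: list BLOCK_SMTP_OUT denied tcp 172.16.17.50(49212) (Vlan1 0011.2233.4455) -> 37.209.208.18(25), 1 packet
*Oct 30 09:07:13.900: %SEC-6-IPACCESSLOGP: list BLOCK_SMTP_OUT denied tcp 172.16.17.50(49213) (Vlan1 0011.2233.4455) -> 144.76.136.216(25), 40 packets
*Oct 30 09:09:00.117: %SEC-6-IPACCESSLOGP: list BLOCK_SMTP_OUT denied tcp 172.16.17.60(5555) -> 94.100.176.20(25), 1 packet
"""

# The "(intf mac)" group is optional: it is only present when the ACE uses log-input.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\)"
    r"(?: \((?P<intf>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\))?"
    r" -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse(text: str) -> List[dict]:
    """Return one dict per recognised log line; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for k in ("sport", "dport", "count"):
            e[k] = int(e[k])
        events.append(e)
    return events


def summarize(events: List[dict], allowed=ALLOWED, port: int = 25) -> List[dict]:
    """Aggregate denied connections to `port` per inside host.

    Hosts are keyed on the source MAC when log-input recorded one, because after
    NAT the source IP may simply be the WAN address; plain "log" entries fall
    back to the IP. Packet counts are summed so summary lines are not lost.
    """
    agg: Dict[str, dict] = {}
    for e in events:
        if e["action"] != "denied" or e["dport"] != port:
            continue
        key = e["mac"] or e["src"]
        row = agg.setdefault(key, {"src_ips": set(), "dsts": set(), "packets": 0})
        row["src_ips"].add(e["src"])
        row["dsts"].add(e["dst"])
        row["packets"] += e["count"]
    report = []
    for host, row in agg.items():
        known = host in allowed or bool(row["src_ips"] & allowed)
        report.append({"host": host, "src_ips": sorted(row["src_ips"]),
                       "distinct_dsts": len(row["dsts"]),
                       "packets": row["packets"], "suspect": not known})
    report.sort(key=lambda r: (-r["packets"], r["host"]))
    return report


def suspects(events: List[dict], **kw) -> List[str]:
    """Hosts worth pulling off the network and imaging, busiest first."""
    return [r["host"] for r in summarize(events, **kw) if r["suspect"]]


if __name__ == "__main__":
    for row in summarize(parse(SAMPLE_LOG)):
        print(row)
```

On the sample, the Exchange server's own denials from the WAN-side placement are recognised by MAC even though their source IP is the WAN address, and the two other hosts come out as suspects. Feed it `show logging` output (or the syslog collector's file) after the ACL has run for a while; a denied-SMTP summary only finds hosts that actually try port 25, so a clean report does not on its own rule out the other bot behaviour a CBL listing can be based on.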
11 Comments
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39612614
If you're running NAT the blocking won't work, as the internal addresses won't be seen by the external interface.  I would create (or update) an ACL for NAT (if you're running it).

So, you might have something like...

ip access-list extended BLOCK_SMTP_OUT
 permit tcp host 172.16.17.33 any eq smtp
 deny tcp any any eq smtp
 permit ip any any


Like I say, instead of applying that to the internal interface, though, apply it to the NAT statement.  This will stop any SMTP traffic from hosts which aren't the Exchange server being NAT'ed, so it won't get to the internet.  Exchange SMTP traffic will get NAT'ed, though, so that will still work.

ip nat inside source list BLOCK_SMTP_OUT interface <EXTERNAL> overload
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39613055
The reason you had to add line 20 was because you were blocking your WAN IP from communicating over SMTP in line 30. The server's inside address NATs to your WAN IP, so if you are blocking the outbound SMTP traffic of "any", you are blocking your WAN IP.

Also, Craig's ACL looks good. I would, however, apply it inbound on your internal router interface. That way the traffic would get blocked before it even gets to the NAT process, and leave the NAT ACLs for traffic matching.
0
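Craig's and Soulja's replies both come down to order of operations: an ACL applied outbound on the WAN interface is evaluated after `ip nat inside source`, so every inside host, Exchange included, has already become the WAN address by the time line 10 is checked, which is why line 10 never matched and why the "fix" of permitting the WAN address on line 20 quietly re-opened SMTP for every PC. An ACL applied inbound on the VLAN interface (or referenced from the NAT statement) sees the real inside source. The model below is an added example, not a Cisco tool and not code from the thread: it implements first-match ACL evaluation with the implicit deny, a one-line NAT step, and both placements of the same list, then reports the per-entry hit counters the way `show access-lists` would. Addresses other than the Exchange server's 172.16.17.33 are assumptions (203.0.113.10 for the WAN address, 172.16.17.50 for a PC).

```python
"""Where an SMTP-egress ACL is evaluated relative to NAT on an IOS-style router.

Added example; constructed model, not a Cisco tool. Inside-to-outside flow:
    inbound ACL on the inside (VLAN) interface  -> sees the pre-NAT source
    NAT inside source (overload to the WAN IP)
    outbound ACL on the outside (WAN) interface -> sees the post-NAT source
Assumptions: 203.0.113.10 stands in for the WAN address and 172.16.17.50 is a
made-up workstation; 172.16.17.33 is the Exchange server from the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

EXCHANGE = "172.16.17.33"
WAN_IP = "203.0.113.10"
SMTP = 25


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Ace:
    """One access-control entry of an IOS-style extended ACL."""
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str                     # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    dport: Optional[int] = None  # None = no "eq <port>" qualifier
    hits: int = 0                # the counter "show access-lists" displays


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec[5:] == addr
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate(acl: List[Ace], pkt: Pkt) -> str:
    """Walk the list top-down, first match wins; anything unmatched hits the implicit deny."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        if _addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst):
            ace.hits += 1
            return ace.action
    return "deny"


def forward(pkt: Pkt, inside_in: Optional[List[Ace]] = None,
            outside_out: Optional[List[Ace]] = None) -> Tuple[str, str]:
    """Push one inside->outside packet through the router; return (verdict, stage)."""
    if inside_in is not None and evaluate(inside_in, pkt) == "deny":
        return "deny", "inside-in"
    pkt = Pkt(WAN_IP, pkt.dst, pkt.dport, pkt.proto)   # ip nat inside source ... overload
    if outside_out is not None and evaluate(outside_out, pkt) == "deny":
        return "deny", "outside-out"
    return "permit", "forwarded"


def smtp_acl(with_wan_permit: bool = False) -> List[Ace]:
    """The NO_SPAM / BLOCK_SMTP_OUT list from the thread, optionally with the
    'permit tcp host <WAN IP> any eq smtp' line 20 that the poster added."""
    acl = [Ace(10, "permit", "tcp", f"host {EXCHANGE}", "any", SMTP)]
    if with_wan_permit:
        acl.append(Ace(20, "permit", "tcp", f"host {WAN_IP}", "any", SMTP))
    acl += [Ace(30, "deny", "tcp", "any", "any", SMTP),
            Ace(40, "permit", "ip", "any", "any")]
    return acl


def run_scenarios() -> Dict[str, dict]:
    flows = {"exchange": Pkt(EXCHANGE, "94.100.176.20", SMTP),
             "pc-smtp": Pkt("172.16.17.50", "94.100.176.20", SMTP),
             "pc-https": Pkt("172.16.17.50", "94.100.176.20", 443)}
    out: Dict[str, dict] = {}
    # 1. List outbound on the WAN interface: every source is already the WAN IP,
    #    so line 10 can never match and Exchange mail is dropped at line 30.
    acl = smtp_acl()
    out["wan-out"] = {"results": {n: forward(p, outside_out=acl) for n, p in flows.items()},
                      "hits": {a.seq: a.hits for a in acl}}
    # 2. Same placement plus line 20: mail flows again, but so does every PC's SMTP.
    acl = smtp_acl(with_wan_permit=True)
    out["wan-out-line20"] = {"results": {n: forward(p, outside_out=acl) for n, p in flows.items()},
                             "hits": {a.seq: a.hits for a in acl}}
    # 3. List inbound on the VLAN interface: evaluated before NAT, so line 10 works
    #    and only the workstation's SMTP is denied.
    acl = smtp_acl()
    out["vlan-in"] = {"results": {n: forward(p, inside_in=acl) for n, p in flows.items()},
                      "hits": {a.seq: a.hits for a in acl}}
    return out


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(name, r["results"], r["hits"])
```

The first scenario reproduces the hit pattern in the question (zero matches on line 10, every SMTP flow landing on line 30), the second shows why adding the WAN address as a permit is not a fix, and the third is the inbound-on-VLAN placement Soulja recommends. On the real router, `clear ip access-list counters` followed by `show ip access-lists BLOCK_SMTP_OUT` after a few minutes of traffic gives the same per-line counters the model prints.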
 

Author Comment

by:andrewprouse
ID: 39617434
Thanks guys (both of you).  I've implemented Craig's ACL inbound on the VLAN1 interface.  Strangely, I'm not actually getting any matches against line 20 (deny tcp any any eq smtp).

I thought that our blacklisting issue was caused by an infected PC (inside the LAN) sending spam email.  Obviously not.  I've checked all servers for malware (especially the Exchange server); any other ideas?

Cheers, Andy
0

 
LVL 47

Expert Comment

by:Craig Beck
ID: 39617508
What blacklist are you on?
0
 

Author Comment

by:andrewprouse
ID: 39618496
We keep appearing on the SpamHaus CBL (among others), but this is the most frequent.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39618666
Spamhaus CBL doesn't just include SMTP exploits.  It will list hosts where any virus-type activity is noticed.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 39618669
Here's the scoop from the CBL website...
What is the CBL?

The CBL takes its source data from very large mail server (SMTP) installations. Some of these are pure spamtrap servers, and some are not.

The CBL only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate, Bagle call-back proxies etc) and dedicated Spam BOTs (such as Cutwail, Rustock, Lethic etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, dictionary mail harvesters etc.

The CBL does not list based upon the volume of email from a given IP address.
0
 

Author Comment

by:andrewprouse
ID: 39633810
I'm stuck now.  With the above ACL in place, which blocks SMTP out (other than from the Exchange server), all was good for 3 days; now we're blacklisted again on Spamhaus CBL.

I have personally virus checked all servers and machines, nothing found.

Any ideas?
0
 

Author Comment

by:andrewprouse
ID: 39634156
Info attached from the CBL delisting process.
CBL-Info.docx
0
 

Accepted Solution

by:
andrewprouse earned 0 total points
ID: 39638236
Any ideas?

We're still constantly being re-listed. I'm worried that we may be permanently blacklisted.

Any help would be much appreciated. Cheers
0
 

Author Closing Comment

by:andrewprouse
ID: 40031515
me
0
