Solved

Blacklisting issues, ACL help please (Cisco Router, Exchange 2010)

Posted on 2013-10-30
Last Modified: 2014-04-30
Having a few issues with email bouncing due to our external IP constantly being blacklisted.  All network PCs and servers have been checked for malware and viruses (all have up-to-date AV).  Exchange server is not an open relay.

We do not have an rDNS or an SPF record and that is on my list to sort out, but everything's worked fine for the past 3 years, so not sure why it shouldn't now.

Either way, I'm trying to restrict outbound SMTP traffic to allow Exchange server traffic only (no PCs trying to spam).  I have created the following ACL outbound on the WAN interface; it just seems strange that I'm getting matches on line 20 but not line 10:

Extended IP access list NO_SPAM
    10 permit tcp host 172.16.17.33 any eq smtp
    20 permit tcp host 81.149.56.229 any eq smtp (343 matches)
    30 deny tcp any any eq smtp log-input
    40 permit ip any any (66146 matches)

172.16.17.33 = exchange server IP
x.x.x.x = external WAN IP

Why would the traffic be originating from the WAN interface? Surely it should be coming from the Exchange server IP.

Interestingly, before I entered line 20, mail wasn't working and I was getting the following logging messages:

*Oct 29 18:14:32.819: %SEC-6-IPACCESSLOGP: list 150 denied tcp x.x.x.x(14936) (Vlan1 0015.5d11.0b2f) -> 94.100.176.20(25), 1 packet
BRIST-RTR(config-if)#
*Oct 29 18:14:40.943: %SEC-6-IPACCESSLOGP: list 150 denied tcp x.x.x.x(14939) (Vlan1 0015.5d11.0b2f) -> 37.209.208.18(25), 1 packet
BRIST-RTR(config-if)#
*Oct 29 18:14:42.583: %SEC-6-IPACCESSLOGP: list 150 denied tcp x.x.x.x(14693) (Vlan1 0015.5d11.0b2f) -> 144.76.136.216(25), 1 packet

Any ideas?

Question by:andrewprouse
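The log-input keyword on the deny line is the most useful forensic detail in the question: even when the logged source IP is the post-NAT WAN address, the parenthesised field carries the ingress interface and the source MAC of the inside host that actually sent the packet. The following parser is an added example (not from the question or any of the answers) that turns such %SEC-6-IPACCESSLOGP lines into a per-MAC summary of denied SMTP attempts; the sample log is constructed and modelled on the lines above, with the real addresses replaced by documentation ranges and a second MAC added to show that two inside hosts behind one NAT address can be told apart. Lines as pasted in the question were wrapped after the packet count and need joining before parsing.

```python
"""Summarise denied SMTP attempts from Cisco %SEC-6-IPACCESSLOGP (log-input) messages."""
import re
from collections import defaultdict

# log-input variant: "(Vlan1 0015.5d11.0b2f)" is the ingress interface and source MAC.
# The source address group also accepts the redacted "x.x.x.x" form used in the question.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\w.]+)\((?P<sport>\d+)\) "
    r"\((?P<iface>\S+) (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\) "
    r"-> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample: addresses from RFC 5737 documentation ranges, two inside MACs
# behind the same translated source address, plus a prompt line and a permitted flow.
SAMPLE_LOG = """\
*Oct 29 18:14:32.819: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.7(14936) (Vlan1 0015.5d11.0b2f) -> 203.0.113.20(25), 1 packet
BRIST-RTR(config-if)#
*Oct 29 18:14:40.943: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.7(14939) (Vlan1 0015.5d11.0b2f) -> 203.0.113.18(25), 1 packet
*Oct 29 18:14:42.583: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.7(14693) (Vlan1 0015.5d11.0b2f) -> 203.0.113.216(25), 4 packets
*Oct 29 18:15:01.002: %SEC-6-IPACCESSLOGP: list 150 denied tcp 198.51.100.7(51000) (Vlan1 0050.56a1.c0de) -> 203.0.113.99(25), 1 packet
*Oct 29 18:15:05.100: %SEC-6-IPACCESSLOGP: list 150 permitted tcp 198.51.100.7(51001) (Vlan1 0050.56a1.c0de) -> 203.0.113.99(443), 1 packet
"""


def parse_line(line):
    """Return a dict of the message fields, or None if the line is not an ACL log message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for field in ("sport", "dport", "count"):
        rec[field] = int(rec[field])
    return rec


def cisco_mac_to_oui(mac):
    """Convert '0015.5d11.0b2f' to '00:15:5D' (the OUI, for an IEEE registry lookup)."""
    digits = mac.replace(".", "").upper()
    return ":".join(digits[i:i + 2] for i in range(0, 6, 2))


def summarise_denied_smtp(lines, dport=25):
    """Group denied flows to dport by (ingress interface, source MAC, logged source IP).

    Returns {(iface, mac, src): {"packets": total, "destinations": {dst, ...}}}.
    Grouping by MAC is what identifies the inside host when the IP is already NATed.
    """
    out = defaultdict(lambda: {"packets": 0, "destinations": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied" or rec["dport"] != dport:
            continue
        key = (rec["iface"], rec["mac"], rec["src"])
        out[key]["packets"] += rec["count"]
        out[key]["destinations"].add(rec["dst"])
    return dict(out)


if __name__ == "__main__":
    for (iface, mac, src), info in summarise_denied_smtp(SAMPLE_LOG.splitlines()).items():
        print(f"{iface} {mac} (OUI {cisco_mac_to_oui(mac)}) via {src}: "
              f"{info['packets']} packets to {len(info['destinations'])} SMTP hosts")
```

The MAC, not the IP, is the pivot: take it to the switch's MAC table (or, on a hypervisor host, its virtual switch) to find the physical port or VM behind it, and check the OUI against the IEEE registry for a hint about the vendor.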
11 Comments
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39612614
If you're running NAT the blocking won't work as the internal addresses won't be seen by the external interface.  I would create (or update) an ACL for NAT (if you're running it).

So, you might have something like...

ip access-list extended BLOCK_SMTP_OUT
 permit tcp host 172.16.17.33 any eq smtp
 deny tcp any any eq smtp
 permit ip any any


Like I say, instead of applying that to the internal interface though, apply it to the NAT statement.  This will stop any SMTP traffic from hosts which aren't the Exchange server being NAT'ed, so it won't get to the internet.  Exchange SMTP traffic will get NAT'ed though so that will still work.

ip nat inside source list BLOCK_SMTP_OUT interface <EXTERNAL> overload
 
LVL 26

Expert Comment

by:Soulja
ID: 39613055
The reason you had to add line 20 was because you were blocking your WAN IP from SMTP communication in line 30. The server inside address NATs to your WAN IP, so if you are blocking the outbound SMTP traffic of any, you are blocking your WAN IP.

Also, Craig's ACL looks good. I would, however, apply it inbound on your internal router interface. That way that traffic would get blocked before it even gets to the NAT process, and leave the NAT ACLs for traffic matching.
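The two comments above come down to where in the router's order of operations the ACL sees the packet: an outbound ACL on the WAN interface is evaluated after inside-to-outside NAT, so every inside host has already become the WAN address, while an inbound ACL on the LAN interface (or the list referenced by "ip nat inside source list") sees the original private source. The following model is an added example, not code from either commenter, and simulates that difference for the thread's NO_SPAM list and Craig's BLOCK_SMTP_OUT list. It assumes 172.16.0.0/16 as the inside range and uses 198.51.100.7 as a constructed stand-in for the redacted WAN IP; the Exchange address 172.16.17.33 is from the thread, the infected PC at 172.16.17.50 is invented.

```python
"""Model IOS ACL evaluation before and after overload NAT for an outbound SMTP policy."""
import ipaddress

WAN_IP = "198.51.100.7"                              # constructed stand-in for x.x.x.x
EXCHANGE_IP = "172.16.17.33"                         # from the thread
INSIDE_NET = ipaddress.ip_network("172.16.0.0/16")  # assumed inside range

# ACL entries as (seq, action, source, tcp destination port); None = any port.
# Only TCP with a single source match is modelled, which is all these lists use.
NO_SPAM = [
    (10, "permit", EXCHANGE_IP, 25),
    (20, "permit", WAN_IP, 25),
    (30, "deny", "any", 25),
    (40, "permit", "any", None),
]
BLOCK_SMTP_OUT = [                 # Craig's list, used as the NAT source list
    (10, "permit", EXCHANGE_IP, 25),
    (20, "deny", "any", 25),
    (30, "permit", "any", None),
]

# Constructed traffic: Exchange sending mail, a PC sending mail, a PC browsing.
PACKETS = [
    {"src": EXCHANGE_IP, "dst": "203.0.113.20", "dport": 25},
    {"src": "172.16.17.50", "dst": "203.0.113.18", "dport": 25},
    {"src": "172.16.17.50", "dst": "203.0.113.99", "dport": 443},
]


def nat_outbound(pkt):
    """'ip nat inside source ... interface <WAN> overload': rewrite inside sources to WAN_IP."""
    if ipaddress.ip_address(pkt["src"]) in INSIDE_NET:
        return {**pkt, "src": WAN_IP}
    return pkt


def acl_lookup(acl, pkt, counters):
    """First-match evaluation with per-sequence hit counters and the implicit deny."""
    for seq, action, src, dport in acl:
        if src != "any" and src != pkt["src"]:
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        counters[seq] = counters.get(seq, 0) + 1
        return action
    return "deny"


def run(acl, packets, where):
    """Apply acl as an interface ACL.

    where="wan-out": outbound on the WAN interface, evaluated after NAT.
    where="lan-in":  inbound on the LAN (Vlan1) interface, evaluated before NAT.
    Returns (per-packet verdicts, hit counters like 'show ip access-lists').
    """
    counters, verdicts = {}, []
    for pkt in packets:
        seen = nat_outbound(pkt) if where == "wan-out" else pkt
        verdicts.append(acl_lookup(acl, seen, counters))
    return verdicts, counters


def nat_with_list(nat_acl, pkt):
    """'ip nat inside source list <acl> ...': only packets the list permits get translated.

    Returns the translated packet, or None when the packet is not translated (an
    untranslated private source cannot reach the internet).
    """
    if acl_lookup(nat_acl, pkt, {}) == "permit":
        return nat_outbound(pkt)
    return None


if __name__ == "__main__":
    for where in ("wan-out", "lan-in"):
        verdicts, counters = run(NO_SPAM, PACKETS, where)
        print(f"NO_SPAM {where}: verdicts={verdicts} hits={counters}")
    for pkt in PACKETS:
        print(f"NAT list: {pkt['src']}:{pkt['dport']} -> {nat_with_list(BLOCK_SMTP_OUT, pkt)}")
```

Run it and the counters reproduce the symptom in the question: on the WAN side line 10 never matches because no packet still carries 172.16.17.33, and line 20 permits the infected PC's SMTP as well as Exchange's, since both look like the WAN IP. Moved inbound on Vlan1, or used as the NAT list, the same entries permit only Exchange.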
 

Author Comment

by:andrewprouse
ID: 39617434
Thanks guys (both of you).  I've implemented Craig's ACL inbound on the VLAN1 interface.  Strangely, I'm not actually getting any matches against line 20 (deny tcp any any eq smtp).

I thought that our blacklisting issue was caused by an infected PC (inside the LAN) sending SPAM email.  Obviously not.  I've checked all servers for malware (especially the Exchange server); any other ideas?

Cheers, Andy

 
LVL 46

Expert Comment

by:Craig Beck
ID: 39617508
What blacklist are you on?
 

Author Comment

by:andrewprouse
ID: 39618496
We keep appearing on the SpamHaus CBL (among others), but this is the most frequent.
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39618666
Spamhaus CBL doesn't just include SMTP exploits.  It will list hosts where any virus-type activity is noticed.
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39618669
Here's the scoop from the CBL website...
What is the CBL?

The CBL takes its source data from very large mail server (SMTP) installations. Some of these are pure spamtrap servers, and some are not.

The CBL only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate, Bagle call-back proxies etc) and dedicated Spam BOTs (such as Cutwail, Rustock, Lethic etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, dictionary mail harvesters etc.

The CBL does not list based upon the volume of email from a given IP address.
 

Author Comment

by:andrewprouse
ID: 39633810
I'm stuck now.  With the above ACL in place, which blocks SMTP out (other than from the Exchange server), all was good for 3 days; now we're blacklisted again on the Spamhaus CBL.

I have personally virus checked all servers and machines, nothing found.

Any ideas?
 

Author Comment

by:andrewprouse
ID: 39634156
Info attached from the CBL delisting process.
CBL-Info.docx
 

Accepted Solution

by:
andrewprouse earned 0 total points
ID: 39638236
Any ideas?

We're still constantly being re-listed. I'm worried that we may be permanently blacklisted.

Any help would be much appreciated. Cheers
 

Author Closing Comment

by:andrewprouse
ID: 40031515
me