Blacklisting issues, ACL help please (Cisco Router, Exchange 2010)

Posted on 2013-10-30
Last Modified: 2014-04-30
Having a few issues with email bouncing due to our external IP constantly being blacklisted.  All network PCs and servers have been checked for malware and viruses (all have up-to-date AV).  Exchange server is not an open relay.

We do not have an rDNS or an SPF record and that is on my list to sort out, but everything's worked fine for the past 3 yrs, so not sure why it shouldn't now.

Either way, I'm trying to restrict outbound SMTP traffic to allow Exchange server traffic only (no PCs trying to spam).  I have created the following ACL outbound on the WAN interface; it just seems strange that I'm getting matches on line 20 but not line 10:

Extended IP access list NO_SPAM
    10 permit tcp host 172.16.17.33 any eq smtp
    20 permit tcp host 81.149.56.229 any eq smtp (343 matches)
    30 deny tcp any any eq smtp log-input
    40 permit ip any any (66146 matches)

172.16.17.33 = exchange server IP
x.x.x.x = external WAN IP

Why would the traffic be originating from the WAN interface? Surely it should be coming from the Exchange server IP.

Interestingly, before I entered line 20, mail wasn't working and I was getting the following logging messages:

*Oct 29 18:14:32.819: %SEC-6-IPACCESSLOGP: list 150 denied tcp x.x.x.x(14936) (Vlan1 0015.5d11.0b2f) -> 94.100.176.20(25), 1 packet
BRIST-RTR(config-if)#
*Oct 29 18:14:40.943: %SEC-6-IPACCESSLOGP: list 150 denied tcp x.x.x.x(14939) (Vlan1 0015.5d11.0b2f) -> 37.209.208.18(25), 1 packet
BRIST-RTR(config-if)#
*Oct 29 18:14:42.583: %SEC-6-IPACCESSLOGP: list 150 denied tcp x.x.x.x(14693) (Vlan1 0015.5d11.0b2f) -> 144.76.136.216(25), 1 packet

Any ideas?
Question by:andrewprouse
LVL 45

Expert Comment

by:Craig Beck
ID: 39612614
If you're running NAT the blocking won't work as the internal addresses won't be seen by the external interface.  I would create (or update) an ACL for NAT (if you're running it).

So, you might have something like...

ip access-list extended BLOCK_SMTP_OUT
 permit tcp host 172.16.17.33 any eq smtp
 deny tcp any any eq smtp
 permit ip any any


Like I say, instead of applying that to the internal interface though, apply it to the NAT statement.  This will stop any SMTP traffic from hosts which aren't the Exchange server being NAT'ed, so it won't get to the internet.  Exchange SMTP traffic will get NAT'ed though so that will still work.

ip nat inside source list BLOCK_SMTP_OUT interface <EXTERNAL> overload
0
 
LVL 26

Expert Comment

by:Soulja
ID: 39613055
The reason you had to add line 20 was because you were blocking your WAN IP from communicating via SMTP in line 30. The server's inside address NATs to your WAN IP, so if you are blocking the outbound SMTP traffic of any, you are blocking your WAN IP.

Also, Craig's ACL looks good. I would, however, apply it inbound on your internal router interface. That way that traffic would get blocked before it even gets to the NAT process, and leave the NAT ACLs for traffic matching.
0
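An added illustration (not code from any of the posters) of why the WAN-side outbound ACL matched the WAN-IP line rather than the Exchange-host line, and of the two placements suggested above: a small Python model of the inside-to-outside order on the router (inbound ACL on VLAN1, then NAT overload, then outbound ACL on the WAN interface). 172.16.17.33 is the Exchange server from the thread; the WAN address 203.0.113.10 and the workstation 172.16.17.50 are constructed placeholders.

```python
from dataclasses import dataclass

# Inside-to-outside order on Cisco IOS: inbound ACL on the inside interface,
# then NAT, then outbound ACL on the outside interface. 172.16.17.33 is the
# thread's Exchange server; WAN_IP and the workstation address are placeholders.
EXCHANGE = "172.16.17.33"
WAN_IP = "203.0.113.10"  # constructed placeholder for the real external address

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

# Craig's ACL as (seq, action, proto, src, dport); dport None matches any port.
SMTP_ACL = [
    (10, "permit", "tcp", EXCHANGE, 25),
    (20, "deny", "tcp", "any", 25),
    (30, "permit", "ip", "any", None),
]

def evaluate(acl, pkt):
    """First-match ACL evaluation; returns (seq, action), implicit deny at the end."""
    for seq, action, proto, src, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if src != "any" and src != pkt.src:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return seq, action
    return None, "deny"

def pat(pkt):
    """Overload NAT: every inside host leaves with the router's WAN address."""
    return Packet(WAN_IP, pkt.dst, pkt.dport, pkt.proto)

def wan_outbound(pkt):
    """ACL applied 'out' on the WAN interface sees the packet after NAT."""
    return evaluate(SMTP_ACL, pat(pkt))

def vlan_inbound(pkt):
    """ACL applied 'in' on VLAN1 sees the original inside source (Soulja's placement)."""
    return evaluate(SMTP_ACL, pkt)

def nat_with_acl(pkt):
    """Craig's placement: only packets the ACL permits are translated; others never leave."""
    return pat(pkt) if evaluate(SMTP_ACL, pkt)[1] == "permit" else None
```

Run `wan_outbound` on an Exchange packet and it hits the deny line, because the host line can never match the post-NAT source; the same packet through `vlan_inbound` or `nat_with_acl` is permitted while a workstation's port-25 packet is dropped.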
 

Author Comment

by:andrewprouse
ID: 39617434
Thanks guys (both of you).  I've implemented Craig's ACL inbound on the VLAN1 interface.  Strangely, I'm not actually getting any matches against line 20 (deny tcp any any eq smtp).

I thought that our blacklisting issue was caused by an infected PC (inside the LAN) sending spam email.  Obviously not.  I've checked all servers for malware (especially the Exchange server); any other ideas?

Cheers, Andy
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39617508
What blacklist are you on?
0
 

Author Comment

by:andrewprouse
ID: 39618496
We keep appearing on the SpamHaus CBL (among others), but this is the most frequent.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39618666
Spamhaus CBL doesn't just include SMTP exploits.  It will list hosts where any virus-type activity is noticed.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39618669
Here's the scoop from the CBL website...
What is the CBL?

The CBL takes its source data from very large mail server (SMTP) installations. Some of these are pure spamtrap servers, and some are not.

The CBL only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate, Bagle call-back proxies etc) and dedicated Spam BOTs (such as Cutwail, Rustock, Lethic etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, dictionary mail harvesters etc.

The CBL does not list based upon the volume of email from a given IP address.
0
 

Author Comment

by:andrewprouse
ID: 39633810
I'm stuck now.  With the above ACL in place, which blocks SMTP out (other than from the Exchange server), all was good for 3 days; now we're blacklisted again on the Spamhaus CBL.

I have personally virus checked all servers and machines, nothing found.

Any ideas?
0
 

Author Comment

by:andrewprouse
ID: 39634156
Info attached from the CBL delisting process.
CBL-Info.docx
0
 

Accepted Solution

by:
andrewprouse earned 0 total points
ID: 39638236
Any ideas?

We're still constantly being re-listed. I'm worried that we may be permanently blacklisted.

Any help would be much appreciated. Cheers
0
 

Author Closing Comment

by:andrewprouse
ID: 40031515
me
0
