IP blacklisted: a computer on the network is infected and emitting email spam.

Steve Hood
Hi, our public IP is being blacklisted by CBL.

Reason given: This IP is infected (or NATting for a computer that is infected) with a botnet that is emitting email spam. The infection is probably sendsafe.

I'm assuming that one of the 25 or so computers in my network is infected.

Question: Is there a way using the SonicWall to determine if a machine is acting as an SMTP server and sending out spam email?

My SonicWall is a new model NSA 2600 with updated SonicOS.
Fractional CTO
Distinguished Expert 2018
Commented:
First thing to do is block all outgoing SMTP (port 25) traffic, otherwise your ISP may shut down all IPs associated with your machine.

Also, there are other actions you should block too, like port 433 UDP traffic, as this is another attack emitted by hacked machines.

Once you have all outgoing traffic blocked, then you can clean your machine without concern of your ISP bringing down your machine.
Dr. Klahn, Principal Software Engineer
Commented:
I'm sure the Sonicwall can do it, but while you're waiting for that procedure ...

If you don't mind pushing some useful software out to each machine, then install Microsoft TCPView on each system. Run it on each system and see which one has numerous outgoing connections to remote port 25. That'll be the guilty party.

https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview
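The same "who is talking to remote port 25" check can be run centrally against the firewall's connection log instead of visiting each PC. The script below is an added example, not code from the thread or from SonicWall; the `src=... dst=... proto=...` line format and the sample lines are constructed assumptions, not real SonicOS syslog output. It ranks internal hosts by how many distinct remote mail servers they contacted on TCP/25, because a legitimate mail client talks to one relay while a spambot fans out to many MTAs.

```python
import re
from collections import defaultdict

# Constructed sample connection-log lines (assumed format, not real SonicOS output):
# one line per outbound connection, "src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>".
SAMPLE_LOG = """\
src=192.168.1.10:51234 dst=203.0.113.5:25 proto=tcp
src=192.168.1.10:51235 dst=203.0.113.9:25 proto=tcp
src=192.168.1.10:51236 dst=198.51.100.20:25 proto=tcp
src=192.168.1.10:51237 dst=198.51.100.21:25 proto=tcp
src=192.168.1.10:51238 dst=203.0.113.77:25 proto=tcp
src=192.168.1.10:51239 dst=203.0.113.5:25 proto=tcp
src=192.168.1.22:49152 dst=203.0.113.8:25 proto=tcp
src=192.168.1.22:49153 dst=203.0.113.8:25 proto=tcp
src=192.168.1.30:40000 dst=198.51.100.3:443 proto=tcp
src=192.168.1.30:40001 dst=198.51.100.3:25 proto=tcp
"""

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)


def smtp_fanout(log_text):
    """Map each internal source IP to the set of remote hosts it reached on TCP/25."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "tcp" or m["dport"] != "25":
            continue  # ignore unparseable lines and non-SMTP traffic
        fanout[m["src"]].add(m["dst"])
    return fanout


def rank_suspects(log_text, min_distinct=3, legit_relays=()):
    """Return [(src_ip, distinct_mta_count)] sorted most-suspicious first.

    Hosts in legit_relays (e.g. your own mail server) are skipped; a host is
    reported only if it reached at least min_distinct different SMTP servers.
    """
    fanout = smtp_fanout(log_text)
    ranked = sorted(((len(dsts), src) for src, dsts in fanout.items()
                     if src not in legit_relays), reverse=True)
    return [(src, n) for n, src in ranked if n >= min_distinct]


if __name__ == "__main__":
    for src, n in rank_suspects(SAMPLE_LOG):
        print(f"{src}: {n} distinct remote SMTP servers")  # prints 192.168.1.10: 5 ...
```

Once the offending host is found and cleaned, keep the outbound port-25 block in place for everything except the legitimate mail relay, and ask CBL for delisting only after the log shows no further fan-out.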
