Question : Relisting at CBL and Spamhaus.org

Relisted continuously at CBL and Spamhaus. Typically this is a HELO response problem, but that was fixed and working. Now CBL says I must have something sending spurious email from my external IP address and is treating it as a NAT'd IP. How can I shut down all access to port 25 on the firewall except to my Exchange Server, and monitor my internal network to see what IP is trying to send on this port? Is this the only scenario that could be at work here? I have had the following suggestions:

You should carefully review your current SMTP service configuration, both with the effective ISA server access policy. The most appropriate configuration is the following:
- your internal SMTP relay accepts emails from the internal hosts only (IP restriction);
- your internal SMTP relay asks for user authentication, so only existing users could send emails;
- your internal SMTP relay does protect itself from mass-mailing (for example, by allowing no more than X mails at a given time frame) and does logging - that would help you to detect the source of mass-mailing;
- your ISA server does not allow the outbound SMTP to any of your internal hosts, except the designated SMTP relay.

How do I accomplish these tasks?
Thanks in advance,
TJ

Answer : Relisting at CBL and Spamhaus.org

contechcorp,
   As I mentioned before... it could be a workstation on your network...  If you are using NAT on your internet border you most likely have all your workstation and server traffic appearing to be from the same host from the Internet's point of view.

You really need to get a packet sniffer on your internet link... You need to find out exactly who all is sending SMTP traffic so that you can take it out of the puzzle.

I did a bit of research on your ISA 2004 product... and it really doesn't look much like a firewall to me. It appears to be more of a signature based traffic filtering system / quasi stateful firewall. So your point seems correct that it is impossible to block SMTP because that does not appear to be how the ISA product is designed to work.

I would seriously suggest you get a proper router for the future... Something where you can create access control lists to explicitly allow and deny traffic down to the protocol by sender/receiver/port/etc. And if you can't afford a hardware one, try something like Bibliophage suggests... there are a slew of products out there that will provide you a proper firewall and some are free.

-Cheers, Peter.
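The answer's advice to sniff the internet link and find out exactly who is sending SMTP, together with the question's suggestion that only the designated relay should be allowed outbound on port 25, can be turned into a small triage script. This is an added example, not code from the thread or from ISA Server; it runs over constructed connection records in a "timestamp src:port > dst:port" shape, and the internal subnet, the relay address and the burst threshold are all assumed values.

```python
# Added example (not from the original thread): find internal hosts sending
# outbound SMTP that are not the designated relay, from constructed records.
from collections import Counter
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("192.168.1.0/24")   # assumed internal LAN
SMTP_RELAY = ip_address("192.168.1.10")       # assumed Exchange server
BURST_LIMIT = 5                               # assumed "too many" threshold

# Constructed sample records: "timestamp src_ip:src_port > dst_ip:dst_port"
SAMPLE_LOG = """\
10:00:01 192.168.1.10:4321 > 203.0.113.5:25
10:00:02 192.168.1.10:4322 > 198.51.100.9:25
10:00:03 192.168.1.57:1051 > 203.0.113.77:25
10:00:03 192.168.1.57:1052 > 203.0.113.78:25
10:00:04 192.168.1.57:1053 > 203.0.113.79:25
10:00:04 192.168.1.57:1054 > 203.0.113.80:25
10:00:05 192.168.1.57:1055 > 203.0.113.81:25
10:00:05 192.168.1.57:1056 > 203.0.113.82:25
10:00:06 192.168.1.23:1700 > 203.0.113.5:80
10:00:07 192.168.1.23:1701 > 198.51.100.9:25
"""

def parse_line(line):
    """Split one record into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, _, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, ip_address(src_ip), ip_address(dst_ip), int(dst_port)

def rogue_smtp_senders(log_text):
    """Count outbound port-25 connections per internal host, excluding the
    designated relay. Anything returned here should not be talking SMTP."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, port = parse_line(line)
        # Only LAN -> Internet traffic on TCP/25 is of interest here.
        if port != 25 or src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue
        if src != SMTP_RELAY:
            counts[str(src)] += 1
    return dict(counts)

def mass_mailers(counts, limit=BURST_LIMIT):
    """Hosts whose non-relay SMTP connection count reaches the threshold."""
    return sorted(ip for ip, n in counts.items() if n >= limit)

if __name__ == "__main__":
    found = rogue_smtp_senders(SAMPLE_LOG)
    print("non-relay SMTP senders:", found)
    print("likely mass-mailers:", mass_mailers(found))
```

On a real capture, feed it the equivalent fields from your sniffer or firewall log; any host it lists other than the relay is the one to pull off the network and clean, and the relay-only rule is what the outbound policy should enforce afterwards.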