My IP is always listed in a blacklist…
-
Hi,
I have a LAN with some PCs infected, so my WAN IP is often listed in a blacklist.
This causes many problems for my mail server… I tried to:
- Change the public IP of my mail server so that, with NAT, I have the server on one public IP and the LAN on another
- Block outbound SMTP traffic from my LAN except from the mail server
But I always stay on that blacklist.
The mail server is a Mac; I'm pretty sure it's OK and not compromised... Sure, the first thing is cleaning all my PCs, but at the firewall level, is there nothing I can do?
Thanks in advance...
-
Blacklists don't change overnight in respect to removing IPs. You need to contact the maintainer of the blacklist to get removed.
Usually IPs will stay on a blacklist for years.
-
I would recommend the following process:
- Install (and keep up to date) good AV on all systems. If you can't afford to spend any money on this then Avast is worth using.
- Ensure all systems and applications are kept up to date with patches
- Remove all infections, possibly by erasing and rebuilding all systems
- Confirm your network is clean
- Contact the blacklist maintainer a week later, asking for removal
Note that your IP will always be listed in the DUL and similar lists that list end-user IP ranges.
-
Blacklists don't change overnight in respect to removing IPs. You need to contact the maintainer of the blacklist to get removed.
Usually IPs will stay on a blacklist for years.

Just a thought: I have 8 public IPs; I use one of these for LAN navigation on the internet.
Today I moved my mail server to another IP (not listed in mxtoolbox.com) with NAT 1:1. But suddenly, just a few minutes later, I have that IP blacklisted!
It's very strange; how can it be that infected PCs use this new public IP? Weird…
-
@Cry:
I would recommend the following process:
- Install (and keep up to date) good AV on all systems. If you can't afford to spend any money on this then Avast is worth using.
This is a scheduled task, but it doesn't depend on me.
I'm responsible only for the corporate firewall and I need to implement some techniques to limit the damage…
@Cry:
- Ensure all systems and applications are kept up to date with patches
I think this is done.
@Cry:
- Remove all infections, possibly by erasing and rebuilding all systems
- Confirm your network is clean
Scheduled
@Cry:
- Contact the blacklist maintainer a week later, asking for removal
Ok, after all scheduled operations…
@Cry:
Note that your IP will always be listed in the DUL and similar lists that list end-user IP ranges.
Thanks
-
This is a scheduled task, but it doesn't depend on me.
I'm responsible only for the corporate firewall and I need to implement some techniques to limit the damage…

In that case, there are 3 things you can do:
- Block all outbound ports by default
- Configure the pfSense host to act as the LAN's DNS server and a proxy server
- Configure a mail server if email is required and allow only it to send and receive email (SMTP 25/TCP), ensure it filters all inbound and outbound email for malware and spam
-
It sounds like your mail server is an open relay… or your IP subnet is blocked. It's common for customers on RR/TWC and Verizon to be on subnets marked as DHCP subnets. I've had several customers have this happen and it seems to be showing up more and more often. The only resolution is to get your ISP to change your subnet, change your ISP, or make your ISP give you a smart host to relay off of (and don't let them charge you for it).
-
It sounds like your mail server is an open relay… or your IP subnet is blocked. It's common for customers on RR/TWC and Verizon to be on subnets marked as DHCP subnets. I've had several customers have this happen and it seems to be showing up more and more often. The only resolution is to get your ISP to change your subnet, change your ISP, or make your ISP give you a smart host to relay off of (and don't let them charge you for it).

I'm sure that the server is not an open relay; maybe changing the subnet can solve the problem, but only temporarily, because if the PC technicians don't eradicate the virus or spambot, we will soon be IP blacklisted again…
I think the best that I can do for now is close all outbound traffic except for my mail server and proxy all traffic through pfSense.
Thanks.
-
@Cry:
In that case, there are 3 things you can do:
- Block all outbound ports by default
- Configure the pfSense host to act as the LAN's DNS server and a proxy server
- Configure a mail server if email is required and allow only it to send and receive email (SMTP 25/TCP), ensure it filters all inbound and outbound email for malware and spam
1 + 2: what is the goal of proxying all outbound traffic?
The spambot or trojan can't communicate directly through the internet and will be blocked?
-
1 + 2: what is the goal of proxying all outbound traffic?
The spambot or trojan can't communicate directly through the internet and will be blocked?

The goal is to control all the outbound connections, ideally by not allowing any direct outbound traffic. By forcing all outbound traffic through a proxy you can manage it better, and log it all. If you install an email server and configure it to scan for (and block) spam and malware then that should stop any spambots.
By forcing all outbound email through a single, managed email server and all other outbound traffic through a proxy (or opening a single port for a single computer where the program can't work through a proxy) you can log everything. Once you've got those logs you have to go through them to find the problems and deal with them. It'll take time and effort to do that.
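As an added example (not from this thread, and not pfSense's own tooling), the script below shows what "going through the logs" looks like once the policy from the earlier reply is in place: outbound traffic is denied by default, only the mail server may speak SMTP, and everything else has to use the proxy on the firewall. It parses a few constructed log lines, counts per LAN host how often it tried to send mail directly or bypass the proxy, lists the likely spambots, and also flags "leaks", i.e. connections the policy says should have been blocked but the firewall passed. The LAN range, the mail server and proxy addresses, the port list and the log line format are all assumptions made for this example; the format is a simplified one, not pfSense's real filterlog format, so map the fields to whatever your firewall exports.

```python
"""Added example (not from the thread): find LAN hosts that violate a
default-deny outbound policy where only the mail server may use SMTP and
all other traffic must go through the pfSense proxy.

The log format used here is constructed for this example; it is NOT the
real pfSense filterlog format.
"""
from collections import Counter, defaultdict
import ipaddress
import re

# --- policy; every value below is an assumption for the example ---
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
MAIL_SERVER = ipaddress.ip_address("192.168.1.10")        # the only host allowed to send mail
PROXY = (ipaddress.ip_address("192.168.1.1"), 3128)         # pfSense LAN address + proxy port
SMTP_PORTS = {25, 465, 587}

# Constructed sample log, one event per line:
# "<time> <action> <direction> <proto> <src>:<sport> -> <dst>:<dport>"
# (destination addresses are from the documentation ranges, not real hosts)
SAMPLE_LOG = """\
2010-03-01T10:00:01 block out tcp 192.168.1.37:51234 -> 203.0.113.25:25
2010-03-01T10:00:01 block out tcp 192.168.1.37:51235 -> 203.0.113.26:25
2010-03-01T10:00:02 pass out tcp 192.168.1.10:40001 -> 203.0.113.25:25
2010-03-01T10:00:03 pass out tcp 192.168.1.22:50011 -> 192.168.1.1:3128
2010-03-01T10:00:04 block out tcp 192.168.1.22:50012 -> 192.0.2.80:80
2010-03-01T10:00:05 block out udp 192.168.1.37:6000 -> 198.51.100.7:6667
2010-03-01T10:00:06 block out tcp 192.168.1.58:33000 -> 198.51.100.9:587
2010-03-01T10:00:07 pass out tcp 192.168.1.58:33001 -> 198.51.100.9:465
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>pass|block)\s+(?P<direction>in|out)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"], "action": d["action"], "direction": d["direction"], "proto": d["proto"],
        "src": ipaddress.ip_address(d["src"]), "sport": int(d["sport"]),
        "dst": ipaddress.ip_address(d["dst"]), "dport": int(d["dport"]),
    }


def classify(event):
    """Label an outbound LAN event as a policy violation, or None if it is allowed."""
    if event is None or event["direction"] != "out" or event["src"] not in LAN_NET:
        return None
    if event["proto"] == "tcp" and event["dport"] in SMTP_PORTS:
        # Only the mail server may speak SMTP; anyone else is a spambot candidate.
        return None if event["src"] == MAIL_SERVER else "direct-smtp"
    if (event["dst"], event["dport"]) == PROXY:
        return None  # using the proxy as intended
    if event["dst"] in LAN_NET:
        return None  # local traffic, e.g. DNS to the firewall
    return "direct-other"  # tried to bypass the proxy


def summarize(log_text):
    """Count policy violations per LAN host, split by kind (blocked or not)."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        event = parse_line(line)
        label = classify(event)
        if label:
            report[str(event["src"])][label] += 1
    return {host: dict(counts) for host, counts in report.items()}


def suspected_spambots(log_text, threshold=2):
    """Hosts with at least `threshold` direct SMTP attempts, most active first."""
    summary = summarize(log_text)
    counts = {h: c.get("direct-smtp", 0) for h, c in summary.items()}
    return sorted((h for h, n in counts.items() if n >= threshold), key=lambda h: -counts[h])


def policy_leaks(log_text):
    """Violations the firewall let through: these point at a gap in the rule set."""
    leaks = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if classify(event) and event["action"] == "pass":
            leaks.append((str(event["src"]), str(event["dst"]), event["dport"]))
    return leaks


if __name__ == "__main__":
    for host, counts in summarize(SAMPLE_LOG).items():
        print(host, counts)
    print("suspected spambots:", suspected_spambots(SAMPLE_LOG))
    print("rule gaps (passed but should be blocked):", policy_leaks(SAMPLE_LOG))
```

The `policy_leaks` check is the part worth keeping around after the cleanup: in the sample, one host reaches port 465 with a `pass`, which means the SMTP rule only covered port 25. The two ranked lists give the PC technicians a concrete set of machines to rebuild first, which is also the evidence to show the blacklist maintainer that the network has been cleaned.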