Open proxy put our IP on blacklists
Apparently, one of my customers or someone around has fooled my poor pfSense firewall into acting as an open mail proxy:
Sender has sent to LashBack Unsubscribe Probe accounts
How do I prevent this? The only thing running on this box is pfSense. I did install antivirus, should I also install mailscanner?
Any hints or help would be appreciated.
Cannot see how this is related to pfSense. Someone is spamming from your LAN.
Hats off to you for defending pfSense. Unfortunately, I'm not attacking it. I'm simply asking how to prevent this from happening. Is there a tool I can install on pfSense which will limit the spamming activity?
You are providing no relevant information at all about your environment… impossible to advise. Sure you can block outgoing connections to TCP/25 except for your internal mailserver destination.
Relevant information? Let me ask you something slick. Do people see you coming and suddenly need to be somewhere else, because you sure as hell nitpick a lot. OK, RELEVANT INFORMATION:
I have a network, it's a LAN. There is a pfSense firewall between this LAN and the big scary world.
Someone within that LAN is spamming emails.
Is there some pfSense package that can detect and limit mass mailings going out of the network?
Of course, you already knew all of that, but you're one of those guys that makes most of his posts by picking at questions that don't need picking. Nag, nag nag. Pain in the ass, in other words. ;)
Are you entertained? lol
Relevant information about your environment, just FYI, would include things such as whether the machines behind the firewall are under your control or not (your "customers"), what kind of OS they run, what they are used for and how the LAN is segmented (like, LAN, DMZ, …. - since obviously blocking outgoing mail from your company mailserver will get you a well-deserved kick in the butt), etc. etc. etc.
Starting a thread with misleading subject, totally misleading description of the issue (" fooled my poor pfSense firewall into acting as an open mail proxy", ORLY, there's no mailserver available on pfSense by default), then getting pissed off right after someone points out that you do not make any sense and finally asking for a quick instant answer on "how do I solve spam problem" without providing any information whatsoever will obviously get you nowhere. (And FYI, this is primarily a router/firewall by design, not an antispam box. See the packages list/forum section for addon packages that'd fit your purpose. And no, antivirus does NOT stop spam either. Perhaps you need to start with some basics.)
Eh, dude... have a nice day. Outta here. ::)
Relevant ~= Necessary
It's a straightforward question. And the very fact that someone on my LAN is spamming people either by design or because of an infection on their machine, I would think, would lead you to deduce all else. I'm amused rather than pissed off, as I always am, by those who fire back a series of questions automatically, in an attempt to point out how clever they are. If you were interested in being clever, you'd have figured out the answers to most of your questions on your own. And those answers would have been more than enough to drop a hint or point me in the right direction as to possible solutions. Remember, that's all I asked for, not an engineered solution.
Dude understanding your environment is key to helping you.
But since you don't need an engineered solution - he gave you a couple of solutions already. Best one is block 25 outbound, there you go, fixed! Nothing on your LAN will be sending mail directly anywhere = no spam lists.
I never understand how people think they can ask questions without details and then actually want help. Do you take your car to the mechanic and just say it's BROKE? Does the mechanic then say sure, it will be $125, pick it up tmrw? Or does he ask questions, and then where he has an advantage is he can actually inspect the car looking for what might be wrong.
Since you don't want to give even the slightest clue to the make-up of your environment - maybe you will let us in to look around ourselves, then we will be better suited to help you.. A quick sniff on the LAN interface or even a firewall rule to log traffic outbound on 25 would tell you if something other than your mail server is sending email directly.
But since you want us to just freaking guess – I guess that your exchange server is infected, I say wipe it clean.. All users will lose all mail - but they most likely just had viruses in them anyway. So delete all and start over - how is that for a non-engineered solution to your problem without squat to work with.. Is that the sort of help you were after? ;)
"even the slightest clue…"
As for his 'solution'... completely block port 25... how does anyone check their email from within the LAN? That's a 'solution'? Tribalism... pure tribalism.
Since you guys want to act as though concrete is the same as gray matter, let me take you at your word:
LAN station ---> LOTS of emails all the time ---> pfSense sees this and chokes it.
Stop me if I'm going too fast for you.
By the way, going by the avatars, I see that I might have disturbed your personal time with Marvel Comics. My apologies.
As for his 'solution'… completely block port 25... how does anyone check their email from within the LAN? That's a 'solution'? Tribalism... pure tribalism.
- first, I said "except for your internal mailserver destination.", so you need to improve your reading skills
- second, you do NOT check mail via SMTP
- third, you do NOT block LAN traffic this way even for SMTP, since it just does not go thru the firewall.
So, to conclude:
- you should NOT manage any mailserver whatsoever
- you should go back to basics and do some reading
- and perhaps you should get banned from the forum as well for stupid trolling.
Now, really off. Go help yourself. In case you ever grow up and start wondering why you upset people with attitude like this, How To Ask Questions The Smart Way is a good starting point.
"LAN station –-> LOTS of emails all the time ---> pfSense sees this and chokes it."
And we went over this already, multiple times now. You create a firewall rule on pfSense, LAN station does not talk to the internet on SMTP 25, so it can not send spam.. Am I going too fast for you?
I also suggested a simple sniff or rule on pfSense, watch said traffic and see what LAN station is sending on 25 to the internet (spam) and then go clean said station.
The problem it seems is even the most basic of suggestions is above your understanding. So I assume you're lashing out because you do not understand?? So here I will post some pictures that you might get.
So as you see, I created a rule that allows your mailserver to talk out on SMTP - this is the protocol mail servers use to send mail to each other. As already mentioned, clients do not use this protocol to get mail. They would use POP or IMAP for example; these are different ports. Now even a client sending normal mail as a client would send it over an SSL/TLS port and would send to only 1 host, not directly to the mail servers for whatever hosting domain you're sending to. Only your mailserver on your LAN should do this. So this first picture shows rules allowing your mailserver to send mail on 25, but no other LAN stations can. The little i on the rule says it's being logged. If you look in the log you will see LAN stations trying to send mail directly on 25 - most likely SPAM; clean those machines or tell the user to stop sending spam on purpose, etc.
2nd picture is how you could just sniff the traffic on your network looking for the IP(s) sending mail out on 25 so you could clean them.
Since we don't really know anything about your network, what "mailserver" do you use on your LAN - do you even have a mailserver? Maybe all your users access their mail from hotmail over the internet? We have no clue because answering some simple basic questions is too difficult? We should just magically know the details we need to help find a solution for you?
If your mail server is sending the spam, because users send it to the server and then the server sends it on, then you would need to run some software on your mail server - but again not a clue to what you're actually running so impossible for us to suggest something.
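The two steps described in this thread (allow only the internal mail server out on TCP/25 and log everything else, then look at the log or a packet capture for LAN hosts still trying port 25 directly) as an added shell example. This is not code from the thread or from the pfSense project: pfSense builds its rules from the GUI, so the pf(4) rule text below is a generic equivalent of the rules in the screenshots, and the interface name, LAN subnet, mail server address and the sample log lines are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense). All values are assumptions:
MAILSERVER="192.168.1.10"     # assumed internal mail server
LAN_IF="em0"                  # assumed LAN interface
LAN_NET="192.168.1.0/24"      # assumed LAN subnet

# Step 1: pf rule text equivalent to the GUI rules described in the thread.
# Only the mail server may reach the Internet on TCP/25; every other LAN
# host's direct SMTP attempt is blocked, and both rules are logged.
pf_rules() {
cat <<EOF
pass in log quick on $LAN_IF proto tcp from $MAILSERVER to any port 25
block in log quick on $LAN_IF proto tcp from $LAN_NET to any port 25
EOF
}

# Step 2a: the capture filter for the "sniff" alternative. tcpdump's
# -n (no DNS) and -i (interface) options are real; run it on the LAN side:
#   tcpdump -ni "$LAN_IF" "$(sniff_filter)"
sniff_filter() {
  printf '%s\n' "tcp dst port 25 and not src host $MAILSERVER"
}

# Step 2b: turn logged block events into a list of hosts to go clean.
# Reads a simplified "action iface proto src:port -> dst:port" line format
# on stdin (a constructed format, not pfSense's real filterlog layout) and
# prints each unique source IP that was blocked going to port 25.
offenders() {
  awk '$1 == "block" && $NF ~ /:25$/ { split($4, a, ":"); print a[1] }' | sort -u
}

# Constructed sample log: one LAN station repeatedly blocked on 25, the
# mail server passed, and an unrelated blocked HTTP attempt.
SAMPLE_LOG='block em0 tcp 192.168.1.57:51234 -> 203.0.113.5:25
pass em0 tcp 192.168.1.10:40001 -> 203.0.113.5:25
block em0 tcp 192.168.1.57:51235 -> 198.51.100.9:25
block em0 tcp 192.168.1.80:50000 -> 198.51.100.9:80'

offenders_from_sample() {
  printf '%s\n' "$SAMPLE_LOG" | offenders
}

# Usage when run directly: show the rules, the capture filter and the hosts
# found in the sample log.
if [ "${1:-}" = "run" ]; then
  pf_rules
  echo "tcpdump filter: $(sniff_filter)"
  echo "LAN hosts blocked on TCP/25:"
  offenders_from_sample
fi
```

Only `192.168.1.57` is reported for the sample: the mail server's traffic matched the pass rule, and the blocked port-80 line is not an SMTP attempt. A host that shows up here is the one to inspect for malware or a deliberately spamming user, which is the thread's point about logging the block rule rather than silently dropping.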
You guys are way more patient than me. Looking at this dude's other posts, I would have given him info on where to shove it a few posts ago.
It's not always about the OP; other people read these threads that might actually learn something or ask a question correctly next time - providing info that is needed to help vs calling the people trying to help you names ;)