Block SMTP - SpamBot



  • One of my clients has been listed on Spamhaus

    This IP is infected (or NATting for a computer that is infected) with the cutwail spambot. In other words, it's participating in a botnet.

    I've passed through all computers (15) and can't find who's spamming through port 25. (I used netstat).

    I decided to create a firewall rule and see the logs to see the faulting machine.

    I don't see any traffic going on port 25 in the logs. I suspect my rules are wrong. Every 4 hours the error is refreshed on http://cbl.abuseat.org/ meaning that I'm still infected.

    It was last detected at 2014-04-09 16:00 GMT (+/- 30 minutes), approximately 1 hour, 30 minutes ago.

    Here's my config:
    http://i.imgur.com/NSHP97b.jpg

    Any help would be appreciated. Thanks,

    Ben



  • Rules are processed from the top down, first match applies. So the default allow LAN to any rule is letting everything through. Move that rule to the end, so that your special rules for port 25 have effect first.



  • Resolved! I can see who my spammer is! ;D

    Thanks for your quick reply.



  • Hi, I'm wondering if you found your spammer.
    We have the same problem, our hosting provider keeps blocking us (for sending incorrect credentials more than 15 times/30min)
    And I can't find who's sending.
    Would be interested in your findings.

    Cheers
    Q



  • I had the same worries. In our network the clients (software developers) all have local admin permissions so they may install anything they want.

    To prevent spam I added the rule on the LAN interface seen in the attachment and have had good experiences with it.
    This blocks any SMTP connections from LAN except those from our internal mail server, and to any host except a permitted external SMTP server.

    Put such a rule at the top of the LAN rule set and enable logging, so you will get the IPs of clients who sent mail to forbidden hosts.



  • Moderator

    The best option is to have a dedicated WAN IP for the mail server.

    The next best option is to create rules to block SMTP and SMTPS outbound from any IP other than the mail server.
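The two points the replies make (first match wins, so the "allow LAN to any" rule must sit below the SMTP rules; a logged block rule then reveals the infected host) can be checked with a small first-match rule evaluator. This is an added example, not code from the thread or from pfSense; all addresses and traffic flows are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses (not from the thread): LAN subnet, the internal mail
# server and the one external smarthost it is permitted to relay through.
LAN = ip_network("192.168.1.0/24")
MAIL_SERVER = ip_address("192.168.1.10")
SMARTHOST = ip_address("203.0.113.25")
ANY = "any"

def _match(spec, value):
    if spec is ANY:
        return True
    return value in spec if isinstance(spec, type(LAN)) else spec == value

def evaluate(ruleset, src, dst, dport, log):
    """First matching rule wins (LAN interface semantics); implicit default deny."""
    for action, rsrc, rdst, rport, do_log in ruleset:
        if _match(rsrc, src) and _match(rdst, dst) and rport in (ANY, dport):
            if do_log:
                log.append(f"{action} {src}->{dst}:{dport}")
            return action
    return "block"

# Rule tuples: (action, source, destination, destination port, log?)
# Ordering from the original post: "allow LAN to any" on top shadows the SMTP
# rules below it, so every host passes and nothing is ever logged.
WRONG_ORDER = [
    ("pass", LAN, ANY, ANY, False),
    ("pass", MAIL_SERVER, SMARTHOST, 25, False),
    ("block", LAN, ANY, 25, True),
]

# Fix from the replies: mail-server allow, then a logged SMTP block, then the catch-all.
FIXED_ORDER = [
    ("pass", MAIL_SERVER, SMARTHOST, 25, False),
    ("block", LAN, ANY, 25, True),
    ("pass", LAN, ANY, ANY, False),
]

# Constructed traffic: the mail server relaying normally, a workstation browsing,
# and the same workstation trying to reach an arbitrary mail exchanger on port 25.
FLOWS = [
    ("192.168.1.10", "203.0.113.25", 25),
    ("192.168.1.42", "198.51.100.7", 443),
    ("192.168.1.42", "198.51.100.9", 25),
]

def spam_sources(ruleset, flows=FLOWS):
    """Return (verdict per flow, LAN hosts whose port-25 attempts were logged as blocked)."""
    log, verdicts = [], []
    for src, dst, dport in flows:
        verdicts.append(evaluate(ruleset, ip_address(src), ip_address(dst), dport, log))
    hosts = sorted({l.split()[1].split("->")[0] for l in log if l.startswith("block")})
    return verdicts, hosts
```

With the original ordering `spam_sources(WRONG_ORDER)` yields no logged hosts at all, which is exactly the "no port 25 traffic in the logs" symptom from the first post; with the corrected ordering the workstation's port-25 attempt is blocked and its IP appears in the log.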