I have “some” of my clients, meaning few of them, with infected computers, sending spam, on 25.
Is it possible to block all port 25 traffic, thus denying mail spamming, and at the same time to allow pop3/smtp clients to send mail on port 26, for example, and redirect that port to port 25 on exit, so that the mail server somewhere doesn’t have to be reconfigured ?
So, to review:
deny all traffic on 25
allow for legit clients reconfiguration of client, for sending on port 26 (or something), an redirect that port to port 25 on mail server.
If there is any other way to do it, I’m open to hear it.
I am doing this because clients use different mail servers, and I can’t force them all to use my mail server. (That would be too easy… )
I’ve done that. outgroing tcp 25 conenctions are dropped but i’ve set dst nat for incoming tcp 25 connections and forwarded all of them to local mail server. That means user do not have to change smtp settings, whatewer outgoing smtp they set, connections would end up on local smtp server.
Well, that’s not exactly what i want…
I just want them to set another port on thunderbird, and that port to be forwarded to the distant server’s 25 port. That for the local traffic leaving for port 25 to be blocked, but the rest, for the configured port, to leave the network and fly free…
Yes, of course you could do that with:
-redirect incoming traffic on port tcp-26 (for example, not port 25/stmp), and just pls to specify src-address-list on your M/T ROS, and on your incoming mailserver in lan/private segment to allow the specific ip-address to allow smtp relaying. May help …
why not put an automatic mail redirect to your mail server in (on port 25) then setup a throttling process… eg 10 emails per hour then restriction and/or temporary blacklisting.
That way anyone thats using gmail or whatever can still send out using those email servers (taking a load off you) while users who are currently connected don’t have to make changes to settings just so they can send emails from your network. (People with laptops would find this an incessant pain)
SMPT receive only happens on server, so all other traffic that goes in your network, that is not going to SMTP server can be dropped and clients that abuse SMTP can be warned and afterwards disconnected.
from LAN > to Internal Mailserver:
-use SMTP authentication in your mailserver, where it means that users from Outlook/Mozilla/etc must using their POP3 username and passwd when sending email
-only permit trusted ip to send email without validation to your mailserver
from Internet > to internal MailServer:
-using plug-in such Spamassassin, DKIM, SPF, Commtech to protect against spam
-using integrated antivirus combined with antispam at the server level where the newest technology using heuristic to cut-off the spam/virus without receiving the email
-using SSL SMTP if necessary, or diferent MSA such as port tcp-587
Clients ARE using other servers that my own.
I do not want them to stop using them.
I can see what clients are using smtp, and i can allow them to use it, and block for the rest. But if the mail server changes address, I have to change the address too. On about 25 routers, it’s not that easy to monitor each client’s mail server for changes.
This way, I put an announce that for ALL mail servers using smtp on 25, the client should be configured to use port xxx. Hope the worm won’t read it.
I have few people with laptops, that are connected to other networks also, so they have to reconfigure it.
As for GWISA: the dst-nat should look like this, right ?
add chain=dstnat protocol=tcp dst-port=26 action=dst-nat to-ports=25 comment="Redirect mail from 26 to 25" disabled=no
Here I assume I configured client to use port 26.
Well, dst-nat asks for to-addresses. And that’s what I can’t seem to figure out how to put it. Is it a way to do it, instead of putting 0.0.0.0, wich for me doesn’t work ?
If anybody tries this, makes it work, and confirms it works, I’ll try on other computers. Now I only have one here to test it, and no message leaves it… If anybody has any other idea on how to do it… I’m open to suggestions. If anything else fails, I’ll have to do a count on mails, and stop it to a certain number…
We implement daily mail quotas on our mail servers (not strictly - just by default) per IP on our network to cut down on unnecessary virus & spam mailing activity. If abusive activity continues, they get blacklisted. Users get a specific network-generated error message which almost always helps clients detect virus/spyware activity early on, so it performs a dual role.
I would say it’s a better method than port mapping - less hassle for clients, only one point of control for you and no chance of clever malware finding a way out.
This can be a real threat to you, as you can eventually be blacklisted…
Well… mail quotas. How exactly implemented : by number of messages, connections, or overall traffic on 25 ?
And how do you put them to get a message ?
I mean, I did tried blacklisting them with an example taken from here, somewhere, and that’s it. I put expire on list after 24 hour, and after that, it’s all back.
I have some redirects on port 80, but how do you put it for port 25, for the user to know he is probably spamming, without manual intervention ?
I just have some clients who don’t have infected computers but they still got on the black list, I don’t know why. I probably have to try different values it the rules above.
connection-limit=30,32 - this allows up to 29 connections, according to documentation
limit=50,5
limit ( integer | time | integer ) - restricts packet match rate to a given limit. Usefull to reduce the
amount of log messages
• Count - maximum average packet rate, measured in packets per second (pps), unless followed
by Time option
• Time - specifies the time interval over which the packet rate is measured
• Burst - number of packets to match in a burst
According to documentation, 50,5 means up to 50 packets per second and 5 packets in a burst. Is there some better tweak setting?
)
