Protection From Worms Isn’t Just for Dogs

Protecting Against Email Worms for Real! (For ASA folks)

I received a call today from my local ISP who politely informed me that my organization was spamming others with Viagra and Free Money spam. Many who are reading this will say “yup, worm”. And those who just said that were right.

Now, in my case I was notified of the issue by my carrier; however, others may have a different set of symptoms alerting them. They may start out with users complaining that the people they have been emailing are not getting the message. You might even send out a test message from your machine to your side-business hobby site and get the message. You might even go so far as to say “I just got through fine; it is probably an issue with their mail service”. As the day goes on, more and more users complain that seemingly random email recipients are not getting their messages. Then finally someone with a hosted email filter forwards an email to you saying that you have been blacklisted!

WHAT?

Yup. From here you Google “blacklist check” and run through the standard routine, checking your domain against dnsbl, spamhaus, and the like. (Or you can skip that and click on the aforementioned links.) There you may find some interesting red “X”s. Well, what now?

If you have an ASA, it is as simple as logging into the GUI. Once it is up, click the “Monitoring” button at the top of the page.

Once there choose Logging at the bottom of the navigation panel on the left side of the page.

Then select Real-Time Log Viewer in the navigation pane. In the main window choose “Debugging” as the Logging Level with a buffer limit of 1000, then click the “View” button. This will open the Real-Time Log Viewer window, where you can view all the traffic hitting the firewall.

Watch for traffic with a Source IP inside your network and a Destination Port of 25.
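
Picking the culprit out of the live log viewer is a visual job. If the same ASA syslog also goes to a collector, the filter above is easy to script. The following Python is an added example, not from the original post: it parses constructed %ASA-6-302013 “Built outbound TCP connection” lines (and %ASA-4-106023 “Deny” lines, which is what the firewall logs once an outbound SMTP block is in place, so an infected host keeps showing up even after the fix) and counts tcp/25 connection attempts per inside host that is not a sanctioned mail server. The inside range, the mail server address and every log line are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample ASA syslog lines (assumption; not taken from the original post).
# 302013 = connection built (seen before the outbound SMTP ACL exists),
# 106023 = connection denied by an access-group (seen after the ACL is applied).
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 4101 for outside:98.137.54.238/25 (98.137.54.238/25) to inside:192.168.1.57/49211 (203.0.113.10/49211)
%ASA-6-302013: Built outbound TCP connection 4102 for outside:67.195.168.31/25 (67.195.168.31/25) to inside:192.168.1.57/49212 (203.0.113.10/49212)
%ASA-6-302013: Built outbound TCP connection 4103 for outside:93.184.216.34/443 (93.184.216.34/443) to inside:192.168.1.57/49213 (203.0.113.10/49213)
%ASA-6-302013: Built outbound TCP connection 4104 for outside:74.6.136.65/25 (74.6.136.65/25) to inside:192.168.1.10/41000 (203.0.113.10/41000)
%ASA-6-302013: Built outbound TCP connection 4105 for outside:66.196.82.7/25 (66.196.82.7/25) to inside:192.168.1.88/52000 (203.0.113.10/52000)
%ASA-4-106023: Deny tcp src inside:192.168.1.57/49214 dst outside:98.137.54.238/25 by access-group "inside-in" [0x0, 0x0]
"""

# Assumed inside network and the relay(s) that are allowed to speak SMTP outbound.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
MAIL_SERVERS = {ipaddress.ip_address("192.168.1.10")}

# In the 302013 message the first interface:addr/port is the outside (destination) side,
# the one after "to" is the inside (source) side.
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built outbound TCP connection \d+ for "
    r"\w+:(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\) to "
    r"\w+:(?P<src>[\d.]+)/(?P<sport>\d+)"
)
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny tcp src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_flow(line):
    """Return (src, dst, dport, verdict) for a 302013 or 106023 line, else None."""
    m = BUILT_RE.search(line)
    if m:
        verdict = "built"
    else:
        m = DENY_RE.search(line)
        if not m:
            return None
        verdict = "denied"
    return (
        ipaddress.ip_address(m["src"]),
        ipaddress.ip_address(m["dst"]),
        int(m["dport"]),
        verdict,
    )


def find_rogue_smtp_senders(log_text, inside_net=INSIDE_NET, mail_servers=MAIL_SERVERS):
    """Count tcp/25 attempts per inside host that is not a sanctioned mail server.

    Both built and denied connections count: a denied attempt still identifies
    a host that is trying to send mail directly.
    """
    hits = Counter()
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        src, _dst, dport, _verdict = flow
        if dport == 25 and src in inside_net and src not in mail_servers:
            hits[str(src)] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, count in sorted(find_rogue_smtp_senders(SAMPLE_LOG).items()):
        print(f"{host}: {count} direct SMTP attempt(s)")
```

Running it over the constructed lines reports 192.168.1.57 (three attempts, one of them already denied) and 192.168.1.88 (one attempt); the sanctioned relay 192.168.1.10 is excluded even though it also connected to port 25.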

Now that you know who is causing the issue, go ahead and run your normal cleanup on that PC. I personally like MalwareBytes, but you can use whatever you are comfortable with.

Now that you have the issue resolved on the actual culprit, you should protect your network from this happening again. If you have an ASA or a PIX you can log into the CLI and run the following commands (xxx.xxx.xxx.xxx represents your actual mail server(s)):

access-list inside-in extended permit tcp host xxx.xxx.xxx.xxx any eq smtp
access-list inside-in extended permit tcp host xxx.xxx.xxx.yyy any eq smtp
access-list inside-in extended deny tcp any any eq smtp
access-list inside-in extended permit ip any any
access-group inside-in in interface inside

line 1 allows mail server 1 to use smtp outbound

line 2 allows mail server 2 to use smtp outbound

line 3 blocks all other outbound mail traffic

line 4 allows all other outbound traffic

line 5 applies these rules to the inside interface on traffic coming into it

Now, if you have an SMTP server in your DMZ which handles all your inbound and outbound SMTP connections (like an Exchange Front End or Edge Access Server) and have applications like printers or network monitors sending email traffic to it, you will need to add the following (where zzz.zzz.zzz.zzz represents your SMTP server in the DMZ):

access-list inside-in line 3 extended permit tcp any host zzz.zzz.zzz.zzz eq 25

(Note: if this is your scenario, you can probably get away with eliminating lines 1 and 2.)
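
The ACL is evaluated top-down and the first matching entry wins, which is why the DMZ relay entry has to be inserted at line 3, above the deny, and why the final permit ip any any is needed so that non-SMTP traffic is not caught by the implicit deny. The following Python is an added example, not ASA code and not from the original post: it models that first-match evaluation over the post's inside-in ACL (as applied inbound on the inside interface) with constructed addresses standing in for the xxx/yyy/zzz placeholders, and returns the verdict and matching line for sample flows, with and without the line 3 insert. The addresses, the name-to-port map and the sample flows are assumptions.

```python
import ipaddress
import re

# Constructed addresses standing in for the post's placeholders (assumptions).
MAIL1 = "192.168.1.10"      # xxx.xxx.xxx.xxx
MAIL2 = "192.168.1.11"      # xxx.xxx.xxx.yyy
DMZ_RELAY = "172.16.0.25"   # zzz.zzz.zzz.zzz
WORKSTATION = "192.168.1.57"
OUTSIDE_MX = "98.137.54.238"

# The post's inside-in ACL with the placeholders filled in.
ACL_TEXT = f"""\
access-list inside-in extended permit tcp host {MAIL1} any eq smtp
access-list inside-in extended permit tcp host {MAIL2} any eq smtp
access-list inside-in extended deny tcp any any eq smtp
access-list inside-in extended permit ip any any
"""
# The optional DMZ relay entry; "line 3" inserts it before the current third entry.
DMZ_LINE = f"access-list inside-in line 3 extended permit tcp any host {DMZ_RELAY} eq 25"

# "eq smtp" and "eq 25" name the same port (small assumed map of ASA port names).
PORT_NAMES = {"smtp": 25, "www": 80, "https": 443}

ACE_RE = re.compile(
    r"access-list (?P<name>\S+)(?: line (?P<line>\d+))? extended "
    r"(?P<action>permit|deny) (?P<proto>ip|tcp|udp) "
    r"(?P<src>any|host \S+) (?P<dst>any|host \S+)(?: eq (?P<port>\S+))?"
)


def parse_addr(spec):
    """'any' matches every address; 'host A.B.C.D' matches exactly one."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec.split()[1] + "/32")


def parse_ace(text):
    """Parse one access-list line (the subset of syntax used in the post)."""
    m = ACE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsed ACE: {text!r}")
    port = m["port"]
    if port is not None:
        port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return {
        "action": m["action"],
        "proto": m["proto"],
        "src": parse_addr(m["src"]),
        "dst": parse_addr(m["dst"]),
        "port": port,
        "line": int(m["line"]) if m["line"] else None,
    }


def build_acl(text, extra_lines=()):
    """Parse ACEs in order; an ACE with 'line N' is inserted at position N (1-based), others append."""
    acl = [parse_ace(l) for l in text.splitlines() if l.strip()]
    for extra in extra_lines:
        ace = parse_ace(extra)
        pos = ace["line"] - 1 if ace["line"] else len(acl)
        acl.insert(pos, ace)
    return acl


def evaluate(acl, src, dst, proto, dport):
    """First-match evaluation. Returns (action, line_number); unmatched traffic hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(acl, 1):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"], n
    return "deny", None


if __name__ == "__main__":
    base = build_acl(ACL_TEXT)
    with_dmz = build_acl(ACL_TEXT, [DMZ_LINE])
    print("workstation -> outside MX:25 ", evaluate(base, WORKSTATION, OUTSIDE_MX, "tcp", 25))
    print("mail server -> outside MX:25 ", evaluate(base, MAIL1, OUTSIDE_MX, "tcp", 25))
    print("workstation -> web:443       ", evaluate(base, WORKSTATION, "93.184.216.34", "tcp", 443))
    print("workstation -> DMZ relay:25  ", evaluate(base, WORKSTATION, DMZ_RELAY, "tcp", 25))
    print("same, after line 3 insert    ", evaluate(with_dmz, WORKSTATION, DMZ_RELAY, "tcp", 25))
```

With the base ACL the workstation is denied at line 3 and the mail server permitted at line 1, web traffic falls through to the permit at line 4, and a printer talking to the DMZ relay is also denied. After the line 3 insert the relay is reachable (permit at line 3) while the deny for everything else moves down to line 4, which is the ordering the post's command produces on the ASA.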

 

At this point you need to test to make sure it worked. Open a command prompt and telnet to a mail server you know of; here are some of Yahoo’s:

g.mx.mail.yahoo.com   98.137.54.238
a.mx.mail.yahoo.com   67.195.168.31
b.mx.mail.yahoo.com   74.6.136.65 66.196.82.7

The command will look like this:

telnet g.mx.mail.yahoo.com  25

If you get a reply back, you have made a mistake somewhere. It should say:

Now, log into your mail server (or SMTP relay server) and run the command again, this time it should look like this:

If you did not get results similar to these, try, try again. Fiddle with it and you will get it; you should be pretty close as it is. The last step is to contact all those places that blacklisted you and follow their instructions to clear your name. You are now (more or less) safe from being harassed by your ISP or being blacklisted, that is unless you really are a dirty, hardcore spammer.

Sean Fretenborough

~ by lavazzza on November 18, 2009.
