Security Basics mailing list archives
Re: Spamcop issue
From: Dennis Dayman <dennis () thenose net>
Date: Fri, 12 Sep 2008 18:12:40 -0400
+1 that. Block port 25 from desktop network. If users have a need to access outside mail servers to send though, make them use port 587

-Dennis

On Sep 12, 2008, at September 12, 8:28 AM, Landriault, Yan wrote:

A good practice would be to Firewall Outbound SMTP connections... Your clients should probably go through your mail server to send mail, so why let SMTP outbound open? This will also prevent your public IP/subnet from getting blacklisted because some road warrior got a spambot installed somewhere...

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of David Gillett
Sent: 11 septembre 2008 12:46
To: 'marco'; security-basics () securityfocus com
Subject: RE: Spamcop issue

Unless things have changed drastically lately, SpamCop doesn't do anything to block spam sources, it just makes it easy for recipients to complain to the folks responsible. And if you know you're being a spam source, and are choosing not to clean it up at this time, then receiving complaints submitted via SpamCop is "Doing the Right Thing"....

I recently caught a spambot on our network. One of the things I watch for is ICMP Unreachables, and I noticed that one of our stations was getting some every few minutes from a couple of servers in Hong Kong. Since the ICMP packet contains the headers of the packet that prompted it, I was able to see that these servers were rejecting SMTP connection attempts. That's kind of odd, since internal email clients should be sending to our enterprise SMTP server....

Time to crank up my sniffer and see what else this station is doing. Hmmm, HTTP connection over some high port number, downloading some several kilobyte binary thing, then SMTP connections to about fifty remote servers.... The two in Hong Kong are refusing the connection. Many of the others are accepting the TCP connect, but at the SMTP level are saying "We won't accept messages from you." Oh, there's one that's accepting a message: yadda yadda VIAGRA yadda....

Block outbound SMTP directly from that machine until Tech Services reports that it has been cleaned.

Oh yeah, and block/log that "HTTP" connection, too, in case the same entity has compromised other machines on our network.

David Gillett

-----Original Message-----
From: marco [mailto:marco () spaz org]
Sent: Wednesday, September 10, 2008 4:29 PM
To: security-basics () securityfocus com
Subject: Spamcop issue

Anyone dealt with trying to get whitelisted with them? You are allowed a freebie, but if the spam problem continues, you don't get a second shot.

Or better yet, any good tools out there to get rid of spam bugs and/or trojans...or at least scan a workstation to see if there is one or similar

Or maybe good tips on how to see if someone is using a particular user's account or outgoing domain to send out spams? Etc...

I have some ideas, but can't think straight right now, too busy with other projects. Sure I can use multiple mail gateways for now until I locate the issue...but ya know..

thanks

-m

----------------------------------
((((((((((((((((((((0))))))))))))))))))))))))))))))))
"He who gives up liberty for security ends up with neither". - Benjamin Franklin
"....i can't stop you, but maybe the earth can....." -anonymous activist
"My other computer is your Windows box"
"......we ArE frequency generators...."
"If liberty means anything at all, it means the right to tell people what they do not want to hear." - George Orwell
"......in C we will see what we see......." -my very first Programming teacher, Claude Comair
".....Without some risks, there is no liberty, only subservience...."
"....the last time we mixed religion & politics, people were burned at the stake..."
-----
techNotics
techNotics.info
noizey mac technology
510.684.1550
-----
holdfastrecordings.com
missgawker.org
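The check described in this thread (desktops talking SMTP straight to outside servers instead of the enterprise mail server) can be run over connection logs. This is an added example, not code from any poster; the flow-record format, the desktop subnet and the relay address are assumptions, and the sample records are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not from the thread): time,src,dst,dport,result
SAMPLE_FLOWS = """\
09:00:01,10.1.20.15,10.1.1.25,25,accepted
09:00:04,10.1.20.77,203.0.113.10,25,refused
09:00:05,10.1.20.77,203.0.113.11,25,refused
09:00:07,10.1.20.77,198.51.100.4,25,accepted
09:00:09,10.1.20.77,198.51.100.9,25,accepted
09:00:12,10.1.20.31,192.0.2.50,587,accepted
09:00:15,10.1.1.25,192.0.2.80,25,accepted
09:00:20,10.1.20.77,198.51.100.200,8443,accepted
"""

DESKTOP_NET = ipaddress.ip_network("10.1.20.0/24")  # assumed desktop subnet
MAIL_RELAYS = {ipaddress.ip_address("10.1.1.25")}   # assumed enterprise SMTP server


def direct_smtp_sources(flow_text, desktop_net=DESKTOP_NET,
                        relays=MAIL_RELAYS, min_dests=3):
    """Return {desktop_ip: [destinations]} for desktops that opened port-25
    connections to at least min_dests hosts other than the approved relays.
    Port 587 submission and the relay's own outbound mail are not flagged."""
    dests = defaultdict(set)
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 5:
            continue  # skip malformed lines
        _time, src, dst, dport, _result = row
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # skip unparsable addresses or ports
        if port == 25 and src_ip in desktop_net and dst_ip not in relays:
            dests[src_ip].add(dst_ip)
    return {str(src): [str(d) for d in sorted(ds)]
            for src, ds in dests.items() if len(ds) >= min_dests}


if __name__ == "__main__":
    for host, targets in direct_smtp_sources(SAMPLE_FLOWS).items():
        print(f"{host}: direct SMTP to {len(targets)} servers: {targets}")
```

A flagged host is a candidate for the per-machine outbound SMTP block mentioned above; the threshold keeps a single misconfigured mail client from looking like a spambot.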
Current thread:
- Spamcop issue marco (Sep 11)
- RE: Spamcop issue David Gillett (Sep 11)
- RE: Spamcop issue Landriault, Yan (Sep 12)
- Re: Spamcop issue Dennis Dayman (Sep 16)
- RE: Spamcop issue Landriault, Yan (Sep 12)
- RE: Spamcop issue David Gillett (Sep 11)