Security Basics mailing list archives
Re: SMTP behind NAT
From: bartlettNSF <bartlettNSF () comcast net>
Date: Sat, 09 May 2009 22:20:00 -0700
Tariq Naik wrote:
Hi, my name is Tariq Naik, and I'm a Symantec Consultant. While I'm not writing on behalf of the company in any official capacity, I wanted to point out that there is a ROI in being a good Netizen. It saves your upload bandwidth. It will also prevent your resources like SMTP servers from being blacklisted, which might, if true, result in your genuine outbound mails being blocked.

Regards,
Tariq

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Murda Mcloud
Sent: Thursday, May 07, 2009 6:57 AM
To: gillettdavid () fhda edu; 'Georg Pichler'
Cc: security-basics () securityfocus com
Subject: RE: SMTP behind NAT

Egress filtering is part of being a "good netizen". If something that doesn't belong has gotten into your network, it's nice to not be the vector that spreads it to others.

Hear, hear. I hadn't really thought of it along those lines, David - being the selfish mug that I am. Quite zen, when I think about it. Interconnectedness of all beings these days; in an electronic sense at least.

or blocking legitimate activity.

And these days, I am even worried by legit activity, in terms of the potential for damage. Firewalls aren't going to protect me if my kids download malicious files via msn etc. But having limits (firewalls/proxies etc) on outgoing traffic may alert me to that and also can cut down the attack space in the first place. How many 'legit' sites have been found to be hosting malicious files? I can imagine that there are many corporate LANs spamming the world.

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser-like insight into what is covered on the exam, with zero fluff!
http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------
Hello list. I agree that "Egress filtering is part of being a good netizen". We often forget to watch what we are sending and pay more attention to what is being sent to our networks. I'm guilty of this as well. I've learned to schedule time to view my IDS/firewall logs, system access, and web/email filter logs on a daily basis. I figured if our department puts forth the effort, what we learn can be shared to provide security for others, and vice versa. I recently learned of the site http://www.robtex.com/. It provides a detailed map of domains and what hosts are being used to send and receive on behalf of certain system and application protocols. It helped us figure out what machine was sending spam email from our domain. It didn't name the machine itself, but it did point us in the direction of the particular email server the spam was associated with.
If you want to see the spam from the world, just look at your spam filter logs. We get hit constantly all day long. I was really curious as to just how much it was; our filter truncates repeated messages and doesn't report the number of messages received from a blocked address, so I put an IDS set only to detect POP, SMTP, and IMAP traffic on the external (mirrored) port of our router. I got more than I bargained for by doing that. My IDS could not keep up with the number of hits we got and was dropping more packets than it was seeing. I think it forced the poor machine into seizures, thus it halted and powered off after a little over 3 hours. I will do this again, but only in limited amounts of time and only when I have better hardware.
--
Stephen Bartlett, B.S.INFOSEC, CSSM, CSA, ISSO, CISO, CSC, CRA
Assistant Systems Administrator
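The thread's two practical points, egress-filtering outbound SMTP so only the real mail relay can speak to port 25, and reviewing firewall logs to find the LAN host that is spamming, can be combined into one small check. The following is an added example, not code from the list or from any poster; it assumes iptables on a Linux gateway, a constructed sample of its LOG output, hypothetical documentation-range addresses, and 192.168.1.10 as the only authorised relay.

```python
import re
from collections import defaultdict

# Constructed sample of iptables LOG lines for outbound TCP from the LAN (eth1)
# to the Internet (eth0). Addresses are hypothetical; 192.168.1.10 is the relay.
SAMPLE_LOG = """\
May  9 21:58:01 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.25 PROTO=TCP SPT=44120 DPT=25
May  9 21:58:02 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.9 PROTO=TCP SPT=1034 DPT=25
May  9 21:58:02 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.10 PROTO=TCP SPT=1035 DPT=25
May  9 21:58:03 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.77 PROTO=TCP SPT=1036 DPT=25
May  9 21:58:04 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=203.0.113.5 PROTO=TCP SPT=50100 DPT=443
May  9 21:58:05 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.9 PROTO=TCP SPT=44121 DPT=25
May  9 21:58:06 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=192.168.1.88 DST=203.0.113.40 PROTO=TCP SPT=3301 DPT=25
"""

MAIL_RELAYS = {"192.168.1.10"}  # the only hosts allowed to send SMTP outbound
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")


def parse_smtp_events(log_text):
    """Yield (src, dst) for every logged outbound TCP connection to port 25."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dpt") == "25":
            yield m.group("src"), m.group("dst")


def find_rogue_senders(log_text, relays=MAIL_RELAYS, min_destinations=2):
    """Map each non-relay LAN host to the sorted set of remote SMTP servers it
    contacted, keeping only hosts that reached at least min_destinations.
    A workstation fanning out to many MXs is the classic spam-bot signature."""
    dsts = defaultdict(set)
    for src, dst in parse_smtp_events(log_text):
        if src not in relays:
            dsts[src].add(dst)
    return {src: sorted(d) for src, d in dsts.items() if len(d) >= min_destinations}


def egress_rules(relays=MAIL_RELAYS, lan_if="eth1"):
    """iptables FORWARD rules matching the sample: log all port-25 egress,
    accept it only from the relays, drop it from everything else."""
    rules = [f'iptables -A FORWARD -i {lan_if} -p tcp --dport 25 -j LOG --log-prefix "EGRESS "']
    rules += [f"iptables -A FORWARD -i {lan_if} -p tcp --dport 25 -s {r} -j ACCEPT" for r in sorted(relays)]
    rules.append(f"iptables -A FORWARD -i {lan_if} -p tcp --dport 25 -j DROP")
    return rules


if __name__ == "__main__":
    for src, servers in find_rogue_senders(SAMPLE_LOG).items():
        print(f"{src} opened SMTP to {len(servers)} distinct servers: {', '.join(servers)}")
```

Lowering min_destinations to 1 also reports 192.168.1.88, which touched a single server; the threshold is what separates a one-off from a host that deserves a visit.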