when your setting up the watchguard rule to only allow port 25 from your mail server, also check log deny on the rule. You can then set it up to email you every time the rule is tripped. That will notify you when it happens and from what ip address.
Matt - Original message - Sounds like you may have an infected client o... Sent from Gmail for mobile On 7/28/08, Tim Evans <[EMAIL PROTECTED]> wrote: > Sounds like you may have an infected client on your network that is > sending outbound spam. Block port 25 at the firewall for all but > authorized systems (mail server). Set the mail server so that it only > accepts mail from your exchange server. That should get things cleared > up enough so that you'll stay off the blacklists and give you some time > to hunt for the guilty party. > > > > > > ...Tim > > > > From: Paul Everett [mailto:[EMAIL PROTECTED] > Sent: Monday, July 28, 2008 2:35 PM > To: NT System Admin Issues > Subject: blacklists > > > > We've been finding ourself on some blacklists since last week and have > basically shut us down. Specifically Spamhaus and Barracuda's. > > I'm not sure if I have an infected computer on my network sending spam > or not. I've requested my ip removed from the blacklists several times, > but after a day or two I'm back on. I've got a window to post this > question before it happens again. Here's what I have. > > One Domain, two locations connected via PTP T1 (Adtrans). All Internet > access is at one location where I have my Mail Server 2003 (Ninja) and a > Watchguard Firewall. All clients (about 200) running Symantec AV. > > I don't have really the tools or knowledge to run any packet capture > software (or anything else) to determine if I have an owned machine, but > while I am working on that is there any way to close my firewall to > outbound mail traffic while still letting my Exchange out? Do infected > computers send email thru port 25 like Exchange? If so, can I block > that port and change the port Exchange uses to send? If so, how? > > This may take me awhile, but I'd like to stay off the blacklists in the > mean time. > > > > One thing I've done is installed Zone Alarm on my pc to see if I can > catch any of my local computers scanning my network. After the install > it asked if I wanted my Outlook to act as a Server. The info button > showed that it should be ok to do, but I said "no". My email seems to > be working but I keep getting notifications that ZA is blocking internet > access to my computer from my mail server. This is probably nothing. > > > > Thanks for any suggestions. > > Paul Everett > IS Dept. > Lee Mental Health Center > 239-791-1551 > > "Lee Mental Health Center, Inc. providing services through Ruth Cooper > Center for Behavioral Health Care and VISTA Behavioral Crisis Services. > Visit our website at www.leementalhealth.org > <blocked::http://www.leementalhealth.org/> to learn more." > > Confidentiality Notice: This e-mail message, including any attachments, > is for the sole use of the intended recipient(s) and may contain > confidential and privileged information. Any unauthorized review, use, > disclosure, or distribution is prohibited. If you are not the intended > recipient, please contact the sender by reply e-mail and destroy all > copies of the original message, including attachments. > > > > > > > > ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ > ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~ -- Sent from Gmail for mobile | mobile.google.com ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
