Hi,
On Thu, Feb 25, 2010 at 5:50 PM, Eric Shubert <[email protected]> wrote:
> Peter Peltonen wrote:
>>
>> I have a qmailtoaster in a quite big LAN. One of the computers in the
>> LAN is sending spam. How do I find out which host is to blame?
>>
>> And would someone have an iptables rule that would prevent this (the
>> server is acting as a NAT gateway as well)? The hosts in the LAN
>> should be allowed to contact only the ISP's SMTP server. From the
>> qmailtoaster only email generated from the server itself (for example
>> from Squirrelmail it is running) should be allowed to be sent further.
>>
>> Best,
>> Peter
>>
>
> Hey Peter,
>
> There are likely to be several ways you could construct rules for iptables
> that would remedy your situation. In a nutshell, it sounds like you want to
> disallow port 25 traffic from the LAN to the outside world, and log any
> attempts that do so you can identify the offending host.
>
> Conceptually, you'd say "if the input interface is the lan, and the out
> interface is the wan, and the destination port is 25, then log and reject
> it". I think the iptables rule(s) would look like this:
> -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 25 -j LOG
> -A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 25 -j DROP
> Be sure to substitute the appropriate device names for eth0 and eth1. In
> this example, eth0 would be the lan and eth1 the wan.
>
> I'm not an iptables expert, but I'm reasonably sure this will do what you're
> looking for. Please post back your results.
>
I decided to take another route to find the spammer, using
wireshark. On the router machine:

    tshark -a "duration:3595" -f "tcp port 25 and net 192.168.0.0/24 and not host isps.smtp.net and not host qmailtoasters.addrhere.net" -i eth1 > tshark.log

gave me quite a nice overview of which hosts were trying to reach
SMTP hosts other than the legitimate ones. I have this now in a cron
script which emails me the log file if it has any content.
Cheers,
Peter
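
An added example, not part of the original message: a shell function that ranks LAN hosts by outbound SMTP connection attempts found in a tshark.log like the one captured above. It assumes tshark's default one-line-per-packet text output with the source address in column 3 and the destination in column 5; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn a tshark text log into a per-host summary so the
# offending LAN machine stands out at the top of the cron mail.
# Assumption: columns are "No. Time Source <arrow> Destination Protocol Info".

# sample_log: constructed capture lines (documentation-range destinations).
sample_log() {
    cat <<'EOF'
  1 0.000000 192.168.0.23 -> 203.0.113.5 TCP 51234 > smtp [SYN] Seq=0 Win=5840 Len=0
  2 0.120000 203.0.113.5 -> 192.168.0.23 TCP smtp > 51234 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0
  3 0.120100 192.168.0.23 -> 203.0.113.5 TCP 51234 > smtp [ACK] Seq=1 Ack=1 Win=5840 Len=0
  4 1.500000 192.168.0.23 -> 198.51.100.9 TCP 51240 > smtp [SYN] Seq=0 Win=5840 Len=0
  5 2.000000 192.168.0.77 -> 203.0.113.5 TCP 40022 > smtp [SYN] Seq=0 Win=5840 Len=0
  6 3.000000 192.168.0.23 -> 203.0.113.5 TCP 51251 > smtp [SYN] Seq=0 Win=5840 Len=0
EOF
}

# summarize_smtp LOGFILE [LAN_PREFIX]
# Prints "attempts source_ip distinct_destinations", busiest host first.
summarize_smtp() {
    awk -v lan="${2:-192.168.0.}" '
        # Only bare SYN packets sent by a LAN host: one per connection
        # attempt, so replies and established traffic are not counted.
        index($3, lan) == 1 && /\[SYN\]/ {
            attempts[$3]++
            if (!seen[$3 SUBSEP $5]++) dests[$3]++
        }
        END {
            for (h in attempts) print attempts[h], h, dests[h]
        }
    ' "$1" | sort -k1,1nr -k2,2
}

# Demo run on the constructed sample.
tmp=$(mktemp)
sample_log > "$tmp"
summarize_smtp "$tmp"
rm -f "$tmp"
```

A host that reaches many distinct destinations in one capture window is the likelier spam source; a single attempt may only be a misconfigured mail client.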