This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

We got blacklisted by Spamhaus!

Hello all,

Today we got blacklisted by Spaumhaus. 

Our setup:

We have many companies sharing one big building and we have not "control" over all the companies but each and every one of the computers inside of the building will go through our Sophos UTM.

We are quite sure that one of the computers inside this building is infected by some sort of virus that is sending spam.

Is there a way to identify this computer by studying the Sophos UTM log-files?

Thanks for any help! :)



This thread was automatically locked due to age.
  • Hello Kurt,

    are you using Email Protection at all?

    If not, are you allowing SMTP from inside to outside generally for all clients?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hello jprusch and thanks for your reply!

    As it were anyone could use SMTP from the inside to outside we have now blocked this so that only our Exchange-server and RDS-servers are allowed

    We are now whitelisted all over so that part is good.

    We would still like to identify the one responsible and would like to use the UTM logs for this if at all possible?

  • Hello Kurt,

    that's a good measure for now and hopefully you should stay unlisted.

    If your former firewall rule(s) had set the checkbox to "Log Traffic" (in "Advanced" settings), then you should be able to investigate in the archived firewall logs of the "Firewall" log.

    If you didn't check this box, that's it.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks again for your reply.

    I would assume that the offending computer is still trying to send spam, and will continue to do so untill the virus is removed.....wont this be visible somewhere in the logs?

  • Of course you will see new attempts to send from a non-admitted system from now on. These will pop up as DROP in "Live Log" under "Network Protection/Firewall".

    I thought you wanted to invetigate the past.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Hei Kurt and welcome to the UM Community!

    The other place you can see traffic is on the 'Bandwidth Usage' tab of 'Logging & Reporting >> Network Usage'.  For example:

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks again jprusch and BAlfson for your help!

    I was wrong. Seems its not a computer located (permanently) in our bulding that was causing this since the spamming has stopped. We are now pretty conviced that it must have been a visitor using our Wifi network.

    We will segment the guest network even more and ensure that it gets its own wan ip.

    We would still like to identify these types of situations and my question is if there is any way of setting up rules and have triggers at some threshold that would email us if the threshold is met?

    Ie; If x number of SMTP within x number of minutes -> send email warning

    ?

  • It is basically already bad practice to allow SMTP Port 25 for Guests.

    Port 25 is nearly dead for client to server communication. 

    Client to Server (transmitting a mail) is only 465 and 587. 

    Port 25 is nowadays only MTA (Server to Server) communication. 

     

    I would not allow Port 25 to be communicated through my gateway. 

    __________________________________________________________________________________________________________________

  • Thanks LuCar Toni - while I appreciate your input/reply I really do, it does not answer my question.

  • Hello,

    I totally agree to LuCar Toni, opening port 25 is a bad habit. You shouldn't do that anymore, even in a guest network.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.