Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 11 replies
  • Answers 1 answer
  • Subscribers 7 subscribers
  • Views 3404 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

We got blacklisted by Spamhaus!

Kurt F

Hello all,

Today we got blacklisted by Spaumhaus. 

Our setup:

We have many companies sharing one big building and we have not "control" over all the companies but each and every one of the computers inside of the building will go through our Sophos UTM.

We are quite sure that one of the computers inside this building is infected by some sort of virus that is sending spam.

Is there a way to identify this computer by studying the Sophos UTM log-files?

Thanks for any help! :)



This thread was automatically locked due to age.
Parents
  • 0

    Hello Kurt,

    are you using Email Protection at all?

    If not, are you allowing SMTP from inside to outside generally for all clients?

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to PhilippRusch

    Hello jprusch and thanks for your reply!

    As it were anyone could use SMTP from the inside to outside we have now blocked this so that only our Exchange-server and RDS-servers are allowed

    We are now whitelisted all over so that part is good.

    We would still like to identify the one responsible and would like to use the UTM logs for this if at all possible?

  • 0 in reply to Kurt F

    Hello Kurt,

    that's a good measure for now and hopefully you should stay unlisted.

    If your former firewall rule(s) had set the checkbox to "Log Traffic" (in "Advanced" settings), then you should be able to investigate in the archived firewall logs of the "Firewall" log.

    If you didn't check this box, that's it.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to PhilippRusch

    Thanks again for your reply.

    I would assume that the offending computer is still trying to send spam, and will continue to do so untill the virus is removed.....wont this be visible somewhere in the logs?

  • 0 in reply to Kurt F

    Of course you will see new attempts to send from a non-admitted system from now on. These will pop up as DROP in "Live Log" under "Network Protection/Firewall".

    I thought you wanted to invetigate the past.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Kurt F

    Hei Kurt and welcome to the UM Community!

    The other place you can see traffic is on the 'Bandwidth Usage' tab of 'Logging & Reporting >> Network Usage'.  For example:

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0 in reply to Kurt F

    Hei Kurt and welcome to the UM Community!

    The other place you can see traffic is on the 'Bandwidth Usage' tab of 'Logging & Reporting >> Network Usage'.  For example:

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML