
Black listed server

Hi,

I have had a web server continuously marked in the cbl.abuseat.org blacklist. I can't find which one it is... I know that I can block port 25, but I would like to know which one is the spammer....

Any ideas how to find it in the logs?

Best regards.

  • FormerMember

    Hi,

    What is the firmware version on your firewall, and do you use email protection on your firewall? If yes, what is the SMTP deployment mode? 

    I would also suggest you check if SMTP relay is allowed on the WAN zone or not under Administration > Device access. 

    Thanks,

  • Hi,

    The firmware version is SFOS 18.0.4 MR-4.

    The device acts as a Mail Transfer Agent (MTA).

    I have a host-based relay list. None of the hosts are in the WAN zone. Maybe I should disable the SMTP relay in the WAN zone, right?

    I think the problem is in one rule that allows outbound traffic to ports 465 and 587 of a list of networks (Gmail, Microsoft, etc.). I already enabled the checkbox "scan SMTP" but it is still being listed... Some hosts are web servers; maybe one is compromised.

    Thank you for the reply.

  • I am not able to understand what you exactly mean.

    So your firewall drops spam emails in the first place. Do you assume it's a false positive and it's one of your web servers, or what is your detailed issue?


  • Sorry, I will give more information.

    Network configuration:
    - 2 public ips;
    - DMZ zone for primary servers NATed by public IP 1. Local email servers are in the DMZ zone.
    - Lan1 for local users NATed by public IP 2. SMTP ports blocked by default by the antivirus (exceptions for some apps: Outlook, Thunderbird, etc.).
    - Lan2 for secondary servers NATed by public IP 2.

    SMTP ports to the WAN are open to the local email server, and blocked to all hosts, except to some networks like Gmail or Microsoft (to allow local users to use Gmail or Hotmail SMTP).

    The IP blocked in the blacklist is public IP 2, with this error:

    A device (computer, server, mobile phone, etc), or an app on a device that is using xxx.public.ip.2 is infected, insecure or compromised. It is making SMTP connections with forged HELO values on port 25.
    The observed forged HELO value was xxxx. The most recent detection occurred at: January 20 2021, 11:05:00 UTC (+/- 5 minutes)

    I suspect that the problem is in Lan2 but I can't find any related record in the log viewer...

    What is the file for the firewall log in the console? I can't find it in /log. Maybe with grep expressions I can find it more easily.

    Thanks.
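    The poster wants to know which internal host is the one opening port 25 connections through the firewall. The following is an added example, not code from this thread or from Sophos: it parses firewall log lines in the key="value" layout SFOS writes (the exact field names src_ip, dst_ip, dst_port, log_subtype and out_interface are assumed here), keeps only allowed flows leaving through the WAN interface to port 25, and ranks internal sources by connection count and by how many distinct destinations they fan out to. The sample log lines, IPs and interface names are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the key="value" layout SFOS uses for its firewall
# log. Every address, port and interface name here is made up for the example;
# nothing is taken from the poster's device. Port1 plays the WAN interface.
SAMPLE_LOG = """\
device="SFW" date=2021-01-20 time=11:02:41 log_type="Firewall" log_subtype="Allowed" src_ip="10.20.0.15" dst_ip="198.51.100.10" protocol="TCP" src_port="50122" dst_port="25" in_interface="Port3" out_interface="Port1"
device="SFW" date=2021-01-20 time=11:02:43 log_type="Firewall" log_subtype="Allowed" src_ip="10.20.0.15" dst_ip="198.51.100.11" protocol="TCP" src_port="50123" dst_port="25" in_interface="Port3" out_interface="Port1"
device="SFW" date=2021-01-20 time=11:02:50 log_type="Firewall" log_subtype="Allowed" src_ip="10.20.0.15" dst_ip="198.51.100.12" protocol="TCP" src_port="50124" dst_port="25" in_interface="Port3" out_interface="Port1"
device="SFW" date=2021-01-20 time=11:03:05 log_type="Firewall" log_subtype="Allowed" src_ip="10.10.0.5" dst_ip="198.51.100.20" protocol="TCP" src_port="41000" dst_port="25" in_interface="Port2" out_interface="Port1"
device="SFW" date=2021-01-20 time=11:03:30 log_type="Firewall" log_subtype="Allowed" src_ip="10.30.0.7" dst_ip="198.51.100.30" protocol="TCP" src_port="52000" dst_port="587" in_interface="Port4" out_interface="Port1"
device="SFW" date=2021-01-20 time=11:03:31 log_type="Firewall" log_subtype="Allowed" src_ip="10.30.0.7" dst_ip="198.51.100.30" protocol="TCP" src_port="52001" dst_port="443" in_interface="Port4" out_interface="Port1"
device="SFW" date=2021-01-20 time=11:04:02 log_type="Firewall" log_subtype="Denied" src_ip="10.30.0.9" dst_ip="198.51.100.40" protocol="TCP" src_port="60000" dst_port="25" in_interface="Port4" out_interface="Port1"
"""

# Matches either key="quoted value" or key=bareword (e.g. date=2021-01-20).
KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict of field -> value."""
    fields = {}
    for m in KV_RE.finditer(line):
        if m.group(1) is not None:
            fields[m.group(1)] = m.group(2)
        else:
            fields[m.group(3)] = m.group(4)
    return fields


def smtp_talkers(log_text, wan_interface="Port1", ports=("25",), allowed_only=True):
    """Rank internal hosts by outbound SMTP connections seen in the firewall log.

    Returns {src_ip: {"connections": n, "destinations": [distinct dst_ips]}},
    busiest source first. Only flows that left through the WAN interface to one
    of the given ports are counted; with allowed_only=True, denied attempts are
    ignored so they cannot mask the host whose connections actually got out.
    """
    connections = Counter()
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("log_type") != "Firewall":
            continue
        if f.get("out_interface") != wan_interface or f.get("dst_port") not in ports:
            continue
        if allowed_only and f.get("log_subtype") != "Allowed":
            continue
        connections[f["src_ip"]] += 1
        destinations[f["src_ip"]].add(f["dst_ip"])
    return {
        ip: {"connections": n, "destinations": sorted(destinations[ip])}
        for ip, n in connections.most_common()
    }


if __name__ == "__main__":
    for ip, info in smtp_talkers(SAMPLE_LOG).items():
        print(f"{ip}: {info['connections']} connections to "
              f"{len(info['destinations'])} distinct MX hosts")
```

    The distinct-destination count is the more useful column: a legitimate relay talks to one or two smarthosts many times, whereas a compromised host delivering spam directly fans out to many different mail exchangers with one connection each, which is the pattern that gets a shared public IP listed. Run the same function over a Log Viewer export or a logfile copied off the appliance, passing the real WAN interface name and, if the rule also allows submission ports, ports=("25", "465", "587").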

  • Basically, do not open port 25 for anybody. From a security point of view it's bad practice to do so.

    User email tools use 465/587 SMTP for users. Port 25 should only be used by MTAs.

    Because that's exactly what happens if you open port 25 for users.


  • As you were told already, port 25 should be open only from servers that supervise the email coming from that server. For example, if you send it through another MTA such as Sophos, it's OK. If you have AV with email control on that server, that's OK. You should have a rule that blocks SMTP out, with the exclusion of the protected NAT machines.

  • As suggested, here are the things that I did:

    • I blocked all hosts from accessing port 25 except the 2 mail servers.
    • Configured all servers to use a relay host with one of the internal mail servers.
    • For users that want to use external mail servers, opened ports 587 and 465.
    • Will monitor the mail logs in the internal mail servers.

    Still 2 questions:

    • I had to disable the scan SMTP option in the rule of the internal mail servers because of the SNAT rule. I have 2 SNAT rules to decide which external IP to use for each mail server. Is there some way to do the scan in the Sophos and make an SNAT based on the origin of the packet?
    • Is there some way to read the firewall log in the console?

    Thanks.