Security Basics mailing list archives

RE: Malware detection
From: John Hebert <jhebert () bizdps com>
Date: Thu, 19 Jul 2012 13:39:29 +0000

From: Andreas Lindkvist [mailto:lindkvist.andreas () gmail com] 
Sent: Thursday, July 19, 2012 3:26 AM
To: John Hebert
Subject: Re: Malware detection


I read the FW-howto and also a lot of comments in this communication and it is important to mention that you are not 
safe from SPAM-issues just by restricting the SMTP/TCP port-25 to your mail server. It is also as important to 
regulate the relay-ACL on that particular server. Some mail servers have sloppy or non-existing restrictions for 
SMTP-relay which coverts the restrictions in any kind of IP-filtering.

I completely agree.  While most spam-sending bots have their own SMTP engine or use MAPI calls to get the job done, 
probing for an open mail relay on the local network is not out of the question.  Additionally, one can subscribe to an 
outbound email filtering service and restrict outbound SMTP from just the mail server to just the filter's smarthost.  
That will force every message to go through the filter prior to hitting the Internet at large.  If an inbound filtering 
service is used, restricting inbound SMTP to just the filter's smarthost will prevent external relay attempts.


On Wed, Jul 18, 2012 at 8:26 PM, John Hebert <jhebert () bizdps com> wrote:
From: mwamba chishimba [mailto:bamwamba () gmail com]
Sent: Wednesday, July 18, 2012 2:11 PM
To: John Hebert
Cc: security-basics () securityfocus com
Subject: Re: Malware detection

Hi John,

I am running a Linux based firewall/gateway (ClearOS) which is also running as an email server. Spamhaus has just blocked 
me because one of my PCs behind the firewall has a Waledac spambot. I have about 70 users on the network and 
picking out who the culprit is will be a daunting task as you can imagine. I've started installing MalwareBytes on 
all the PCs. In the meantime I want Spamhaus to delist me as I pursue the offender. I have installed Wireshark to 
help me monitor traffic and on my firewall I have blocked all outgoing traffic except for http(s). 

Please advise how else I can prevent spam from leaving my network thereby avoiding being blocked by spamhaus ever 

If you change your firewall to block all outgoing SMTP except from the mail server itself, any other computer won't be 
able to send spam anymore.  Once you do that, you'll be able to look at the firewall logs to see which IP is having 
SMTP connections dropped.

Will that prevent you from being blacklisted ever again?  Well, technically, if your mail server or one of the 
accounts on it were to become compromised, it could be used for spam.  Short of that, you're good to go.

I wrote up a vendor-neutral how-to for Spiceworks a little while ago that might help with your outbound firewall rules:
http://community.spiceworks.com/how_to/show/2901 - If anyone has anything to add, let me know and I'll update it.

Thank you in advance for everybody's help, greatly appreciated!

Kind Regards,
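
The "block outbound SMTP except from the mail server, then read the firewall logs" approach discussed in this thread, worked through as an added example that is not part of the original messages. The script assumes a Linux gateway (the thread's ClearOS box) whose iptables FORWARD chain ACCEPTs TCP/25 from the mail server, then LOGs and DROPs TCP/25 from everything else with a `SMTP-DROP:` prefix; the rules in the comments, the mail server address 192.168.1.10, and the sample log lines are all constructed for the example. It parses the kernel LOG lines, ranks internal hosts by dropped SMTP attempts and distinct destinations, and also flags the case where the mail server itself shows up in the drop log, which means the ACCEPT rule is missing or ordered after the LOG rule.

```python
import re
from collections import Counter

# Assumed firewall rules on the gateway (constructed for this example, not from the thread):
#   iptables -A FORWARD -s 192.168.1.10 -p tcp --dport 25 -j ACCEPT
#   iptables -A FORWARD -p tcp --dport 25 -j LOG --log-prefix "SMTP-DROP: "
#   iptables -A FORWARD -p tcp --dport 25 -j DROP
# The ACCEPT for the mail server must precede the LOG/DROP pair.

MAIL_SERVER = "192.168.1.10"   # constructed: the only host allowed to speak SMTP outbound
LOG_PREFIX = "SMTP-DROP:"      # prefix set with --log-prefix on the LOG rule

# Constructed sample syslog lines in the format the iptables LOG target produces.
# 192.168.1.57 behaves like a spambot (many attempts, many destinations);
# 192.168.1.23 is a single misconfigured mail client; the SSH line is unrelated noise.
SAMPLE_LOG = """\
Jul 19 10:01:12 gw kernel: SMTP-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=49152 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 19 10:01:13 gw kernel: SMTP-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1235 DF PROTO=TCP SPT=49153 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 19 10:01:13 gw kernel: SMTP-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.12 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1236 DF PROTO=TCP SPT=49154 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 19 10:01:14 gw kernel: SMTP-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1237 DF PROTO=TCP SPT=49155 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 19 10:01:15 gw kernel: SMTP-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.13 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1238 DF PROTO=TCP SPT=49156 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 19 10:01:40 gw kernel: INPUT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=777 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jul 19 10:02:03 gw kernel: SMTP-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2001 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Constructed variant where the mail server itself is being dropped: rule ordering is wrong.
SAMPLE_LOG_MISORDERED = SAMPLE_LOG + (
    "Jul 19 10:03:00 gw kernel: SMTP-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.20 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3001 DF PROTO=TCP SPT=52000 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0\n"
)

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_drop(line):
    """Return (src, dst) for a logged outbound TCP/25 drop, or None for any other line."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
        return None
    return fields["SRC"], fields["DST"]


def summarize(log_text):
    """Count dropped SMTP attempts per internal source and collect the distinct destinations each one tried."""
    attempts = Counter()
    destinations = {}
    for line in log_text.splitlines():
        parsed = parse_drop(line)
        if parsed is None:
            continue
        src, dst = parsed
        attempts[src] += 1
        destinations.setdefault(src, set()).add(dst)
    return attempts, destinations


def suspects(log_text, min_attempts=3):
    """Internal hosts with at least min_attempts dropped SMTP connections, most active first,
    as (source, attempts, distinct_destinations). A bot fans out to many MXs; a lone
    misconfigured client usually hits one."""
    attempts, destinations = summarize(log_text)
    return [(src, n, len(destinations[src]))
            for src, n in attempts.most_common() if n >= min_attempts]


def mail_server_leaking(log_text, mail_server=MAIL_SERVER):
    """True if the legitimate mail server appears in the drop log, i.e. the ACCEPT rule
    is missing or placed after the LOG/DROP rules, so real mail is being blocked too."""
    attempts, _ = summarize(log_text)
    return mail_server in attempts


if __name__ == "__main__":
    for src, n, ndst in suspects(SAMPLE_LOG):
        print(f"{src}: {n} dropped SMTP attempts to {ndst} distinct destinations")
    if mail_server_leaking(SAMPLE_LOG_MISORDERED):
        print("warning: mail server is being dropped; check FORWARD rule ordering")
```

On a real gateway the log text would come from `/var/log/messages` or `/var/log/kern.log` (location depends on the distribution's syslog configuration); the threshold of three attempts is a constructed starting point, since one dropped connection is often just a user's mail client pointed at an external SMTP server rather than a bot.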

