Stop spam from our LAN

[remus]

Hi All,

Our email domain has recently been blacklisted for detected high traffic spam.

It is mostly likely a virus/trojan, as I found one and cleaned it from a computer a day before we were blacklisted. (I've had the blacklisting lifted)

I think we need to install something between the network switch and the modem that can detect stuff like this and block the computer if detected.

Any suggestions ?

[hiro]

Because one guy with his udp/rtp video streaming shit overloaded the network consistently I blocked all outgoing connections by default and only have few exceptions: there's a squid proxy for web browsing on windows machines, a voip pbx, a mail server and a well-behaving bittorrent downloader, accessible to all users on the router. Viruses that communicate over HTTP/HTTPS can of course still operate over this network, but they can't send SMTP mails, scan networks, or attack anything else but HTTP servers directly.

This all made me a 24/7 babysitter

[genec]

1) Only allow highly trusted systems (your mail filter system) to send from your IP range.  Block others by default at your firewall.
2) Filter outbound email to prevent a compromised account from spamming.

For many years, the network I work with had #1.  During a migration to a new mail filter (as a separate appliance, utilized by the mail system as a smart host), outbound filtering was never turned back on.  When 1 account was compromised, it generated over 100k messages in around 8 hours, quadruple the typical weekly volume.  I checked various blacklists and found nothoing.  Days later I hear that 1 domain blacklisted our system which was easy to resolve (submit request and unblocked within ~4 hours).

[remus]

We have no mail server on site, we use smtp to our isp mail server.

We have no firewall on site, we use a mix of windows xp and windows 7 machines. Plus a few microcore file servers.

I've had no network admin training so am not sure what direction to take

[genec]

So at that point, it's just dropping a firewall in that filters and as a part of it, block SMTP unless it's to your ISP's system.

Your best bet is finding a good friend or affordable consultant.  There are appliances to do this sort of thing and some are quite affordable.

[remus]

I see that microcore 3.8.4 has iptables.tcz available, I recon I'll have a look at learning how it works in a vm.

Thanks for the suggestion.

Google has revealed many iptables tutorials.

[genec]

4.x also has iptables.  There are also numerous distros and systems that could help provide this functionality in a more friendly format.