Tiny Core Linux

Off-Topic => Off-Topic - Tiny Core Lounge => Topic started by: remus on May 20, 2013, 12:35:13 AM

Title: Stop spam from our LAN
Post by: remus on May 20, 2013, 12:35:13 AM
Hi All,

Our email domain has recently been blacklisted for detected high traffic spam.

It is most likely a virus/trojan, as I found one and cleaned it from a computer a day before we were blacklisted. (I've had the blacklisting lifted)

I think we need to install something between the network switch and the modem that can detect stuff like this and block the computer if detected.

Any suggestions ?
Title: Re: Stop spam from our LAN
Post by: hiro on May 20, 2013, 07:28:25 AM
Because one guy with his udp/rtp video streaming shit overloaded the network consistently, I blocked all outgoing connections by default and only have a few exceptions: there's a squid proxy for web browsing on windows machines, a voip pbx, a mail server and a well-behaving bittorrent downloader, accessible to all users on the router. Viruses that communicate over HTTP/HTTPS can of course still operate over this network, but they can't send SMTP mails, scan networks, or attack anything else but HTTP servers directly.

This all made me a 24/7 babysitter :)
Title: Re: Stop spam from our LAN
Post by: genec on May 20, 2013, 07:36:10 PM
1) Only allow highly trusted systems (your mail filter system) to send from your IP range.  Block others by default at your firewall.
2) Filter outbound email to prevent a compromised account from spamming.

For many years, the network I work with had #1.  During a migration to a new mail filter (as a separate appliance, utilized by the mail system as a smart host), outbound filtering was never turned back on.  When 1 account was compromised, it generated over 100k messages in around 8 hours, quadruple the typical weekly volume.  I checked various blacklists and found nothing.  Days later I heard that 1 domain blacklisted our system, which was easy to resolve (submit request and unblocked within ~4 hours).
Title: Re: Stop spam from our LAN
Post by: remus on May 20, 2013, 08:08:59 PM
We have no mail server on site, we use smtp to our isp mail server.

We have no firewall on site, we use a mix of windows xp and windows 7 machines. Plus a few microcore file servers.

I've had no network admin training so am not sure what direction to take :(
Title: Re: Stop spam from our LAN
Post by: genec on May 20, 2013, 08:14:09 PM
So at that point, it's just dropping a firewall in that filters and as a part of it, block SMTP unless it's to your ISP's system.

Your best bet is finding a good friend or affordable consultant.  There are appliances to do this sort of thing and some are quite affordable.
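The "block SMTP unless it's to your ISP's system" rule, as an added example that is not from this thread or from Tiny Core: a small sh script for an iptables box sitting between the switch and the modem. It assumes the box already routes LAN to WAN on interfaces eth1/eth0, and the ISP relay address 203.0.113.25 and the sample log lines are constructed placeholders; it also covers the submission ports 465/587, not just 25.

```shell
#!/bin/sh
# Added example: egress control for outbound SMTP from the LAN.
# Assumed names (placeholders, override via environment):
LAN_IF="${LAN_IF:-eth1}"               # interface facing the switch
WAN_IF="${WAN_IF:-eth0}"               # interface facing the modem
ISP_SMTP="${ISP_SMTP:-203.0.113.25}"   # placeholder: the ISP's SMTP relay
RELAY_HOSTS="${RELAY_HOSTS:-}"         # optional LAN hosts still allowed direct SMTP

# Print the iptables commands rather than running them, so the rule set can be
# reviewed first and then piped into sh on the firewall (see "apply" below).
egress_rules() {
    echo "iptables -N LAN_EGRESS 2>/dev/null"
    echo "iptables -F LAN_EGRESS"
    # Mail to the ISP relay is the only SMTP the LAN needs.
    echo "iptables -A LAN_EGRESS -p tcp -d $ISP_SMTP -m multiport --dports 25,465,587 -j ACCEPT"
    for h in $RELAY_HOSTS; do
        echo "iptables -A LAN_EGRESS -p tcp -s $h --dport 25 -j ACCEPT"
    done
    # Any other direct SMTP from a LAN host is the spam signal: log it, then drop it.
    echo "iptables -A LAN_EGRESS -p tcp -m multiport --dports 25,465,587 -m limit --limit 6/min -j LOG --log-prefix \"SMTP-BLOCK \""
    echo "iptables -A LAN_EGRESS -p tcp -m multiport --dports 25,465,587 -j DROP"
    echo "iptables -A LAN_EGRESS -j RETURN"
    # Hook the chain into FORWARD for LAN -> WAN traffic only (delete first so re-runs do not duplicate it).
    echo "iptables -D FORWARD -i $LAN_IF -o $WAN_IF -j LAN_EGRESS 2>/dev/null"
    echo "iptables -I FORWARD 1 -i $LAN_IF -o $WAN_IF -j LAN_EGRESS"
}

# Read kernel log lines (dmesg / syslog) on stdin and list LAN hosts that hit
# the SMTP-BLOCK rule, most frequent first: that is the machine to clean next.
offending_hosts() {
    grep 'SMTP-BLOCK' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample of what the LOG rule writes (not real traffic).
SAMPLE_LOG='SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=50123 DPT=25
SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.9 PROTO=TCP SPT=50124 DPT=25
SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=587'

case "${1:-show}" in
    show)  egress_rules ;;                                  # review the rules
    apply) egress_rules | sh ;;                             # run as root on the firewall
    demo)  printf '%s\n' "$SAMPLE_LOG" | offending_hosts ;; # expected top line: 2 192.168.1.23
esac
```

On a real box, run `sh egress.sh show` first, then `sh egress.sh apply`, and feed `dmesg` into `offending_hosts` to find the infected PC.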
Title: Re: Stop spam from our LAN
Post by: remus on May 21, 2013, 12:02:48 AM
I see that microcore 3.8.4 has iptables.tcz available, I reckon I'll have a look at learning how it works in a vm.

Thanks for the suggestion.

Google has revealed many iptables tutorials.
Title: Re: Stop spam from our LAN
Post by: genec on May 25, 2013, 08:53:25 AM
4.x also has iptables.  There are also numerous distros and systems that could help provide this functionality in a more friendly format.