Hi, we do have some subnetworks for private computers, which are allowed to use there public smtp servers like msn, web.de or whatever with the users private accounts. All our own computers have to send mail trough our mailserver with user authentication. From time to time we are faced with the fact, that a virus infected private notebook sends spam and we are told by our ISP to take care :) What might be a good choice to allow clients to send unrestricted transparent mails (= use smtp(s)) but we can monitor? E.g. like a redirect or proxy for smtp? I like to know which private computer sends lot of mail. :) Thanks for any hint and suggestion. /G?tz -- G?tz Reinicke IT-Koordinator Tel. +49 7141 969 82 420 Fax +49 7141 969 55 420 E-Mail goetz.reinicke at filmakademie.de Filmakademie Baden-W?rttemberg GmbH Akademiehof 10 71638 Ludwigsburg www.filmakademie.de Eintragung Amtsgericht Stuttgart HRB 205016 Vorsitzender des Aufsichtsrats: J?rgen Walter MdL Staatssekret?r im Ministerium f?r Wissenschaft, Forschung und Kunst Baden-W?rttemberg Gesch?ftsf?hrer: Prof. Thomas Schadt
On Wed, Jun 27, 2012 at 4:23 PM, G?tz Reinicke <goetz.reinicke at filmakademie.de> wrote:> Hi, > > we do have some subnetworks for private computers, which are allowed to > use there public smtp servers like msn, web.de or whatever with the > users private accounts. > > All our own computers have to send mail trough our mailserver with user > authentication. > > From time to time we are faced with the fact, that a virus infected > private notebook sends spam and we are told by our ISP to take care :) > > What might be a good choice to allow clients to send unrestricted > transparent mails (= use smtp(s)) but we can monitor? E.g. like a > redirect or proxy for smtp? > > I like to know which private computer sends lot of mail. :)Hi, 1. Many malware have their own smtp and can send spam directly. To overcome this, block port tcp 25 on your gateway, and only allow your mailserver.>From the firewall log then you will know which client is infected.2. In the case that the malware use your mailserver to send the spam, there are plugins to log how many email sent by which client. HTH -- http://linux3.arinet.org
On 27/06/12 18:23, G?tz Reinicke wrote:> I like to know which private computer sends lot of mail. :)You could get your firewall ACCEPT but LOG the outgoing 25 from anything but your mailhub. Have often wondered whether a transparent mail-proxy could be set up, similar to a transparent web-proxy, with your firewall catching all port 80 and redirecting to 8080 on your squid server. Never got around to seeing whether this was possible ... ... then again I agree with the others, blocking outgoing port 25 is the better idea, but only if it is not going to get you fired. Cheers, Kal -- Kahlil (Kal) Hodgson GPG: C9A02289 Head of Technology (m) +61 (0) 4 2573 0382 DealMax Pty Ltd (w) +61 (0) 3 9008 5281 Suite 1415 401 Docklands Drive Docklands VIC 3008 Australia "All parts should go together without forcing. You must remember that the parts you are reassembling were disassembled by you. Therefore, if you can't get them together again, there must be a reason. By all means, do not use a hammer." -- IBM maintenance manual, 1925