Unwanted SMTP traffic filtering

admin_2
Level 3

I'd like an example of a technique to block all mail except a certain list for passing through the 2600 series router. The list of included addresses is only about 150.

Why?

Mail bombing and spam pass untouched through the router and firewall and are handed off to the email server for processing. Seems we are getting more than 80% content as undeliverable old and unused addresses in our domain.

I'd rather drop email at the entry port than let it wriggle through and clog up things.

Help with examples or point to url would be appreciated.

10 Replies

gfullage
Cisco Employee

You can't do this in an IOS router, nor in a PIX firewall. The router/PIX can be configured to block invalid SMTP commands, but not to block email to or from certain addresses. This type of thing is best handled by your email server, let your router route packets.

jeff.bankston
Level 1

150 lines of deny statements to block those sites is do-able, yes, but you're going to impose a large cpu overhead with every single packet traversing the router. I'm forced to do this at my home network on an older 2621 facing my DSL connection, and I can easily see the effect of the long list and this is on a low volume network and I can see its impact.

I'd never do this in a high volume network, the router would be continually choking on utilization - best to use an email filter on the mail server, or perhaps create a null mailbox and redirect those unwanted emails to it and delete its contents periodically.

If you really, really, (did I say really?) think you want to take this approach, add in 10 lines of deny statement and monitor the router's utilization stats, then progressively add in a few more lines a few days later, re-monitor, etc. You'll eventually hit a point of congesting the router's performance, or even crashing it, trying to make it an smtp filter.

As the other gentleman stated, routers are designed to route packets; access lists are a necessary evil for moderated security controls. There are other devices out there designed to better handle UCE, if you can afford it.

-Jeff

epang
Level 1

Why not redesign your email entry point with a mail gateway? This will allow you to customize a huge ACL list at the server level without cluttering your edge router.

In the event your mail server is down, this gateway will act as a backup until your email server is back online. Once online, all emails stored will be pushed into the server from the gateway.

A popular mail gateway program for this purpose is called IMGate.

ekess
Level 1

I have gotten 3 replies so far.

All helpful.

I'd like to add just a tad bit more to clarify the problem.

allow clients list:

jill@dataprose.com

sue@dataprose.com

vpwannabe@dataprose.com

deny all other smtp traffic such as

administrator@dataprose.com

ad nauseam

...

I'm not really interested in denying spam mail from domains, spoofed or not, as just allowing SMTP traffic to designated people. Traffic at the firewall would diminish about 40%.

When dealing with email, you are not dealing with single IP addresses. A single domain name can point to many clustered servers each with its own IP addresses.

If dataprose.com has only 1 MX record, then hard coding the IP address into an ACL will work. On the other hand, hotmail.com has approx 20 different IP addresses for the hotmail.com domain.

Again, if you want to manage email, use an application that is designed to handle email screening at both the envelope and domain level.

However, if you _must_ use your router, then consider using NBAR. You'll need IP Plus IOS, and have all SMTP traffic filtered looking for the specific string "administrator@dataprose.com" and dropped. Using NBAR will generate a lot of CPU cycles; you'll also need to max out your router's RAM.

Then again, this is a workaround if you can't or won't invest the time in configuring your email server to properly filter emails at the domain level vs a router at the IP level.

Hope this helps.

That changes things considerably!!

You want mail filtering at the application layer, not spam/SMTP in the perimeter. A router ACL is going to permit/deny the whole domain via its IP address for their domain or MX record, not individual users within that domain. I think someone mentioned a tool like IMGate that can help with your issue; I'm sure there's got to be mail filtering software that handles this.

Even the SMTP spam controls in the FW-IDS router code don't do that; they just check for illegal SMTP commands and/or excess RCPT TO listings.

-Jeff
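The allow list ekess describes is an envelope-level decision (which RCPT TO addresses a server will accept), and the replies above are unanimous that such a decision belongs on a mail gateway or proxy, not in a router ACL. The following is an added example, not code from this thread or from IMGate or ASSP: a small Python simulation of the server side of an inbound SMTP session that answers 250 for the three listed recipients and 550 for everyone else at RCPT TO, so that rejected mail is refused before the sender ever transmits a body. The allowlist, the server host name and the client transcript are all constructed for the example.

```python
import re

# Constructed allowlist: the three recipients named in the thread.
ALLOWED_RECIPIENTS = {
    "jill@dataprose.com",
    "sue@dataprose.com",
    "vpwannabe@dataprose.com",
}

# Constructed SMTP client transcript: one legitimate recipient plus two that
# should be refused (an administrator alias and an old, unused address).
CLIENT_LINES = [
    "EHLO relay.sender.example",
    "MAIL FROM:<someone@sender.example>",
    "RCPT TO:<Jill@dataprose.com>",
    "RCPT TO:<administrator@dataprose.com>",
    "RCPT TO:<oldaccount@dataprose.com>",
    "DATA",
    "Subject: hello",
    "",
    "body text",
    ".",
    "QUIT",
]

ADDR_RE = re.compile(r"<([^>]*)>")


def extract_address(command):
    """Return the address inside the angle brackets of MAIL FROM / RCPT TO, or None."""
    match = ADDR_RE.search(command)
    return match.group(1) if match else None


class RecipientFilterSession:
    """Server side of one inbound SMTP session that inspects only the envelope."""

    def __init__(self, allowlist, hostname="mx.dataprose.example"):
        self.allowlist = {addr.lower() for addr in allowlist}
        self.hostname = hostname  # hypothetical name, constructed for the example
        self.sender = None
        self.accepted = []   # recipients accepted for the current message
        self.rejected = []   # every recipient refused during the session
        self.messages = []   # (sender, recipients, body lines) that reached DATA
        self.in_data = False
        self.body = []

    def handle_line(self, line):
        """Process one client line; return the reply, or None while reading the body."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.messages.append((self.sender, list(self.accepted), self.body))
                self.body, self.accepted, self.sender = [], [], None
                return "250 OK: queued"
            # RFC 5321 dot-stuffing: a body line that starts with "." arrives as ".."
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":
            self.sender = extract_address(line)
            self.accepted = []
            return "250 OK"
        if verb == "RCPT":
            addr = extract_address(line)
            if addr is not None and addr.lower() in self.allowlist:
                self.accepted.append(addr.lower())
                return "250 OK"
            self.rejected.append(addr)
            return "550 5.1.1 Recipient not permitted"
        if verb == "DATA":
            if not self.accepted:
                # Nothing was accepted, so the body is never transferred at all.
                return "554 5.5.1 No valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"


def run_session(client_lines, allowlist=ALLOWED_RECIPIENTS):
    """Feed a transcript through one session; return the session and the replies sent."""
    session = RecipientFilterSession(allowlist)
    replies = []
    for line in client_lines:
        reply = session.handle_line(line)
        if reply is not None:
            replies.append(reply)
    return session, replies


if __name__ == "__main__":
    session, replies = run_session(CLIENT_LINES)
    print("\n".join(replies))
    print("rejected:", session.rejected)
```

Because the decision is taken at RCPT TO, the sending server learns of the rejection before it transmits the body, and the router and firewall only ever carry the short envelope exchange, which is the "drop it at the entry port" effect the original poster wants. In a real deployment this check lives in the proxy or MTA's recipient table, not in a toy session handler, and it says nothing about the sender's IP address, so it is unaffected by the multiple-MX-record problem the thread describes.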

robsys
Level 1

I'm attempting to block spammers by entering their IP address in the deny statements of the PIX506 firewall. This is a monumental task! I have several large customers (1000 employees +) with kinda the same setup (PIX / Exchange Server). I don't want to force all of the customers to purchase YET ANOTHER PIECE OF COMPUTER GEAR to filter spam. I think that is why they bought the high end firewall. My technique has been to monitor the incoming email traffic with Microsoft's NetMon (SMS version), with a capture filter designed to filter on the initial mail transfer message. Periodically, I stop the capture and run a NetMon "Expert" to show the top 50 users (the top email senders). I then look through the top ten or so (they usually REALLY stand out) to ensure it is spam .... then add the captured addresses to the firewall. We have an Access database the IP addresses are entered into, which in turn produces a report in the IOS deny format that we merge with the IOS's of other firewalls.

Cumbersome I know ..... but until I find something better ?????

Here is my problem: 1) I would like a firewall / router appliance that supports uploading a deny list via some type of delimited file of IP addresses.

2) Some of the SPAMMERS still get through, even if on the Deny list ..... I'm totally stumped on how this can happen.

Bill Robinson
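Both jeff.bankston's advice (add a handful of deny entries at a time and watch router utilization) and Bill Robinson's request (load a deny list from a delimited file of IP addresses) come down to generating IOS ACL lines from a list. The following is an added example, not the poster's Access report or anything from Cisco: a Python script that reads a delimited export, validates each row, collapses duplicates and overlapping prefixes so the ACL is as short as possible, reports the rows it could not use instead of silently dropping them, and renders an extended numbered ACL with an optional cap on the number of entries for a staged rollout. The file contents, the ACL number and the addresses (all from documentation ranges) are constructed for the example.

```python
import csv
import io
import ipaddress

# Constructed sample export, in the "delimited file of IP addresses" shape the
# post asks for. The note column is ignored; it is there to show that extra
# columns from the database do not get in the way.
SAMPLE_DENY_LIST = """ip,note
192.0.2.10,bulk sender seen in capture
192.0.2.10,duplicate row from a second capture
198.51.100.0/24,whole relay block
203.0.113.77,
not-an-address,typo in the database
10.0.0.0/8,private range that should never appear as a sender
2001:db8::1,IPv6 is not something this ACL covers
"""


def load_deny_list(text):
    """Parse delimited text into collapsed IPv4 networks.

    Returns (networks, rejected_rows). Rows that do not parse, or that are not
    IPv4, are reported rather than dropped, so the administrator can see exactly
    which entries never made it into the ACL.
    """
    networks, rejected = set(), []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["ip"].strip()
        try:
            # strict=True (the default): "198.51.100.5/24" is an error here, not
            # silently widened to the whole /24.
            net = ipaddress.ip_network(raw)
        except ValueError:
            rejected.append(raw)
            continue
        if net.version != 4:
            rejected.append(raw)
            continue
        networks.add(net)
    # collapse_addresses merges duplicates, adjacent and nested prefixes, which
    # keeps the line count (and the per-packet ACL walk) as short as possible.
    return list(ipaddress.collapse_addresses(sorted(networks))), rejected


def render_ios_acl(networks, acl_number=101, limit=None):
    """Render an IOS extended numbered ACL that drops inbound SMTP from the list.

    limit caps the number of deny entries emitted, for the staged rollout
    suggested in the thread (add a few entries, watch CPU, add a few more).
    """
    entries = networks if limit is None else networks[:limit]
    lines = [f"access-list {acl_number} remark inbound SMTP deny list, {len(entries)} entries (generated)"]
    for net in entries:
        if net.prefixlen == 32:
            lines.append(f"access-list {acl_number} deny tcp host {net.network_address} any eq smtp")
        else:
            # IOS ACLs take a wildcard (inverse) mask, which ipaddress exposes as hostmask.
            lines.append(f"access-list {acl_number} deny tcp {net.network_address} {net.hostmask} any eq smtp")
    # Everything else is still routed: this is a deny list, not an allow list.
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    nets, bad = load_deny_list(SAMPLE_DENY_LIST)
    print("\n".join(render_ios_acl(nets)))
    print("! rows not included:", bad)
```

The rejected-row report is worth reading every time the list is regenerated: an entry that a report writer quietly skipped, or a host entry that covers only one of a sender's many outbound addresses (the multiple-MX-record point made earlier in the thread), are both mundane reasons why a "denied" sender keeps getting through. The example also never emits a `no access-list` line; re-applying a numbered ACL by deleting and recreating it briefly leaves the interface with no list at all, so a change to the list should be staged with that in mind.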

I don't recall the name offhand but you can subscribe to a DNS based service which maintains a list of known open relays etc.

jtantsura
Level 1

You could use a layer 7 switch to have a look at application layer info (username/domain name), which is expensive. Otherwise, if you know what users/domains are allowed, configuring this on the mail server of your ISP is easy, will save bandwidth and mail processing on your site, and will get rid of this problem.

Jeff

dhekimian
Level 1

I'm coming into this a bit late, but I think this is the proper solution to your problem.

What you're really looking for is a Mail Proxy. The best solution I've seen in a long while (and it's also FREE) is called ASSP (Anti-Spam-SMTP-Proxy) http://assp.sourceforge.net/

ASSP does realtime LDAP lookups (good for MS Exchange environments), realtime antivirus scanning (using the free ClamAV virus engine), SPAM blocking (based upon your own rule sets) and much more. You configure which options you want and don't want.

This doesn't add another SMTP server to your environment. It just acts like a proxy: it listens to the conversation between the sending server and your SMTP server and does real time analysis on the conversation.

Don't try to get your Router/PIX to do something it's not meant to do.