
This is a follow-up to "Our IP was listed by Spamhaus - how can we prevent this from happening again?" - unfortunately, it is happening yet again.

I was thinking that people could have malware on their phones while using our wi-fi, so one thing to do would be to prevent e-mail traffic from going to/from anything that isn't our mail server.

Our router / firewall is an arcane slew of iptables rules, written before I came on the scene, so I just tinker with them here and there and hope not to break things. Here are the rules I put in hoping to restrict e-mail to just our server:

# Open ports on router for server/services (restricting outgoing e-mail to ouremailserver)
/sbin/iptables -A INPUT -p tcp --dport 25 ! -s private.subnetip.goes.here -j DROP
/sbin/iptables -A INPUT -p tcp --dport 110 ! -s private.subnetip.goes.here -j DROP
/sbin/iptables -A INPUT -p tcp --dport 143 ! -s private.subnetip.goes.here -j DROP

If this is incorrect, then I can fix it and hope the problem doesn't happen again. If it is correct, then I have to guess again (or gasp! figure out) where the real problem is.

Bonus! I just got the actual spam e-mail from Hotmail that actually got us blocked. Sure enough the sender IP is us but the hostname isn't one of ours. Is there a way to tell if it's really going through our network? Full dump of the .eml here: https://pastebin.com/hbp9EqyU

Will Matheson
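An added example, not part of the original post or the site's existing rule set: the three rules above are in INPUT, which only sees packets addressed to the router itself. Traffic the router forwards for Wi-Fi and LAN clients (a phone talking to some outside SMTP server) traverses FORWARD, so a restriction on outgoing mail has to be placed there. The script below puts such a policy in its own chain, logs what it drops so the offending client can be identified (as suggested in the comments), and includes a small summariser for the log lines. The interface name eth1, the subnet 192.168.1.0/24, the mail server address 192.168.1.10 and the sample kernel-log lines are all assumed values for illustration.

```shell
#!/bin/sh
# Restrict outbound mail submission from the LAN to one mail server.
# Forwarded traffic (LAN client -> Internet) passes through FORWARD, not
# INPUT, so that is where the restriction has to live.  If the MTA runs on
# the router itself, its own connections leave via OUTPUT and are unaffected.
#
# Usage:  sh smtp-egress.sh <lan_if> <lan_net> <mail_server>
#         sh smtp-egress.sh eth1 192.168.1.0/24 192.168.1.10   (assumed values)
# Set IPT=echo in the environment to preview the rules instead of applying them.
IPT=${IPT:-/sbin/iptables}

smtp_egress_rules() {
    lan_if=$1; lan_net=$2; mail_server=$3

    # Own chain, so the policy can be rebuilt without touching the legacy rule set
    "$IPT" -N SMTP_EGRESS 2>/dev/null || "$IPT" -F SMTP_EGRESS

    # Only the mail server may open SMTP (25), SMTPS (465) or submission (587) outward
    "$IPT" -A SMTP_EGRESS -s "$mail_server" -p tcp -m multiport --dports 25,465,587 -j ACCEPT

    # Everyone else is logged (rate-limited so a spambot cannot flood the log) and dropped;
    # the SRC= field of the log line names the misbehaving client.
    "$IPT" -A SMTP_EGRESS -p tcp -m multiport --dports 25,465,587 \
        -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "SMTP-EGRESS-DROP: "
    "$IPT" -A SMTP_EGRESS -p tcp -m multiport --dports 25,465,587 -j DROP

    # Send new connections from the LAN side through the chain ahead of any older ACCEPT rule
    "$IPT" -D FORWARD -i "$lan_if" -s "$lan_net" -p tcp -m conntrack --ctstate NEW -j SMTP_EGRESS 2>/dev/null || true
    "$IPT" -I FORWARD 1 -i "$lan_if" -s "$lan_net" -p tcp -m conntrack --ctstate NEW -j SMTP_EGRESS
}

# Summarise the log: "count ip port N" per LAN source, busiest first.
# Feed it kernel log lines, e.g.  journalctl -k | smtp_egress_offenders
smtp_egress_offenders() {
    grep 'SMTP-EGRESS-DROP: ' \
        | sed -n 's/.*SRC=\([0-9.][0-9.]*\) .*DPT=\([0-9]*\).*/\1 port \2/p' \
        | sort | uniq -c | sort -rn
}

# Constructed sample log lines (not from a real system) in the shape the LOG target produces
SAMPLE_KERN_LOG='Jun 22 20:50:01 gw kernel: SMTP-EGRESS-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=51234 DPT=25 SYN
Jun 22 20:50:02 gw kernel: SMTP-EGRESS-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=51240 DPT=25 SYN
Jun 22 20:51:10 gw kernel: SMTP-EGRESS-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40001 DPT=587 SYN'

if [ "$#" -ge 3 ]; then
    smtp_egress_rules "$@"
fi
```

Ports 110 and 143 are left alone on purpose: POP and IMAP are how clients fetch mail, and blocking them does nothing to stop a bot from sending. Run the script with IPT=echo first to see exactly what would be inserted ahead of the existing rules, then apply it and watch the log summary: the address that shows up with a high count is the device to take off the network.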
  • If 209.145.97.50 is your IP address then, yes, it went through that machine. – Michael Hampton Jun 22 '20 at 18:21
  • Then how come it doesn't have our hostname on it? Did I mess up the iptables commands? I'm not "mta.dom-31.phila" – Will Matheson Jun 22 '20 at 18:23
  • That name is the name provided to the remote mail server by the spammer. – Michael Hampton Jun 22 '20 at 19:06
  • Ok, but I don't understand how they were able to send e-mail out through our network, nor how to find out how. What a nightmare. I think I'm going to try moving our e-mail to one of our other IPs, one that isn't used for general internet access. – Will Matheson Jun 22 '20 at 20:48
  • Put logging in your firewall rules. The next time there is an attempt, you will be able to figure out where it came from. – Michael Hampton Jun 22 '20 at 20:50
  • Also, you should have firewall rules at both the host and network levels. It seems like you may have a compromised device on your network. If you're able, separate the random library WiFi from your 'real' network so they don't all go through the same IP. Update your gateway device to Ubuntu 18 and use UFW or give CentOS and firewalld a try, it's much better than those startup scripts for iptables. Make sure all traffic is proxied through the gateway device and isn't somehow bypassing it (might explain why a capture doesn't see it) – duct_tape_coder Jun 22 '20 at 21:54
  • Well, this seems like a network reengineering project. Too much to get into with the learning curve and other priorities. I've just blocked port 25 on the wifi router for now. – Will Matheson Jun 22 '20 at 22:59
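On the question in the post of whether the message really went through the network, and the exchange in the comments about the sender IP versus the hostname: the following is an added example, not from the original page, of pulling the connecting IP and the claimed HELO name out of each Received: header of an .eml. The sample message is constructed from the two values quoted in the comments; mx.example.net and store.example.net are placeholder names, and the sample does not reproduce the real Hotmail header chain.

```shell
#!/bin/sh
# Read an .eml on stdin and print one line per Received: header that records a
# connecting address, topmost first, as "<helo-name> <ip>".  The bracketed IP is
# what the receiving server saw on the wire; the name before it is whatever the
# sending client claimed in HELO/EHLO, which a spambot can set to anything.
received_hops() {
    awk '
        /^$/ { exit }                                  # blank line ends the header block
        /^[ \t]/ { if (cur != "") cur = cur " " substr($0, 2); next }   # unfold folded header
        {
            if (cur != "") { print cur; cur = "" }     # previous Received: is complete
            if ($0 ~ /^Received:/) cur = $0
        }
        END { if (cur != "") print cur }
    ' | sed -n 's/^Received: *from \([^ ]*\) .*\[\([0-9.][0-9.]*\)\].*/\1 \2/p'
}

# Exit 0 if any hop shows the given address as the connecting IP, 1 otherwise.
# Usage:  sent_via_ip 203.0.113.10 < spam.eml
sent_via_ip() {
    received_hops | awk -v ip="$1" '$2 == ip { found = 1 } END { exit !found }'
}

# Constructed sample message, modelled on the values quoted in the comments above
# (it is not the pastebin dump); mx.example.net and store.example.net are placeholders.
SAMPLE_EML='Received: from mx.example.net ([10.0.0.5])
        by store.example.net with ESMTP id 8Hs2kL; Mon, 22 Jun 2020 10:02:12 -0700
Received: from mta.dom-31.phila (unknown [209.145.97.50])
        by mx.example.net with ESMTP id 4KzZ0t1f3G
        for <victim@example.net>; Mon, 22 Jun 2020 10:02:11 -0700
To: victim@example.net
Subject: constructed sample

body text'

# Example run against the sample:
#   printf "%s\n" "$SAMPLE_EML" | received_hops
#   printf "%s\n" "$SAMPLE_EML" | sent_via_ip 209.145.97.50 && echo "came from that address"
```

A message that left through the gateway shows the gateway's public IP in brackets in the Received: line written by the first server outside the network, whatever name appears before it; that name is the client's HELO and is under the sender's control, which is why it does not match any local hostname. All hops are printed rather than just the topmost because large providers add several internal Received: lines above the one that records the external connection, so the line to read is the first one that names a public address.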
