RRAS port 25

Hi
Our IP address has been blacklisted.
I would like to block smtp traffic from the local PC's from getting out of
the network, with the exception of the mail servers of course. How exactly
do I do this in RRAS ?
We use SBS 2003 with exchange. IP range is 192.168.16.0. At the moment the
only rule that is set on NAT is on the internet NIC Outbound traffice Allow
All with exception 192.168.16.0 - Any Any
And is there a way to see which PC is causing the spam

Thanks in advance

 

Hello Leon,

The spam caming out of your network, is it originating form
user@yourdomain.com? or from some other source.
Because a user can still use your IP as a launch for distributing Spam with
out using you mail@doamin.com. Get a copy of teh spam message and look at
the complete header for clues,

Isaac

"Leon" <leon_cobra@hotmail.com> wrote in message
news:ukI9AVk3JHA.4344@TK2MSFTNGP05.phx.gbl...
> Hi
> Our IP address has been blacklisted.
> I would like to block smtp traffic from the local PC's from getting out
> of the network, with the exception of the mail servers of course. How
> exactly do I do this in RRAS ?
> We use SBS 2003 with exchange. IP range is 192.168.16.0. At the moment the
> only rule that is set on NAT is on the internet NIC Outbound traffice
> Allow All with exception 192.168.16.0 - Any Any
> And is there a way to see which PC is causing the spam
>
> Thanks in advance
>

 

"Leon" <leon_cobra@hotmail.com> wrote in message news:ukI9AVk3JHA.4344@TK2MSFTNGP05.phx.gbl...
> Hi
> Our IP address has been blacklisted.
> I would like to block smtp traffic from the local PC's from getting out of
> the network, with the exception of the mail servers of course. How exactly
> do I do this in RRAS ?
> We use SBS 2003 with exchange. IP range is 192.168.16.0. At the moment the
> only rule that is set on NAT is on the internet NIC Outbound traffice Allow
> All with exception 192.168.16.0 - Any Any
> And is there a way to see which PC is causing the spam
>
> Thanks in advance
>
>


On the SBS you can install an IP sniffer such as Microsoft NetMon, or any 3rd party sniffers such as Wireshark and monitor the internal NIC for port 25 traffic going to it.

As for blocking any internal machine spewing port 25 traffic, many of the current AV software have default features to block SMTP traffic, among other things. For example, all of my customers use McAfee Enterprise, and one of the default features is it prevents mass mailers on each client. It can be configured centrally or individually by rules and policies, or individually by overriding the rules on the client by an administrator. Of course the copy on the server has rules to allow the Exchange server to send out port 25, as well as McAfee GroupShieled for Exchange to control viruses, etc.

Otherwise, if you don't have any AV software on the client machines, or the versions you have do not have this feature (if so, I suggest upgrading for complete protection and peace of mind), you can create a rule on the internal NIC using RRAS filters to deny port 25 traffic going to the internal NIC.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right things." - Peter F. Drucker
http://twitter.com/acefekay

 

How do I create a rule on the internal NIC using RRAS filters to deny port
25 traffic going to the internal NIC ?
Do I create it in inbound or outbound ? My domain IP is 192.168.16.0
Please give details


thanks


"Ace Fekay [Microsoft Certified Trainer]" <aceman@mvps.RemoveThisPart.org>
wrote in message news:ufnainn3JHA.1424@TK2MSFTNGP02.phx.gbl...
"Leon" <leon_cobra@hotmail.com> wrote in message
news:ukI9AVk3JHA.4344@TK2MSFTNGP05.phx.gbl...
> Hi
> Our IP address has been blacklisted.
> I would like to block smtp traffic from the local PC's from getting out
> of
> the network, with the exception of the mail servers of course. How exactly
> do I do this in RRAS ?
> We use SBS 2003 with exchange. IP range is 192.168.16.0. At the moment the
> only rule that is set on NAT is on the internet NIC Outbound traffice
> Allow
> All with exception 192.168.16.0 - Any Any
> And is there a way to see which PC is causing the spam
>
> Thanks in advance
>
>


On the SBS you can install an IP sniffer such as Microsoft NetMon, or any
3rd party sniffers such as Wireshark and monitor the internal NIC for port
25 traffic going to it.

As for blocking any internal machine spewing port 25 traffic, many of the
current AV software have default features to block SMTP traffic, among other
things. For example, all of my customers use McAfee Enterprise, and one of
the default features is it prevents mass mailers on each client. It can be
configured centrally or individually by rules and policies, or individually
by overriding the rules on the client by an administrator. Of course the
copy on the server has rules to allow the Exchange server to send out port
25, as well as McAfee GroupShieled for Exchange to control viruses, etc.

Otherwise, if you don't have any AV software on the client machines, or the
versions you have do not have this feature (if so, I suggest upgrading for
complete protection and peace of mind), you can create a rule on the
internal NIC using RRAS filters to deny port 25 traffic going to the
internal NIC.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay

 

I am still new to this. I installed netmon 3.2. What filter do I use to
filter smtp packets. Do you have the steps ?

thanks


"Ace Fekay [Microsoft Certified Trainer]" <aceman@mvps.RemoveThisPart.org>
wrote in message news:ufnainn3JHA.1424@TK2MSFTNGP02.phx.gbl...
"Leon" <leon_cobra@hotmail.com> wrote in message
news:ukI9AVk3JHA.4344@TK2MSFTNGP05.phx.gbl...
> Hi
> Our IP address has been blacklisted.
> I would like to block smtp traffic from the local PC's from getting out
> of
> the network, with the exception of the mail servers of course. How exactly
> do I do this in RRAS ?
> We use SBS 2003 with exchange. IP range is 192.168.16.0. At the moment the
> only rule that is set on NAT is on the internet NIC Outbound traffice
> Allow
> All with exception 192.168.16.0 - Any Any
> And is there a way to see which PC is causing the spam
>
> Thanks in advance
>
>


On the SBS you can install an IP sniffer such as Microsoft NetMon, or any
3rd party sniffers such as Wireshark and monitor the internal NIC for port
25 traffic going to it.

As for blocking any internal machine spewing port 25 traffic, many of the
current AV software have default features to block SMTP traffic, among other
things. For example, all of my customers use McAfee Enterprise, and one of
the default features is it prevents mass mailers on each client. It can be
configured centrally or individually by rules and policies, or individually
by overriding the rules on the client by an administrator. Of course the
copy on the server has rules to allow the Exchange server to send out port
25, as well as McAfee GroupShieled for Exchange to control viruses, etc.

Otherwise, if you don't have any AV software on the client machines, or the
versions you have do not have this feature (if so, I suggest upgrading for
complete protection and peace of mind), you can create a rule on the
internal NIC using RRAS filters to deny port 25 traffic going to the
internal NIC.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay

 

"Leon" <leon_cobra@hotmail.com> wrote in message news:%23TidW6o3JHA.4632@TK2MSFTNGP02.phx.gbl...
>I am still new to this. I installed netmon 3.2. What filter do I use to
> filter smtp packets. Do you have the steps ?
>
> thanks

The steps are somewhat involved. The following article should help with using NetMon.

How do I use Microsoft Network Monitor (Netmon.exe) to capture network traffic?
http://support.microsoft.com/?id=812953

Ace

 

"Leon" <leon_cobra@hotmail.com> wrote in message news:uR46Lzo3JHA.5728@TK2MSFTNGP03.phx.gbl...
> How do I create a rule on the internal NIC using RRAS filters to deny port
> 25 traffic going to the internal NIC ?
> Do I create it in inbound or outbound ? My domain IP is 192.168.16.0
> Please give details
>

You would create it inbound on the internal interface, which means traffic will be controlled coming from the internal network to the interface. The following article shows an example of setting up a filter on a RRAS interface to allow ICMP. You are working with port 25 traffic, so just make the adjustments. Understand the settings before making any changes.

Configuring RRAS Filters to Permit a One-Way Ping
http://support.microsoft.com/kb/181347

and another example with diagrams...

Chapter 3 - Administering Routing and Remote Access Service
http://technet.microsoft.com/en-us/library/cc751172.aspx

and another...
Configuring RRAS Packet Filters
http://tinyurl.com/qj2hnt

(or the full URL for the above link):
http://books.google.com/books?id=CN...t6XBBg&sa=X&oi=book_result&ct=result&resnum=3

Ace