[ngw] non-NDS users sending outbound

Kevin Parris KPARRIS at ed.sc.gov
Wed Apr 14 20:19:53 UTC 2010

If the malware is using the GW client to do the sending via the POA then port 25 won't matter, and I don't think there are any filtering options at that level - I could easily be wrong on this point though.  But if the malware is using generic SMTP and happened to figure out that your GWIA will accept and relay the garbage, then blocking port 25 from the internal network will stop it.

Note that I suggested "block port 25 outbound from your internal network" there, not block 25 altogether.  The point is that in a shop using GroupWise for email there is not likely any business reason why anything inside your network should ever make an outgoing SMTP connection (people who want to use Thunderbird on the office computers to send email through their home ISP account, for example).  A GWIA server is typically in a firewall DMZ outside your end-user network, and must be able to open port 25 outbound to do what it does - but you can block port 25 on the interface between the inside and the DMZ.  The main objective is to help reduce the odds that your organization will become a spam zombie host - if the malware cannot make outbound connections then it can't send the garbage.  An infected machine that can't deliver spam is much better than an infected machine actively delivering spam from your network.

Have you been able to identify the particular malware and report it to your antivirus vendor so they can start catching it before it gets in?

>>> Maurice <mauricep at cds-cumberland.org> 04/14/10 3:24 PM >>>
All the traffic appears to be at the GWIA level, when I ran my report for PO usage there's a listing without a GW User Domain or GW User PO identifier but the total listed matches the offending User in the Outbound report.

What setting for the GWIA can I change to stop this type of relay??? Currently I have Prevent Message relaying checked, with a few exceptions (that we've had for years) for Servers that produce e-mail notifications.  

How would blocking port 25 at the Router level help my GWIA with outbound e-mail?

-Maurice Pelletier
Child Development Services - Cumberland County
50 Depot Road
Falmouth, ME 04105
207-781-8881 (voice)
207-781-8855 (fax)


"Linux -- it's not just for breakfast anymore..."

On 04/14/2010 12:29 PM, Kevin Parris wrote:
> Is the malware output going through the POA, as in is the malware using the GW Client to make the connection?  Or is the malware finding your GWIA and using direct SMTP to drop off the garbage for relaying?
> If the latter, set your firewall rules to block port 25 outbound from your internal network.
>>>> Maurice <mauricep at cds-cumberland.org> 04/14/10 12:03 PM >>>
> Over the course of the last week or so I've been dealing with a
> reoccurring problem.
> Basically someone on the network is getting infected at the PC level
> with malware, then that malware using my GWIA sends out a ton of junk
> until I can jump in and stop it...
> My first warning of trouble is a staff that checks the Sent folder often
> and will report a Pending piece of mail, then I'll check the GWAVA
> 3rd/Send folder and it will have thousands of entries...
> At this point I'll review a few samples and go from there...
> I also import the ACCT data file each morning into a database that
> allows reporting - Chris Premo of the Medical Board of CA wrote it...
> The generated report will list the offending sender - always a non-NDS
> ID - I then look at the top 5 in this list and we review those PCs for
> malware.
> Once I have the naming for the offending sender I then add it to GWAVA
> and all is good for a while.
> Is there a way on the PO, MTA or GWIA level to stop any outbound e-mail
> that isn't connected to a known NDS ID?
> What tools are others running GroupWise 7.0.2HP to avoid this problem?
> Also, are any of you running something to Filter for malware on the
> Router or between your Router and internal network; Untangle, Cisco
> add-ons, etc.?
> Thanks
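
Added example (not part of the original thread, and not code from any poster or from GroupWise): the inside-to-DMZ port 25 rule described in the reply above, written as a small Python policy check and run over constructed connection records to rank the internal hosts whose SMTP attempts would be blocked. All addresses, the flow-record layout, and the names decide() and suspects() are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed addresses (assumptions; none come from the thread).
INTERNAL_NET = ipaddress.ip_network("10.1.0.0/16")      # end-user network
GWIA_DMZ = ipaddress.ip_address("192.0.2.25")           # GWIA host in the DMZ
# Internal servers permitted to hand notification mail to the GWIA.
NOTIFY_SERVERS = {ipaddress.ip_address("10.1.5.10")}
SMTP_PORT = 25

def decide(src, dst, dport):
    """Return 'allow', 'deny' or 'unmatched' for one TCP connection attempt."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dport != SMTP_PORT:
        return "unmatched"          # this rule set only governs SMTP
    if src == GWIA_DMZ:
        return "allow"              # the GWIA must open port 25 outbound
    if src in INTERNAL_NET:
        # Only the listed notification servers may speak SMTP, and only to the GWIA.
        if src in NOTIFY_SERVERS and dst == GWIA_DMZ:
            return "allow"
        return "deny"               # no other inside host has a reason to send SMTP
    return "unmatched"              # e.g. inbound mail, handled by other rules

def suspects(flows, top=5):
    """Rank internal sources by denied SMTP attempts (candidates for a malware check)."""
    denied = Counter(src for src, dst, dport in flows
                     if decide(src, dst, dport) == "deny")
    return denied.most_common(top)

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.1.20.31", "198.51.100.7", 25),   # PC connecting straight to an outside mail host
    ("10.1.20.31", "198.51.100.9", 25),
    ("10.1.20.31", "192.0.2.25", 25),     # PC dropping mail at the GWIA for relay
    ("10.1.20.44", "192.0.2.25", 25),
    ("10.1.5.10", "192.0.2.25", 25),      # notification server, permitted exception
    ("192.0.2.25", "203.0.113.5", 25),    # GWIA delivering outbound mail
    ("10.1.20.44", "10.1.1.5", 1677),     # GroupWise client to POA, not SMTP
]

if __name__ == "__main__":
    for host, count in suspects(FLOWS):
        print(f"{host}: {count} blocked SMTP attempts")
```

This check covers only the direct-SMTP case; mail submitted through the GroupWise client and the POA never appears as a port 25 connection from the PC.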
