[ngw] non-NDS users sending outbound
DEGerisch at co.tulare.ca.us
Thu Apr 15 15:55:07 UTC 2010
I think what Kevin is saying is to have the router block incoming port 25 from your internal network to the GWIA.
In my environment, it is rare for a user level workstation to need to send SMTP mail. Our GIS guy has an app that does it, but that is about 50 PCs out of 4,500. Wholesale blocking of SMTP is likely not appropriate for the network the servers are on.
>>> Maurice <mauricep at cds-cumberland.org> 04-14-2010 12:24 >>>
All the traffic appears to be at the GWIA level, when I ran my report
for PO usage there's a listing without a GW User Domain or GW User PO
identifier but the total listed matches the offending User in the
What setting for the GWIA can I change to stop this type of relay???
Currently I have Prevent Message relaying checked, with a few exceptions
(that we've had for years) for Servers that produce e-mail notifications.
How would blocking port 25 at the Router level help my GWIA with
Child Development Services - Cumberland County
50 Depot Road
Falmouth, ME 04105
"Linux -- it's not just for breakfast anymore..."
On 04/14/2010 12:29 PM, Kevin Parris wrote:
> Is the malware output going through the POA, as in is the malware using the GW Client to make the connection? Or is the malware finding your GWIA and using direct SMTP to drop off the garbage for relaying?
> If the latter, set your firewall rules to block port 25 outbound from your internal network.
>>>> Maurice <mauricep at cds-cumberland.org> 04/14/10 12:03 PM >>>
> Over the course of the last week or so I've been dealing with a
> reoccurring problem.
> Basically someone on the network is getting infected at the PC level
> with malware, then that malware using my GWIA sends out a ton of junk
> until I can jump in and stop it...
> My first warning of trouble is a staff that checks the Sent folder often
> and will report a Pending piece of mail, then I'll check the GWAVA
> 3rd/Send folder and it will have thousands of entries...
> At this point I'll review a few samples and go from there...
> I also import the ACCT data file each morning into a database that
> allows reporting - Chris Premo of the Medical Board of CA wrote it...
> The generated report will list the offending sender - always a non-NDS
> ID - I then look at the top 5 in this list and we review those PCs for
> Once I have the naming for the offending sender I then add it to GWAVA
> and all is good for a while.
> Is there a way on the PO, MTA or GWIA level to stop any outbound e-mail
> that isn't connected to a known NDS ID?
> What tools are others running GroupWise 7.0.2HP to avoid this problem?
> Also, are any of you running something to Filter for malware on the
> Router or between your Router and internal network; Untangle, Cisco
> add-ons, etc.?
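As an added illustration (not code from anyone in this thread), the router policy Kevin and Dan describe can be modelled and checked against a constructed connection log: port 25 is denied from workstation networks, while the server network and an allowlist standing in for the notification-server exceptions and the GIS PCs keep SMTP. All addresses and the log lines are hypothetical.

```python
import ipaddress
from collections import Counter

# Hypothetical addresses: GWIA at 10.0.1.25, a notification server at 10.0.1.40,
# and the GIS app workstation at 10.0.50.7. None of these come from the thread.
GWIA = ipaddress.ip_address("10.0.1.25")
SMTP_ALLOWLIST = {ipaddress.ip_address("10.0.1.40"), ipaddress.ip_address("10.0.50.7")}
SERVER_NET = ipaddress.ip_network("10.0.1.0/24")

# Constructed firewall connection log: "src dst dport", one connection per line.
SAMPLE_LOG = """\
10.0.1.40 10.0.1.25 25
10.0.50.7 10.0.1.25 25
10.0.50.112 10.0.1.25 25
10.0.50.112 10.0.1.25 25
10.0.50.112 10.0.1.25 25
10.0.50.112 10.0.1.25 25
10.0.51.9 10.0.1.25 1677
10.0.50.33 198.51.100.8 25
"""

def smtp_policy(src, dst, dport):
    """Decide 'allow' or 'deny' for one connection under the port-25 rule with exceptions."""
    if dport != 25:
        return "allow"   # not SMTP; e.g. GroupWise client to the POA is untouched
    if src in SMTP_ALLOWLIST:
        return "allow"   # the few hosts that legitimately generate SMTP mail
    if src in SERVER_NET:
        return "allow"   # servers keep SMTP; wholesale blocking there is not appropriate
    return "deny"        # user workstations, whether the target is the GWIA or the Internet

def parse_log(text):
    """Turn the constructed log into (src, dst, dport) tuples."""
    rows = []
    for line in text.splitlines():
        src, dst, port = line.split()
        rows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)))
    return rows

def flag_relay_sources(rows, threshold=3):
    """Workstations repeatedly hitting port 25 despite no legitimate need: review these PCs first."""
    denied = Counter(src for src, dst, port in rows if smtp_policy(src, dst, port) == "deny")
    return {str(src): n for src, n in denied.items() if n >= threshold}
```

Running the policy over the same log the router would see gives a short list of machines to check for malware, instead of waiting for the GWAVA send folder to fill up.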