[ngw] non-NDS users sending outbound
joe.acquisto at gmail.com
Thu Apr 15 16:00:29 UTC 2010
The idea is to keep "unauthorized" clients from connecting to port 25
on gwia. Block everyone and allow
only whom you choose to allow.
On Linux, one can do this on the box itself, with iptables. We do
In NetWare, it is a bit more painful, using TCPCON, say, but still do-able.
That way, "the network" can be left alone and the box itself protected.
On Thu, Apr 15, 2010 at 11:55 AM, David Gerisch
<DEGerisch at co.tulare.ca.us> wrote:
> I think what Kevin is saying, is to have the router block incoming port 25 from your internal network to the GWIA.
> In my environment, it is rare for a user level workstation to need to send SMTP mail. Our GIS guy has an app that does it, but that is about 50 PCs out of 4,500. Wholesale blocking of SMTP is likely not appropriate for the network the servers are on.
> David Gerisch
>>>> Maurice <mauricep at cds-cumberland.org> 04-14-2010 12:24 >>>
> All the traffic appears to be at the GWIA level, when I ran my report
> for PO usage there's a listing without a GW User Domain or GW User PO
> identifier but the total listed matches the offending User in the
> Outbound report.
> What setting for the GWIA can I change to stop this type of relay???
> Currently I have Prevent Message relaying checked, with a few exceptions
> (that we've had for years) for Servers that produce e-mail notifications.
> How would blocking port 25 at the Router level help my GWIA with
> outbound e-mail?
> -Maurice Pelletier
> Child Development Services - Cumberland County
> 50 Depot Road
> Falmouth, ME 04105
> 207-781-8881 (voice)
> 207-781-8855 (fax)
> "Linux -- it's not just for breakfast anymore..."
> On 04/14/2010 12:29 PM, Kevin Parris wrote:
>> Is the malware output going through the POA, as in is the malware using the GW Client to make the connection? Or is the malware finding your GWIA and using direct SMTP to drop off the garbage for relaying?
>> If the latter, set your firewall rules to block port 25 outbound from your internal network.
>>>>> Maurice <mauricep at cds-cumberland.org> 04/14/10 12:03 PM >>>
>> Over the course of the last week or so I've been dealing with a
>> reoccurring problem.
>> Basically someone on the network is getting infected at the PC level
>> with malware, then that malware using my GWIA sends out a ton of junk
>> until I can jump in and stop it...
>> My first warning of trouble is a staff that checks the Sent folder often
>> and will report a Pending piece of mail, then I'll check the GWAVA
>> 3rd/Send folder and it will have thousands of entries...
>> At this point I'll review a few samples and go from there...
>> I also import the ACCT data file each morning into a database that
>> allows reporting - Chris Premo of the Medical Board of CA wrote it...
>> The generated report will list the offending sender - always a non-NDS
>> ID - I then look at the top 5 in this list and we review those PCs for
>> Once I have the naming for the offending sender I then add it to GWAVA
>> and all is good for a while.
>> Is there a way on the PO, MTA or GWIA level to stop any outbound e-mail
>> that isn't connected to a known NDS ID?
>> What tools are others running GroupWise 7.0.2HP to avoid this problem?
>> Also, are any of you running something to Filter for malware on the
>> Router or between your Router and internal network; Untangle, Cisco
>> add-ons, etc.?
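For the host-level approach joe.acquisto describes (drop everything to port 25 on the GWIA box itself and allow only chosen hosts), here is an added example in POSIX shell; it is not from any poster in this thread, and the addresses, interface name and chain name are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): a whitelist for TCP/25 on the
# GWIA host itself, in the spirit of "block everyone and allow only whom you choose".
# The addresses, the interface name and the chain name are constructed placeholders.
SMTP_ALLOWED="${SMTP_ALLOWED:-10.10.1.20 10.10.1.21}"   # hosts that may relay (e.g. the GIS app box)
GWIA_IFACE="${GWIA_IFACE:-eth0}"                         # interface facing the internal LAN
CHAIN="GWIA_SMTP"

# Emit the iptables commands instead of running them, so the ruleset can be reviewed
# first and then applied with:  gen_smtp_rules | sh
gen_smtp_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    # Send every NEW inbound connection to port 25 through our chain (delete first so re-runs stay idempotent)
    echo "iptables -D INPUT -i $GWIA_IFACE -p tcp --dport 25 -m conntrack --ctstate NEW -j $CHAIN 2>/dev/null"
    echo "iptables -I INPUT -i $GWIA_IFACE -p tcp --dport 25 -m conntrack --ctstate NEW -j $CHAIN"
    for host in $SMTP_ALLOWED; do
        echo "iptables -A $CHAIN -s $host -j ACCEPT"
    done
    # Everyone else is logged (rate-limited) and dropped: the log is what points at the infected PC
    echo "iptables -A $CHAIN -m limit --limit 10/min -j LOG --log-prefix 'GWIA-SMTP-DENY: '"
    echo "iptables -A $CHAIN -j DROP"
}

# Read kernel log lines on stdin and rank the source addresses the LOG rule caught,
# which gives the "top 5 offenders" list the thread talks about without an ACCT import.
top_smtp_offenders() {
    grep 'GWIA-SMTP-DENY:' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample log lines, in the shape the LOG target writes to /var/log/messages
SAMPLE_LOG='Apr 15 10:01:02 gwia kernel: GWIA-SMTP-DENY: IN=eth0 OUT= SRC=10.10.5.77 DST=10.10.1.5 PROTO=TCP SPT=49152 DPT=25
Apr 15 10:01:03 gwia kernel: GWIA-SMTP-DENY: IN=eth0 OUT= SRC=10.10.5.77 DST=10.10.1.5 PROTO=TCP SPT=49153 DPT=25
Apr 15 10:01:04 gwia kernel: GWIA-SMTP-DENY: IN=eth0 OUT= SRC=10.10.7.12 DST=10.10.1.5 PROTO=TCP SPT=50100 DPT=25'

echo "# rules to apply:"
gen_smtp_rules
echo "# denied sources in the sample log, most frequent first:"
printf '%s\n' "$SAMPLE_LOG" | top_smtp_offenders
```

The whitelist covers the servers that legitimately produce notification mail; a workstation that shows up repeatedly in the deny log is the one to pull for a malware check.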