[Dshield] SMTP question....

Josh Tolley josh at raintreeinc.com
Mon Aug 8 16:08:14 GMT 2005


Richard Golodner wrote:
> We noticed that we have been placed on a blacklist at Spamcop
> and I am trying to figure out why.

I've used two things, which may or may not be useable in your 
environment. First, a snort rule designed to fire on anything other than 
our mail server trying to send traffic on port 25 out to the rest of the 
world. This was in place for quite some time, and since our network is 
small, was triggered mostly by misconfigured applications and people 
trying to use email accounts other than the ones provided by the company.

The second was a firewall rule preventing outgoing traffic on port 25 
from anything but our mail server. I put this in place after we too were 
blacklisted because of an employee's infected laptop. This caused some 
headaches for the users mentioned above trying to use other accounts, 
but they soon learned to just live with it, particularly after being 
informed that their options were either to 1) have most of their 
business email rejected, or 2) have access to external email accounts.

When we were listed in spamcop, the snort rule was helpful for 
identifying the infected computer, and the firewall rule allowed the 
spamcop folks to quickly see that the offending traffic had been stopped.

--
Josh Tolley
Raintree Systems, Inc.
http://www.raintreeinc.com
Office Phone: (801) 293-3090
Corporate Office: (800) 333-1033
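
An added example, not part of the original post: the detection idea described above (flag any internal host other than the mail server that opens outbound TCP/25) run over connection records. The log format, the addresses (documentation ranges) and the function name are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (not from the original post), one per line:
# "timestamp src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2005-08-08T09:00:01 192.0.2.10 41000 198.51.100.5 25 tcp
2005-08-08T09:00:02 192.0.2.37 1044 198.51.100.9 25 tcp
2005-08-08T09:00:02 192.0.2.37 1045 203.0.113.20 25 tcp
2005-08-08T09:00:03 192.0.2.37 1046 203.0.113.77 25 tcp
2005-08-08T09:00:04 192.0.2.52 3311 198.51.100.25 25 tcp
2005-08-08T09:00:05 192.0.2.52 3312 198.51.100.25 25 tcp
2005-08-08T09:00:06 192.0.2.37 1047 192.0.2.10 25 tcp
2005-08-08T09:00:07 192.0.2.60 5000 198.51.100.5 443 tcp
malformed line
"""

def rogue_smtp_senders(lines, mail_servers, internal_net):
    """Return (src, connections, distinct_destinations) for internal hosts,
    other than the approved mail servers, that connect out on TCP/25."""
    net = ipaddress.ip_network(internal_net)
    allowed = {ipaddress.ip_address(a) for a in mail_servers}
    hits = defaultdict(lambda: {"connections": 0, "destinations": set()})
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # skip records that do not match the assumed format
        _, src, _, dst, dport, proto = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            continue
        if proto != "tcp" or dport != 25:
            continue
        # Only outbound traffic counts: internal source, external destination.
        if src_ip not in net or dst_ip in net or src_ip in allowed:
            continue
        hits[src]["connections"] += 1
        hits[src]["destinations"].add(dst)
    # Many distinct destinations suggests a spam-sending infection; a single
    # destination looks more like a client set up for an outside mail account.
    rows = [(s, h["connections"], len(h["destinations"])) for s, h in hits.items()]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))

if __name__ == "__main__":
    for row in rogue_smtp_senders(SAMPLE_FLOWS.splitlines(), ["192.0.2.10"], "192.0.2.0/24"):
        print("%s connections=%d destinations=%d" % row)
```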



