Our firewall failed three weeks ago, and while it was being replaced we ended up on the "cbl.abuseat.org" spam blacklist. Once we installed and configured the new firewall we managed to get off the list. Now, about two weeks later, we are listed again. Here is our configuration information and what we have tried.
Win2K3 - Exchange 2003, which goes through the firewall. The firewall was configured to deny all SMTP traffic except SMTP traffic (originally not restricted to port 25) from our Exchange server. Our 110 XP client machines are running McAfee and are configured not to allow outbound SMTP traffic (I have seen this work, so I am fairly confident it is working). This was good enough until yesterday, when we were blacklisted again.
Working with our firewall vendor, we now only allow SMTP traffic on port 25 from the Exchange server. All other SMTP traffic is prevented from leaving our network.
It looks like mail was going out on odd ports, like .23111, from our Exchange server; is that correct (see the first set of log information)? But I am not sure from the newer logs whether this has been fixed. Also, can spam bots send spam through an Exchange server on port 25? If so, can it be stopped without finding the spam bot? We are looking for the spam but have had no luck so far.
Thanks for any help.
I ran tcpdump and got the following before we made the latest firewall changes:
16:54.8 IP exchange-server.our-domain.com.23111 > s5a1.psmtp.com.25: Flags [.], ack 263, win 65273, length 0
16:55.7 IP s5a1.psmtp.com.25 > exchange-server.our-domain.com.23111: Flags [P.], ack 4221, win 14600, length 12
16:55.7 IP exchange-server.our-domain.com.23111 > s5a1.psmtp.com.25: Flags [P.], ack 275, win 65261, length 6
16:56.0 IP s5a1.psmtp.com.25 > exchange-server.our-domain.com.23111: Flags [P.], ack 4221, win 14600, length 12
16:56.0 IP exchange-server.our-domain.com.23111 > s5a1.psmtp.com.25: Flags [.], ack 275, win 65261, length 0
16:56.1 IP s5a1.psmtp.com.25 > exchange-server.our-domain.com.23111: Flags [P.], ack 4227, win 14600, length 21
16:56.1 IP s5a1.psmtp.com.25 > exchange-server.our-domain.com.23111: Flags [F.], seq 296, ack 4227, win 14600, length 0
16:56.1 IP exchange-server.our-domain.com.23111 > s5a1.psmtp.com.25: Flags [.], ack 297, win 65240, length 0
16:56.1 IP exchange-server.our-domain.com.23111 > s5a1.psmtp.com.25: Flags [F.], seq 4227, ack 297, win 65240, length 0
16:56.6 IP s5a1.psmtp.com.25 > exchange-server.our-domain.com.23111: Flags [.], ack 4228, win 14600, length 0
16:57.7 IP exchange-server.our-domain.com.23257 > pineapp.hcsmail.com.25: Flags [S], seq 3560091943, win 65535, options [mss 1460,nop,nop,sackOK], length 0
16:58.0 IP pineapp.hcsmail.com.25 > exchange-server.our-domain.com.23257: Flags [S.], seq 3962637029, ack 3560091944, win 5840, options [mss 1380,nop,nop,sackOK], length 0
16:58.0 IP exchange-server.our-domain.com.23257 > pineapp.hcsmail.com.25: Flags [.], ack 1, win 65535, length 0
16:58.1 IP pineapp.hcsmail.com.25 > exchange-server.our-domain.com.23257: Flags [P.], ack 1, win 5840, length 20
16:58.1 IP exchange-server.our-domain.com.23257 > pineapp.hcsmail.com.25: Flags [P.], ack 21, win 65515, length 33
16:58.2 IP pineapp.hcsmail.com.25 > exchange-server.our-domain.com.23257: Flags [.], ack 34, win 5840, length 0
16:58.2 IP pineapp.hcsmail.com.25 > exchange-server.our-domain.com.23257: Flags [P.], ack 34, win 5840, length 20
This is what I got after the firewall change:
01:52.6 IP our-exchange.our-domain.com.17177 > our-domaincontroller.our-domain.com.53: 12044+ A? mail.painclinic-nw.com. (40)
01:52.6 IP our-exchange.our-domain.com.15727 > our-domaincontroller.our-domain.com.53: 12285+ A? mail.snyders-han.com. (38)
01:52.7 IP 99-53-214-98.lightspeed.genvil.sbcglobal.net.1770 > our-exchange.our-domain.com.443: Flags [.], ack 570, win 16380, length 0
01:52.9 IP 204-0.202-68.tampabay.res.rr.com.58065 > our-exchange.our-domain.com.443: Flags [P.], ack 1, win 17477, length 49
01:52.9 IP 204-0.202-68.tampabay.res.rr.com.58065 > our-exchange.our-domain.com.443: Flags [P.], ack 1, win 17477, length 197
01:52.9 IP our-exchange.our-domain.com.443 > 204-0.202-68.tampabay.res.rr.com.58065: Flags [.], ack 1503, win 64573, length 0
01:52.9 IP our-exchange.our-domain.com.443 > 204-0.202-68.tampabay.res.rr.com.58068: Flags [P.], ack 1, win 64649, length 149
01:52.9 IP ggadke.our-domain.com.1203 > our-exchange.our-domain.com.1025: Flags [.], ack 1, win 65016, length 1
01:52.9 IP our-exchange.our-domain.com.1025 > ggadke.our-domain.com.1203: Flags [.], ack 1, win 65269, length 0
01:52.9 IP dwhite.our-domain.com.1215 > our-exchange.our-domain.com.1025: Flags [.], ack 1631, win 65535, length 1
01:52.9 IP our-exchange.our-domain.com.1025 > dwhite.our-domain.com.1215: Flags [.], ack 2574, win 64590, length 0
01:52.9 IP vbejin.our-domain.com.1282 > our-exchange.our-domain.com.1025: Flags [.], ack 1, win 64548, length 1
01:52.9 IP our-exchange.our-domain.com.1025 > vbejin.our-domain.com.1282: Flags [.], ack 1, win 64769, length 0
01:53.0 IP 204-0.202-68.tampabay.res.rr.com.58065 > our-exchange.our-domain.com.443: Flags [P.], ack 1, win 17477, length 49
01:53.0 IP our-storagedevice.our-domain.com.123 > our-exchange.our-domain.com.123: NTPv3, symmetric active, length 68
01:53.0 IP our-exchange.our-domain.com.21059 > our-domaincontroller.our-domain.com.53: 34757+ PTR? 9.1.168.192.in-addr.arpa. (42)
01:53.0 IP our-domaincontroller.our-domain.com.53 > our-exchange.our-domain.com.21059: 34757* 1/0/0 PTR[|domain]
01:53.0 ARP, Request who-has our-storagedevice.our-domain.com tell our-exchange.our-domain.com, length 28
01:53.0 IP our-exchange.our-domain.com.123 > our-storagedevice.our-domain.com.123: NTPv3, Server, length 68
01:53.1 ARP, Reply our-storagedevice.our-domain.com is-at 00:15:17:22:b2:44 (oui Unknown), length 92
01:53.1 IP 99-53-214-98.lightspeed.genvil.sbcglobal.net.1775 > our-exchange.our-domain.com.443: Flags [P.], ack 1, win 17477, length 41
01:53.1 IP our-exchange.our-domain.com.443 > 204-0.202-68.tampabay.res.rr.com.58065: F
Here is part of an SMTP log from the Exchange server:
7/2/2010 17:36:15 64.18.6.14 OutboundConnectionResponse SMTPSVC1 our-exchange - 25 - - 220+Postini+ESMTP+225+y6_29_1c0+ready.++CA+Business+and+Professions+Code+Section+17538.45+forbids+use+of+this+system+for+unsolicited+electronic+mail+advertisements. 0 0 164 0 78 SMTP - - - -
7/2/2010 17:36:15 64.18.6.14 OutboundConnectionCommand SMTPSVC1 our-exchange - 25 EHLO - our-exchange.Northwoods.com 0 0 4 0 78 SMTP - - - -
7/2/2010 17:36:15 64.18.6.14 OutboundConnectionResponse SMTPSVC1 our-exchange - 25 - - 250-Postini+says+hello+back 0 0 27 0 172 SMTP - - - -
7/2/2010 17:36:15 64.18.6.14 OutboundConnectionCommand SMTPSVC1 our-exchange - 25 MAIL - FROM: 0 0 4 0 172 SMTP - - - -
7/2/2010 17:36:15 64.18.6.14 OutboundConnectionResponse SMTPSVC1 our-exchange - 25 - - 250+Ok 0 0 6 0 250 SMTP - - - -
7/2/2010 17:36:15 64.18.6.14 OutboundConnectionCommand SMTPSVC1 our-exchange - 25 RCPT - TO: 0 0 4 0 250 SMTP - - - -
7/2/2010 17:36:15 64.18.6.14 OutboundConnectionResponse SMTPSVC1 our-exchange - 25 - - 250+Ok 0 0 6 0 782 SMTP - - - -
7/2/2010 17:36:15 64.18.6.14 OutboundConnectionCommand SMTPSVC1 our-exchange - 25 DATA - - 0 0 4 0 782 SMTP - - - -
7/2/2010 17:36:15 64.18.6.14 OutboundConnectionResponse SMTPSVC1 our-exchange - 25 - - 354+Feed+me 0 0 11 0 860 SMTP - - - -
7/2/2010 17:36:17 64.18.6.14 OutboundConnectionResponse SMTPSVC1 our-exchange - 25 - - 250+Thanks 0 0 10 0 1657 SMTP - - - -
7/2/2010 17:36:17 64.18.6.14 OutboundConnectionCommand SMTPSVC1 our-exchange - 25 QUIT - - 0 0 4 0 1672 SMTP - - - -
7/2/2010 17:36:17 64.18.6.14 OutboundConnectionResponse SMTPSVC1 our-exchange - 25 - - 221+Catch+you+later 0 0 19 0 1735 SMTP - - - -
7/2/2010 17:37:09 208.65.144.247 p01c11m094.mxlogic.net SMTPSVC1 our-exchange gateway-IP 0 EHLO - #NAME? 250 0 320 27 0 SMTP - - - -
7/2/2010 17:37:09 208.65.144.247 p01c11m094.mxlogic.net SMTPSVC1 our-exchange gateway-IP 0 MAIL - +FROM: 250 0 108 95 0 SMTP - - - -
7/2/2010 17:37:09 208.65.144.247 p01c11m094.mxlogic.net SMTPSVC1 our-exchange gateway-IP 0 RCPT - +TO: 250 0 41 38 0 SMTP - - - -
7/2/2010 17:37:09 208.65.144.247 p01c11m094.mxlogic.net SMTPSVC1 our-exchange gateway-IP 0 DATA - +<[email protected]> 250 0 141 22978 281 SMTP - - - -
7/2/2010 17:37:09 208.65.144.247 p01c11m094.mxlogic.net SMTPSVC1 our-exchange gateway-IP 0 QUIT - p01c11m094.mxlogic.net 240 515 75 4 0 SMTP - - - -
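As an added example (not part of the original post), here is a small Python script that applies the two checks the question is really asking about to tcpdump lines in the format captured above: which internal hosts other than the Exchange server open port 25 to the outside (an infected client), and how many distinct external MX hosts the Exchange server itself contacts (a relay or stolen-account problem would show up as unusual fan-out). The sample lines are constructed in the same format; the hostname "mail.example.net" and the allowed-sender name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the same tcpdump format as the captures in the post (not the poster's data).
# "ggadke" and "dwhite" are workstation names that appear in the post; mail.example.net is a placeholder.
SAMPLE = """\
16:57.7 IP exchange-server.our-domain.com.23257 > pineapp.hcsmail.com.25: Flags [S], seq 3560091943, win 65535, length 0
16:58.0 IP pineapp.hcsmail.com.25 > exchange-server.our-domain.com.23257: Flags [S.], seq 3962637029, ack 3560091944, win 5840, length 0
16:59.1 IP exchange-server.our-domain.com.23301 > s5a1.psmtp.com.25: Flags [S], seq 1, win 65535, length 0
17:00.2 IP ggadke.our-domain.com.1337 > mail.example.net.25: Flags [S], seq 2, win 65535, length 0
17:00.3 IP dwhite.our-domain.com.1215 > exchange-server.our-domain.com.1025: Flags [.], ack 1631, win 65535, length 1
"""

# "host.port > host.port: Flags [..]": the port is the last dotted component of each endpoint,
# so the greedy host pattern backtracks until the trailing digits can be taken as the port.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\w.-]+)\.(?P<sport>\d+) > (?P<dst>[\w.-]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def new_connections_to_port(text, port=25):
    """(src, dst) for every bare SYN (Flags [S]) to `port`. Only the bare SYN, not the SYN-ACK
    or later data packets, tells us which side *opened* the session; .23111 in the post is just
    the client's ephemeral source port, the destination is still 25."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("flags") == "S" and int(m.group("dport")) == port:
            hits.append((m.group("src"), m.group("dst")))
    return hits


def audit_outbound_smtp(text, allowed_senders, internal_suffix):
    """rogue:  internal hosts other than the allowed mail server(s) opening port 25 externally,
               i.e. exactly what the new firewall rule should block; a hit points at an infected client.
    fanout: distinct external MX hosts each allowed sender contacted; a jump from the Exchange
               server itself suggests it is relaying for someone (open relay or stolen credentials)."""
    rogue, fanout = defaultdict(set), defaultdict(set)
    for src, dst in new_connections_to_port(text):
        if not src.endswith(internal_suffix) or dst.endswith(internal_suffix):
            continue  # only internal -> external SMTP matters for the blacklisting question
        (fanout if src in allowed_senders else rogue)[src].add(dst)
    return ({h: sorted(d) for h, d in rogue.items()}, {h: len(d) for h, d in fanout.items()})


if __name__ == "__main__":
    rogue, fanout = audit_outbound_smtp(SAMPLE, {"exchange-server.our-domain.com"}, ".our-domain.com")
    print("unauthorized SMTP senders:", rogue)
    print("distinct MX hosts per allowed sender:", fanout)
```

Run it against a real capture with `tcpdump -nn -i <iface> 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25'` piped to a file (name resolution off with -nn, so pass IP ranges instead of a name suffix if you do that).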