ietf-asrg

Re: [Asrg] Re: Asrg Digest, DNSBL BCP v.2.0

2007-03-04 12:19:40
So I assume that the infected machine was using the company's own
SMTP server as a smarthost and that is why the entire company was
inconvenienced.

No. It was sending (apparently) using its own SMTP sending engine,
but behind the (single) NAT router, and therefore from the Internet side it was
indistinguishable (by IP address, anyhow) from any other E-mails coming from
within the entire company, from any of their in-house outgoing mail servers.

Simple question... *WHY WAS THE ROUTER/GATEWAY NOT BLOCKING PORT 25 TO/FROM
ALL MACHINES EXCEPT AUTHORIZED INTERNAL MTAS* ??? If your client had taken
that one simple step, none of this would've happened.

Several issues there.

First, they have at least three or four internal machines (out of only about 15) running mail servers. (These servers were basically used as a speed buffer/queue for outgoing mail only).

Second, their applications (running on many of their client machines) can be configured (and recently were, as a workaround) to send directly to outside mail servers.

Third, the primary machine involved with their infection was in fact one of the machines running not just a mail server, but a critical app which does legitimately send E-mails as a key part of its job.

Fourth, their NAT router/firewall was provided, installed, and maintained by their telephone company, which had basically no knowledge or understanding of the company's internal IT systems. (This is a very common situation, both for home users and small businesses.) Phone companies typically install these things and walk away from them.

Obviously, I'm going to have to be more involved with actively administering their router, in the future.

Gordon Peterson
http://personal.terabites.com
1977-2007 Thirty-year anniversary of local area networking

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
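The exchange above comes down to two points: a NAT router should only let the authorized in-house MTAs open outbound TCP/25, and that rule alone does nothing when the infected host is itself one of those MTAs. The following is an added example (not code from the thread or from any of the participants) showing both halves: it emits the iptables FORWARD rules for the egress policy, and it audits a connection-tracking log for LAN hosts that reached port 25 without being on the allow-list, plus authorized MTAs that fan out to an unusual number of distinct MX hosts. The LAN range, the two MTA addresses, the log format, the sample log lines and the fan-out threshold are all constructed assumptions for the example.

```python
"""Port-25 egress policy plus a log audit for direct-to-MX sending behind NAT.

Added example, not code from the ASRG thread. Assumes an RFC 1918 LAN
(192.168.1.0/24), two hypothetical authorized internal MTAs, and a
constructed connection-tracking log in the one-line-per-flow format below.
"""
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")
# Hypothetical: the in-house outgoing mail servers allowed to reach TCP/25.
AUTHORIZED_MTAS = {"192.168.1.10", "192.168.1.11"}
SMTP_PORT = 25
# Assumed anomaly threshold for an authorized MTA: a queue that relays to a
# handful of upstream hosts does not normally open connections to many
# distinct MX hosts in a short window; a spam engine on the same box does.
MAX_DISTINCT_MX_PER_SOURCE = 5


def iptables_rules(lan=LAN, mtas=AUTHORIZED_MTAS, iface_out="eth0"):
    """Return FORWARD rules that let only the authorized MTAs reach TCP/25.

    Explicit accepts come first, then a logged reject for every other LAN
    host. Submission (TCP/587) is deliberately untouched so that client
    applications configured to authenticate to an outside provider keep working.
    """
    rules = []
    for mta in sorted(mtas):
        rules.append(f"iptables -A FORWARD -s {mta} -o {iface_out} "
                     f"-p tcp --dport {SMTP_PORT} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -s {lan} -o {iface_out} -p tcp "
                 f"--dport {SMTP_PORT} -j LOG --log-prefix 'SMTP-EGRESS-DENY '")
    rules.append(f"iptables -A FORWARD -s {lan} -o {iface_out} -p tcp "
                 f"--dport {SMTP_PORT} -j REJECT --reject-with tcp-reset")
    return rules


# Constructed sample log: "<time> <src>:<sport> -> <dst>:<dport> proto=<proto>".
# .37 is a desktop sending direct-to-MX; .11 is an authorized MTA that has
# started fanning out to many MX hosts; .42 uses submission and is fine.
SAMPLE_LOG = """\
12:00:01 192.168.1.10:40001 -> 203.0.113.5:25 proto=tcp
12:00:02 192.168.1.37:51022 -> 198.51.100.20:25 proto=tcp
12:00:02 192.168.1.37:51023 -> 198.51.100.21:25 proto=tcp
12:00:03 192.168.1.42:50311 -> 203.0.113.9:587 proto=tcp
12:00:04 192.168.1.11:40002 -> 203.0.113.5:25 proto=tcp
12:00:05 192.168.1.11:40003 -> 198.51.100.30:25 proto=tcp
12:00:05 192.168.1.11:40004 -> 198.51.100.31:25 proto=tcp
12:00:06 192.168.1.11:40005 -> 198.51.100.32:25 proto=tcp
12:00:06 192.168.1.11:40006 -> 198.51.100.33:25 proto=tcp
12:00:07 192.168.1.11:40007 -> 198.51.100.34:25 proto=tcp
12:00:07 192.168.1.11:40008 -> 198.51.100.35:25 proto=tcp
12:00:08 192.168.1.10:40009 -> 203.0.113.5:25 proto=tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) proto=(\w+)$")


def parse_flows(text):
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, _sport, dst, dport, proto = m.groups()
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto})
    return flows


def evaluate_flow(flow, lan=LAN, mtas=AUTHORIZED_MTAS):
    """Mirror the firewall policy: ACCEPT, REJECT, or PASS (rule does not apply)."""
    if flow["proto"] != "tcp" or flow["dport"] != SMTP_PORT:
        return "PASS"
    if ipaddress.ip_address(flow["src"]) not in lan:
        return "PASS"
    return "ACCEPT" if flow["src"] in mtas else "REJECT"


def audit(text, mtas=AUTHORIZED_MTAS, max_mx=MAX_DISTINCT_MX_PER_SOURCE):
    """Return (unauthorized_senders, suspicious_mtas), both sorted lists.

    unauthorized_senders: LAN hosts that reached TCP/25 without being an
    authorized MTA; the egress rule would have stopped these.
    suspicious_mtas: authorized MTAs that talked to more distinct MX hosts
    than the threshold; the egress rule alone cannot catch an infection there.
    """
    unauthorized = set()
    mx_per_source = defaultdict(set)
    for f in parse_flows(text):
        verdict = evaluate_flow(f, mtas=mtas)
        if verdict == "REJECT":
            unauthorized.add(f["src"])
        elif verdict == "ACCEPT":
            mx_per_source[f["src"]].add(f["dst"])
    suspicious = {src for src, dsts in mx_per_source.items() if len(dsts) > max_mx}
    return sorted(unauthorized), sorted(suspicious)


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    bad_hosts, odd_mtas = audit(SAMPLE_LOG)
    print("unauthorized port-25 senders:", bad_hosts)
    print("authorized MTAs with unusual MX fan-out:", odd_mtas)
```

On the sample log the audit flags 192.168.1.37 as a host the egress rule would have blocked, and 192.168.1.11 as an authorized MTA whose fan-out is out of character; the second result is the case the thread describes, where the infected machine was a legitimate mail server and an address-based filter could not have helped.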