
jeffslife
  1. jeffslife

    Need serious help...

    Alas, I continue to fail. Somehow back on the list... Ubuntu version is 6.06 LTS.
  2. jeffslife

    Need serious help...

    Hey guys. No, I can't really explain... heh. Sorry. I re-wrote some of the IPTABLES rules and we've been anti-virusing and anti-malware-tooling like mad. Seems as though the logging isn't working quite right for some reason. I have a very specific rule in there to log anything that has anything to do with port 25 (and a couple other ports), but when I try to test anything on it, attempts never show up in the logs (the data over 25 successfully gets blocked though). And yah, I checked to make sure IPTABLES logs were being sent to syslog. I'm hoping all the cleaned machines and the part of the firewall re-written will at least keep us unblocked while we continue to "put out the fires". Thanks again for all the help. Hopefully you won't hear from me again, eh?
  3. jeffslife

    Need serious help...

    Hey guys, I can't thank you enough for all the replies and help you're giving me. I've been blazing everywhere trying to solve this. We thought we were taking care of it finally, but alas, we are back on your ban list (and others I imagine). The problem with the port 25 thing in IPTABLES is that it's still a little over my head. I've been reading like crazy, but the guy that worked here before I did set this whole script up, and his method seems very custom, and unlike every other example out there. I tried to follow the SpamHaus example of limiting port 25 to only the email server, but when I added their code, no mail was coming in or out. Most documentation that I can find talks about the INPUT, FORWARD, and OUTPUT chains, but the guy that wrote this thing has many PREROUTING rules in here that I don't really understand fully yet. The relevant lines are these (10.0.100.4 is the email server's internal IP, 159.250.29.171 is external):

        iptables -A PREROUTING -t nat -d 159.250.29.171 -i $EXTDEV -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.100.4
        iptables -A FORWARD -d 10.0.100.4 -j ACCEPT

    I tried adding some LOG, and then DROP entries for port 25 in the FORWARD and OUTPUT sections, but it seemed to kill everything (since I don't really understand the PREROUTING thing as much as I need to). Thanks again for all the replies, I really appreciate it.
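Added example (not the poster's script and not from this thread) covering the two problems raised in posts 2 and 3: the port 25 LOG rule that never fires, and restricting outbound port 25 to the mail server without cutting off inbound mail. It keeps the DNAT rule from the post and assumes an internal interface eth1 and a LAN of 10.0.0.0/16, both of which are placeholders; without IPT=iptables it only prints the rules.

```shell
#!/bin/sh
# Egress filtering for SMTP: only the mail server may reach port 25, every other
# LAN host that tries is logged and dropped. Addresses below come from the thread;
# INTDEV and LAN are assumed placeholders for this example.
EXTDEV="${EXTDEV:-eth0}"      # internet-facing interface ($EXTDEV in the thread)
INTDEV="${INTDEV:-eth1}"      # LAN-facing interface (assumed)
MAILSRV="10.0.100.4"          # internal address of the mail server (from the thread)
EXTIP="159.250.29.171"        # public address that receives inbound mail (from the thread)
LAN="${LAN:-10.0.0.0/16}"     # internal network range (assumed)

# Dry run by default: rules are printed, not applied. Set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

smtp_rules() {
    # Inbound: DNAT public port 25 to the mail server, then permit it in FORWARD.
    # FORWARD sees the packet AFTER PREROUTING has rewritten the destination,
    # which is why matching "-d $EXTIP" in FORWARD never hits anything.
    $IPT -t nat -A PREROUTING -i "$EXTDEV" -d "$EXTIP" -p tcp --dport 25 -j DNAT --to-destination "$MAILSRV"
    $IPT -A FORWARD -i "$EXTDEV" -d "$MAILSRV" -p tcp --dport 25 -j ACCEPT

    # Outbound from the LAN: these three rules must come BEFORE any broad
    # "-A FORWARD ... -j ACCEPT". iptables stops at the first match, so an
    # earlier ACCEPT means the LOG line below is never reached (the missing-log
    # symptom). LAN traffic crosses FORWARD; OUTPUT only sees packets that the
    # firewall box itself generates, so LOG rules in OUTPUT see nothing from LAN hosts.
    $IPT -A FORWARD -i "$INTDEV" -s "$MAILSRV" -p tcp --dport 25 -j ACCEPT
    $IPT -A FORWARD -i "$INTDEV" -s "$LAN" -p tcp --dport 25 -m limit --limit 10/min -j LOG --log-prefix "SMTP-EGRESS-BLOCKED: "
    $IPT -A FORWARD -i "$INTDEV" -s "$LAN" -p tcp --dport 25 -j DROP
}

# Summarise the resulting syslog lines (read from stdin) into a count per source
# host, so an infected box shows up at the top of the list.
offenders() {
    grep 'SMTP-EGRESS-BLOCKED' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample of what the kernel LOG target writes to syslog (not real data).
SAMPLE_LOG='Jan  1 00:00:01 fw kernel: SMTP-EGRESS-BLOCKED: IN=eth1 OUT=eth0 SRC=10.0.100.77 DST=203.0.113.5 PROTO=TCP SPT=45506 DPT=25
Jan  1 00:00:02 fw kernel: SMTP-EGRESS-BLOCKED: IN=eth1 OUT=eth0 SRC=10.0.100.77 DST=203.0.113.6 PROTO=TCP SPT=45507 DPT=25
Jan  1 00:00:03 fw kernel: SMTP-EGRESS-BLOCKED: IN=eth1 OUT=eth0 SRC=10.0.100.12 DST=203.0.113.7 PROTO=TCP SPT=51000 DPT=25'

smtp_rules
printf '%s\n' "$SAMPLE_LOG" | offenders
```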
  4. jeffslife

    Need serious help...

    Of course I followed it. It does not appear to give me any information I can use other than how long I've been blocked. Indeed I'm not "finding anything". Hence the request for help. Firewall is in place, it's an Ubuntu machine, firewall is all IPTABLES. I've been logging as much traffic as I can and going over syslog and any other log that I think might help, but as I've said, I'm obviously not as good at this as you guys, hence the help. I DON'T know where to look on top of what I've said (monitoring ports). We host the mail server on our network, it's also an Ubuntu machine. Postfix/CourierIMAP. All of our employees use the web interface (SquirrelMail). There are wireless points around the building, that are all passworded and only certain machines have access to them. The banned IP in question is our T1 line, and there aren't a lot of people on it; it is where our email server resides. mail.mtrsd.k12.ma.us is an old email server that is no longer in use. It's still there but all of its mail functions have been stopped. The server in question is that Ubuntu machine I just mentioned at mail.mohawkschools.org. I've just been reading the stickies in this forum, and in my limited capabilities in this situation, I am unable to use them to any further advantage. Yah, I've been testing my efforts mostly on that particular page. We did find that one machine that was sending massive traffic on port 25 (that page mentions blocking/monitoring 25) and that's how we picked that one up. I do not see any other machines attempting to use port 25 at all (aside from the mail server itself). We have AVG 8.0 on every machine that is connected to the network where the mail server is, and as of this writing, no massive amounts of trojans/viruses have been found. None of the machines have any email clients set up (Thunderbird, Outlook).
  5. jeffslife

    Need serious help...

    Oops! Forgive me, my brain is fried on the subject. Return error on outgoing mail:

        550-"JunkMail rejected - mohawk.mtrsd.k12.ma.us (mail.mohawkschools.org) 550-[159.250.29.8]:45506 is in an RBL, see Blocked - see 550 http://www.spamcop.net/bl.shtml?159.250.29.8 (in reply to RCPT TO command)

    Also, I'd love more than anything to read an FAQ, which one are you referring to?
  6. jeffslife

    Need serious help...

    Hello! Obviously I am posting here because my school's network I work for has been blocked by this (and several other) lists. I don't really know what to do anymore. We've cleaned up virus machines, I've been scanning packets on known trouble ports (e.g. 25) for hours, and I've found nothing... I don't know where else to look for the problem. I've run every open relay test I can find out on the net, and the email server has passed every single one. There was ONE machine that was sending massive port 25 traffic and was heavily virus infected, but we unplugged it immediately and wiped the drive out, and that machine still isn't even plugged in anywhere. But several lists (including this one) keep re-blacklisting for some reason, spam I'm guessing, and I just don't know where else to look anymore. Any help would be greatly appreciated. I'm not here to dispute the block, it sounds like a legitimate block, but I can't seem to find the source... Business is really at a standstill, important e-mails that need to be sent are not getting out, would really appreciate some assistance. Thank you.