[Asrg] Re: Asrg Digest, DNSBL BCP v.2.0

gep2 at terabites.com gep2 at terabites.com
Sun Mar 4 14:18:04 EST 2007


>>> so I assume that the infected machine was using the company's own
>>> smtp server as a smarthost and that is why the entire company was
>>> inconvenienced.

>> No. It was sending (apparently) using its own SMTP sending engine,
>> but behind the (single) NAT router and therefore from the Internet
>> side was indistinguishable (by IP address, anyhow) from any other
>> E-mails coming from within the entire company, from any of their
>> in-house outgoing mail servers.

> Simple question... *WHY WAS THE ROUTER/GATEWAY NOT BLOCKING PORT 25
> TO/FROM ALL MACHINES EXCEPT AUTHORIZED INTERNAL MTAS* ??? If your
> client had taken that one simple step, none of this would've happened.

Several issues there.

First, they have at least three or four internal machines 
(out of only about 15) running mail servers. (These 
servers were basically used as a speed buffer/queue for 
outgoing mail only).

Second, their applications (running on many of their 
client machines) can be configured (and recently were, as 
a workaround) to send directly to outside mail servers.

Third, the primary machine involved with their infection 
was in fact one of the machines running not just a mail 
server, but a critical app which does legitimately send 
E-mails as a key part of its job.

Fourth, their NAT router/firewall was provided, installed, 
and maintained by their telephone company who had 
basically no knowledge or understanding of the company's 
internal IT systems. (This is a very common situation, 
both for home users and small businesses). Phone companies 
typically install these things, and walk away from them.

Obviously, I'm going to have to be more involved with 
actively administering their router, in the future.

Gordon Peterson
http://personal.terabites.com
1977-2007 Thirty year anniversary of local area networking
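The egress rule argued over in this thread (outbound TCP/25 permitted only from a short list of authorized internal MTAs) can be modelled and checked without touching a router. The following is an added example written for this archive page, not code from the poster or from ASRG; the LAN range, the MTA addresses and the gateway log lines are constructed, and the log format is an invented syslog-like shape rather than any vendor's. The first function gives the gateway's accept/drop verdict for an outbound flow; the second scans log lines for hosts whose direct-to-Internet port 25 attempts were dropped, which is the signal that an internal machine is running its own sending engine. The example also shows the caveat raised in the message's third point: when the infected host is itself an authorized MTA, the port 25 rule lets its traffic through, so the rule limits the blast radius but does not replace monitoring of the MTAs themselves.

```python
"""
Egress policy model for outbound SMTP plus a small log check.
Added example for this archive page; all addresses and log lines below
are constructed, and the log format is made up for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

# Constructed LAN and the only hosts allowed to open TCP/25 to the Internet.
LAN = ip_network("192.168.10.0/24")
AUTHORIZED_MTAS = {ip_address("192.168.10.5"), ip_address("192.168.10.6")}
SMTP_PORTS = {25}


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt as seen at the NAT gateway."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def egress_verdict(flow: Flow) -> str:
    """Return 'accept' or 'drop' for a flow crossing the gateway.

    Only traffic leaving the LAN is subject to the rule; a workstation
    submitting mail to an internal MTA on port 25 stays inside the LAN
    and is not affected.
    """
    src = ip_address(flow.src)
    dst = ip_address(flow.dst)
    if src not in LAN or dst in LAN:
        return "accept"
    if flow.proto == "tcp" and flow.dport in SMTP_PORTS:
        # Note the caveat from the thread: an infected *authorized* MTA
        # is still accepted here; the rule only stops the other hosts.
        return "accept" if src in AUTHORIZED_MTAS else "drop"
    return "accept"


# Constructed gateway log lines (invented format, not a real vendor's).
SAMPLE_LOG = """\
Mar  4 13:01:12 gw kernel: EGRESS-DROP SRC=192.168.10.23 DST=203.0.113.10 PROTO=TCP DPT=25
Mar  4 13:01:13 gw kernel: EGRESS-DROP SRC=192.168.10.23 DST=203.0.113.11 PROTO=TCP DPT=25
Mar  4 13:01:15 gw kernel: EGRESS-ACCEPT SRC=192.168.10.5 DST=203.0.113.10 PROTO=TCP DPT=25
Mar  4 13:01:20 gw kernel: EGRESS-DROP SRC=192.168.10.23 DST=203.0.113.12 PROTO=TCP DPT=25
Mar  4 13:02:01 gw kernel: EGRESS-DROP SRC=192.168.10.40 DST=203.0.113.13 PROTO=TCP DPT=25
"""

LOG_RE = re.compile(
    r"EGRESS-(?P<action>DROP|ACCEPT) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)"
)


def dropped_smtp_talkers(log_text: str, threshold: int = 2) -> dict:
    """Count dropped TCP/25 attempts per source host.

    Returns {source_ip: count} for hosts at or above the threshold; a
    host that repeatedly hits the rule is the one to go and look at.
    """
    counts: dict = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["action"] != "DROP" or int(m["dport"]) not in SMTP_PORTS:
            continue
        counts[m["src"]] = counts.get(m["src"], 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for f in (Flow("192.168.10.23", "203.0.113.10", 25),
              Flow("192.168.10.5", "203.0.113.10", 25),
              Flow("192.168.10.23", "192.168.10.5", 25)):
        print(f, "->", egress_verdict(f))
    print("hosts with repeated dropped port 25 attempts:",
          dropped_smtp_talkers(SAMPLE_LOG))
```

Run as a script it prints the verdicts and the offending host list; the threshold of two drops is arbitrary and would be tuned to the site, since a single dropped connection can be a misconfigured client rather than a sending engine.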
