Tuesday, March 19, 2013

HTTP Attack Resulted in RBL Listing

Today one of my customers was listed on the SpamHaus XBL list.  The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.

My customer had all client workstations access the Internet from the same public IP address that the Exchange 2010 server relayed email from.  Workstations did not connect to the Internet through a proxy, just standard network address translation (NAT).

My customer did block TCP 25 outbound (SMTP traffic) from all hosts on the network except the internal IP address of their Exchange 2010 server.  Despite this, my customer was still added to the XBL.SpamHaus.org blocklist and as a result had difficulties sending and receiving email with many companies, not least because SpamHaus is one of the more popular blocklists.

This was because a few workstations on their network were infected with the Pushdo trojan, which was performing denial of service (DoS) attacks against target web servers.

Below is the reason we were RBLed, extracted from the SpamHaus.org website:

To get around this problem we changed the outgoing IP address for email, ensured a PTR record existed for the new IP address, and updated the Sender Policy Framework (SPF) TXT record in the DNS zone.  Finally we updated the port forward on the router and the MX records to ensure all mail relay went through a dedicated email.

So what did we learn from this?
  • If possible, always use a dedicated public IP address for relaying mail.
  • Use a proxy server for your users to surf the net, and where possible block direct outbound HTTP/HTTPS and other ports to the Internet.
Regarding the Pushdo botnet, we got around to cleaning that up too, to ensure my customer's network was not used to DoS innocent web servers on the net.
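The two checks the clean-up above depends on, written here as an added example that is not from the original post: building the reversed-octet lookup name for the XBL zone and deciding whether the answer means a listing, and confirming that the new relay address is actually covered by the zone's SPF record. The IP addresses and SPF record used in it are constructed documentation values, the resolver is injected so it can run offline, and the XBL return-code range is taken from Spamhaus's published ZEN/XBL codes and should be re-checked against their current documentation.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Spamhaus answers DNSBL queries with a 127.0.0.x address whose last
# octet encodes the list; 127.0.0.4 to 127.0.0.7 are the XBL codes
# (assumed from Spamhaus documentation; re-check before relying on it).
XBL_CODES = {"127.0.0.4", "127.0.0.5", "127.0.0.6", "127.0.0.7"}


def dnsbl_query_name(ip: str, zone: str = "xbl.spamhaus.org") -> str:
    """Reverse the octets of an IPv4 address and append the DNSBL zone."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def live_resolve(name: str) -> Optional[str]:
    """Real DNS lookup; an unlisted address yields NXDOMAIN, returned as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_xbl_listed(ip: str, resolve: Callable[[str], Optional[str]] = live_resolve) -> bool:
    """True when the DNSBL answer for `ip` is one of the XBL return codes."""
    return resolve(dnsbl_query_name(ip)) in XBL_CODES


def spf_permits_ip(spf_record: str, ip: str) -> bool:
    """Check whether the ip4: mechanisms of an SPF TXT record cover `ip`.

    Only ip4 mechanisms are evaluated; a/mx/include would need further
    DNS lookups. A matching mechanism with a -, ~ or ? qualifier is a
    fail/softfail/neutral result, so it does not count as permitted.
    """
    if not spf_record.lower().startswith("v=spf1"):
        return False
    addr = ipaddress.IPv4Address(ip)
    for term in spf_record.split()[1:]:
        mech = term.lstrip("+-~?")
        if mech.lower().startswith("ip4:"):
            if addr in ipaddress.ip_network(mech[4:], strict=False):
                return not term.startswith(("-", "~", "?"))
    return False


if __name__ == "__main__":
    relay_ip = "198.51.100.5"  # constructed new dedicated relay address
    spf = "v=spf1 ip4:198.51.100.0/28 -all"  # constructed SPF record
    print("SPF covers relay:", spf_permits_ip(spf, relay_ip))
    print("XBL listed:", is_xbl_listed(relay_ip))  # needs network access
```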
