 From:  "James W. McKeand" <james at mckeand dot biz>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] DNS Blacklist
 Date:  Thu, 27 Jan 2005 16:41:29 -0500
mono at centrum dot sk wrote:
> Hi,
> I have a network of xx PCs with one public IP, where all PCs are
> behind a NAT.
> But our public IP is listed in BlackList on SORBS /
> http://www.dnsbl.sorbs.net/. Is it possible to find out which computer
> in the network caused this? Which computer is the spam attacker? From MONO
> logs in GUI I don't anything.
> Can anybody help me?
> Thanks.
> Robo.K.

Your public IP can be listed for several reasons. One is that you have
SMTP to the public IP NATed to a machine that is an open relay.
Another is that your provider may be listed to prevent SPAM
(provider's "official" story) or to prevent users from setting up
their own servers (IMO, provider's real reason).

Set up a block and log rule on the m0n0wall for port 25. You may need
to create a pass rule for your mail server (if you have one) before
the block rule to allow legitimate email to go out. So the order of
rules on the LAN interface should be:

Pass SMTP from mail server to any
Block and log SMTP from LAN subnet to any
Pass any from LAN subnet to any

Hope this helps...

James W. McKeand
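
An added example, not part of the original message: once the block-and-log rule above is in place, tallying blocked port-25 connections by LAN source address shows which host is trying to send mail directly. The log layout is an assumed ipmon-style syslog format and the sample lines are constructed; adjust the pattern to whatever your firewall actually logs.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed ipmon-style syslog layout.
SAMPLE_LOG = """\
Jan 27 16:40:01 m0n0wall ipmon[85]: 16:40:00.412345 sis0 @0:2 b 192.168.1.23,1045 -> 203.0.113.5,25 PR tcp len 20 48 -S IN
Jan 27 16:40:02 m0n0wall ipmon[85]: 16:40:01.512345 sis0 @0:2 b 192.168.1.23,1046 -> 198.51.100.9,25 PR tcp len 20 48 -S IN
Jan 27 16:40:03 m0n0wall ipmon[85]: 16:40:02.612345 sis0 @0:2 b 192.168.1.23,1047 -> 203.0.113.77,25 PR tcp len 20 48 -S IN
Jan 27 16:40:05 m0n0wall ipmon[85]: 16:40:04.112345 sis0 @0:2 b 192.168.1.40,2211 -> 198.51.100.9,25 PR tcp len 20 48 -S IN
Jan 27 16:40:06 m0n0wall ipmon[85]: 16:40:05.212345 sis0 @0:3 p 192.168.1.23,1050 -> 203.0.113.5,80 PR tcp len 20 48 -S IN
Jan 27 16:40:07 m0n0wall ipmon[85]: 16:40:06.312345 sis0 @0:2 b 192.168.1.51,137 -> 192.168.1.255,137 PR udp len 20 78 IN
"""

# rule tag, action letter, "src,sport -> dst,dport", then the protocol
LINE_RE = re.compile(
    r"@\d+:\d+\s+(?P<action>\w)\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+),(?P<dport>\d+)\s+PR\s+(?P<proto>\w+)"
)

def blocked_smtp_by_host(log_text, port=25):
    """Return [(source_ip, attempts, distinct_destinations)], busiest first.

    Only blocked ('b') TCP connections to the given port are counted, which
    is what the "Block and log SMTP from LAN subnet" rule produces. The mail
    server never appears because its pass rule matches first.
    """
    seen = defaultdict(lambda: {"attempts": 0, "dsts": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a packet log line in the assumed layout
        if m["action"] != "b" or m["proto"] != "tcp" or int(m["dport"]) != port:
            continue
        entry = seen[m["src"]]
        entry["attempts"] += 1
        entry["dsts"].add(m["dst"])
    rows = [(ip, e["attempts"], len(e["dsts"])) for ip, e in seen.items()]
    # Many attempts to many different servers is the pattern of a spam sender.
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for ip, attempts, dsts in blocked_smtp_by_host(SAMPLE_LOG):
        print(f"{ip}: {attempts} blocked SMTP attempts to {dsts} destinations")
```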