Almost every day, we get a telephone call from a very concerned customer because the Internet address of their outgoing e-mail server has been placed on a public blacklist for sending spam. This often means that there is a security problem on their network, because most of our customers don't intentionally send unsolicited bulk email.
When a customer is unable to send e-mail from their own Internet address, they often ask us if they can relay their outgoing e-mail through our Internet address. We have to explain to the customer that they first need to resolve their security issue, but then they can take advantage of our outgoing e-mail filtering to relay their e-mail through a new Internet address while they work to get their old address delisted from the blacklists. Some steps are then required to implement our outgoing e-mail filtering. These steps involve locking down their network so that e-mail can only leave it when it's destined for the outgoing e-mail filter. Interestingly, the steps taken to implement our outgoing filtering are the same steps that are recommended for everyone to enhance their network's security.
Resolving your security issue
Ask the public blacklist for evidence of your spam. This is usually automated and can be retrieved by visiting the blacklist's Web site and entering your outgoing e-mail server's Internet address. The headers of the spam that was received should be available, and they may indicate the network address of the computer on your network that relayed e-mail through your e-mail server. This can help you track down a workstation on your network where a spammer was actually sitting and sending spam. It is more likely, however, that you will find a workstation that inadvertently had malware installed and is sending out the spam without the user's knowledge.
If the spam actually went through your e-mail server, you should also be able to find the spamming workstation's Internet address in the server's logs. You may even find that the Internet address that connected to your e-mail server isn't on your network at all, because your e-mail server is acting as an open relay for unauthorized users. It's also possible that the e-mail server itself was compromised with spam-sending malware, in which case you won't find anything in the logs.
What can complicate things is if you use network address translation, and all of the computers on your network share the same public Internet address with the e-mail server. It would then be possible that the e-mail never went through your e-mail server at all, yet your e-mail server is being blacklisted simply because it shares the same public address as the spamming computer on your network. It could then be impossible to trace which host on your network sent the spam unless you have a network firewall with logs. If the spam is still being sent, you could enable logging on your network firewall to see which host is sending the spam e-mail. You should then take the computer that is sending the spam off of the network and have your security incident response person take a look.
If you do have the network address of the local computer, hopefully it is one that your network team recognizes. Otherwise, you may not be able to find the offending computer on your network without a lot of investigation, especially if you have a wireless network.
Locking down your network
It's very important that no computers on your network connect directly to the Internet. All of the computers should be behind a firewall. Many organizations already have a basic firewall and are heeding this advice. However, it's also important to force all outgoing e-mail through your e-mail server.
Create outgoing rules on the network firewall that allow your e-mail server to connect to the e-mail transport service on remote e-mail servers (TCP ports 25 and 465). Then delete any other firewall rules that allow connections to remote e-mail transport services, or add lower-priority outgoing rules that block all other hosts from reaching remote e-mail servers. This ensures that only your network's outgoing e-mail server can send e-mail off of your network.
Making this simple change will prevent much spam-sending malware from getting any e-mail off of your network. Some malware is programmed to relay e-mail through your own e-mail server instead; if that happens, the e-mail will at least appear in your e-mail server's logs. Additionally, you should enable logging on your network firewall for the rules that block any computer other than your e-mail server from sending e-mail off of your network. Keeping an eye on this log, or having the firewall alert you, can help detect policy violations and possibly identify a security problem on the violating computer.
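As an added example (not part of the original article), the script below performs the log review described here and in the network address translation section above: it parses iptables-style LOG lines from an egress rule that blocks SMTP from everything except the mail server and reports which internal hosts tried to reach remote e-mail transport ports. The log prefix, the internal addresses and the mail-server address are all constructed values.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of firewall log output. The EGRESS-SMTP-DENY prefix is an
# assumed name for the logging rule that blocks direct SMTP from ordinary hosts.
SAMPLE_FIREWALL_LOG = """\
Mar 11 09:14:02 fw kernel: EGRESS-SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.10 PROTO=TCP SPT=49821 DPT=25 SYN
Mar 11 09:14:02 fw kernel: EGRESS-SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.44 PROTO=TCP SPT=49822 DPT=25 SYN
Mar 11 09:14:03 fw kernel: EGRESS-SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.77 PROTO=TCP SPT=49823 DPT=465 SYN
Mar 11 09:14:05 fw kernel: EGRESS-SMTP-ALLOW IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.10 PROTO=TCP SPT=33102 DPT=25 SYN
Mar 11 09:15:30 fw kernel: EGRESS-SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.120 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=25 SYN
Mar 11 09:16:00 fw kernel: EGRESS-WEB-DENY IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.10 PROTO=TCP SPT=49900 DPT=8080 SYN
"""

MAIL_SERVER = "192.168.1.10"   # assumed address of the one host allowed to send mail directly
SMTP_PORTS = {25, 465}         # the remote e-mail transport ports the article locks down
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")


def find_smtp_policy_violations(log_text, mail_server=MAIL_SERVER):
    """Return {source: (attempt_count, distinct_destinations)} for every internal
    host other than the mail server that tried to connect to a remote SMTP port."""
    attempts = Counter()
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m["dpt"]) not in SMTP_PORTS:
            continue  # not a connection to an e-mail transport port
        if m["src"] == mail_server:
            continue  # legitimate outgoing mail server
        attempts[m["src"]] += 1
        destinations[m["src"]].add(m["dst"])
    return {src: (n, len(destinations[src])) for src, n in attempts.items()}


def rank_suspects(violations):
    """Order offending hosts so that the most spam-like fan-out (many distinct
    remote mail servers, many attempts) comes first."""
    return sorted(violations, key=lambda s: (violations[s][1], violations[s][0]), reverse=True)


if __name__ == "__main__":
    found = find_smtp_policy_violations(SAMPLE_FIREWALL_LOG)
    for host in rank_suspects(found):
        n, fanout = found[host]
        print(f"{host}: {n} blocked SMTP attempts to {fanout} distinct remote servers")
```

A host that fans out to many different remote mail servers in a short window is the typical signature of spam-sending malware, and is the one to pull off the network for your incident response person to examine.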
Once you have the firewall in place to only allow your e-mail server to deliver e-mail off of your network, make sure that your e-mail server is only relaying e-mail for properly authenticated users.
If you are going to implement an outgoing e-mail filter, your next step would be to have your e-mail server use the outgoing filter as a smarthost, which is just the industry name for a primary relay. Your e-mail server would then relay all of its e-mail through the filter before the e-mail is sent on to its final destination. Your outgoing filtering will then help protect your network's reputation further by proxying your e-mail through a different Internet address and also by filtering your e-mail for known spam and viruses.
Just taking this simple step of locking down your outgoing e-mail can help prevent that panicked day where your network becomes the source for sending spam, tarnishing the reputation of your network and possibly preventing your users from sending legitimate e-mail necessary to your business.