Good point. I block DNS in addition to SMTP. Thor's lists dropped a lot of spammers from abroad. Now, to get the spammers from the allowed countries -- GFI is hard at work. To get by the port-scanners, looks like I need to change my SMTP IP address every X days, weeks, months, etc. Nah, too much work -- I'll continue as is.

Can ISA track the port-scanners, dump their IPs into a set that's there to block dynamically?

________________________________

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
Sent: Sun 6/15/2008 1:42 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Possible to Filter inbound publishing rules by source (remote) IP?

http://www.ISAserver.org
-------------------------------------------------------

While blocking DNS is one way to block some SPAM, it's not the complete answer. You also have to block inbound SMTP from untrusted sources, because many spammers and script kiddies don't use DNS; they simply port-scan for SMTP listeners and share what they find with their friends.

Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Crockett, Gregory
Sent: Saturday, June 14, 2008 3:34 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Possible to Filter inbound publishing rules by source (remote) IP?

I use Thor's computer sets -- I also block their DNS access. I see more DNS blocks from Taiwan, and others, than SMTP -- (if you do not know my phone number you can not call me.) I'm working with F5 to block DNS requests from particular continents, or countries, before they hit ISA.

Sent from my mobile email.

-----Original Message-----
From: Joe Pochedley <joepochedley@xxxxxxxxx>
Sent: Monday, June 09, 2008 12:42 PM
To: isalist@xxxxxxxxxxxxx <isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Possible to Filter inbound publishing rules by source (remote) IP?

Hahah... Thanks, Jim.
FWIW, the computer set worked flawlessly. Now all the SMTP connections from others who aren't supposed to be sending us SMTP mail are blocked at the FW. In watching the firewall log now, I can easily pick out all the SMTP traffic that's not supposed to come through... Never ceases to amaze how these connections from various DHCP pools (DSL, cable, whatever) at carriers in Brazil, Taiwan, etc. are just spewing this stuff out... All the wasted bandwidth and zombified PCs.... *sigh*

Joe P

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday, June 06, 2008 10:21 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Possible to Filter inbound publishing rules by source (remote) IP?

I guess we need to have another round of <duh> moments to make Joe feel better about himself - I'll start.

I filed a bug some months ago because every time I applied an ISA patch through an external RDP session, I'd lose the session and would have to jump on the console to complete the installation. Needless to say, this would drop ISATools.org until I could go home.

Just this week, it suddenly occurred to me why this failed and yes; it's "by design", and not entirely that of ISA Server. I don't use system policies to allow RDP from the Internet. Instead, I:

1. server-publish to the internal IP
2. use custom ports for the listener
3. bind TS to the internal NIC only

When the ISA services stop, so do any server publishing or web listeners. Although system policies provide for inbound RDP in lockdown mode, because I didn't allow TS to bind to the external NIC, I was breaking myself whenever I'd try to update ISA from "outside".

Needless to say, the bug has been closed as "no repro"...

Jim

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Joe Pochedley
Sent: Friday, June 06, 2008 6:00 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Possible to Filter inbound publishing rules by source (remote) IP?
Thanks, Jim. For some reason I was so focused on Networks that I forgot about computer sets (and the fact that you can specify address ranges in a computer set). Duh on my part.

I'll just blame the lapse in memory on having worked 14 hours yesterday (not wholly on this issue, mostly on our Exchange upgrade)... But if I haven't learned the lesson "if you can't figure it out late in the evening, stop and look at it again in the morning" by now, then I probably never will. :)

Thanks again.

Joe P

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Friday, June 06, 2008 1:22 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Possible to Filter inbound publishing rules by source (remote) IP?

Yes.

You create a computer set and populate it with the addresses and subnets as specified in the EHS admin page. Then you apply this computer set to the SMTP server publishing rule "From" tab.

Jim

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Joe Pochedley
Sent: Thursday, June 05, 2008 8:06 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Possible to Filter inbound publishing rules by source (remote) IP?

Hopefully an easy one for the ISA gurus...

Recently we signed up for Microsoft's Frontbridge spam filtering service. As part of the setup, the MX record of our company has been changed to Microsoft's service... (Like PostINI and other hosted filtering services.)

Microsoft recommends only allowing inbound SMTP connections from their list of servers. This seems like a good idea, as I still see spam coming direct into our IP (old MX record) and not being routed through the service even though it's been more than a month since I changed the MX records...

Unfortunately, I can't find a way to make the publishing rule bend to my will and accept incoming SMTP connections only from the authorized IP addresses.

Can it be done? If so, would someone be kind enough to point me in the right direction?
Running ISA 2006 here.

Joe Pochedley
Network & Telecommunications Manager
The North American Mfg. Co.
email: JoePochedley@xxxxxxxxx

All mail to and from this domain is scrutinized by GFI.

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
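The source restriction discussed in this thread (a computer set of addresses, ranges and subnets applied to the SMTP publishing rule's "From" tab) can be modelled offline to see which connections in a log would be refused. This is an added Python example, not part of the original messages and not ISA Server's API; the set entries and the log format are constructed and use documentation address space.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for the filtering provider's published list
# (documentation address space, not real provider addresses).
COMPUTER_SET = [
    "192.0.2.10",                  # single address
    "198.51.100.0/24",             # subnet
    "203.0.113.16-203.0.113.47",   # address range
]

def compile_set(entries):
    """Expand addresses, subnets and start-end ranges into networks."""
    nets = []
    for entry in entries:
        if "-" in entry:
            first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-"))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(entry, strict=True))
    return nets

def rule_allows(src, nets):
    """True when the source address matches an entry of the "From" set."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)

def audit(log_lines, nets, port=25):
    """Return (allowed, denied) Counters of source IPs seen on the port."""
    allowed, denied = Counter(), Counter()
    for line in log_lines:
        src, dst_port = line.split()[1:3]
        if int(dst_port) != port:
            continue  # only the published SMTP listener is of interest
        (allowed if rule_allows(src, nets) else denied)[src] += 1
    return allowed, denied

# Constructed log sample in the form "<time> <source-ip> <dest-port>".
SAMPLE_LOG = [
    "10:00:01 198.51.100.7 25",
    "10:00:02 203.0.113.48 25",    # one address past the end of the range
    "10:00:03 203.0.113.47 25",
    "10:00:04 192.0.2.11 25",      # neighbour of the single allowed host
    "10:00:05 192.0.2.10 25",
    "10:00:06 203.0.113.48 25",
    "10:00:07 192.0.2.11 3389",    # not SMTP, ignored
]

if __name__ == "__main__":
    allowed, denied = audit(SAMPLE_LOG, compile_set(COMPUTER_SET))
    print("allowed:", dict(allowed))
    print("denied: ", dict(denied))
```
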