[isalist] Re: Possible to Filter inbound publishing rules by source (remote) IP?

  • From: "Crockett, Gregory" <Gregory.Crockett@xxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 15 Jun 2008 18:11:13 -0500

Good point.  I block DNS in addition to SMTP.  Thor's lists dropped a lot of 
spammers from abroad.  Now, to get the spammers from the allowed countries -- 
GFI is hard at work.  To get by the port-scanners, looks like I need to change 
my SMTP IP address every X days, weeks, months, etc.  Nah, too much work -- 
I'll continue as is.  Can ISA track the port-scanners, dump their IPs into a 
set that's there to block dynamically?

 
________________________________

From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
Sent: Sun 6/15/2008 1:42 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Possible to Filter inbound publishing rules by source 
(remote) IP?



http://www.ISAserver.org
-------------------------------------------------------
 
While blocking DNS is one way to block some SPAM, it's not the complete answer.
You also have to block inbound SMTP from untrusted sources, because many 
spammers and script kiddies don't use DNS; they simply port-scan for SMTP 
listeners and share what they find with their friends.

Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Crockett, Gregory
Sent: Saturday, June 14, 2008 3:34 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Possible to Filter inbound publishing rules by source 
(remote) IP?


I use Thor's computer sets -- I also block their DNS access.  I see more DNS 
blocks from Taiwan and others than SMTP -- (if you do not know my phone number 
you cannot call me.)  I'm working with F5 to block DNS requests from 
particular continents, or countries, before they hit ISA.

Sent from my mobile email.

-----Original Message-----
From: Joe Pochedley <joepochedley@xxxxxxxxx>
Sent: Monday, June 09, 2008 12:42 PM
To: isalist@xxxxxxxxxxxxx <isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Possible to Filter inbound publishing rules by source 
(remote) IP?

Hahah... Thanks, Jim.



FWIW, the computer set worked flawlessly.  Now all the SMTP connections
from others who aren't supposed to be sending us SMTP mail are blocked
at the FW.



In watching the firewall log now, I can easily pick out all the SMTP
traffic that's not supposed to come through...  Never ceases to amaze
how these connections from various DHCP pools (DSL, cable, whatever)  at
carriers in Brazil, Taiwan, etc. are just spewing this stuff out...  All
the wasted bandwidth and zombified PCs.... *sigh*



Joe P



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Friday, June 06, 2008 10:21 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Possible to Filter inbound publishing rules by
source (remote) IP?



I guess we need to have another round of <duh> moments to make Joe feel
better about himself - I'll start.



I filed a bug some months ago because every time I applied an ISA patch
through an external RDP session, I'd lose the session and would have to
jump on the console to complete the installation.  Needless to say, this
would drop ISATools.org until I could go home.

Just this week, it suddenly occurred to me why this failed and yes; it's
"by design", and not entirely that of ISA Server.



I don't use system policies to allow RDP from the Internet.  Instead, I:

1.       server-publish to the internal IP

2.       use custom ports for the listener

3.       bind TS to the internal NIC only



When the ISA services stop, so do any server publishing or web
listeners.

Although system policies provide for inbound RDP in lockdown mode,
because I didn't allow TS to bind to the external NIC, I was breaking
myself whenever I'd try to update ISA from "outside".



Needless to say, the bug has been closed as "no repro"...



Jim



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Joe Pochedley
Sent: Friday, June 06, 2008 6:00 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Possible to Filter inbound publishing rules by
source (remote) IP?



Thanks, Jim.



For some reason I was so focused on Networks that I forgot about
computer sets (and the fact that you can specify address ranges in a
computer set).   Duh on my part.



I'll just blame the lapse in memory on having worked 14 hours yesterday
(not wholly on this issue, mostly on our Exchange upgrade)...  But if I
haven't learned the lesson "if you can't figure it out late in the
evening, stop and look at it again in the morning" by now, then I
probably never will.  :)



Thanks again.



Joe P



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Friday, June 06, 2008 1:22 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Possible to Filter inbound publishing rules by
source (remote) IP?



Yes.

You create a computer set and populate it with the addresses and subnets
as specified in the EHS admin page.

Then you apply this computer set to the SMTP server publishing rule
"From" tab.



Jim





From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Joe Pochedley
Sent: Thursday, June 05, 2008 8:06 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Possible to Filter inbound publishing rules by source
(remote) IP?



Hopefully an easy one for the ISA gurus...



Recently we signed up for Microsoft's Frontbridge spam filtering
service.  As part of the setup, the MX record of our company has been
changed to Microsoft's service...  (Like PostINI and other hosted
filtering services.)



Microsoft recommends only allowing inbound SMTP connections from their
list of servers.  This seems like a good idea, as I still see spam
coming direct into our IP (old MX record) and not being routed through
the service even though it's been more than a month since I changed the
MX records...



Unfortunately, I can't find a way to make the publishing rule bend to my
will and accept incoming SMTP connections only from the authorized
IP addresses.  Can it be done? If so, would someone be kind enough to
point me in the right direction?



Running ISA 2006 here.

Joe Pochedley
Network & Telecommunications Manager
The North American Mfg. Co.
email: JoePochedley@xxxxxxxxx
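
The source restriction discussed in this thread (a computer set of addresses, ranges and subnets applied to the SMTP publishing rule's "From" tab) can be modelled offline to see which logged connections it would deny. This is an added example, not code from any poster or from ISA Server: the function names are hypothetical, the addresses are RFC 5737 documentation placeholders rather than the hosted filter's real ranges, and the log tuples are constructed.

```python
import ipaddress
from collections import Counter

# Constructed allowlist standing in for the hosted filter's published sources.
# These are RFC 5737 documentation addresses, not the real EHS ranges.
COMPUTER_SET = [
    "192.0.2.0/26",                  # subnet entry
    "198.51.100.10-198.51.100.20",   # address-range entry
    "203.0.113.5",                   # single-computer entry
]

# Constructed firewall log records: (source IP, destination port).
SAMPLE_LOG = [
    ("192.0.2.17", 25), ("198.51.100.15", 25), ("203.0.113.5", 25),
    ("198.51.100.21", 25),                     # one past the end of the range
    ("192.0.2.64", 25),                        # first address outside the /26
    ("203.0.113.77", 25), ("203.0.113.77", 25),
    ("203.0.113.77", 443),                     # not SMTP, ignored here
]

def expand_entry(entry):
    """Turn one computer-set entry into a list of ip_network objects."""
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-"))
        if first > last:
            raise ValueError(f"range start is after range end: {entry}")
        return list(ipaddress.summarize_address_range(first, last))
    # strict=True rejects a subnet entry that has host bits set (a common typo)
    return [ipaddress.ip_network(entry, strict=True)]

def build_set(entries):
    nets = [n for e in entries for n in expand_entry(e)]
    return list(ipaddress.collapse_addresses(nets))

def is_allowed(source, networks):
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in networks)

def denied_smtp_sources(log, networks, port=25):
    """Count SMTP connection attempts per source that falls outside the set."""
    return Counter(src for src, dport in log
                   if dport == port and not is_allowed(src, networks))

if __name__ == "__main__":
    nets = build_set(COMPUTER_SET)
    for src, hits in denied_smtp_sources(SAMPLE_LOG, nets).most_common():
        print(f"deny {src:<15} attempts={hits}")
```

The boundary cases (the address just past a range end, the first address outside a subnet) are the ones worth checking whenever the provider's published list is transcribed into the set by hand.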




All mail to and from this domain is scrutinized by GFI.


------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx

