
I just had a problem with our ISP; our internet connection was blocked because there was too much mail being sent from our IP. The problem is that we all use Gmail and that no mail is being sent through the ISP SMTP server as far as we know (the ISP blocks all traffic to port 25 if it is not on their server).

I blocked port 25 in advance, so no outgoing mail to that mail server can leave our network. But this does not reject mail sent to ports on other servers.

What I would like to do is to find out what is sending those mails on our network. Is there a program that can identify mail packets and reject them using Ubuntu? Our Ubuntu router does not run an SMTP server, by the way.

EEAA
WesleyE

4 Answers


You might want to block all your SMTP packets. This can be a real hassle; luckily there is l7-filter. It can block a lot of different protocols, you just have to install it on your gateway/firewall.

timmeyh

tcpdump is a useful tool for dumping packets off the network, either to a file or to the screen. It's generally available in the distro packaging repositories and is very well documented and tested for situations like this.

You can install tcpdump on the Ubuntu router (`apt-get install tcpdump`) and configure it to watch for SMTP traffic:

    # tcpdump -s0 -w/tmp/smtp_dump port 25
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

You can review the file for which hosts are sending SMTP traffic from another SSH session:

    # tcpdump -qr /tmp/smtp_dump
    reading from file /tmp/smtp_dump, link-type EN10MB (Ethernet)
    13:27:54.291884 IP g0801.hpl.com.33942 > pz-in-f27.1e100.net.smtp: tcp 0
    13:27:54.315294 IP pz-in-f27.1e100.net.smtp > g0801.hpl.com.33942: tcp 0
    13:27:54.315323 IP g0801.hpl.com.33942 > pz-in-f27.1e100.net.smtp: tcp 0
    13:27:54.339110 IP pz-in-f27.1e100.net.smtp > g0801.hpl.com.33942: tcp 45
    ...

You can get more sophisticated output if you install Wireshark on your local machine and download the dump files, or use tshark at the SSH command line.

Warning: tcpdump will fill your disk in quick time if you have a lot of SMTP traffic, so review the output file size with `ls -lh /tmp/smtp_dump` and stop the command with Ctrl-C when you have a few MB of data to look at.

Interface options to tcpdump (`-i eth0`): if your router uses a different interface than eth0, then you might have to select it with the `-i` option, e.g. `tcpdump -i bond0 -s0 -w/tmp/smtp_dump port 25`.

Tom
  • Obviously, once you have determined which machine is sending this SMTP traffic to the public internet, you can take steps to remove it from the network, or you can block the traffic using a suitable rule: `iptables -I FORWARD -m tcp -p tcp --dport 25 -j DROP` – Tom May 27 '12 at 20:47

Mail can also be sent on ports 465 and 587 (465 has been revoked but may still be in use). Combined with abusing a proxy server, mail can even be sent on port 80 or 443 or 3128 (for Squid) or many others.

Does your network have a single exit point to the internet? Do you have a firewall at that point?

If not, you will want that. If you have multiple exit points, you should have firewalls on each. (Possibly the same physical box.)

Set your firewalls to drop everything by default and allow through only the traffic you want.

If you don't know what your normal traffic is, you can add a logging line to the end of your firewall rules so that everything that isn't already matched gets logged.

Even if you manage to block the traffic using the firewall, you will still want to track down and stop whatever is sending the mail. If you don't know what process is sending it, the source could easily be a compromised system, an open proxy, or a web form that some spammer is abusing. I wouldn't want one of those in my network.

Ladadadada
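To turn a capture into a list of suspect hosts, here is a small parser for the `tcpdump -qr` output format shown in Tom's answer, widened to the 465 and 587 ports mentioned in this one. It is an added example, not code from either answer; the sample lines, host names and ports in it are constructed, and the port names assume tcpdump resolves them via /etc/services (run tcpdump with `-n` to get plain numbers).

```python
import re
import sys
from collections import defaultdict

# One packet per line, as printed by `tcpdump -qr <file>` for TCP traffic.
LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): tcp (\d+)\s*$")

# Mail ports, numeric and as /etc/services names (smtp=25, submission=587,
# urd/ssmtp/smtps=465, depending on the distribution's services file).
MAIL_PORTS = {"25", "587", "465", "smtp", "submission", "urd", "ssmtp", "smtps"}

# Constructed sample in tcpdump -qr format; hosts and ports are made up.
SAMPLE = """\
13:27:54.291884 IP g0801.hpl.com.33942 > pz-in-f27.1e100.net.smtp: tcp 0
13:27:54.315294 IP pz-in-f27.1e100.net.smtp > g0801.hpl.com.33942: tcp 0
13:27:54.339110 IP pz-in-f27.1e100.net.smtp > g0801.hpl.com.33942: tcp 45
13:27:55.100000 IP 192.168.1.77.50012 > mail.example.net.submission: tcp 0
13:27:55.200000 IP 192.168.1.77.50013 > mail.example.net.urd: tcp 120
13:27:56.000000 IP 192.168.1.77.50014 > 203.0.113.9.25: tcp 512
13:27:57.000000 IP 192.168.1.10.40001 > www.example.org.http: tcp 0
"""


def split_endpoint(endpoint):
    """'host.port' -> (host, port); the port is always the last dotted part."""
    host, port = endpoint.rsplit(".", 1)
    return host, port


def mail_senders(dump_text):
    """Return {source_host: {"flows": n, "bytes": b}} for packets *to* a mail port.

    Only packets whose destination port is a mail port count, so the server's
    replies (source port smtp) never make the server look like a sender.
    """
    stats = defaultdict(lambda: {"flows": 0, "bytes": 0})
    seen_flows = set()
    for line in dump_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # IPv6, UDP, ARP, etc. are ignored in this example
        src, dst, length = m.groups()
        src_host, src_port = split_endpoint(src)
        dst_host, dst_port = split_endpoint(dst)
        if dst_port not in MAIL_PORTS:
            continue
        flow = (src_host, src_port, dst_host, dst_port)
        if flow not in seen_flows:
            seen_flows.add(flow)
            stats[src_host]["flows"] += 1
        stats[src_host]["bytes"] += int(length)
    return dict(stats)


if __name__ == "__main__":
    # Usage: tcpdump -qr /tmp/smtp_dump | python3 mail_senders.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for host, s in sorted(mail_senders(text).items(), key=lambda kv: -kv[1]["flows"]):
        print(f"{host:40} flows={s['flows']:5} bytes={s['bytes']}")
```

Hosts with many flows but few bytes are typical of a client hammering a server that refuses it, which is exactly the pattern an ISP rate limiter notices.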

The best solution is probably to configure your mail clients to use the submission port (587) or SSMTP port (465) when sending outgoing mail, and then block all outgoing traffic to port 25. Most mail providers should allow access on these ports for submitting outgoing mail.

mgorven
  • Thanks, but we don't use any mail clients at all. Gmail all the way over here, so no mail should ever have been sent from this network. – WesleyE May 28 '12 at 09:52