I'm throwing this out to see if anyone has any comments. Any input would be appreciated.
This isn't a Linux problem, but I am hoping to use Linux to solve a problem.
It's like this: there is a host on the internal network (most likely a Windows virus-infected machine) spewing spam.
I think I can solve this problem by blocking all outgoing SMTP traffic except for authenticated SMTP traffic. This way, those with a legitimate reason/need to access Port 25 will be given a password and can still use it, but a virus-infected machine with its own SMTP engine will not get out of the internal network. Additionally, I would like to set up some kind of logging to help identify the culprit. Anybody have any suggestions on what firewall can help me achieve this?
And, am I correct in my belief that the zombie computer will make use of its own SMTP engine (and thus be blocked, because it will not know to authenticate), rather than hijacking and using a local mail client like Outlook or (gasp!) Outlook Express?
Any ideas or comments welcome.
Spyware and other forms of malware will generally use their own smtp server within their code. What I would do is ensure that all of the machines are clean (use adaware and spybot and whatever your AV software can do), and monitor all machines somehow. What I have done in the past is block almost everything. I allowed http, https, smtp (only on the mail server), pop, imap, and any special ports that cannot be changed for softwares (like updaters that use weird configurations). Really, though, a good firewall strategy is ideal here. Your webserver should not need http or https, nor ftp or telnet, so block that there too, regardless of whether or not the service is running.
I found that OpenBSD can do this real well, and alot simpler to setup. I had created IP address groups that had similar priveledges and setup the DHCP server to give static IPs for specific MACs so they could have special priveledges. Then those groups get rules applied to them. Read up on pf.conf for details on the structure of the script and soforth. Iptables can do the job, but its much more of a strain (to me at least).