Port 25 SMTP logging - need help

I have just loaded LnS to try out, using the default settings. I've allowed the specific app sthat I know to get to the web, and that's all so far. Nothing in my log area yet.

I have a problem where a very tricky to detect/remove spambot is sending out burst of spams on Port 25 SMTP, at random time intervals. I would like to be able to log Port 25 outgoing events specifically and block specific apps from using it but allow my emailer (Outlook) access until I can find the tools to detect and remove the offending malware. I am a newbie in the world of firewalls and creating rules/filters i.e. never done it.

I like LnS light footprint of system resources so far. Thanks for any help and I did try doing some searches in this forum and not much luck yet.

 

Hi Again!

1) Lets setup LNS for you open the main GUI window a click on the Options tab then click the Advance options tab and check all the boxes in that (miscellaneous window) after click on the DLLs tab an enable the DLL detection then close the 2 windows that you opened.

2) Go to the Internet filtering tab and click load and click on enhanced rule set and click open, now it is setup to show anything trying to connect to the web.

Hope you see the problem program trying to connect to the web!!

Here is the thread I was looking for and found to setup LNS.
https://www.wilderssecurity.com/showthread.php?t=83498

The best thing you should do is Join Log'N'Rock in my siggy line and go to http://www.lognrock.com/forum/index.php?showforum=5 forum and they will help find any malware that you might have and help you clean it!

TH

 

Thanks again TH

I did all the things you mentioned to setup LnS and I will look over that thread too.

 

Your welcome!

Cheers,

TH

 

For this to work as you wish, you would need to make some serious changes in your ruleset, as I understand you are using the default one.
You would first need to delete/disable the "Authorize most common Internet services" rule which is quite open and will allow connection to any remote port. Next create a client rule for each service you are using (http, POP, SMTP, FTP). Set the SMTP rule for logging and add Outlook executable to it, so only Outlook can connect through port 25. Now your spambot can do nothing.
If you have troubles with this procedure, ask.

 

Thanks Seer, I will give that a try. Right now I am running the enhanced ruleset setup as TH outlined above.

 

@Seer
I agree with your procedure but I have one question. From my understanding how LooknStop work, while Outlook is connected and the rule is active then every application which have internet permission can connect through port 25, am I right?

Maybe is a good idea to add restriction to SMTP port only for Outlook (in application rules) and block access to that port for other applications?

 

Basically yes, but there are ways to restrict that.

Take a look at my post on tying an executable to a specific rule here.

 

I mean in Application filtering not in Internet filtering, because in Application filtering you can restrict allowed application to specific TCP or UDP port(s) too. In Internet filtering you can tie application to trigger specific rule but when application is active (and rule is active) then every allowed application in Application filtering can connect using that rule.

So maybe is a better idea not to delete/disable the "Authorize most common Internet services" rule but in Application filtering blocking access to port 25 for suspicious application(s). In look'n'stop help file is a good explanation how to do that.

 

What you say makes sense, but I would like Frederic to confirm this. What will be the use of such rule if it doesn't whitelist only the application that is activating it? So when I start Outlook, then all apps can use the rule? Hmmm... I'm not sure I like this.

If the above is true, you are certainly right.