Port 25 SMTP logging - need help

Discussion in 'LnS English Forum' started by cyb_2009, Jul 26, 2009.

Thread Status:
Not open for further replies.
  1. cyb_2009

    cyb_2009 Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    13
    I have just loaded LnS to try out, using the default settings. I've allowed the specific apps that I know to get to the web, and that's all so far. Nothing in my log area yet.

    I have a problem where a very tricky to detect/remove spambot is sending out bursts of spam on Port 25 SMTP, at random time intervals. I would like to be able to log Port 25 outgoing events specifically and block specific apps from using it but allow my emailer (Outlook) access until I can find the tools to detect and remove the offending malware. I am a newbie in the world of firewalls and creating rules/filters, i.e., I've never done it.

    I like LnS's light footprint on system resources so far. :thumb: Thanks for any help. I did try doing some searches in this forum and not much luck yet.
     
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    Hi Again!

    1) Let's set up LNS for you: open the main GUI window and click on the Options tab, then click the Advanced options tab and check all the boxes in that (Miscellaneous) window. After that, click on the DLLs tab and enable the DLL detection, then close the 2 windows that you opened.

    2) Go to the Internet filtering tab, click Load, click on the enhanced rule set and click Open. Now it is set up to show anything trying to connect to the web.

    Hope you see the problem program trying to connect to the web!!

    Here is the thread I was looking for and found to set up LNS.
    https://www.wilderssecurity.com/showthread.php?t=83498

    The best thing you should do is join Log'N'Rock in my siggy line and go to the http://www.lognrock.com/forum/index.php?showforum=5 forum, and they will help find any malware that you might have and help you clean it!

    TH
     
    Last edited: Jul 26, 2009
  3. cyb_2009

    cyb_2009 Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    13
    Thanks again TH :thumb:

    I did all the things you mentioned to setup LnS and I will look over that thread too.
     
  4. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,011
    Location:
    Ontario, Canada
    You're welcome!

    Cheers,

    TH
     
  5. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    For this to work as you wish, you would need to make some serious changes in your ruleset, as I understand you are using the default one.
    You would first need to delete/disable the "Authorize most common Internet services" rule, which is quite open and will allow connection to any remote port. Next, create a client rule for each service you are using (HTTP, POP, SMTP, FTP). Set the SMTP rule for logging and add the Outlook executable to it, so only Outlook can connect through port 25. Now your spambot can do nothing.
    If you have troubles with this procedure, ask.
     
  6. cyb_2009

    cyb_2009 Registered Member

    Joined:
    Jul 25, 2009
    Posts:
    13
    Thanks Seer, I will give that a try. Right now I am running the enhanced ruleset set up as TH outlined above.
     
  7. wrathchild

    wrathchild Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    170
    Location:
    Neoplantesis
    @Seer
    I agree with your procedure but I have one question. From my understanding of how LooknStop works, while Outlook is connected and the rule is active, every application which has internet permission can connect through port 25, am I right?

    Maybe it is a good idea to add a restriction to the SMTP port only for Outlook (in application rules) and block access to that port for other applications?
     
  8. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Basically yes, but there are ways to restrict that.

    Take a look at my post on tying an executable to a specific rule here.
     
  9. wrathchild

    wrathchild Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    170
    Location:
    Neoplantesis
    I mean in Application filtering, not in Internet filtering, because in Application filtering you can restrict an allowed application to specific TCP or UDP port(s) too. In Internet filtering you can tie an application to trigger a specific rule, but when the application is active (and the rule is active), then every allowed application in Application filtering can connect using that rule.

    So maybe it is a better idea not to delete/disable the "Authorize most common Internet services" rule, but to block access to port 25 for the suspicious application(s) in Application filtering. In the Look'n'Stop help file there is a good explanation of how to do that.
     
    Last edited: Jul 29, 2009
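
The two approaches argued over in posts 5 and 9 (drop the permissive catch-all rule and write one client rule per service with SMTP tied to Outlook, versus keeping the catch-all and blocking port 25 per suspicious application) can be expressed for the built-in Windows Defender Firewall, which is what most readers have today. This is an added example written for this page, not Look 'n' Stop's own ruleset and not code from anyone in the thread; it uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later, elevated PowerShell). The Outlook and suspect-program paths are placeholders you must replace.

```powershell
# Added example (not from the thread, not Look 'n' Stop): the port-25 policy
# discussed above, for Windows Defender Firewall via the NetSecurity module.
# Run from an elevated PowerShell. Paths below are ASSUMED placeholders.

$Outlook = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'  # assumed path
$Suspect = 'C:\Users\Public\suspect.exe'                                   # assumed path
$LogFile = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
$Profiles = 'Domain', 'Private', 'Public'

# Step 0: log allowed AND blocked connections, so the random port-25 bursts
# show up in pfirewall.log even before any blocking rule is in place.
Set-NetFirewallProfile -Profile $Profiles -LogFileName $LogFile `
    -LogAllowed True -LogBlocked True -LogMaxSizeKilobytes 8192

# ---- Approach A (post 5): no catch-all, one client rule per service --------
# Equivalent of deleting "Authorize most common Internet services":
# nothing leaves the host unless a rule says so.
Set-NetFirewallProfile -Profile $Profiles -DefaultOutboundAction Block

# Name resolution must stay open or nothing else will work.
New-NetFirewallRule -DisplayName 'Client: DNS' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -Action Allow
# Web for any program (add -Program to pin it to your browser if you prefer).
New-NetFirewallRule -DisplayName 'Client: HTTP/HTTPS' -Direction Outbound `
    -Protocol TCP -RemotePort 80, 443 -Action Allow
# Mail: only the Outlook binary may open port 25 (or POP3).
New-NetFirewallRule -DisplayName 'Client: POP3 (Outlook only)' -Direction Outbound `
    -Program $Outlook -Protocol TCP -RemotePort 110 -Action Allow
New-NetFirewallRule -DisplayName 'Client: SMTP (Outlook only)' -Direction Outbound `
    -Program $Outlook -Protocol TCP -RemotePort 25 -Action Allow

# ---- Approach B (post 9): keep the defaults, block port 25 per program ------
# Windows Firewall evaluates Block rules before Allow rules, so a program-
# scoped Block is safe beside the Outlook Allow rule. A blanket "block port 25
# for every program" rule would NOT be: it would also win over the Outlook
# Allow and break legitimate mail. Hence the per-program scope here.
New-NetFirewallRule -DisplayName 'Block SMTP: suspect.exe' -Direction Outbound `
    -Program $Suspect -Protocol TCP -RemotePort 25 -Action Block

# Check what is actually in force for remote port 25.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.RemotePort -contains '25' } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Enabled
```

Pick one approach rather than running both blocks as written: A answers wrathchild's concern directly, because an Allow rule with `-Program` only ever matches that executable, so other processes are not carried along while Outlook is connected; B is the smaller change but only covers programs you have already identified. Either way, watch `pfirewall.log` for `DROP ... 25` lines after applying the rules; that is the evidence of where the spambot attempts are coming from. If your mail server also uses submission port 587, give it the same treatment as 25.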
  10. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    What you say makes sense, but I would like Frederic to confirm this. What will be the use of such a rule if it doesn't whitelist only the application that is activating it? So when I start Outlook, then all apps can use the rule? Hmmm... I'm not sure I like this.

    If the above is true, you are certainly right.
     