06-24-2002 01:18 PM - edited 03-08-2019 11:06 PM
Hi,
I have a fairly basic question. We have a very small network, but have seen spam on the rise recently. It comes from a limited number of domains and I would like to block it at the router level, so my email server does not even need to see it. However, I've added (what I think are) the appropriate access-list lines and email from those subnets still seems to be passing through. Can someone help? An example of the line that I have is:
access-list 101 deny ip 207.33.16.0 0.0.0.255 any
(I think this blocks ips in the range 207.33.16.0 - 207.33.16.255).
Also, if there is a better (but free) way of blocking incoming spam traffic at the router level, I would love to hear it. We run MS Exchange and its filtering seems completely inept.
Thanks for any help.
06-24-2002 08:01 PM
The access-list you show would drop all traffic from 207.33.16.0-255, assuming you have it applied INBOUND on your outside interface, for example:
int serial 0
description Interface to Internet
ip access-group 101 in
Keep in mind though that at the end of every access-list, there's an implicit "deny all", so if you just have the above line in your ACL, it will actually block ALL traffic. A better way to do this would be to just filter SMTP traffic with the following:
access-list 101 deny tcp 207.33.16.0 0.0.0.255 any eq smtp
access-list 101 permit ip any any
Having said that, this is still not a very good way to block spam, since the spam could be coming from any number of different SMTP servers on the Internet. There is really no good way to block it from the router, unfortunately; you're better off doing it from your internal mail gateway.
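The first-match and implicit-deny behaviour described in the reply above, modelled in Python as an added example that is not part of the original thread. The parser handles only the ACL syntax shown in this thread, and the source addresses 207.33.16.40 and 192.0.2.10 are constructed test values.

```python
import ipaddress

SMTP = 25  # the IOS keyword "smtp" means TCP port 25

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 1 bits are ignored, 0 bits must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line):
    """Parse: access-list N {permit|deny} {ip|tcp} <src> <wildcard>|any any [eq smtp]"""
    t = line.split()
    action, proto, rest = t[2], t[3], t[4:]
    if rest[0] == "any":
        src, rest = ("0.0.0.0", "255.255.255.255"), rest[1:]
    else:
        src, rest = (rest[0], rest[1]), rest[2:]
    if rest[0] != "any":
        raise ValueError("only destination 'any' is modelled here")
    port = SMTP if rest[1:] == ["eq", "smtp"] else None
    return action, proto, src, port

def evaluate(acl_lines, proto, src_ip, dst_port=None):
    """Return the action of the first matching entry, top to bottom."""
    for line in acl_lines:
        action, ace_proto, (base, wc), port = parse_ace(line)
        if ace_proto != "ip" and ace_proto != proto:
            continue  # "ip" matches every protocol; "tcp" only TCP
        if not wildcard_match(src_ip, base, wc):
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"  # implicit "deny all" at the end of every access-list

# The single deny line on its own, then the two-line SMTP filter from the reply.
DENY_ONLY = ["access-list 101 deny ip 207.33.16.0 0.0.0.255 any"]
SMTP_FILTER = [
    "access-list 101 deny tcp 207.33.16.0 0.0.0.255 any eq smtp",
    "access-list 101 permit ip any any",
]

if __name__ == "__main__":
    for name, acl in (("deny-only", DENY_ONLY), ("smtp-filter", SMTP_FILTER)):
        for src, port in (("207.33.16.40", 25), ("207.33.16.40", 80), ("192.0.2.10", 25)):
            print(name, src, port, evaluate(acl, "tcp", src, port))
```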
06-25-2002 05:50 AM
Thanks for the reply. Yes - I have this set inbound on my outside interface... Hmm, I wonder if it has anything to do with the other filters I have... To be more complete, here is an extended sample. My email server IP is 198.234.234.5 (not real) in this example.
access-list 101 deny ip 207.33.16.0 0.0.0.255
access-list 101 permit tcp any any established
access-list 101 permit udp any host 198.234.234.5 eq smtp
access-list 101 permit ip any host 198.234.234.5
So - do the last three cancel out the first one - or should this configuration work? I'll look into the firewall product as well.
The reasons I want to block it at the router are (a) it seems to be coming from a reasonably well defined set of spammers and (b) the filtering in MS Exchange (my email server) is just terrible. I started with Exchange filtering and it has just had a 0% success rate. My next step is to purchase a mail spam protection system, but I'm trying to avoid that if I can.
(Plus, it always helps to learn more about the capabilities and configuration of the router).
06-25-2002 12:11 AM
Well, on a router, there are several ways to do this, but the most elegant would be using the IOS Firewall IDS technique, which also takes care of spam attacks (but the IOS FW image is not free).
Also, you could look into CAR to limit the bandwidth for SMTP traffic. The link below is not exactly a sample config, but it gives you an idea of how to use CAR:
http://www.cisco.com/warp/public/63/car_rate_limit_icmp.html
HTH
R/Yusuf