Basic IOS Filtering Question

meredda
Level 1

Hi,

I have a fairly basic question. We have a very small network, but have seen spam on the rise recently. It comes from a limited number of domains and I would like to block it at the Router level, so my email server does not even need to see it. However, I've added (what I think are) the appropriate access-list lines and email from those subnets still seems to be passing through. Can someone help. An example of the line that I have is:

access-list 101 deny ip 207.33.16.0 0.0.0.255 any

(I think this blocks ips in the range 207.33.16.0 - 207.33.16.255).

Also, if there is a better (but free) way of blocking incoming spam traffic at the router level, I would love to hear it. We run MS Exchange and its filtering seems completely inept.

Thanks for any help.

3 Replies

gfullage
Cisco Employee

The access-list you show would drop all traffic from 207.33.16.0-255, assuming you have it applied INBOUND on your outside interface, for example:

int serial 0

description Interface to Internet

ip access-group 101 in

Keep in mind though that at the end of every access-list, there's an implicit "deny all", so if you just have the above line in your ACL, it will actually block ALL traffic. A better way to do this would be to just filter SMTP traffic with the following:

access-list 101 deny tcp 207.33.16.0 0.0.0.255 any eq smtp

access-list 101 permit ip any any

Having said that, this is still not a very good way to block spam, since the spam could be coming from any number of different SMTP servers on the Internet. There is really no good way to block it from the router unfortunately, you're better off doing it from your internal mail gateway.

Thanks for the reply. Yes, I have this set inbound on my outside interface. Hmm, I wonder if it has anything to do with the other filters I have. To be more complete, here is an extended sample. My email server IP is 198.234.234.5 (not real) in this example.

access-list 101 deny ip 207.33.16.0 0.0.0.255

access-list 101 permit tcp any any established

access-list 101 permit udp any host 198.234.234.5 eq smtp

access-list 101 permit ip any host 198.234.234.5

So - do the last three cancel out the first one - or should this configuration work? I'll look into the firewall product as well.

The reasons I want to block it at the router are (a) it seems to be coming from a reasonably well defined set of spammers and (b) the filtering in MS Exchange (my email server) is just terrible. I started with Exchange filtering and it has just had a 0% success rate. My next step is to purchase a mail spam protection system, but I'm trying to avoid that if I can.

(Plus, it always helps to learn more about the capabilities and configuration of the router.)
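To make the first-match and implicit-deny behaviour discussed in gfullage's reply concrete, and to check how the fuller list in the follow-up post would be evaluated, here is a small Python evaluator for the extended access-list syntax used in this thread. This is an added example, not code from the thread or from Cisco IOS: it models only the keywords the posted lines use (any, host, wildcard masks, eq PORT, established) and runs constructed packets through the one-line deny ACL, the SMTP-only ACL, and the poster's four-line ACL. The poster's first line was posted without a destination; the evaluator assumes `any`, matching the form in their first post. Addresses other than the thread's own (203.0.113.7 as another Internet host, 198.234.234.20 as another internal host) are assumed.

```python
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "telnet": 23}


@dataclass(frozen=True)
class Packet:
    """A constructed inbound packet as the outside interface would see it."""
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    dport: int = 0
    ack_or_rst: bool = False   # TCP ACK or RST bit set, which is what 'established' tests


def _wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care' (the inverse of a netmask)."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'); return (matcher, rest)."""
    if not tokens:
        raise ValueError("an extended ACE needs both a source and a destination")
    if tokens[0] == "any":
        return (lambda ip: True), tokens[1:]
    if tokens[0] == "host":
        host = tokens[1]
        return (lambda ip: ip == host), tokens[2:]
    base, wildcard = tokens[0], tokens[1]
    return (lambda ip: _wildcard_match(ip, base, wildcard)), tokens[2:]


def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT] [established]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = _parse_addr(t[4:])
    dst, rest = _parse_addr(rest)
    ace = {"action": t[2], "proto": t[3], "src": src, "dst": dst,
           "dport": None, "established": False}
    while rest:
        tok = rest.pop(0)
        if tok == "eq":
            port = rest.pop(0)
            ace["dport"] = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        elif tok == "established":
            ace["established"] = True
        else:
            raise ValueError(f"unsupported keyword {tok!r} in: {line}")
    return ace


def _matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if not (ace["src"](pkt.src) and ace["dst"](pkt.dst)):
        return False
    if ace["dport"] is not None and pkt.dport != ace["dport"]:
        return False
    if ace["established"] and not (pkt.proto == "tcp" and pkt.ack_or_rst):
        return False
    return True


def evaluate(acl, pkt):
    """Top-down, first match wins; no match means the implicit deny (reported as None)."""
    for line in acl:
        ace = parse_ace(line)
        if _matches(ace, pkt):
            return ace["action"], line
    return "deny", None


MAIL = "198.234.234.5"   # the thread's placeholder mail-server address

# Only the deny line: everything else falls through to the implicit deny.
DENY_ONLY = ["access-list 101 deny ip 207.33.16.0 0.0.0.255 any"]
# The SMTP-only filter with an explicit permit at the end.
SMTP_ONLY = ["access-list 101 deny tcp 207.33.16.0 0.0.0.255 any eq smtp",
             "access-list 101 permit ip any any"]
# The poster's fuller list; their first line was posted without a destination, so 'any' is assumed.
POSTER_ACL = ["access-list 101 deny ip 207.33.16.0 0.0.0.255 any",
              "access-list 101 permit tcp any any established",
              f"access-list 101 permit udp any host {MAIL} eq smtp",
              f"access-list 101 permit ip any host {MAIL}"]

# Constructed packets: 203.0.113.7 is an assumed outside host, 198.234.234.20 an assumed inside host.
SPAM_SMTP = Packet("207.33.16.10", MAIL, "tcp", 25)
OTHER_SMTP = Packet("203.0.113.7", MAIL, "tcp", 25)
SPAM_WEB = Packet("207.33.16.10", "198.234.234.20", "tcp", 80)
REPLY_TO_INSIDE = Packet("203.0.113.7", "198.234.234.20", "tcp", 51000, ack_or_rst=True)
NEW_SSH_INSIDE = Packet("203.0.113.7", "198.234.234.20", "tcp", 22)

if __name__ == "__main__":
    for name, acl in (("deny-only", DENY_ONLY), ("smtp-only", SMTP_ONLY), ("poster", POSTER_ACL)):
        for pkt in (SPAM_SMTP, OTHER_SMTP, SPAM_WEB, REPLY_TO_INSIDE, NEW_SSH_INSIDE):
            verdict, line = evaluate(acl, pkt)
            print(f"{name:9} {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {verdict} ({line or 'implicit deny'})")
```

Running it prints one verdict per ACL and packet. Two things stand out: with the one-line ACL even a return packet to an inside host is dropped by the implicit deny, which is the point made in the first reply; and in the four-line list as modelled, SMTP from 207.33.16.0/24 is denied on the first line before the `established` or mail-server permits are reached, while a new inbound connection to any inside host other than the mail server hits the implicit deny.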

yusuff
Cisco Employee

Well, on a router there are several ways to do this, but the most elegant would be using the IOS Firewall IDS technique, which also takes care of spam attacks (but the IOS FW image is not free):

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/iosfw2/ios_ids.htm#xtocid96

Also, you could look into CAR to limit the bandwidth for SMTP traffic. The link below is not exactly a sample config, but it should give you an idea of how to use CAR:

http://www.cisco.com/warp/public/63/car_rate_limit_icmp.html

HTH

R/Yusuf