Spamcop

Hello group,

we are having a problem with a public IP address on our perimeter router being blocked by spamcop, which is affecting some of our Canopy clients.

Has anyone found a solution to determining which SM is generating the spam?

I’m pretty sure that someone must have some malware infecting their PC as the spam is mostly about Viagra sales! :lol:

However, this is seriously affecting some of our other clients.

Any help would be appreciated.

Best regards

Sam

So, it sounds like you must have a border NAT router that translates internal customer IPs to your external perimeter IPs. Your NAT router must tell you what translations it made for this to be useful.

What I would do is:

1. Install OpenBSD on the perimeter
2. Configure it for NAT
3. Install pfflowd on your perimeter
4. Install flowd on another box (with lots of disk space)
5. Setup newsyslog.conf on the other box to rotate flowd capture logs

Now, when you have a problem, you can use flowd-reader or other netflow analysis tools to see what was happening.

If your users get dynamically assigned IPs behind the NAT, then you will also need to record your DHCP leases and AP bridging tables every 20 minutes or so to track down which MAC address was what IP address, during what time.

flowd: http://www.mindrot.org/projects/flowd/
pfflowd: http://www.mindrot.org/projects/pfflowd/

You can get a nice PC Engines 500 MHz board and case, suitable for routing protocols, pfflowd, and much more for around $130 USD with various ethernet and mini-pci slots.

pcengines: http://www.pcengines.ch/

Read about OpenBSD’s networking features on the OpenBSD web site.

papers: http://www.openbsd.org/papers/
faq: http://www.openbsd.org/faq/

Last, but not least, you can install OpenBSD on to a small or large flash with flashdist:

flashdist: http://www.nmedia.net/flashdist/

Flashdist also comes with ready to run binary images.

You can just filter outbound SMTP before it has a chance to leave your network if you have a firewall. If you don’t have a firewall, a simple decent server setup to bridge between DMZ/Edge running Linux w/iptables could solve this (temporarily) until you get a permanent solution in there such as an Astaro appliance or something similar.