Reading stories about Windows workstations becoming members of a spam botnet becomes way less enjoyable when you're faced with the same problem (one of my kids managed to install a Trojan). It took me a day to clean the infected computer (it would have been easier to just format it, but reinstalling Windows XP and Office yet again is so boring), but I've learned a few interesting networking lessons in the process that I'll document in the coming days.
Let's start with an easy one: once you discover that one of your workstations is opening a lot of SMTP sessions, immediately block it on the router that acts as your firewall. The same access list will later help you verify that you've removed all spam-related infections: if the hit counter on the deny entry (show ip access-lists) stops growing and no new log messages appear, the workstation has stopped trying to send mail. I've used the simplest access list possible; applied inbound on the LAN-facing interface, it blocks (and logs) outbound TCP sessions from the infected workstation to port 25 and lets everything else through.
ip access-list extended Inside
 deny tcp host 192.168.200.198 any eq smtp log
 permit ip any any
!
interface Vlan1
 ip access-group Inside in
If you want a more sophisticated solution, you might also log the outbound TCP sessions of the affected PC. The following access list blocks all outbound SMTP sessions and logs the first packet of every other outbound TCP session: the established entry lets packets with the ACK or RST bit set through unlogged, so only the initial SYN of a new session reaches the logging entry. DNS over UDP is allowed, but all other UDP from that host is blocked. All other hosts are not affected (the permit ip any any at the end). Keep in mind that the log keyword generates a syslog message for the first packet of each new flow and a summary every five minutes, and that logged packets are handled by the router CPU, so keep the logging entries specific to the one suspect host rather than logging everything on the interface.
ip access-list extended InsideLog
 deny tcp host 192.168.200.198 any eq smtp log
 permit tcp host 192.168.200.198 any established
 permit tcp host 192.168.200.198 any log
 permit udp host 192.168.200.198 any eq domain
 deny udp host 192.168.200.198 any
 permit ip any any
Recent IOS releases support access list matching on individual bits in the TCP header. Using this functionality, you can match and log only TCP packets with the SYN bit set; the rest of the TCP session is permitted by the permit ip any any at the end, so the established entry is no longer needed. Note that the syn keyword matches every packet with the SYN bit set, including the SYN-ACK replies the workstation sends to inbound connections; if your IOS release supports the match-all +syn -ack syntax, use it to log only the initial SYN of outbound sessions. Either way, the deny entry for SMTP has to stay in front of the logging permit entry, otherwise SMTP sessions would be permitted and logged instead of blocked.
ip access-list extended InsideLog
 deny tcp host 192.168.200.198 any eq smtp log
 permit tcp host 192.168.200.198 any syn log
 permit udp host 192.168.200.198 any eq domain
 deny udp host 192.168.200.198 any
 permit ip any any
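Both logging access lists above produce %SEC-6-IPACCESSLOGP syslog messages, one per new flow plus a five-minute summary, and with a spam bot on the LAN that quickly becomes hundreds of lines. The script below is an added example (my own code, not part of the original post or of IOS) that parses those messages for one suspect host and summarizes them per destination port, counting packets and distinct destinations. A legitimate workstation talks to a handful of web servers; a spam bot fans out to many different mail servers on port 25, so the distinct-destination count per port is the number that matters. The log lines embedded in the script are constructed for the example (the router name, sequence numbers and addresses are made up), and the reporting threshold is an assumption you should tune to your own network.

```python
"""Summarize Cisco IOS ACL log messages for one suspect host.

Added example, not code from the original post. It parses the
%SEC-6-IPACCESSLOGP lines that the "log" keyword in an extended ACL
emits and aggregates them per (action, protocol, destination port).
"""
import re
from collections import defaultdict

# Constructed sample syslog lines in the IOS ACL logging format.
# Router name, sequence numbers and addresses are made up for the example;
# the last line is the five-minute summary IOS emits for a continuing flow.
SAMPLE_LOG = """\
Jan 10 20:01:11 gw 123: %SEC-6-IPACCESSLOGP: list InsideLog denied tcp 192.168.200.198(1031) -> 198.51.100.7(25), 1 packet
Jan 10 20:01:12 gw 124: %SEC-6-IPACCESSLOGP: list InsideLog denied tcp 192.168.200.198(1032) -> 198.51.100.9(25), 1 packet
Jan 10 20:01:13 gw 125: %SEC-6-IPACCESSLOGP: list InsideLog permitted tcp 192.168.200.198(1033) -> 203.0.113.5(80), 1 packet
Jan 10 20:01:15 gw 126: %SEC-6-IPACCESSLOGP: list InsideLog permitted tcp 192.168.200.198(1034) -> 203.0.113.66(6667), 1 packet
Jan 10 20:06:11 gw 127: %SEC-6-IPACCESSLOGP: list InsideLog denied tcp 192.168.200.198(1031) -> 198.51.100.7(25), 17 packets
"""

SUSPECT = "192.168.200.198"  # the workstation named in the access lists

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<packets>\d+) packets?"
)


def parse_acl_log(text):
    """Return one record per IPACCESSLOGP line; other syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        rec = match.groupdict()
        for key in ("sport", "dport", "packets"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarize(records, host):
    """Aggregate the host's flows by (action, proto, dport).

    Each entry carries the total packet count (first-packet messages and
    five-minute summaries added together) and the set of distinct destinations.
    """
    summary = defaultdict(lambda: {"packets": 0, "destinations": set()})
    for rec in records:
        if rec["src"] != host:
            continue
        entry = summary[(rec["action"], rec["proto"], rec["dport"])]
        entry["packets"] += rec["packets"]
        entry["destinations"].add(rec["dst"])
    return dict(summary)


def fan_out_ports(summary, min_destinations):
    """Ports the host tried to reach on at least min_destinations distinct hosts.

    Permitted and denied attempts are merged: a blocked SYN is still evidence
    that the machine is trying to talk to that destination.
    """
    dests = defaultdict(set)
    for (_action, proto, dport), entry in summary.items():
        dests[(proto, dport)] |= entry["destinations"]
    return sorted(
        (proto, dport, len(hosts))
        for (proto, dport), hosts in dests.items()
        if len(hosts) >= min_destinations
    )


if __name__ == "__main__":
    summary = summarize(parse_acl_log(SAMPLE_LOG), SUSPECT)
    for (action, proto, dport), entry in sorted(summary.items()):
        print(f"{action:9} {proto} port {dport:5}: {entry['packets']:4} packets, "
              f"{len(entry['destinations'])} distinct destinations")
    # Threshold of 2 is an assumption for the tiny sample; use a higher one in practice.
    for proto, dport, count in fan_out_ports(summary, 2):
        print(f"fan-out: {proto}/{dport} to {count} destinations")
```

Feed it the output of show logging (or the syslog file on your collector) once the access list has been active for a while. Outbound SMTP should show up only as denied entries, and once the cleanup is done the port 25 line should stop growing while the web and DNS traffic carries on as before.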