Virus attack!!

From: Ahmed Al-Ghawas (ghawas@xxxxxxxxxxxxxx)
Date: Thu Aug 01 2002 - 03:43:35 GMT-3


   
Guys,

We have been attacked by a worm that uses IE as an SMTP engine and forwards
itself to any available address book on a user's machine via the default mail
server (in our case it's the Exchange Server).

Therefore, to reduce the load on the Exchange server, and since Outlook clients
do not rely on an SMTP connection to the Exchange server, I have decided to
block all outbound traffic to the server VLAN.

Here is what I did:

Clients are on several VLANs, 1-20
Server is on VLAN 2

interface Vlan2
 ip address x.x.x.x
 ip access-group 111 out
!
access-list 111 deny tcp any host x.x.x.x eq smtp log
access-list 111 permit ip any any

(where x.x.x.x in the access list is the Exchange Server IP address)

After applying the list I was still able to telnet from other VLANs to port 25
on the Exchange Server!!!
I even tried using an inbound access list on the client VLANs, but with no
luck. However, the permit statement matches several packets!

The router is an MSFC on a 6550 CAT Switch

Any help would be much appreciated
Thanks,
Ahmed
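As an added example (not part of the original post, and not router output or vendor code), the Python model below walks the posted access list the way IOS does on a routed VLAN interface: first matching entry wins, implicit deny at the end, and the ACL bound to an SVI is only consulted for packets that are actually routed through that SVI. A flow between two hosts in the same VLAN (a client on VLAN 2 talking to the server on VLAN 2) is bridged by the switch and never reaches the router ACL at all. The Exchange address 10.0.2.10, the 10.0.n.0/24-per-VLAN addressing plan and the sample flows are constructed assumptions; the parser also accepts address/wildcard pairs, which the post's list does not use.

```python
"""Toy model of how a Cisco IOS extended ACL bound to a VLAN interface (SVI)
is evaluated. Added example, not router output: the ACL mirrors the one in the
post, with the Exchange Server assumed at 10.0.2.10 and VLAN n at 10.0.n.0/24."""
import ipaddress
from dataclasses import dataclass

EXCHANGE = "10.0.2.10"                  # assumed Exchange Server address (VLAN 2)
PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "telnet": 23}

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int
    src_vlan: int   # VLAN the sending host is attached to

@dataclass(frozen=True)
class Ace:
    action: str     # "permit" or "deny"
    proto: str      # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int      # None means any destination port
    log: bool

def _parse_addr(tok, i):
    """Consume one address spec (any | host A | A WILDCARD) starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wild = int(ipaddress.ip_address(tok[i + 1]))
    prefix = bin(~wild & 0xFFFFFFFF).count("1")     # assumes a contiguous wildcard
    return ipaddress.ip_network(f"{tok[i]}/{prefix}", strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list N {permit|deny} PROTO SRC DST [eq PORT] [log]'."""
    tok = line.split()
    action, proto = tok[2].lower(), tok[3].lower()
    src, i = _parse_addr(tok, 4)
    dst, i = _parse_addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        port = tok[i + 1]
        dport = PORT_NAMES[port] if port in PORT_NAMES else int(port)
        i += 2
    log = i < len(tok) and tok[i] == "log"      # recorded, never changes the verdict
    return Ace(action, proto, src, dst, dport, log)

def ace_matches(ace, pkt):
    return (ace.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src_ip) in ace.src
            and ipaddress.ip_address(pkt.dst_ip) in ace.dst
            and ace.dport in (None, pkt.dport))

def evaluate_acl(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

def vlan_of(ip):
    return int(ip.split(".")[2])        # constructed plan: VLAN n uses 10.0.n.0/24

def forward(pkt, svi_acls):
    """What the MSFC does with pkt given {vlan: {"in": [...], "out": [...]}}.
    Hosts in the same VLAN talk over the switch's bridging path and never reach
    the routed interface, so no SVI ACL is consulted. Routed traffic is checked
    against the ingress SVI's 'in' list, then the egress SVI's 'out' list."""
    dst_vlan = vlan_of(pkt.dst_ip)
    if pkt.src_vlan == dst_vlan:
        return "bridged"
    for vlan, direction in ((pkt.src_vlan, "in"), (dst_vlan, "out")):
        acl = svi_acls.get(vlan, {}).get(direction)
        if acl is not None and evaluate_acl(acl, pkt) == "deny":
            return f"denied by vlan{vlan} {direction}"
    return "permitted"

ACL_111 = [parse_ace(l) for l in f"""
access-list 111 deny tcp any host {EXCHANGE} eq smtp log
access-list 111 permit ip any any
""".strip().splitlines()]
SVI_ACLS = {2: {"out": ACL_111}}        # 'ip access-group 111 out' on interface Vlan2

def demo():
    """Constructed flows; returns {description: verdict}."""
    flows = {
        "vlan5 client -> exchange:25": Packet("10.0.5.23", EXCHANGE, "tcp", 25, 5),
        "vlan2 client -> exchange:25": Packet("10.0.2.77", EXCHANGE, "tcp", 25, 2),
        "vlan5 client -> exchange:135": Packet("10.0.5.23", EXCHANGE, "tcp", 135, 5),
        "exchange -> vlan5 host:25": Packet(EXCHANGE, "10.0.5.23", "tcp", 25, 2),
    }
    return {name: forward(pkt, SVI_ACLS) for name, pkt in flows.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

Running it shows the routed client-to-server SMTP flow denied by the list on Vlan2, a non-SMTP flow falling through to the permit entry (which is why that entry shows matches), and the same-VLAN client reaching port 25 untouched, because that packet is switched, not routed. The model ignores how the `log` keyword is handled on the platform and does not attempt to reproduce any hardware-specific behaviour of the MSFC or the switch.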



This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:13 GMT-3