on 2-25-2009 10:32 AM mxc spake the following:
> Hi there,
>
> We have a machine on the network that has been infected and is sending out
> spam. The people responsible say the machine has been cleaned and
> disconnected from the network but this is not the case. It seems they don't
> know what they are doing and I have decided to rather block the client at
> the firewall. Endian had transparent smtp proxy enabled.
>
> I added the following IPTables rules
>
> iptables -I INPUT 1 -s 192.168.12.12 -j DROP
> and
> iptables -I FORWARD 1 -s 192.168.12.12 -j DROP
>
> But this has failed to stop the client from connecting and sending spam.
> What am I missing?
Are the rules far enough up the chain to hit? Or is that address hitting above them?

Can you physically or remotely just remove it from the switch port? I.e., maybe you can't access the machine, but do you have access to the switch closet? Or if you have a DHCP server, assign the system to a different subnet, or an invalid router address.

Personally I would go and physically have the cable disconnected until it is resolved. Your management needs to realize how important this is.

--
MailScanner is like deodorant...
You hope everybody uses it, and you notice quickly if they don't!!!!
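The reply's first question ("are the rules far enough up the chain to hit?") can be answered from the ruleset itself rather than by guessing. The script below is an added example, not code from either poster or from Endian: it parses `iptables-save` output and reports the position of the first `-s <addr> ... -j DROP` rule in a chain, plus whether a transparent SMTP proxy is redirecting port 25 in `nat/PREROUTING` (in which case the client's SMTP sessions terminate on the firewall and are judged by `INPUT`, not `FORWARD`). The ruleset embedded in `SAMPLE_RULES` is constructed for the demonstration; on a live box you would pipe `iptables-save` into the same functions. In the constructed sample the FORWARD DROP sits behind an `ESTABLISHED` ACCEPT, which is exactly the situation the reply is asking about: an already-open session keeps flowing.

```shell
#!/bin/sh
# Constructed iptables-save output (not taken from the list post). The client
# address 192.168.12.12 is the one from the thread; everything else is made up.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 8025
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -s 192.168.12.12/32 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 8025 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.12.12/32 -j DROP
-A FORWARD -i br0 -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT'

# drop_rule_position TABLE CHAIN SRC
# Reads iptables-save text on stdin and prints the 1-based position of the
# first rule in TABLE/CHAIN that matches "-s SRC" and jumps to DROP, or 0 if
# there is none. SRC must be written the way iptables-save prints it
# (a host address carries a /32 suffix).
drop_rule_position() {
    awk -v table="*$1" -v chain="$2" -v src="$3" '
        /^\*/ { in_table = ($0 == table); next }   # table header, e.g. *filter
        in_table && $1 == "-A" && $2 == chain {
            n++                                     # rule counter within the chain
            if (index($0, " -s " src " ") && $0 ~ / -j DROP$/) { print n; found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# smtp_redirected
# Exit status 0 if nat/PREROUTING redirects TCP port 25 (transparent SMTP
# proxy), 1 otherwise. With such a rule the client's mail traffic is handled
# locally, so the INPUT chain decides its fate and FORWARD never sees it.
smtp_redirected() {
    awk '
        /^\*/ { in_nat = ($0 == "*nat"); next }
        in_nat && $1 == "-A" && $2 == "PREROUTING" && / --dport 25 / && / -j REDIRECT/ { found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Report for the constructed ruleset; replace SAMPLE_RULES with `iptables-save`
# output to check a real firewall.
for chain in INPUT FORWARD; do
    pos=$(printf '%s\n' "$SAMPLE_RULES" | drop_rule_position filter "$chain" 192.168.12.12/32)
    case "$pos" in
        0) echo "$chain: no DROP for 192.168.12.12" ;;
        1) echo "$chain: DROP is rule 1, nothing can match ahead of it" ;;
        *) echo "$chain: DROP is rule $pos; rules 1..$((pos - 1)) run first (established sessions may slip through)" ;;
    esac
done
if printf '%s\n' "$SAMPLE_RULES" | smtp_redirected; then
    echo "nat/PREROUTING redirects port 25: client SMTP is judged by INPUT, not FORWARD"
fi
```

Because iptables evaluates rules in order and the first terminating match wins, a DROP inserted with `-I CHAIN 1` does sit first, but a stateful `ESTABLISHED` ACCEPT ahead of it (or connections that were already open when the rule was added) explains why spam keeps flowing; the conntrack table is worth flushing or the cable pulled, as the reply suggests.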
_______________________________________________
Efw-user mailing list
Efw-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/efw-user