Security Question - Open Proxy

lchyi

Senior member
May 1, 2003
935
0
0
I run a small network of computers, approximately 15 machines big. My ISP is now telling me that we have an open proxy and I'm relaying spam. Is there a systematic way to go through and check for this? I'm completely bamboozled and my ISP isn't offering any suggestions to help fix it. Do I start at each individual computer and run some scans, or can I efficiently monitor for someone exploiting this port? We have a hardware firewall, an FVL328 from Netgear.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Check your firewall logs. Turn on logging for port 25 connections. See which machine is sending out the most email.

Set up a sniffer, see which system is sending out the most email.

Check your firewall logs for signs that a machine is connecting to common command and control (C&C) methods (like IRC).

Double check anti-virus and anti-spyware logs.

Scan all systems for an open port 25.
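The port 25 log check suggested above, as an added example that is not part of the original post: it counts outbound SMTP connections per LAN host and lists every sender that is not the expected mail machine. The log format, the `192.168.0.` LAN prefix and the mail host `192.168.0.5` are assumptions made for illustration; this is not the FVL328's actual log format, so adapt the regex to what your firewall writes.

```python
import re
from collections import Counter

# Constructed sample log in a generic style (NOT the FVL328's real format).
SAMPLE_LOG = """\
2006-03-01 02:14:07 ALLOW TCP src=192.168.0.23:1045 dst=203.0.113.10:25
2006-03-01 02:14:08 ALLOW TCP src=192.168.0.23:1046 dst=198.51.100.7:25
2006-03-01 02:14:08 ALLOW TCP src=192.168.0.5:2210 dst=203.0.113.44:25
2006-03-01 02:14:09 ALLOW TCP src=192.168.0.12:3301 dst=198.51.100.80:80
2006-03-01 02:14:09 ALLOW TCP src=192.168.0.23:1047 dst=203.0.113.99:25
2006-03-01 02:14:10 ALLOW TCP src=198.51.100.200:4410 dst=192.168.0.5:25
2006-03-01 02:14:11 ALLOW TCP src=192.168.0.5:2211 dst=198.51.100.31:25
2006-03-01 02:14:12 DENY TCP src=192.168.0.23:1048 dst=203.0.113.150:25
log rotated, partial line src=
"""

LINE_RE = re.compile(
    r"\b(?:ALLOW|DENY)\s+TCP\s+"
    r"src=(\d+\.\d+\.\d+\.\d+):\d+\s+"
    r"dst=(\d+\.\d+\.\d+\.\d+):(\d+)"
)

def smtp_senders(log_text, lan_prefix="192.168.0.", smtp_ports=(25,)):
    """Count LAN -> internet connections to an SMTP port, per source host."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not parse (headers, truncated lines)
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        outbound = src.startswith(lan_prefix) and not dst.startswith(lan_prefix)
        if outbound and dport in smtp_ports:
            counts[src] += 1  # blocked attempts count too: the host still tried
    return counts

def suspects(counts, allowed_mail_hosts=("192.168.0.5",)):
    """LAN hosts sending mail that are not the expected mail machine."""
    return [(h, n) for h, n in counts.most_common() if h not in allowed_mail_hosts]

if __name__ == "__main__":
    for host, n in suspects(smtp_senders(SAMPLE_LOG)):
        print(f"{host}: {n} outbound SMTP connections, not an approved mail host")
```

Workstations normally hand mail to one relay, so any desktop that shows up here with direct port 25 connections to many different outside addresses is the first machine to pull off the network and scan.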
 

Czar

Lifer
Oct 9, 1999
28,510
0
0
do what n0cmonkey suggests
and to scan the computers for the port do

telnet computerip 25

also run anti virus and spyware programs on all computers

and start by blocking all traffic on port 25 on the firewall

and if you have an Exchange server running as your mail server.. then it's probably not set to allow authenticated connections only
 

lchyi

Senior member
May 1, 2003
935
0
0
Thanks, I was hoping that there was something to check before I run all the necessary scans on a computer. I did block port 25, the only problem is that we run a spam mediator that requires it to have port forwarded to it so it can send mails. I set it up at 25 at first but just changed it to 30 (hopefully this won't pose the same problem, I don't know).

Well, I guess it's time to hunt and kill...
 