Asus RT-AX88U Block port 25 outbound correct settings

[vrpunk]

A device on my network is using port 25 to send occasionally send spam (I have been informed by Spamhaus Project).
I have a static IP.
So before I start looking for the device (iphone/ipad/doorbell/smart plug etc) I have been told to stop all out going traffic on port 25 at the router level.

I have upgraded firmware to latest Asus version (not merlin).
My settings are in the Network Services Filter, see image below. Are these correct?

Secondly, any advice for settings / apps I can use to monitor / log outgoing traffic on the router for port25 to get the devices IP that is causing the issue, it only happens every 7-10 days.

Thanks in advance
Regards
Mark

 

[ColinTaylor]

My settings are in the Network Services Filter, see image below. Are these correct?

No. The source port range should be empty. Only the destination port should be set at 25.

 

[vrpunk]

Okay updated that, hopefully that should work. I can then start trying to trackdown the device that’s causing the issue.
regards
Mark

 

[Justinh]

@ColinTaylor do you know if the blocked requests would be in logs? That would help find the device quickly.

 

[ColinTaylor]

You could set Firewall - General > Logged packets type = Dropped. But then you're likely to see your log flooded with the normal internet noise hitting your firewall. So unless the problem is happening fairly constantly you're probably going to miss the specific packet amongst all the others.

Alternatively you could SSH into the router and issue your own logging firewall rule (see below). The problem here is if you reboot the router or apply any changes in the router's GUI this rule will be wiped out.

iptables -I FORWARD -i br0 -p tcp --dport 25 -j logdrop

EDIT: Sorry @Justinh I thought I was replying to the OP but then realised I wasn't.

 

[vrpunk]

This is the information from Spamhaus: (xxx is my static IP)
-----------------------
Why was this IP listed?
xxx.xxx.xxx.xxx has been classified as part of a proxy network. There is a type of malware using this IP that installs a proxy that can be used for nearly anything, including sending spam or stealing customer data. This should be of more concern than a Spamhaus listing, which is a symptom and not the problem.

The proxy is installed on a device - usually an Android mobile, firestick, smart doorbell, etc, but also iPads, and Windows computers - that is using your IP to send spam DIRECTLY to the internet via port 25: This is very often the result of third party "free" apps like VPNs, channel unlockers, streaming, etc being installed on someone's personal device, usually a phone.

Technical information
Important: If this IP operates as a mail server, it should look and behave like a mail server. The HELO currently used appears to be dynamic and that is behaviour commonly observed in malware/proxy networks.

Recent connections:

(IP, UTC timestamp, HELO value)

xxx.xxx.xxx.xxx 2024-03-03 20:05:00 goliath.geekstorage.com

Important points:

The HELOs are often dynamic-looking rDNS and usually claim to be from geographically very different networks OR spoofs of major brands.
They can include impossible HELOs like "gmail.com", "outlook.com", "comcast.net" - Gmail, Outlook and Comcast do not use these. These are all fake.
If the HELO does not make sense for the IP generating it, it should be looked at closely.
There is often more than one compromised device.
Guest networks should also be secured.
This is a simple explanation of how it can work: https://www.spamhaus.com/resource-center/when-doorbells-go-rogue/

Any devices with "free" VPNs, TV streaming, channel unlocking, or 3rd-party apps installed are the first things to check.

What should be done about it?
We very strongly recommend securing your firewall to not allow any packets outbound on port 25, except those coming from any email server(s) on your local network. Remote sending of email to servers on the Internet should still work if web-based, or configured properly to use port 587 using SMTP-AUTH. Guest networks should be secured too.
-----------------------

I presume the UTC timestamp is my local time in the UK? I know a lot of devices that were not on at 20:05 on the 3rd March.



I have turned on traffic manager on the router, also system Log > General Log doesn't look informative unless I'm interpreting it wrong.

I was on CGNAT originally so thought it was someone else, so I got a Static IP about two weeks a go and it started again, so I'm the culprit! IT always seemed to happen on a weekend.

Regards
Mark

 

[ColinTaylor]

@vrpunk Have you turned on AiProtection on your router? Is there anything in its logs?

 

[vrpunk]

No i haven't I would have a good read about it and turn it on.
Obviously, first thing is to stop the device sending out, so I don't keep getting blacklisted, secondly to find the culprit! Thanks for the advice.
Regards
Mark

 

[ColinTaylor]

You definitely want to turn on Two-Way IPS and Infected Device Prevention and Blocking. It's designed specifically for the situation you're in.

 

[steammonkey]

@vrpunk sorry for the late reply to this, but did you ever find out what the source was? Asking because I'm seeing the same thing and struggling to identify the cause, but assuming it's a compromised device/app of some kind that is connected to the network.

In my case it's tripping Spamhaus every 2 days or so and has the same HELO as you saw xxx.xxx.xxx.xxx 2024-03-27 10:00:00 goliath.geekstorage.com.

 

[coxhaus]

Any chance that the email was a spam? I thought port 25 is blocked by ISPs. I had to ask AT&T to open port 25 back when I ran an email server.
Most client email is port 110.