PREVENT YOUR COMPUTER FROM BEING A SPAM-BOT USING PORT-BLOCKING ON YOUR ROUTER

Along with building new computers, and selling customized software solutions, I am often faced with the task for which Ruggiero AV Services was originally created - repairing computers for friends, family members, and clients.  Most of the time these repairs are not hardware-related, but rather related to the operating system (read: Windows).  And being that Windows has a fair amount of the market share, with Mac OS being a close second, most of my software-related fixes include malware removal.  Sometimes I don't know what specific malware I am dealing with UNTIL I run an anti-spyware and/or anti-virus scan, and most of the time that includes connecting the problem machine to my private network so that I can update the latest definitions, and then run a scan knowing I'll detect the latest threats.  Problem is, malware may use the window of time a given system is connected to a netwok to spread.  While I haven't had a virus transfer itself from a client's "infected" computer to one of my own via my private network, twice I have had "public network" issues after repairing a machine, most noteably in the area of e-mail.  

My personal ISP happens to be Comcast Cable; when this business began, its services also ran off this provider.  Ruggiero AV Services now utilizes a dedicated and isolated multi-server network in multiple geographic locations, so we are not tied to one ISP.  However, the fact that I have Comcast for personal use plays into the e-mail issue I describe. At least two times, a piece of malware on a client computer contained a built-in mail server, which instantly spewed out multiple SPAM e-mails without my knowledge.  This stopped my ability to send outgoing e-mail through Comcast's mail servers.   Some tech-saavy friends may be thinking, yeah so just change your outgoing mail servers to ones that are not Comcast-run; and I would - also, Comcast themselves offers a workaround to continue using their servers.  I'll explain in a second.  What Comcast ends up doing if they think you are a spam-bot is to shut off your ability to send ANYTHING over OUTGOING MAIL PORT 25.  This applies even on servers that are NOT run by Comcast.  The theory is that most malware sends bogus mail on that common port, so by blocking it at the network level, they are stopping the spread of the malware itself.  If you want to continue using Comcast for outgoing mail, you must set your outgoing mail port to 587.   It was only recently that I sucessfully discovered and implemented my OWN version of what Comcast did to me.  After calling their "security" department and explaining myself, I was able to get my ability to send over port 25 restored.  Then, I diligently went to work investigating the settings of my home network router.  My trick will NOT help you if you are a single-computer user with your modem hooked directly into your machine, but if you do have a router, the idea is to look into the settings that control access to the network or port blocking.  This is not the same as port forwarding, although the port-blocking or access control settings may be in the same area as your port forwarding section.

PRE-REQUISITES:
1. You must have a fairly recent router - not all support access control.   
2.  Your computers must be set for DHCP and have "reservations" set up in the router's configuration.  This may work with static IP addresses, but a DHCP reservation works easier, as you will see later.    
3.  You must have a limited DHCP scope to assign to "visiting" computers.    

I am going to go over the steps to set up the Dlink DIR-655 router for personal port blocking.

1.   Log into the router with the admin user and password.

 
2.  At the top, click SETUP, then NETWORK SETTINGS

Make sure the DHCP server is enabled.  Set the last digits in the range from 10 to 15.  For example, if your router's address is 192.168.0.1, the DHCP server range should be 192.168.0.10 - 192.168.0.15.  That's assuming you have LESS THAN 5 computers.  It can be more or less.  Always increment the number by one or two to allow for additions later.

3.  Restart all connected computers and return to the DLink router setup pages.  You should see your computers listed under DHCP Clients.

4,  Click RESERVE, and adjust any settings in the DHCP RESERVATION section.  Save your settings, and reboot the router.

5,  Once all of your network computers have a reserved IP address, we can move to setting up access control.  Click ADVANCED at the top, and ACCESS CONTROL on the left.   The policy table will be empty, not showing any machines, unlike what you see below.

6.  Click ENABLE ACCESS CONTROL, then ADD POLICY

7.  Click NEXT, then type a short policy name - for example PORT25 BLOCK.

8.  Click NEXT, keep the policy schedule at ALWAYS and click NEXT again.

 

9.  Under ADDRESS TYPE click OTHER MACHINES, click OK, and click NEXT.

10.  Choose BLOCK SOME ACCESS, APPLY PORT FILTERS and click NEXT.

11.  Enable the first check box.  Under NAME, put Port 25. 

12.  Keep the IP range the way it is, and change the protocol to TCP.

13.  Change DEST PORT START and DEST PORT END to 25.   Click SAVE.

Now we have essentially blocked port 25 from ALL computers on our network.  If that is your intention, you may stop here.  However, if you wish to override the block for certain machines, follow the below example.

• Type a new policy name - for example PORT25 OVERRIDE.
• Click NEXT, keep the policy schedule at ALWAYS and click NEXT again.
• Under ADDRESS TYPE click IP.  Choose a "reserved" computer from the list, and click OK.
• Repeat that for each computer you know is on your LAN.
• At the bottom of your screen, click OK, and click NEXT.
• Choose BLOCK SOME ACCESS, APPLY PORT FILTERS and click NEXT.
• Enable the first check box.  Under NAME, put Port 25. 
• Keep the IP range the way it is, and change the protocol to TCP.
• Change DEST PORT START and DEST PORT END each to a bogus port number that is not in use, like 1234..
• Click SAVE.
• Reboot the router, and your computers.  

To test your settings, use the following at a command prompt:

  telnet smtp.comcast.net 25   

On your "reserved" computers, you should get a response in the form of a single line that shows where the server is coming from.  For example:  

220 OMTA05.comcast.net comcast ESMTP server ready  

On ANY OTHER MACHINE you connect, like a friend's machine, the request should TIME OUT or not connect at all.  This is what you want.  This way you may continue to use your [hopefully protected] computers as normal, but any new machines will not be able to access port 25.  If you add new machines to your lan that you WANT to access port 25, you'll need to add a reseveration, and add the computer to the PORT 25 OVERRIDE policy.  

CLICK HERE TO GO BACK TO THE PAGE YOU CAME FROM
OR
CLICK HERE TO RETURN TO  RUGGIERO AV SERVICES HOME