How can I get more detailed logs to identify a rogue device using port 25?

2024-05-09 17:46:39
Model: Deco X50  
Hardware Version:
Firmware Version: 1.4.1

I'm trying to identify a device gone rogue - I suspect that something is being used as a proxy to fire out spam, possibly a cheap smart plug.

But... I can't find any way to block port 25 via the Deco app or web interface, or to get detailed enough logs to find out which device is to blame.

Any ideas?

Re:How can I get more detailed logs to identify a rogue device using port 25?
2024-05-10 06:38:49

@FUPat

Hi, Welcome to the community.

May I know how you found out that some devices might fire out spam or something similar via port 25?

You could go to Deco APP > More > Advanced > NAT Port Forwarding > UPnP and make sure UPnP has been disabled first.

Generally, a port should be closed by default on Deco. If you could provide more details about the potential security concern about port 25, I might be able to find more useful suggestions for you.

Thank you very much and best regards.

Re:How can I get more detailed logs to identify a rogue device using port 25?
2024-05-10 11:12:47

@David-TP Surely you mean that incoming ports are closed by default? That's not what I'm trying to do here.

My IP has been blacklisted by Spamhaus; they have provided examples of SMTP connections being made from my IP with falsified HELOs.

Either:

  1. A device on my network has been compromised and is trying to send spam as part of a proxy network, or
  2. My ISP is sharing my WAN IP between multiple subscribers and it's nothing to do with my network (they shouldn't, but they are awful - wouldn't surprise me).

What I'd like to be able to do is enable more detailed logging at the router somehow so that I can see when a device requests a port 25 connection. Then if it happens I could identify the device via the IP/MAC and sort it out. And if it didn't happen but Spamhaus were still recording dodgy activity then it points to option 2 above.

At the very least I'd like to be able to just block outgoing port 25 connections.

So far I can't seem to find a way to do either of these things - the Deco system is brilliant for the mesh side of things, but seems extremely limited in terms of advanced config options.

Please do let me know if you can think of a solution!

Thanks

Re:How can I get more detailed logs to identify a rogue device using port 25?
2024-05-11 02:23:44

@FUPat

Hi, thanks for the update.

Currently, there is no direct way on Deco to check which LAN device might be using the SMTP email service via port 25. The system log on the web UI doesn't record this information either. I have seen occasionally that some users deployed a Raspberry Pi in the LAN network to filter all the DNS entries.

I happened to see a similar case earlier about the Spamhaus warning. So I tend to think it is the second situation:

https://community.tp-link.com/us/home/forum/topic/663912

"My ISP is sharing my WAN IP between multiple subscribers and it's nothing to do with my network (they shouldn't, but they are awful - wouldn't surprise me)."

Thank you very much and best regards.

Re:How can I get more detailed logs to identify a rogue device using port 25?
2024-05-13 09:33:03

@David-TP I think the Raspberry Pi solution you're talking about is probably Pi-hole - which acts as a DNS proxy but would not do what I want to do in terms of logging (or blocking) outgoing requests to hosts using a particular port.

I could probably set something up with a Pi as a proxy between the main Deco and the wider internet, passing all traffic through it, but I'd need to do more research.

It's a shame the Deco system itself doesn't offer more advanced config; it's very basic.

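The per-device port 25 logging asked for in post #2, combined with the inline Pi gateway idea from post #4, could look like this. This is an added example, not code from the thread or from TP-Link: it assumes a Pi forwarding LAN traffic with an iptables rule `iptables -A FORWARD -p tcp --dport 25 --syn -j LOG --log-prefix "SMTP-OUT: "` writing to the kernel log, and it parses constructed sample log lines to report which LAN IP/MAC opened outbound SMTP connections (the same match with `-j DROP` blocks them instead).

```python
import re
from collections import defaultdict

# Constructed sample lines in the format the iptables LOG target writes to the kernel
# log for the assumed rule on a Pi acting as inline gateway (eth1 = LAN, eth0 = WAN):
#   iptables -A FORWARD -p tcp --dport 25 --syn -j LOG --log-prefix "SMTP-OUT: "
# The last line has no prefix (unrelated DNS traffic) and must be ignored.
SAMPLE_LOG = """\
May 12 21:03:11 pi kernel: SMTP-OUT: IN=eth1 OUT=eth0 MAC=dc:a6:32:01:02:03:a4:cf:12:aa:bb:01:08:00 SRC=192.168.68.110 DST=203.0.113.25 LEN=60 PROTO=TCP SPT=51234 DPT=25 SYN URGP=0
May 12 21:03:12 pi kernel: SMTP-OUT: IN=eth1 OUT=eth0 MAC=dc:a6:32:01:02:03:a4:cf:12:aa:bb:01:08:00 SRC=192.168.68.110 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51235 DPT=25 SYN URGP=0
May 12 21:05:40 pi kernel: SMTP-OUT: IN=eth1 OUT=eth0 MAC=dc:a6:32:01:02:03:3c:71:bf:00:11:22:08:00 SRC=192.168.68.120 DST=203.0.113.25 LEN=60 PROTO=TCP SPT=40001 DPT=25 SYN URGP=0
May 12 21:06:00 pi kernel: IN=eth1 OUT=eth0 MAC=dc:a6:32:01:02:03:3c:71:bf:00:11:22:08:00 SRC=192.168.68.120 DST=192.0.2.53 LEN=60 PROTO=UDP SPT=5555 DPT=53
"""

LOG_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?(?P<prefix>[A-Z-]+): IN=\S* OUT=\S* "
    r"MAC=(?P<mac>[0-9a-f:]+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def source_mac(mac_field):
    """iptables logs the raw Ethernet header as 14 colon-separated octets:
    6 destination MAC, 6 source MAC, 2 EtherType. Return the LAN host's source MAC."""
    octets = mac_field.split(":")
    return ":".join(octets[6:12]) if len(octets) >= 12 else None


def smtp_talkers(log_text, prefix="SMTP-OUT"):
    """Aggregate outbound TCP/25 connection attempts per LAN host.
    Returns {src_ip: {"mac", "attempts", "destinations", "first", "last"}}."""
    hosts = defaultdict(lambda: {"mac": None, "attempts": 0, "destinations": set(),
                                 "first": None, "last": None})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["prefix"] != prefix or m["proto"] != "TCP" or m["dpt"] != "25":
            continue  # unrelated traffic, or a different LOG rule's prefix
        h = hosts[m["src"]]
        h["mac"] = source_mac(m["mac"])
        h["attempts"] += 1
        h["destinations"].add(m["dst"])
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
    return dict(hosts)


if __name__ == "__main__":
    for ip, info in sorted(smtp_talkers(SAMPLE_LOG).items()):
        print(f"{ip:16} {info['mac']}  {info['attempts']} SMTP SYNs to "
              f"{len(info['destinations'])} hosts  ({info['first']} .. {info['last']})")
```

A host that shows up here but that you never configured for mail (a smart plug, a camera) is the one to pull off the network; if nothing shows up over several days while Spamhaus keeps reporting hits, that supports the shared-WAN-IP explanation.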