Blocking Spammers with the IBM Firewall

By:  Bob Cancilla
Title:  AS/400 Internet Practioner
Date:  12/08/1998 - 07:08 PM (UCT)

Copied from IBM's AS/400 Firewall website with IBM's permission.



Some Firewall for AS/400 customers have noticed that their firewalls are being used by unscrupulous mail spammers. Since the Firewall mail relay is very good at forwarding mail to its intended destination, spammers take advantage of this feature by sending mail to the firewall which it then forwards on to its intended destination. By "bouncing" mail off of a firewall, the spammers are able to send mail to a larger number of individuals more quickly.

The Firewall, the AS/400 system and the entire customer network remain secure in spite of this denial of service attack.

However, having one's firewall used for third party mail relay is not desirable because it can use a great deal of communication bandwidth and firewall processing time. Also one does not want to be associated in any way with the material that is being forwarded since it is often pornographic and of questionable legality. Some companies maintain lists of third party mail relays and block all mail received from them. If the IP address of a Firewall for AS/400 is placed on this list, all mail, including legitimate mail, will be blocked from reaching a number of mail servers on the Internet.

You can determine if a firewall is being used by a spammer by displaying the mail log. Use the SBMNWSCMD command to "type e:
. The subject line of spam mail will usually be self-evident.

There are work-arounds that customers may wish to employ. The next section describes one of these work-arounds which has been successfully implemented for a customer.


The goal of the work-around is to prevent the firewall itself from sending e-mail to the Internet and thus blocking the third-party relay of mail. Incoming mail from the Internet continues to be processed as in the past, with the firewall mail relay sending it on to the secure mail server. Outgoing mail however is now sent directly to Internet mail servers from the AS/400 or other secure mail server.

This work-around will only work if:

  • The secure and the non-secure domain names are the same.
  • The AS/400, or other secure mail server, can be assigned a registered IP address.

If your AS/400 mail server already has a registered Internet address (e.g. it is also your web server), then proceed with the following instructions. If not, then you will need to assign a valid IP address to the server and adjust the subnets and routing at the firewall and router appropriately. The technical tip for how to place a web server behind the firewall has the same addressing and routing steps as those required here.

Work-around configuration steps:

  1. Configure the AS/400 mail server to send mail directly to Internet mail servers.

    • a. Ensure that the AS/400 can resolve names of hosts on the Internet. Do a PING The PING will fail but it still should resolve the host name. If the host name cannot be resolved then you need to correct your use of domain name servers.
    • b. Change the SMTP attributes (CHGSMTPA command) to specify firewall = *NO and mail router = *NONE.
    • c. End and restart the SMTP server.

  2. Configure the firewall to permit the AS/400 mail server to send mail directly to the Internet and block third-party relay.

    • a. Set IP Forwarding = Permit on the firewall.
    • b. Adding the following two filter rules near the bottom of the filter rule file just prior to the ending defenses.

      action(permit) from(AS/400-registered-ip-address) to(any) protocol(tcp ge 1024/eq 25) interface(both) routing(route) direction(both) fragment(y) log(n) description("Permit mail request packets from AS/400 to the Internet")

      action(permit) from(any) to(AS/400-registered-ip-address) protocol(tcp/ack eq 25/ge 1024) interface(both) routing(route) direction(both) fragment(y) log(n) description("Permit mail response packets to the AS/400 from the Internet.")

    • c. Add the following filter rule as part of the general defenses (i.e. after rule #10).

      action(deny) from(firewall-nonsecure-ip-address) to(any) protocol(tcp any/eq 25) interface(non-secure) routing(local) direction(outbound) fragment(y) log(y) description("Block relay to Internet servers.")

    • d. Restart the filters on the firewall.



Return to the Home Page

© Copyright 1998, 1999 by IGNITe/400sm
This page last updated on: Sun Jun 27 20:55:29 1999