Question

Re-Listed on Blacklist, even AFTER closing port 25.

Asked by: VCSLI

Hello

I work in an office building. There are 36 tenants who rent offices within the building. They are all supplied with a common shared internet connection. (Everyone in the building uses the same connection.)
A few days ago, we were blacklisted. After contacting the lister, they agreed to remove us.

We are now listed again a few days later.
We have a SonicWall Pro 2040 Enhanced, and have closed port 25 from WAN to LAN.
Since there are many different tenants, everyone uses their own email service. Whether it be NetworkSolutions (the only people who have noticed a problem, and caused me to look into this initially), Bluehost, Gmail etc etc etc. Some people use the web interface, others use Outlook/Thunderbird. There are no central Exchange servers.

I am thinking perhaps spam is being sent out on a different port, other than 25.

What could be causing this? What can I do to prevent this from happening?

This question has been solved and asker verified.

Asked on: 2009-08-04 at 22:46:39, ID: 24627059
Tags: Hardware Firewall, Security, Network Maintenance, Spam, Email, Virus

Topics: Networking Hardware Firewalls, Network Operations, Miscellaneous Security

Participating Experts: 2, Points: 0, Comments: 23


Answers

by: Kaffiend, posted on 2009-08-05 at 00:29:51, ID: 25020861

Spam is sent out on port 25. There are probably one or more PCs in the building that have been infected with a virus and are sending out spam. Or worse, someone has a badly-configured mail server in the building.

To control this, you need to block port 25 traffic from the LAN to the WAN.
(Those who have mail servers need to let you know so that you can make exceptions for them on the firewall.)

Everyone else will have to use some other port to send mail - port 587 is commonly used.

Another thing you can do is:
block port 25 outgoing, and install an effective spam filtering device that everyone can use as an SMTP proxy, and only allow that device to use port 25 to the outside world.

by: VCSLI, posted on 2009-08-05 at 00:37:23, ID: 25020908

As I mentioned in my original post, port 25 has been closed via the SonicWall in the WAN to LAN access rules setting. I closed the port when we were originally blacklisted. Here we are again :P.

The SonicWall has built-in anti spam. It isn't licensed though, will look into that tomorrow.

25, 26, 587, and 2525 seem to be COMMON SMTP ports. Anyone can set up an SMTP server on any port and start sending out emails.

What's to stop the virus from using a different port? Anyone can set up an SMTP server and start sending out mails...

by: VCSLI, posted on 2009-08-05 at 00:40:04, ID: 25020919

As mentioned, Network Solutions seems to be the only email host having a problem. We are INDEED on a few blacklists though. I have verified this using MXToolbox. They seem to block the ORIGINATING IP of the emails rather than the SMTP server sending them out, thus making this a bigger headache...

by: Kaffiend, posted on 2009-08-05 at 00:55:12, ID: 25021008

LAN to WAN needs to be blocked. Port 25 traffic from the local network (the office building) must not be allowed to the outside world.

Allowing (or not allowing) port 25 traffic into the building doesn't get you on (or off) any blacklists. WAN to LAN blocking of port 25 isn't going to help solve the problem.

You wrote: "Anyone can set up an SMTP server and start sending out mails..."
That is why outgoing traffic on port 25 needs to be shut down, except for legitimate mail servers.

(It is true that you can send out spam using any port you like, but mail servers typically listen on port 25. So, if a spammer were to use some other port to send out spam, his spam would go nowhere - mail servers are not configured to listen on every port; they do use port 25, which is the port used for SMTP traffic.)

As for the Sonicwall's spam filtering - it might be able to help, but most firewalls block/filter incoming mail; they typically are not able to block/filter outgoing mail. And outgoing mail is what you need to control. Make sure the Sonicwall has this capability before you commit to licensing this feature.

by: VCSLI, posted on 2009-08-05 at 01:01:51, ID: 25021044

Oops, that was a typo on my part. I have denied access on port 25 from LAN to WAN.

I will edit my original post to prevent further misunderstandings.

Port 25 is closed for OUTGOING connections. I have tested this using various tools, and also by configuring a mail client to use port 25. It is unable to connect.

by: Kaffiend, posted on 2009-08-05 at 01:19:12, ID: 25021119

If you have blocked outgoing port 25 traffic, then all you have left to do now is clean up the mess.

(If you have the time, it would be a good idea to have some kind of monitoring on the network to see where this s#@! originally came from. Even though shutting down outgoing port 25 stops the spam from leaving your network, the zombie PC is still trying to send, and is bombarding your Sonicwall with port 25 traffic.)

Unfortunately for you, this means you should contact these block lists and request removal. Most of them do not make this an easy process. If you do not do this, then your IP address will eventually drop out of the dynamic block lists in time.

by: VCSLI, posted on 2009-08-05 at 01:26:07, ID: 25021151

This problem came up last Wednesday-Thursday. By Friday we had been removed from the blacklists, and by Saturday, everything was fine and working as it should.

Here we are on Tuesday right back where we started.

Port 25 was closed Friday. It has been closed since and is closed right now.

by: c01000100, posted on 2009-08-05 at 01:32:08, ID: 25021174

Also, when firewalls are overwhelmed, they normally have two options: block all traffic, or pass all traffic. In either case you should be able to enable/view log files and address the issue directly.

by: Kaffiend, posted on 2009-08-05 at 01:35:18, ID: 25021189

I guess the next place to look is at the exceptions. Who is allowed to use port 25 to the outside world? Is it a single IP address, or a whole subnet? (Exceptions should only be made for specific IP addresses, not whole subnets.)
(This could get a little tricky, asking a tenant whether his mail server is secure or not. And he might not even know if it isn't. Plus, most likely they aren't going to invite you to take a look and see.)

by: VCSLI, posted on 2009-08-05 at 01:49:47, ID: 25021254

Port 25 is blocked for everyone, the entire network. The only place it is not blocked is from a copier in the copy room. Tenants occasionally use this to scan a document and email it to themselves. I have checked this though, and on average it is used maybe 3 times a day.

Within the SonicWall, I have port 25 on LAN to WAN set to DENY ACCESS on ANY CONNECTION.
I also have it set to ALLOW port 25 on the copier's IP, and that IP only.

Like I have said, I have tested all this and port 25, outbound, really really is closed.
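The monitoring Kaffiend suggests above (find the zombie host that keeps hammering the firewall with port 25 traffic) and VCSLI's single-IP exception for the copier can both be checked from the firewall's own logs. The following is an added example, not code from this thread or from SonicWall: it assumes a generic key=value log format with constructed sample lines, tallies outbound port-25 attempts per internal host, flags hosts that fan out to many distinct mail servers, and reports any port-25 connection that was allowed from an address other than the one on the allow-list (the copier, 192.168.1.250 in the sample).

```python
import re
from collections import defaultdict

# Constructed sample firewall log in a generic key=value syslog style that only
# loosely resembles SonicWall output (an assumption, not a real capture).
# src/dst are ip:port:interface; X0 is the LAN side, X1 the WAN side.
SAMPLE_LOG = """\
Aug 05 01:10:03 fw msg="Connection Dropped" src=192.168.1.57:4012:X0 dst=203.0.113.25:25:X1 proto=tcp
Aug 05 01:10:03 fw msg="Connection Dropped" src=192.168.1.57:4013:X0 dst=198.51.100.8:25:X1 proto=tcp
Aug 05 01:10:04 fw msg="Connection Dropped" src=192.168.1.57:4014:X0 dst=203.0.113.77:25:X1 proto=tcp
Aug 05 01:10:09 fw msg="Connection Opened" src=192.168.1.20:51022:X0 dst=203.0.113.10:587:X1 proto=tcp
Aug 05 01:11:30 fw msg="Connection Opened" src=192.168.1.250:2049:X0 dst=203.0.113.5:25:X1 proto=tcp
Aug 05 01:12:00 fw msg="Connection Dropped" src=192.168.1.57:4015:X0 dst=192.0.2.14:25:X1 proto=tcp
Aug 05 01:12:41 fw msg="Connection Opened" src=192.168.1.99:3301:X0 dst=192.0.2.30:25:X1 proto=tcp
"""

LINE_RE = re.compile(
    r'msg="(?P<msg>[^"]*)"\s+src=(?P<sip>[\d.]+):(?P<sport>\d+):(?P<sif>\w+)'
    r'\s+dst=(?P<dip>[\d.]+):(?P<dport>\d+):(?P<dif>\w+)'
)

def parse_line(line):
    """Extract action, source and destination fields; None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def outbound_smtp_summary(log_text, lan_if="X0", allowed_sources=()):
    """Tally outbound TCP/25 attempts per internal host.
    Returns (attempts, leaks): attempts maps src IP -> {count, dropped, dests};
    leaks lists (src, dst) for port-25 connections that were *opened* from a
    host not on the allow-list, i.e. a gap in the deny rule."""
    attempts = defaultdict(lambda: {"count": 0, "dropped": 0, "dests": set()})
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["dport"] != 25 or rec["sif"] != lan_if:
            continue  # not an outbound port-25 attempt from the LAN
        entry = attempts[rec["sip"]]
        entry["count"] += 1
        entry["dests"].add(rec["dip"])
        if rec["msg"] == "Connection Dropped":
            entry["dropped"] += 1
        elif rec["sip"] not in allowed_sources:
            leaks.append((rec["sip"], rec["dip"]))
    return dict(attempts), leaks

def likely_zombies(attempts, min_dests=3):
    """A host fanning out to many distinct mail servers behaves like a spam bot;
    a normal mail client talks to one or two. Returns the sorted suspect IPs."""
    return sorted(ip for ip, e in attempts.items() if len(e["dests"]) >= min_dests)

if __name__ == "__main__":
    attempts, leaks = outbound_smtp_summary(SAMPLE_LOG, allowed_sources={"192.168.1.250"})
    print("suspects:", likely_zombies(attempts), "rule gaps:", leaks)
```

On the constructed sample it names 192.168.1.57 as the host fanning out to four different mail servers and reports 192.168.1.99 as having reached port 25 despite the deny rule; a real run would feed the firewall's exported syslog in place of SAMPLE_LOG.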

by: c01000100, posted on 2009-08-05 at 02:10:01, ID: 25021346

Perhaps the agency that blacklisted you can provide a log of malicious traffic from your public IP to confirm that port 25 was the only attack destination port. If so, they should have no more issues with your network.

by: Kaffiend, posted on 2009-08-05 at 12:14:48, ID: 25026956

Well, if port 25 traffic is blocked for everyone, then what does it matter if that IP address is on a blacklist? :-)

The only thing that is negatively impacted now, then, is the printer. It will be blocked by many email systems regardless of whether it is on any block lists, because it most likely does not have a reverse DNS record.

by: VCSLI, posted on 2009-08-05 at 12:17:47, ID: 25026987

As previously mentioned, Network Solutions is the only email provider having an issue with us. They reference at least 2 of the blacklists we are listed on, and update their security accordingly.

Port 25 IS closed for all IPs other than the copy room printer, which works fine for everything with the exception of those using Network Solutions, as the email being sent by the copier originates from the building's blacklisted IP.

by: c01000100, posted on 2009-08-05 at 12:36:49, ID: 25027201

The printer, I suppose, could be your villain.

by: VCSLI, posted on 2009-08-05 at 12:41:11, ID: 25027250

"Port 25 is blocked for everyone, the entire network. Only place it is not blocked is from a copier in the copy room. Tenants occasionally use this to scan a document and email it to themselves. I have checked this though and on average it is used maybe 3 times a day."
(08/05/09 01:49 AM, ID: 25021254)

No one reads what I write :P

by: c01000100, posted on 2009-08-05 at 13:00:23, ID: 25027461

Every word. Both postings. You too, huh?

by: Kaffiend, posted on 2009-08-05 at 13:29:47, ID: 25027777

I guess the next step is to look at which block lists your IP address is on, and see why the printer made it to their list. Most of them have some kind of interface that *might* have a list of reasons why your IP is listed. Some of them do have a way for you to request to be removed (as you are probably familiar with by now).

I suspect that the main reason (unless your printer has been pwned by a virus - unlikely, just kidding) for ending up on those blacklists is a lack of a reverse DNS record, or the "From" address that it is using. You might be able to get your ISP to create a reverse DNS record for you, but I don't know what you can do about the "From" address.

by: c01000100, posted on 2009-08-05 at 13:47:13, ID: 25027943

I seriously hope you were able to tell that I was talking about the copier when I said printer.

by: Kaffiend, posted on 2009-08-05 at 21:42:40, ID: 25030168

Um, yeah, copier, not printer. My bad.

The lines blur these days - copier, printer, mopier.

Just out of curiosity, what does the copier use as its "From" address?

by: VCSLI, posted on 2009-08-05 at 21:46:32, ID: 25030189

It's set up to use an email provided by our ISP. It must use SMTP port 25, as the copier setup menus don't allow you to change it.

by: Kaffiend, posted on 2009-08-05 at 23:23:30, ID: 25030551

Maybe your ISP can help out by providing an SMTP proxy (smart host) for your copier to send mail through?

by: c01000100, posted on 2009-08-06 at 01:49:06, ID: 25031183

To answer a question of yours from earlier, what stops a program from sending SMTP on a different port is just programming and TCP knowledge. The SMTP server has to know to listen on certain ports for certain protocols. Since 25 and 587 are standard, it would be a waste of time to have email sending to port numbers of other protocols... the server would terminate the connection based on TCP providing unexpected information. I would look to the black-lister for a malicious traffic report. Then adjust your network, refute the report, or both.

by: VCSLI, posted on 2009-08-06 at 07:22:00, ID: 25033659

I have spoken with the building owner and we are going to switch network topologies.

Rather than this being ONE GIANT NETWORK with one IP, we're going to switch to a transparent NAT setup. (Everyone would have their own external IP.) This would eliminate people doing shady things and causing problems for others.

While this isn't a solution to my problem per se, it will fix it.
