ethernet69 asked:
Exchange server blacklisted because of spam

I’m having a problem with one of my best clients pertaining to them being blacklisted and they are now having increasingly more trouble sending e-mail, which is getting rejected from the receiving server with NDRs indicating those rejections. They just made us aware of the first user having this issue yesterday, and we’ve done a vulnerability scan on the server already, and it looks clean. It appears that some machine on their network (I don’t think it’s the server, but cannot be sure) is sending Spam, and they have been blacklisted by SpamHaus, SpamCop and Barracuda so far, and I think those are the ones that MOST companies use for their Real-time Block Lists (RBLs).

I ran malware bytes on the server and did not come up with anything.

Something to note:  One of the workstations on their internal network was infected with a particularly nasty virus the other day, which I *think* was removed successfully.
KevinTHayashi

Do you have a firewall in place?
1. Be sure to block outbound port 25 for all clients on your firewall.
2. Do Malware and Virus scans on all of the computers on the network.
3. Make sure that you do not allow relaying on your SMTP connection in Exchange for your local network clients.
4. Make sure that you only allow outbound port 25 on your firewall for the server only.
5. Temporarily configure SmartHosts to forward outbound email through your Service Provider's SMTP server.
ASKER CERTIFIED SOLUTION
Alan Hardisty
This solution is only available to members.
Also, once you know that your network is clean, you will have to contact the blocking organization, SPAMHAUS, etc., and ask them to remove your IP from the list.  This is usually a painful process and requires that you "Donate" to their cause to help speed up the removal process.
You should not have to pay to get de-listed.  You can if you want to, but there is no need.
Most blacklists sites will either de-list you upon request, or de-list you after a week (at most). Some sites you cannot contact and those are the ones that no-one uses anyway (e.g., Tiopan).
Typically the providers which are blocking you will have a form to request removal from their black list - until that time make very sure you do not have any more viruses on your infected systems. If you do, you risk being blocked permanently if you are sending spam while or right after making requests to be de-blacklisted. Put wireshark on a system between your router and your stations and look for signs that a station is still causing problems. If you discover one, disconnect that station and look for others. Clean all at once while you make the requests and put them back online only once you have confirmed they are not causing a problem. Try using multiple anti-virus / anti-spyware systems (not at the same time) to clean your infected system.
ethernet69 (ASKER)

re: AlanHardisty

Here's the report from the MX Toolbox relay check/super tool:

"Not an open relay.
 0 seconds - Good on Connection time
 5.460 seconds - Warning on Transaction time
 OK - <IP Address> resolves to <FQDN>
 OK - Reverse DNS matches SMTP Banner

Session Transcript:
HELO please-read-policy.mxtoolbox.com
250 <domainname - obscured> Hello [IP Address - obscured] [62 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 supertool@mxtoolbox.com....Sender OK [62 ms]
RCPT TO: <test@example.com>
550 5.7.1 Unable to relay for test@example.com [5148 ms]
QUIT
221 2.0.0 <domain name> Service closing transmission channel [78 ms]"
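The relay probe in that transcript (HELO, MAIL FROM, RCPT TO for a domain the server does not host, QUIT) is easy to reproduce against your own server so you can re-check after any configuration change. The script below is an added example and is not from the thread or from MX Toolbox; it includes a small constructed SMTP responder so it runs offline, and `yourdomain.com`, `relaycheck.example.net` and the sender address are placeholders. Point `relay_check()` at the real host and port for a live test, using a recipient domain your server is not responsible for.

```python
"""Open-relay self-check mirroring the HELO/MAIL/RCPT/QUIT probe above.
Added example (not from the thread).  A constructed local SMTP server is
included so the check can be exercised without touching a real host."""
import smtplib
import socketserver
import threading

# Domains the constructed server accepts mail for (placeholder/assumption).
LOCAL_DOMAINS = {"yourdomain.com"}


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder.  RCPT TO for a non-local domain gets 550 unless
    the server was started with open_relay=True (the misconfigured case)."""

    def handle(self):
        self.wfile.write(b"220 mail.yourdomain.com ESMTP constructed-test-server\r\n")
        for raw in self.rfile:
            line = raw.decode("ascii", "replace").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.wfile.write(b"250 mail.yourdomain.com Hello\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 2.1.0 Sender OK\r\n")
            elif verb == "RCPT":
                rcpt = line.split(":", 1)[1].strip().strip("<>")
                domain = rcpt.rsplit("@", 1)[-1].lower()
                if self.server.open_relay or domain in LOCAL_DOMAINS:
                    self.wfile.write(b"250 2.1.5 Recipient OK\r\n")
                else:
                    self.wfile.write(b"550 5.7.1 Unable to relay for "
                                     + rcpt.encode("ascii") + b"\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Service closing transmission channel\r\n")
                return
            else:
                self.wfile.write(b"500 5.5.1 Command unrecognized\r\n")


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, open_relay=False):
        super().__init__(("127.0.0.1", 0), FakeSMTPHandler)  # port 0 = ephemeral
        self.open_relay = open_relay


def start_fake_server(open_relay=False):
    """Start the constructed server in a background thread; .server_address[1] is its port."""
    srv = FakeSMTPServer(open_relay)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def relay_check(host, port, external_rcpt="test@example.com",
                mail_from="supertool@example.net"):
    """Return (is_open_relay, rcpt_code, rcpt_message).

    A 250 on RCPT TO for a domain the server does not host means it will relay
    for anyone; 550 5.7.1 'Unable to relay' is the healthy answer.  The
    recipient domain MUST be one the server is not responsible for, or a
    correct server will be reported as an open relay."""
    s = smtplib.SMTP(host, port, timeout=10)
    try:
        s.helo("relaycheck.example.net")
        code, msg = s.mail(mail_from)
        if code != 250:
            return (False, code, "MAIL FROM rejected: " + msg.decode("ascii", "replace"))
        code, msg = s.rcpt(external_rcpt)
        return (code == 250, code, msg.decode("ascii", "replace"))
    finally:
        try:
            s.quit()
        except smtplib.SMTPException:
            s.close()


if __name__ == "__main__":
    srv = start_fake_server(open_relay=False)
    print(relay_check("127.0.0.1", srv.server_address[1]))
    srv.shutdown()
```

This only exercises unauthenticated relaying, which is what the MX Toolbox test covers; as noted further down in the thread, a server can still be an authenticated relay if a local account's credentials have been stolen by malware, so a clean result here does not rule out the server as the spam source.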

Also, one other thing to remember when you are blacklisted is that it is very important to identify and resolve the issue of why you ended up in the black list in the first place. If you ask to be delisted but the issue itself is not resolved, you will probably end up back on the same list as well as on a few others....
So don't just request to get delisted, you need to resolve the original problem of why you were blacklisted. Also, if you are not using POP or IMAP, you can probably disable those too....
Good - not an open relay.  Could still be an authenticated relay though.
What do the Blacklists sites advise as to why you are listed?
If you want to post your IP address, I can obscure it for you immediately afterwards.
Alan
Okay - the only one I see that gives a reason is SpamCop and this is what they say:
"System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)"
That smells awfully like a virus / worm on your systems, but you may have resolved the problems as you are not on any other major blacklists sites that I can see.
Also, worth noting:
"If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 13 hours."
and
"System has been listed for 31 hours"
FYI - you also have configuration issues with your domain.
  1. Multiple MX records pointing to the same IP address
  2. Your mailserver responds as yourdomain.com which resolves to IP 123.123.123.123
  3. Your MX records are setup as alt and mail.yourdomain.com but they resolve to the IP you posted.  They should all match.
Essentially, you need to change the FQDN for your mail server to mail.yourdomain.com and lose the alt.yourdomain.com MX record as it is superfluous.
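Both of Alan's checks here, whether the IP is still on the block lists and whether the MX records and SMTP banner name line up, are plain DNS lookups and can be scripted so the client can re-run them before and after requesting delisting. The code below is an added example, not from the thread or from any of the list operators; it uses only the Python standard library. Live lookups go through `socket.gethostbyname`; a constructed resolver table (`yourdomain.com` as on the page, addresses from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges) is included so the functions can be exercised offline. The zone names are the public zones of the three lists named in the question; check each list's usage terms before querying them routinely.

```python
"""DNSBL listing check and MX/banner consistency check.  Added example, not
from the thread.  Standard library only; pass resolve= to substitute a
different resolver (the constructed table below is used for offline runs)."""
import ipaddress
import socket

# Public zones of the lists named in the thread (assumption: current zone names).
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org"]


def dnsbl_query_name(ip, zone):
    """DNSBLs are queried by reversing the IPv4 octets under the list zone,
    e.g. 198.51.100.25 -> 25.100.51.198.bl.spamcop.net."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def check_dnsbls(ip, zones=DNSBL_ZONES, resolve=socket.gethostbyname):
    """Return {zone: answer-or-None}.  Any A record (normally 127.0.0.x, the
    exact value encodes the reason) means listed; NXDOMAIN means not listed."""
    results = {}
    for zone in zones:
        try:
            results[zone] = resolve(dnsbl_query_name(ip, zone))
        except socket.gaierror:
            results[zone] = None
    return results


def mx_consistency(mx_hosts, banner_name, resolve=socket.gethostbyname):
    """Report the three problems Alan listed: several MX hosts resolving to one
    IP, a banner/FQDN that is not an MX host, and a banner name whose address
    is not the address any MX host points at."""
    issues = []
    ip_to_hosts = {}
    for host in mx_hosts:
        ip_to_hosts.setdefault(resolve(host), []).append(host)
    for ip, hosts in ip_to_hosts.items():
        if len(hosts) > 1:
            issues.append(f"MX hosts {sorted(hosts)} all resolve to {ip}; keep one")
    if banner_name not in mx_hosts:
        issues.append(f"SMTP banner/FQDN {banner_name} is not one of the MX hosts")
    banner_ip = resolve(banner_name)
    if banner_ip not in ip_to_hosts:
        issues.append(f"{banner_name} resolves to {banner_ip}, which no MX host points at")
    return issues


# Constructed DNS table standing in for the situation described on the page.
CONSTRUCTED_DNS = {
    "mail.yourdomain.com": "198.51.100.25",
    "alt.yourdomain.com": "198.51.100.25",
    "yourdomain.com": "203.0.113.10",
    "25.100.51.198.bl.spamcop.net": "127.0.0.2",   # listed on SpamCop only
}


def constructed_resolve(name):
    """Offline resolver: answers from CONSTRUCTED_DNS, NXDOMAIN otherwise."""
    try:
        return CONSTRUCTED_DNS[name]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    print(check_dnsbls("198.51.100.25", resolve=constructed_resolve))
    for line in mx_consistency(["mail.yourdomain.com", "alt.yourdomain.com"],
                               "yourdomain.com", resolve=constructed_resolve):
        print("-", line)
```

With the table above the consistency check reports all three findings from the thread; after the fix Alan describes (drop `alt.yourdomain.com`, set the server FQDN to `mail.yourdomain.com`) the same function returns no issues. For live use, substitute the real MX hostnames and the banner name shown in the server's 220/250 greeting, and drop the `resolve=` argument.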
Thanks Alan...that's SUPER helpful. The time that the listing shows (31 hours) matches almost perfectly with the time when the CEO (!!!) of the company opened a virus (not sure HOW she did it yet...; I will be taking away their users' workstation admin rights, and they can log on with an "install" account only to install software). Given the idea that we have likely cleaned the infection AND that I will change their firewall appliance to only allow port 25 traffic from their server internally, this will hopefully resolve the issue.

The alt domain record is a relic/left-over from when they used to operate out of their home a few years ago. I will either remove that or set it to the same IP.
No problems - the Alt record points to the same IP as mail - you just don't need both and you need to change the FQDN on the Exchange Server (unless you are Exchange 2007 / 2010).
If you are Exchange 2003, then it should be changed.
This client is on Ex2003 (SBS) -- does it have to be changed, or is it recommended?
I would change it otherwise you may have outbound mail-flow issues unless you send all mail to a Smart-Host, but it should still be changed in case you change to using DNS delivery and don't want another headache later.
Open up Exchange System Manager, drill down to your SMTP Virtual Server, right-click onto it, then choose properties, click on the Delivery Tab and then on the Advanced Button and change yourdomain.com to mail.yourdomain.com. Job done.
By default - SBS always just puts yourdomain.com !
Thanks. Do I take any risk by checking the box for "Perform reverse DNS lookup for incoming messages"? Or is that ok, or even desirable?
There is no major risk.  It will slow down incoming mail slightly.
Have a read of the following MS Article please:
http://support.microsoft.com/kb/297412
It is not a massively useful option IMHO.
Ok, thanks Alan. That is exactly why I had turned it on. How CAN I reject mail from servers on my client's Exchange 2003 server, where the PTR/Reverse DNS lookup fails, and the mail is most likely sent from a spambot or spoofed domain?
You can use the In-Built Intelligent Message Filtering to filter spam or simply use a 3rd party tool such as Vamsoft ORF - www.vamsoft.com which is priced at $239 per server and is excellent at removing spam (I use it myself and have installed it for most of my customers servers).
How to use the in-built (free) tools:
http://www.petri.co.il/block_spam_with_exchange_2003.htm &
http://www.petri.co.il/block_spam_with_exchange_2003_imf.htm 
Alan always gives top-notch advice, and I appreciate having him as a valued resource when I have server issues with my clients.
Many thanks - I appreciate your kind words (and the points too) : )
Alan