MichaelVH (Belgium) asked:
Exchange 2003 is blacklisted (spamtrap mail???)

Hey all,

I've encountered a problem lately: at the beginning of the week I received several emails like this when sending mail...

Your message did not reach some or all of the intended recipients.

      Subject:      Test
      Sent:      9/04/2006 14:37

The following recipient(s) could not be reached:
      rec1@dom.com on 9/04/2006 14:37
            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <mydomain.be #5.5.0 smtp;551 Mail from your IP is currently blocked based on RBL listing>


I've contacted my ISP and apparently my IP has been blocked, so I requested to unblock it and, to be sure, I changed the IP of my mail server to another one. To be sure that my Exchange wasn't an open relay I performed some tests (as described in other topics as well) and apparently only authenticated users can connect to the mail server... (Tests from outside using telnet gave the "connection failed" error).

But now, a few days later, I get these error mails again... but now for the second (fixed, btw) IP address. When checking several blacklists (http://www.robtex.com/r/195.162.193.76.html) I saw that it was listed again... But now I have no clue what to do to prevent being blocked again...

I'm quite desperate, as my mail server has been up and running for several months now without any error up till now... I don't get it.


Thanks for the help !

MichaelVH (asker):

And before I forget....

When trying to figure out why I was blacklisted I saw that it had to do with "spamtrap mail received", but I have no clue what it means... Thanks!

Michael

carl_legere:


Assuming you're not relaying, and generally your SMTP queues don't have a couple hundred lines of connections that look illegitimate (indicating that you might be relaying spam), your problem is that use of these blocking mechanisms is on the rise.  You may not be able to directly send email from Exchange connected via your internet service.  Does the ISP say that it is a business connection?  Is it a static IP address?  If you change IPs and the new one is still blocked, it means that a whole range of IPs has been added to RBLs to prevent an ISP who primarily offers safe haven to spammers from moving IPs around as they are blocked.

It is probably best to set up an SMTP connector to finish sending your messages.  Every ISP has to offer its customers an SMTP server, and it is not going to be blocked.  http://www.amset.info/exchange/smtp-connector.asp

MichaelVH (asker):

Hi,

The other IPs in my range aren't blocked... and they are all fixed IPs.

Indeed, it is a business line that I've got, so that shouldn't be the problem.

What I forgot to mention is that I do use an SMTP connector to send my mails... (that's why I don't understand how this could have happened)

When I changed IP it worked fine for 3 days, up till now that is...

Sembee (Simon):

My instinct is that you may have an infected machine inside your network. If you use a single IP address for the entire LAN then all connections coming out of your network will appear to come from the same IP address.
You can keep changing your IP address, but if a machine inside is infected, then you will continue to get listed (and annoy your ISP)

First thing I would do is configure your firewall to block all connections on port 25 - SMTP, except your Exchange server.
If the firewall can do it, then I would also configure Exchange to use an SMTP Connector, then configure the firewall to only allow OUTBOUND SMTP connections to the ISP's server. Inbound should be left alone.
Turn up the logging and wait. An infected machine will show up pretty quickly because it is trying to send messages out.

You aren't on any of the open relay lists, so I don't think it is that, although you could test the machine - see http://www.amset.info/exchange/spam-cleanup.asp for instructions.

You could also scan your entire network for port 25. No workstations should have anything on port 25. If you find anything then you should investigate.

Simon.
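An added example (not from the thread) of the "turn up the logging and wait" step above: it runs over a handful of constructed firewall log lines and reports every LAN host other than the Exchange server (192.168.10.200, from the thread) that opens outbound TCP/25, plus Exchange itself when it bypasses the ISP relay. The log line format and the relay address 198.51.100.25 are assumptions.

```python
"""Find LAN hosts opening outbound SMTP (TCP/25) outside the allowed path.

Added example, not from the thread. Log format is a constructed, simplified
one: "<time> <ALLOW|DENY> <src_ip>:<sport> -> <dst_ip>:<dport>".
"""
import ipaddress
import re
from collections import Counter

LAN = ipaddress.ip_network("192.168.10.0/24")         # from the thread
EXCHANGE = ipaddress.ip_address("192.168.10.200")     # from the thread
ISP_RELAY = ipaddress.ip_address("198.51.100.25")     # assumed (TEST-NET-2)

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def suspicious_smtp_sources(lines):
    """Return {src_ip: count} of outbound TCP/25 attempts that break the
    policy "only Exchange talks SMTP, and only to the ISP relay"."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "25":
            continue  # unparsable line or not SMTP
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src not in LAN or dst in LAN:
            continue  # inbound or LAN-internal traffic is out of scope here
        if src == EXCHANGE and dst == ISP_RELAY:
            continue  # the single permitted outbound SMTP path
        hits[str(src)] += 1  # DENY lines count too: the host is still trying
    return dict(hits)


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2006-04-09T14:37:01 ALLOW 192.168.10.200:3311 -> 198.51.100.25:25",
    "2006-04-09T14:37:02 ALLOW 192.168.10.5:1045 -> 203.0.113.7:25",
    "2006-04-09T14:37:02 ALLOW 192.168.10.5:1046 -> 203.0.113.8:25",
    "2006-04-09T14:37:03 ALLOW 192.168.10.5:1047 -> 203.0.113.9:25",
    "2006-04-09T14:37:04 ALLOW 192.168.10.6:2201 -> 203.0.113.10:80",
    "2006-04-09T14:37:05 DENY  192.168.10.200:3312 -> 203.0.113.11:25",
    "2006-04-09T14:37:06 ALLOW 203.0.113.50:40000 -> 192.168.10.200:25",
]

if __name__ == "__main__":
    for host, n in suspicious_smtp_sources(SAMPLE_LOG).items():
        print(f"{host}: {n} outbound SMTP connection(s) outside policy")
```

A workstation that shows up with many hits in a short window is the infected machine Simon describes; Exchange itself appearing means it is sending direct rather than through the connector.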

MichaelVH (asker):

I'm running a full-scale scan on the entire network as we speak. Hope this helps...

But now a quick question...:
I've got 5 available IPs from my ISP. Would it be better to assign my Exchange an external IP? But the problem resides in this: I've got an SBS2003 running on the server which is also used for print & file sharing... What is the best solution to do so then????

Is this correct?

                   Modem
                     |
                   Switch
                     |
         +-----------+-----------+
         | (195.162.193.74)      | (195.162.193.75)
       Router                  Server SBS2003 (+Exchange)
         | (192.168.10.1)        | (192.168.10.200)
       Switch------------------- +
         |
         +-----------------+
         | (192.168.10.5)  | (192.168.10.6)
     Computer 1        Computer 2


If I design my network as above, won't this be a huge security risk because my server is exposed directly to the internet? Any suggestions?

Sembee (Simon):

It depends on whether your firewall can do a one-to-one NAT. If it can, and you can give the Exchange server its own IP address, then I would do that.
You would then need to get DNS and reverse DNS configured correctly. I like to give the Exchange server its own IP address so that the email flow is separate from the other traffic - particularly web browsing. If the firewall is then advanced enough you can make further restrictions on what can come and go.

Simon.

MichaelVH (asker):

Where in the picture does the firewall come in? My router has a built-in firewall... Do I need to implement another one?

Sembee (Simon):

Router and firewalls are often the same thing.
I usually deploy the Cisco PIX 501/505 which is a firewall with routing capabilities. It depends on what the router is capable of. If it is a consumer level router then you may not have the control that you need.

Simon.

MichaelVH (asker):

Okay, I'm a bit confused now :p

I've got a Cisco 876 router, configured with 2 VLANs (one for the cable internet and one for the internal network)... I've got a SonicWall somewhere I've never used. Would it be better to deploy it as follows?:

                Cisco
                  |
              SonicWall
                  |
                Switch
                  |
           +------+------+
           |             |
        PC1 (.5)    Server1 (.200)


If I'm correct, then the one-to-one NAT makes Server1 appear as 195.162.193.75 and all other traffic as 195.162.193.74, right?

ASKER CERTIFIED SOLUTION: Sembee (United Kingdom)

MichaelVH (asker):

Thanks for the tips, I'll try that and get back to you tonight/tomorrow! Thank you!