Exchange 2003 is blacklisted (spamtrap mail???)

Hey all,

I've encountered a problem lately: at the beginning of the week I received several emails like this when sending mail...

Your message did not reach some or all of the intended recipients.

      Subject:      Test
      Sent:      9/04/2006 14:37

The following recipient(s) could not be reached:
      rec1@dom.com on 9/04/2006 14:37
            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <mydomain.be #5.5.0 smtp;551 Mail from your IP is currently blocked based on RBL listing>


I've contacted my ISP and apparently my IP has been blocked, so I requested to unblock it and, to be sure, I changed the IP of my mail server to another one. To be sure that my Exchange wasn't an open relay I performed some tests (as described in other topics as well) and apparently only authenticated users can connect to the mail server... (Tests from outside using telnet gave the "connection failed" error).

But now, a few days later, I get these error mails again... but now for the second (fixed, btw) IP address. When checking several blacklists (http://www.robtex.com/r/195.162.193.76.html) I saw that it was listed again.... But now I have no clue what to do to prevent being blocked again...

I'm quite desperate as my mail server has been up and running for several months now without any error until now... I don't get it.


Thanks for the help !
MichaelVHAsked:

MichaelVHAuthor Commented:
And before I forget....

When trying to figure out why I was blacklisted I saw that it had to do with "spamtrap mail received", but I have no clue what it means... Thanks!

Michael
0
carl_legereCommented:
Assuming you're not relaying, and generally your SMTP queues don't have a couple hundred lines of connections that look illegitimate (indicating that you might be relaying spam), your problem is that use of these blocking mechanisms is on the rise.  You may not be able to directly send email from Exchange connected via your internet service.  Does the ISP say that it is a business connection?  Is it a static IP address?  If you change IPs and the new one is still blocked it means that a whole range of IPs has been added to RBLs, to prevent an ISP that primarily offers safe haven to spammers from moving IPs around as they are blocked.

It is probably best to set up an SMTP connector to finish sending your messages.  Every ISP has to offer its customers an SMTP server, and it is not going to be blocked.  http://www.amset.info/exchange/smtp-connector.asp

0
MichaelVHAuthor Commented:
Hi,

The other IPs in my range aren't blocked... and they are all fixed IPs.

Indeed it is a business line that I've got, so that shouldn't be the problem.

What I forgot to mention is that I do use an SMTP connector to send my mails... (that's why I don't understand how this could have happened)

When I changed IP it worked fine for 3 days, up till now that is...
0
SembeeCommented:
My instinct is that you may have an infected machine inside your network. If you use a single IP address for the entire LAN then all connections coming out of your network will appear to come from the same IP address.
You can keep changing your IP address, but if a machine inside is infected, then you will continue to get listed (and annoy your ISP)

First thing I would do is configure your firewall to block all connections on port 25 - SMTP, except your Exchange server.
If the firewall can do it, then I would also configure Exchange to use an SMTP Connector, then configure the firewall to only allow OUTBOUND SMTP connections to the ISP's server. Inbound should be left alone.
Turn up the logging and wait. An infected machine will show up pretty quickly because it is trying to send messages out.

You aren't on any of the open relay lists, so I don't think it is that, although you could test the machine - see http://www.amset.info/exchange/spam-cleanup.asp for instructions.

You could also scan your entire network for port 25. No workstations should have anything on port 25. If you find anything then you should investigate.

Simon.
0
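The "turn up the logging and wait" step above can be automated. The following is an added example, not code from the thread or from any participant: it reads firewall connection logs in a constructed, generic "src=... dst=... dport=..." format (real firewalls each have their own syntax, so the regex would need adapting) and flags two things Simon describes: any host other than the Exchange server making outbound TCP/25 connections, and the Exchange server itself talking to anything other than the ISP's SMTP server, which would mean mail is bypassing the SMTP connector. The Exchange address 192.168.10.200 comes from the diagram later in the thread; the ISP relay address is a placeholder from the RFC 5737 documentation range.

```python
import re
from collections import defaultdict

# Internal address of the SBS2003/Exchange server, as drawn in the thread's diagram.
EXCHANGE_SERVER = "192.168.10.200"
# Placeholder for the ISP's SMTP server the connector should deliver to (RFC 5737 doc address).
ISP_SMARTHOST = "203.0.113.25"

# Constructed sample firewall log; not output from any real device.
SAMPLE_LOG = """\
2006-04-09 14:37:01 action=allow proto=tcp src=192.168.10.200 dst=203.0.113.25 dport=25
2006-04-09 14:37:02 action=allow proto=tcp src=192.168.10.5 dst=198.51.100.7 dport=80
2006-04-09 14:37:03 action=allow proto=tcp src=192.168.10.6 dst=198.51.100.20 dport=25
2006-04-09 14:37:03 action=allow proto=tcp src=192.168.10.6 dst=198.51.100.21 dport=25
2006-04-09 14:37:04 action=allow proto=tcp src=192.168.10.6 dst=198.51.100.22 dport=25
2006-04-09 14:37:05 action=allow proto=tcp src=192.168.10.200 dst=203.0.113.25 dport=25
2006-04-09 14:37:06 action=allow proto=tcp src=192.168.10.200 dst=198.51.100.99 dport=25
2006-04-09 14:37:07 action=allow proto=udp src=192.168.10.5 dst=192.168.10.1 dport=53
"""

# Assumed log layout: timestamp, then key=value fields. Adapt for a real firewall's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def parse_lines(text):
    """Yield one dict per parsable log line; silently skip lines in another format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_smtp_offenders(text, exchange=EXCHANGE_SERVER, smarthost=ISP_SMARTHOST):
    """Report hosts that should not be sending mail directly to the internet.

    Returns {"rogue": {src: {"count": n, "dests": [...]}},
             "direct_from_exchange": [dst, ...]}
    'rogue' is every non-Exchange source seen on outbound TCP/25 (an infected
    workstation shows up here with a high count and many distinct destinations);
    'direct_from_exchange' lists TCP/25 destinations of the Exchange server other
    than the ISP relay, i.e. mail that is not going through the SMTP connector.
    """
    rogue = defaultdict(lambda: {"count": 0, "dests": set()})
    direct = set()
    for rec in parse_lines(text):
        if rec["proto"].lower() != "tcp" or rec["dport"] != "25":
            continue
        if rec["src"] == exchange:
            if rec["dst"] != smarthost:
                direct.add(rec["dst"])
        else:
            rogue[rec["src"]]["count"] += 1
            rogue[rec["src"]]["dests"].add(rec["dst"])
    # Sort sets into lists so the output is deterministic and easy to diff between runs.
    return {
        "rogue": {src: {"count": v["count"], "dests": sorted(v["dests"])}
                  for src, v in sorted(rogue.items())},
        "direct_from_exchange": sorted(direct),
    }


if __name__ == "__main__":
    report = find_smtp_offenders(SAMPLE_LOG)
    for src, info in report["rogue"].items():
        print(f"rogue SMTP sender {src}: {info['count']} connections to {info['dests']}")
    for dst in report["direct_from_exchange"]:
        print(f"Exchange sent directly to {dst}, bypassing the ISP relay {ISP_SMARTHOST}")
```

In the sample, 192.168.10.6 is caught fanning out to three different mail servers in two seconds, which is the pattern a mass-mailing infection produces, while the workstation on .5 only does web and DNS and is not reported. Once the firewall rule Simon describes (outbound 25 only from the Exchange server, only to the ISP) is in place, the same script run over the deny log shows which hosts are still trying.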
MichaelVHAuthor Commented:
I'm running a full-scale scan on the entire network as we speak. Hope this helps...

But now a quick question... :
I've got 5 available IPs from my ISP. Would it be better to assign my Exchange an external IP? But the problem resides in this: I've got SBS2003 running on the server, which is also used for print & file sharing... What is the best solution to do so then?

Is this correct?

                    Modem
                      |
                    Switch
                      |
          ------------------------------
          | (195.162.193.74)            | (195.162.193.75)
        Router                     Server SBS2003 (+Exchange)
          | (192.168.10.1)              | (192.168.10.200)
        Switch------------------------
          |
          ------------------------------
          | (192.168.10.5)              | (192.168.10.6)
        Computer 1                 Computer 2


If I design my network as above, won't this make a huge security risk because my server is exposed directly to the internet? Any suggestions?
0
SembeeCommented:
It depends on whether your firewall can do a one-to-one NAT. If it can, and you can give the Exchange server its own IP address, then I would do that.
You would then need to get DNS and reverse DNS configured correctly. I like to give the Exchange server its own IP address so that the email flow is separate from the other traffic - particularly web browsing. If the firewall is then advanced enough you can make further restrictions on what can come and go.

Simon.
0
MichaelVHAuthor Commented:
Where in the picture does the firewall come in? My router has a built-in firewall... Do I need to implement another one?
0
SembeeCommented:
Routers and firewalls are often the same thing.
I usually deploy the Cisco PIX 501/505 which is a firewall with routing capabilities. It depends on what the router is capable of. If it is a consumer level router then you may not have the control that you need.

Simon.
0
MichaelVHAuthor Commented:
Okay, I'm a bit confused now :p

I've got a Cisco 876 router, configured with 2 VLANs (one for the cable internet and one for the internal network)... I've got a SonicWall somewhere I've never used. Would it be better to deploy it as follows? :

                    Cisco
                      |
                  SonicWall
                      |
                    Switch
                      |
              ---------------
              |             |
           PC1 (.5)    Server1 (.200)


If I'm correct then the one-to-one NAT makes Server1 appear as 195.162.193.75 and all other traffic as 195.162.193.74, right?
0
SembeeCommented:
With NAT, if you have a single IP address then all traffic coming out of the network appears to come from that single IP. The router will translate the return traffic to send it to the correct internal IP address.

A one to one NAT does pretty much as you have said - it is an external IP address that is exclusive to a single device.

I haven't worked with a Cisco 876, but from a quick look at the Cisco web site it looks like it would do everything that you need. You shouldn't need to configure anything else.

It will just be a matter of getting into the configuration of the device and setting the rules as required. If you have the device on a support contract from Cisco, then I would give Cisco support a call. Their support is the best I have ever worked with.

Simon.
0
MichaelVHAuthor Commented:
Thanks for the tips, I'll try that and get back to you tonight/tomorrow! Thank you!
0