Solved

Exchange 2003 blacklisted

Posted on 2006-11-28
7
431 Views
Last Modified: 2010-03-06
I am new to exchange 2003, Since we have made the cut to it I have been blacklisted about every 3 days or so. I need help in trying to track down the problem. I have tested for open relays and have found none. when i was using exchange 2000 I never had any issues. Please Help!!!!

Thanks
Chad Logan
Network Administrator
Tiffin Motorhomes Inc.
0
Comment
Question by:tiffinIT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 18027991
What is the reason for blacklisting? They will usually tell you.

Has the server been secured?
Do you have lots of messages in your queues?
Are you trying to send NDRs for non-valid users?

Simon.
0
 

Author Comment

by:tiffinIT
ID: 18028177
I am recieving bounce messages that give me the listing site, but I went to the mx toolbox site and did a quey and it displayed anll of the listing sites that i have been listed on. We do not do mass mailing or anything of that nature. Can you elaborate more on securing the server. I am checking the queues now to see how the message loads look. I am not sending Ndr's .  Is it possilbe that it is not coming from my servers? Maybe spoofing or someone internally has spyware that is sending out of that external ip
0
 
LVL 104

Accepted Solution

by:
Sembee earned 500 total points
ID: 18028682
If you only have a single IP address and are sharing it, then there is always the possibility that you have a compromised machine on your network. Quickest way to spot that is to block port 25 for all traffic except the Exchange server and see what is logged in the firewall. A compromised machine will quick show up.

Exchange is relay secure by default, but there are other attacks that can be made on Exchange.
The main two are NDR attacks and authenticated user.

NDR attacks is where email is sent to your server with non-valid users on purpose. The server then bounces the email back to the "sender" which is spoofed and is the real target. Enabling the recipient filter and tar pit deals with those.

Authenticated user is where relaying is allowed in Exchange if a valid username and password is used. The usual target is the administrator account. You can change the default settings of Exchange so that authenticated users cannot relay, or a small subset are able to.

http://www.amset.info/exchange/smtp-relaysecure.asp
http://www.amset.info/exchange/filter-unknown.asp

Simon.
0
Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

 

Expert Comment

by:ndbuster
ID: 18029459
I've been thru a similar problem. We changed the Global Public address for port 25 on the firewall to a different address. Once that was changed, the black lists do not have that address and you are no longer black listed. However you may get blacklisted again...so locking down port 25 so that only 1 or 2 exchange bridgehead servers can send outbound email is a great idea.

This prevents any potentially infected machines with SMTP engines from sending email. Also be sure that SMTP is set to send mail for only "authenticated" users. If you already checked for an open relay that is good becuase you don't want an open relay internally or especially externally.

If you do need to relay internally, then add the IP addresses of those machines that cannot authenticate and need to relay to the SMTP virtual server.
0
 
LVL 23

Expert Comment

by:Stacy Spear
ID: 18030229
I would also lock down 587. Some bots use that because most network guys worth half their weight in salt know to check 25 and to lock it.

I would also add a SPF to your DNS record. So that anyone doing RDNS can see that what is your authorized sending server. MS got a wizard here for doing so http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/default.aspx
0
 

Author Comment

by:tiffinIT
ID: 18030596
i have locked down port 25 a long time ago i will try to lock down port 587. I went into the pix and did a show port on port 25 and found 2 internal ips flooding it with traffic. SO i am going to look at those machines first and see if that is the cause of my problems.
0
 
LVL 23

Expert Comment

by:Stacy Spear
ID: 18030804
SPF won't help in this case, since all traffic is coming from the pix. Still good to have it.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
This video discusses moving either the default database or any database to a new volume.
Suggested Courses

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question