  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1265

On spam List, how can I determine if we are sending spam

Our Nat public ip address was put on a public spam list. We run Exchange 2003  on a windows 2003 server.  We have a barracuda 300  spam firewall (running in inbound mode).  We have a symantec 5420 firewall appliance.

What steps can I follow to determine if it possible we are sending out spam without my knowledge?  I also worry it may be coming from a machine other than my exchange server.

Or what configuration changes can I make to ensure all emails are only coming from our exchange server?
Asked by lkg115
2 Solutions
 
SembeeCommented:
You should configure your firewall to block all port 25 traffic that tries to leave your network, except for those devices that should be sending the messages. That will show a compromised machine very quickly.

Simon.
0
 
tron121Commented:
I agree with Sembee, tighten up your outbound filtering. Make sure you are saving your firewall logs too.
Once you have your new filter in place, make sure you test that the denied packets are indeed being logged. You can try this by opening a cmd window on a PC and typing "telnet mail.sonic.net 25": if you get a response from the mail server your filter is not working; if you don't get a response, look for the block message in your firewall logs.

Most firewalls have the capability to output syslog logging. I recommend the free syslog tool Kiwi Syslog (http://www.kiwisyslog.com/kiwi-syslog-daemon-overview/).

Syslog logs are saved as .txt files and are easily searchable with notepad or even windows search. It makes it very easy to find problems like you are experiencing.
0
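As an added example (not code from the thread, and not from any product mentioned in it), here is a small Python script that does what tron121 describes once syslog logging is switched on: it reads firewall log lines, lists every internal host that tried to reach TCP/25 other than the authorised mail server, and separately flags any such host whose connection was PERMITted, which means Sembee's egress rule is not actually enforced. The log line format, the 10.1.1.5 address assumed for the Exchange server and the sample lines are all constructed for the demonstration; a real Symantec or other firewall syslog format needs its own regex.

```python
"""Find internal hosts attempting outbound SMTP (TCP/25) that are not the
authorised mail server, from syslog-style firewall log lines.

Added example, not from the original thread. The log format below is
constructed to resemble a generic firewall permit/deny syslog line; real
appliances (Symantec, Cisco ASA, iptables, ...) each have their own format,
so adapt LOG_RE to yours.
"""
import re
from collections import Counter, defaultdict

# Hosts allowed to speak SMTP to the outside. Assumption: the Exchange server
# is 10.1.1.5 (the thread only says the 10.1.1.0 subnet is in the relay list).
ALLOWED_SMTP_SOURCES = {"10.1.1.5"}

# Constructed line shape:
#   Mar 14 09:12:01 fw01 fw: DENY TCP 10.1.1.77:1034 -> 64.233.187.27:25
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ fw: "
    r"(?P<action>DENY|PERMIT) TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def smtp_offenders(lines, allowed=ALLOWED_SMTP_SOURCES):
    """Return {src_ip: {"attempts": n, "destinations": set, "actions": Counter}}
    for every source that tried to reach TCP/25 and is not in `allowed`.
    A workstation with many attempts to many distinct MX hosts is the
    classic signature of a spam bot sending directly."""
    report = defaultdict(
        lambda: {"attempts": 0, "destinations": set(), "actions": Counter()}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != 25:
            continue
        if rec["src"] in allowed:
            continue
        entry = report[rec["src"]]
        entry["attempts"] += 1
        entry["destinations"].add(rec["dst"])
        entry["actions"][rec["action"]] += 1
    return dict(report)


def rule_gaps(report):
    """Sources that were PERMITted on port 25 although they are not allowed:
    the egress filter is not doing its job for these."""
    return sorted(src for src, r in report.items() if r["actions"]["PERMIT"] > 0)


# Constructed sample log: one legitimate server, one bot-like workstation that
# is being blocked, and one workstation that is slipping through the filter.
SAMPLE_LOG = """\
Mar 14 09:12:01 fw01 fw: PERMIT TCP 10.1.1.5:3201 -> 208.201.224.11:25
Mar 14 09:12:03 fw01 fw: DENY TCP 10.1.1.77:1034 -> 64.233.187.27:25
Mar 14 09:12:03 fw01 fw: DENY TCP 10.1.1.77:1035 -> 65.54.244.8:25
Mar 14 09:12:04 fw01 fw: PERMIT TCP 10.1.1.77:1036 -> 80.12.242.5:80
Mar 14 09:12:09 fw01 fw: DENY TCP 10.1.1.77:1040 -> 216.239.37.25:25
Mar 14 09:12:11 fw01 fw: PERMIT TCP 10.1.1.23:2210 -> 208.201.224.11:25
Mar 14 09:12:15 fw01 fw: DENY TCP 10.1.1.5:3202 -> 10.1.1.1:53
"""

if __name__ == "__main__":
    rep = smtp_offenders(SAMPLE_LOG.splitlines())
    for src, r in sorted(rep.items(), key=lambda kv: -kv[1]["attempts"]):
        print(f"{src}: {r['attempts']} attempts to {len(r['destinations'])} "
              f"MX hosts, actions={dict(r['actions'])}")
    print("egress rule not enforced for:", rule_gaps(rep))
```

Run it against a day of exported syslog text rather than the sample; any workstation at the top of the list is the machine to pull off the network and inspect, and a non-empty "egress rule not enforced" list means the firewall rule needs fixing before the logs can be trusted.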
 
lkg115Author Commented:
I have the firewall locked down; SMTP traffic should only be allowed from the Exchange server. We have Exchange 2003. On the Exchange server I have relays only for computers in the list 10.1.1.0, and I allow relaying if successfully authenticated regardless of the above computer list. Is there something I am overlooking?
0

 
tron121Commented:
If the RBL you are listed on can give you an example email of abuse, try and look at the headers, then correlate it to your firewall logs to see when the email was sent through the Exchange server. Once you have that nailed down, use the Message Tracking Center in Exchange System Manager to find out how the message was submitted (from what PC/user).

99% of the time spyware will send the spam out directly. It's not common for it to use MAPI and Outlook to send it out through the Exchange server....
0
 
SembeeCommented:
I wouldn't recommend allowing relaying by IP address. That can easily turn the server into an open relay. Some firewalls handle NAT traffic in such a way that external traffic looks like it is coming from the firewall's internal IP address.

Ideally all relaying should be controlled by authentication only, with the administrator account excluded from being used under any circumstances.
If you have applications that need to relay through your Exchange server (by that I mean send to external email addresses - sending to internal email addresses does not require relaying settings) then use a second SMTP virtual server that is not exposed to the internet.

Simon.
0
 
lkg115Author Commented:
Here is what the listing website said (i.e. why we ended up on the list):

XX.xx.xx.xx  appeared to be suspicious because it was using the following name to identify itself during email (port 25) connections via the SMTP HELO/EHLO commands:

      h-XX-XX-XX-XX.sfldmidn.covad.net          (where XX-XX-XX-XX is our NATed external IP address)

This MAY have been spamware, or it would be a misconfiguration in your mail server.  The CBL attempts to distinguish real mail server software from malware SMTP clients by expecting users to name their mail server[s] to indicate who _they_ are, not some random home PC in a generic end-user pool that's probably infected.

By causing your mail server to claim to be, for example,

mail.<your domain>

Chances are you won't be relisted.

Can someone help me figure out what I need to do to configure my exchange server correctly...


0
 
SembeeCommented:
Put your domain in to dnsreport.com and see what it flags in the mail server section.
Do you route email out through the appliance? If not then you may want to consider doing that. Use a smart host on an SMTP Connector to do that. http://www.amset.info/exchange/smtp-connector.asp
On the appliance, ensure that its HELO/EHLO is configured to match your DNS and reverse DNS for your MX records.

Simon.
0
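The CBL text quoted above and Sembee's advice here amount to one check: whatever host announces itself on port 25 from your public IP should use a name in your own domain, that name should resolve forward to the IP, and the IP's PTR should point back at the name. As an added example (not code from the thread, the CBL, or Exchange), the Python below applies those checks to a HELO string. DNS answers come from a small in-memory stand-in so it runs offline; the domain example.com, the address 203.0.113.10 and the pool-name patterns are constructed assumptions and not the original poster's values.

```python
"""Check an SMTP HELO/EHLO name the way the CBL listing quoted in this
thread implies: a host name in your own domain (not an IP literal or an
ISP pool name) that resolves to the sending IP and agrees with its PTR.

Added example, not from the thread. DNS is replaced by FakeResolver so
the script runs offline; swap in real lookups (e.g. dnspython) in use.
"""
import re
import ipaddress

# Constructed heuristics for "generic end-user pool" names, modelled on the
# h-XX-XX-XX-XX.<isp> name quoted in the thread. Not the CBL's real rules.
POOL_PATTERNS = [
    re.compile(r"^h-\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}\."),   # h-1-2-3-4.isp.net
    re.compile(r"^(?:\d{1,3}-){3}\d{1,3}\."),              # 1-2-3-4.isp.net
    re.compile(r"(?:dsl|dyn|dynamic|dhcp|pool|cable|ppp)[-.]", re.I),
]


class FakeResolver:
    """Stand-in for DNS: forward A records (name -> IPs) and PTR (ip -> name)."""

    def __init__(self, a, ptr):
        self.a = a
        self.ptr = ptr

    def lookup_a(self, name):
        return set(self.a.get(name.lower().rstrip("."), ()))

    def lookup_ptr(self, ip):
        return self.ptr.get(ip)


def check_helo(helo, sending_ip, my_domain, resolver):
    """Return a list of findings; an empty list means the HELO passes."""
    findings = []
    helo = helo.strip().rstrip(".")

    # 1. A bare or bracketed IP literal is the classic misconfiguration.
    try:
        ipaddress.ip_address(helo.strip("[]"))
        findings.append("HELO is an IP literal, not a host name")
        return findings
    except ValueError:
        pass

    # 2. Must be fully qualified.
    if "." not in helo:
        findings.append("HELO is not fully qualified")

    # 3. Must not look like an ISP/end-user pool name.
    if any(p.search(helo) for p in POOL_PATTERNS):
        findings.append("HELO looks like a generic ISP/end-user pool name")

    # 4. Should identify *you*: a name under your own domain.
    if not helo.lower().endswith("." + my_domain.lower()):
        findings.append(f"HELO is not under {my_domain}")

    # 5. Forward DNS must point at the IP the mail actually leaves from.
    if sending_ip not in resolver.lookup_a(helo):
        findings.append("HELO name does not resolve to the sending IP")

    # 6. Reverse DNS of the sending IP should agree with the HELO.
    ptr = resolver.lookup_ptr(sending_ip)
    if ptr is None:
        findings.append("sending IP has no PTR record")
    elif ptr.lower().rstrip(".") != helo.lower():
        findings.append(f"PTR for {sending_ip} is {ptr}, not the HELO name")

    return findings


# Constructed DNS data: one correctly published mail host.
RESOLVER = FakeResolver(
    a={"mail.example.com": {"203.0.113.10"}},
    ptr={"203.0.113.10": "mail.example.com"},
)

if __name__ == "__main__":
    for helo in ("h-203-0-113-10.pool.isp.example", "[203.0.113.10]",
                 "exchange", "mail.example.com"):
        result = check_helo(helo, "203.0.113.10", "example.com", RESOLVER)
        print(f"{helo:36} -> {result or 'OK'}")
```

The name to test is whatever the sending host really announces, which you can read from the "Received:" header on a message delivered to an external mailbox; check it separately for Exchange (FQDN on the SMTP virtual server's Advanced Delivery page) and for the Barracuda if outbound mail is routed through it, since the two can disagree. Note that getting the PTR fixed is usually a ticket to the ISP, not a setting on your own server.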
 
lkg115Author Commented:
I do not have email routed through our Barracuda firewall. However, I may investigate doing that if it can eliminate the problem with the server sending out spam. I have yet to find any trojans on the server. The DNS report shows that everything is OK with my mail setup. However, for whatever reason, extensive open relay tests do not work.

As i side note...on my exchange server I see a process named esmta.exe. Is this the culprit?

 
0
 
lkg115Author Commented:
I meant to say the process is emsmta.exe... is this the culprit?
0
 
SembeeCommented:
emsmta.exe is part of Exchange.
If you find something that you don't recognise, just put it in to Google. Legitimate file names will quickly show.
For example:
http://www.google.co.uk/search?hl=en&q=emsmta.exe

You either have to route email through the appliance, or the server needs to be configured correctly. However if the server does not receive email then you will fail some antispam tests. It is becoming more common to do a call back, where the server you are sending to tries to connect back. The theory is that a compromised home user will not have port 25 open for inbound traffic.

Simon.
0
 
tron121Commented:
At this point it does not appear that you are sending spam. What the message from the CBL is stating is that your configuration is suspicious and therefore they are blocking you as a precaution.

Check the following...
Open Exchange System Manager and go to SERVERNAME -> Protocols -> SMTP -> Default SMTP Virtual Server properties -> Delivery page -> Advanced; on the Advanced Delivery page check the FQDN (Fully Qualified Domain Name) of the server. Make sure this is your mail server, i.e. "server.company.com". I believe this is where you set the identity info. If I am correct you should currently see h-XX-XX-XX-XX.sfldmidn.covad.net here.

You mentioned you don't have your email coming into the barracuda, are your users checking email with POP3 and just storing it on the exchange server?


0
 
lkg115Author Commented:
The FQDN is my mail server. Incoming mail is coming into the Barracuda and then forwarded to Exchange. However, I have the appliance in inbound mode and am not forwarding all email through it outbound. I did reconfigure the Barracuda to not send out NDRs. I am not sure if that may have triggered the problem.
0
 
SembeeCommented:
Is the server announcing itself as the IP address version of the DNS name as you have outlined above (i.e. you have changed it to match) or the FQDN on your own domain, so host.domain.com?
The error message would tend to indicate the former.

You need to check both Exchange if it is sending email directly and the appliance.

Simon.
0
