• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 493
  • Last Modified:

Blacklisted Help

Hello I work for a small consulting company and earlier today we got a call from a client who said their ISP called them to let them know that spam was being sent from their network. I went to the client and ran some scans using wireshark and did not see any mail traffic being sent from anything other than the mail server. The mail server is running Groupwise 7 on a Windows 2003 server. We have an adtran netvanta 2054 firewall and I looked at the allowed connections and did not see anything out of the ordinary. Just to be safe I locked down port 25 outbound on the firewall for everything except the mail server. I looked at our CA Etrust ITM 8.1 logs and did not see any new virus or pest activity on the network(That CA knows about anyway).  I updated signatures and ran manual virus and pest scans on the mail server which did not find anything. I made sure message relaying was turned off which it was. I then sat there and scratched my head. I called the ISP thinking maybe they could give me some helpful information and they couldn't. By now they had been blacklisted by spamhaus and most of their sent messages were undeliverable. I sent a request for removal to spamhaus and went to iptools.com and checked our MX records and everything was in order. Anyone have any ideas of what else to look into?  Thanks. Also nothing has changed recently. We did upgrade to a new mail server but that was 2-3 months ago. Also it was not my idea to put groupwise on a windows server. lol
0
cwilhelm83
Asked:
cwilhelm83
4 Solutions
 
ChiefITCommented:
You may have a server that is a comprimised open relay.
 http://en.wikipedia.org/wiki/Open_mail_relay

How to use IIS to configure DNS relay of mail.
http://support.microsoft.com/kb/230235
0
 
Justin DurrantSr. Engineer - Windows Server/VirtualizationCommented:
0
 
billmercerCommented:
"did not see any mail traffic being sent from anything other than the mail server."

Definitely sounds like an open relay to me.
0
 
upul007Commented:
use www.dnsstuff.com to run a report on your domain. I think they still give you five free trial runs. the tool is DNS report

This can also happen if your domain is spoofed by someone. set up a SPF record for the domain (www.openspf.org)

Also, you are not responsible if the receiving side cannot do a thorough check from their side but you may suffer is they list you as an openrelay, specially on to a hared DB. Then you need to prove your domains good and get them to set up specific checks when accepting email.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now