Solved

Using SBS 2003 R2 standard, we are on an RBL, now what?

Posted on 2008-10-16
10
415 Views
Last Modified: 2012-05-05
People are getting messages when they try to send out through our Exchange server that's part of our SBS 2003 R2 standard network (with 2 nics).

            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <exchange.ourdomain.com #5.5.0 smtp;550-"JunkMail rejected - (exchange.ourdomain.com) [74.94.39.2]:37448 is in an>

checking mxtoolbox.com, it says we are on some black lists.

That likely means a machine on the network is infected with a bot, right?  There are 35 machines on the network, so any advice on how to proceed?

1 list said the IP was added last night at 7:30PM.

Some people VPN into the office (they have laptops, so they don't have a machine in the office to connect to with RWW).   If they are using their home machine to connect, and that home machine is infected, checking the office machines won't turn this up, and how quickly does something get added to the RBLs?  Would a connection at 7PM be to blame?

Another question: how do we have Exchange use the RBLs to help cut down spam coming into our machine?

thanks!
0
Comment
Question by:babaganoosh
10 Comments
 
LVL 6

Accepted Solution

by:
DewFreak earned 100 total points
ID: 22730728
First I would implement a firewall filter that will only allow outbound mail to come from your mail server.  Basically shut down port 25 outbound from your network except from your mail server.  This should stop rogue trojans unless they are relaying via your Exchange server.  Using your firewall may help you find which host is infected.  Do you have any monitoring tools with your firewall?
0
 
LVL 18

Assisted Solution

by:flyingsky
flyingsky earned 400 total points
ID: 22730751
If your IP is blacklisted, it usually means somebody internal is trying to send out spam emails. To find out who, I would start with the "relay" setting first; make sure your Exchange is not used as an open relay.
To answer your question about how you can use an RBL, that depends on what anti-spam you are using. It's usually the anti-spam software that uses the RBL.
0
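Whatever software does the lookup, the mechanics of an RBL check are the same, and the block below, an added example that is not code from this thread or from any of the products mentioned in it, shows them: the octets of the connecting IP are reversed, prefixed to the provider's DNS zone, and the A record is queried. No answer means "not listed"; an answer in 127.0.0.0/8 means "listed", with the last octet carrying a provider-specific reason code. The zone name `rbl.example.invalid` is a constructed placeholder, and the resolver is injectable so the logic can be exercised offline (the default resolver uses the system DNS).

```python
"""DNSBL (RBL) lookup written out step by step.

Added example, not code from the original thread. The zone below is a
constructed placeholder; substitute the zone of the provider you use and
take the meaning of each 127.0.0.x return code from that provider's docs.
"""
import ipaddress
import socket
from typing import Callable, Optional

# Constructed placeholder zone (not a real block-list provider).
EXAMPLE_ZONE = "rbl.example.invalid"

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def rbl_query_name(ip: str, zone: str) -> str:
    """Return the DNS name to look up for `ip` in block-list `zone`.

    74.94.39.2 in zone Z becomes 2.39.94.74.Z (octets reversed).
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def _default_resolve(name: str) -> Optional[str]:
    """Resolve `name` to an IPv4 string via system DNS, or None if it does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zone: str,
             resolve: Callable[[str], Optional[str]] = _default_resolve) -> Optional[str]:
    """Return the listing code (e.g. '127.0.0.2') if `ip` is listed in `zone`, else None.

    An answer outside 127.0.0.0/8 is treated as "not listed": it usually means
    the zone is being wildcarded (a retired provider or a captive DNS resolver)
    rather than a real listing, and acting on it would reject legitimate mail.
    """
    answer = resolve(rbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) in LISTED_RANGE:
        return answer
    return None


def smtp_decision(ip: str, zone: str,
                  resolve: Callable[[str], Optional[str]] = _default_resolve) -> str:
    """The decision a receiving MTA's connection filter makes from the lookup."""
    code = check_ip(ip, zone, resolve)
    if code is None:
        return "250 accept"
    return f"550 5.7.1 connection from {ip} refused: listed in {zone} ({code})"


if __name__ == "__main__":
    # Offline demonstration with a constructed lookup table standing in for DNS.
    table = {"2.39.94.74." + EXAMPLE_ZONE: "127.0.0.2"}
    print(rbl_query_name("74.94.39.2", EXAMPLE_ZONE))
    print(smtp_decision("74.94.39.2", EXAMPLE_ZONE, table.get))
    print(smtp_decision("192.0.2.1", EXAMPLE_ZONE, table.get))
```

The same reversed-octet query is what you can run by hand with `nslookup` to confirm a listing before asking a provider for removal; the sending side can check its own public IP this way, and the receiving side applies the `550` branch to connecting clients.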
 

Author Comment

by:babaganoosh
ID: 22730772
I'm trying to learn how to have avoided this, so any tips along that route would be appreciated.

Don't allow VPN? (Any way to make sure connecting machines are clean?)

The RBL said it was added at 7PM GMT, which would be about 1PM Eastern time, but people didn't have problems till this AM.  Are the domains we are sending to not using that specific RBL?

How long does it take to fall off these lists / how long will we not be able to send out mail?  Is there a workaround?

thanks!
0
 

Author Comment

by:babaganoosh
ID: 22730802
I just realized: this IP address comes into a router and is shared with other tenants in the building, so it could be any machine on the network (our network or another in the building!?)

We have VERY rudimentary routers.  How can we sniff the main line going out for spam?
0
 
LVL 18

Assisted Solution

by:flyingsky
flyingsky earned 400 total points
ID: 22730866
Different RBLs have different rules. You need to check with them.
If you and the other tenants of that building are sharing the same public IP, then you will have no idea who really is the spammer unless you also have admin access to their mail servers. (By the way, this is a really BAD setup; why do you do that?)
0
 

Author Comment

by:babaganoosh
ID: 22731315
Why did we do it?  The owner thought it'd be a good marketing feature to include. I think electric is included (each tenant is not metered).  Same thing with web: it's a utility / needed feature?  One less thing a tenant needs to deal with when moving in?  Again, like electric, it's already working.

Going forward, maybe that'll have to change.  but for now, the owner / my boss's business is the only 1 with the sbs standard with Exchange.  we have trend 3.6 on the server and our machines.  don't know what internet security the other tenants have (way too small to have exchange, I do know that).

So the static IP feed comes out of the Comcast modem, into a Linksys router, to share to the tenants and us (192.168.1.0/24).  Then, to keep tenants from getting into our network, we have a Netgear firewall router.

I can get another IP address for the tenants, I guess?  Then 2 routers connected to a switch connected to the modem?  Each router would have a static IP on the WAN?

So let's say we do that and get the non-SBS users off our IP.  Then what?  How to troubleshoot this on JUST an SBS network?
0
 
LVL 18

Assisted Solution

by:flyingsky
flyingsky earned 400 total points
ID: 22731658
"How to troubleshoot this on JUST an SBS network."
Well, as I suggested, the first step is to make sure your Exchange is not used as an open relay.
0
 

Author Comment

by:babaganoosh
ID: 22732665
Based on this doc:

http://www.amset.info/exchange/spam-cleanup.asp

it is not set as a relay.  I did turn on the diagnostic logging.

I checked Trend's control panel and the machines it knows about look OK (online, virus defs are current, etc.).

Looking at the DHCP server, there are no machines that are not on the Trend list (we only have 30 or so machines). Is there an easier way to see that only protected machines are on the network?  Someone bringing in their own PC would get a DHCP address but might not have Trend on it.

any advice on next steps?
0
 
LVL 18

Assisted Solution

by:flyingsky
flyingsky earned 400 total points
ID: 22733736
Check your queues in Exchange. Does anything look weird?
0
 

Author Comment

by:babaganoosh
ID: 22737367
No.  I'm thinking, how do you track down a bot-infected PC without going to each one?  A packet sniffer app on the SBS to see all traffic going through the SBS to the WAN?
0
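The firewall-side approach suggested earlier in the thread (only the mail server may talk outbound on TCP/25) and the "how do we find the bot without visiting every PC" question above come together in the same place: the log of LAN-to-Internet connections. The block below is an added example, not code from this thread or from any of the products named in it. It parses constructed syslog-style firewall lines, keeps only TCP/25 flows leaving the LAN, ignores the mail server, and ranks the remaining internal hosts by how many distinct external destinations they contacted. The log format, the LAN prefix `192.168.1.` and the mail server address `192.168.1.10` are assumptions for the example; adjust `LOG_PATTERN` to the real device's output.

```python
"""Find internal hosts other than the mail server making outbound SMTP (TCP/25)
connections, from firewall connection logs.

Added example, not code from the original thread. Log format, LAN prefix and
mail-server address are constructed assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

MAIL_SERVER = "192.168.1.10"   # assumed: the only host that should send SMTP outbound
LAN_PREFIX = "192.168.1."      # assumed LAN (192.168.1.0/24)

# Assumed key=value syslog style; one line per connection attempt.
LOG_PATTERN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?"
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+) dst=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"proto=(?P<proto>\w+) spt=(?P<spt>\d+) dpt=(?P<dpt>\d+)"
)

# Constructed sample log: the mail server, a web client, one host fanning out
# to three MX hosts, one host making a single SMTP connection, and a LAN-internal
# submission to the mail server.
SAMPLE_LOG = """\
Oct 16 13:02:11 fw kernel: FORWARD src=192.168.1.10 dst=203.0.113.25 proto=TCP spt=50012 dpt=25
Oct 16 13:02:13 fw kernel: FORWARD src=192.168.1.42 dst=198.51.100.7 proto=TCP spt=1034 dpt=80
Oct 16 13:02:14 fw kernel: FORWARD src=192.168.1.57 dst=203.0.113.9 proto=TCP spt=1080 dpt=25
Oct 16 13:02:14 fw kernel: FORWARD src=192.168.1.57 dst=203.0.113.77 proto=TCP spt=1081 dpt=25
Oct 16 13:02:15 fw kernel: FORWARD src=192.168.1.57 dst=198.51.100.200 proto=TCP spt=1082 dpt=25
Oct 16 13:02:16 fw kernel: FORWARD src=192.168.1.10 dst=198.51.100.30 proto=TCP spt=50013 dpt=25
Oct 16 13:02:17 fw kernel: FORWARD src=192.168.1.88 dst=203.0.113.5 proto=TCP spt=2000 dpt=25
Oct 16 13:02:18 fw kernel: FORWARD src=192.168.1.42 dst=192.168.1.10 proto=TCP spt=1035 dpt=25
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_PATTERN.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def outbound_smtp(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each internal source except the mail server to the external
    SMTP destinations it connected to. Non-TCP, non-25 and LAN-internal
    flows are ignored."""
    suspects: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] != 25:
            continue
        if not rec["src"].startswith(LAN_PREFIX) or rec["dst"].startswith(LAN_PREFIX):
            continue  # only LAN -> Internet flows matter here
        if rec["src"] == MAIL_SERVER:
            continue  # the mail server is supposed to do this
        suspects[rec["src"]].add(rec["dst"])
    return dict(suspects)


def rank_suspects(lines: Iterable[str]) -> List[Tuple[str, int]]:
    """Hosts ordered by number of distinct external SMTP destinations.
    A spam bot fans out to many MX hosts; a one-off misconfiguration
    usually hits one, so fan-out is the first thing to look at."""
    found = outbound_smtp(lines)
    return sorted(((host, len(dsts)) for host, dsts in found.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for host, count in rank_suspects(SAMPLE_LOG.splitlines()):
        print(f"{host}: {count} external SMTP destination(s)")
```

Once the egress rule "TCP/25 out only from the mail server" is in place, the same log keeps working as a detector: any line from another host is a blocked attempt, so a host that keeps showing up is the one to pull off the network and inspect. This also answers the shared-IP concern in the thread, because the filter and the log live on the router in front of the SBS network and see only that network's traffic.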
