Solved

Using SBS 2003 R2 standard, we are on an RBL, now what?

Posted on 2008-10-16
10 Comments · Medium Priority · 419 Views
Last Modified: 2012-05-05
People are getting messages when they try to send out through our Exchange server that's part of our SBS 2003 R2 standard network (with 2 nics).

            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <exchange.ourdomain.com #5.5.0 smtp;550-"JunkMail rejected - (exchange.ourdomain.com) [74.94.39.2]:37448 is in an>

Checking mxtoolbox.com, it says we are on some blacklists.

That likely means a machine on the network is infected with a bot, right? There are 35 machines on the network, so any advice on how to proceed?

1 list said the IP was added last night at 7:30PM.

Some people VPN into the office (they have laptops, so they don't have a machine in the office to connect with RWW). If they are using their home machine to connect, and that home machine is infected, checking the office machines won't turn this up, and how quickly does something get added to the RBLs? A connection at 7PM would be to blame?

Another question: how do we have Exchange use the RBLs to help cut down spam coming into our machine?

thanks!
0
Question by:babaganoosh
10 Comments
 
LVL 6

Accepted Solution

by:
DewFreak earned 400 total points
ID: 22730728
First I would implement a firewall filter that will only allow outbound mail to come from your mail server. Basically, shut down port 25 outbound from your network except from your mail server. This should stop rogue trojans unless they are relaying via your Exchange server. Using your firewall may help you find which host is infected. Do you have any monitoring tools with your firewall?
0
 
LVL 18

Assisted Solution

by:flyingsky
flyingsky earned 1600 total points
ID: 22730751
If your IP is blacklisted, it usually means somebody internal is trying to send out spam emails. To find out who, I would start with the "relay" setting first; make sure your Exchange is not used as an open relay.
To answer your question about how you can use RBLs, that depends on what anti-spam you are using. It's usually the anti-spam software that uses the RBL.
0
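How a receiving server (or anti-spam software) actually consults an RBL, as an added example that is not part of the thread: the sender's IPv4 octets are reversed and prefixed to the list's DNS zone, and an A-record answer means "listed" while NXDOMAIN means "not listed". The zone name `rbl.example` and the listed/unlisted answers are constructed placeholders; the `resolve` parameter exists so the lookup can be run offline against them.

```python
import socket

def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the list's zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """Return the answer record (lists usually reply 127.0.0.x) or None if not listed.
    Lists signal 'listed' by answering the query; NXDOMAIN means not listed."""
    try:
        return resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None

# Constructed stand-in for a real list so the example runs offline: the thread's
# public IP 74.94.39.2 is "listed" under the placeholder zone rbl.example.
FAKE_ANSWERS = {"2.39.94.74.rbl.example": "127.0.0.2"}

def fake_resolve(name):
    """Pretend DNS resolver: answer for known names, NXDOMAIN-style error otherwise."""
    if name in FAKE_ANSWERS:
        return FAKE_ANSWERS[name]
    raise socket.gaierror(-2, "Name or service not known")

if __name__ == "__main__":
    for ip in ("74.94.39.2", "192.0.2.1"):
        print(ip, "->", is_listed(ip, "rbl.example", fake_resolve))
```

Replace `fake_resolve` with the default resolver and a real list's zone to check your own address; recipients that query a different list than the one that added you will not reject your mail, which is why the rejections can lag the listing time.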
 

Author Comment

by:babaganoosh
ID: 22730772
I'm trying to learn how to have avoided this, so any tips along that route would be appreciated.

Don't allow VPN? (Any way to make sure connecting machines are clean?)

The RBL said it was added at 7PM GMT, which would be about 1PM eastern time, but people didn't have problems till this AM. The domains we are sending to are not using that specific RBL?

How long does it take to fall off these lists / how long will we not be able to send out mail? Is there a workaround?

thanks!
0
 

Author Comment

by:babaganoosh
ID: 22730802
I just realized: this IP address comes into a router and is shared with other tenants in the building, so it could be any machine on the network (our network or another in the building!?).

We have VERY rudimentary routers. How can we sniff the main line going out for spam?
0
 
LVL 18

Assisted Solution

by:flyingsky
flyingsky earned 1600 total points
ID: 22730866
Different RBLs have different rules. You need to check with them.
If you and the other tenants of that building are sharing the same public IP, then you will have no idea who really is the spammer unless you also have admin access to their Exchange server. (By the way, this is a really BAD setting; why do you do that?)
0
 

Author Comment

by:babaganoosh
ID: 22731315
Why did we do it? The owner thought it'd be a good marketing feature to include. I think electric is included (each tenant is not metered). Same thing with web: it's a utility / needed feature? One less thing a tenant needs to deal with when moving in? Again, like electric, it's already working.

Going forward, maybe that'll have to change. But for now, the owner / my boss's business is the only one with SBS standard with Exchange. We have Trend 3.6 on the server and our machines. Don't know what internet security the other tenants have (way too small to have Exchange, I do know that).

So the static IP feed comes out of the Comcast modem, into a Linksys router, to share to the tenants and us (192.168.1.0/24). Then, to keep tenants from getting into our network, we have a Netgear firewall router.

I can get another IP address for the tenants, I guess? Then 2 routers connected to a switch connected to the modem? Each router would have a static IP on the WAN?

So let's say we do that: get the non-SBS users off our IP. Then what? How to troubleshoot this on JUST an SBS network?
0
 
LVL 18

Assisted Solution

by:flyingsky
flyingsky earned 1600 total points
ID: 22731658
"How to troubleshoot this on JUST an SBS network."
Well, as I suggested, the first step is to make sure your Exchange is not used for open relay.
0
 

Author Comment

by:babaganoosh
ID: 22732665
Based on this doc:

http://www.amset.info/exchange/spam-cleanup.asp

it is not set as a relay. I did turn on the diagnostic logging.

I checked Trend's control panel and the machines it knows about look OK (online, virus defs are current, etc.).

Looking at the DHCP server, there are no machines that are not on the Trend list (we only have 30 or so machines). Is there an easier way to see that only protected machines are on the network? Someone bringing in their own PC would get a DHCP address but might not have Trend on it.

Any advice on next steps?
0
 
LVL 18

Assisted Solution

by:flyingsky
flyingsky earned 1600 total points
ID: 22733736
Check your queues in Exchange. Does anything look weird?
0
 

Author Comment

by:babaganoosh
ID: 22737367
No. I'm thinking: how do you track down a bot-infected PC without going to each one? A packet sniffer app on the SBS to see all traffic going through the SBS to the WAN?
0
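The accepted answer's point (only the mail server should ever open outbound TCP/25, and the firewall can show who else is trying) and the asker's last question (finding the bot without visiting every PC) can be answered with the same data: a log of forwarded connections from whatever sits between the LAN and the modem. The following is an added example, not code from the thread; it assumes an iptables/syslog-style log format (adjust the regex for your router), that the Exchange server's internal address is 192.168.1.10 (not stated in the thread), and uses constructed log lines in the documentation address ranges.

```python
import re
from collections import defaultdict

# Assumed internal address of the SBS/Exchange server (not stated in the thread).
MAIL_SERVER = "192.168.1.10"
# Distinct external mail servers a non-mail host may contact before it is flagged.
THRESHOLD = 3

# iptables/netfilter-style forward log line; constructed format, adjust for your router.
LINE_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s+DST=(?P<dst>\d+\.\d+\.\d+\.\d+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+)"
)

def outbound_smtp_by_host(log_lines):
    """Map each internal source IP to the set of external hosts it reached on TCP/25."""
    dests = defaultdict(set)
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m or m.group("dpt") != "25":
            continue
        src, dst = m.group("src"), m.group("dst")
        # Skip LAN-internal SMTP, e.g. Outlook clients talking to Exchange itself.
        if dst.startswith("192.168."):
            continue
        dests[src].add(dst)
    return dests

def suspect_hosts(log_lines):
    """Hosts other than the mail server that reached THRESHOLD+ external SMTP servers directly."""
    dests = outbound_smtp_by_host(log_lines)
    suspects = [(src, len(d)) for src, d in dests.items()
                if src != MAIL_SERVER and len(d) >= THRESHOLD]
    return sorted(suspects, key=lambda t: (-t[1], t[0]))

# Constructed sample log lines (not from the thread): the mail server sending normally,
# one workstation fanning out to many mail servers, and one workstation behaving normally.
SAMPLE_LOG = [
    "Oct 16 19:30:01 fw kernel: FWD SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=41001 DPT=25",
    "Oct 16 19:30:02 fw kernel: FWD SRC=192.168.1.10 DST=198.51.100.9 PROTO=TCP SPT=41002 DPT=25",
    "Oct 16 19:30:03 fw kernel: FWD SRC=192.168.1.23 DST=203.0.113.7 PROTO=TCP SPT=1025 DPT=25",
    "Oct 16 19:30:03 fw kernel: FWD SRC=192.168.1.23 DST=198.51.100.20 PROTO=TCP SPT=1026 DPT=25",
    "Oct 16 19:30:04 fw kernel: FWD SRC=192.168.1.23 DST=192.0.2.44 PROTO=TCP SPT=1027 DPT=25",
    "Oct 16 19:30:04 fw kernel: FWD SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=1028 DPT=25",
    "Oct 16 19:30:05 fw kernel: FWD SRC=192.168.1.40 DST=192.168.1.10 PROTO=TCP SPT=3001 DPT=25",
    "Oct 16 19:30:06 fw kernel: FWD SRC=192.168.1.40 DST=203.0.113.5 PROTO=TCP SPT=3002 DPT=80",
]

if __name__ == "__main__":
    for host, n in suspect_hosts(SAMPLE_LOG):
        print(f"{host}: {n} distinct external SMTP destinations")
```

While the tenants still share the one public IP, the log has to come from the Linksys in front of everyone (or a mirror port there), since the Netgear only sees the SBS side; once the egress rule from the accepted answer is in place, the same log shows the infected host as a stream of blocked TCP/25 attempts.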
