Solved

Using SBS 2003 R2 standard, we are on an RBL, now what?

Posted on 2008-10-16
Last Modified: 2012-05-05
People are getting messages when they try to send out through our Exchange server that's part of our SBS 2003 R2 standard network (with 2 nics).

            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <exchange.ourdomain.com #5.5.0 smtp;550-"JunkMail rejected - (exchange.ourdomain.com) [74.94.39.2]:37448 is in an>

checking mxtoolbox.com, it says we are on some black lists.

that likely means a machine on the network is infected with a bot, right?  there's 35 machines on the network, so any advice on how to proceed?

1 list said the IP was added last night at 7:30PM.

Some people VPN into the office (they have laptops, so they don't have a machine in the office to connect with RWW).   If they are using their home machine to connect, and that home machine is infected,  checking the office machines won't turn this up and how quick does something get added to the RBLs?  A connection at 7PM would be to blame?

another question - how do we have exchange use the RBLs to help cut down spam coming into our machine?

thanks!
Question by:babaganoosh
10 Comments
 
LVL 6

Accepted Solution

by:
DewFreak earned 100 total points
ID: 22730728
First I would implement a firewall filter that will only allow outbound mail to come from your mail server.  Basically shut down port 25 outbound from your network except from your mail server.  This should stop rogue trojans unless they are relaying via your Exchange server.  Using your firewall may help you find which host is infected.  Do you have any monitoring tools with your firewall?
 
LVL 18

Assisted Solution

by:flyingsky
flyingsky earned 400 total points
ID: 22730751
If your IP is blacklisted, it usually means somebody internal is trying to send out spam emails. To find out who, I would start with the "relay" setting first; make sure your Exchange is not used as an open relay.
To answer your question about how you can use RBLs, that depends on what anti-spam software you are using. It's usually the anti-spam software that uses the RBL.
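How the RBL check itself works, as an added example that is not part of the original thread: anti-spam software reverses the connecting IP's octets, appends the list's DNS zone and looks the name up; an answer in 127.0.0.0/8 means listed, NXDOMAIN means not listed. The zone names and the `fake_resolver` stand-in are placeholders constructed for illustration; the IP is the one from the bounce message in the question.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")  # DNSBL answers live here

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's DNS zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")

def check_dnsbl(ip, zones, resolve=socket.gethostbyname):
    """Return {zone: 'not listed' | 'listed (<code>)' | 'error: ...'}."""
    results = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except socket.gaierror as exc:
            # NXDOMAIN is the "not listed" answer. A timeout or server failure
            # is neither clean nor listed, so report it separately.
            nx = exc.args[0] == socket.EAI_NONAME
            results[zone] = "not listed" if nx else "error: lookup failed"
            continue
        if ipaddress.IPv4Address(answer) in LISTED_RANGE:
            results[zone] = "listed (%s)" % answer
        else:
            # e.g. a resolver that rewrites NXDOMAIN to a search page
            results[zone] = "error: unexpected answer %s" % answer
    return results

def fake_resolver(name):
    """Constructed stand-in for DNS so the example runs offline."""
    table = {"2.39.94.74.dnsbl.example.org": "127.0.0.2",
             "2.39.94.74.hijacked.example.net": "203.0.113.10"}
    if name.endswith("timeout.example.com"):
        raise socket.gaierror(socket.EAI_AGAIN, "temporary failure")
    if name not in table:
        raise socket.gaierror(socket.EAI_NONAME, "name not known")
    return table[name]

if __name__ == "__main__":
    zones = ["dnsbl.example.org", "clean.example.org",
             "hijacked.example.net", "timeout.example.com"]
    for zone, status in check_dnsbl("74.94.39.2", zones, fake_resolver).items():
        print(zone, "->", status)
```

Dropping the `fake_resolver` argument makes the same function query real DNS for whichever list zones you pass in.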
 

Author Comment

by:babaganoosh
ID: 22730772
I'm trying to learn how to have avoided this, so any tips along that route would be appreciated.

don't allow VPN (any way to make sure connecting machines are clean?)

the RBL said it was added at 7PM GMT, which would be about 1PM eastern time.  but people didn't have problems till this AM.  the domains we are sending to are not using that specific RBL?

how long does it take to fall off these lists / how long will we not be able to send out mail?  is there a work around?

thanks!
 

Author Comment

by:babaganoosh
ID: 22730802
I just realized.  this IP address comes into a router and is shared with other tenants in the building.  so it could be any machine on the network (our network or another in the building!?)

We have VERY rudimentary routers.  how can we sniff the main line going out for spam?
 
LVL 18

Assisted Solution

by:flyingsky
flyingsky earned 400 total points
ID: 22730866
Different RBLs have different rules. You need to check with them.
If you and the other tenants of that building are sharing the same public IP, then you will have no idea who really is the spammer unless you also have admin access to their exchange server. (by the way, this is a really BAD setting, why do you do that?)

 

Author Comment

by:babaganoosh
ID: 22731315
why did we do it?  The owner thought it'd be a good marketing feature to include - I think electric is included (each tenant is not metered).  same thing with web - it's a utility / needed feature?  1 less thing a tenant needs to deal with when moving in?  again, like electric - it's already working.

Going forward, maybe that'll have to change.  but for now, the owner / my boss's business is the only 1 with the sbs standard with Exchange.  we have trend 3.6 on the server and our machines.  don't know what internet security the other tenants have (way too small to have exchange, I do know that).

so the static IP feed comes out of the comcast modem, into a linksys router, to share to the tenants and us  (192.168.1.0/24) .  then to keep tenants from getting into our network, we have a netgear firewall router.

I can get another IP address for the tenants, I guess?  then 2 routers connected to a switch connected to the modem?  Each router would have a static IP on the wan?

so let's say we do that - get the non sbs users off our IP.  Then what?  How to troubleshoot this on JUST an SBS network.
 
LVL 18

Assisted Solution

by:flyingsky
flyingsky earned 400 total points
ID: 22731658
"How to troubleshoot this on JUST an SBS network. "
well, as I suggested, the first step is to make sure your Exchange is not used for open relay.
 

Author Comment

by:babaganoosh
ID: 22732665
Based on this doc:

http://www.amset.info/exchange/spam-cleanup.asp

it is not set as a relay.  I did turn on the diagnostic logging.

I checked trend's control panel and the machines it knows about look OK (online, virus defs. are current, etc).

Looking at DHCP server, there's no machines that are not on the trend list (we only have 30 or so machines). Is there an easier way to see that only protected machines are on the network?  Someone bringing in their own PC would get a DHCP address but might not have trend on it.

any advice on next steps?
 
LVL 18

Assisted Solution

by:flyingsky
flyingsky earned 400 total points
ID: 22733736
Check your queues in Exchange. Anything look weird?
 

Author Comment

by:babaganoosh
ID: 22737367
no.  I'm thinking how do you track down a bot infected PC without going to each one?  A packet sniffer app on the SBS to see all traffic going through the sbs to the wan?
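One way to act on the firewall-log suggestion in the accepted answer and on the closing question about finding the infected PC without visiting each one, as an added example that is not part of the original thread. The log format, the sample lines and the mail server address 192.168.1.10 are constructed assumptions; only the 192.168.1.0/24 range comes from the thread.

```python
import ipaddress
import re
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")        # LAN range from the thread
MAIL_SERVER = ipaddress.ip_address("192.168.1.10")  # assumed Exchange address
LINE = re.compile(r"(?P<ts>\S+) \w+ proto=(?P<proto>\w+) src=(?P<src>\S+) "
                  r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def rogue_smtp_senders(lines, min_destinations=3):
    """List LAN hosts, other than the mail server, that opened outbound
    TCP/25 connections to at least min_destinations distinct addresses."""
    hosts = defaultdict(lambda: {"times": [], "dsts": set()})
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["proto"].upper() != "TCP" or m["dport"] != "25":
            continue                      # malformed line or not SMTP
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue
        if src not in LAN or dst in LAN or src == MAIL_SERVER:
            continue                      # only LAN -> Internet, not Exchange
        hosts[src]["times"].append(m["ts"])
        hosts[src]["dsts"].add(dst)
    return [{"host": str(src), "connections": len(h["times"]),
             "destinations": len(h["dsts"]),
             "first_seen": min(h["times"]), "last_seen": max(h["times"])}
            for src, h in sorted(hosts.items())
            if len(h["dsts"]) >= min_destinations]

# Constructed sample log; a real firewall's format will differ.
SAMPLE_LOG = """\
2008-10-15T18:55:02 ACCEPT proto=TCP src=192.168.1.10 dst=198.51.100.7 dport=25
2008-10-15T19:02:11 ACCEPT proto=TCP src=192.168.1.23 dst=203.0.113.5 dport=25
2008-10-15T19:02:12 ACCEPT proto=TCP src=192.168.1.23 dst=203.0.113.77 dport=25
2008-10-15T19:02:12 ACCEPT proto=TCP src=192.168.1.40 dst=198.51.100.25 dport=25
2008-10-15T19:02:14 ACCEPT proto=TCP src=192.168.1.23 dst=198.51.100.90 dport=25
2008-10-15T19:02:15 ACCEPT proto=TCP src=192.168.1.23 dst=203.0.113.5 dport=25
2008-10-15T19:03:00 ACCEPT proto=TCP src=192.168.1.31 dst=203.0.113.80 dport=80
garbled line
""".splitlines()

if __name__ == "__main__":
    for row in rogue_smtp_senders(SAMPLE_LOG):
        print(row)
```

The report keys on distinct destinations because a desktop mail client pointed at one ISP relay shows a single SMTP destination, while a spam bot contacts many different mail servers. Mail relayed through Exchange itself does not appear here, which is why the queue and relay checks in the thread still apply.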


Question has a verified solution.
