Solved

Using SBS 2003 R2 standard, we are on an RBL, now what?

Posted on 2008-10-16
Last Modified: 2012-05-05
People are getting messages when they try to send out through our Exchange server that's part of our SBS 2003 R2 standard network (with 2 nics).

            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <exchange.ourdomain.com #5.5.0 smtp;550-"JunkMail rejected - (exchange.ourdomain.com) [74.94.39.2]:37448 is in an>

checking mxtoolbox.com, it says we are on some black lists.

that likely means a machine on the network is infected with a bot, right?  there's 35 machines on the network, so any advice on how to proceed?

1 list said the IP was added last night at 7:30PM.

Some people VPN into the office (they have laptops, so they don't have a machine in the office to connect with RWW).   If they are using their home machine to connect, and that home machine is infected,  checking the office machines won't turn this up and how quick does something get added to the RBLs?  A connection at 7PM would be to blame?

another question - how do we have exchange use the RBLs to help cut down spam coming into our machine?

thanks!
Question by:babaganoosh
 
LVL 6

Accepted Solution

by:
DewFreak earned 100 total points
First I would implement a firewall filter that will only allow outbound mail to come from your mail server.  Basically shut down port 25 outbound from your network except from your mail server.  This should stop rogue trojans unless they are relaying via your exchange server.  Using your firewall may help you find which host is infected.  Do you have any monitoring tools with your firewall?
0
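A sketch of how firewall logs can single out the infected host once port 25 is restricted to the mail server, as the answer above suggests (added example, not part of the original thread). The log layout, the 10.0.0.x addresses and the mail server address are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed log layout: "<date> <time> <ACTION> TCP <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(
    r"^\S+ \S+ (?P<action>\w+) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

MAIL_SERVER = "10.0.0.2"  # assumed LAN address of the Exchange server

# Constructed sample lines, not taken from any real firewall.
SAMPLE_LOG = """\
2008-10-15 19:01:02 ALLOW TCP 10.0.0.2:2041 -> 203.0.113.10:25
2008-10-15 19:01:05 ALLOW TCP 10.0.0.37:1188 -> 198.51.100.7:25
2008-10-15 19:01:05 ALLOW TCP 10.0.0.37:1189 -> 198.51.100.8:25
2008-10-15 19:01:06 ALLOW TCP 10.0.0.37:1190 -> 203.0.113.44:25
2008-10-15 19:01:09 ALLOW TCP 10.0.0.12:3301 -> 192.0.2.80:80
2008-10-15 19:01:11 DENY TCP 10.0.0.21:4410 -> 198.51.100.7:25
garbled line that should be skipped
"""

def rogue_smtp_sources(log_text, mail_server=MAIL_SERVER):
    """Return {src_ip: {"attempts": n, "destinations": set}} for every host
    other than the mail server that tried to reach TCP/25, allowed or denied."""
    hits = defaultdict(lambda: {"attempts": 0, "destinations": set()})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["dport"] != "25" or m["src"] == mail_server:
            continue
        hits[m["src"]]["attempts"] += 1
        hits[m["src"]]["destinations"].add(m["dst"])
    return dict(hits)

def report(hits):
    """Hosts ordered by number of distinct destination mail servers, the
    pattern a spam bot produces and a normal workstation does not."""
    return sorted(hits, key=lambda ip: len(hits[ip]["destinations"]), reverse=True)

if __name__ == "__main__":
    found = rogue_smtp_sources(SAMPLE_LOG)
    for ip in report(found):
        print(ip, found[ip]["attempts"], sorted(found[ip]["destinations"]))
```

Denied attempts are counted as well: after the outbound block is in place, the hosts that keep hitting the deny rule on port 25 are the ones to inspect.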
 
LVL 18

Assisted Solution

by:flyingsky
flyingsky earned 400 total points
If your IP is blacklisted, it usually means somebody internal is trying to send out spam emails. To find out who, I would start with the setting of "relay" first, make sure your exchange is not used as an open relay.
To answer your question about how you can use RBL, that depends on what anti-spam you are using. It's usually the anti-spam software that uses the RBL.
0
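What an RBL check does under the hood, whether it is run by a lookup site against your own address or by anti-spam software against each connecting server (added example, not part of the original thread). The zone names and the stand-in resolver are constructed placeholders; the IP is the one quoted in the bounce message above.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's DNS zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def check_dnsbl(ip, zones, resolve=socket.gethostbyname):
    """Return {zone: return_code or None}; None means not listed."""
    results = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except OSError:  # NXDOMAIN surfaces as socket.gaierror, an OSError
            results[zone] = None
            continue
        # Lists answer inside 127.0.0.0/8; anything else is a resolver
        # rewriting NXDOMAIN and must not be read as a listing.
        results[zone] = answer if answer.startswith("127.") else None
    return results

# Constructed stand-in for DNS so the example runs offline.
ZONES = ["bl.example.net", "other.example.org", "hijacked.example.com"]
FAKE_DNS = {
    "2.39.94.74.bl.example.net": "127.0.0.2",
    "2.39.94.74.hijacked.example.com": "203.0.113.1",
}

def fake_resolve(name):
    if name not in FAKE_DNS:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return FAKE_DNS[name]

if __name__ == "__main__":
    for zone, code in check_dnsbl("74.94.39.2", ZONES, fake_resolve).items():
        print(zone, "LISTED " + code if code else "not listed")
```

With the default resolver the same function queries real lists; each list documents its own zone name and the meaning of its return codes.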
 

Author Comment

by:babaganoosh
I'm trying to learn how to have avoided this so any tips along that route, would be appreciated.

don't allow VPN (any way to make sure connecting machines are clean)?

the RBL said it was added at 7PM GMT, which would be about 1PM eastern time.  but people didn't have problems till this AM.  the domains we are sending to are not using that specific RBL?

how long does it take to fall off these lists / how long will we not be able to send out mail?  is there a work around?

thanks!
0
 

Author Comment

by:babaganoosh
I just realized.  this IP address comes into a router and is shared with other tenants in the building.  so it could be any machine on the network (our network or another in the building!?)

We have VERY rudimentary routers.  how can we sniff the main line going out for spam?
0
 
LVL 18

Assisted Solution

by:flyingsky
flyingsky earned 400 total points
Different RBLs have different rules. You need to check with them.
If you and the other tenant of that building are sharing the same public IP, then you will have no idea who really is the spammer unless you also have admin access to their exchange server. (by the way, this is a really BAD setting, why do you do that?)
0
 

Author Comment

by:babaganoosh
why did we do it?  The owner thought it'd be a good marketing feature to include - I think electric is included (each tenant is not metered).  same thing with web - it's a utility / needed feature?  1 less thing a tenant needs to deal with when moving in?  again, like electric - it's already working.

Going forward, maybe that'll have to change.  but for now, the owner / my boss's business is the only 1 with the sbs standard with Exchange.  we have trend 3.6 on the server and our machines.  don't know what internet security the other tenants have (way too small to have exchange, I do know that).

so the static IP feed comes out of the comcast modem, into a linksys router, to share to the tenants and us (192.168.1.0/24).  then to keep tenants from getting into our network, we have a netgear firewall router.

I can get another IP address for the tenants, I guess?  then 2 routers connected to a switch connected to the modem?  Each router would have a static IP on the wan?

so let's say we do that - get the non sbs users off our IP.  Then what?  How to troubleshoot this on JUST an SBS network.
0
 
LVL 18

Assisted Solution

by:flyingsky
flyingsky earned 400 total points
"How to troubleshoot this on JUST an SBS network."
Well, as I suggested, the first step is to make sure your Exchange is not used as an open relay.
0
 

Author Comment

by:babaganoosh
Based on this doc:

http://www.amset.info/exchange/spam-cleanup.asp

it is not set as a relay.  I did turn on the diagnostic logging.

I checked trend's control panel and the machines it knows about look OK (online, virus defs. are current, etc).

Looking at DHCP server, there's no machines that are not on the trend list (we only have 30 or so machines). is there an easier way to see that only protected machines are on the network?  Someone bringing in their own PC would get a DHCP address but might not have trend on it.

any advice on next steps?
0
 
LVL 18

Assisted Solution

by:flyingsky
flyingsky earned 400 total points
Check your queues in Exchange. Does anything look weird?
0
 

Author Comment

by:babaganoosh
no.  I'm thinking how do you track down a bot infected PC without going to each one?  A packet sniffer app on the SBS to see all traffic going through the sbs to the wan?
0
