Solved

Using SBS 2003 R2 standard, we are on an RBL, now what?

Posted on 2008-10-16
Last Modified: 2012-05-05
People are getting messages when they try to send out through our Exchange server that's part of our SBS 2003 R2 standard network (with 2 nics).

            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
            <exchange.ourdomain.com #5.5.0 smtp;550-"JunkMail rejected - (exchange.ourdomain.com) [74.94.39.2]:37448 is in an>

Checking mxtoolbox.com, it says we are on some black lists.

That likely means a machine on the network is infected with a bot, right?  There are 35 machines on the network, so any advice on how to proceed?

1 list said the IP was added last night at 7:30PM.

Some people VPN into the office (they have laptops, so they don't have a machine in the office to connect with RWW).   If they are using their home machine to connect, and that home machine is infected, checking the office machines won't turn this up, and how quickly does something get added to the RBLs?  A connection at 7PM would be to blame?

Another question - how do we have Exchange use the RBLs to help cut down spam coming into our machine?

thanks!
Question by: babaganoosh

Accepted Solution

by: DewFreak (earned 100 total points)
ID: 22730728
First I would implement a firewall filter that will only allow outbound mail to come from your mail server.  Basically shut down port 25 outbound from your network except from your mail server.  This should stop rogue trojans unless they are relaying via your Exchange server.  Using your firewall may help you find which host is infected.  Do you have any monitoring tools with your firewall?
 

Assisted Solution

by: flyingsky (earned 400 total points)
ID: 22730751
If your IP is blacklisted, it usually means somebody internal is trying to send out spam emails. To find out who, I would start with the "relay" settings first; make sure your Exchange is not used as an open relay.
To answer your question about how you can use RBLs, that depends on what anti-spam you are using. It's usually the anti-spam software that uses the RBL.
 

Author Comment

by: babaganoosh
ID: 22730772
I'm trying to learn how to have avoided this, so any tips along that route would be appreciated.

Don't allow VPN (any way to make sure connecting machines are clean?)

The RBL said it was added at 7PM GMT, which would be about 1PM eastern time.  But people didn't have problems till this AM.  The domains we are sending to are not using that specific RBL?

How long does it take to fall off these lists / how long will we not be able to send out mail?  Is there a work around?

thanks!
 

Author Comment

by: babaganoosh
ID: 22730802
I just realized.  This IP address comes into a router and is shared with other tenants in the building.  So it could be any machine on the network (our network or another in the building!?)

We have VERY rudimentary routers.  How can we sniff the main line going out for spam?
 

Assisted Solution

by: flyingsky (earned 400 total points)
ID: 22730866
Different RBLs have different rules. You need to check with them.
If you and the other tenants of that building are sharing the same public IP, then you will have no idea who really is the spammer unless you also have admin access to their Exchange server. (By the way, this is a really BAD setting; why do you do that?)
 

Author Comment

by: babaganoosh
ID: 22731315
Why did we do it?  The owner thought it'd be a good marketing feature to include - I think electric is included (each tenant is not metered).  Same thing with web - it's a utility / needed feature?  One less thing a tenant needs to deal with when moving in?  Again, like electric - it's already working.

Going forward, maybe that'll have to change.  But for now, the owner / my boss's business is the only one with SBS standard with Exchange.  We have Trend 3.6 on the server and our machines.  Don't know what internet security the other tenants have (way too small to have Exchange, I do know that).

So the static IP feed comes out of the Comcast modem, into a Linksys router, to share to the tenants and us (192.168.1.0/24).  Then to keep tenants from getting into our network, we have a Netgear firewall router.

I can get another IP address for the tenants, I guess?  Then 2 routers connected to a switch connected to the modem?  Each router would have a static IP on the WAN?

So let's say we do that - get the non-SBS users off our IP.  Then what?  How to troubleshoot this on JUST an SBS network?
 

Assisted Solution

by: flyingsky (earned 400 total points)
ID: 22731658
"How to troubleshoot this on JUST an SBS network."
Well, as I suggested, the first step is to make sure your Exchange is not used for open relay.
 

Author Comment

by: babaganoosh
ID: 22732665
Based on this doc:

http://www.amset.info/exchange/spam-cleanup.asp

It is not set as a relay.  I did turn on the diagnostic logging.

I checked Trend's control panel and the machines it knows about look OK (online, virus defs are current, etc).

Looking at the DHCP server, there are no machines that are not on the Trend list (we only have 30 or so machines).  Is there an easier way to see that only protected machines are on the network?  Someone bringing in their own PC would get a DHCP address but might not have Trend on it.

Any advice on next steps?
 

Assisted Solution

by: flyingsky (earned 400 total points)
ID: 22733736
Check your queues in Exchange. Anything look weird?
 

Author Comment

by: babaganoosh
ID: 22737367
No.  I'm thinking, how do you track down a bot-infected PC without going to each one?  A packet sniffer app on the SBS to see all traffic going through the SBS to the WAN?
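DewFreak's accepted answer notes that the firewall can reveal which host is infected, and the last comment asks how to find a bot-infected PC without visiting each machine. The following added example (not from this thread or from any of the products mentioned) is a Python script that scans connection-log lines in an assumed, simplified firewall format and reports every internal host, other than an assumed mail-server address, that opens outbound TCP/25 connections on its own; the sample log lines are constructed. Once port 25 outbound is blocked for everything but the mail server, the same logic over the DENY lines points straight at the machine that needs cleaning.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in an assumed, simplified firewall format:
# "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>". Not real data.
SAMPLE_LOG = """\
2008-10-15 13:01:02 ALLOW TCP 192.168.1.10:3211 -> 203.0.113.10:25
2008-10-15 13:01:09 ALLOW TCP 192.168.1.57:1031 -> 203.0.113.10:25
2008-10-15 13:01:10 ALLOW TCP 192.168.1.57:1032 -> 203.0.113.20:25
2008-10-15 13:01:10 ALLOW TCP 192.168.1.57:1033 -> 203.0.113.30:25
2008-10-15 13:01:11 ALLOW TCP 192.168.1.57:1034 -> 198.51.100.5:25
2008-10-15 13:01:11 ALLOW TCP 192.168.1.57:1035 -> 198.51.100.6:25
2008-10-15 13:01:12 ALLOW TCP 192.168.1.57:1036 -> 198.51.100.7:25
2008-10-15 13:02:40 ALLOW TCP 192.168.1.10:3212 -> 203.0.113.20:25
2008-10-15 13:03:15 ALLOW TCP 192.168.1.23:2200 -> 198.51.100.9:25
2008-10-15 13:03:30 ALLOW TCP 192.168.1.23:2201 -> 198.51.100.9:80
2008-10-15 13:04:00 ALLOW TCP 192.168.1.10:3213 -> 203.0.113.30:25
"""

MAIL_SERVER = "192.168.1.10"  # assumed internal address of the SBS/Exchange server

# Matches only TCP connections whose destination port is 25 (SMTP).
LINE_RE = re.compile(
    r"^(\S+ \S+) (ALLOW|DENY) TCP (\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(\d{1,3}(?:\.\d{1,3}){3}):25$"
)

def parse_smtp_connections(log_text):
    """Return a list of (timestamp, src_ip, dst_ip) for each outbound TCP/25 attempt."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m.group(1), m.group(3), m.group(4)))
    return found

def suspicious_smtp_hosts(log_text, mail_server=MAIL_SERVER, threshold=5):
    """Internal hosts other than the mail server with >= threshold outbound SMTP
    attempts, as {src_ip: (attempt_count, distinct_destination_count)}. A spam bot
    talks to many MX hosts directly; a workstation on an Exchange network should
    send through the server and open none."""
    attempts = Counter()
    destinations = defaultdict(set)
    for _, src, dst in parse_smtp_connections(log_text):
        if src == mail_server:
            continue  # the Exchange server is expected to talk SMTP outbound
        attempts[src] += 1
        destinations[src].add(dst)
    return {src: (n, len(destinations[src]))
            for src, n in attempts.items() if n >= threshold}
```

Running `suspicious_smtp_hosts(SAMPLE_LOG)` on the constructed log flags 192.168.1.57 (six direct SMTP connections to six different servers) and ignores the single connection from 192.168.1.23, which is below the threshold.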