Solved

We've been blacklisted--trying to figure out if our server is a spam relay

Posted on 2008-11-17
Last Modified: 2013-11-30
Hello,

We are having the exact same problem as in this thread:

http://www.experts-exchange.com/Networking/Protocols/Application_Protocols/Email/SMTP/Q_23677451.html?sfQueryTermInfo=1+%22sbl+xbl.spamhaus.org%22+block

I am going through the steps provided and am getting stuck trying to telnet to our mail server.  I cannot telnet to the FQDN, only to the IP address.

I do the following:



C:\WINDOWS>nslookup
Default Server:  dcserver3.ic.internal
Address:  192.168.37.10

> set type=mx
> independencecenter.org
Server:  dcserver3.ic.internal
Address:  192.168.37.10

Non-authoritative answer:
independencecenter.org  MX preference = 20, mail exchanger = mail2.independencecenter.org
independencecenter.org  MX preference = 10, mail exchanger = barracuda.independencecenter.org

mail2.independencecenter.org    internet address = 74.223.82.114
barracuda.independencecenter.org        internet address = 74.223.82.114


I telnet to independencecenter.org 25 and it just hangs, then goes back to a windows prompt.
I telnet to the ip and get the following:
220 dcserver1.independencecenter.org ESMTP Service (Lotus Domino Release 7.0.2) ready at Mon, 17 Nov 2008 11:57:15 -0600

However, it won't respond to anything I type.  Can anyone tell me what's going on?

Also, how can I block port 25 outgoing on our sonicwall PRO 2040 Standard?

Thanks for any assistance,

Maureen
Question by:maureen99

12 Comments
LVL 43

Expert Comment

by:ravenpl
ID: 22977860
Use http://www.kloth.net/services/dnsbl.php and similar; indeed, you are listed.
Use http://spamlinks.net/prevent-secure-relay-test.htm to test for simple open relays.
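The lookup that multi-list pages like the one above perform, as an added example (not code from the thread or from kloth.net): reverse the IPv4 octets, resolve `<reversed>.zen.spamhaus.org`, and read the listing reason out of the 127.0.0.x answer. The return-code table is Spamhaus ZEN's; the CBL lookup ravenpl links later in the thread is the XBL component of that zone, so an XBL code means a compromised machine was seen sending spam, not that the server is an open relay. The IP is the one from the question; the injectable `resolve` parameter is an assumption added so the logic can be exercised without a live query.

```python
"""DNSBL lookup: reverse the IPv4 octets, prepend them to the list zone, resolve,
and read the verdict out of the 127.0.0.x answer. Added example, not from the thread."""
import ipaddress
import socket

# Spamhaus ZEN return codes (last octet of the 127.0.0.x answer). Other lists publish
# their own tables. CBL (cbl.abuseat.org) feeds the XBL component, so an XBL hit means a
# compromised host was seen sending, not an open relay.
ZEN_CODES = {
    2: "SBL: direct spam source",
    3: "SBL CSS: snowshoe / compromised host",
    4: "XBL (CBL): exploited host, bot or proxy",
    5: "XBL", 6: "XBL", 7: "XBL",
    10: "PBL: ISP policy says this range should not send direct to MX",
    11: "PBL: Spamhaus-maintained policy entry",
}


def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """'74.223.82.114' -> '114.82.223.74.zen.spamhaus.org'."""
    addr = ipaddress.IPv4Address(ip)               # rejects IPv6 and junk input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret(answer):
    """Turn an A-record answer into (listed, reason). listed is None when the answer
    is an error code (127.255.255.x) rather than a listing."""
    a = ipaddress.IPv4Address(answer)
    if a in ipaddress.IPv4Network("127.255.255.0/24"):
        return None, "query refused (%s: public resolver, malformed query or rate limit)" % a
    if a in ipaddress.IPv4Network("127.0.0.0/24"):
        code = int(a) & 0xFF
        return True, ZEN_CODES.get(code, "listed with unknown code %d" % code)
    return None, "unexpected answer %s" % a


def check(ip, zone="zen.spamhaus.org", resolve=socket.gethostbyname):
    """Live lookup. NXDOMAIN (socket.gaierror) means not listed. `resolve` is
    injectable (an assumption for this example) so the logic runs without network."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return False, "not listed"
    return interpret(answer)


if __name__ == "__main__":
    # A real query needs a non-public resolver; Spamhaus answers open resolvers with an error code.
    print(dnsbl_name("74.223.82.114"))
    print(check("74.223.82.114"))
```

Query the ZEN zone from the organisation's own resolver, not a public one, or the answer will be an error code rather than a listing; and check `cbl.abuseat.org` or the XBL code specifically, because that is the list that says "one of your machines is infected" as opposed to "your server relays".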
Author Comment

by:maureen99
ID: 22979595
I did manage to telnet in and got the following, I hope someone can tell me what this means:


220 dcserver1.independencecenter.org ESMTP Service (Lotus Domino Release 7.0.2) ready at Mon, 17 Nov 2008 15:08:55 -0600
ehlo wustl.edu
250-dcserver1.independencecenter.org Hello wustl.edu ([192.168.37.111]), pleased to meet you
250-HELP
250 PIPELINING
mail from:maureenlynne@yahoo.com
250 maureenlynne@yahoo.com... Sender OK
rcpt to:hacker@spam.com
554 Relay rejected for policy reasons.


Does rejected for policy reasons mean we're safe?  
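The same exchange scripted, as an added example that is not part of the original post: it issues EHLO, MAIL FROM with an outside sender, then RCPT TO for one local recipient and one foreign recipient, and reports whether the foreign one was accepted. A 554 on the foreign recipient is the relay refusal shown above; a 250 on the local recipient confirms the session got as far as the relay decision instead of failing earlier. The host names, addresses, and the in-process fake server that stands in for the Domino server are constructed for the example.

```python
"""Open-relay probe: the EHLO / MAIL FROM / RCPT TO exchange from the telnet
transcript, driven from Python so the result is a verdict rather than a screen
to interpret. Added example, not from the original thread."""
import socket
import threading

LOCAL_DOMAIN = "independencecenter.org"   # domain the MX is supposed to accept mail for


def _send(sock, line):
    sock.sendall((line + "\r\n").encode())


def _read_reply(f):
    """Read one SMTP reply; multi-line replies use '250-' continuation lines.
    Returns (numeric code, list of lines)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode(errors="replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def relay_probe(host, port, helo="probe.example.invalid",
                sender="outsider@example.com",
                local_rcpt="postmaster@" + LOCAL_DOMAIN,
                external_rcpt="anyone@example.net"):
    """Offer the server an outside sender with one local and one foreign recipient.
    2xx on the foreign recipient means it will relay for anyone on the Internet;
    5xx (e.g. '554 Relay rejected') is the answer you want.
    Returns {'local': code, 'external': code, 'open_relay': bool}."""
    with socket.create_connection((host, port), timeout=10) as s:
        f = s.makefile("rb")
        code, banner = _read_reply(f)
        if code != 220:
            raise RuntimeError("unexpected banner: %s" % banner)
        _send(s, "EHLO " + helo)
        _read_reply(f)
        _send(s, "MAIL FROM:<%s>" % sender)
        _read_reply(f)
        _send(s, "RCPT TO:<%s>" % local_rcpt)
        local_code, _ = _read_reply(f)
        _send(s, "RCPT TO:<%s>" % external_rcpt)
        ext_code, _ = _read_reply(f)
        _send(s, "QUIT")
        _read_reply(f)
    return {"local": local_code, "external": ext_code,
            "open_relay": 200 <= ext_code < 300}


def fake_smtp_server(open_relay=False):
    """Constructed stand-in for the Domino server so the probe runs offline.
    Answers like the transcript: 554 for foreign recipients unless open_relay is set.
    Serves one connection on 127.0.0.1 and returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    host, port = srv.getsockname()

    def serve():
        conn, _ = srv.accept()
        srv.close()
        try:
            with conn:
                f = conn.makefile("rb")
                _send(conn, "220 fake.example.invalid ESMTP Service ready")
                while True:
                    raw = f.readline()
                    if not raw:
                        break
                    cmd = raw.decode(errors="replace").strip()
                    verb = cmd.split(":", 1)[0].split(" ", 1)[0].upper()
                    if verb == "EHLO":
                        _send(conn, "250-fake.example.invalid Hello\r\n250 PIPELINING")
                    elif verb == "MAIL":
                        _send(conn, "250 Sender OK")
                    elif verb == "RCPT":
                        addr = cmd.split(":", 1)[1].strip().strip("<>")
                        if open_relay or addr.lower().endswith("@" + LOCAL_DOMAIN):
                            _send(conn, "250 Recipient OK")
                        else:
                            _send(conn, "554 Relay rejected for policy reasons.")
                    elif verb == "QUIT":
                        _send(conn, "221 Bye")
                        break
                    else:
                        _send(conn, "500 Command not recognized")
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()
    return host, port


if __name__ == "__main__":
    h, p = fake_smtp_server()
    print(relay_probe(h, p))    # {'local': 250, 'external': 554, 'open_relay': False}
```

Run `relay_probe("74.223.82.114", 25)` from outside the network to test the real server; run it from the LAN as well, because a host that is "External hosts" only in the relay-control sense may still relay for anything with an internal source address, which is exactly what an infected PC would use.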
LVL 43

Expert Comment

by:ravenpl
ID: 22979672
Actually, that's why you are listed: http://cbl.abuseat.org/lookup.cgi?ip=74.223.82.114
I suppose you are not an open relay, but have some user who sends spam/viruses out. Or maybe one of your hosted web pages (if any) got hacked?
LVL 46

Expert Comment

by:Sjef Bosman
ID: 22984700
You say you have the exact same problem? But, if I read carefully, your server is a Domino server and the other one was an Exchange server.

If, as you say, you cannot send mail, there may be several reasons. But first, can you tell us the exact problem, when looking from the Domino server? A Domino server has Mail Transfer options, in the Configuration document, see the Outbound settings. Some mail addresses can be blocked there. What are these settings?

Can you, from your server, connect to the outside world via port 25?
Author Comment

by:maureen99
ID: 22989057
Thanks for all the replies!

ravenpl:

Yes I have confirmed that we are not an open relay
I am going to call the company that hosts our website to see if it has been compromised.
More people are now reporting they cannot send mail.

sjef_bosman:

Yes, you are correct, we are using Domino 7.0.2, not Exchange.  On the Domino server, it says the following:


"11/18/2008 09:22:15 AM  Router: Error transferring message 00195F0B via SMTP to inbound.shopritedepot.com.netsolmail.net  550 5.7.1 Rejected: 74.223.82.114 listed at http://www.spamhaus.org/query/bl?ip=74.223.82.114"

I actually spoke to IBM concerning our configuration doc.  We checked these settings:

Configuration tab, messaging, configurations;  In the configuration document--> router/smtp, restrictions and controls, smtp inbound controls; inbound relay controls:  First three fields blank, an asterisk (*) in the last field.

Configuration tab, messaging, configurations;  In the configuration document--> router/smtp, restrictions and controls, smtp inbound controls; inbound relay controls enforcement: First field says "External hosts;" Next field blank; Last says "Allow all authenticated users to relay"

Configuration tab, messaging, configurations;  In the configuration document--> router/smtp, restrictions and controls, smtp outbound controls, outbound sender controls: First 2 fields blank, Third field has a group with all our staff, all from our domain; rest of fields on smtp outbound control tab are blank.


sjef_bosman:
"Can you, from your server, connect to the outside world via port 25??"

Some mail is going out, but is there a way to test this?

Thanks again,

maureen
Author Comment

by:maureen99
ID: 22989067
I am thinking we have at least one machine someplace that has the Stration/Warezov spambot on it.  Could have gotten there via a bad web page or a flash drive.  Does this sound right?

I am trying to use Wireshark to capture and see if any one machine.  In the meantime I am guessing we will have to scan each machine until we find it so we can get off the blacklist.

Please correct me if I'm wrong and let me know if anyone has suggestions, and thanks again!

Maureen
LVL 4

Accepted Solution

by:
TNL_Engr earned 1000 total points
ID: 22989929
Maureen,
Right now your Sonicwall firewall is probably allowing all traffic on all ports out of your network if it originates from within your network.  This means it is allowing any PC, server, whatever to send out on port 25.  In addition to locating the offending PC, you might want to configure your Sonicwall to block all systems except your email server from sending on port 25.  If you have another system sending out email from within your network you will continue to get blacklisted even if you temporarily get them to remove you from their list.

TNL
LVL 46

Assisted Solution

by:Sjef Bosman
Sjef Bosman earned 1000 total points
ID: 22990137
To check whether the server can create an SMTP connection, try from the server console

    telnet smtp.orange.fr 25

It should show a screen with

    220 mwblablah ESMTP ABO ****

Type quit and ENTER to end the session.

If that works, the server can make connections to the outside world.

And indeed, block all traffic on port 25 except for the real mail servers. Did you click the link to spamhaus.org? Very instructive.

Author Comment

by:maureen99
ID: 22997448
I have blocked all outgoing on the firewall except the mail server.  I spoke to support at SonicWALL and they walked me through it.  It doesn't look like there is any way to block specific ports on our SonicWALL system.

I tried the telnet test and got the following from the mail server:
554 5.7.1 service refused. Client host 74.223.82.114 blocked for spamming issues. Adresse IP source 74.223.82.114 bloquee pour incident de spam. Ref http://r.orange.fr/r/Oassistance_adresserejetee . [Translation: Source IP address 74.223.82.114 blocked for a spam incident.]

Telnetting to smtp.orange.fr 25 from any other machine returns nothing, so I guess they are blocked from sending out anything but mail to our server.

So far I am still scanning machines, I have found backdoor.bot on one of our servers, removed with Malwarebytes.

Also found with AVG 8 free version:
I-worm\nuwar.V in \..\content.ie5\flash.exe

adware generic.BVV in c:\program files\common files\oem common\ robj.dll

We still have not specifically found the Stration/Warezov spambot, however.

I am still scanning machines but I wish I could find where the spam is coming from.  I have Wireshark installed on a server dedicated to monitoring the gateway port on our switch.  If anyone has suggestions for a filter string or any way to locate the guilty machine, I would love to hear it.

Thanks yet again,

maureen
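One way to answer the filter question above, as an added example that is not code from the thread: the spambot is whichever LAN host opens TCP/25 connections to many distinct outside addresses, because on a network like this only the mail server should ever talk to foreign MX hosts. The block parses tshark-style SYN records from the span-port capture and ranks sources by the number of distinct external port-25 destinations; the equivalent Wireshark display filter is in the comments. The LAN range, the mail server's LAN address (192.168.37.20) and the flow records are constructed assumptions, since the thread only gives the DNS server's address and the public IP.

```python
"""Locate the spam-sending host from a gateway capture: count outbound TCP/25 SYNs
per internal source. Added example, not from the thread."""
import ipaddress
from collections import defaultdict

# Assumptions (not stated in the thread): the LAN range and the Domino server's LAN address.
LAN = ipaddress.ip_network("192.168.37.0/24")
MAIL_SERVER_LAN_IP = ipaddress.ip_address("192.168.37.20")

# Equivalent Wireshark display filter for the capture box on the gateway span port
# (outbound connection attempts to port 25 from anything but the mail server):
#   tcp.dstport == 25 && tcp.flags.syn == 1 && tcp.flags.ack == 0 && ip.src != 192.168.37.20

# Constructed sample records in the shape of
#   tshark -r capture.pcap -Y "tcp.flags.syn == 1 && tcp.flags.ack == 0" \
#       -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
SAMPLE_FLOWS = """\
1227010001.10\t192.168.37.20\t198.51.100.25\t25
1227010002.40\t192.168.37.20\t203.0.113.17\t25
1227010003.05\t192.168.37.55\t198.51.100.40\t25
1227010003.21\t192.168.37.55\t203.0.113.9\t25
1227010003.38\t192.168.37.55\t192.0.2.77\t25
1227010003.52\t192.168.37.55\t198.51.100.41\t25
1227010003.70\t192.168.37.55\t203.0.113.10\t25
1227010004.00\t192.168.37.80\t192.168.37.20\t25
1227010004.50\t192.168.37.80\t203.0.113.50\t80
1227010005.00\t192.168.37.91\t198.51.100.60\t25
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) from tab-separated tshark field output."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split("\t")
        yield float(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)


def smtp_talkers(flows, lan=LAN, mail_server=MAIL_SERVER_LAN_IP, min_targets=3):
    """Return {src: [dst, ...]} for LAN hosts other than the mail server that opened
    TCP/25 connections to at least min_targets distinct non-LAN addresses.
    Connections to the internal mail server (normal client submission) are ignored,
    as is anything on other ports."""
    targets = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport != 25 or src not in lan or dst in lan or src == mail_server:
            continue
        targets[src].add(dst)
    return {str(src): sorted(str(d) for d in dsts)
            for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for host, dsts in smtp_talkers(parse_flows(SAMPLE_FLOWS)).items():
        print(host, "->", len(dsts), "distinct external MX hosts")
```

On a real capture the threshold matters less than the shape: a bot fans out to dozens or hundreds of distinct MX hosts in minutes, while a legitimate client only ever connects to the internal server. Once the egress block TNL recommends is in place, the same filter shows the infected host as a stream of SYNs that never get answered.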



LVL 46

Expert Comment

by:Sjef Bosman
ID: 22999964
Okay, so even orange.fr is blocking you. By the way, I think that your tests prove that your server indeed reaches orange.fr via port 25, but that other PCs are somehow blocked (by your router/firewall?). Try telnetting to orange.fr from your home PC; you'll see that it works.

Instead of stumbling around and spending precious time (equals money) on this, would it be possible either to buy a hardware router/firewall that has the blocking options you need, or to create one using the dumbest PC with two network interfaces and Linux on it? There are plenty of good descriptions on the Internet of how to create a monitoring firewall with Linux.

Author Comment

by:maureen99
ID: 23006951
sjef bosman:

I am in the process of evaluating Websense right now.  When I started here security was extremely loose.  I have tightened it somewhat with group policies, but right now we don't have a good system in place to monitor/police our LAN traffic, and I obviously want to get one ASAP. Yesterday I caught a client (we are a health care facility) trying to surf porn sites.

Now, when I telnet to smtp.orange.fr from our mail server I get this:
220 mwinf2024.orange.fr ESMTP ABO **************************

When I do it from a LAN pc I get no response at all.

Nevertheless, we are no longer on the blacklist and it looks like mail is going through our SMTP server today.






Author Closing Comment

by:maureen99
ID: 31517525
Thanks very much for all your detailed help!  We are still having a few problems (maybe yet another thread) but we are off the blacklist.

Again, can't thank you enough,

Maureen