We've Been blacklisted--trying to figure out if our server is a spam relay

Hello,

We are having the exact same problem as in this thread:

http://www.experts-exchange.com/Networking/Protocols/Application_Protocols/Email/SMTP/Q_23677451.html?sfQueryTermInfo=1+%22sbl+xbl.spamhaus.org%22+block

I am going through the steps provided and am getting stuck trying to telnet to our mail server.  I cannot telnet to the FQDN, only to the IP address.

I do the following:

C:\WINDOWS>nslookup
Default Server:  dcserver3.ic.internal
Address:  192.168.37.10

> set type=mx
> independencecenter.org
Server:  dcserver3.ic.internal
Address:  192.168.37.10

Non-authoritative answer:
independencecenter.org  MX preference = 20, mail exchanger = mail2.independencecenter.org
independencecenter.org  MX preference = 10, mail exchanger = barracuda.independencecenter.org

mail2.independencecenter.org    internet address = 74.223.82.114
barracuda.independencecenter.org        internet address = 74.223.82.114
I telnet to independencecenter.org 25 and it just hangs, then goes back to a windows prompt.
I telnet to the ip and get the following:
220 dcserver1.independencecenter.org ESMTP Service (Lotus Domino Release 7.0.2) ready at Mon, 17 Nov 2008 11:57:15 -0600

However, it won't respond to anything I type.  Can anyone tell me what's going on?

Also, how can I block port 25 outgoing on our sonicwall PRO 2040 Standard?

Thanks for any assistance,

Maureen
maureen99Asked:

ravenplCommented:
Use http://www.kloth.net/services/dnsbl.php and similar; indeed, you are listed.
Use http://spamlinks.net/prevent-secure-relay-test.htm to test for simple open relays.
0
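The DNSBL lookup that ravenpl points at works by reversing the octets of the IP and querying an A record under the list's zone; a 127.0.0.0/8 answer means "listed", NXDOMAIN means "not listed". The following is an added example, not code from the thread or from any of the services linked above. The IP is the one discussed in the thread; the two zone names are well-known public lists, and the resolver is injectable so the logic can be exercised offline.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Constructed values: the IP discussed in the thread and two commonly used public zones.
SUSPECT_IP = "74.223.82.114"
DNSBL_ZONES = ("zen.spamhaus.org", "cbl.abuseat.org")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Return the reversed-octet name a DNSBL is queried with,
    e.g. 74.223.82.114 + zen.spamhaus.org -> 114.82.223.74.zen.spamhaus.org."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 listings are handled here")
    return ".".join(reversed(ip.split("."))) + "." + zone


def check_listing(ip: str, zone: str,
                  resolve: Callable[[str], str] = socket.gethostbyname) -> dict:
    """Query one zone. The injected resolver lets this run offline; the default
    performs a real DNS A lookup via the system resolver."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer: Optional[str] = resolve(name)
    except OSError:
        # socket.gaierror (NXDOMAIN / lookup failure): not listed in this zone.
        return {"zone": zone, "name": name, "listed": False, "answer": None}
    # Genuine listings answer inside 127.0.0.0/8. Anything else usually means a
    # wildcarding resolver or a retired zone, so it must not count as a listing.
    listed = ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
    return {"zone": zone, "name": name, "listed": listed, "answer": answer}


def check_all(ip: str, zones=DNSBL_ZONES, resolve=socket.gethostbyname):
    """Check one IP against every configured zone."""
    return [check_listing(ip, z, resolve) for z in zones]


if __name__ == "__main__":
    for r in check_all(SUSPECT_IP):
        state = "LISTED" if r["listed"] else "clean"
        print(f"{r['zone']:20} {state:7} {r['answer'] or '-'}")
```

The 127.0.0.0/8 check is the caveat worth keeping: some ISP resolvers answer every unknown name with an advertising IP, which a naive "got an answer, therefore listed" test would misreport as a blacklisting.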
maureen99Author Commented:
I did manage to telnet in and got the following, I hope someone can tell me what this means:

220 dcserver1.independencecenter.org ESMTP Service (Lotus Domino Release 7.0.2) ready at Mon, 17 Nov 2008 15:08:55 -0600
ehlo wustl.edu
250-dcserver1.independencecenter.org Hello wustl.edu ([192.168.37.111]), pleased to meet you
250-HELP
250 PIPELINING
mail from:maureenlynne@yahoo.com
250 maureenlynne@yahoo.com... Sender OK
rcpt to:hacker@spam.com
554 Relay rejected for policy reasons.

Does rejected for policy reasons mean we're safe?  
0
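What Maureen's probe exercises is the server's relay decision at RCPT TO: a foreign sender plus a foreign recipient must be refused unless the client is authenticated (or the recipient is local). The following is an added example, not code from the thread or from Domino: a simplified SMTP policy model whose hostname (mx.example.test) and local-domain set are assumptions. The same function can be flipped into the open-relay misconfiguration to show what the 554 protects against.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed: the domain the thread's server delivers for.
LOCAL_DOMAINS = {"independencecenter.org"}


@dataclass
class Session:
    authenticated: bool = False      # would be set by a successful AUTH exchange
    helo: str = ""
    sender: str = ""
    recipients: List[str] = field(default_factory=list)


def extract_addr(arg: str) -> str:
    """'from:<a@b>' or 'TO: c@d' -> 'a@b' / 'c@d' (lower-cased)."""
    return arg.partition(":")[2].strip().strip("<>").lower()


def handle(session: Session, line: str, open_relay: bool = False,
           local_domains=LOCAL_DOMAINS) -> str:
    """Answer one SMTP command. open_relay=True reproduces the misconfiguration,
    open_relay=False is the policy that produced Maureen's 554."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb in ("HELO", "EHLO"):
        session.helo = arg
        return f"250 mx.example.test Hello {arg}, pleased to meet you"
    if verb == "MAIL":
        session.sender = extract_addr(arg)
        return f"250 {session.sender}... Sender OK"
    if verb == "RCPT":
        if not session.sender:
            return "503 Need MAIL command"
        rcpt = extract_addr(arg)
        domain = rcpt.rpartition("@")[2]
        # Relay decision: local delivery always, relay only for authenticated clients.
        if domain in local_domains or session.authenticated or open_relay:
            session.recipients.append(rcpt)
            return f"250 {rcpt}... Recipient OK"
        return "554 Relay rejected for policy reasons."
    if verb == "QUIT":
        return "221 Closing connection"
    return "500 Command unrecognized"


def run_script(commands, **policy) -> List[str]:
    """Feed a command script through one session; return the three-digit reply codes."""
    session = Session(authenticated=policy.pop("authenticated", False))
    return [handle(session, c, **policy)[:3] for c in commands]


# The probe typed in the thread: foreign sender, foreign recipient.
RELAY_PROBE = ["ehlo wustl.edu",
               "mail from:maureenlynne@yahoo.com",
               "rcpt to:hacker@spam.com"]


def is_open_relay(codes: List[str]) -> bool:
    """The probe proves an open relay only if the foreign RCPT TO is accepted."""
    return codes[-1].startswith("2")


if __name__ == "__main__":
    print("hardened:", run_script(RELAY_PROBE))             # ['250', '250', '554']
    print("open relay:", run_script(RELAY_PROBE, open_relay=True))
```

The caveat ravenpl raises in the next reply follows directly from this model: a 554 here only shows the server will not relay for unauthenticated strangers. It says nothing about a LAN host that authenticates with stored credentials, or one that bypasses the mail server and speaks SMTP to the Internet on its own, and the CBL listing is about exactly that kind of outbound traffic.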
ravenplCommented:
Actually, that's why you are listed: http://cbl.abuseat.org/lookup.cgi?ip=74.223.82.114
I suppose you are not an open relay, but have some user who sends spam/viruses out. Or maybe one of the hosted web pages (if any) got hacked?
0

Sjef BosmanGroupware ConsultantCommented:
You say you have the exact same problem? But, if I read carefully, your server is a Domino server and the other one was an Exchange server.

If, as you say, you cannot send mail, there may be several reasons. But first, can you tell us the exact problem, when looking from the Domino server? A Domino server has Mail Transfer options, in the Configuration document, see the Outbound settings. Some mail addresses can be blocked there. What are these settings?

Can you, from your server, connect to the outside world via port 25??
0
maureen99Author Commented:
Thanks for all the replies!

ravenpl:

Yes I have confirmed that we are not an open relay
I am going to call the company that hosts our website to see if it has been compromised.
More people are now reporting they cannot send mail.

sjef_bosman:

Yes, you are correct we are using domino 7.0.2 not exchange.  On the domino server, it says the following:

"11/18/2008 09:22:15 AM  Router: Error transferring message 00195F0B via SMTP to inbound.shopritedepot.com.netsolmail.net  550 5.7.1 Rejected: 74.223.82.114 listed at http://www.spamhaus.org/query/bl?ip=74.223.82.114"

I actually spoke to IBM concerning our configuration doc.  We checked these settings:

Configuration tab, messaging, configurations;  In the configuration document--> router/smtp, restrictions and controls, smtp inbound controls; inbound relay controls:  First three fields blank, an asterisk (*) in the last field.

Configuration tab, messaging, configurations;  In the configuration document--> router/smtp, restrictions and controls, smtp inbound controls; inbound relay controls enforcement: First field says "External hosts;" Next field blank; Last says "Allow all authenticated users to relay"

Configuration tab, messaging, configurations;  In the configuration document--> router/smtp, restrictions and controls, smtp outbound controls, outbound sender controls: First 2 fields blank, Third field has a group with all our staff, all from our domain; rest of fields on smtp outbound control tab are blank.

sjef_bosman:
"Can you, from your server, connect to the outside world via port 25??"

Some mail is going out, but is there a way to test this?

Thanks again,

maureen
0
maureen99Author Commented:
I am thinking we have at least one machine someplace that has the Stration/Warezov spambot on it.  Could have gotten there via a bad web page or a flash drive.  Does this sound right?

I am trying to use wireshark to capture and see if any one machine.  In the meantime I am guessing we will have to scan each machine until we find it so we can get off the blacklist.

Please correct me if I'm wrong and let me know if anyone has suggestions, and thanks again!

Maureen
0
TNL_EngrCommented:
Maureen,
Right now your Sonicwall firewall is probably allowing all traffic on all ports out of your network if it originates from within your network.  This means it is allowing any PC, server, whatever to send out on port 25.  In addition to locating the offending PC, you might want to configure your Sonicwall to block all systems except your email server from sending on port 25.  If you have another system sending out email from within your network you will continue to get blacklisted even if you temporarily get them to remove you from their list.

TNL
0
Sjef BosmanGroupware ConsultantCommented:
To check whether the server can create an SMTP connection, try from the server console

    telnet smtp.orange.fr 25

It should show a screen with

    220 mwblablah ESMTP ABO ****

Type quit and ENTER to end the session.

If that works, the server can make connections to the outside world.

And indeed, block all traffic on port 25 except for the real mail servers. You clicked the link to spamhaus.org? Very instructive.
0
maureen99Author Commented:
I have blocked all outgoing on the firewall except the mail server.  I spoke to support at SonicWall and they walked me through it.  It doesn't look like there is any way to block specific ports on our SonicWall system.

I tried the telnet test and got the following from the mail server:
554 5.7.1 service refused. Client host 74.223.82.114 blocked for spamming issues. Adresse IP source 74.223.82.114 bloquee pour incident de spam. Ref http://r.orange.fr/r/Oassistance_adresserejetee .

Telnetting to smtp.orange.fr 25 from any other machine returns nothing, so I guess they are blocked from sending out anything but mail to our server.

So far I am still scanning machines, I have found backdoor.bot on one of our servers, removed with malwarebytes.

Also found with avg8 free version:
I-worm\nuwar.V in \..\content.ie5\flash.exe

adware generic.BVV in c:\program files\common files\oem common\ robj.dll

We still have not specifically found the  Stration/Warezov spambot however.

I am still scanning machines but I wish I could find where the spam is coming from.  I have wireshark installed on a server dedicated to monitoring the gateway port on our switch.  If anyone has suggestions for a filter string or any way to locate the guilty machine, I would love to hear it.

Thanks yet again,

maureen

0
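Maureen asks for a filter string to find the spamming host. The Wireshark display filter that answers that question on a capture of the gateway port is `tcp.dstport == 25 && !(ip.src == 192.168.37.20)`, where 192.168.37.20 stands in for the mail server's LAN address (an assumption; the thread never gives it). Offline, the same logic can be run over exported connection records, which is what the following added example does; it is not code from the thread, from Wireshark or from SonicWall, and the log lines are constructed in a generic `src=IP:port dst=IP:port` shape with documentation-range external addresses. Any LAN host other than the approved mail server that opens TCP 25 connections outbound is the candidate, ranked by how busy it is and how many distinct MX hosts it contacted (a spambot fans out; a legitimate client talks to one server).

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Assumed LAN address of the site's mail server; the only host allowed to speak SMTP outbound.
MAIL_SERVERS = {"192.168.37.20"}

# Constructed sample records (not real firewall or Wireshark output).
SAMPLE_LOG = """\
2008-11-18 09:20:01 proto=tcp src=192.168.37.20:40111 dst=198.51.100.7:25
2008-11-18 09:20:04 proto=tcp src=192.168.37.55:1051 dst=203.0.113.9:25
2008-11-18 09:20:05 proto=tcp src=192.168.37.55:1052 dst=203.0.113.20:25
2008-11-18 09:20:05 proto=tcp src=192.168.37.55:1053 dst=198.51.100.33:25
2008-11-18 09:20:06 proto=tcp src=192.168.37.55:1054 dst=198.51.100.33:25
2008-11-18 09:20:07 proto=tcp src=192.168.37.77:2001 dst=198.51.100.80:80
2008-11-18 09:20:09 proto=tcp src=192.168.37.20:40112 dst=203.0.113.9:25
2008-11-18 09:20:10 proto=tcp src=192.168.37.55:1055 dst=198.51.100.80:443
"""

LINE_RE = re.compile(
    r"src=(\d{1,3}(?:\.\d{1,3}){3}):\d+\s+dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
)


def smtp_talkers(lines: Iterable[str],
                 allowed=MAIL_SERVERS) -> List[Tuple[str, int, int]]:
    """Return (source, connection_count, distinct_destinations) for every host that
    is not an approved mail server yet opened connections to TCP 25, busiest first."""
    conns: Dict[str, int] = defaultdict(int)
    dests: Dict[str, set] = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                      # not a connection record we understand
        src, dst, dport = m.groups()
        if dport != "25" or src in allowed:
            continue                      # not SMTP, or the legitimate relay
        conns[src] += 1
        dests[src].add(dst)
    return sorted(((s, conns[s], len(dests[s])) for s in conns),
                  key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for src, n, d in smtp_talkers(SAMPLE_LOG.splitlines()):
        print(f"{src}: {n} outbound SMTP connections to {d} distinct MX hosts")
```

Once the egress rule TNL_Engr describes is in place, the same report doubles as a verification: with the firewall dropping port 25 from everything but the mail server, the list should come back empty, and any host that still appears is one the rule is not covering.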
Sjef BosmanGroupware ConsultantCommented:
Okay, so even orange.fr are blocking you. By the way, I think that your tests prove that your server indeed reaches orange.fr via port 25, but that other PCs are somehow blocked (by your router/firewall??). Try telnet to orange.fr from your home PC; you'll see that it works.

Instead of stumbling around and spending precious time (equals money) on this, would it be possible to either buy a hardware router/firewall that has the blocking options you need, or to create one using the dumbest PC with two network interfaces and Linux on it? There are plenty of good descriptions on the Internet of how to create a monitoring firewall with Linux.
0
maureen99Author Commented:
sjef bosman:

I am in the process of evaluating websense right now.  When I started here security was extremely loose.  I have tightened it somewhat with group policies, but right now we don't have a good system in place to monitor/police our LAN traffic, and I obviously want to get one asap....yesterday I caught a client (we are a health care facility) trying to surf porn sites.

Now, when I telnet to smtp.orange.fr from our mail server I get this:
220 mwinf2024.orange.fr ESMTP ABO **************************

When I do it from a LAN pc I get no response at all.

Nevertheless, we are no longer on the blacklist and it looks like mail is going through our SMTP server today.

0
maureen99Author Commented:
Thanks very much for all your detailed help!  We are still having a few problems (maybe yet another thread) but we are off the blacklist.

Again, can't thank you enough,

Maureen
0