maureen99
asked on
We've been blacklisted -- trying to figure out if our server is a spam relay
Hello,
We are having the exact same problem as in this thread:
https://www.experts-exchange.com/questions/23677451/Why-are-ALL-of-my-outgoing-e-mails-being-blocked-and-returned-as-undeliverable.html?sfQueryTermInfo=1+"sbl+xbl.spamhaus.org"+block
I am going through the steps provided and am getting stuck trying to telnet to our mail server. I cannot telnet to the FQDN, only to the IP address.
I do the following:
C:\WINDOWS>nslookup
Default Server: dcserver3.ic.internal
Address: 192.168.37.10
> set type=mx
> independencecenter.org
Server: dcserver3.ic.internal
Address: 192.168.37.10
Non-authoritative answer:
independencecenter.org MX preference = 20, mail exchanger = mail2.independencecenter.org
independencecenter.org MX preference = 10, mail exchanger = barracuda.independencecenter.org
mail2.independencecenter.org internet address = 74.223.82.114
barracuda.independencecenter.org internet address = 74.223.82.114
I telnet to independencecenter.org 25 and it just hangs, then goes back to a Windows prompt.
I telnet to the IP and get the following:
220 dcserver1.independencecenter.org ESMTP Service (Lotus Domino Release 7.0.2) ready at Mon, 17 Nov 2008 11:57:15 -0600
However, it won't respond to anything I type. Can anyone tell me what's going on?
Also, how can I block port 25 outgoing on our sonicwall PRO 2040 Standard?
Thanks for any assistance,
Maureen
ASKER
I did manage to telnet in and got the following, I hope someone can tell me what this means:
220 dcserver1.independencecenter.org ESMTP Service (Lotus Domino Release 7.0.2) ready at Mon, 17 Nov 2008 15:08:55 -0600
ehlo wustl.edu
250-dcserver1.independencecenter.org Hello wustl.edu ([192.168.37.111]), pleased to meet you
250-HELP
250 PIPELINING
mail from:maureenlynne@yahoo.com
250 maureenlynne@yahoo.com... Sender OK
rcpt to:hacker@spam.com
554 Relay rejected for policy reasons.
Does rejected for policy reasons mean we're safe?
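The manual EHLO / MAIL FROM / RCPT TO session above, scripted as an added example (not from the original thread) so the same relay check can be repeated from a test host and its outcome read off the reply code; the helper names and the probe addresses are constructed and belong to no real domain.

```python
"""Relay check mirroring the manual telnet session (added example)."""
import smtplib
import socket

# Constructed probe identities: neither the sender domain nor the recipient
# domain belongs to the server under test, so a 2xx reply to RCPT TO would
# mean the server is willing to forward mail it is not responsible for.
PROBE_HELO = "relaytest.example"
PROBE_FROM = "probe@sender.example"
PROBE_RCPT = "nobody@recipient.example"


def interpret_rcpt_reply(code: int) -> str:
    """Classify the reply to RCPT TO for a foreign sender/recipient pair."""
    if 200 <= code < 300:
        return "open relay"          # server agreed to relay for strangers
    if 500 <= code < 600:
        return "relay refused"       # e.g. the 554 "Relay rejected" above
    if 400 <= code < 500:
        return "temporary failure"   # greylisting or load; retest later
    return "unexpected"


def relay_test(host: str, port: int = 25, timeout: float = 15.0) -> tuple:
    """Run EHLO / MAIL FROM / RCPT TO against host; return (verdict, code, text)."""
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo(PROBE_HELO)
            code, text = smtp.mail(PROBE_FROM)
            if code != 250:
                return ("sender refused", code, text.decode(errors="replace"))
            code, text = smtp.rcpt(PROBE_RCPT)
            smtp.rset()  # abandon the transaction; nothing is ever sent
            return (interpret_rcpt_reply(code), code, text.decode(errors="replace"))
    except (socket.timeout, OSError, smtplib.SMTPException) as exc:
        return ("connection failed", 0, str(exc))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(relay_test(target))
```

Run it from a host outside the server's own network as well as from the LAN, because a relay policy that trusts "internal" addresses (like the `[192.168.37.111]` seen in the greeting) can look closed from inside and open from outside.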
Actually, that's why you are listed: http://cbl.abuseat.org/lookup.cgi?ip=74.223.82.114
I suppose you are not an open relay, but have some user who sends spam/viruses out. Or maybe one of the hosted web pages (if any) got hacked?
You say you have the exact same problem? But, if I read carefully, your server is a Domino server and the other one was an Exchange server.
If, as you say, you cannot send mail, there may be several reasons. But first, can you tell us the exact problem, when looking from the Domino server? A Domino server has Mail Transfer options, in the Configuration document, see the Outbound settings. Some mail addresses can be blocked there. What are these settings?
Can you, from your server, connect to the outside world via port 25?
ASKER
Thanks for all the replies!
ravenpl:
Yes I have confirmed that we are not an open relay
I am going to call the company that hosts our website to see if it has been compromised.
More people are now reporting they cannot send mail.
sjef_bosman:
Yes, you are correct we are using domino 7.0.2 not exchange. On the domino server, it says the following:
"11/18/2008 09:22:15 AM Router: Error transferring message 00195F0B via SMTP to inbound.shopritedepot.com.netsolmail.net 550 5.7.1 Rejected: 74.223.82.114 listed at http://www.spamhaus.org/query/bl?ip=74.223.82.114"
I actually spoke to IBM concerning our configuration doc. We checked these settings:
Configuration tab, messaging, configurations; In the configuration document--> router/smtp, restrictions and controls, smtp inbound controls; inbound relay controls: First three fields blank, an asterisk (*) in the last field.
Configuration tab, messaging, configurations; In the configuration document--> router/smtp, restrictions and controls, smtp inbound controls; inbound relay controls enforcement: First field says "External hosts;" Next field blank; Last says "Allow all authenticated users to relay"
Configuration tab, messaging, configurations; In the configuration document--> router/smtp, restrictions and controls, smtp outbound controls, outbound sender controls: First 2 fields blank, Third field has a group with all our staff, all from our domain; rest of fields on smtp outbound control tab are blank.
sjef_bosman:
"Can you, from your server, connect to the outside world via port 25??"
Some mail is going out, but is there a way to test this?
Thanks again,
maureen
ASKER
I am thinking we have at least one machine someplace that has the Stration/Warezov spambot on it. Could have gotten there via a bad web page or a flash drive. Does this sound right?
I am trying to use Wireshark to capture and see if any one machine. In the meantime I am guessing we will have to scan each machine until we find it so we can get off the blacklist.
Please correct me if I'm wrong and let me know if anyone has suggestions, and thanks again!
Maureen
ASKER
I have blocked all outgoing on the firewall except the mail server. I spoke to support at SonicWall and they walked me through it. It doesn't look like there is any way to block specific ports on our SonicWall system.
I tried the telnet test and got the following from the mail server:
554 5.7.1 service refused. Client host 74.223.82.114 blocked for spamming issues. Adresse IP source 74.223.82.114 bloquee pour incident de spam. Ref http://r.orange.fr/r/Oassistance_adresserejetee .
Telnetting to smtp.orange.fr 25 from any other machine returns nothing, so I guess they are blocked from sending out anything but mail to our server.
So far I am still scanning machines. I have found backdoor.bot on one of our servers, removed with Malwarebytes.
Also found with AVG 8 free version:
I-worm\nuwar.V in \..\content.ie5\flash.exe
adware generic.BVV in c:\program files\common files\oem common\ robj.dll
We still have not specifically found the Stration/Warezov spambot however.
I am still scanning machines, but I wish I could find where the spam is coming from. I have Wireshark installed on a server dedicated to monitoring the gateway port on our switch. If anyone has suggestions for a filter string or any way to locate the guilty machine, I would love to hear it.
Thanks yet again,
maureen
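One way to answer the filter-string question, as an added example that is not part of the original thread: a Wireshark display filter that isolates outbound SMTP connection attempts, and a Python pass over constructed connection records of the kind such a capture on the gateway port yields, ranking internal hosts by how many distinct external mail servers they contact. A spambot talks to many recipient domains' MX hosts directly, whereas ordinary workstations should only ever talk to the site's own mail server. The record format, the 192.168.37.20 address for the mail server and all sample addresses are constructed assumptions.

```python
"""Rank LAN hosts by direct outbound SMTP fan-out (added example)."""
import re
from collections import defaultdict

# Equivalent Wireshark display filter for the gateway-port capture (SYNs to port 25):
#   tcp.dstport == 25 && tcp.flags.syn == 1 && tcp.flags.ack == 0
# Constructed sample of connection records, one per TCP connection attempt:
#   "<time> <src ip>:<src port> -> <dst ip>:<dst port>"
# 192.168.37.20 is the assumed internal address of the site's own mail server.
SAMPLE_LOG = """\
10:02:11 192.168.37.20:2101 -> 203.0.113.27:25
10:02:12 192.168.37.55:3344 -> 198.51.100.161:25
10:02:12 192.168.37.55:3345 -> 203.0.113.27:25
10:02:13 192.168.37.55:3346 -> 198.51.100.94:25
10:02:14 192.168.37.55:3347 -> 203.0.113.121:25
10:02:15 192.168.37.120:4410 -> 192.168.37.20:25
10:02:16 192.168.37.20:2102 -> 198.51.100.161:25
10:02:17 192.168.37.55:3348 -> 198.51.100.161:25
10:02:20 192.168.37.77:1180 -> 203.0.113.27:80
"""

LINE_RE = re.compile(r"^\S+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_line(line: str):
    """Return (src, dst, dport) for one record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return (m["src"], m["dst"], int(m["dport"])) if m else None


def smtp_talkers(log_text: str, mail_server_ip: str, lan_prefix: str = "192.168."):
    """Map each LAN host (except the mail server) to the external SMTP hosts it contacted."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        # Keep only port-25 connections from a LAN host to an outside address;
        # submissions to the site's own mail server are normal and are skipped.
        if dport != 25 or src == mail_server_ip or dst.startswith(lan_prefix):
            continue
        seen[src].add(dst)
    return dict(seen)


def rank_suspects(log_text: str, mail_server_ip: str, min_destinations: int = 3):
    """Hosts reaching at least min_destinations distinct external MX hosts, most first."""
    talkers = smtp_talkers(log_text, mail_server_ip)
    ranked = sorted(talkers.items(), key=lambda kv: len(kv[1]), reverse=True)
    return [(host, len(dsts)) for host, dsts in ranked if len(dsts) >= min_destinations]
```

Once the mail server is the only LAN host allowed to reach port 25 at the firewall, the same capture on the gateway port shows the blocked attempts, so the ranking keeps working as a detection even after the egress rule is in place.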
Okay, so even orange.fr are blocking you. By the way, I think that your tests prove that your server indeed reaches orange.fr via port 25, but that other PCs are somehow blocked (by your router/firewall?). Try telnet to orange.fr from your home PC; you'll see that it works.
Instead of stumbling around and spending precious time (equals money) on this, would it be possible to either buy a hardware router/firewall that has the blocking options you need, or to create one using the dumbest PC with two network interfaces and Linux on it? There are plenty of good descriptions on the Internet of how to create a monitoring firewall with Linux.
ASKER
sjef bosman:
I am in the process of evaluating Websense right now. When I started here security was extremely loose. I have tightened it somewhat with group policies, but right now we don't have a good system in place to monitor/police our LAN traffic, and I obviously want to get one ASAP. Yesterday I caught a client (we are a health care facility) trying to surf porn sites.
Now, when I telnet to smtp.orange.fr from our mail server I get this:
220 mwinf2024.orange.fr ESMTP ABO **************************
When I do it from a LAN pc I get no response at all.
Nevertheless, we are no longer on the blacklist and, it looks like mail is going through our smtp server today.
ASKER
Thanks very much for all your detailed help! We are still having a few problems (maybe yet another thread) but we are off the blacklist.
Again, can't thank you enough,
Maureen
Use http://spamlinks.net/prevent-secure-relay-test.htm to test for simple open relays.