ryan80

Email server keeps on getting put on blacklist

I have an internal Exchange server that keeps getting put on a blacklist. I have checked and verified that it is not an open relay.  I have scanned the computers on the network and placed a GPO preventing port 25 from being used.  

However I still seem to be having this issue.  I have 2 gateways,  all of the desktops are using a FIOS connection, and then servers are using a T1 line. The IP address that is being blocked is on the T1 line.  I have NAT'ing setup on a Netopia router so the IP runs to the front end Exchange server.

Any ideas on what could be causing this?  How can I check how many emails are being sent from the Exchange server so I can see if it is being used to send out spam?  I am programming a firewall now so only the Exchange server will be able to use port 25, but how can I find the source of the problem?
SOLUTION
Syedm2

ryan80

ASKER

Port 25 is blocked except for on the servers.  I tried to enable logging on the server so I can see if the mail is going out through the server, but I don't see any records for email that I am sending out. I am looking in the application logging for the server that sends the mail, but can not find any records to see what user is sending out mail.



I looked in the logs and found this record, however I am thinking that this is my server blocking spam?

This is an SMTP protocol warning log for virtual server ID 1, connection #28. The remote host "159.134.198.151", responded to the SMTP command "rcpt" with "451 http://www.spamhaus.org/query/bl?ip=98.109.210.194  ". The full command sent was "RCPT TO:<bitich@gofree.indigo.ie>  ".  This may cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.
ryan80

ASKER

If I am sending from an Exchange account in Outlook, it would not show in the logging, correct?

ASKER CERTIFIED SOLUTION
ryan80

ASKER

I know that I am on blacklists.  The messages that I am getting say that the public IP of the mail server is the one being blocked.  
The point I was getting across is that based on the IP address posted above, some of the blacklists you cannot get off. They are ISP level blacklists.

If the server keeps getting back on blacklists then you need to block port 25 traffic completely (in and outbound), stop it on the Exchange server and then watch the logs. If email is being sent out by something else it will quickly fill the logs.

-M
ryan80

ASKER

OK,  I requested to be removed from CBL and spamcop.  Some of the lists indicate that I will just have to wait up to 7 days.  Now I have stopped port 25 traffic on all of the desktops so that should help, but the way that our network is set up, only the server should be able to use the IP address that mail is going out through.  

I disabled the email connector on the server, and when I disabled it, there were no more warnings popping up in the event log about emails going out and being blocked.  Additionally I tested it by re-enabling it and I got warnings again within a few minutes, so the connector is definitely causing the problem.

How do I go about getting removed from the rest of the blacklists? Do I just have to wait until I automatically get cleared after a set amount of time?
Yes, you have to wait till you get whitelisted.
A lot of the blacklists are actually querying other blacklists to make their own. Therefore if you request to be cleared off one or two you can be gone from others.

You haven't said what version of Exchange this is, but an SMTP connector (if Exchange 2003) cannot be the cause of the problem, because it is just a configuration tool. It is not actually doing the work. It simply tells Exchange how to manage the traffic. Therefore I suspect that all that is happening when you put the SMTP connector back in again is that the traffic that was lurking on one of the server's queues is simply being collected together into a single queue for the connector.

-M
ryan80

ASKER

Also it seems that the bounceback that I showed you may have been a spoof of one of our email addresses. The IP address that we use is not the one that was listed in the error message above. Our IP is with Covad. When I go to mxtoolbox I am listed on the following lists:

Blacklist Name   Status   Reason                                                      Return code   TTL    Response Time (ms)
CASA-CBL         LISTED   Mail from 68.167.116.140 refused, see Detail                127.0.8.2     9288   31
CASA-CBL+        LISTED   Mail from 68.167.116.140 refused, see Detail                127.0.8.6     9288   31
CBL              LISTED   Blocked - see Detail                                        127.0.0.2     2088   31
SPAMCOP          LISTED   Blocked - see Detail                                        127.0.0.2     588    31
Spamhaus-ZEN     LISTED   Detail                                                      127.0.0.4     288    250
UCEPROTECTL1     LISTED   IP 68.167.116.140 is UCEPROTECT-Level 1 listed. See Detail  127.0.0.2     -      -
 

I have put in a request for CBL and Spamhaus.  UCEProtect says it just takes 7 days.  The other 2 are in Chinese so I don't know what to do there.
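The mxtoolbox report above is a set of DNS lookups: the address is reversed, the list's zone is appended, and an A record in 127.0.0.0/8 means "listed", with the last octets saying why. The script below repeats that check and decodes the answers. It is an added example for this thread, not code from any of the posts; 68.167.116.140 and the four list names are the ones quoted above, and the meanings of the Spamhaus ZEN return codes are Spamhaus's published ones.

```python
"""Query DNS blacklists for an address and decode the 127.0.x.y answers,
the way the mxtoolbox report does. Added example; not from the original posts."""
import socket

# Spamhaus ZEN: the 127.0.0.x answer says which component list produced the hit.
ZEN_CODES = {
    "127.0.0.2": "SBL - Spamhaus Block List (spam source / spam operation)",
    "127.0.0.3": "SBL CSS - low-reputation / snowshoe sources",
    "127.0.0.4": "XBL - exploited host (CBL data: compromised machine or open proxy)",
    "127.0.0.5": "XBL - exploited host",
    "127.0.0.6": "XBL - exploited host",
    "127.0.0.7": "XBL - exploited host",
    "127.0.0.10": "PBL - ISP policy block (end-user space not expected to send direct to MX)",
    "127.0.0.11": "PBL - ISP policy block",
}

# Zones behind the names in the report: CBL, SpamCop, Spamhaus ZEN, UCEPROTECT level 1.
ZONES = ["cbl.abuseat.org", "bl.spamcop.net", "zen.spamhaus.org", "dnsbl-1.uceprotect.net"]


def dnsbl_query_name(ip, zone):
    """Reverse the dotted quad and append the zone: 68.167.116.140 -> 140.116.167.68.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def classify_answer(zone, answer):
    """Turn an A-record answer (None for NXDOMAIN) into (listed?, reason)."""
    if answer is None:
        return (False, "not listed")
    if answer.startswith("127.255.255."):
        # Spamhaus answers in this range for refused queries (public resolver,
        # query limit exceeded, typo in the zone): an error, not a listing.
        return (False, "query refused by the DNSBL (%s), not a listing" % answer)
    if zone == "zen.spamhaus.org":
        return (True, ZEN_CODES.get(answer, "listed, unknown ZEN code %s" % answer))
    return (True, "listed (%s)" % answer)


def lookup(ip, zone):
    """Resolve the DNSBL name; None means NXDOMAIN, i.e. not listed."""
    try:
        return socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None


def check(ip, zones=ZONES):
    """Check one address against every zone: {zone: (listed, reason)}."""
    return {zone: classify_answer(zone, lookup(ip, zone)) for zone in zones}


if __name__ == "__main__":
    for zone, (listed, reason) in check("68.167.116.140").items():
        print("%-24s %-7s %s" % (zone, "LISTED" if listed else "clean", reason))
```

The 127.0.0.4 that ZEN returned in the report is its XBL component, which is built from CBL data, so the CBL delisting request already covers that hit; that is the "lists query other lists" point made earlier in the thread. Run the check from a resolver you control: Spamhaus refuses queries from large public resolvers with a 127.255.255.x answer, which the script reports as an error rather than a listing.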
UCEPROTECT will unblock you in 7 days, or you have to pay them to do it faster.
For the rest of them, you can go to the website and get it whitelisted.
Enable logging on msexchangetransport\authentication to 7.
In Event Viewer, search the Application log for event 1708. Event 1708 indicates that the account authenticates with the Exchange computer to send relayed mail.
This will tell if an account which is allowed to relay has a compromised password.
Blacklists do not work on email addresses, they work on IP addresses.
If the IP address was correct, then that is involved somewhere.

-M
ryan80

ASKER

I know that blacklists work on IPs, but I am just a little confused on how I got an error message relating to another server IP.  Is it possible that another server was spoofing our email address and we just got the bounce back?
Check this KB: How to configure Sender Policy Framework records in the Windows Server 2003 Domain Name System
http://support.microsoft.com/kb/912716
yes.
ryan80

ASKER

Mestha, it is Exchange 2003.  Are you sure that it can not be a connector?  I enabled logging and don't see any authorized relays happening. The event log on the front end server was getting these errors constantly while the SMTP connector was active:

This is an SMTP protocol warning log for virtual server ID 1, connection #81. The remote host "204.10.107.126", responded to the SMTP command "rcpt" with "451 Blocked - see http://www.spamcop.net/bl.shtml?68.167.116.140  ". The full command sent was "RCPT TO:<xhxyp@bondnbotes.com>  ".  This may cause the connection to fail.

As soon as I disabled the SMTP connector the error messages disappear.  I disabled it 3 hours ago and have not had a bounce back error since.  I enabled it again and the errors started within a few minutes. So it seems that it is the source of the issue, at least that is what it seems.  Any thoughts on this, as I am not very Exchange savvy.
ryan80

ASKER

Also I am still trying to figure out how to view all emails that are sent out through the server.  I have enabled logging for the SMTP server and have been reviewing the logs. Everything looks legitimate.  But as I am new to this I could be missing something.  Is there any way to see the emails in detail?
I think there is some terminology issues here to start with.

You cannot disable the SMTP connectors. You can disable the SMTP virtual servers. Therefore make sure that you are referring to the correct thing.

-M
Go to the address space on the SMTP connector and check whether "Allow messages to be relayed to these domains" is checked.
If yes, uncheck it.
ryan80

ASKER

Sorry, my mistake with the terminology.  I set the connector to send to IP 99.99.99.99. That is how I disabled it.

I do have that box unchecked on the connector.
That doesn't disable the SMTP connector. All it does is cause email to queue as it attempts to be delivered to an invalid smart host.

-M
ryan80

ASKER

But since the spam stopped, that means that the connector was most likely the source of the problem?
ryan80

ASKER

I looked at the queue today and the connector has about a thousand emails in queue. Only a few of them are legitimate.
All the connector does is show you the messages that are waiting to use its configuration. If you delete the connector then you will end up with a large number of messages in individual queues.

Have you not cleaned out the queues? Verified how the server is being abused?
The server is being attacked, most likely from outside, either as an open relay, authenticated relay or NDR attacks.

-M
how about recreating the connector?
Could be a corrupt connector as well.
ryan80

ASKER

OK, it is not just the email connector.  I'm sorry that I know little about Exchange; that is the next book I was planning on reading.

I stopped the main queue for outgoing mail, and there are spam messages in there as well.  All the mail is coming from a postmaster@domainname email address.  However I have not created that email address. I also do not see it in the GAL.  Is this an email address that is created automatically?

Any ideas?
postmaster is an account which sends NDRs; you cannot see it in the GUI.
Delivery status notifications are sent by that account.
Postmaster is NDR spam. Very common.
You need to enable recipient filtering and the tarpit and then restart the SMTP Server service.

http://www.amset.info/exchange/filter-unknown.asp

postmaster@ is a system email address. It is usually on the account that was used to install Exchange, but if that account was removed Exchange will continue to use it for sending Non Delivery reports.

-M
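The two questions running through the thread, "how do I see what is actually being sent out through the server" and "why is the queue full of postmaster@ mail", can both be answered from the SMTP virtual server's protocol log, which is what the asker turned on a few posts up. The parser below is an added example for this thread, not code from the posts, from Microsoft or from amset.info. It assumes the log is W3C extended format with the default field set named in the #Fields header, that outbound sessions are logged with cs-username set to OutboundConnectionCommand / OutboundConnectionResponse while inbound sessions carry the remote host's HELO name there, and that the envelope address is the <...> part of cs-uri-query. The log lines themselves are constructed for the example.

```python
"""Summarise an Exchange 2003 / IIS SMTP protocol log: outbound MAIL FROM per
sender, inbound MAIL FROM per client IP, and 4xx/5xx replies from remote MXs.
Added example for this thread; field layout and log lines are assumptions."""
import re
from collections import Counter

# Constructed log: three outbound NDRs from postmaster@, one real outbound
# message, one remote MX rejecting us, and inbound sessions from two hosts.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-05-12 14:00:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2008-05-12 14:00:01 192.0.2.25 OutboundConnectionCommand SMTPSVC1 FE1 10.0.0.5 0 MAIL - FROM:<postmaster@example.com> 0 0 4 0 0 SMTP - - - -
2008-05-12 14:00:01 192.0.2.25 OutboundConnectionCommand SMTPSVC1 FE1 10.0.0.5 0 RCPT - TO:<xkq7@nowhere.invalid> 0 0 4 0 0 SMTP - - - -
2008-05-12 14:00:02 192.0.2.25 OutboundConnectionResponse SMTPSVC1 FE1 10.0.0.5 0 - - 451+Blocked+-+see+http://bl.example/?ip=198.51.100.200 0 0 0 0 0 SMTP - - - -
2008-05-12 14:00:03 192.0.2.31 OutboundConnectionCommand SMTPSVC1 FE1 10.0.0.5 0 MAIL - FROM:<postmaster@example.com> 0 0 4 0 0 SMTP - - - -
2008-05-12 14:00:04 192.0.2.40 OutboundConnectionCommand SMTPSVC1 FE1 10.0.0.5 0 MAIL - FROM:<postmaster@example.com> 0 0 4 0 0 SMTP - - - -
2008-05-12 14:00:05 192.0.2.50 OutboundConnectionCommand SMTPSVC1 FE1 10.0.0.5 0 MAIL - FROM:<alice@example.com> 0 0 4 0 0 SMTP - - - -
2008-05-12 14:00:06 203.0.113.9 mail.spam-source.example SMTPSVC1 FE1 10.0.0.5 25 MAIL - +FROM:<bulk@spam-source.example> 250 0 61 42 0 SMTP - - - -
2008-05-12 14:00:06 203.0.113.9 mail.spam-source.example SMTPSVC1 FE1 10.0.0.5 25 RCPT - +TO:<nosuchuser@example.com> 250 0 44 35 0 SMTP - - - -
2008-05-12 14:00:07 203.0.113.9 mail.spam-source.example SMTPSVC1 FE1 10.0.0.5 25 MAIL - +FROM:<bulk@spam-source.example> 250 0 61 42 0 SMTP - - - -
2008-05-12 14:00:08 198.51.100.7 mx.partner.example SMTPSVC1 FE1 10.0.0.5 25 MAIL - +FROM:<bob@partner.example> 250 0 58 40 0 SMTP - - - -
"""

ADDR = re.compile(r"<([^>]*)>")


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, parts))


def summarise(text):
    """Count envelope senders, inbound clients and remote rejections."""
    out_senders, in_clients, direction, rejections = Counter(), Counter(), Counter(), Counter()
    for r in parse_w3c(text):
        user, verb, arg = r["cs-username"], r["cs-method"], r["cs-uri-query"]
        if user == "OutboundConnectionResponse":
            reply = arg.replace("+", " ")  # W3C logs encode spaces as '+'
            if reply and reply[0] in "45":  # the "451 ... blocked" replies the event log warns about
                rejections[reply] += 1
            continue
        if verb != "MAIL":
            continue
        m = ADDR.search(arg)
        sender = m.group(1).lower() if m and m.group(1) else "<>"  # <> is the null sender used by NDRs
        if user == "OutboundConnectionCommand":
            direction["outbound"] += 1
            out_senders[sender] += 1
        else:
            direction["inbound"] += 1
            in_clients[r["c-ip"]] += 1
    return {"outbound_by_sender": out_senders, "inbound_by_client": in_clients,
            "direction": direction, "remote_rejections": rejections}


def backscatter_suspects(summary, threshold=3):
    """Outbound senders that are postmaster@ or the null sender at or above the
    threshold: the NDR-spam pattern described in the thread."""
    return sorted(addr for addr, n in summary["outbound_by_sender"].items()
                  if n >= threshold and (addr == "<>" or addr.startswith("postmaster@")))


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for key, counter in s.items():
        print(key, dict(counter))
    print("backscatter suspects:", backscatter_suspects(s))
```

On a real log, inbound RCPT lines for addresses that do not exist in the GAL, accepted with 250 and followed minutes later by outbound MAIL FROM:<postmaster@...> or the null sender, are the signature of the NDR attack: the recipient filter and tarpit from the link above stop the server accepting those recipients in the first place, which is why the queue stops growing once they are on. Point the script at the real file (open it and pass its contents to summarise) after stopping the outbound queue, so the counts reflect what the server is trying to send rather than what it has already sent.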
ryan80

ASKER

Mestha,

Thank you very much. It looks like that may have been it.  There were hundreds of postmaster messages that were queued up to send out.  I followed the steps that you listed and the queue is no longer building up.  I will monitor it and see if that resolves everything.

I want to find a way to track the total number of email messages sent out by the Exchange server, but I will post this in another question as this one certainly has enough already and you deserve more points than can be given in just one question.