• Status: Solved
  • Priority: Medium
  • Security: Public

Domain is being blacklisted

Hi,

We haven't had this issue since we installed an Ironport C150 for blocking spam. It's been a year. Two days ago our outgoing emails started bouncing back. I checked a couple of blacklists and our domain is there. I submitted removal requests but they relist us again. How can I figure out which computer is sending out junk? What could have happened that all of a sudden Ironport isn't scanning outgoing emails? I checked the licenses and they're all good. What should I do in this case?

We have SBS 2008 and Exchange 2007. I used the network repair wizard recently. I don't think that is the problem. I checked the send connector in Exchange Management Console. I went to Organization Configuration -> Hub Transport -> Send Connectors Tab -> Properties of Windows SBS Internet Send [Name of Our Server] -> Network Tab -> Route mail through the following smart hosts -> Our Ironport IP 192.168.1.6. There is also an Address Space tab, which says "Specify the address space to which this connector will route email". In our case type = smtp, address = *, cost = 1. "Include all subdomains" is checked. "Scoped send connector" is unchecked. Should I change * to 192.168.1.6 here too?

Thank you.
Asked:
Yury Merezhkov
 
TonySt Commented:
First, your router should be set to keep a log of incoming and outgoing activity. If not, turn that feature on. From there you should be able to determine which LAN IP is slamming the internet. If you are getting blacklisted and emails are being bounced back, it means you have a system on the network that's spewing spam out of port 25. Your router/firewall should be configured to only allow traffic on ports 25 and 110 to and from your Exchange server. It looks like IronPort is not seeing the outgoing mails because they are being spewed from a compromised workstation that's sending them through your router directly.
 
Mestha Commented:
Domains are not blacklisted - hosts are.

There should be a reason why the host is being blacklisted. I would expect that it is a compromised workstation if you are using a spam appliance - unless the appliance has been configured incorrectly.

Can workstations connect to remote SMTP servers? If they can, then you need to block that activity. That will quickly show which workstation is sending out the spam and you will be able to deal with it.

Ideally you would want two IP addresses, one exclusively for email and the SBS server and another for everything else. Then if something like this happens, your server doesn't get caught in the crossfire.

Simon.
 
Yury Merezhkov (Development Team Lead, Author) Commented:
Anti-spam wasn't enabled on outgoing emails in IronPort. Anti-virus, however, was. I enabled anti-spam on outgoing. We'll see how it goes.

 
Yury Merezhkov (Development Team Lead, Author) Commented:
Thank you for your suggestions! Question about TonySt's comment. We are blocking port 25 like this in our Cisco 1841 router:

access-list 127 permit tcp host 192.168.1.6 any eq smtp
access-list 127 deny   tcp any any eq smtp
access-list 127 permit ip any any

and then on inside interface we have:

ip access-group 127 in

You might not be familiar with Cisco ACLs but this is how it is done. My question is should I grant permission for traffic on port 25 to my exchange server (192.168.1.2) or to IronPort (192.168.1.6)? Right now as you can see it is IronPort.

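An added example, not posted by any participant in this thread: one way to act on TonySt's router-log advice and Mestha's point that blocking workstation SMTP reveals the sender is to tally the denied port 25 attempts per LAN host. It assumes the `log` keyword has been appended to the deny line of ACL 127 and that the router emits standard `%SEC-6-IPACCESSLOGP` syslog messages; the log lines and every address other than 192.168.1.6 are constructed.

```python
import re

# Assumption: "access-list 127 deny tcp any any eq smtp log" is in place, so
# blocked attempts reach syslog. IOS logs the first matching packet, then
# periodic packet-count summaries for the same flow.
ACL_ID = "127"
ALLOWED_SENDERS = {"192.168.1.6"}  # IronPort, the only host the ACL permits

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) tcp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\(\d+\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def blocked_smtp_by_host(lines, acl=ACL_ID):
    """Map each internal IP to its denied TCP/25 packet count and destinations."""
    hosts = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["acl"] != acl or m["action"] != "denied" or m["dport"] != "25":
            continue  # other ACLs, other ports, unrelated syslog messages
        if m["src"] in ALLOWED_SENDERS:
            continue
        entry = hosts.setdefault(m["src"], {"packets": 0, "destinations": set()})
        entry["packets"] += int(m["count"])
        entry["destinations"].add(m["dst"])
    return hosts

def rank_suspects(hosts):
    """Hosts contacting the most distinct mail servers first, then by packet count."""
    return sorted(hosts, reverse=True,
                  key=lambda ip: (len(hosts[ip]["destinations"]), hosts[ip]["packets"]))

# Constructed sample syslog lines (documentation address ranges as destinations).
SAMPLE_LOG = """\
*Mar  3 09:14:02.113: %SEC-6-IPACCESSLOGP: list 127 denied tcp 192.168.1.23(49211) -> 203.0.113.10(25), 1 packet
*Mar  3 09:14:05.870: %SEC-6-IPACCESSLOGP: list 127 denied tcp 192.168.1.23(49213) -> 198.51.100.7(25), 1 packet
*Mar  3 09:19:02.120: %SEC-6-IPACCESSLOGP: list 127 denied tcp 192.168.1.23(49211) -> 203.0.113.10(25), 14 packets
*Mar  3 09:20:44.002: %SEC-6-IPACCESSLOGP: list 127 denied tcp 192.168.1.41(51002) -> 203.0.113.10(25), 1 packet
*Mar  3 09:21:10.450: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.50(51500) -> 198.51.100.7(25), 1 packet
*Mar  3 09:22:31.900: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
""".splitlines()

if __name__ == "__main__":
    found = blocked_smtp_by_host(SAMPLE_LOG)
    for ip in rank_suspects(found):
        print(ip, found[ip]["packets"], sorted(found[ip]["destinations"]))
```

A workstation that shows up here with many distinct destinations is the one to pull off the network and examine; a legitimate mail client normally talks to one or two servers.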
 
TonySt Commented:
Is the IronPort configured to send incoming/outgoing port 25 traffic only to the Exchange server?
Or is the IronPort accepting port 25 traffic from the entire LAN?

In any case the above blocking is correct, if the only IP address allowed to send port 25 traffic to and from the IronPort is the Exchange server. If the other workstations were allowed to send port 25 traffic to the IronPort and the IronPort was not blocking spam, then you have identified your leak. That still means there is a source in your LAN, though, of the bad stuff and you still have to find that.
 
Yury Merezhkov (Development Team Lead, Author) Commented:
IronPort is configured only to the exchange server. Ok, I am going to see if we get relisted again within 48 hours. I will close the question then. Thank you!
 
Yury Merezhkov (Development Team Lead, Author) Commented:
Thank you! Everything is working just fine. I still have to submit several removal requests but most blacklists don't have us listed anymore.