Over the last few days I have been seeing problems sending to certain destinations (iprimus.com.au, carsales.com.au, *.sa.gov.au, clear.net.nz), with emails stuck in the outbound queue. Telnet to the affected hosts connects, then drops the session for some reason; other domains I have tried are connecting fine, and email to the majority of the Internets seems unaffected.
I have contacted carsales.com.au's and clear.net.nz's mail folks, and they aren't even seeing mail from me, possibly pointing to a firewall issue.
Our mail server is hosted locally on a static-IP business ADSL service (unfortunately no matching PTR), where it has sat happily for the last couple of years. It runs Exchange 2003 SP2 and 2k3 SBS with the latest patches and service packs.
Diagnostic logging shows event IDs 4006 and 7010, for which I have read the corresponding eventid.net comments and KB articles, but I have had no luck with anything useful.
A check of all known RBLs turns up clean, and initially Senderbase and other reputation checks turned up clean, but earlier today (and a few times during the course of the day) our email volume has apparently jumped 300%, which has no doubt tripped Ironport sensors. In the last couple of hours we have appeared on cbl.abuseat.org as well, with the site claiming we had been infected by Cutwail (http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=144691).
I have checked all our AV installs, and all of them have definitions that should cover that infection, but I have still downloaded and started a scan using Stinger of the most likely targets.
ISA is showing no port 25 traffic except from Exchange itself, and none of the IP addresses or ports Cutwail is known to use are appearing in my live queries in ISA. My Cisco 870 is showing no large jump in firewall hits (int or ext), and interface traffic from my VLAN for our customer AP is showing no traffic (this is only important insofar as this AP bypasses the ISA server).
cbl.abuseat.org is fairly adamant their detection is pretty foolproof (as much as it can be), and the apparent jump in outbound mail has me paranoid about a possible compromised machine.
What have I missed? Has anyone had similar problems, either relating to the virus or to the mail situation (in particular Ironport)?
Note: I have also talked directly to Ironport about how their sensors work and whether it was purely an increase in email volume or detected spam + email volume, and they have confirmed the latter, and that our reputation as of earlier today was -2. Ironport by default is apparently configured to drop email from a host at -3. Unfortunately their sensors are just that, and they have nothing more they can give me to narrow down the possible source of the problems.
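As an added example (not from the original post), here is a small Python script for the two checks discussed above: scanning a firewall log export for internal hosts other than the Exchange server opening outbound TCP/25 connections, the pattern a Cutwail-style spambot leaves, and building the reversed-octet name used for a cbl.abuseat.org DNSBL lookup. The log format, host addresses and the mail server IP below are constructed assumptions; ISA and Cisco exports use different fields, so parse_line() would need adapting.

```python
"""Added example: flag internal hosts (other than the mail server) making outbound
SMTP connections, and build a DNSBL query name. All sample data is constructed."""
import ipaddress
from collections import Counter

# Constructed sample export: date, time, source, destination, dest port, action.
SAMPLE_LOG = """\
2009-06-01 09:12:01 192.0.2.10 198.51.100.25 25 allow
2009-06-01 09:12:05 192.0.2.10 198.51.100.26 25 allow
2009-06-01 09:13:10 192.0.2.57 203.0.113.4 25 allow
2009-06-01 09:13:11 192.0.2.57 203.0.113.9 25 allow
2009-06-01 09:13:12 192.0.2.57 203.0.113.12 25 allow
2009-06-01 09:14:00 192.0.2.33 203.0.113.80 80 allow
2009-06-01 09:15:00 192.0.2.57 203.0.113.15 25 deny
"""

# Assumption: the only host that should talk SMTP outbound is the Exchange box.
MAIL_SERVER = ipaddress.ip_address("192.0.2.10")


def parse_line(line):
    """Return (src, dst, port) from one whitespace-separated log line."""
    _date, _time, src, dst, port, _action = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)


def unexpected_smtp_senders(log_text, allowed=(MAIL_SERVER,)):
    """Return {src_ip: (connection_count, distinct_destinations)} for every
    internal host not on the allow list that touched port 25, busiest first.
    Denied attempts are counted too: a bot that is being blocked still shows
    the fan-out to many distinct MX hosts that a legitimate client never has."""
    attempts = Counter()
    dests = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = parse_line(line)
        if port != 25 or src in allowed:
            continue
        attempts[str(src)] += 1
        dests.setdefault(str(src), set()).add(dst)
    return {ip: (n, len(dests[ip])) for ip, n in attempts.most_common()}


def dnsbl_query_name(ip, zone="cbl.abuseat.org"):
    """Build the reversed-octet name a DNSBL lookup resolves (use with nslookup/dig);
    an A record in the answer means the address is listed."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone
```

Run unexpected_smtp_senders() over a day's export and any host it returns is the first place to point Stinger; re-check dnsbl_query_name(your_ip) after cleanup to confirm the listing has dropped.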