Exchange mail delivery issues

Over the last few days I have been seeing problems sending to certain destinations (iprimus.com.au, carsales.com.au, *.sa.gov.au, clear.net.nz), with emails stuck in the outbound queue. Telnet to the affected hosts connects and then drops the session for some reason; other domains I have tried are connecting fine, and email to the majority of the Internet seems unaffected.

I have contacted carsales.com.au's and clear.net.nz's mail folks and they aren't even seeing mail from me, possibly pointing to a firewall issue.

Our mail server is hosted locally on a static IP business ADSL service (unfortunately no matching PTR), where it has sat happily for the last couple of years. It runs Exchange 2003 SP2 on 2k3 SBS with the latest patches and service packs.

Diagnostic logging shows event IDs 4006 and 7010, for which I have read the corresponding eventid.net comments and KB articles, but I have had no luck with anything useful.

A check of all known RBLs turns up clean, and initially SenderBase and other reputation checks turned up clean too, but earlier today (and a few times during the course of the day) our email volume has apparently jumped 300%, which has no doubt tripped IronPort sensors. In the last couple of hours we have also appeared on cbl.abuseat.org, with the site claiming we had been infected by Cutwail (http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=144691).

I have checked all our AV installs and all of them have definitions that should cover that infection, but I have still downloaded Stinger and started a scan of the most likely targets.

ISA is showing no port 25 traffic except from Exchange itself, and none of the IP addresses or ports Cutwail is known to use are appearing in my live queries in ISA. My Cisco 870 is showing no large jump in firewall hits (int or ext), and interface traffic from my VLAN for our customer AP is showing no traffic (this is only important insofar as this AP bypasses the ISA server).

cbl.abuseat.org is fairly adamant their detection is pretty foolproof (as much as it can be), and the apparent jump in outbound mail has me paranoid about a possible compromised machine.

What have I missed? Has anyone had similar problems, either relating to the virus or to the mail situation (in particular IronPort)?

Note: I have also talked directly to IronPort about how their sensors work and whether it was purely an increase in email volume or detected spam plus email volume; they have confirmed the latter and that our reputation as of earlier today was -2. IronPort by default is apparently configured to drop email from a host at -3. Unfortunately their sensors are just that, and they have nothing more they can give me to narrow down the possible source of the problems.
Asked by SectorX4

SectorX4 (Author) commented:
Just to summarize this now closed issue.

I convinced my ISP to create a PTR record for our domain, which is in place and propagated, and eventually our email volume according to SenderBase became established.

Eventually our reputation found its way back to good and the problems with the involved MXs have all but disappeared.

Since then I have configured Exchange to CC all bounces to myself for early warning on this sort of problem as opposed to looking through reams of Event Viewer logs.

The technician I had been talking to via email regarding this changed his mind regarding IronPort's sensor network, indicating that organizations can actually flag traffic, as opposed to the fully automated volume metrics that I was previously told were probably the cause for the blocking on IronPort devices.

At this point I'm still not sure what caused these problems, and with the information I have it's possible our mail server/traffic was manually blocked, with the result being propagated to other IronPort devices somehow. This is far from an accurate resolution, but that's all I got.

Moral of the story is to keep a close watch on your MX reputation and on unusual changes in volume/content/bounces.
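The closing advice above (watch for unusual changes in volume, destinations and bounces rather than digging through Event Viewer after the fact) can be turned into a small triage script. The following is an added example, not code from the thread or from Exchange: it parses constructed SMTP log lines in an assumed simplified layout (date, time, client IP, command, recipient domain, SMTP status), not Exchange 2003's exact SMTP protocol log schema, and flags any hour whose recipient count is at least 3x the median of the earlier hours (the 300% jump described in the question), lists destination domains outside a known-correspondent set, and computes the 5xx rejection ratio for an hour. The `KNOWN_DOMAINS` set and the `LINE_RE` field order are assumptions to adapt to a real log.

```python
"""Flags outbound-volume spikes, unfamiliar destinations and bounce rates in SMTP logs.

Added example, not from the thread. The log layout is an assumed simplified one
(date time client-ip command recipient-domain status), not Exchange 2003's exact
SMTP protocol log schema; adapt LINE_RE to the real field order.
"""
import re
from collections import Counter
from statistics import median

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} "
    r"(?P<client>\S+) RCPT (?P<domain>\S+) (?P<status>\d{3})$"
)

# Constructed sample: a quiet morning, then an hour of mail to unfamiliar domains
# with many rejections, the pattern a spam-sending infection tends to produce.
SAMPLE_LOG = """\
2009-03-02 08:12:01 10.0.0.5 RCPT carsales.com.au 250
2009-03-02 08:30:44 10.0.0.5 RCPT iprimus.com.au 250
2009-03-02 09:02:10 10.0.0.5 RCPT clear.net.nz 250
2009-03-02 09:15:37 10.0.0.5 RCPT sa.gov.au 250
2009-03-02 10:01:09 10.0.0.5 RCPT carsales.com.au 250
2009-03-02 10:40:52 10.0.0.5 RCPT iprimus.com.au 250
2009-03-02 11:00:03 10.0.0.5 RCPT unfamiliar-a.example 550
2009-03-02 11:00:09 10.0.0.5 RCPT unfamiliar-b.example 550
2009-03-02 11:00:15 10.0.0.5 RCPT unfamiliar-c.example 250
2009-03-02 11:00:21 10.0.0.5 RCPT unfamiliar-d.example 550
2009-03-02 11:00:27 10.0.0.5 RCPT unfamiliar-a.example 550
2009-03-02 11:00:33 10.0.0.5 RCPT unfamiliar-b.example 250
2009-03-02 11:00:39 10.0.0.5 RCPT unfamiliar-c.example 550
2009-03-02 11:00:45 10.0.0.5 RCPT unfamiliar-d.example 250
"""

# Assumed set of domains staff regularly mail (the thread names these four).
KNOWN_DOMAINS = {"carsales.com.au", "iprimus.com.au", "clear.net.nz", "sa.gov.au"}


def parse_log(text):
    """Turn matching log lines into {hour, domain, status} records; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({
                "hour": f"{m['date']} {m['hour']}",
                "domain": m["domain"].lower(),
                "status": int(m["status"]),
            })
    return entries


def hourly_counts(entries):
    """Recipients per 'YYYY-MM-DD HH' bucket."""
    return Counter(e["hour"] for e in entries)


def volume_spikes(counts, factor=3.0):
    """Hours whose count is >= factor x the median of all earlier hours."""
    spikes, earlier = [], []
    for hour in sorted(counts):
        if earlier and counts[hour] >= factor * median(earlier):
            spikes.append(hour)
        earlier.append(counts[hour])
    return spikes


def unfamiliar_domains(entries, known):
    """Recipient domains not in the known-correspondent set, with counts."""
    return Counter(e["domain"] for e in entries if e["domain"] not in known)


def bounce_ratio(entries, hour):
    """Share of RCPT attempts in the hour that were rejected with a 5xx status."""
    in_hour = [e for e in entries if e["hour"] == hour]
    if not in_hour:
        return 0.0
    return sum(1 for e in in_hour if e["status"] >= 500) / len(in_hour)


def triage(text, known=KNOWN_DOMAINS, factor=3.0):
    """One-shot report: spike hours with their bounce ratio, plus unfamiliar domains."""
    entries = parse_log(text)
    spikes = volume_spikes(hourly_counts(entries), factor)
    return {
        "spikes": {h: round(bounce_ratio(entries, h), 3) for h in spikes},
        "unfamiliar": dict(unfamiliar_domains(entries, known)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

In the constructed sample the 11:00 hour is flagged (8 recipients against a median of 2), its rejection ratio is 0.625, and every recipient in that hour is outside the known set; on a real server the same three signals, checked hourly, give the early warning the author wanted without waiting for a DNSBL listing.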
Rajith Enchiparambil (Office 365 & Exchange Architect) commented:
Read this article in FULL.

It has all necessary info for your issue. http://www.amset.info/exchange/spam-cleanup.asp

Rajith Enchiparambil (Office 365 & Exchange Architect) commented:
1. Make sure your relay settings are set in such a way that only the Exchange server can send outside emails. That will cut off emails fired from a compromised machine.

2. Increase logging on the SMTP service to find out if there is any affected machine doing an authenticated relay.

3. Check the queues to see the destination domains that email is going to. Do they appear to be normal domains which your staff would mail?

4. Check whether you have been blacklisted here: http://www.mxtoolbox.com/blacklists.aspx

5. You will need a PTR record for your MX record's IP address. Call your ISP for it; it shouldn't take long. Most of the major ISPs, like AOL, will reject emails if you don't have a valid PTR record.

Everything is fully explained in the article posted above.
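Steps 4 and 5 above (blacklist check, PTR record) are the two things a mail admin ends up re-checking by hand throughout an incident like this one. As an added example, not code from the thread or from any of the tools it mentions, the script below shows how those checks work: a DNSBL query is an A lookup of the IP's octets reversed under the list's zone (cbl.abuseat.org is the zone named in the question), and a listing is answered with a 127.0.0.x "return code"; the PTR check verifies that a PTR exists, that its A record points back at the IP (forward-confirmed), and that the name is the one you expect rather than a generic ISP hostname like the one the author's ISP had assigned. The resolver is injectable: `FakeResolver` holds constructed records so the logic runs offline, and `SocketResolver` does live lookups with the standard library. `192.0.2.25`, `192.0.2.26`, `mail.example.com` and `static-26.isp.example.net` are constructed values, and the listing shown for them is fabricated sample data, not a real listing.

```python
"""Checks an outbound mail host's PTR record and DNSBL status.

Added example (not from the thread). The resolver is injectable so the logic can
be exercised offline against constructed records; SocketResolver performs live
lookups with the standard library when real answers are wanted.
"""
import ipaddress
import socket


class FakeResolver:
    """Constructed DNS data for offline use: {ip: ptr_name} and {name: [ips]}."""

    def __init__(self, ptr_records, a_records):
        self.ptr_records = ptr_records
        self.a_records = a_records

    def lookup_ptr(self, ip):
        return self.ptr_records.get(ip)

    def lookup_a(self, name):
        return list(self.a_records.get(name, []))


class SocketResolver:
    """Live lookups via the system resolver; None / [] on NXDOMAIN or error."""

    def lookup_ptr(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror, OSError):
            return None

    def lookup_a(self, name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except (socket.herror, socket.gaierror, OSError):
            return []


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 address expected")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def listing_codes(answers):
    """DNSBLs answer a listing with 127.0.0.x codes; anything else is not a listing."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return [a for a in answers if ipaddress.ip_address(a) in loopback]


def ptr_forward_confirmed(ip, resolver):
    """Return (ptr_name, confirmed): PTR exists and its A record points back at ip."""
    ptr_name = resolver.lookup_ptr(ip)
    if not ptr_name:
        return None, False
    return ptr_name, ip in resolver.lookup_a(ptr_name)


def check_mail_host(ip, zones, resolver, expected_name=None):
    """Combine the PTR checks and per-zone DNSBL lookups into one report."""
    ptr_name, confirmed = ptr_forward_confirmed(ip, resolver)
    listings = {}
    for zone in zones:
        codes = listing_codes(resolver.lookup_a(dnsbl_query_name(ip, zone)))
        if codes:
            listings[zone] = codes
    return {
        "ip": ip,
        "ptr": ptr_name,
        "forward_confirmed": confirmed,
        # A generic ISP PTR can forward-confirm yet still not be your mail host's name.
        "ptr_matches_expected": ptr_name is not None and ptr_name == expected_name,
        "listings": listings,
    }


# Constructed records (documentation range 192.0.2.0/24): .25 has a proper PTR and a
# fabricated listing on one zone; .26 carries only a generic ISP-assigned PTR.
SAMPLE_RESOLVER = FakeResolver(
    ptr_records={"192.0.2.25": "mail.example.com",
                 "192.0.2.26": "static-26.isp.example.net"},
    a_records={
        "mail.example.com": ["192.0.2.25"],
        "static-26.isp.example.net": ["192.0.2.26"],
        "25.2.0.192.cbl.abuseat.org": ["127.0.0.2"],
    },
)

if __name__ == "__main__":
    for host in ("192.0.2.25", "192.0.2.26"):
        print(check_mail_host(host, ["cbl.abuseat.org"], SAMPLE_RESOLVER,
                              expected_name="mail.example.com"))
```

Swap `SAMPLE_RESOLVER` for `SocketResolver()` and your own IP and zones to run it for real; the `ptr_matches_expected` field is the one that would have flagged the author's situation, where a PTR existed but named the ISP rather than the mail server.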
SectorX4 (Author) commented:
@Rajith

I have already read the page (in full) and checked everything that was suggested.

1. All methods of relaying are denied, as per http://www.abuse.net/relay.html and the other tests specified on the first URL you posted.

2. Logging is already at maximum for the SMTP protocol.

3. Yes, they are domains we regularly email, as I have had users complain directly to me about them.

4. It seems we are listed on the following RBL:

ivmSIP      Listed      LISTED      Return codes were: 127.0.0.2      240      391

Going to the ivmSIP site and doing a removal there shows us as not being listed, though.

5. I have asked previously, and since the IP space is owned by my ISP, who assign it their own PTR, they didn't want to change it.

SectorX4 (Author) commented:
Overnight it looks like our SenderBase reputation has increased to Neutral (I have asked SenderBase for details on why it dropped in the first place), and telnet to the affected destinations is now working.

I have also convinced my ISP to create a PTR record for our domain.

Rajith Enchiparambil (Office 365 & Exchange Architect) commented:
Only your ISP can create PTR records for your IP address. Some are absolutely crap and won't accept this, but you need to be persistent, as no one else can do this.

Rajith.
Question has a verified solution.