Solved

Keep getting Blacklisted

Posted on 2009-05-12
812 Views
Last Modified: 2012-05-06
Our external IP keeps getting blacklisted.  Have tested with the following sites:

http://www.spamhelp.org/shopenrelay/shopenrelaytest.php
http://verify.abuse.net/cgi-bin/relaytest

Neither reports an open relay.

Also am receiving email to our domain from our domain.  Headers on these emails contain IP addresses that are not ours.  Sending email user is a valid user on our system.
Question by:BudStear
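The headers mentioned in the question can be checked mechanically rather than by eye. What follows is an added example, not code from the original post or from any of the commenters: it walks the Received: chain of a message from the most recent hop downward, finds the hop that our own mail server accepted from a machine that is not one of our mail servers, and reports whether that IP is inside or outside our address space. A valid user in the From: line says nothing about where the message actually came from; the hop our MX wrote does. The hostname mail.example.com, the server address 192.0.2.10, the ranges 192.0.2.0/24 and 192.168.1.0/24 and both sample messages are assumptions constructed for the example.

```python
import email
import ipaddress
import re

# Assumptions for this example (not from the original post): our mail
# server's hostname and address, and the address ranges we consider "ours".
OUR_MX_HOSTS = {"mail.example.com"}
OUR_MX_IPS = {ipaddress.ip_address("192.0.2.10")}
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24"),
            ipaddress.ip_network("192.168.1.0/24")]

# "from <host> (<comment>) ... by <host>" as most MTAs write it
RECEIVED_RE = re.compile(r"\bfrom\s+(\S+)(.*?)\bby\s+([^\s;]+)", re.S)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: From: is a valid local user, but our MX accepted the
# message from an outside address.  The top Received: line is our server
# handing the message to itself; the one below it is the real hand-off.
SPOOFED_MESSAGE = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
    by mail.example.com with ESMTP id ABC123; Tue, 12 May 2009 09:14:22 -0500
Received: from dsl-pool.example.net (unknown [198.51.100.77])
    by mail.example.com (Exchange) with SMTP; Tue, 12 May 2009 09:14:20 -0500
From: bud@example.com
To: bud@example.com
Subject: Cheap pills

Spam body
"""

# Constructed sample: a message genuinely submitted by an internal workstation.
INTERNAL_MESSAGE = """\
Received: from ws57.corp.example.com (ws57.corp.example.com [192.168.1.57])
    by mail.example.com with ESMTP; Tue, 12 May 2009 09:30:01 -0500
From: bud@example.com
To: someone@example.org
Subject: Status report

Report body
"""


def handoff_client(raw_message):
    """Return the IP that handed the message to one of OUR_MX_HOSTS, or None.

    Received: headers are prepended, so index 0 is the most recent hop.
    Only the lines written by our own server can be trusted; anything
    below them may have been forged by the sender.  So we walk from the
    top and stop at the first hop our MX accepted from a machine that is
    not one of our own mail servers.
    """
    msg = email.message_from_string(raw_message)
    for hop in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hop)
        if not m or m.group(3).lower() not in OUR_MX_HOSTS:
            continue
        ip_match = IPV4_RE.search(m.group(1) + m.group(2))
        if not ip_match:
            continue
        ip = ipaddress.ip_address(ip_match.group(1))
        if ip in OUR_MX_IPS:
            continue  # our servers relaying among themselves; keep walking
        return ip
    return None


def classify_origin(raw_message):
    """(client IP, 'inside'|'outside') for the hand-off hop, or None."""
    ip = handoff_client(raw_message)
    if ip is None:
        return None
    inside = any(ip in net for net in OUR_NETS)
    return str(ip), "inside" if inside else "outside"


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("internal", INTERNAL_MESSAGE)):
        print(label, classify_origin(raw))
```

An "outside" result means the From: address was simply forged by a sender elsewhere on the Internet and the mail never touched our network until our MX accepted it; an "inside" result from a workstation address is the case the rest of this thread is about.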
11 Comments
 
LVL 6

Accepted Solution

by:
jesusrulesme earned 250 total points
ID: 24364145
You are likely an open relay.  Here is a test.

http://www.abuse.net/relay.html

If you are, here is a tutorial to prevent relaying.  

http://www.petri.co.il/preventing_exchange_2000_2003_from_relaying.htm
 
LVL 6

Expert Comment

by:jesusrulesme
ID: 24364154
Oh.  Another possibility is that you have an infected machine on your network.  Make sure your firewall is restricted to only send out port 25 from your Exchange server.
 
LVL 65

Assisted Solution

by:Mestha
Mestha earned 250 total points
ID: 24364191
If you only have one IP address, the most likely source is a compromised workstation. If your server was an open relay then it is easy to spot, as the queues would be full of messages.

I wrote this blog posting last year which has explained what has probably happened.

http://blog.sembee.co.uk/archive/2008/03/13/73.aspx

Simon.
 

Author Comment

by:BudStear
ID: 24364225
It's not an Open Relay.  Have already checked that, as indicated in my original message.
 
LVL 30

Expert Comment

by:renazonse
ID: 24364238
Once you get hung up like this, it is difficult to get rid of it in a timely fashion before your ISP blocks port 25 on you. The best and most efficient way to stop your server from getting compromised, or even having a client on your network cause the IP block, is to use a filtering service like AppRiver's SecureTide.

All of your mail is filtered before it reaches your domain, and either using your firewall or Exchange connection settings you block all traffic on port 25 except from the AppRiver filtering servers. Your MX records change to the filtering servers and they relay to your IP. In turn, no spammers can get into your server. AppRiver is the service I'm familiar with, but there are others I'm sure. They do a free trial and it can be up and running today with your problems fixed.

http://www.appriver.com/secureTide/system-overview.asp
http://support01.appriver.com/KB/a39/limiting-inbound-smtp-traffic-except-from-apprivers-servers.aspx
 
LVL 65

Expert Comment

by:Mestha
ID: 24364252
Not sure how a filtering service would help if a workstation is compromised. Most workstations are not compromised via email, it is usually a drive by download on a web site, clicking on or installing something. All a filtering service will do is protect the server - and to be honest, if a server is setup correctly then it is very hard for Exchange to be abused.

Simon.
 
LVL 30

Expert Comment

by:renazonse
ID: 24364325
The filtering service allows all inbound traffic on port 25 to be blocked completely through your firewall and allow only the Exchange server to send mail out. Obviously, you know what you're talking about but the filtering service also will limit up to 80% of the mail that's delivered to your domain limiting the amount of viruses and garbage email that makes it to mailboxes.

It's not the cheapest solution but it's an instant solution and a solution that can prevent potential problems. Like you said, up-to-date antivirus isn't enough and these days antivirus has become pretty useless for stuff like this.

That is a great article you wrote. I didn't know the compromised workstation would generate the error logs when the bot couldn't send.
 

Author Comment

by:BudStear
ID: 24364333
Mestha, can you expand on this line from your blog:  "A compromised machine will quickly show on the logs when it cannot connect. You can then go and find the machine and deal with it."

What logs will this compromised machine appear in?
 
LVL 6

Expert Comment

by:TonySt
ID: 24364447
I think you have a workstation with some malware that's spamming the planet using port 25.
1. You need to find that workstation and clean it up. You can identify it by checking the logs on your router.
2. You need to set the NAT rules (port blocking) to allow port 25/110 access to only your Exchange server.
3. After running for a few hours, recheck the router logs to be sure the only IP using port 25/110 is your Exchange server.
4. Do a check to find out where you are blacklisted:   http://www.mxtoolbox.com/blacklists.aspx
and request removal. In most cases you have to provide them with a statement that you have corrected the problem.  If you request removal too many times without fixing the cause then it will be harder to get de-listed.
 
LVL 65

Expert Comment

by:Mestha
ID: 24364515
You have taken the line out of context. If you read it with the line immediately beforehand it is clear that I mean the firewall logs.

If you block port 25 with logging enabled, then each time the bot attempts to send out it will be logged. The internal IP address will show and you can then find the machine and kick the user off it.

Simon.
 
LVL 15

Expert Comment

by:xmachine
ID: 24507200
Hi,

The following checklist is your best friend to fight spam-bots and keep your MX record away from blacklists:

1) Authorized servers only: Allow your authorized mail server or anti-spam solution (e.g. IronMail/IronPort/Barracuda, etc.) to send SMTP (tcp/25) traffic outside your network. Otherwise, you'll face the blacklisting penalty and it will take a while to clear your IP.

2) Don't leave the Wifi LAN un-firewalled: I found many customers who got blacklisted because they forgot to secure the Wifi LAN and allowed any traffic to leave. They didn't calculate the risk of infected laptops. Start with allowing common protocols such as HTTP/HTTPS/POP3, turn on AV scanning, DPI (Deep Packet Inspection), Web Filtering (e.g. SurfControl).

3) Know your traffic: You should be aware of every inbound/outbound bit in your network. There are a lot of solutions which will sniff and study the type of generated traffic on the wire, so you can get a full picture of what's going on at the moment. Check the following vendors and their solutions:

http://www.arbornetworks.com/
http://www.genienrm.com/
http://www.narus.com/
http://www.lancope.com/
http://www.flukenetworks.com/

4) MX reputation monitoring: This is a very nice way for early warning before they blacklist your IP. These monitoring services will evaluate the "reputation" level and warn you. For instance, http://www.towerdata.com/services/email/deliverability/repcheck.html

5) Antivirus & HIPS: I don't need to discuss too much about this point. Many MX blacklisting incidents happened due to a computer left without an antivirus scanner installed. So, always scan your network and push the AV client.  Don't allow untrusted laptops to use your network unless they are protected and clean. Some companies follow the rule of: keep your laptop off, we will give you ours! HIPS is an excellent layer of defense that complements the AV scanner.

6) FW/Router Logs: You need to enable logging of any rule that allows outbound SMTP traffic, so you can later check the source of any suspicious spam traffic from inside-to-outside.

Technical Notes:

First of all, I would recommend blocking all outbound traffic to port 25 except from your mail/antispam servers, because there is no need to leave this big threat open.

You should use a combination of sniffers and port scanners to detect spam bots. Check the following:

1) Wireshark, download it from (http://www.wireshark.org/download.html)

You need to connect it to a managed switch with the support of monitoring port (Cisco calls it SPAN). Or use a Hub. The last option is to use a network TAP (http://en.wikipedia.org/wiki/Network_tap) from some vendor like NetOptics (http://www.netoptics.com/products/product_family.asp?cid=1).


2) Another sniffing tool is Tcpick (linux based), download it from (https://sourceforge.net/projects/tcpick/).

Here is how to sniff port 25:

#tcpick -i eth0 -C -bCU -T1 "port 25"

3) Nmap is the best port scanning tool, download it from (http://nmap.org/download.html)

Here is how to scan for port 25 (replace 202.21.192.1/24 with your network range):

#nmap -sS 202.21.192.1/24 -p 25

4) TCPDump is another good sniffer, download it from (http://www.tcpdump.org/)

Here is how to sniff port 25:

#tcpdump -i eth0 port 25



A Symantec Certified Specialist @ your service
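Simon's point about the firewall log, step 3 of TonySt's list and item 6 of the checklist above all come down to the same check: once outbound tcp/25 is restricted to the mail server and the rule is logged, any other internal address that keeps hitting it is a candidate for the infected machine. The following is an added example, not from anyone in the thread, that runs that check over firewall log lines. It assumes netfilter/iptables LOG output (the sample lines are constructed for the example), an internal range of 192.168.1.0/24 and a mail server at 192.168.1.10; all three are assumptions. Inbound connections to our own port 25 and outbound traffic to other ports are ignored, and the hosts that remain are ranked by how many connections they attempted and how many distinct destinations they fanned out to, which is what a spam bot looks like.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the thread): our internal range and the one host
# that is allowed to speak SMTP to the outside.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
MAIL_SERVER = "192.168.1.10"

# Fields we care about from an iptables/netfilter LOG line
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample log: one legitimate mail-server connection, a
# workstation fanning out to three hosts on tcp/25, unrelated web traffic,
# an inbound connection to our MX, and a second quieter workstation.
SAMPLE_LOG = """\
May 12 09:14:22 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 PROTO=TCP SPT=4432 DPT=25 SYN
May 12 09:14:23 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.20 PROTO=TCP SPT=49211 DPT=25 SYN
May 12 09:14:23 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.21 PROTO=TCP SPT=49212 DPT=25 SYN
May 12 09:14:24 fw kernel: WEB-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.5 PROTO=TCP SPT=49213 DPT=80 SYN
May 12 09:14:24 fw kernel: SMTP-IN IN=eth0 OUT=eth1 SRC=203.0.113.44 DST=192.168.1.10 PROTO=TCP SPT=33122 DPT=25 SYN
May 12 09:14:25 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.22 PROTO=TCP SPT=49214 DPT=25 SYN
May 12 09:14:26 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.83 DST=198.51.100.30 PROTO=TCP SPT=51000 DPT=25 SYN
"""


def parse_line(line):
    """Return (src, dst, dport) for a TCP log line, or None if unparseable."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP" or "SRC" not in fields or "DST" not in fields:
        return None
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
        dport = int(fields.get("DPT", "0"))
    except ValueError:
        return None
    return src, dst, dport


def outbound_smtp_by_source(log_text):
    """Count outbound tcp/25 attempts per internal source address.

    Returns {src: {"attempts": n, "dsts": set_of_destinations}}.
    Inbound connections (source outside INTERNAL_NETS) are skipped.
    """
    counts = defaultdict(lambda: {"attempts": 0, "dsts": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport != 25:
            continue
        if not any(src in net for net in INTERNAL_NETS):
            continue
        entry = counts[str(src)]
        entry["attempts"] += 1
        entry["dsts"].add(str(dst))
    return dict(counts)


def suspects(log_text, allowed=frozenset({MAIL_SERVER})):
    """Internal hosts other than the mail server that tried outbound SMTP,
    as (src, attempts, distinct destinations), busiest first."""
    rows = [(src, c["attempts"], len(c["dsts"]))
            for src, c in outbound_smtp_by_source(log_text).items()
            if src not in allowed]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for src, attempts, fanout in suspects(SAMPLE_LOG):
        print(f"{src}: {attempts} outbound SMTP attempts to {fanout} distinct hosts")
```

On the sample data the mail server's own connection drops out of the list, the inbound connection from 203.0.113.44 is ignored, and 192.168.1.57 tops the list with three attempts to three different hosts, which is the machine to go and pull off the network. The same script works against a real log by reading the file instead of SAMPLE_LOG; if your firewall is not netfilter, only FIELD_RE needs to change.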