Question from Nathaniel_ScrivNET:
Exchange Server Being Blacklisted

I have an exchange server in a domain that is getting blacklisted due to a spammer spoofing the domain. I checked with the ISP and they are not blocking any traffic, and there does not seem to be any substantial spurts of traffic so I do not think the emails are being generated locally.

My clients mentioned purchasing a Barracuda device, but I would like to avoid that expense if possible. What would be my next step to narrow this down?
SOLUTION by grandebob (members-only content not shown)
ASKER (Nathaniel_ScrivNET):
"I don't think purchasing a barracuda will solve your problem if you are being spoofed."

I didn't think that would help either...the guy I am replacing recommended that to my customer. I just found out that none of the systems were configured for scheduled scans from the Trend AV server; infections abound.

Thanks guys, I'll report back tomorrow on how it goes!
Yes, the only way you are being blacklisted is because spam is going out through your IP. Spoofed message headers may appear to come from your domain, but the IP address trail will likely not show your address. Blacklist services don't care about the domains, just the originating IP addresses.
One of the systems on your network definitely has a spam-generating trojan. Lock down your firewall so that port 25 traffic is only allowed outbound from your server IP address. Ensure that your Exchange server is not configured to allow open, unauthenticated relay from anywhere, including the internal subnet (some admins create this exception). Allowing relay from localhost or the server's own IP address may be necessary for some applications that send e-mail alerts (backup, AV, etc.), but you may want to remove even that exception until you can verify the server is clean (it probably is).
Finally, identify any PCs that may be infected (look for unusually long boot times, having to boot several times to be able to complete login, poor performance, etc.) and disconnect them from the network while you clean them.
Once that is done, you can (re)submit to de-list your IP address from the blacklists.
The Barracuda may actually help in this case because it can keep the outgoing stream clean as well as the incoming stream. For a lot less, you can subscribe to services like MX Logic (for a small network) which can include outbound message scanning as well. While that will keep you off of blacklists, it will not solve the underlying virus problem.
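One way to act on the advice above (find the box that is sending mail directly to the Internet, and model the "port 25 outbound only from the server" rule before touching the firewall) is to count outbound TCP/25 connections per internal host from the firewall's connection log. The script below is an added example written for this thread; it is not code from either poster. It assumes a constructed log in a generic `key=value` format (the field names are not any vendor's real format), a LAN of 192.168.1.0/24 and a mail server at 192.168.1.10, all hypothetical.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed layout for this example: a single LAN and one Exchange server that
# is the only host permitted to deliver mail directly to the Internet.
INTERNAL_NET = ip_network("192.168.1.0/24")
MAIL_SERVER = ip_address("192.168.1.10")
SMTP_PORT = 25

# Constructed firewall connection log in a generic key=value form. The
# destinations are documentation-range addresses, not real mail hosts.
SAMPLE_LOG = """\
2009-03-02 08:01:12 ACCEPT src=192.168.1.10 dst=192.0.2.10 proto=tcp sport=49152 dport=25
2009-03-02 08:01:15 ACCEPT src=192.168.1.37 dst=203.0.113.7 proto=tcp sport=1031 dport=25
2009-03-02 08:01:16 ACCEPT src=192.168.1.37 dst=203.0.113.8 proto=tcp sport=1032 dport=25
2009-03-02 08:01:16 ACCEPT src=192.168.1.37 dst=198.51.100.40 proto=tcp sport=1033 dport=25
2009-03-02 08:01:20 ACCEPT src=192.168.1.52 dst=192.0.2.80 proto=tcp sport=2201 dport=80
2009-03-02 08:01:22 ACCEPT src=198.51.100.23 dst=192.168.1.10 proto=tcp sport=40001 dport=25
2009-03-02 08:01:25 ACCEPT src=192.168.1.10 dst=192.168.1.37 proto=tcp sport=49153 dport=25
2009-03-02 08:01:30 ACCEPT src=192.168.1.52 dst=203.0.113.7 proto=tcp sport=2202 dport=25
2009-03-02 08:01:31 ACCEPT src=192.168.1.37 dst=192.168.1.1 proto=udp sport=1034 dport=53
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)"
    r"\s+sport=\d+\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return {src, dst, proto, dport} for one log line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": ip_address(m.group("src")),
        "dst": ip_address(m.group("dst")),
        "proto": m.group("proto").lower(),
        "dport": int(m.group("dport")),
    }


def is_smtp_egress(rec):
    """True when the record is a TCP/25 connection leaving the LAN for the Internet."""
    return (
        rec["proto"] == "tcp"
        and rec["dport"] == SMTP_PORT
        and rec["src"] in INTERNAL_NET
        and rec["dst"] not in INTERNAL_NET
    )


def outbound_smtp_by_host(log_text):
    """Count outbound SMTP connections per internal source address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_smtp_egress(rec):
            counts[rec["src"]] += 1
    return counts


def suspect_hosts(counts):
    """Every internal host talking SMTP to the Internet that is not the mail server."""
    return [str(ip) for ip in sorted(counts) if ip != MAIL_SERVER]


def egress_allowed(rec):
    """The policy from the post: only the mail server may send TCP/25 out of the LAN."""
    if is_smtp_egress(rec):
        return rec["src"] == MAIL_SERVER
    return True  # the rule says nothing about other traffic


def blocked_by_policy(log_text):
    """How many logged connections the new outbound rule would have stopped."""
    blocked = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and not egress_allowed(rec):
            blocked += 1
    return blocked


if __name__ == "__main__":
    counts = outbound_smtp_by_host(SAMPLE_LOG)
    for ip, n in counts.most_common():
        tag = "mail server" if ip == MAIL_SERVER else "SUSPECT"
        print(f"{str(ip):<16} {n:>3} outbound SMTP connections  ({tag})")
    print("hosts to isolate and scan:", suspect_hosts(counts))
    print("connections the new rule would block:", blocked_by_policy(SAMPLE_LOG))
```

Inbound deliveries to the server and server-to-workstation traffic are ignored on purpose: the blacklist question is only about what leaves the LAN on port 25. Any host that shows up besides the mail server is the one to pull off the network and scan; re-running the script after the egress rule is in place should show the suspect count drop to zero.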
Can mail on an exchange environment go out any other machine than the server? Isn't everything going out through it anyway?

Also, it looks like all the spam is generating through the postmaster account. Can that be disabled? (See pic)
It looks like by turning on the filtering that these messages are no longer going out but piling up in the queue. How can I delete everything in the queue at once?
[Attachment: Capture.PNG]
Also, here are the auth settings for the smtp connector. Anonymous should be cleared, no?
[Attachment: Capture.PNG]
ASKER CERTIFIED SOLUTION (members-only content not shown)
Note: NDR spam is annoying, but should not cause your mail server IP address to be blacklisted. Disabling NDR is entirely optional in your case.
Thank you so much for taking the time to post such a detailed solution. I'll follow up later today.
HFV,

I've been looking through my router for an option to block port 25 from all except the exchange box. The "router" they have is a basic Linksys model. "BEFSR81"

Is this function too limited for a residential unit?
Linksys support can probably tell you better than I; however, in general I don't believe the residential Linksys routers have outbound firewall filtering capability, only the ability to add inbound port forwarding rules.
For a client-server network I would recommend at a minimum going with something like a Netgear ProSafe series firewall/router. Watchguard and Sonicwall both make feature-rich and very capable entry-level firewall products also, like the Watchguard x10e, x20e, or x55e (sized by features, number of users, etc.), which can also include unified threat management capabilities that can be subscribed to separately or as a package. Sonicwall comparable products are the TZ 170 or TZ 180 models. However, if you don't need a lot of extra features, the Netgears will give you better control over ports than you have now without worrying so much about complicated user and feature licensing. Linksys and D-Link both have similar series products, but I forget what they are called.
You can usually find Netgear ProSafe series stuff at a MicroCenter or similar. I doubt you would find at BestBuy. Watchguard, Sonicwall you are going to need to order.
Great stuff, thank you! I will look into those options. They also have a managed switch that perhaps I can do some work-around with until I can get my hands on a better router.
Thanks all, I installed the new routers and blocked all port 25 traffic through it except for the server.