Solved

Exchange Server Being Blacklisted

Posted on 2009-05-14
1,206 Views
Last Modified: 2013-12-09
I have an Exchange server in a domain that is getting blacklisted due to a spammer spoofing the domain. I checked with the ISP and they are not blocking any traffic, and there do not seem to be any substantial spurts of traffic, so I do not think the emails are being generated locally.

My clients mentioned purchasing a Barracuda device, but I would like to avoid that expense if possible. What would be my next step to narrow this down?
Question by:Nathaniel_ScrivNET
13 Comments
 
LVL 6

Assisted Solution

by:grandebob
grandebob earned 100 total points
ID: 24386813
On your firewall, make sure only your exchange server is allowed to send email on port 25. This will make sure that any workstation on your network that gets a bot or virus doesn't get you blacklisted.

If someone is spoofing your domain name, I would recommend checking your SPF record if you have one. Check out www.openspf.org for more information on how to set up an SPF record.

I don't think purchasing a Barracuda will solve your problem if you are being spoofed.
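As an added illustration of the SPF advice above (this is example code, not part of the original thread or of openspf.org), the following evaluates an SPF record the way a receiving mail server does, so you can see why a record ending in "-all" lets other sites reject mail that forges your domain. The domain names, addresses and records are constructed; only the ip4/ip6 and "all" mechanisms are implemented, since a/mx/include need live DNS.

```python
"""Minimal offline SPF (RFC 7208) evaluator for ip4/ip6 mechanisms.

Added example, not part of the original thread. It evaluates an SPF TXT
record against the connecting client IP as a receiver would, using a
constructed table of records instead of DNS. Mechanisms that require DNS
lookups (a, mx, include, exists, ptr) are reported as permerror.
"""
import ipaddress

# Constructed example records; 203.0.113.0/24 is documentation space.
EXAMPLE_RECORDS = {
    # Hardened: only the Exchange server may send, every other IP fails.
    "example.com": "v=spf1 ip4:203.0.113.5 -all",
    # Weak: "?all" is neutral, so receivers learn nothing about forgeries.
    "weak.example": "v=spf1 ip4:203.0.113.5 ?all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Return the SPF result for a record string and the connecting IP.

    Results follow RFC 7208 section 2.6: pass, fail, softfail, neutral,
    none (no valid record) or permerror (unsupported or malformed term).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # a, mx, include, exists, ptr need DNS; unsupported here.
        return "permerror"
    # A record that ends without "all" defaults to neutral (RFC 7208 4.7).
    return "neutral"


def check_sender(domain, client_ip, records=EXAMPLE_RECORDS):
    """Look the domain up in the constructed record table and evaluate."""
    return evaluate_spf(records.get(domain, ""), client_ip)


if __name__ == "__main__":
    for domain in EXAMPLE_RECORDS:
        for ip in ("203.0.113.5", "198.51.100.77"):
            print(f"{domain:14} from {ip:14} -> {check_sender(domain, ip)}")
```

Note what SPF does and does not do here: it lets receivers that check it reject a forged MAIL FROM, which cuts the bounce-backs you get from the forgery, but it does nothing about spam that actually leaves your own IP address, which is what puts the IP on a blacklist.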
 
LVL 9

Assisted Solution

by:Housammuhanna
Housammuhanna earned 100 total points
ID: 24390161
I had a similar case where the Exchange server kept getting listed on a blacklist.
I enabled logging on ISA for SMTP from internal to external and found that there was a client PC that had a Trojan the AV did not detect, and it had sent about 10000 SMTP requests within 10 hours.
So the problem is your IP is getting blacklisted.
So block all outgoing SMTP requests from the network to the internet, and only allow the Exchange server to send the emails.
Monitor your network for such a case.
 
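The check described in the comment above, done offline over a log export, as an added example that is not part of the original thread: count outbound port-25 connections per internal source and flag every source that is not the Exchange server. The log layout ("date time src dst dport action"), the mail server address and all sample lines are constructed for the example; ISA Server's real export format differs, so adapt parse_line() to whatever your firewall writes.

```python
"""Find internal hosts opening SMTP connections to the internet.

Added example, not part of the original thread. It reproduces offline
what the comment above did with ISA Server logging. The log format and
every address below are constructed; parse_line() is the only part that
depends on the format and is what you would adapt to a real export.
"""
from collections import Counter

# Assumed (constructed) address of the site's Exchange server.
MAIL_SERVER = "192.168.1.10"
SMTP_PORT = 25

# Constructed sample of an outbound (internal -> external) firewall log.
SAMPLE_LOG = """\
2009-05-14 08:00:01 192.168.1.10 203.0.113.25 25 allow
2009-05-14 08:00:03 192.168.1.57 198.51.100.9 25 allow
2009-05-14 08:00:03 192.168.1.57 198.51.100.10 25 allow
2009-05-14 08:00:04 192.168.1.57 198.51.100.11 25 allow
2009-05-14 08:00:04 192.168.1.57 198.51.100.12 25 allow
2009-05-14 08:00:05 192.168.1.23 203.0.113.80 80 allow
2009-05-14 08:00:06 192.168.1.57 198.51.100.13 25 allow
2009-05-14 08:00:09 192.168.1.10 203.0.113.26 25 allow
2009-05-14 08:00:10 192.168.1.88 198.51.100.40 25 allow
"""


def parse_line(line):
    """Split one constructed log line into (src, dst, dport, action)."""
    _date, _time, src, dst, dport, action = line.split()
    return src, dst, int(dport), action


def outbound_smtp_by_source(log_text):
    """Count connections to TCP/25 per internal source address."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _dst, dport, _action = parse_line(line)
        if dport == SMTP_PORT:
            counts[src] += 1
    return counts


def suspicious_senders(log_text, mail_server=MAIL_SERVER, threshold=1):
    """Sources other than the mail server with at least `threshold` SMTP hits.

    Workstations have no business talking SMTP to the internet, so the
    default flags a single connection; raise the threshold only if some
    appliance (UPS, backup job) legitimately mails alerts directly.
    """
    return {src: n for src, n in outbound_smtp_by_source(log_text).items()
            if src != mail_server and n >= threshold}


if __name__ == "__main__":
    for src, n in sorted(suspicious_senders(SAMPLE_LOG).items(),
                         key=lambda kv: -kv[1]):
        print(f"{src}: {n} outbound SMTP connections (not the mail server)")
```

In the sample, 192.168.1.57 opens five SMTP connections to five different destinations in a few seconds, which is the pattern of a bot doing its own direct-to-MX delivery; 192.168.1.88 shows up once and is still worth a look, because a workstation should never be on that list at all.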
 

Author Comment

by:Nathaniel_ScrivNET
ID: 24391831
"I don't think purchasing a barracuda will solve your problem if you are being spoofed."

I didn't think that would help either...the guy I am replacing recommended that to my customer. I just found out that none of the systems were configured for scheduled scans from the Trend AV server; infections abound.

Thanks guys, I'll report back tomorrow on how it goes!
 
LVL 2

Expert Comment

by:HFVgally
ID: 24393391
Yes, the only way you are being blacklisted is because spam is going out through your IP. Spoofed message headers may appear to come from your domain, but the IP address trail will likely not show your address. Blacklist services don't care about the domains, just the originating IP addresses.
One of the systems on your network definitely has a spam-generating trojan. Lock down your firewall so that port 25 traffic is only allowed outbound from your server IP address. Ensure that your Exchange server is not configured to allow open, unauthenticated relay from anywhere, including the internal subnet (some admins create this exception). Allowing relay from localhost or the server's own IP address may be necessary for some applications that send e-mail alerts (backup, AV, etc.), but you may want to remove even that exception until you can verify the server is clean (it probably is).
Finally, identify any PCs that may be infected (look for unusually long boot times, having to boot several times to be able to complete login, poor performance, etc.) and disconnect them from the network while you clean them.
Once that is done, you can (re)submit to de-list your IP address from the blacklists.
The Barracuda may actually help in this case because it can keep the outgoing stream clean as well as the incoming stream. For a lot less, you can subscribe to services like MX Logic (for a small network) which can include outbound message scanning as well. While that will keep you off of blacklists, it will not solve the underlying virus problem.
 

Author Comment

by:Nathaniel_ScrivNET
ID: 24402618
Can mail in an Exchange environment go out through any other machine than the server? Isn't everything going out through it anyway?

Also, it looks like all the spam is generating through the postmaster account. Can that be disabled? (See pic)
It looks like by turning on the filtering that these messages are no longer going out but piling up in the queue. How can I delete everything in the queue at once?
[attachment: Capture.PNG]
 

Author Comment

by:Nathaniel_ScrivNET
ID: 24402685
Also, here are the auth settings for the smtp connector. Anonymous should be cleared, no?


[attachment: Capture.PNG]
 
LVL 2

Accepted Solution

by:HFVgally
HFVgally earned 300 total points
ID: 24403486
Mail can go out through any computer that has a mail server on it. Many spamming viruses create their own SMTP servers on the infected PC itself. It does not need to relay through the mail server. This is why you need to lock down your firewall to allow outbound SMTP (port 25) traffic to go outbound ONLY when coming from your actual mail/Exchange server.
What you are seeing on your server looks like it could be NDR spam. This is a trick where the message spoofs the sender and the recipient. If delivery to the recipient fails (say it's an old account on your mail server), then it relies on your mail server to send a Non Delivery Report back to the spoofed "originating" e-mail address. This is done hoping that the person receiving the NDR opens up the message to see what they supposedly sent to someone else and thereby winds up reading the spam message or clicking on the attached virus payload.
To prevent NDR spam, you have to turn off Non-delivery reports on the server. The downside to this is that if someone sends a message to the wrong address on your domain (like a mis-spelled address) they will not get a bounce-back message to let them know that the address is invalid. To turn off NDRs, in the Exchange System Manager, under Global Settings, Internet Message Format, right-click on Default and choose Properties, click the Advanced tab, and uncheck the box next to Allow non-delivery reports. You will then need to restart the SMTP service. Eventually the NDR bouncebacks building up in your queue will time out and you will not need to go into each one to delete messages manually.
Regarding open relay: you do need to have anonymous access on some areas of your SMTP configuration, or you will stop receiving messages entirely. From the screen capture it looks like this is from the Authentication... button under the Access control settings. That should be left as it is.
The settings you should be concerned with are under Relay Restrictions. Click the Relay... button. Relay restrictions should be set to Only the list below, and that list should only include two addresses (assuming this is the only Exchange server in your network): the address for the server itself and 127.0.0.1. The box to allow all computers which successfully authenticate to relay can be checked. You should ensure that you do not have any accounts on the server that use blank passwords.
You can test whether or not your server is an open relay at: http://www.abuse.net/relay.html
 
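To make the relay and NDR points in the accepted solution concrete, here is an added example (not part of the original thread, and not Exchange code) that models the decision a mail server makes at RCPT TO: anonymous inbound mail for your own domains is accepted, which is the part that must stay anonymous; relaying to any other domain is allowed only from the server's own address, 127.0.0.1 and authenticated clients; and unknown local recipients can be rejected at SMTP time so that no non-delivery report is ever queued for them. The server address, domain, mailboxes and probing client addresses are all constructed, and the "relay for the whole internal subnet" policy is included only to show what the exception the answer warns about does.

```python
"""Model of SMTP relay restrictions and backscatter (NDR) exposure.

Added example, not part of the original thread and not Exchange's own
logic. RelayPolicy.decide() returns the reply one RCPT TO command would
get under a given configuration. All addresses, domains and mailboxes
are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class RelayPolicy:
    local_domains: set          # domains this server accepts mail for
    local_users: set            # mailboxes that exist (user@domain, lowercase)
    relay_from: list            # networks allowed to relay without auth
    allow_authenticated: bool = True
    reject_unknown_recipients: bool = True

    def decide(self, client_ip, authenticated, rcpt):
        """Return the SMTP reply for one RCPT TO command."""
        rcpt = rcpt.lower()
        domain = rcpt.rsplit("@", 1)[-1]
        if domain in self.local_domains:
            # Inbound mail for our own domain: accepted from anyone, which
            # is why anonymous access has to stay enabled on the server.
            if rcpt in self.local_users or not self.reject_unknown_recipients:
                # Accepting an unknown local address here means the server
                # bounces it later: an NDR to a spoofed sender is backscatter.
                return "250 OK"
            return "550 5.1.1 User unknown"
        # Any other domain is a relay request; only trusted sources may do it.
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.relay_from):
            return "250 OK"
        if authenticated and self.allow_authenticated:
            return "250 OK"
        return "550 5.7.1 Unable to relay"


def networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


# Constructed site: Exchange server is 192.168.1.10, domain example.com.
LOCAL_DOMAINS = {"example.com"}
LOCAL_USERS = {"nathaniel@example.com", "postmaster@example.com"}

# The exception some admins create: relay for the whole internal subnet.
LAN_RELAY = RelayPolicy(LOCAL_DOMAINS, LOCAL_USERS, networks(["192.168.1.0/24"]))

# The recommended setting: the server itself and loopback only.
RESTRICTED = RelayPolicy(LOCAL_DOMAINS, LOCAL_USERS,
                         networks(["192.168.1.10/32", "127.0.0.1/32"]))

# Same relay rules, but accepting mail for any local address and bouncing later.
RESTRICTED_WITH_NDR = RelayPolicy(LOCAL_DOMAINS, LOCAL_USERS,
                                  networks(["192.168.1.10/32", "127.0.0.1/32"]),
                                  reject_unknown_recipients=False)


def relay_probe(policy):
    """What an external open-relay tester does: an outside, unauthenticated
    client asks the server to carry mail to a third-party domain."""
    return policy.decide("198.51.100.7", False, "victim@other.example")


if __name__ == "__main__":
    for name, policy in (("LAN_RELAY", LAN_RELAY), ("RESTRICTED", RESTRICTED)):
        print(name, "external relay probe:", relay_probe(policy))
        print(name, "infected workstation 192.168.1.57 relaying:",
              policy.decide("192.168.1.57", False, "victim@other.example"))
```

Two things the model makes visible: the whole-subnet exception passes an external open-relay test (the probe comes from outside the subnet) yet still lets an infected workstation relay through the server, and rejecting unknown local recipients with a 550 at RCPT time closes the NDR-spam path without turning off non-delivery reports for everyone.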
 
LVL 2

Expert Comment

by:HFVgally
ID: 24403547
Note: NDR spam is annoying, but should not cause your mail server IP address to be blacklisted. Disabling NDR is entirely optional in your case.
 

Author Comment

by:Nathaniel_ScrivNET
ID: 24403572
Thank you so much for taking the time to post such a detailed solution. I'll follow up later today.  
 

Author Comment

by:Nathaniel_ScrivNET
ID: 24404013
HFV,

I've been looking through my router for an option to block port 25 from all except the Exchange box. The "router" they have is a basic Linksys model, "BEFSR81".

Is this function too limited for a residential unit?
 
LVL 2

Expert Comment

by:HFVgally
ID: 24404657
Linksys support can probably tell you better than I; however, in general I don't believe the residential Linksys routers have outbound firewall filtering capability, only the ability to add inbound port forwarding rules.
For a client/server network I would recommend at a minimum going with something like a Netgear ProSafe series firewall/router. Watchguard and Sonicwall both make feature-rich and very capable entry-level firewall products too, like the Watchguard x10e, x20e, or x55e (sized by features, number of users, etc.), which can also include unified threat management capabilities that can be subscribed to separately or as a package. Comparable Sonicwall products are the TZ 170 or TZ 180 models. However, if you don't need a lot of extra features, the Netgears will give you better control over ports than you have now without worrying so much about complicated user and feature licensing. Linksys and D-Link both have similar series products, but I forget what they are called.
You can usually find Netgear ProSafe series stuff at a MicroCenter or similar. I doubt you would find it at BestBuy. Watchguard and Sonicwall you are going to need to order.
 

Author Comment

by:Nathaniel_ScrivNET
ID: 24405003
Great stuff, thank you! I will look into those options. They also have a managed switch that perhaps I can do some work-around with until I can get my hands on a better router.
 

Author Comment

by:Nathaniel_ScrivNET
ID: 24457710
Thanks all, I installed the new routers and blocked all port 25 traffic through it except for the server.
