Exchange 2010 Edge Transport Antispam IP Block List Question

I have an Edge transport server with the antispam filters installed.  One of the features is an IP block list.  In this feature you can specify a particular IP address that you would like to block email entirely.

I have had some bad blood with a former long term IT contractor.  After relinquishing them from our organization I have noticed allot of random problems related to IT security and network stability.  Being proactive, I've revamped the firewall policies and removed their usernames and login remnants from my servers and workstations.  After doing so, almost all of the problems have stopped, except for one.  My Edge transport server, that is located in my DMZ, has been plagued by this reoccurring problem where my DMZ gateway address is being added to the IP block list.  This in turn stops all incoming mail flow to my Exchange server.  The entry is usually only active for the default 24hours (other time frame options are available).  

My question involves whether or not you think this problem is caused by a hacker, or just some incorrect settings being automatically modified by my Exchange servers or my DC.

Persuading evidence I have dug up is…

These settings are definitely not being set by myself or any other member of my organization.

Windows logs and firewall logs were mysteriously being deleted before I revamped my firewall and login policies

Strange ports are attempting to be accessed that are recorded in my firewall log.  Some of which seem to be backdoor software titles and such as TWD’s Remote Anything

This only occurs after or before my normal working hours.. Such as 6am, 11pm or a weekend for example

Exchange Management Shell commands for adding entries to the IP block list have the exact same effect as using the Exchange Management Console EXCEPT with EMC you can specify a timeframe.  EMS only uses the default 24hour setting as explained above (unless otherwise inputed). Basically telling me DOS prompts have been used to input the setting in question

The former contactor suffered a big loss of revenue from me after not requiring there services any longer, almost 50K a year.  I’m also told thru other IT friends and coworkers that they dislike me and are constantly belittling my IT knowledge to persuade my CEO and branch directors to hire them back.  Comments have actually been made to some of the directors that bypassing my network security would be a breeze and my security policies are a joke.  (Completely not true, and extremely childish)

After termination, the contactors in question claim they lost the key to my network closets

Login info for routers, windows servers and other security devices were originally configured by them.  After I took the helm of the IT department, the contractors denied they had any info on them and refused to help rebuild them.

The list goes on and on and on…

Please, tell me I’m not crazy.  Does Exchange 2010 SP1 make changes to its antispam settings automatically? Or is someone out for revenge?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Ernie BeekExpertCommented:
I think you indeed need a touch of paranioa mode here :-~

Did you check on the exchange server if there is perhaps a task running which causes this?
(control panel -> scheduled tasks).
Or perhaps a service running which shouldn't be there?

Further you could run a scan to see if you perhaps overlooked open ports, something like:
And perhaps a leak test:
ND02GAuthor Commented:
You're right, I'm becoming paranoid hahaha.  I refused to believe this was a malicious attack at first, but the unexplained downtime and menacing comments are persuading me to believe otherwise.  I will say this.. my systems have been running flawlessly up until informing the contractors in November I would no longer need their services in 2011.. then Ka-Boom!  2 servers crash, my LTO backup system stopped working.  Wires connected to my voicemail server are mysteriously plugged in backwards.  Security cameras and DVR's are randomly disabled and to make me even more paranoid, the contractors are conveniently making surprise visits just to say "Hi".  The strange thing is nothing is ever actually broken.. Just wounded enough to make me look like a fool...

Well.. This is Server 2008 R2, so no scheduled tasks in control panel.  But under Task Scheduler in the System Manager showed that only required Microsoft tasks have ever been run.  There are no custom tasks saved in the library.  This server is only 5 months old.  

As for a rouge service issue, I'm a little hazy on the exact services that Windows creates vs. custom services.  How would I know what ones (if any) are causing the problem?  Google each one and determine that way?  Or is there a list I can compare it against?  Restarting the server or restarting certain individual services have never duplicated the Exchange IP block list issue (my original problem).'s website service is down at the moment, but prompted me to try back in a day or two.  On a side note.. My hardware firewall is set to restrict all incoming traffic except for the required ports needed to run my exchange server and http.  Outbound is the opposite.. Nothing is blocked except for bandwidth hog websites and sexual content.  Is there any reason I should be concerned about the outbound policies?  I trust all my internal employees and workstations...

One more point of info... After fixing the issue (its reoccurring).  My Exchange 2010 server's Best Practice Analyzer, System Health and Mail Flow Troubleshooter all report that my systems (Hub Transport and Edge Transport) are running perfectly and living up to Microsoft’s recommended configurations.  After the settings are mysteriously changed, obviously all 3 tests fail.

Thanks for the suggestions!
IP block list on exchange server is not changed automatically.

Some people are mentally ill and when comes to money, there they have no limit. There are a lot of possibilities, that they are doing this to make you incapable of taking care of your IT - so they will prove that your company needs them. (I can not be sure about this.)

Preventing this can be a little bit difficult, because they had full access to your company's equipment and you will never know where everywhere they have left open remote access.

Firstly you should limit physical access to your server rooms and security equipment. Change the keys and take a list of people who has access.
Than you should change all administrative passwords and also check the permissions of all users (also local).
Other problem is to limit remote access. On every single computer is possible that is installed some of remote access software (or trojan) and some of them can work over port 80, which is open to outside world. Or maybe they have access to some remote consoles on server like ILO2 on HP servers.
One option is restricting internet access on non-working hours even more and/or checking firewall logs for strange traffic.
I really hope, that I'm wrong and everything is just a coincidence, but...

Experts Exchange Solution brought to you by ConnectWise

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Ernie BeekExpertCommented:
Came in a bit late, but....

@davorin: Totally agree, when it comes to money lots of people turn into total morons (if I may say so).

Another thing I was thinking of, there are lot's of programs out there with which you are able to remotely connect to a pc/server without any ports needed to be open on the firewall (from the out- to the inside). Thinking about: gotomypc, logmein, etc. These programs actively connect to the internet from the inside(!) which normally isn't blocked (like you said).

So for now be totally paranoid... Like davorin said: change the locks, create new administrator accounts (something like: admin) and restrict the normal administrator accounts as much as possible. Those guys are walking in just to say hi? Yeah, right. Escort them out of the office and don't let them in again (as friendly as possible of course :).

Check everything (again), if they are able to take over just one machine they are on your network and can do whatever they want. Restrict outgoing traffic as well (and monitor it), block machines that don't need an internet connection.

And SUE THE B*******


Sorry, going a bit haywire myself. I just can't stand that kind of people.
Perhaps we should just DDOS them?
ND02GAuthor Commented:
Guys.. I appreciate the input!  I’ve called there bluff and asked whether or not they had gained access to my systems.  Informing them I have made documentations of the issues since the beginning apparently changed their tone.  Of course no one admitted guilt, but they no longer “jumped” to offer their security services and seemed very nervous upon my confrontation… As if this kind of behavior a joke!

I’ve already begun changing physical security.  I’ve had all server rooms and network closets re-keyed today.  I initiated a companywide password change, but a few stragglers are still out there.  I’ve combed thru AD users and downgraded anyone not worthy of elevated account privileges (that didn’t go over to well with some folks, but oh well).  My next actions are to tighten my outbound traffic and sweep for RA software installed on client workstations.  Any advice you could recommend on the outbound policies would be helpful.

I’ll say this.. I feel MUCH better knowing that I’m not the only one who suspects foul play..

Thanks guys!  I’ll post the results of the RA sweep as well.

A DDoS attack would be nice payback hahahaha!
ND02GAuthor Commented:
Ok, well after doing a complete network security upgrade my problems have stopped.  I'm at the 2 week mark and everything is running perfectly again.  RA software was not found on any machines yet.  Rather than fight the IP block list feature, I just disabled it entirely.  I've changed outbound firewall security to maximum lockdown so I'm only allowing external access as needed.  Thanks for all the suggestions tips and support guys!
Ernie BeekExpertCommented:
You're welcome. Glad we were able to assist you in this endeavour :)
I'm glad that everything is back to normal.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.