Exchange 2010 Edge Transport Antispam IP Block List Question
Posted on 2011-03-07
I have an Edge Transport server with the antispam filters installed. One of the features is an IP block list. In this feature you can specify a particular IP address from which you would like to block email entirely.
I have had some bad blood with a former long-term IT contractor. After relinquishing them from our organization I have noticed a lot of random problems related to IT security and network stability. Being proactive, I've revamped the firewall policies and removed their usernames and login remnants from my servers and workstations. After doing so, almost all of the problems have stopped, except for one. My Edge Transport server, which is located in my DMZ, has been plagued by a recurring problem where my DMZ gateway address is being added to the IP block list. This in turn stops all incoming mail flow to my Exchange server. The entry is usually only active for the default 24 hours (other time frame options are available).
My question involves whether or not you think this problem is caused by a hacker, or just some incorrect settings being automatically modified by my Exchange servers or my DC.
Persuasive evidence I have dug up is…
These settings are definitely not being set by myself or any other member of my organization.
Windows logs and firewall logs were mysteriously being deleted before I revamped my firewall and login policies
My firewall log records attempts to access strange ports, some of which seem to correspond to backdoor software titles such as TWD’s Remote Anything.
This only occurs before or after my normal working hours, such as 6am, 11pm or on a weekend, for example.
Exchange Management Shell commands for adding entries to the IP block list have the exact same effect as using the Exchange Management Console, EXCEPT that with the EMC you can specify a timeframe. EMS only uses the default 24-hour setting as explained above (unless otherwise input). This basically tells me DOS prompts have been used to input the setting in question.
The former contractor suffered a big loss of revenue from me after I no longer required their services, almost 50K a year. I’m also told through other IT friends and coworkers that they dislike me and are constantly belittling my IT knowledge to persuade my CEO and branch directors to hire them back. Comments have actually been made to some of the directors that bypassing my network security would be a breeze and that my security policies are a joke. (Completely untrue, and extremely childish.)
After termination, the contractors in question claim they lost the key to my network closets.
Login info for routers, Windows servers and other security devices was originally configured by them. After I took the helm of the IT department, the contractors denied they had any info on them and refused to help rebuild them.
The list goes on and on and on…
Please, tell me I’m not crazy. Does Exchange 2010 SP1 make changes to its antispam settings automatically? Or is someone out for revenge?
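As an added example (not part of the original post), the following Exchange Management Shell script, run on the Edge Transport server, separates block-list entries that Sender Reputation inserted automatically (IsMachineGenerated) from entries added by an administrator or script, and shows when each appeared and when it expires, so the two explanations in the question can be told apart. The gateway address is a constructed placeholder from the RFC 5737 documentation range.

```powershell
# Added example, not the poster's own script. Run in the Exchange Management
# Shell on the Edge Transport server. $GatewayIp is a constructed placeholder
# for the DMZ gateway address described in the post; replace it before running.
$GatewayIp = '192.0.2.1'

# Sender Reputation can add IP addresses to the IP Block list on its own, for
# SenderBlockingPeriod hours. Show its current settings so that automatic
# additions can be ruled in or out.
Get-SenderReputationConfig |
    Format-List SenderBlockingEnabled, SrlBlockThreshold, SenderBlockingPeriod

# Collect every block-list entry with the fields that tell the two sources apart:
# IsMachineGenerated is $true for entries Sender Reputation inserted itself,
# InsertionTime dates the entry, ExpirationTime shows when it lapses, and Comment
# holds whatever text an administrator supplied when adding it manually.
$entries = Get-IPBlockListEntry |
    Select-Object IPRange, IsMachineGenerated, InsertionTime, ExpirationTime, HasExpired, Comment
$entries | Sort-Object InsertionTime -Descending | Format-Table -AutoSize

# Flag entries that name the gateway exactly or as one end of a start-end range.
# A wider CIDR block that merely contains the gateway is not matched here and
# must be reviewed by eye in the table above.
$hits = $entries | Where-Object {
    $r = $_.IPRange.ToString()
    ($r -eq $GatewayIp) -or ($r -like "$GatewayIp-*") -or ($r -like "*-$GatewayIp")
}

if ($hits) {
    foreach ($h in $hits) {
        $source = if ($h.IsMachineGenerated) { 'Sender Reputation (automatic)' } else { 'administrator or script' }
        "{0} blocked by {1}: inserted {2}, expires {3}, comment '{4}'" -f `
            $h.IPRange, $source, $h.InsertionTime, $h.ExpirationTime, $h.Comment
    }
} else {
    "No block-list entry currently names $GatewayIp"
}

# The agent log records each connection the Connection Filtering agent rejected,
# so the first rejection from the gateway dates the start of the mail outage and
# can be lined up against the entry's InsertionTime above.
Get-AgentLog -StartDate (Get-Date).AddDays(-1) |
    Where-Object { $_.Agent -like '*Connection Filtering*' -and "$($_.IPAddress)" -eq $GatewayIp } |
    Select-Object Timestamp, Agent, Action, Reason, ReasonData |
    Format-Table -AutoSize
```

An entry with IsMachineGenerated set to $true and no Comment points at Sender Reputation adding the gateway after it relayed enough spam-scored mail; an entry with IsMachineGenerated set to $false was put there by someone running the console or the shell.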