Solved

edge server stops receiving email with mcafee firewall on

Posted on 2011-09-15
23
974 Views
Last Modified: 2012-05-12
I have been having a problem with being blacklisted for some reason. I am trying to lock down my Edge Exchange server to resolve the problem, so I have installed my McAfee client from my Sonicwall device, but whenever the firewall is enabled I cannot receive outside email. I have enabled the following TCP ports but it is still not working. What am I missing?

53, 389, 143, 110, 25, 443, 445, 465, 80, 993-995, 3268-3269, 50386-50636
Question by:GMSMRM
23 Comments
 
LVL 16

Expert Comment

by:Auric1983
ID: 36548455
Can you try testexchangeconnectivity.com and see what happens? I would test connecting to your server from the outside. Try telnetting to port 25
0
 

Author Comment

by:GMSMRM
ID: 36549029
I am not sure what has changed. I just re-enabled the firewall with the same settings this morning and I am receiving messages with no problem. I tested with the tool as you suggested with my firewall on and it passed. I will keep a watchful eye on it, but I am still having issues with being blacklisted and I can't figure out why.
0
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 36549862
I don't believe putting McAfee on your Edge server is going to prevent you getting on a blacklist. Using this method implies that your Edge server has a virus and is emailing out. McAfee isn't going to prevent a device on your LAN from contracting a virus and sending out email through your SW. What I believe is happening is just that. You've got a workstation contracting a virus and emailing out to the Internet and you're getting blacklisted.

Use the link below to allow ONLY your Edge server to email out. This will block an infected machine from emailing through port 25.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5623

You can also tell what device is infected by looking at the Connections either within Firewall > Connections or System > Diagnostics > Connections. What you use will depend on the model and/or version of your firmware on the sonicwall.
0
 
LVL 16

Expert Comment

by:Auric1983
ID: 36549885
Check out mxtoolbox and see what the reports say about your domain
0
 

Author Comment

by:GMSMRM
ID: 36550068
Auric1983, I have been using mxtoolbox, that's how I know I have been blacklisted.

Digitap, I have added the firewall rules as suggested. However, I found that with these settings I have a personal account in my outlook that I cannot send email from. Possibly this is what I need to do.

I guess all I can do now is wait to see if the blacklist removes me.
0
 
LVL 16

Expert Comment

by:Auric1983
ID: 36550443
How do you have your infrastructure configured?  

Is it actually an Edge server setup in your DMZ with a subscription back to your main Exchange server? Or is this just your primary Exchange server with a NAT rule?

0
 
LVL 33

Expert Comment

by:digitap
ID: 36550740
This is the part I don't like. You have them remove you and then wait to see if it comes back. If you have cases where hosts NEED to get out, then you can create an address group, adding those hosts to the group. Use the address group in your firewall rule.
0
 

Author Comment

by:GMSMRM
ID: 36550820
Auric1983: I have an Exchange and Edge server using NAT through a Sonicwall NSA240 device. I am not using a DMZ.

Digitap: Luckily I do not have any host that "needs" to get out other than through EDGE. I was blacklisted 7 times. I have been removed from one already (and not added back yet) and I am waiting on requests submitted to 3 others to be removed. The remaining either depend on the requested blacklist or will auto-remove after so many hours of no spam traffic detected.

What a pain!

Thanks for all your responses, they have been helpful.
0
 
LVL 33

Expert Comment

by:digitap
ID: 36551017
Yes, it's a pain. Keep in mind you can at least possibly detect who might be mass emailing out by the connections monitor. Also, have you gotten feedback that it's spamming that has gotten you blacklisted and not just an incorrectly configured Exchange server? Perhaps running the BPA for Exchange on your servers might be a good step while you wait.
0
 

Author Comment

by:GMSMRM
ID: 36551358
I have 3 results from the connections monitor on Sonicwall. These addresses are not familiar to me or my network. Any ideas?

Created:                2011/09/16 15:06:07.736
Source IP:              213.199.154.204
Source Port:            43144
Destination IP:         208.17.117.13
Destination Port:       25
Protocol:               TCP
Src Interface:          X1
Dst Interface:          X1
Status:                 Active
Flow:                   SMTP
IPS Category:           N/A
Expiry:                 131
Bytes - Tx:             2292214
Bytes - Rx:             44132
Packets - Tx:           1627
Packets - Rx:           955
---------------------------------------------------------------
Created:                2011/09/16 15:05:26.176
Source IP:              213.199.154.207
Source Port:            38481
Destination IP:         208.17.117.13
Destination Port:       25
Protocol:               TCP
Src Interface:          X1
Dst Interface:          X1
Status:                 Active
Flow:                   SMTP
IPS Category:           N/A
Expiry:                 131
Bytes - Tx:             5216596
Bytes - Rx:             100160
Packets - Tx:           3699
Packets - Rx:           2173
---------------------------------------------------------------
Created:                2011/09/16 15:06:39.496
Source IP:              63.240.94.249
Source Port:            62230
Destination IP:         208.17.117.13
Destination Port:       25
Protocol:               TCP
Src Interface:          X1
Dst Interface:          X1
Status:                 Active
Flow:                   SMTP
IPS Category:           N/A
Expiry:                 131
Bytes - Tx:             583540
Bytes - Rx:             11104
Packets - Tx:           418
Packets - Rx:           237
---------------------------------------------------------------
0
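Added example (not from the thread): a small Python script that parses connection-monitor records in the layout the asker posted above and applies the reasoning in this thread: port-25 connections arriving on the WAN interface are inbound deliveries, while port-25 connections leaving the LAN from any host other than the Edge server are exactly what the accepted solution's LAN-to-WAN rule exists to block. The Edge address 10.0.0.7 and the second record are constructed, since the thread never gives them.

```python
# Constructed sample in the layout of the SonicWall connection monitor output quoted above
# (fields trimmed). Record 1 mirrors the asker's three: a remote MTA delivering to a WAN-side
# address. Record 2 is made up: a LAN workstation opening its own outbound SMTP session.
SAMPLE = """Created:                2011/09/16 15:06:07.736
Source IP:              213.199.154.204
Destination IP:         208.17.117.13
Destination Port:       25
Src Interface:          X1
Dst Interface:          X1
---------------------------------------------------------------
Created:                2011/09/16 15:07:02.001
Source IP:              10.0.0.57
Destination IP:         198.51.100.25
Destination Port:       25
Src Interface:          X0
Dst Interface:          X1
---------------------------------------------------------------
"""
# Hypothetical Edge server address; the thread never states it.
EDGE_SERVERS = {"10.0.0.7"}

def parse_connections(text):
    """Turn the monitor dump into one dict per connection, keyed by the field labels."""
    records, fields = [], {}
    for line in text.splitlines():
        if line.startswith("---"):          # dashed line separates records
            if fields:
                records.append(fields)
            fields = {}
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    if fields:
        records.append(fields)
    return records

def classify(rec, allowed_senders=EDGE_SERVERS, wan="X1"):
    """Label a connection the way the thread reasons about it."""
    if rec.get("Destination Port") != "25":
        return "not-smtp"
    if rec.get("Src Interface") == wan:
        return "inbound-delivery"           # a remote server sending mail to you
    if rec.get("Dst Interface") == wan and rec.get("Source IP") not in allowed_senders:
        return "rogue-outbound"             # LAN host bypassing the Edge server
    return "outbound-via-edge"

def find_rogue_senders(text, allowed_senders=EDGE_SERVERS):
    """Source IPs to investigate; a LAN>WAN rule allowing port 25 only from Edge drops them."""
    return sorted({r["Source IP"] for r in parse_connections(text)
                   if classify(r, allowed_senders) == "rogue-outbound"})
```

Feed it a saved copy of the Connections page and any address it returns is a host to pull off the network and scan before asking the blacklists for removal again.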
 
LVL 33

Expert Comment

by:digitap
ID: 36551387
This just looks like someone trying to send email to you. They are not originating internally. I assume Destination IP is the IP of your WAN interface. Yes?
0
 

Author Comment

by:GMSMRM
ID: 36551425
No, the destination IP is not in my address block. My public IPs start in 65.216.xxx.xxx
0
 

Author Comment

by:GMSMRM
ID: 36551435
Some good news, I have gone down from 7 to 4 blacklistings.
0
 
LVL 33

Expert Comment

by:digitap
ID: 36551516
The question would be if the firewall logs show those as dropped connections. This would indicate that your firewall is doing its job. Just to make sure, I'd check your firewall rules WAN > LAN (and any other production zones you're using) to make sure there isn't anything open. I saw a question recently where someone had left an RDP port open and someone was trying to hack their server. I encountered that myself. Left the port open for the vendor and they never told me they were done. A couple of months later, I see failed login attempts in routine security checks.

Hopefully, the blacklist number goes down and stays down.
0
 

Author Comment

by:GMSMRM
ID: 36561057
digitap,
So far so good. We have not been added to any more blacklists over the weekend; however, there are still 4 that I'm waiting on removal from. I think your firewall settings suggestion was the answer. However, today one of my managers incurred the following messages when trying to email one of our customers. Any ideas?


Diagnostic information for administrators:

Generating server: Edge.GMSMRM.local

lweaverling@mellotts.com
CH1EHSMHS002.bigfish.com #550 5.7.1 Service unavailable; Client host [65.216.203.210] blocked using Blocklist 1, mail from IP banned; To request removal from this list please forward this message to delist@messaging.microsoft.com. ##

Original message headers:

Received: from Exchange.GMSMRM.local (xx.xx.xx.xx) by mail.mymailserver.com
 (xx.xx.xx.xx) with Microsoft SMTP Server (TLS) id 8.2.255.0; Mon, 19 Sep 2011
 11:31:41 -0400
Received: from Exchange.GMSMRM.local ([10.0.0.6]) by exchange ([10.0.0.6])
 with mapi; Mon, 19 Sep 2011 11:31:40 -0400
From: Josh Helbig <xxxx@pioneerconveyor.com>
To: "Weaverling, Larry" <xxxxxx@mellotts.com>
Date: Mon, 19 Sep 2011 11:33:48 -0400
Subject: RE: Consol Project
Thread-Topic: Consol Project
Thread-Index: Acx232M6hBff1FsKSDWSV1lpgaWJugAAe2EQAAAJKuA=
Message-ID: <F834BFAC6D717141950C9FC2324566249526E6C792@exchange>
References: <F834BFAC6D717141950C9FC2324566249526E6C785@exchange>
 <07C194184C442D4DB71BA11D036F97E00AA0A2514B@MELWARAS3EML.CORP.MELLOTTS.COM>
In-Reply-To: <07C194184C442D4DB71BA11D036F97E00AA0A2514B@MELWARAS3EML.CORP.MELLOTTS.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/related;
        boundary="_004_F834BFAC6D717141950C9FC2324566249526E6C792exchange_";
        type="multipart/alternative"
MIME-Version: 1.0
Return-Path: xxxxxx@pioneerconveyor.com

<Edited by SouthMod to remove sensitive info>
0
 
LVL 33

Expert Comment

by:digitap
ID: 36564424
It's hard to tell. A client sending email from mellotts.com appears to have been blocked by client 65.216.203.210. If I look up your MX record, I see that it points to mail.gmsminerepair.com, but the IP for this A record is 65.216.203.214. Although it doesn't match the IP of the client performing the block, it appears it's possibly within the same subnet. I assume this is your public IP subnet. Neither 65.216.203.210 nor 214 is in any spam DB that I've been able to find (I subscribe to DNSSTUFF.com so this is the tool I used to do the spam DB lookup).

However, the MX record for mellotts.com points to mail.global.sprint.com which points to public IP of 213.199.180.150. This IP address didn't show up in the spam DB either.

Then, there is CH1EHSMHS002.bigfish.com, whose MX record points to mail.global.bigfish.com, which points to the public IP of 65.55.88.22. This IP wasn't on the spam DB either.

bigfish.com, from what I've been able to find on the Internet, is Microsoft's Office 360 or Exchange hosting service. My best guess is someone is using this service to pull email from a sprint POP account and somehow it's going out through the MS Exchange hosting service.

Someone's IP was on a Microsoft ban list. I don't know whose, and the DB searches I use don't search Microsoft's DB. There is an email address in the NDR above that you can send a removal request to. I'm just not sure whose IP was blocked.

Hope that helps.
0
 

Author Comment

by:GMSMRM
ID: 36566878
Digitap,

Thanks for your input. The 2 IPs as you discussed above are in my block. One is directed to my firewall for NAT and the other is the firewall itself. Thanks for running my IP through your tools. It is most likely at this point that my IP is listed on Microsoft's list. The last SPAM recorded from my IP was on 9/15/2011. I am trying to find an effective way to contact the correct person to handle being removed from bigfish.com's list.
0
 

Author Comment

by:GMSMRM
ID: 36566980
I have forwarded some of the returned emails to "delist@messaging.microsoft.com" hoping that I get a reply and removed from their list. I'm not sure how long to expect it will take. My boss is about to rip my head off because we can't communicate with our largest customer.
0
 
LVL 33

Expert Comment

by:digitap
ID: 36567356
I understand. It can be frustrating. The fact that MS doesn't have their own DB makes me think MS uses a different spam DB to populate their own IP block lists. The fact that they have a delist email address tells me that they use them to add IP addresses not remove them. I think it's a ridiculous way of managing spam, but it's what they've chosen.
0
 

Author Comment

by:GMSMRM
ID: 36567429
Wow Digitap. I actually just received an email from MS. Here it is.


Hello Dennis,
Thank you for contacting Microsoft Online Services Technical Support.  This email is in reference to ticket number 1162147765, which was opened in regards to your delisting request for 65.216.203.210
The IP address you submitted has been reviewed and removed from our block lists.  Please note that there may be a 1-2 hour delay before this change propagates through our entire system.
We apologize for any inconvenience this may have caused you.  As long as our spam filtering systems do not mark a majority of email from the IP address as spam-like, your messages will be allowed to flow as normal through our network.  However, should we detect an increase in spam-like activity, the IP address may be placed on our block lists again.
Should you have any further questions or concerns, please feel free to respond to this email.
Thank you again for contacting Microsoft Online Services technical support and giving us the opportunity to serve you.
Sincerely,
Jennifer Garfutt
Microsoft Online Services Technical Support
0
 
LVL 33

Expert Comment

by:digitap
ID: 36567511
Sweet! Looks like you're clean.

One final note, remember that your posts can be found on the Internet so information here is essentially part of the public domain. The post you made here: http:#a36561057 has - in my opinion - sensitive information. I'd recommend using the Request Attention link in your question above and ask a moderator to remove the post. Remember to sanitize your posts.
0
 

Author Closing Comment

by:GMSMRM
ID: 36567573
Digitap, I think you deserve more points for all of your support on this case. I have awarded the post that gave me the most help in resolving being blacklisted in the first place. Though I have not been removed from all of the blacklists, the trend is heading that way. Thanks for your support. You're awesome!
0
 
LVL 33

Expert Comment

by:digitap
ID: 36567830
You're welcome and glad I could help. Thanks for the points!
0
