Email and IP blacklisted how to clear up

to2007
We have 10 users and an SBS 2008 server with 2007 Exchange. We just began to be blacklisted by several of the blacklisting organizations. It appears that someone has hijacked our email addresses and/or got into the network and is spamming, etc.

I have been out of the country with limited email to remote into the office to check it out. Currently the office obviously receives inbound mail but outbound appears to mostly be blocked.

The office runs Symantec Endpoint but it appears that the definitions are out of date and no one renewed the license, etc. Plus Symantec is not necessarily good at catching all this stuff anyway!

I can run scans with it and also Malwarebytes and Spybot Search and Destroy once back at the office. We need to clean up before getting un-blacklisted.

My questions are: has anyone gone through this, and what, if anything, is the best way to determine what happened and what is going on? I haven't had to deal with this and am lost at trying to figure out what to do to see what happened and fix it. Being out of the country with limited access remotely to check has also been a pain.

thanks
Abbas Haidar, Senior Infrastructure Manager
Commented:
Log it on mxtoolbox.com and they will do it for you, or you can still ask for a new IP address from your ISP.
Commented:
Agree, mxtoolbox.com will list all the sites that are blocking your IP. Also, run a test from the site to make sure your Exchange is not an open relay; that's the most likely cause of being blacklisted.
You need to really make sure that your PCs and server are clean.

You need an antivirus package that will scan both PCs and server.

Suggest maybe Trend Micro.

Kaspersky do a 30-day trial for their server antivirus. It may be worth putting that on and cleaning.

Once you are happy that all machines are clean (hard to tell, I know), then you can ask to be taken off the blacklists.

Go to http://www.mxtoolbox.com/SuperTool.aspx

Do a search for your server IP and then check blacklists. You should be able to click on each one that has listed you and get removal instructions.

Be aware though, if you get back on the list straight away it's a real pain to get off again.

You could then implement a 3rd party spam blocker such as Trend that will handle mails before they reach your mail server.

Author

Commented:
Thanks all

Here is what i have done though.

I talked to MxToolbox directly while out of the country after going to their site and seeing who had blacklisted us. They said not open relay but someone got in with spam etc. They told me they will sell (have trial) a service to be a spam filter and backup email source just in case, but they do not clean anything in the network.

They suggested that Kaspersky, Symantec, McAfee etc. were useless to stop it, only to tell you that you got something, and scanning with most of them won't work to clean internal machines.

MxToolbox was who suggested Malwarebytes and Spybot S&D.

I do know how to have them assist in removing from the blacklist, or I can do that part.

My concern with just a new IP address is that I also believe the domain name gets blacklisted as well and we cannot change that.

We can contract with MxToolbox or another spam filter company but that is not a solution to finding out what did happen internally and what to best get it cleaned with.

Just no simple all-in-one cleaning/investigative tool for the internal network for us small, sometimes confused folks!

Any other ideas on the investigation and clean up?

Thanks

They should just flat beat the crap out of spammers!
WORKS2011, Managed IT Services, Cyber Security, Backup
Commented:
I agree with jerseysam. I've been called in to resolve issues like this many times and 99% of the time it's not the (email) server that's taken over; it's a workstation infected with an SMTP relay that keeps spitting out email or trying to act as a relay. Many blacklisting companies monitor connection attempts to known bad spammers, so they see your IP trying to contact the spamming server's IP and you're instantly shut down. My point is you won't see excessive email abuse, only the bug trying to connect to the spam server.

Luckily for me the virus (bug) was noticeable enough that I could figure out which workstation was the problem after the end user reported the behavior. Malwarebytes didn't clean up all of it, nor did Microsoft Security Essentials; I had to restore to the previous night's restore point to resolve the issue. Then it took about another 45 minutes to be removed from the blacklists.

I would spend time focusing on the workstations. Something else I've tried is installing Spiceworks; sometimes it shows 3rd party software that can lead to the infected workstation.

Good luck.
Yes, WORKS2011 is of the same opinion as me.

Basically you need to make sure ALL workstations are clean.

Server clean also.

Only then can you risk being de-listed on spam lists.

It's a real pain, but no other way. If the server appears clean and you remove yourself from the list, you may find an infected PC then drops you right back in it.

You can try using a mail relay to move the IP away from your listing. However, the real cure is clean PCs and server!
Sudeep Sharma, Technical Designer
Commented:
>>>>SBS 2008 server with 2007 Exchange

Do you have any firewall in your network?

Make sure that, except Exchange, no other system is able to send email. That means outbound connections to port 25 should be allowed only from Exchange on your firewall/router or gateway.

Further, on the Exchange server only authenticated users should be allowed to send email and no anonymous user should be allowed to send email. Follow the article from alanhardisty below:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2727-Prevent-Spam-From-Your-Own-Domain-in-Exchange-2007.html

Also check if the spam emails are being sent from your Exchange. For that, check the outbound queues of Exchange. Below is another article you would like to check:

Why are my outbound queues filling up with mail I didn't send
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2556-Why-are-my-outbound-queues-filling-up-with-mail-I-didn%27t-send.html

Let us know.

Sudeep
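One way to check the port-25 egress rule described above, and at the same time spot a workstation that is quietly trying to reach outside SMTP servers (the behaviour WORKS2011 describes), is to run the firewall log through a small script. This is an added Python example, not code from the thread; the log line format, the addresses and the Exchange server IP are constructed assumptions.

```python
import re
from collections import defaultdict

EXCHANGE_IP = "192.168.16.2"  # assumed SBS/Exchange server address (placeholder)

# Constructed sample firewall log; the line format is an assumption for this example:
# "<timestamp> <ALLOW|DENY> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>"
SAMPLE_LOG = """\
2013-03-04T09:00:01 ALLOW proto=tcp src=192.168.16.2:49152 dst=203.0.113.25:25
2013-03-04T09:00:03 ALLOW proto=tcp src=192.168.16.57:51002 dst=198.51.100.9:25
2013-03-04T09:00:04 ALLOW proto=tcp src=192.168.16.57:51004 dst=198.51.100.11:25
2013-03-04T09:00:05 ALLOW proto=tcp src=192.168.16.40:51010 dst=93.184.216.34:443
2013-03-04T09:00:06 DENY proto=tcp src=192.168.16.80:51020 dst=198.51.100.12:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def smtp_offenders(log_text, exchange_ip=EXCHANGE_IP):
    """Hosts other than Exchange that tried outbound TCP/25, as
    {src_ip: {"attempts": n, "allowed": n, "destinations": set()}}.  Any host
    listed deserves a scan; "allowed" > 0 means the Exchange-only egress rule is not enforced."""
    report = defaultdict(lambda: {"attempts": 0, "allowed": 0, "destinations": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != 25:
            continue  # not SMTP traffic (or an unparseable line)
        if rec["src"] == exchange_ip:
            continue  # the mail server itself is expected to talk SMTP outbound
        entry = report[rec["src"]]
        entry["attempts"] += 1
        entry["destinations"].add(rec["dst"])
        if rec["action"] == "ALLOW":
            entry["allowed"] += 1
    return dict(report)

if __name__ == "__main__":
    for host, info in sorted(smtp_offenders(SAMPLE_LOG).items()):
        print(host, info["attempts"], "attempts,", info["allowed"], "allowed")
```

In the constructed sample, 192.168.16.57 gets through to two outside mail servers (the firewall rule is missing) while 192.168.16.80 is blocked but still flagged as a host to scan.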

Author

Commented:
All helped in one way or another; what a mess! Thanks everyone
