blacklisted - help pls

We are blacklisted now and are unable to send out emails.
Our Exchange had a relay set up to allow anything to 255.255.255.255. We removed that, and we are still getting some machines trying to send out to that broadcast using port 17500.

We are running AV on those machines; please advise what else we could do to prevent this.

We have the WatchGuard 330.
Geekah Asked:
 
edster9999 Commented:
If there is data on port 17500 going to the broadcast address (255.255.255.255)
then this is not mail.  It is something else.

It may or may not be connected - it is possible it is a virus on a PC that has been sending spam out and this is it calling out to contact other PCs or to contact its main host for instructions - but it is not spam.  That's not how mails travel.

Run Wireshark and connect the PC in a place it can see the traffic.  See what traffic you get - on that port and on the main email port (port 25).  See which local address it is coming from and what it looks like.
0
 
michaelgoldsmith Commented:
If you need to get email back up and running asap, ask your ISP if they have a smart host to relay through. Then, change from DNS outbound mail to smart host and you should be fine. Clear up your blacklisting and then switch back to DNS.
0
 
Tier1Net Commented:
Where are you blacklisted? Have you run an MXToolbox search to see who has you listed?

If you have access to the firewall, I would suggest blocking port 25 outbound for the entire network except for the Exchange server. Also, your Exchange server should be on a dedicated Public IP address that is separate from that of your Firewall. If you are able, you can switch the WAN IP relatively quickly with NAT to have the Exchange server source from a new WAN IP and it will no longer be blocked.
0
 
edster9999 Commented:
A quick google of this port number lists it as something Dropbox uses when it is installed on a PC.  First of all try stopping that from running.

Being banned from mail is probably nothing to do with this.  It normally means you were an open relay and a spammer sent thousands or even millions of emails from your system.
If you stop whatever it is then you should go back to being allowed to send in about a week.

Either check the logs on your SMTP (mail) gateway or put a PC on that can monitor all traffic and look for a flood of emails and where they are coming from.

Not much you can do about it - you are blacklisted for a good reason.
Block the hole and you will be allowed to send again.
0
 
Geekah (Author) Commented:
We are still sending out to that IP 255.255.255.255 port 17500.. how do I stop it??
I need to stop it first
0
 
michaelgoldsmith Commented:
Try running Wireshark to see if you can find the affected PC(s). Take those off the network and scan them.
0
 
Geekah (Author) Commented:
I installed Wireshark but would that mean I have to open flow of mail out so I can capture?
0
 
michaelgoldsmith Commented:
You should be able to see that port. Run Wireshark and then filter out that port. You should see that traffic coming from only certain IP addresses.
0
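
The "see which local address it is coming from" step suggested in the answers above, as an added example that is not part of the original thread: it reads a capture and counts, per source IP, the broadcasts to UDP 17500 and any TCP port 25 traffic that does not come from the mail server. It assumes the capture was saved from Wireshark in classic pcap format (not pcapng) on Ethernet; `MAIL_SERVER` and every address in the sample capture are constructed for the example.

```python
import socket
import struct
from collections import Counter

MAIL_SERVER = "192.168.1.10"  # assumption: internal address of the Exchange server

def frame(src, dst, proto, dport):
    """Constructed Ethernet/IPv4 frame with a minimal UDP (17) or TCP (6) header."""
    l4 = struct.pack("!HH", 40000, dport) + bytes(4 if proto == 17 else 16)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + l4

def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def tally_sources(pcap, mail_server=MAIL_SERVER):
    """Per source IP: broadcasts to UDP 17500, and TCP 25 packets not from mail_server."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap file")
    broadcast, smtp = Counter(), Counter()
    off = 24                                   # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        pkt = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                           # not IPv4 over Ethernet
        l4 = pkt[14 + (pkt[14] & 0x0F) * 4:]   # honour the IP header length field
        if len(l4) < 4:
            continue
        proto, dport = pkt[23], struct.unpack_from("!H", l4, 2)[0]
        src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
        if proto == 17 and dst == "255.255.255.255" and dport == 17500:
            broadcast[src] += 1
        elif proto == 6 and dport == 25 and src != mail_server:
            smtp[src] += 1                     # a workstation talking SMTP directly
    return broadcast, smtp

# Constructed sample capture; every address below is made up for the example.
SAMPLE = build_pcap(
    [frame("192.168.1.23", "255.255.255.255", 17, 17500)] * 2
    + [frame("192.168.1.42", "255.255.255.255", 17, 17500)]
    + [frame(MAIL_SERVER, "203.0.113.5", 6, 25)]
    + [frame("192.168.1.42", "203.0.113.5", 6, 25)] * 3)
```

For a real capture, pass the file's bytes, for example `tally_sources(open("capture.pcap", "rb").read())`, where `capture.pcap` is a placeholder file name.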
 
Geekah (Author) Commented:
We ended up using Postini to get out and it worked

thx
0