Marked as CBL Spam on Spamhaus - can't find the threat anywhere

Yesterday morning my office, using Exchange 2003, started getting bounce-backs on emails we sent out. Not every email, but probably 40-50% of them.

      Gregory.Mullikin@Cigna.com on 10/17/2013 5:57 PM
            You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <fosterthomas.com #5.7.1 smtp;550 5.7.1 Service unavailable; Client host [209.252.228.2] blocked using Spamhaus Blocklist, mail from IP banned; To request removal from this list see http://www.spamhaus.org/query/bl?ip=209.252.228.2 .>


So I go to the link at Spamhaus and request to be removed, and we are taken off the list; then a few hours later we are put back on the list and I have to do it again.

They have this Norton tool as a recommendation:

https://security.symantec.com/nbrt/npe.aspx

I have run that on both servers and every client computer, and removed anything it found. However, we are still being marked as spam and I have no idea what else to look for. Any ideas?
FosterThomasAsked:

Nick RhodeIT DirectorCommented:
Most likely you have a hidden spambot on one of the workstations.  I usually target the user with the most issues and scan deeper into the PC.

Guide to help find the culprit
http://cbl.abuseat.org/advanced.html

Guide for removal
http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Desktop_Anti-Virus/A_12285-Virus-Removal-Methods.html
0
FosterThomasAuthor Commented:
I used the tool that SpamHaus recommended and checked every computer possible. I deleted the threats and we are still getting marked as spam.

Is there a way to isolate which client computer it is? Could it not be the server?
0
Nick RhodeIT DirectorCommented:
Could be the server, or someone is relaying off your server also. Do you have a bunch of random messages stuck in your queue?
0
FosterThomasAuthor Commented:
No, the only things in the queues are to carriers we use for work in the medical field. So they are all trusted.

I don't see anything else in the queue.  

How else could I tell if someone was relaying off the server?
0
Dave HoweSoftware and Hardware EngineerCommented:
if possible:
a) Alter your firewall to block outbound to TCP port 25 *except* for your own mail server. If your firewall allows, log denies, which will give you an idea of which internal hosts are trying to send SMTP.

b) Enable logging and/or packet capture on the mail server to monitor traffic there for relay.
0
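To show what the logged denies from step (a) give you once the rule is in place, here is an added example that is not part of this thread or of any SonicWall tooling. It takes a handful of constructed log lines modelled on SonicWall's key=value syslog output (the exact field layout and the mail server address 192.168.1.10 are assumptions; adjust the regex to whatever your device emits) and ranks internal hosts by how often they tried to reach TCP/25 directly, which is exactly the signal that points at a spambot-infected workstation.

```python
import re
from collections import defaultdict

MAIL_SERVER = "192.168.1.10"   # assumed address of the Exchange server (the one host allowed out on 25)
SMTP_PORTS = {25}              # the thread's rule covers tcp/25; add 465/587 if you also block submission ports

# Constructed sample lines, loosely modelled on SonicWall key=value syslog; not captured from the poster's device.
SAMPLE_LOG = """\
id=firewall sn=0000000000 time="2013-10-18 09:01:02" fw=209.252.228.2 pri=5 c=64 m=36 msg="TCP connection dropped" src=192.168.1.57:51022:X0 dst=198.51.100.20:25:X1 proto=tcp/smtp
id=firewall sn=0000000000 time="2013-10-18 09:01:03" fw=209.252.228.2 pri=5 c=64 m=36 msg="TCP connection dropped" src=192.168.1.57:51023:X0 dst=203.0.113.7:25:X1 proto=tcp/smtp
id=firewall sn=0000000000 time="2013-10-18 09:01:05" fw=209.252.228.2 pri=5 c=64 m=36 msg="TCP connection dropped" src=192.168.1.57:51024:X0 dst=203.0.113.9:25:X1 proto=tcp/smtp
id=firewall sn=0000000000 time="2013-10-18 09:01:09" fw=209.252.228.2 pri=6 c=262144 m=98 msg="Connection Opened" src=192.168.1.10:49311:X0 dst=198.51.100.20:25:X1 proto=tcp/smtp
id=firewall sn=0000000000 time="2013-10-18 09:02:41" fw=209.252.228.2 pri=5 c=64 m=36 msg="TCP connection dropped" src=192.168.1.23:55100:X0 dst=198.51.100.44:25:X1 proto=tcp/smtp
id=firewall sn=0000000000 time="2013-10-18 09:02:50" fw=209.252.228.2 pri=6 c=262144 m=98 msg="Connection Opened" src=192.168.1.57:51030:X0 dst=93.184.216.34:443:X1 proto=tcp/https
"""

# src=ip:port:iface and dst=ip:port:iface; the trailing interface tag is optional in the pattern.
LINE_RE = re.compile(
    r'src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\S*\s+'
    r'dst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)'
)


def parse_line(line):
    """Return (src_ip, dst_ip, dst_port, dropped) for one syslog line, or None if it has no src/dst pair."""
    m = LINE_RE.search(line)
    if not m:
        return None
    dropped = "dropped" in line.lower()
    return m.group("src"), m.group("dst"), int(m.group("dport")), dropped


def smtp_offenders(log_text, mail_server=MAIL_SERVER, smtp_ports=SMTP_PORTS):
    """Internal hosts (other than the mail server) whose outbound SMTP attempts were denied.

    Returns {src_ip: {"attempts": n, "destinations": sorted list of distinct dst ips}}.
    """
    attempts = defaultdict(int)
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport, dropped = parsed
        if not dropped or dport not in smtp_ports or src == mail_server:
            continue
        attempts[src] += 1
        destinations[src].add(dst)
    return {
        src: {"attempts": attempts[src], "destinations": sorted(destinations[src])}
        for src in attempts
    }


def rank_suspects(offenders):
    """Most active host first: a bot fanning out to many MX hosts floats to the top."""
    return sorted(offenders, key=lambda s: (offenders[s]["attempts"], len(offenders[s]["destinations"])), reverse=True)


if __name__ == "__main__":
    found = smtp_offenders(SAMPLE_LOG)
    for host in rank_suspects(found):
        info = found[host]
        print(f"{host}: {info['attempts']} denied SMTP attempts to {len(info['destinations'])} distinct hosts")
```

Feed it the syslog export from the deny rule (or a syslog server the TZ 190 forwards to) and the top entry is the workstation to pull off the network and scan first; a single-digit count from a host that also runs a legitimate mail client can be benign, but dozens of connections to many distinct destinations in seconds are not.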
FosterThomasAuthor Commented:
I am not sure how to do number one. I have a TZ 190 SonicWall; any idea how to do that?
0
Dave HoweSoftware and Hardware EngineerCommented:
According to the admin guide found HERE
Firewall >> Access Rules
"ADD" button
Allow from LAN to ANY
Service SMTP
Source <ip of email server>

make this the first rule in the rule base (move it up if required)

"ADD" button
Deny from LAN to ANY
Service SMTP
Enable Logging [X] ticked

make this the second rule in the rule base (move it up or down if required)
0
FosterThomasAuthor Commented:
I have a lot more questions than that and don't want to mess something up; below is the box I get when I hit the ADD button.

I can't figure out how to add my IP address in the source and what to put for other answers.
Capture.JPG
0
FosterThomasAuthor Commented:
Anyone else have any ideas?

I have a few questions.

We have some users who just use the OWA link remotely and are never in our office. So it is impossible for me to check their computers for threats. How do people normally handle this?

Second, I am still threat-free on both servers and all client computers, yet again this afternoon we got blocked on the SpamHaus site and I had to re-identify with them that we are legit.

Again it is not every email we send, only some, but it has happened to every user on our network.

What can I do in our firewall? If a trojan or something compromised the server, isn't it on the server, and doing a SonicWall firewall rule won't block it because it will still be sending from our IP address if it is on our server?

Please help.
0
footechCommented:
Correct, limiting SMTP to just the server won't help if it is just the server that is sending out the spam. However, it's much more likely for a workstation to be compromised than the server, and it helps to eliminate a lot of possibilities. If your queues and message tracking don't show any evidence of sending abnormal emails, then it's more likely that there is malware on the server that is sending the emails itself.

Have you checked your configuration to be sure you're not an open relay, or that you're not sending out NDRs for invalid recipients (backscatter)? (You should have recipient filtering on.)
Check your DNS records with tools like MXToolbox.com.

Some programs will send out emails at such a rate that it can take days for recipient systems to work through them, so sometimes even after you have done a cleanup, you may continue to get listed for a couple days (maybe more).
0
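The "check your message tracking" advice above is easier to act on with a concrete test for "abnormal". The following is an added example, not code from this thread or from Exchange: it reads a constructed, simplified tab-separated tracking extract (timestamp, sender, recipient; real Exchange 2003 tracking logs carry many more columns, so the column positions and the internal domain example.com are assumptions to adjust) and flags any sender whose burst rate and spread of external recipient domains look like a compromised account or relay abuse rather than normal office mail.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

INTERNAL_DOMAIN = "example.com"        # assumed; stands in for the organisation's own domain
WINDOW = timedelta(minutes=60)         # burst window
RATE_THRESHOLD = 30                    # messages per sender per window before we care (assumed tuning value)
MIN_DISTINCT_DOMAINS = 10              # a spam run fans out across many recipient domains


def build_sample_log():
    """Constructed sample: one normal user and one account pushing bulk mail to many external domains."""
    base = datetime(2013, 10, 17, 14, 0, 0)
    rows = []
    for i, rcpt in enumerate(["claims@insurer.example", "colleague@example.com", "intake@clinic.example"]):
        rows.append((base + timedelta(minutes=5 * i), "alice@example.com", rcpt))
    for i in range(40):   # 40 messages in 10 minutes, 20 different recipient domains
        rows.append((base + timedelta(seconds=15 * i), "bob@example.com", f"user{i}@domain{i % 20}.example"))
    return "\n".join("\t".join([t.strftime("%Y-%m-%d %H:%M:%S"), s, r]) for t, s, r in rows)


def parse_tracking(text):
    """Yield (timestamp, sender, recipient) from the simplified tab-separated extract."""
    for row in csv.reader(StringIO(text), delimiter="\t"):
        if len(row) < 3:
            continue
        yield datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S"), row[1].lower(), row[2].lower()


def peak_in_window(times, window=WINDOW):
    """Largest number of messages falling inside any sliding window of the given length."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while times[i] - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def sender_stats(text, internal_domain=INTERNAL_DOMAIN):
    """Per-sender volume, burst peak, distinct recipient domains and share of external recipients."""
    times = defaultdict(list)
    domains = defaultdict(set)
    external = defaultdict(int)
    for ts, sender, rcpt in parse_tracking(text):
        domain = rcpt.rsplit("@", 1)[-1]
        times[sender].append(ts)
        domains[sender].add(domain)
        if domain != internal_domain:
            external[sender] += 1
    return {
        s: {
            "messages": len(times[s]),
            "peak_per_window": peak_in_window(times[s]),
            "distinct_domains": len(domains[s]),
            "external_share": external[s] / len(times[s]),
        }
        for s in times
    }


def flag_senders(stats, rate=RATE_THRESHOLD, min_domains=MIN_DISTINCT_DOMAINS):
    """Senders that both burst above the rate threshold and spray across many domains."""
    return sorted(s for s, v in stats.items()
                  if v["peak_per_window"] >= rate and v["distinct_domains"] >= min_domains)


if __name__ == "__main__":
    stats = sender_stats(build_sample_log())
    for sender, v in stats.items():
        print(f"{sender}: {v['messages']} msgs, peak {v['peak_per_window']}/window, "
              f"{v['distinct_domains']} domains, {v['external_share']:.0%} external")
    print("flagged:", flag_senders(stats))
```

A flagged sender that is a real mailbox points at a stolen password (the remote OWA users asked about earlier are a natural place to look, since their credentials are used from outside the office); a flagged sender address that does not exist in the organisation, or messages with no authenticated user at all, points at relay abuse of the SMTP virtual server instead.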
FosterThomasAuthor Commented:
Do you know where the open relay setting/check would be in Exchange 2003? I am not sure where to check for that.

At mxtoolbox.com, if I do a scan it says two warnings: SOA Serial Number Format is Invalid and Expire Value is out of recommended range.

I am not sure what an SOA is though.
0
footechCommented:
MXToolbox has a check for open relay (the SMTP check), as do some other sites.  The settings to adjust this are found under the SMTP virtual server properties > Access tab, and also the SMTP connector.  Alan Hardisty has a number of great articles that are related.
http://alanhardisty.wordpress.com/tag/open-relay/

SOA is a type of DNS record (Start of Authority). It contains information about a zone. A quick Google search will yield information about its structure if you're interested. However, neither of those warnings will cause you any problem.
0
FosterThomasAuthor Commented:
I have read everything I can on blocking SMTP on my firewall except for my mail server and I just can't figure it out. Does anyone know how to do this on a SonicWall TZ 190?
0