FosterThomas (United States of America) asked:
Marked as CBL Spam on Spamhaus - can't find the threat anywhere

Yesterday morning my office, using Exchange 2003, started getting bounce-backs on emails we sent out. Not every email, but probably 40-50% of them.

      Gregory.Mullikin@Cigna.com on 10/17/2013 5:57 PM
            You do not have permission to send to this recipient.  For assistance, contact your system administrator.
            <fosterthomas.com #5.7.1 smtp;550 5.7.1 Service unavailable; Client host [209.252.228.2] blocked using Spamhaus Blocklist, mail from IP banned; To request removal from this list see http://www.spamhaus.org/query/bl?ip=209.252.228.2 .>


So I go to the link at Spamhaus and request to be removed, and we are taken off the list; then a few hours later we are put back on the list and I have to do it again.

They have this Norton tool as a recommendation:

https://security.symantec.com/nbrt/npe.aspx

I have run that on both servers and every client computer, and removed anything it found.  However we are still being marked as Spam and I have no idea what else to look for.  Any ideas?
Nick Rhode (United States of America):

Most likely you have a hidden spambot on one of the workstations.  I usually target the user with the most issues and scan deeper into the PC.

Guide to help find the culprit
http://cbl.abuseat.org/advanced.html

Guide for removal
https://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/Desktop_Anti-Virus/A_12285-Virus-Removal-Methods.html
FosterThomas (asker):

I used the tool that Spamhaus recommended and checked every computer possible; I deleted the threats and we are still getting marked as spam.

Is there a way to isolate which client computer it is? Could it not be the server?
Could be the server, or someone is relaying off your server. Do you have a bunch of random messages stuck in your queue?
No, the only things in the queues are to carriers we use for work in the medical field, so they are all trusted.

I don't see anything else in the queue.  

How else could I tell if someone was relaying off the server?
If possible:
a) alter your firewall to block outbound to tcp port 25 *except* for your own mail server. If your firewall allows, log denies which will give you an idea of which internal hosts are trying to send smtp.

b) enable logging and/or packet capture on the mail server to monitor traffic there for relay.
I am not sure how to do number one. I have a TZ 190 SonicWall; any idea how to do that?
According to the admin guide found HERE
Firewall >> Access Rules
"ADD" button
Allow from LAN to ANY
Service SMTP
Source <ip of email server>

make this the first rule in the rule base (move it up if required)

"ADD" button
Deny from LAN to ANY
Service SMTP
Enable Logging [X] ticked

make this the second rule in the rule base (move it up or down if required)
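Once the deny rule is logging, the question becomes which internal host keeps tripping it. The script below is an added example, not from this thread or the SonicWall admin guide: it parses firewall deny records for outbound TCP/25 and ranks internal sources by blocked attempts and by how many distinct destinations they tried, which is the signature of a spambot rather than a misconfigured client. The log line format, the mail server address (192.168.1.10) and all IPs are constructed assumptions; SonicWall's real syslog fields differ, so adapt the regex to your export.

```python
"""Rank internal hosts by denied outbound SMTP attempts in a firewall deny log.

Added example, not from the original thread. The line format below is an
assumption (a generic syslog-style record, not SonicWall's actual syntax) and
the sample log is constructed; adjust LINE_RE for your firewall's export.
"""
import re
from collections import Counter, defaultdict

# Assumed record format (constructed; not SonicWall's real format):
#   <timestamp> fw action=<allow|deny> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>
LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

MAIL_SERVER = "192.168.1.10"  # assumed internal address of the Exchange server


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def smtp_talkers(lines, mail_server=MAIL_SERVER, port=25):
    """Return [(src_ip, denied_attempts, distinct_destinations), ...], most active first.

    Only denied TCP connections to `port` count, and the mail server itself is
    excluded because the allow rule ahead of the deny rule covers it.
    """
    attempts = Counter()
    dests = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] != "deny" or rec["proto"] != "tcp" or rec["dport"] != port:
            continue
        if rec["src"] == mail_server:
            continue
        attempts[rec["src"]] += 1
        dests[rec["src"]].add(rec["dst"])
    return sorted(
        ((src, n, len(dests[src])) for src, n in attempts.items()),
        key=lambda t: (-t[1], t[0]),
    )


# Constructed sample: one workstation fanning out to several mail hosts, one
# single stray attempt, the mail server's own allowed traffic, and noise.
SAMPLE_LOG = """\
Oct 18 09:00:01 fw action=deny proto=tcp src=192.168.1.57:49211 dst=203.0.113.5:25
Oct 18 09:00:01 fw action=deny proto=tcp src=192.168.1.57:49212 dst=198.51.100.27:25
Oct 18 09:00:02 fw action=deny proto=tcp src=192.168.1.57:49213 dst=203.0.113.104:25
Oct 18 09:00:02 fw action=allow proto=tcp src=192.168.1.10:52001 dst=198.51.100.27:25
Oct 18 09:00:03 fw action=deny proto=tcp src=192.168.1.23:50110 dst=198.51.100.27:25
Oct 18 09:00:03 fw action=deny proto=tcp src=192.168.1.57:49214 dst=203.0.113.5:25
Oct 18 09:00:04 fw action=deny proto=udp src=192.168.1.57:49215 dst=198.51.100.1:53
Oct 18 09:00:05 fw action=deny proto=tcp src=192.168.1.23:50111 dst=192.168.2.5:445
this line is not a firewall record
"""

if __name__ == "__main__":
    for src, n, ndst in smtp_talkers(SAMPLE_LOG.splitlines()):
        print(f"{src:15} {n:4} denied SMTP attempts to {ndst} destination(s)")
```

A host that hits many different destination mail servers in seconds is the one to pull off the network and image; a single denied attempt is more often a misconfigured client that still has an outbound SMTP profile.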
I have a lot more questions than that and don't want to mess something up. Below is the box I get when I hit the ADD button.

I can't figure out how to add my IP address in the source and what to put for other answers.
Capture.JPG
Anyone else have any ideas?

I have a few questions.

We have some users who just use the OWA link remotely and are never in our office, so it is impossible for me to check their computers for threats. How do people normally handle this?

Second, I am still threat-free on both servers and all client computers, yet again this afternoon we got blocked on the Spamhaus site and I had to re-identify with them that we are legit.

Again, it is not every email we send, only some, but it has happened to every user on our network.

What can I do in our firewall? If a trojan or something compromised the server, isn't it on the server, and a SonicWall firewall rule won't block it because it will still be sending from our IP address if it is on our server?

Please help.
footech:
Correct, limiting SMTP to just the server won't help if it is just the server that is sending out the spam. However, it's much more likely for a workstation to be compromised than the server, and it helps to eliminate a lot of possibilities. If your queues and message tracking don't show any evidence of sending abnormal emails, then it's more likely that there is malware on the server that is sending the emails itself.

Have you checked your configuration to be sure you're not an open relay, or that you're not sending out NDRs for invalid recipients (backscatter)? (You should have recipient filtering on.)
Check your DNS records with tools like MXToolbox.com.

Some programs will send out emails at such a rate that it can take days for recipient systems to work through them, so sometimes even after you have done a cleanup, you may continue to get listed for a couple days (maybe more).
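The open-relay check footech mentions can be done from outside the network with nothing but an SMTP conversation: connect, give a MAIL FROM at a domain the server is not responsible for, then RCPT TO at another foreign domain. A server that answers 250 to that RCPT will relay for anyone and will get listed no matter how clean the workstations are. The script below is an added example, not from this thread or from any Exchange or Spamhaus tool: it implements that probe with the standard library and, so it runs offline, pairs it with a small in-process fake SMTP server that can be configured either to relay or to refuse. The local domain (fosterthomas.com as the assumed accepted domain) and the probe addresses are assumptions; point check_open_relay at your real server's public address from an outside host to get the real answer.

```python
"""Probe an SMTP server for open-relay behaviour.

Added example, not from the original thread. check_open_relay() sends the
classic relay test (external sender, external recipient) and reports whether
the RCPT was accepted. FakeSMTPServer is a stand-in so the script runs with
no network; the domains and addresses below are constructed assumptions.
"""
import smtplib
import socketserver
import threading

LOCAL_DOMAINS = {"fosterthomas.com"}  # domains the assumed server accepts mail for


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP dialogue. Relays to any domain when server.open_relay is True,
    otherwise accepts recipients only in LOCAL_DOMAINS (what recipient/relay
    restrictions on a real server should do)."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        self.reply("220 fake.local ESMTP")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            line = raw.decode(errors="replace").strip()
            verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250 fake.local")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Sender OK")
            elif verb == "RCPT":
                addr = line.split(":", 1)[1].strip().strip("<>")
                domain = addr.rsplit("@", 1)[-1].lower()
                if self.server.open_relay or domain in LOCAL_DOMAINS:
                    self.reply("250 2.1.5 Recipient OK")
                else:
                    self.reply("550 5.7.1 Unable to relay")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            elif verb in ("RSET", "NOOP"):
                self.reply("250 2.0.0 OK")
            else:
                self.reply("500 5.5.1 Command unrecognized")


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, open_relay):
        super().__init__(("127.0.0.1", 0), FakeSMTPHandler)
        self.open_relay = open_relay


def start_fake_server(open_relay):
    """Start a fake SMTP server on an ephemeral loopback port; returns (server, port)."""
    srv = FakeSMTPServer(open_relay)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_rcpt(host, port, sender, recipient):
    """Return the SMTP reply code the server gives to RCPT TO:<recipient>
    after MAIL FROM:<sender>, without sending any message body."""
    with smtplib.SMTP(host, port, local_hostname="tester.local", timeout=10) as smtp:
        smtp.ehlo()
        code, _ = smtp.mail(sender)
        if code != 250:
            return code
        code, _ = smtp.rcpt(recipient)
        return code


def check_open_relay(host, port, sender="probe@example.net", recipient="victim@example.org"):
    """True if the server accepts a relay from an external sender to an external recipient."""
    return probe_rcpt(host, port, sender, recipient) == 250


if __name__ == "__main__":
    for relay in (True, False):
        srv, port = start_fake_server(relay)
        verdict = "OPEN RELAY" if check_open_relay("127.0.0.1", port) else "relay refused"
        print(f"server configured open_relay={relay}: {verdict}")
        srv.shutdown()
        srv.server_close()
```

Run the probe from a host outside your network; from inside, the server may legitimately relay for your own address range and the test tells you nothing about what the rest of the internet sees.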
Do you know where the open relay setting/check would be in Exchange 2003? I am not sure where to check for that.

At MXToolbox.com, if I do a scan it says two warnings: "SOA Serial Number Format is Invalid" and "Expire Value is out of recommended range".

I am not sure what an SOA is though.
ASKER CERTIFIED SOLUTION
footech (United States of America)
This solution is only available to members.
I have read everything I can on blocking SMTP on my firewall except for my mail server, and I just can't figure it out. Does anyone know how to do this on a SonicWall TZ 190?