Moved Exchange database to a different drive, and got blacklisted?

TAPtech

What the heck?

I have a client with a SBS2008 running Exchange 2007. One of the original RAID 1 drives failed, swapped both of them out for new ones (one, let it rebuild, did the next). Set up an additional RAID 1 set for more data storage. Once that was set, I used the built in Exchange 2007 "Move Database" tool. That went ahead with no issues.

The next morning around 9AM I get a call from the client: they can receive but cannot send emails. Uh oh, I thought. Well, I looked at the send errors, and the emails are being rejected because their IP is blacklisted on Spamhaus!

What the heck?

The Spamhaus details are actually very useful, it gave the name of the most likely spam bot sending out the emails. I asked the client to run their Kaspersky on every machine, scanned the server, and cleared the blacklist.

At first I was thinking that somehow moving the Exchange database caused the blacklist so I wasn't too worried about a real infection. But now I'm thinking, well, what the heck?
 
It happens sometimes; there isn't even really anything doing it. My company has landed on that list at least 3 times before. Usually just go through the process to get off the BL, and if you get back on it within 24 hours then worry.
 
Make sure you only allow outgoing SMTP from the exchange server at the firewall, block everything else.
 
Not related to moving the infostore...just a coincidence.

Are you dumping right out to the internet? Or spitting out to a mail bastion host with an outbound SMTP service? Got a text record to the PTR? Have you run MXToolbox tests against the server and followed the recommended changes?
 
Checked the Sonicwall Connections Monitor and do not see anything on Port 25. I'm not good at Sonicwall. Is the Connections Monitor only in real time, or at least somewhat recent time? I'm looking through the "Log" on the tree at the left. Can I set up monitoring on a specific port here? I don't see an option for it.

Also, if someone is familiar with Sonicwall please check this setup I have made for blocking SMTP traffic:

1) Created an object for the Server's static IP (actually was already in there, looks like the guy who installed it did that).
2) In LAN to WAN, block all SMTP traffic
3) In LAN to WAN, allow SMTP traffic to the server object
 
> Not related to moving the infostore...just a coincidence.
>
> Are you dumping right out to the internet? Or spitting out to a mail bastion host with an outbound SMTP service? Got a text record to the PTR? Have you run MXToolbox tests against the server and followed the recommended changes?

Whoa, just ran the tool, very informative. I have used MXtoolbox before for simple cname lookups but I didn't know they had this great SMTP tool!

-Server is going straight into the 'net, looks like it was a "get SBS and set up every option it has in 2 hours" job. Seriously, this low end Dell PE was running eeeeevvvverything. We're fixing that slowly though ;)

-I get "SMTP Reverse DNS Mismatch" error on MXtools.

-MXtoolbox blacklist check (again, awesome!) shows: BARRACUDA, CBL, ivmSIP, RATS Dyna, SPAMCOP, and Spamhaus ZEN. Everything else looks good.

There is one workstation that has a lot of activity and uses a lot of bandwidth on multiple ports. The bulk of it is probably from Spotify, but I'm not familiar with the other ports. The user is an early 20's guy and probably has some "fringe" surfing habits. I will inspect his workstation tomorrow when he is in.

Sorry StoneCat, but what does PTR stand for?
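As an added example (not code from anyone in this thread), here is the pair of checks MXToolbox is doing above: forward-confirmed reverse DNS (the "SMTP Reverse DNS Mismatch" test) and a DNSBL lookup against zones such as Spamhaus ZEN. The DNS data is a constructed in-memory table using TEST-NET addresses so it runs offline; for a live check, swap in `socket.gethostbyaddr` and `socket.gethostbyname_ex`.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Resolver callables so the logic can run against a constructed DNS table.
# Live equivalents: ptr = lambda ip: socket.gethostbyaddr(ip)[0]
#                   a   = lambda name: socket.gethostbyname_ex(name)[2]
PtrLookup = Callable[[str], Optional[str]]   # ip -> hostname or None
ALookup = Callable[[str], List[str]]         # name -> list of IPv4 strings

def reverse_name(ip: str, zone: str) -> str:
    """DNSBL query name: octets reversed, then the list zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def fcrdns_check(ip: str, expected_host: str, ptr: PtrLookup, a: ALookup) -> Dict[str, object]:
    """Forward-confirmed reverse DNS: PTR(ip) must equal the name the server
    announces, and that name must resolve back to ip."""
    host = ptr(ip)
    if host is None:
        return {"ok": False, "reason": "no PTR record"}
    if host.rstrip(".").lower() != expected_host.rstrip(".").lower():
        return {"ok": False, "reason": f"PTR is {host}, server name is {expected_host}"}
    if ip not in a(host):
        return {"ok": False, "reason": f"{host} does not resolve back to {ip}"}
    return {"ok": True, "reason": "PTR and A agree"}

def dnsbl_listings(ip: str, zones: List[str], a: ALookup) -> List[str]:
    """Zones that list ip. A DNSBL answers 127.0.0.x when listed and
    NXDOMAIN (an empty list here) when clean."""
    return [z for z in zones
            if any(r.startswith("127.") for r in a(reverse_name(ip, z)))]

# Constructed DNS table (hypothetical hosts, TEST-NET ranges) for the demo.
FAKE_PTR = {"203.0.113.25": "mail.example.com."}
FAKE_A = {
    "mail.example.com.": ["203.0.113.25"],
    "25.113.0.203.zen.spamhaus.org": ["127.0.0.4"],   # listed (constructed)
    "25.113.0.203.bl.spamcop.net": [],                # clean (constructed)
}

def fake_ptr(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)

def fake_a(name: str) -> List[str]:
    return FAKE_A.get(name, [])

if __name__ == "__main__":
    print(fcrdns_check("203.0.113.25", "mail.example.com", fake_ptr, fake_a))
    print(dnsbl_listings("203.0.113.25", ["zen.spamhaus.org", "bl.spamcop.net"], fake_a))
```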
 
Thanks dbdawn. I didn't notice the priority column. Fortunately I got lucky on the initial setup and it was in the correct order.

I had to delist from the blacklist in order to test functionality to make sure emails could get out. Looks like it is working.

I also checked the Exchange logs to see if it could be an infected Outlook. I don't see anything mischievous looking.

This is the IP with all the multi-port traffic. Look like anything?

(attached screenshot: Capture.png)
 
I cannot stress this enough. NEVER request a delist until you have removed all possible infections. Very important! If you're running a recent SonicWall, go to the firewall and set a block rule for all traffic on port 25, and be sure to check enable logging. Then go into the log. It will pop up within a minute or two. Once you get the IP of the suspect, take it offline and clean. Once you have clear logs, THEN request delisting. You may have already caused some damage here. Most of the lists will give you a very hard time getting delisted again so soon. If you're on RATS, the only way you'll get off is to request a reverse DNS entry from your ISP. This doesn't cost anything; they do it all the time. Also, have them block outbound 25. Check your bounce-back headers to see if it's your IP, domain, or both that's been listed.
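As an added example (not from the poster above), this is the triage step the post describes once the outbound port 25 block rule has logging enabled: read the drop log, ignore the Exchange server's own traffic, and rank internal hosts by how many distinct external destinations they tried on TCP/25. The sample log lines are constructed in a generic key=value syslog style, not SonicWall's exact field layout, and the addresses are TEST-NET/RFC 1918 values.

```python
import re
from collections import defaultdict
from ipaddress import ip_address
from typing import List, Tuple

# Constructed drop-log sample. 192.168.1.10 plays the Exchange server (allowed);
# 192.168.1.57 is the hypothetical bot fanning out to many external MXs.
SAMPLE_LOG = """\
Jan 14 02:11:03 fw1 msg="Connection Dropped" src=192.168.1.57 dst=203.0.113.9 proto=tcp dstport=25
Jan 14 02:11:04 fw1 msg="Connection Dropped" src=192.168.1.57 dst=198.51.100.22 proto=tcp dstport=25
Jan 14 02:11:05 fw1 msg="Connection Opened" src=192.168.1.10 dst=198.51.100.40 proto=tcp dstport=25
Jan 14 02:11:06 fw1 msg="Connection Dropped" src=192.168.1.57 dst=192.0.2.77 proto=tcp dstport=25
Jan 14 02:11:07 fw1 msg="Connection Dropped" src=192.168.1.33 dst=203.0.113.80 proto=tcp dstport=443
Jan 14 02:11:08 fw1 msg="Connection Dropped" src=192.168.1.88 dst=192.0.2.15 proto=tcp dstport=25
"""

LINE_RE = re.compile(
    r'msg="(?P<msg>[^"]+)".*?src=(?P<src>\S+).*?dst=(?P<dst>\S+).*?dstport=(?P<dport>\d+)'
)

def smtp_offenders(log_text: str, mail_server_ip: str) -> List[Tuple[str, int]]:
    """Internal hosts (other than the mail server) dropped while reaching TCP/25,
    as (src, distinct_destinations) sorted with the busiest first. A spam bot
    typically talks to many different MXs, so distinct destinations rank well."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dport"] != "25" or m["msg"] != "Connection Dropped":
            continue
        src = m["src"]
        # Only private (inside) sources matter; the mail server is expected to send.
        if src == mail_server_ip or not ip_address(src).is_private:
            continue
        dests[src].add(m["dst"])
    return sorted(((s, len(d)) for s, d in dests.items()), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for src, n in smtp_offenders(SAMPLE_LOG, "192.168.1.10"):
        print(f"{src}: {n} distinct SMTP destinations blocked")
```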
 
> I cannot stress this enough. NEVER request a delist until you have removed all possible infections. Very important!

+1 Very important, because soon they won't delist your IP address anymore.

Also those logs are weird. Are you running endpoint anti-virus in addition to some sort of UTM?
 
I'm not sure how to enable the logging properly. Under the log tab, I clicked reports and "Start Data Collection." Is that it? Is there a way to narrow down to SMTP? I do not see anything in the Log categories for port 25.

Having trouble sleeping tonight so it's a good project :o

I'm already seeing that the 3rd shift over there is on multiple torrent websites.

This is a really good client of mine but they do not like to set up service contracts so we're on break/fix. I have recommended they subscribe to the SonicWall edge anti-virus / anti-spam but they didn't bite. Maybe this will be a good wake up call!
 
> Sorry StoneCat, but what does PTR stand for?

PoinTeR Record
http://hosting.intermedia.net/support/kb/?id=1317

aka RevDNS....Reverse DNS.

Make life easy for yourself. My rule of thumb for all of our Exchange clients...always use a mail bastion host that not only filters inbound spam and viruses, but also handles the outbound e-mail.

Like Postini, or services by MXLogic or Appriver.
We rolled our own services which we use for lots of our clients, and some other IT places use our services.

Allows you to lock down your clients Exchange server...port 25 is ONLY open/forwarded/exposed to accept traffic from the IP addresses specified (those of your mail service). The whole rest of the world is locked out. You set this in Exchange..and more importantly it's set on the edge appliance/firewall. This protects the Exchange server from those constant grinding attacks and directory harvests.

And of course you setup the outbound service so that the Exchange server sends mail out through a trusted SMTP service. This greatly cuts down on your worry about being put on spam lists. Pretty much eliminates it.
 
No need to ink out those IPs...your inside network is private; even if that 3rd octet was left un-blacked-out, it's behind NAT, and it's a private class C range. And the destination IPs are most likely just random.
 
I would much sooner switch these guys over to o365 than do too much work on the Exchange server. They have 6 email accounts. A lot more computers inside the network but most are for interior purposes and do not need email. They typically don't like subscriptions but they did seem a bit interested in o365 and I think this would be a very good reason to switch.

The Data collection on the SonicWall showed a lot of unsavory traffic last night during the third shift. 1GB data to an iPhone, and another 1GB to an IP I do not recognize.

Lots of hits to torrent sites, and some porn sites. Looks like they need to change the wireless password!

I found one IP wailing the port 25 block! Woohoo! Time to throw a bucket of bleach into the case.
 
> +1 Very important, because soon they won't delist your IP address anymore.
>
> Also those logs are weird. Are you running endpoint anti-virus in addition to some sort of UTM?

I don't 100% agree with that because it is easy enough to falsely end up on the list. In addition to false listing, this is also because I work for an operation that is 24/7 and the upper management doesn't tolerate any downtime on email. But certainly on a 2nd or 3rd blocking within a time frame of less than a week you need to do as much research and troubleshooting as possible before delisting. They will delist after, but the process is not automated; it involves making a request and providing some details in order for them to authorize and delist again.

Definitely agree with blocking SMTP from anything that isn't a server, and even then limit it to the server(s) that need to send out SMTP. Relay needs to be turned off or limited to select devices which need it, such as perhaps a network scanner or copier with a scan-to-email option.
 
> I don't 100% agree with that because it is easy enough to falsely end up on the list. In addition to false listing, this is also because I work for an operation that is 24/7 and the upper management doesn't tolerate any downtime on email. But certainly on a 2nd or 3rd blocking within a time frame of less than a week you need to do as much research and troubleshooting as possible before delisting. They will delist after, but the process is not automated; it involves making a request and providing some details in order for them to authorize and delist again.

I should clarify that I am going on my experience. Do you use any type of spam filtering service such as Barracuda, MXLogic, Postini or Mimecast on all incoming and outgoing email?
 