Small Business Server Support Forum    
Subject: Spam Issues
Guy Sheldrake (United Kingdom; Registered Users; Posts: 229; member since 4/28/2005)
8/21/2008 05:25 PM
I have an SBS 2003 that for 18 months or so has been sending out mail under its own steam via an ADSL connection with a fixed IP, behind an ADSL firewall router running NAT. The POP3 connector is used to collect mail, so there is no inbound port 25 access at all.

In the last couple of days the server (or I guess, more correctly, the IP of the server) has appeared on numerous blacklists, to the point where you can't send mail.

On asking Barracuda why they are blocking, they suggest that large quantities of spam are coming from the server IP address (not the server DNS name).

Initially I checked the server logs and Exchange queues, but all is as I would expect. I then ran a syslogger across the router that enables me to see everything passing across the external IF of the router; there is very little port 25 traffic.
 
The above would suggest that there is not a problem (viral or otherwise) with the network.
 
Am I missing something obvious?
Boon Tee (Adelaide, Australia; Platinum Membership; Posts: 484; member since 8/1/2005)
8/22/2008 01:03 AM
Have you checked out what else is behind the router? One of the PCs?

PowerBiz Solutions
Adelaide, Australia
Guy Sheldrake (United Kingdom; Registered Users; Posts: 229; member since 4/28/2005)
8/22/2008 10:04 AM

Well, as the router holds the "offending" IP address and the workstations sitting behind it are all doing NAT across it, I assumed that looking at all traffic passing across the router with the logging tool would show any PCs that are pumping rubbish out. There aren't any; the traffic patterns look perfectly normal.

Boon Tee (Adelaide, Australia; Platinum Membership; Posts: 484; member since 8/1/2005)
8/22/2008 12:35 PM
Have you been receiving a lot of spam? One of the standard techniques employed nowadays is to spam a server, so that the server generates NDRs back to the "sender" which is often the recipient of the spam.

PowerBiz Solutions
Adelaide, Australia
Guy Sheldrake (United Kingdom; Registered Users; Posts: 229; member since 4/28/2005)
8/22/2008 01:06 PM
No, and the server doesn't pick up mail directly; it's done using the POP3 connector, so any spam NDRs are not generated by the server but by the ISP's mail server.
Marina Roos (The Netherlands; Forum Admins; Posts: 12627; member since 3/24/2005)
8/22/2008 05:08 PM
Hi Guy,
 
Are you running AV on the server and desktops? Are you sure that 25 inbound is not enabled on the router? Did you ask the ISP for logs that would prove your IP is to blame?

Marina Roos, Smallbizserver.Net Administrator. Mission accomplished. We have joined the branch office to our SBS 2003 Headquarters and have the same user experience on the branch office as we have on our local network at the Headquarters. Want to know how? Sign up for a subscription and get instant access to the article series 'How to add an additional Domain Controller from a remote office to the SBS domain'.
Brian Mayo (Along the shoreline of New England; Registered Users; Posts: 317; member since 6/22/2005)
8/22/2008 05:24 PM
Since you're using the POP connector, you are set up with a web host. Why not avoid this problem entirely and just set up SMTP forwarding to their SMTP server? This way you never have to worry about reverse DNS, PTR, etc.
Chris Timm (United Kingdom; Registered Users; Posts: 87; member since 6/28/2006)
8/22/2008 06:53 PM
I have the same exact problem. In fact my customer called me today because he is getting a lot of SPAM on his email. When I looked at his inbox, there were about 130000 (yes, 13 thousand) messages in his inbox, and just as many in the Junk Mail folder, and it continued to grow. It looks like something has hijacked the server.

I have run an AV scan and spyware scan on all 5 machines including the server, and they are all clean. I ran AVG, which is installed, as well as about 3 different spyware applications, and all say it's clean. The mailbox is continuing to grow.

All the messages are NDRs, which just seem to grow bigger and bigger all the time.
Guy Sheldrake (United Kingdom; Registered Users; Posts: 229; member since 4/28/2005)
8/22/2008 08:02 PM
In some sort of order then:

1) Marina: AV is installed on the desktops but not the server. I'm positive that port 25 is blocked; I've port scanned from grc.com and it's shown as stealth. In addition I can't telnet to it.

2) Brian: "Since you're using the POP connector....you are set up with a webhost" can you please explain further.

3) Chris: I'm not experiencing spam issues; rather, the IP of the server is blacklisted as a source of spam.

4) I've set the SMTP connector to forward all mail so that the ISP can relay. This has cured 99% of the problem, but Barracuda still rejects the mail on the basis of the server's IP. I'm out of my depth now; how is Barracuda getting the server's IP if BT are relaying the mail?

5) Marina: re the logs, SpamCop, Spamhaus and Barracuda are all blacklisting the server's IP and are not overly helpful. Interestingly BT (who provide the connection) are saying that SORBS aren't blacklisting us.
Marina Roos (The Netherlands; Forum Admins; Posts: 12627; member since 3/24/2005)
8/26/2008 12:40 AM
Hi Guy,
 
What is the public IP?

Guy Sheldrake (United Kingdom; Registered Users; Posts: 229; member since 4/28/2005)
8/26/2008 09:26 AM
213.123.132.150
Brian Mayo (Along the shoreline of New England; Registered Users; Posts: 317; member since 6/22/2005)
8/26/2008 01:02 PM
Posted By Guy Sheldrake on 8/22/2008 08:02 PM
In some sort of order then:

1) Marina: AV is installed on the desktops but not the server. I'm positive that port 25 is blocked; I've port scanned from grc.com and it's shown as stealth. In addition I can't telnet to it.

2) Brian: "Since you're using the POP connector....you are set up with a webhost" can you please explain further.

4) I've set the SMTP connector to forward all mail so that the ISP can relay. This has cured 99% of the problem, but Barracuda still rejects the mail on the basis of the server's IP. I'm out of my depth now; how is Barracuda getting the server's IP if BT are relaying the mail?
You seemed to get what I was talking about. I meant: if you have POP3 mail being downloaded from some web host, you most likely have access to that web host's SMTP server. Thus you can set your SMTP connector to forward to them instead of having your server send out directly via DNS. When you use your web host's SMTP server to forward your SBS mail to, you don't have to worry about reverse DNS/PTR, and you avoid all the maintenance required with having to send out mail directly yourself (being blacklisted, spamlisted, etc.).
Marina Roos (The Netherlands; Forum Admins; Posts: 12627; member since 3/24/2005)
8/26/2008 01:59 PM
Hi Guy,
 
Are you using 1 or 2 NICs in the server? And do you have the 'Allow all computers...' box unchecked in the Relay options of the Default Virtual SMTP server?

Boon Tee (Adelaide, Australia; Platinum Membership; Posts: 484; member since 8/1/2005)
8/26/2008 03:07 PM
According to http://www.mxtoolbox.com/blacklists.aspx, you are listed on some sites. Further investigation here - http://psbl.surriel.com/evidence?ip=213.123.132.150&action=Check+evidence provided the evidence of why they listed you. Hopefully that is helpful?

From cyomad@contratasyobras.com Thu Aug 14 09:44:40 2008
Delivery-date: Thu, 14 Aug 2008 09:44:40 -0400
Received: from [213.123.132.150] (helo=horizon.westonarchitects.co.uk)
by mail.victim.example with esmtp (Exim 4.63)
(envelope-from )
id 1KTd84-0006x4-6K
for victim@smtp.example; Thu, 14 Aug 2008 09:44:40 -0400
Date: Thu, 14 Aug 2008 11:57:16 +0000
From: "cece jorge"
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)
MIME-Version: 1.0
To: "friend"
Subject: subject
boundary="770A17EC376AF1C"

This is a multi-part message in MIME format.

--770A17EC376AF1C
charset=iso-8859-1

PowerBiz Solutions
Adelaide, Australia
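An added example (mine, not code from the thread or any poster) in Python that does what Guy did by hand with Boon's evidence: it walks the Received: chain oldest hop first, skips the private addresses a NATed workstation would show, and returns the first public IP together with the HELO name it presented, which is what the blacklists score; it then builds the reversed-octet query names for the lists named in the thread. The second Received line and the pc12 host are constructed; the zone names are the lists' real public query zones.

```python
import ipaddress
import re

# Constructed input modelled on the Received: line quoted in the thread, newest hop
# first.  Entry 0 is the hop the victim's MX recorded; entry 1 is a hypothetical
# internal hop, the kind a NATed client leaves only if the SBS relayed its message.
SAMPLE_RECEIVED = [
    "from [213.123.132.150] (helo=horizon.westonarchitects.co.uk) "
    "by mail.victim.example with esmtp (Exim 4.63) id 1KTd84-0006x4-6K "
    "for victim@smtp.example; Thu, 14 Aug 2008 09:44:40 -0400",
    "from pc12.example.local ([192.168.1.12]) by horizon.westonarchitects.co.uk "
    "with Microsoft SMTPSVC; Thu, 14 Aug 2008 12:57:01 +0100",
]

# Public query zones of the lists named in the thread.
DNSBL_ZONES = {
    "Spamhaus ZEN": "zen.spamhaus.org",
    "SpamCop": "bl.spamcop.net",
    "Barracuda": "b.barracudacentral.org",
    "SORBS": "dnsbl.sorbs.net",
    "PSBL": "psbl.surriel.com",
}

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hop(received):
    """Return (ip, helo_name) from one Received: value; None where absent."""
    ip = IP_RE.search(received)
    helo = (re.search(r"helo=([\w.-]+)", received, re.I)
            or re.match(r"from\s+([\w.-]+)", received, re.I))
    return (ip.group(1) if ip else None, helo.group(1) if helo else None)

def originating_public_ip(received_headers):
    """Walk the hops oldest-first and return the first public IP with its HELO
    name: that address is what a DNSBL scores, whatever hostname was claimed."""
    for hop in reversed(received_headers):
        ip, helo = parse_hop(hop)
        if ip is None:
            continue
        if ipaddress.ip_address(ip).is_private:
            continue  # RFC 1918 or loopback: a NATed client, invisible outside
        return ip, helo
    return None, None

def dnsbl_query_names(ip):
    """Reverse the octets and append each zone; resolve the name with nslookup or
    dig, and an A-record answer means the IP is listed in that zone."""
    rev = ".".join(reversed(ip.split(".")))
    return {name: f"{rev}.{zone}" for name, zone in DNSBL_ZONES.items()}
```

Call originating_public_ip(SAMPLE_RECEIVED) to get the scored IP and HELO, then resolve each name from dnsbl_query_names() with nslookup to see which of the lists currently has it.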
Boon Tee (Adelaide, Australia; Platinum Membership; Posts: 484; member since 8/1/2005)
8/26/2008 03:09 PM
Also, from this site - http://www.moensted.dk/spam/no-more-funn/?addr=213.123.132.150&Submit=Submit

This IP is part of a listed netblock. This does NOT indicate that we think YOU are a spammer. This indicates that we in general don't trust your ISP/Country/Connection type. However, if you click "Whitelist/Exclude IP" your host will be automatically removed.

PowerBiz Solutions
Adelaide, Australia
Boon Tee (Adelaide, Australia; Platinum Membership; Posts: 484; member since 8/1/2005)
8/26/2008 03:15 PM
Did you also realize that you have something open on port 80? It would be a good idea to close off that port. Ports 443 and 4125 should be sufficient if you want to use OWA and RWW.

HTTP - 80
HTTP/1.1 403 Forbidden
Content-Length: 1549
Content-Type: text/html
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Tue, 26 Aug 2008 13:12:11 GMT
Connection: close

PowerBiz Solutions
Adelaide, Australia
Guy Sheldrake (United Kingdom; Registered Users; Posts: 229; member since 4/28/2005)
8/26/2008 06:33 PM
Hi Marina,
 
There is 1 NIC and we are using a hardware firewall/router. The 'Allow all computers...' option is set to only computers in the list, and that is the local subnet (192.168.1.0/24) and the loopback.

I did know that there was something running on port 80.

Thanks for the other info, I'll review and get back to you.

I've set forwarding up to the ISP's SMTP server, but the logs show that the server is communicating directly with the recipients' mail servers (i.e. it isn't forwarding). I've repaired the internet connection etc. and checked all the settings on the SMTP virtual server (stopped and restarted it) and also on the connector, and it all looks normal, but of course I am still getting rejections. What am I doing wrong/stupid??
Guy Sheldrake (United Kingdom; Registered Users; Posts: 229; member since 4/28/2005)
8/26/2008 07:22 PM
Just reviewed the info Boon supplied:
 
The server name and IP are correct in the message header (i.e. they appear to originate from the server rather than something behind the server), but neither the log files for the SMTP service nor the message tracking centre can find the message listed.
 
Thoughts....
Marina Roos (The Netherlands; Forum Admins; Posts: 12627; member since 3/24/2005)
8/27/2008 02:02 AM
Hi Guy,
 
Where exactly have you set up the forwarding to the ISP?

Guy Sheldrake (United Kingdom; Registered Users; Posts: 229; member since 4/28/2005)
8/27/2008 11:10 AM
Hi Marina,
 
I've had a play and now think that I've got it right. However I'm still getting bounces:
 
< C2bthomr05.btconnect.com #5.0.0 SMTP; 554 Service unavailable; Client host [c2bthomr05.btconnect.com] blocked using Barracuda Reputation; http://bbl.barracudacentral.com/q.cgi?ip=213.123.132.150>
 
As you can see the host name is now no longer the SBS, but how are Barracuda lifting the IP address of the SBS if mail is being forwarded through the ISP?