Infected computers use port 25 like everything else. At the firewall create a port 25 outbound rule that only allows the Exchange server. BTW your final firewall rule should be to disallow everything that isn't specifically allowed, right?!

At the Exchange server only allow relaying for localhost. Now any outbound spam has no choice to get out except to use MAPI and the Exchange server, and if such a thing were happening you could track it. Assuming of course, that the Exchange server itself is clean.

Carl

_____

From: Paul Everett [mailto:[EMAIL PROTECTED]
Sent: Monday, July 28, 2008 5:35 PM
To: NT System Admin Issues
Subject: blacklists

We've been finding ourselves on some blacklists since last week and they have basically shut us down. Specifically Spamhaus and Barracuda's. I'm not sure if I have an infected computer on my network sending spam or not. I've requested my IP be removed from the blacklists several times, but after a day or two I'm back on. I've got a window to post this question before it happens again.

Here's what I have. One Domain, two locations connected via PTP T1 (Adtrans). All Internet access is at one location where I have my Mail Server 2003 (Ninja) and a Watchguard Firewall. All clients (about 200) running Symantec AV.

I don't really have the tools or knowledge to run any packet capture software (or anything else) to determine if I have an owned machine, but while I am working on that is there any way to close my firewall to outbound mail traffic while still letting my Exchange out? Do infected computers send email through port 25 like Exchange? If so, can I block that port and change the port Exchange uses to send? If so, how? This may take me a while, but I'd like to stay off the blacklists in the meantime.

One thing I've done is installed Zone Alarm on my PC to see if I can catch any of my local computers scanning my network. After the install it asked if I wanted my Outlook to act as a Server. The info button showed that it should be ok to do, but I said "no". My email seems to be working but I keep getting notifications that ZA is blocking internet access to my computer from my mail server. This is probably nothing.

Thanks for any suggestions.

Paul Everett
IS Dept.
Lee Mental Health Center
239-791-1551
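
An added example, not part of the original thread: once the firewall only lets the Exchange server out on port 25, any other internal host that still tries outbound TCP/25 shows up in the firewall log, and counting those attempts per source is a quick way to find the machine to inspect. The mail server address, the log layout and the sample lines are constructed assumptions; this is not WatchGuard's log format, so the regular expression has to be adapted to the appliance's actual export.

```python
import re
from collections import Counter

# Assumed address of the Exchange server (placeholder, not from the thread).
MAIL_SERVER = "192.0.2.10"

# Constructed sample lines in a generic key=value firewall log layout.
# NOT WatchGuard's format; adapt LINE_RE to what your appliance exports.
SAMPLE_LOG = """\
2008-07-29T09:00:01 action=allow proto=tcp src=192.0.2.10 dst=203.0.113.5 dport=25
2008-07-29T09:00:03 action=deny proto=tcp src=192.0.2.57 dst=198.51.100.20 dport=25
2008-07-29T09:00:03 action=deny proto=tcp src=192.0.2.57 dst=198.51.100.21 dport=25
2008-07-29T09:00:04 action=deny proto=tcp src=192.0.2.57 dst=203.0.113.99 dport=25
2008-07-29T09:00:09 action=allow proto=tcp src=192.0.2.80 dst=203.0.113.7 dport=80
2008-07-29T09:01:15 action=deny proto=tcp src=192.0.2.133 dst=198.51.100.20 dport=25
2008-07-29T09:02:00 action=deny proto=udp src=192.0.2.80 dst=203.0.113.8 dport=25
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def smtp_egress_offenders(log_text, mail_server=MAIL_SERVER):
    """Return {src_ip: (attempts, distinct_destinations)} for every host other
    than the mail server that tried outbound TCP/25, allowed or denied."""
    attempts = Counter()
    dests = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line does not match the assumed layout
        if m["proto"].lower() != "tcp" or m["dport"] != "25":
            continue  # only SMTP over TCP is of interest here
        src = m["src"]
        if src == mail_server:
            continue  # the one host permitted to send mail to the Internet
        attempts[src] += 1
        dests.setdefault(src, set()).add(m["dst"])
    # Busiest sources first: a host hitting many different mail servers
    # is the first one to pull off the network and examine.
    return {ip: (n, len(dests[ip])) for ip, n in attempts.most_common()}


if __name__ == "__main__":
    for ip, (n, d) in smtp_egress_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} SMTP attempts to {d} distinct destinations")
```
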
