The important thing here is whether your queues in the Exchange server have lots of messages in them. If they are clear, then it is probably not your Exchange server that is being abused, but a client. However if you are using a smart host of some kind to send email then your server could still be the source of the blacklisting.
Have you checked the blacklist's web sites? Sometimes they will have a copy of the message that triggered the listing. Looking at the message you might be able to diagnose which machine it is. I wrote a blog posting on this exact scenario a few months ago. http://www.sembee.co.uk/archive/2008/03/13/73.aspx The fact that you have Symantec on all of your workstations means nothing. Which product do you think all of the BOT writers test their "product" against to see if it will infect the machines? The market leader - Symantec. Simon. -- Simon Butler MVP: Exchange, MCSE Amset IT Solutions Ltd. e: [EMAIL PROTECTED] w: www.amset.co.uk w: www.amset.info Need cheap certificates for Exchange, compatible with Windows Mobile 5.0? http://CertificatesForExchange.com/<http://certificatesforexchange.com/> for certificates from just $23.99. Need a domain for your certificate? http://DomainsForExchange.net/<http://domainsforexchange.net/> ________________________________ From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: 28 July 2008 23:15 To: NT System Admin Issues Subject: RE: blacklists Yes, with MXToolbox everything check out. ________________________________ From: Roger Wright [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 6:11 PM To: NT System Admin Issues Subject: RE: blacklists Have you tested for Open Relay? Roger Wright Network Administrator 727.572.7076 x388 _____ From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 5:35 PM To: NT System Admin Issues Subject: blacklists We've been finding ourself on some blacklists since last week and have basically shut us down. Specifically Spamhaus and Barracuda's. I'm not sure if I have an infected computer on my network sending spam or not. I've requested my ip removed from the blacklists several times, but after a day or two I'm back on. I've got a window to post this question before it happens again. Here's what I have. One Domain, two locations connected via PTP T1 (Adtrans). All Internet access is at one location where I have my Mail Server 2003 (Ninja) and a Watchguard Firewall. All clients (about 200) running Symantec AV. I don't have really the tools or knowledge to run any packet capture software (or anything else) to determine if I have an owned machine, but while I am working on that is there any way to close my firewall to outbound mail traffic while still letting my Exchange out? Do infected computers send email thru port 25 like Exchange? If so, can I block that port and change the port Exchange uses to send? If so, how? This may take me awhile, but I'd like to stay off the blacklists in the mean time. One thing I've done is installed Zone Alarm on my pc to see if I can catch any of my local computers scanning my network. After the install it asked if I wanted my Outlook to act as a Server. The info button showed that it should be ok to do, but I said "no". My email seems to be working but I keep getting notifications that ZA is blocking internet access to my computer from my mail server. This is probably nothing. Thanks for any suggestions. Paul Everett IS Dept. Lee Mental Health Center 239-791-1551 "Lee Mental Health Center, Inc. providing services through Ruth Cooper Center for Behavioral Health Care and VISTA Behavioral Crisis Services. Visit our website at www.leementalhealth.org<blocked::http://www.leementalhealth.org/> to learn more." Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message, including attachments. ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~