RE: blacklists
On 28 Jul 2008 at 17:23, Dennis Hoefer wrote: Open Policy Manager on theWatchguard 700, youwill have either a proxy or filter policy for SMTP. On the Outgoing tab, set From: to the IP address of your mail server and To: to all The default rule is all to all, which will allow traffic from port 25 to pass from any machine on your network. By setting From: to only your mail server IP, you will block any internal machines that may be attempting to send SMTP traffic on their own.You can also set the rule to log denied traffic which will quickly identify internal machines that areattempting to use port 25. If there's any way to log attempts to use port 25, do that as well, then you can figure out which machine(s) are trying to send. I implemented just such a pair of IPTABLES rules on an IPCop firewall for a client-of-a-colleague who kept getting blacklisted and we discovered a forgotten box on a Frame Relay line from a remote site which she wasn't aware of when she checked 'all' the computers for infections. -- Angus Scott-Fleming GeoApps, Tucson, Arizona 1-520-290-5038 +---+ ~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~ ~ http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm ~
RE: blacklists
Everything is looking good this morning, as far as our email is concerned and so far still off the blacklists. In host watch of the Watchguard System Manager, I am getting numerous (hundreds/minute) outbound Filtered-SMTP denies from my DC (which is my mail gateway). I thought mail was just going thru there one-way (incoming). Mail in -WG Firewall - DC (Symantec Mail Security for SMTP) - Exchange Server - WG Firewall - Mail out. Could there just be a misconfiguration on my DC? Paul From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 6:52 PM To: NT System Admin Issues Subject: RE: blacklists They are proxy's. I have two defined. One called SMTP and it has the incoming set From: any, To: WG ip - DC (mail gateway). The outgoing tab is disabled. The other proxy is called Filtered-SMTP. It's Incoming is Disabled and the Outgoing is set From: Any, To: Any. I change this From: Exchange ip, To: Any. I've never been able to figure logging on the WG. I can never find the logs and for email, I can't find where to set the address?? The WG interface seems so simple, but it really makes me feel like an idiot at times. Hope this is good enough damage control for tonight. I'll be back in the am to check things and do more investigating. Thanks for all the suggestions. Paul From: Dennis Hoefer [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 6:24 PM To: NT System Admin Issues Subject: RE: blacklists Open Policy Manager on the Watchguard 700, you will have either a proxy or filter policy for SMTP. On the Outgoing tab, set From: to the IP address of your mail server and To: to all The default rule is all to all, which will allow traffic from port 25 to pass from any machine on your network. By setting From: to only your mail server IP, you will block any internal machines that may be attempting to send SMTP traffic on their own. You can also set the rule to log denied traffic which will quickly identify internal machines that are attempting to use port 25. Configuration is a little different on the newer Watchguard boxes, but should be pretty straight forward on the 700. If the problem persists, then you're back to a relay problem or compromised mail server. Dennis From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 4:54 PM To: NT System Admin Issues Subject: RE: blacklists Set the mail server so that it only accepts mail from your exchange server They are one and the same. My DC is actually my Mail Gateway between the WG and Exchange. Block port 25 at the firewall for all but authorized systems (mail server). Any idea how to do this on a Watchguard 700? Thanks From: Tim Evans [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 5:47 PM To: NT System Admin Issues Subject: RE: blacklists Sounds like you may have an infected client on your network that is sending outbound spam. Block port 25 at the firewall for all but authorized systems (mail server). Set the mail server so that it only accepts mail from your exchange server. That should get things cleared up enough so that you'll stay off the blacklists and give you some time to hunt for the guilty party. ...Tim From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 2:35 PM To: NT System Admin Issues Subject: blacklists We've been finding ourself on some blacklists since last week and have basically shut us down. Specifically Spamhaus and Barracuda's. I'm not sure if I have an infected computer on my network sending spam or not. I've requested my ip removed from the blacklists several times, but after a day or two I'm back on. I've got a window to post this question before it happens again. Here's what I have. One Domain, two locations connected via PTP T1 (Adtrans). All Internet access is at one location where I have my Mail Server 2003 (Ninja) and a Watchguard Firewall. All clients (about 200) running Symantec AV. I don't have really the tools or knowledge to run any packet capture software (or anything else) to determine if I have an owned machine, but while I am working on that is there any way to close my firewall to outbound mail traffic while still letting my Exchange out? Do infected computers send email thru port 25 like Exchange? If so, can I block that port and change the port Exchange uses to send? If so, how? This may take me awhile, but I'd like to stay off the blacklists in the mean time. One thing I've done is installed Zone Alarm on my pc to see if I can catch any of my local computers scanning my network. After the install it asked if I wanted my Outlook to act as a Server. The info button showed that it should be ok to do, but I said no. My email seems to be working but I keep getting notifications that ZA is blocking internet
RE: blacklists
It sounds like either something is misconfigured, your DC is infected or you don't correctly understand how mail is supposed to flow in your network. Get on your DC and run netstat -no and looks for connection to port 25 on your firewall. Then look up the PID in task manager to see what process on the DC is sending the mail. ...Tim From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 29, 2008 6:00 AM To: NT System Admin Issues Subject: RE: blacklists Everything is looking good this morning, as far as our email is concerned and so far still off the blacklists. In host watch of the Watchguard System Manager, I am getting numerous (hundreds/minute) outbound Filtered-SMTP denies from my DC (which is my mail gateway). I thought mail was just going thru there one-way (incoming). Mail in -WG Firewall - DC (Symantec Mail Security for SMTP) - Exchange Server - WG Firewall - Mail out. Could there just be a misconfiguration on my DC? Paul From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 6:52 PM To: NT System Admin Issues Subject: RE: blacklists They are proxy's. I have two defined. One called SMTP and it has the incoming set From: any, To: WG ip - DC (mail gateway). The outgoing tab is disabled. The other proxy is called Filtered-SMTP. It's Incoming is Disabled and the Outgoing is set From: Any, To: Any. I change this From: Exchange ip, To: Any. I've never been able to figure logging on the WG. I can never find the logs and for email, I can't find where to set the address?? The WG interface seems so simple, but it really makes me feel like an idiot at times. Hope this is good enough damage control for tonight. I'll be back in the am to check things and do more investigating. Thanks for all the suggestions. Paul From: Dennis Hoefer [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 6:24 PM To: NT System Admin Issues Subject: RE: blacklists Open Policy Manager on the Watchguard 700, you will have either a proxy or filter policy for SMTP. On the Outgoing tab, set From: to the IP address of your mail server and To: to all The default rule is all to all, which will allow traffic from port 25 to pass from any machine on your network. By setting From: to only your mail server IP, you will block any internal machines that may be attempting to send SMTP traffic on their own. You can also set the rule to log denied traffic which will quickly identify internal machines that are attempting to use port 25. Configuration is a little different on the newer Watchguard boxes, but should be pretty straight forward on the 700. If the problem persists, then you're back to a relay problem or compromised mail server. Dennis From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 4:54 PM To: NT System Admin Issues Subject: RE: blacklists Set the mail server so that it only accepts mail from your exchange server They are one and the same. My DC is actually my Mail Gateway between the WG and Exchange. Block port 25 at the firewall for all but authorized systems (mail server). Any idea how to do this on a Watchguard 700? Thanks From: Tim Evans [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 5:47 PM To: NT System Admin Issues Subject: RE: blacklists Sounds like you may have an infected client on your network that is sending outbound spam. Block port 25 at the firewall for all but authorized systems (mail server). Set the mail server so that it only accepts mail from your exchange server. That should get things cleared up enough so that you'll stay off the blacklists and give you some time to hunt for the guilty party. ...Tim From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 2:35 PM To: NT System Admin Issues Subject: blacklists We've been finding ourself on some blacklists since last week and have basically shut us down. Specifically Spamhaus and Barracuda's. I'm not sure if I have an infected computer on my network sending spam or not. I've requested my ip removed from the blacklists several times, but after a day or two I'm back on. I've got a window to post this question before it happens again. Here's what I have. One Domain, two locations connected via PTP T1 (Adtrans). All Internet access is at one location where I have my Mail Server 2003 (Ninja) and a Watchguard Firewall. All clients (about 200) running Symantec AV. I don't have really the tools or knowledge to run any packet capture software (or anything else) to determine if I have an owned machine, but while I am working on that is there any way to close my firewall to outbound mail traffic while still letting my Exchange out? Do infected computers send email thru port 25 like Exchange? If so, can I block that port and change
RE: blacklists
It's the Symantec Mail Security for SMTP. Now what? From: Tim Evans [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 29, 2008 9:54 AM To: NT System Admin Issues Subject: RE: blacklists It sounds like either something is misconfigured, your DC is infected or you don't correctly understand how mail is supposed to flow in your network. Get on your DC and run netstat -no and looks for connection to port 25 on your firewall. Then look up the PID in task manager to see what process on the DC is sending the mail. ...Tim From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 29, 2008 6:00 AM To: NT System Admin Issues Subject: RE: blacklists Everything is looking good this morning, as far as our email is concerned and so far still off the blacklists. In host watch of the Watchguard System Manager, I am getting numerous (hundreds/minute) outbound Filtered-SMTP denies from my DC (which is my mail gateway). I thought mail was just going thru there one-way (incoming). Mail in -WG Firewall - DC (Symantec Mail Security for SMTP) - Exchange Server - WG Firewall - Mail out. Could there just be a misconfiguration on my DC? Paul From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 6:52 PM To: NT System Admin Issues Subject: RE: blacklists They are proxy's. I have two defined. One called SMTP and it has the incoming set From: any, To: WG ip - DC (mail gateway). The outgoing tab is disabled. The other proxy is called Filtered-SMTP. It's Incoming is Disabled and the Outgoing is set From: Any, To: Any. I change this From: Exchange ip, To: Any. I've never been able to figure logging on the WG. I can never find the logs and for email, I can't find where to set the address?? The WG interface seems so simple, but it really makes me feel like an idiot at times. Hope this is good enough damage control for tonight. I'll be back in the am to check things and do more investigating. Thanks for all the suggestions. Paul From: Dennis Hoefer [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 6:24 PM To: NT System Admin Issues Subject: RE: blacklists Open Policy Manager on the Watchguard 700, you will have either a proxy or filter policy for SMTP. On the Outgoing tab, set From: to the IP address of your mail server and To: to all The default rule is all to all, which will allow traffic from port 25 to pass from any machine on your network. By setting From: to only your mail server IP, you will block any internal machines that may be attempting to send SMTP traffic on their own. You can also set the rule to log denied traffic which will quickly identify internal machines that are attempting to use port 25. Configuration is a little different on the newer Watchguard boxes, but should be pretty straight forward on the 700. If the problem persists, then you're back to a relay problem or compromised mail server. Dennis From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 4:54 PM To: NT System Admin Issues Subject: RE: blacklists Set the mail server so that it only accepts mail from your exchange server They are one and the same. My DC is actually my Mail Gateway between the WG and Exchange. Block port 25 at the firewall for all but authorized systems (mail server). Any idea how to do this on a Watchguard 700? Thanks From: Tim Evans [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 5:47 PM To: NT System Admin Issues Subject: RE: blacklists Sounds like you may have an infected client on your network that is sending outbound spam. Block port 25 at the firewall for all but authorized systems (mail server). Set the mail server so that it only accepts mail from your exchange server. That should get things cleared up enough so that you'll stay off the blacklists and give you some time to hunt for the guilty party. ...Tim From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 2:35 PM To: NT System Admin Issues Subject: blacklists We've been finding ourself on some blacklists since last week and have basically shut us down. Specifically Spamhaus and Barracuda's. I'm not sure if I have an infected computer on my network sending spam or not. I've requested my ip removed from the blacklists several times, but after a day or two I'm back on. I've got a window to post this question before it happens again. Here's what I have. One Domain, two locations connected via PTP T1 (Adtrans). All Internet access is at one location where I have my Mail Server 2003 (Ninja) and a Watchguard Firewall. All clients (about 200) running Symantec AV. I don't have really the tools or knowledge to run any packet capture software (or anything else) to determine if I have an owned machine, but while I
RE: blacklists
And those are connections from the DC to the firewall (and not the reverse)? Something is misconfigured or you misunderstand how mail is supposed to flow. Is all the mail flowing outbound that is supposed to be? ...Tim From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 29, 2008 8:05 AM To: NT System Admin Issues Subject: RE: blacklists It's the Symantec Mail Security for SMTP. Now what? From: Tim Evans [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 29, 2008 9:54 AM To: NT System Admin Issues Subject: RE: blacklists It sounds like either something is misconfigured, your DC is infected or you don't correctly understand how mail is supposed to flow in your network. Get on your DC and run netstat -no and looks for connection to port 25 on your firewall. Then look up the PID in task manager to see what process on the DC is sending the mail. ...Tim From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 29, 2008 6:00 AM To: NT System Admin Issues Subject: RE: blacklists Everything is looking good this morning, as far as our email is concerned and so far still off the blacklists. In host watch of the Watchguard System Manager, I am getting numerous (hundreds/minute) outbound Filtered-SMTP denies from my DC (which is my mail gateway). I thought mail was just going thru there one-way (incoming). Mail in -WG Firewall - DC (Symantec Mail Security for SMTP) - Exchange Server - WG Firewall - Mail out. Could there just be a misconfiguration on my DC? Paul From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 6:52 PM To: NT System Admin Issues Subject: RE: blacklists They are proxy's. I have two defined. One called SMTP and it has the incoming set From: any, To: WG ip - DC (mail gateway). The outgoing tab is disabled. The other proxy is called Filtered-SMTP. It's Incoming is Disabled and the Outgoing is set From: Any, To: Any. I change this From: Exchange ip, To: Any. I've never been able to figure logging on the WG. I can never find the logs and for email, I can't find where to set the address?? The WG interface seems so simple, but it really makes me feel like an idiot at times. Hope this is good enough damage control for tonight. I'll be back in the am to check things and do more investigating. Thanks for all the suggestions. Paul From: Dennis Hoefer [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 6:24 PM To: NT System Admin Issues Subject: RE: blacklists Open Policy Manager on the Watchguard 700, you will have either a proxy or filter policy for SMTP. On the Outgoing tab, set From: to the IP address of your mail server and To: to all The default rule is all to all, which will allow traffic from port 25 to pass from any machine on your network. By setting From: to only your mail server IP, you will block any internal machines that may be attempting to send SMTP traffic on their own. You can also set the rule to log denied traffic which will quickly identify internal machines that are attempting to use port 25. Configuration is a little different on the newer Watchguard boxes, but should be pretty straight forward on the 700. If the problem persists, then you're back to a relay problem or compromised mail server. Dennis From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 4:54 PM To: NT System Admin Issues Subject: RE: blacklists Set the mail server so that it only accepts mail from your exchange server They are one and the same. My DC is actually my Mail Gateway between the WG and Exchange. Block port 25 at the firewall for all but authorized systems (mail server). Any idea how to do this on a Watchguard 700? Thanks From: Tim Evans [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 5:47 PM To: NT System Admin Issues Subject: RE: blacklists Sounds like you may have an infected client on your network that is sending outbound spam. Block port 25 at the firewall for all but authorized systems (mail server). Set the mail server so that it only accepts mail from your exchange server. That should get things cleared up enough so that you'll stay off the blacklists and give you some time to hunt for the guilty party. ...Tim From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 2:35 PM To: NT System Admin Issues Subject: blacklists We've been finding ourself on some blacklists since last week and have basically shut us down. Specifically Spamhaus and Barracuda's. I'm not sure if I have an infected computer on my network sending spam or not. I've requested my ip removed from the blacklists several times, but after a day or two I'm back on. I've got a window to post this question before it happens again. Here's what I have
RE: blacklists
Yes, all the mail seems to be flowing out just fine. I'm getting rely denied ndr's for a few domains and I seem to be listed with Barracuda still, but no other issues I'm aware of. I'm showing connections using port 25 on both local address and foreign address. The entries which are on local address most of the state values are Time-wait with a pid of 0. The occasional pid of smssmtp. All the foreign addresses showing pid of smssmtp. I must not understand how mail is supposed to flow. I assumed that the mail flowed into and out of the Mail Gateway (my DC), and maybe it did (and still trying), but my Exchange Server seems to be sending it fine since that is the only ip allowed out in my firewall (for smtp traffic). When I installed Ninja on my Exchange Box I uninstalled Symantec for Exchange (or whatever it's called). My plan was to also take Symantec Mail Security for SMTP off the DC, but decide that it was an extra layer of Security that wasn't hurting anything. I can't remember if we did anything to change the flow of outgoing email at that time or not. Paul From: Tim Evans [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 29, 2008 11:15 AM To: NT System Admin Issues Subject: RE: blacklists And those are connections from the DC to the firewall (and not the reverse)? Something is misconfigured or you misunderstand how mail is supposed to flow. Is all the mail flowing outbound that is supposed to be? ...Tim From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 29, 2008 8:05 AM To: NT System Admin Issues Subject: RE: blacklists It's the Symantec Mail Security for SMTP. Now what? From: Tim Evans [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 29, 2008 9:54 AM To: NT System Admin Issues Subject: RE: blacklists It sounds like either something is misconfigured, your DC is infected or you don't correctly understand how mail is supposed to flow in your network. Get on your DC and run netstat -no and looks for connection to port 25 on your firewall. Then look up the PID in task manager to see what process on the DC is sending the mail. ...Tim From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 29, 2008 6:00 AM To: NT System Admin Issues Subject: RE: blacklists Everything is looking good this morning, as far as our email is concerned and so far still off the blacklists. In host watch of the Watchguard System Manager, I am getting numerous (hundreds/minute) outbound Filtered-SMTP denies from my DC (which is my mail gateway). I thought mail was just going thru there one-way (incoming). Mail in -WG Firewall - DC (Symantec Mail Security for SMTP) - Exchange Server - WG Firewall - Mail out. Could there just be a misconfiguration on my DC? Paul From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 6:52 PM To: NT System Admin Issues Subject: RE: blacklists They are proxy's. I have two defined. One called SMTP and it has the incoming set From: any, To: WG ip - DC (mail gateway). The outgoing tab is disabled. The other proxy is called Filtered-SMTP. It's Incoming is Disabled and the Outgoing is set From: Any, To: Any. I change this From: Exchange ip, To: Any. I've never been able to figure logging on the WG. I can never find the logs and for email, I can't find where to set the address?? The WG interface seems so simple, but it really makes me feel like an idiot at times. Hope this is good enough damage control for tonight. I'll be back in the am to check things and do more investigating. Thanks for all the suggestions. Paul From: Dennis Hoefer [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 6:24 PM To: NT System Admin Issues Subject: RE: blacklists Open Policy Manager on the Watchguard 700, you will have either a proxy or filter policy for SMTP. On the Outgoing tab, set From: to the IP address of your mail server and To: to all The default rule is all to all, which will allow traffic from port 25 to pass from any machine on your network. By setting From: to only your mail server IP, you will block any internal machines that may be attempting to send SMTP traffic on their own. You can also set the rule to log denied traffic which will quickly identify internal machines that are attempting to use port 25. Configuration is a little different on the newer Watchguard boxes, but should be pretty straight forward on the 700. If the problem persists, then you're back to a relay problem or compromised mail server. Dennis From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 4:54 PM To: NT System Admin Issues Subject: RE: blacklists Set the mail server so that it only accepts mail from your exchange server They are one and the same. My DC is actually my Mail Gateway
RE: blacklists
I'm going to move this over to the Exchange forum. Thanks for all the help. Paul From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 29, 2008 12:42 PM To: NT System Admin Issues Subject: RE: blacklists Yes, all the mail seems to be flowing out just fine. I'm getting rely denied ndr's for a few domains and I seem to be listed with Barracuda still, but no other issues I'm aware of. I'm showing connections using port 25 on both local address and foreign address. The entries which are on local address most of the state values are Time-wait with a pid of 0. The occasional pid of smssmtp. All the foreign addresses showing pid of smssmtp. I must not understand how mail is supposed to flow. I assumed that the mail flowed into and out of the Mail Gateway (my DC), and maybe it did (and still trying), but my Exchange Server seems to be sending it fine since that is the only ip allowed out in my firewall (for smtp traffic). When I installed Ninja on my Exchange Box I uninstalled Symantec for Exchange (or whatever it's called). My plan was to also take Symantec Mail Security for SMTP off the DC, but decide that it was an extra layer of Security that wasn't hurting anything. I can't remember if we did anything to change the flow of outgoing email at that time or not. Paul From: Tim Evans [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 29, 2008 11:15 AM To: NT System Admin Issues Subject: RE: blacklists And those are connections from the DC to the firewall (and not the reverse)? Something is misconfigured or you misunderstand how mail is supposed to flow. Is all the mail flowing outbound that is supposed to be? ...Tim From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 29, 2008 8:05 AM To: NT System Admin Issues Subject: RE: blacklists It's the Symantec Mail Security for SMTP. Now what? From: Tim Evans [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 29, 2008 9:54 AM To: NT System Admin Issues Subject: RE: blacklists It sounds like either something is misconfigured, your DC is infected or you don't correctly understand how mail is supposed to flow in your network. Get on your DC and run netstat -no and looks for connection to port 25 on your firewall. Then look up the PID in task manager to see what process on the DC is sending the mail. ...Tim From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Tuesday, July 29, 2008 6:00 AM To: NT System Admin Issues Subject: RE: blacklists Everything is looking good this morning, as far as our email is concerned and so far still off the blacklists. In host watch of the Watchguard System Manager, I am getting numerous (hundreds/minute) outbound Filtered-SMTP denies from my DC (which is my mail gateway). I thought mail was just going thru there one-way (incoming). Mail in -WG Firewall - DC (Symantec Mail Security for SMTP) - Exchange Server - WG Firewall - Mail out. Could there just be a misconfiguration on my DC? Paul From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 6:52 PM To: NT System Admin Issues Subject: RE: blacklists They are proxy's. I have two defined. One called SMTP and it has the incoming set From: any, To: WG ip - DC (mail gateway). The outgoing tab is disabled. The other proxy is called Filtered-SMTP. It's Incoming is Disabled and the Outgoing is set From: Any, To: Any. I change this From: Exchange ip, To: Any. I've never been able to figure logging on the WG. I can never find the logs and for email, I can't find where to set the address?? The WG interface seems so simple, but it really makes me feel like an idiot at times. Hope this is good enough damage control for tonight. I'll be back in the am to check things and do more investigating. Thanks for all the suggestions. Paul From: Dennis Hoefer [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 6:24 PM To: NT System Admin Issues Subject: RE: blacklists Open Policy Manager on the Watchguard 700, you will have either a proxy or filter policy for SMTP. On the Outgoing tab, set From: to the IP address of your mail server and To: to all The default rule is all to all, which will allow traffic from port 25 to pass from any machine on your network. By setting From: to only your mail server IP, you will block any internal machines that may be attempting to send SMTP traffic on their own. You can also set the rule to log denied traffic which will quickly identify internal machines that are attempting to use port 25. Configuration is a little different on the newer Watchguard boxes, but should be pretty straight forward on the 700. If the problem persists, then you're back to a relay problem or compromised mail server. Dennis From: Paul
RE: blacklists
Sounds like you may have an infected client on your network that is sending outbound spam. Block port 25 at the firewall for all but authorized systems (mail server). Set the mail server so that it only accepts mail from your exchange server. That should get things cleared up enough so that you'll stay off the blacklists and give you some time to hunt for the guilty party. ...Tim From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 2:35 PM To: NT System Admin Issues Subject: blacklists We've been finding ourself on some blacklists since last week and have basically shut us down. Specifically Spamhaus and Barracuda's. I'm not sure if I have an infected computer on my network sending spam or not. I've requested my ip removed from the blacklists several times, but after a day or two I'm back on. I've got a window to post this question before it happens again. Here's what I have. One Domain, two locations connected via PTP T1 (Adtrans). All Internet access is at one location where I have my Mail Server 2003 (Ninja) and a Watchguard Firewall. All clients (about 200) running Symantec AV. I don't have really the tools or knowledge to run any packet capture software (or anything else) to determine if I have an owned machine, but while I am working on that is there any way to close my firewall to outbound mail traffic while still letting my Exchange out? Do infected computers send email thru port 25 like Exchange? If so, can I block that port and change the port Exchange uses to send? If so, how? This may take me awhile, but I'd like to stay off the blacklists in the mean time. One thing I've done is installed Zone Alarm on my pc to see if I can catch any of my local computers scanning my network. After the install it asked if I wanted my Outlook to act as a Server. The info button showed that it should be ok to do, but I said no. My email seems to be working but I keep getting notifications that ZA is blocking internet access to my computer from my mail server. This is probably nothing. Thanks for any suggestions. Paul Everett IS Dept. Lee Mental Health Center 239-791-1551 Lee Mental Health Center, Inc. providing services through Ruth Cooper Center for Behavioral Health Care and VISTA Behavioral Crisis Services. Visit our website at www.leementalhealth.org blocked::http://www.leementalhealth.org/ to learn more. Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message, including attachments. ~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~ ~ http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm ~
RE: blacklists
Are you allowing mail relaying on your internal network? ESMSMTPDefault SMTPAccessRelay (Any exclusions here at all?) You cannot change the port/25 if you expect to be able to send mail to other organizations. You can only change the port if you are passing emails off to another server, and then that server sends it out. I think it's time to start looking through your SMTP logs on your mail server. Also, check out http://www.authsmtp.com/ Set your exchange box to send mail through them on a obscure port, and turn off port 25 on all your firewalls. I'm not talking zone alarm, I'm talking about your perimeter hardware firewall. This will get your messages out, and let things calm down to get you off the blacklists. Sam From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 4:35 PM To: NT System Admin Issues Subject: blacklists We've been finding ourself on some blacklists since last week and have basically shut us down. Specifically Spamhaus and Barracuda's. I'm not sure if I have an infected computer on my network sending spam or not. I've requested my ip removed from the blacklists several times, but after a day or two I'm back on. I've got a window to post this question before it happens again. Here's what I have. One Domain, two locations connected via PTP T1 (Adtrans). All Internet access is at one location where I have my Mail Server 2003 (Ninja) and a Watchguard Firewall. All clients (about 200) running Symantec AV. I don't have really the tools or knowledge to run any packet capture software (or anything else) to determine if I have an owned machine, but while I am working on that is there any way to close my firewall to outbound mail traffic while still letting my Exchange out? Do infected computers send email thru port 25 like Exchange? If so, can I block that port and change the port Exchange uses to send? If so, how? This may take me awhile, but I'd like to stay off the blacklists in the mean time. One thing I've done is installed Zone Alarm on my pc to see if I can catch any of my local computers scanning my network. After the install it asked if I wanted my Outlook to act as a Server. The info button showed that it should be ok to do, but I said no. My email seems to be working but I keep getting notifications that ZA is blocking internet access to my computer from my mail server. This is probably nothing. Thanks for any suggestions. Paul Everett IS Dept. Lee Mental Health Center 239-791-1551 Lee Mental Health Center, Inc. providing services through Ruth Cooper Center for Behavioral Health Care and VISTA Behavioral Crisis Services. Visit our website at www.leementalhealth.org blocked::http://www.leementalhealth.org/ to learn more. Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message, including attachments. ~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~ ~ http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm ~
RE: blacklists
Set the mail server so that it only accepts mail from your exchange server They are one and the same. My DC is actually my Mail Gateway between the WG and Exchange. Block port 25 at the firewall for all but authorized systems (mail server). Any idea how to do this on a Watchguard 700? Thanks From: Tim Evans [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 5:47 PM To: NT System Admin Issues Subject: RE: blacklists Sounds like you may have an infected client on your network that is sending outbound spam. Block port 25 at the firewall for all but authorized systems (mail server). Set the mail server so that it only accepts mail from your exchange server. That should get things cleared up enough so that you'll stay off the blacklists and give you some time to hunt for the guilty party. ...Tim From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 2:35 PM To: NT System Admin Issues Subject: blacklists We've been finding ourself on some blacklists since last week and have basically shut us down. Specifically Spamhaus and Barracuda's. I'm not sure if I have an infected computer on my network sending spam or not. I've requested my ip removed from the blacklists several times, but after a day or two I'm back on. I've got a window to post this question before it happens again. Here's what I have. One Domain, two locations connected via PTP T1 (Adtrans). All Internet access is at one location where I have my Mail Server 2003 (Ninja) and a Watchguard Firewall. All clients (about 200) running Symantec AV. I don't have really the tools or knowledge to run any packet capture software (or anything else) to determine if I have an owned machine, but while I am working on that is there any way to close my firewall to outbound mail traffic while still letting my Exchange out? Do infected computers send email thru port 25 like Exchange? If so, can I block that port and change the port Exchange uses to send? If so, how? This may take me awhile, but I'd like to stay off the blacklists in the mean time. One thing I've done is installed Zone Alarm on my pc to see if I can catch any of my local computers scanning my network. After the install it asked if I wanted my Outlook to act as a Server. The info button showed that it should be ok to do, but I said no. My email seems to be working but I keep getting notifications that ZA is blocking internet access to my computer from my mail server. This is probably nothing. Thanks for any suggestions. Paul Everett IS Dept. Lee Mental Health Center 239-791-1551 Lee Mental Health Center, Inc. providing services through Ruth Cooper Center for Behavioral Health Care and VISTA Behavioral Crisis Services. Visit our website at www.leementalhealth.org blocked::http://www.leementalhealth.org/ to learn more. Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message, including attachments. ~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~ ~ http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm ~
RE: blacklists
Then forget about the Set the mail server so that it only accepts mail from your exchange server part. Just set your firewall so that it only accept SMTP mail from that server. Sorry, but I can't help you on the watchguard config. ...Tim From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 2:54 PM To: NT System Admin Issues Subject: RE: blacklists Set the mail server so that it only accepts mail from your exchange server They are one and the same. My DC is actually my Mail Gateway between the WG and Exchange. Block port 25 at the firewall for all but authorized systems (mail server). Any idea how to do this on a Watchguard 700? Thanks From: Tim Evans [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 5:47 PM To: NT System Admin Issues Subject: RE: blacklists Sounds like you may have an infected client on your network that is sending outbound spam. Block port 25 at the firewall for all but authorized systems (mail server). Set the mail server so that it only accepts mail from your exchange server. That should get things cleared up enough so that you'll stay off the blacklists and give you some time to hunt for the guilty party. ...Tim From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 2:35 PM To: NT System Admin Issues Subject: blacklists We've been finding ourself on some blacklists since last week and have basically shut us down. Specifically Spamhaus and Barracuda's. I'm not sure if I have an infected computer on my network sending spam or not. I've requested my ip removed from the blacklists several times, but after a day or two I'm back on. I've got a window to post this question before it happens again. Here's what I have. One Domain, two locations connected via PTP T1 (Adtrans). All Internet access is at one location where I have my Mail Server 2003 (Ninja) and a Watchguard Firewall. All clients (about 200) running Symantec AV. I don't have really the tools or knowledge to run any packet capture software (or anything else) to determine if I have an owned machine, but while I am working on that is there any way to close my firewall to outbound mail traffic while still letting my Exchange out? Do infected computers send email thru port 25 like Exchange? If so, can I block that port and change the port Exchange uses to send? If so, how? This may take me awhile, but I'd like to stay off the blacklists in the mean time. One thing I've done is installed Zone Alarm on my pc to see if I can catch any of my local computers scanning my network. After the install it asked if I wanted my Outlook to act as a Server. The info button showed that it should be ok to do, but I said no. My email seems to be working but I keep getting notifications that ZA is blocking internet access to my computer from my mail server. This is probably nothing. Thanks for any suggestions. Paul Everett IS Dept. Lee Mental Health Center 239-791-1551 Lee Mental Health Center, Inc. providing services through Ruth Cooper Center for Behavioral Health Care and VISTA Behavioral Crisis Services. Visit our website at www.leementalhealth.org blocked::http://www.leementalhealth.org/ to learn more. Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message, including attachments. ~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~ ~ http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm ~
RE: blacklists
Have you tested for Open Relay? Roger Wright Network Administrator 727.572.7076 x388 _ From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 5:35 PM To: NT System Admin Issues Subject: blacklists We've been finding ourself on some blacklists since last week and have basically shut us down. Specifically Spamhaus and Barracuda's. I'm not sure if I have an infected computer on my network sending spam or not. I've requested my ip removed from the blacklists several times, but after a day or two I'm back on. I've got a window to post this question before it happens again. Here's what I have. One Domain, two locations connected via PTP T1 (Adtrans). All Internet access is at one location where I have my Mail Server 2003 (Ninja) and a Watchguard Firewall. All clients (about 200) running Symantec AV. I don't have really the tools or knowledge to run any packet capture software (or anything else) to determine if I have an owned machine, but while I am working on that is there any way to close my firewall to outbound mail traffic while still letting my Exchange out? Do infected computers send email thru port 25 like Exchange? If so, can I block that port and change the port Exchange uses to send? If so, how? This may take me awhile, but I'd like to stay off the blacklists in the mean time. One thing I've done is installed Zone Alarm on my pc to see if I can catch any of my local computers scanning my network. After the install it asked if I wanted my Outlook to act as a Server. The info button showed that it should be ok to do, but I said no. My email seems to be working but I keep getting notifications that ZA is blocking internet access to my computer from my mail server. This is probably nothing. Thanks for any suggestions. Paul Everett IS Dept. Lee Mental Health Center 239-791-1551 Lee Mental Health Center, Inc. providing services through Ruth Cooper Center for Behavioral Health Care and VISTA Behavioral Crisis Services. Visit our website at www.leementalhealth.org blocked::http://www.leementalhealth.org/ to learn more. Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message, including attachments. ~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~ ~ http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm ~
RE: blacklists
Yes, with MXToolbox everything check out. From: Roger Wright [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 6:11 PM To: NT System Admin Issues Subject: RE: blacklists Have you tested for Open Relay? Roger Wright Network Administrator 727.572.7076 x388 _ From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 5:35 PM To: NT System Admin Issues Subject: blacklists We've been finding ourself on some blacklists since last week and have basically shut us down. Specifically Spamhaus and Barracuda's. I'm not sure if I have an infected computer on my network sending spam or not. I've requested my ip removed from the blacklists several times, but after a day or two I'm back on. I've got a window to post this question before it happens again. Here's what I have. One Domain, two locations connected via PTP T1 (Adtrans). All Internet access is at one location where I have my Mail Server 2003 (Ninja) and a Watchguard Firewall. All clients (about 200) running Symantec AV. I don't have really the tools or knowledge to run any packet capture software (or anything else) to determine if I have an owned machine, but while I am working on that is there any way to close my firewall to outbound mail traffic while still letting my Exchange out? Do infected computers send email thru port 25 like Exchange? If so, can I block that port and change the port Exchange uses to send? If so, how? This may take me awhile, but I'd like to stay off the blacklists in the mean time. One thing I've done is installed Zone Alarm on my pc to see if I can catch any of my local computers scanning my network. After the install it asked if I wanted my Outlook to act as a Server. The info button showed that it should be ok to do, but I said no. My email seems to be working but I keep getting notifications that ZA is blocking internet access to my computer from my mail server. This is probably nothing. Thanks for any suggestions. Paul Everett IS Dept. Lee Mental Health Center 239-791-1551 Lee Mental Health Center, Inc. providing services through Ruth Cooper Center for Behavioral Health Care and VISTA Behavioral Crisis Services. Visit our website at www.leementalhealth.org blocked::http://www.leementalhealth.org/ to learn more. Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message, including attachments. ~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~ ~ http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm ~
RE: blacklists
Infected computers use port 25 like everything else. At the firewall create a port 25 outbound rule that only allows the Exchange server. BTW your final firewall rule should be to disallow everything that isn't specifically allowed, right?! At the Exchange server only allow relaying for localhost. Now any outbound spam has no choice to get out except to use MAPI and the Exchange server, and if such a thing were happening you could track it. Assuming of course, that the Exchange server itself is clean. Carl _ From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 5:35 PM To: NT System Admin Issues Subject: blacklists We've been finding ourself on some blacklists since last week and have basically shut us down. Specifically Spamhaus and Barracuda's. I'm not sure if I have an infected computer on my network sending spam or not. I've requested my ip removed from the blacklists several times, but after a day or two I'm back on. I've got a window to post this question before it happens again. Here's what I have. One Domain, two locations connected via PTP T1 (Adtrans). All Internet access is at one location where I have my Mail Server 2003 (Ninja) and a Watchguard Firewall. All clients (about 200) running Symantec AV. I don't have really the tools or knowledge to run any packet capture software (or anything else) to determine if I have an owned machine, but while I am working on that is there any way to close my firewall to outbound mail traffic while still letting my Exchange out? Do infected computers send email thru port 25 like Exchange? If so, can I block that port and change the port Exchange uses to send? If so, how? This may take me awhile, but I'd like to stay off the blacklists in the mean time. One thing I've done is installed Zone Alarm on my pc to see if I can catch any of my local computers scanning my network. After the install it asked if I wanted my Outlook to act as a Server. The info button showed that it should be ok to do, but I said no. My email seems to be working but I keep getting notifications that ZA is blocking internet access to my computer from my mail server. This is probably nothing. Thanks for any suggestions. Paul Everett IS Dept. Lee Mental Health Center 239-791-1551 ~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~ ~ http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm ~
RE: blacklists
Sounds like a client open with SMTP, I just went through that deal recently Paul, removed the malicious user from the network As for Barracuda Reputation, GOOD LUCK...we are still on that system even though I cleared our org from the other lists. Thomas From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 5:15 PM To: NT System Admin Issues Subject: RE: blacklists Yes, with MXToolbox everything check out. From: Roger Wright [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 6:11 PM To: NT System Admin Issues Subject: RE: blacklists Have you tested for Open Relay? Roger Wright Network Administrator 727.572.7076 x388 _ From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 5:35 PM To: NT System Admin Issues Subject: blacklists We've been finding ourself on some blacklists since last week and have basically shut us down. Specifically Spamhaus and Barracuda's. I'm not sure if I have an infected computer on my network sending spam or not. I've requested my ip removed from the blacklists several times, but after a day or two I'm back on. I've got a window to post this question before it happens again. Here's what I have. One Domain, two locations connected via PTP T1 (Adtrans). All Internet access is at one location where I have my Mail Server 2003 (Ninja) and a Watchguard Firewall. All clients (about 200) running Symantec AV. I don't have really the tools or knowledge to run any packet capture software (or anything else) to determine if I have an owned machine, but while I am working on that is there any way to close my firewall to outbound mail traffic while still letting my Exchange out? Do infected computers send email thru port 25 like Exchange? If so, can I block that port and change the port Exchange uses to send? If so, how? This may take me awhile, but I'd like to stay off the blacklists in the mean time. One thing I've done is installed Zone Alarm on my pc to see if I can catch any of my local computers scanning my network. After the install it asked if I wanted my Outlook to act as a Server. The info button showed that it should be ok to do, but I said no. My email seems to be working but I keep getting notifications that ZA is blocking internet access to my computer from my mail server. This is probably nothing. Thanks for any suggestions. Paul Everett IS Dept. Lee Mental Health Center 239-791-1551 Lee Mental Health Center, Inc. providing services through Ruth Cooper Center for Behavioral Health Care and VISTA Behavioral Crisis Services. Visit our website at www.leementalhealth.org blocked::http://www.leementalhealth.org/ to learn more. Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message, including attachments. This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the Girl Scouts of Southwest Texas company. Warning: Although precautions have been taken to make sure no viruses are present in this email, the company cannot accept responsibility for any loss or damage that arise from the use of this email or attachments. ~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~ ~ http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm ~
RE: blacklists
Open Policy Manager on the Watchguard 700, you will have either a proxy or filter policy for SMTP. On the Outgoing tab, set From: to the IP address of your mail server and To: to all The default rule is all to all, which will allow traffic from port 25 to pass from any machine on your network. By setting From: to only your mail server IP, you will block any internal machines that may be attempting to send SMTP traffic on their own. You can also set the rule to log denied traffic which will quickly identify internal machines that are attempting to use port 25. Configuration is a little different on the newer Watchguard boxes, but should be pretty straight forward on the 700. If the problem persists, then you're back to a relay problem or compromised mail server. Dennis From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 4:54 PM To: NT System Admin Issues Subject: RE: blacklists Set the mail server so that it only accepts mail from your exchange server They are one and the same. My DC is actually my Mail Gateway between the WG and Exchange. Block port 25 at the firewall for all but authorized systems (mail server). Any idea how to do this on a Watchguard 700? Thanks From: Tim Evans [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 5:47 PM To: NT System Admin Issues Subject: RE: blacklists Sounds like you may have an infected client on your network that is sending outbound spam. Block port 25 at the firewall for all but authorized systems (mail server). Set the mail server so that it only accepts mail from your exchange server. That should get things cleared up enough so that you'll stay off the blacklists and give you some time to hunt for the guilty party. ...Tim From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 2:35 PM To: NT System Admin Issues Subject: blacklists We've been finding ourself on some blacklists since last week and have basically shut us down. Specifically Spamhaus and Barracuda's. I'm not sure if I have an infected computer on my network sending spam or not. I've requested my ip removed from the blacklists several times, but after a day or two I'm back on. I've got a window to post this question before it happens again. Here's what I have. One Domain, two locations connected via PTP T1 (Adtrans). All Internet access is at one location where I have my Mail Server 2003 (Ninja) and a Watchguard Firewall. All clients (about 200) running Symantec AV. I don't have really the tools or knowledge to run any packet capture software (or anything else) to determine if I have an owned machine, but while I am working on that is there any way to close my firewall to outbound mail traffic while still letting my Exchange out? Do infected computers send email thru port 25 like Exchange? If so, can I block that port and change the port Exchange uses to send? If so, how? This may take me awhile, but I'd like to stay off the blacklists in the mean time. One thing I've done is installed Zone Alarm on my pc to see if I can catch any of my local computers scanning my network. After the install it asked if I wanted my Outlook to act as a Server. The info button showed that it should be ok to do, but I said no. My email seems to be working but I keep getting notifications that ZA is blocking internet access to my computer from my mail server. This is probably nothing. Thanks for any suggestions. Paul Everett IS Dept. Lee Mental Health Center 239-791-1551 Lee Mental Health Center, Inc. providing services through Ruth Cooper Center for Behavioral Health Care and VISTA Behavioral Crisis Services. Visit our website at www.leementalhealth.org blocked::http://www.leementalhealth.org/ to learn more. Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message, including attachments. ~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~ ~ http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm ~
RE: blacklists
Thanks Thomas. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 6:21 PM To: NT System Admin Issues Subject: RE: blacklists Sounds like a client open with SMTP, I just went through that deal recently Paul, removed the malicious user from the network As for Barracuda Reputation, GOOD LUCK...we are still on that system even though I cleared our org from the other lists. Thomas From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 5:15 PM To: NT System Admin Issues Subject: RE: blacklists Yes, with MXToolbox everything check out. From: Roger Wright [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 6:11 PM To: NT System Admin Issues Subject: RE: blacklists Have you tested for Open Relay? Roger Wright Network Administrator 727.572.7076 x388 _ From: Paul Everett [mailto:[EMAIL PROTECTED] Sent: Monday, July 28, 2008 5:35 PM To: NT System Admin Issues Subject: blacklists We've been finding ourself on some blacklists since last week and have basically shut us down. Specifically Spamhaus and Barracuda's. I'm not sure if I have an infected computer on my network sending spam or not. I've requested my ip removed from the blacklists several times, but after a day or two I'm back on. I've got a window to post this question before it happens again. Here's what I have. One Domain, two locations connected via PTP T1 (Adtrans). All Internet access is at one location where I have my Mail Server 2003 (Ninja) and a Watchguard Firewall. All clients (about 200) running Symantec AV. I don't have really the tools or knowledge to run any packet capture software (or anything else) to determine if I have an owned machine, but while I am working on that is there any way to close my firewall to outbound mail traffic while still letting my Exchange out? Do infected computers send email thru port 25 like Exchange? If so, can I block that port and change the port Exchange uses to send? If so, how? This may take me awhile, but I'd like to stay off the blacklists in the mean time. One thing I've done is installed Zone Alarm on my pc to see if I can catch any of my local computers scanning my network. After the install it asked if I wanted my Outlook to act as a Server. The info button showed that it should be ok to do, but I said no. My email seems to be working but I keep getting notifications that ZA is blocking internet access to my computer from my mail server. This is probably nothing. Thanks for any suggestions. Paul Everett IS Dept. Lee Mental Health Center 239-791-1551 Lee Mental Health Center, Inc. providing services through Ruth Cooper Center for Behavioral Health Care and VISTA Behavioral Crisis Services. Visit our website at www.leementalhealth.org blocked::http://www.leementalhealth.org/ to learn more. Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message, including attachments. This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the Girl Scouts of Southwest Texas. Warning: Although precautions have been taken to make sure no viruses are present in this email, Girl Scouts of Southwest Texas cannot accept responsibility for any loss or damage that arise from the use of this email or attachments. ~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~ ~ http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm ~
