RE: blacklists

2008-07-31 Thread Angus Scott-Fleming
On 28 Jul 2008 at 17:23, Dennis Hoefer wrote:

> Open Policy Manager on the Watchguard 700, you will have either a proxy or
> filter policy for SMTP. On the "Outgoing" tab, set From: to the IP address
> of your mail server and To: to "all". The default rule is all to all, which
> will allow traffic from port 25 to pass from any machine on your network. By
> setting From: to only your mail server IP, you will block any internal
> machines that may be attempting to send SMTP traffic on their own. You can
> also set the rule to log denied traffic which will quickly identify internal
> machines that are attempting to use port 25.

If there's any way to log attempts to use port 25, do that as well, then you 
can figure out which machine(s) are trying to send.  I implemented just such a 
pair of IPTABLES rules on an IPCop firewall for a client-of-a-colleague who 
kept getting blacklisted and we discovered a forgotten box on a Frame Relay 
line from a remote site which she wasn't aware of when she checked 'all' the 
computers for infections.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
+---+




~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~   ~
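
The "only the mail server may leave on port 25, log everyone else" policy that Dennis describes for the Watchguard and that Angus implemented as iptables rules on IPCop, as an added example that is not part of the original thread: the first function emits the iptables rule set for a given mail-server address, and the second parses the kernel LOG lines those rules produce and ranks the internal hosts still trying to reach port 25 directly (which is how the forgotten box at the remote site would show up). The interface names eth0/eth1, the mail server address 192.168.1.10, the log prefix, the FORWARD-chain placement and the sample log lines are all assumptions or constructed for the example; where a particular firewall distribution loads local rules is not covered.

```python
"""Added example, not code from the thread: iptables SMTP egress policy plus a
parser for its LOG lines. Interface names, the mail server address, the log
prefix and the sample log lines are assumed/constructed."""
import re
from collections import Counter, defaultdict

LAN_IF = "eth0"                 # assumption: inside interface
WAN_IF = "eth1"                 # assumption: outside interface
MAIL_SERVER = "192.168.1.10"    # assumption: the one host allowed to send SMTP out
LOG_PREFIX = "SMTP-EGRESS-DENY "


def smtp_egress_rules(mail_server=MAIL_SERVER, lan_if=LAN_IF, wan_if=WAN_IF,
                      log_prefix=LOG_PREFIX):
    """Return the iptables commands for a default-deny SMTP egress policy.

    Generic FORWARD-chain rules. Order matters: the mail server is accepted
    first, every other new connection (--syn) to TCP/25 is logged (rate
    limited so a busy spambot cannot fill the log) and then dropped.
    """
    match = f"-i {lan_if} -o {wan_if} -p tcp --syn --dport 25"
    return [
        f"iptables -A FORWARD {match} -s {mail_server} -j ACCEPT",
        f"iptables -A FORWARD {match} -m limit --limit 30/min --limit-burst 50 "
        f"-j LOG --log-prefix \"{log_prefix}\"",
        f"iptables -A FORWARD {match} -j DROP",
    ]


# Constructed kernel log lines in the netfilter LOG format the rules above emit.
SAMPLE_LOG = [
    "Jul 30 10:15:02 fw kernel: SMTP-EGRESS-DENY IN=eth0 OUT=eth1 "
    "SRC=192.168.1.57 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4711 DF "
    "PROTO=TCP SPT=1043 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jul 30 10:15:02 fw kernel: SMTP-EGRESS-DENY IN=eth0 OUT=eth1 "
    "SRC=192.168.1.57 DST=203.0.113.11 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4712 DF "
    "PROTO=TCP SPT=1044 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jul 30 10:15:03 fw kernel: SMTP-EGRESS-DENY IN=eth0 OUT=eth1 "
    "SRC=10.20.0.8 DST=198.51.100.25 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=9 DF "
    "PROTO=TCP SPT=2201 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Jul 30 10:15:03 fw kernel: SMTP-EGRESS-DENY IN=eth0 OUT=eth1 "
    "SRC=192.168.1.57 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4713 DF "
    "PROTO=TCP SPT=1045 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Jul 30 10:15:04 fw kernel: eth1: link is up",   # unrelated kernel line, ignored
]

_LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?"
    r"PROTO=(?P<proto>\w+)\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)"
)


def parse_deny(line, log_prefix=LOG_PREFIX):
    """Return SRC/DST/PROTO/DPT of one LOG line from our rule, or None otherwise."""
    if log_prefix.strip() not in line:
        return None
    m = _LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def smtp_offenders(lines, log_prefix=LOG_PREFIX):
    """Map each internal source IP to (denied attempts, sorted targets), busiest first.

    Any host that shows up here once the policy is in place is one to go and
    look at: a mailer nobody remembered, or a spambot.
    """
    attempts = Counter()
    targets = defaultdict(set)
    for line in lines:
        rec = parse_deny(line, log_prefix)
        if rec and rec["proto"] == "TCP" and rec["dpt"] == 25:
            attempts[rec["src"]] += 1
            targets[rec["src"]].add(rec["dst"])
    return {src: (n, sorted(targets[src])) for src, n in attempts.most_common()}


if __name__ == "__main__":
    print("\n".join(smtp_egress_rules()))
    for src, (n, dsts) in smtp_offenders(SAMPLE_LOG).items():
        print(f"{src:<16} {n:>4} denied SMTP attempts -> {', '.join(dsts)}")
```

To apply the policy, pipe the printed rules to the shell on the firewall; to find the senders, pass the kernel log file object (or the output of grepping it for the prefix) to smtp_offenders. The LOG rule sits before DROP so that every blocked attempt is recorded, and it is restricted to SYN packets so that one connection produces one line rather than one per packet.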


RE: blacklists

2008-07-29 Thread Paul Everett
I'm going to move this over to the Exchange forum.  

Thanks for all the help.

Paul

RE: blacklists

2008-07-29 Thread Paul Everett
Yes, all the mail seems to be flowing out just fine.  I'm getting "relay
denied" NDRs for a few domains and I seem to be listed with Barracuda
still, but no other issues I'm aware of.

I'm showing connections using port 25 on both "local address" and
"foreign address".  For the entries with it on "local address", most of
the "state" values are Time-wait with a PID of 0, with the occasional PID
of smssmtp.

All the foreign addresses show a PID of smssmtp.

I must not understand how mail is supposed to flow.  I assumed that the
mail flowed into and out of the Mail Gateway (my DC), and maybe it did
(and is still trying), but my Exchange Server seems to be sending it fine
since that is the only IP allowed out in my firewall (for SMTP traffic).

When I installed Ninja on my Exchange box I uninstalled Symantec for
Exchange (or whatever it's called).  My plan was to also take Symantec
Mail Security for SMTP off the DC, but decided that it was an extra layer
of security that wasn't hurting anything.  I can't remember if we did
anything to change the flow of outgoing email at that time or not.

 

Paul

RE: blacklists

2008-07-29 Thread Tim Evans
And those are connections from the DC to the firewall (and not the
reverse)? Something is misconfigured or you misunderstand how mail is
supposed to flow. Is all the mail flowing outbound that is supposed to
be?

 

...Tim

RE: blacklists

2008-07-29 Thread Paul Everett
It's the Symantec Mail Security for SMTP.  Now what?

RE: blacklists

2008-07-29 Thread Tim Evans
It sounds like either something is misconfigured, your DC is infected,
or you don't correctly understand how mail is supposed to flow in your
network.  Get on your DC and run netstat -no and look for connections to
port 25 on your firewall. Then look up the PID in Task Manager to see
what process on the DC is sending the mail.

 

...Tim
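
The check Tim describes here (netstat -no, then look the PID up in Task Manager), and the kind of output Paul reports further up the thread (Time-wait rows with a PID of 0, the rest owned by smssmtp), as an added example that is not part of the original thread: a script that parses netstat -no and tasklist output, separates port-25 connections the host opened (it is sending) from ones opened to it (it is receiving), and groups the outbound ones by owning process. The sample output, the addresses 192.168.1.5 (gateway) and 192.168.1.20 (Exchange), and the image name smssmtp.exe are constructed or assumed for the example.

```python
"""Added example, not code from the thread: attribute outbound SMTP connections
seen in `netstat -no` to processes via `tasklist`. The sample output, the
addresses and the image name smssmtp.exe are constructed/assumed."""
import re
from collections import Counter

SMTP_PORT = 25

# Constructed sample of `netstat -no` on the gateway (Windows column layout).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1089       203.0.113.10:25        ESTABLISHED     1840
  TCP    192.168.1.5:1090       203.0.113.11:25        SYN_SENT        1840
  TCP    192.168.1.5:1077       198.51.100.25:25       TIME_WAIT       0
  TCP    192.168.1.5:25         192.168.1.20:3301      ESTABLISHED     1840
  TCP    192.168.1.5:3389       192.168.1.77:1200      ESTABLISHED     4
  UDP    192.168.1.5:53         *:*                                    1412
"""

# Constructed sample of `tasklist` output, used to map PIDs to image names.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0        236 K
smssmtp.exe                   1840 Services                   0     24,512 K
dns.exe                       1412 Services                   0      6,204 K
"""


def _split_addr(addr):
    host, _, port = addr.rpartition(":")          # also handles [::1]:25 and *:*
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -no` rows into dicts; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts and parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue                              # banner, header or blank line
        lhost, lport = _split_addr(local)
        fhost, fport = _split_addr(foreign)
        conns.append({"proto": proto, "laddr": lhost, "lport": lport, "faddr": fhost,
                      "fport": fport, "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output (header and ruler lines skipped)."""
    names = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line.rstrip())
        if m:
            names[int(m.group(2))] = m.group(1)
    return names


def outbound_smtp(conns):
    """Connections this host opened TO port 25 elsewhere: it is acting as a sender."""
    return [c for c in conns if c["proto"] == "TCP" and c["fport"] == SMTP_PORT]


def inbound_smtp(conns):
    """Connections other hosts opened TO this host's port 25: it is receiving."""
    return [c for c in conns if c["proto"] == "TCP" and c["lport"] == SMTP_PORT
            and c["state"] != "LISTENING"]


def smtp_senders_by_pid(conns, pid_names):
    """Group outbound SMTP connections by owning PID and resolve the image name.

    PID 0 on a TIME_WAIT row is not a process: the owner has already closed the
    socket, so Windows no longer reports one. Re-sample netstat a few times to
    catch such connections while they are SYN_SENT or ESTABLISHED.
    """
    summary = {}
    for c in outbound_smtp(conns):
        e = summary.setdefault(c["pid"], {"image": None, "count": 0,
                                          "states": Counter(), "targets": set()})
        e["count"] += 1
        e["states"][c["state"]] += 1
        e["targets"].add(c["faddr"])
    for pid, e in summary.items():
        e["image"] = ("(none: socket already closed, TIME_WAIT)" if pid == 0
                      else pid_names.get(pid, "(unknown PID; re-run tasklist)"))
    return summary


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    for pid, e in smtp_senders_by_pid(conns, parse_tasklist(TASKLIST_SAMPLE)).items():
        print(f"PID {pid:>5} {e['image']:<42} {e['count']} outbound SMTP "
              f"{dict(e['states'])} -> {sorted(e['targets'])}")
    print(f"inbound SMTP sessions: {len(inbound_smtp(conns))}")
```

On the real box, save `netstat -no` and `tasklist` output to files and pass their contents to parse_netstat and parse_tasklist. The inbound/outbound split is the answer to Tim's follow-up question (are these connections from the DC outward, or the reverse); the per-PID grouping is the Task Manager lookup done once for every row instead of by hand.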

RE: blacklists

2008-07-29 Thread Paul Everett
Everything is looking good this morning, as far as our email is
concerned and so far still off the blacklists.  In "host watch" of the
Watchguard System Manager, I am getting numerous (hundreds/minute)
outbound Filtered-SMTP "denies" from my DC (which is my mail gateway).
I thought mail was just going thru there one-way (incoming).

Mail in ->WG Firewall -> DC (Symantec Mail Security for SMTP) ->
Exchange Server -> WG Firewall -> Mail out.

Could there just be a misconfiguration on my DC?

 

Paul

RE: blacklists

2008-07-28 Thread Paul Everett
They are proxies.  I have two defined.  One called SMTP, and it has the
incoming set From: any, To: WG ip -> DC (mail gateway).  The outgoing
tab is disabled.

The other proxy is called Filtered-SMTP.  Its Incoming is disabled and
the Outgoing is set From: Any, To: Any.  I changed this to From: mail ip,
To: Any.

I've never been able to figure out logging on the WG.  I can never find
the logs and for email, I can't find where to set the address??  The WG
interface seems so simple, but it really makes me feel like an idiot at
times.

 

Hope this is good enough damage control for tonight.  I'll be back in
the am to check things and do more investigating.

 

Thanks for all the suggestions.

 

Paul

 



From: Dennis Hoefer [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 28, 2008 6:24 PM
To: NT System Admin Issues
Subject: RE: blacklists

 

Open Policy Manager on the Watchguard 700, you will have either a proxy
or filter policy for SMTP.  On the "Outgoing" tab, set From: to the IP
address of your mail server and To: to "all".  The default rule is all to
all, which will allow traffic from port 25 to pass from any machine on
your network.  By setting From: to only your mail server IP, you will
block any internal machines that may be attempting to send SMTP traffic
on their own.  You can also set the rule to log denied traffic which
will quickly identify internal machines that are attempting to use port
25.

Configuration is a little different on the newer Watchguard boxes, but
should be pretty straightforward on the 700.  If the problem persists,
then you're back to a relay problem or compromised mail server.

 

Dennis  

 



From: Paul Everett [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 28, 2008 4:54 PM
To: NT System Admin Issues
Subject: RE: blacklists

"Set the mail server so that it only accepts mail from your exchange
server" They are one and the same.  My DC is actually my Mail Gateway
between the WG and Exchange.

"Block port 25 at the firewall for all but authorized systems (mail
server)."  Any idea how to do this on a Watchguard 700?

 

Thanks

 

 



From: Tim Evans [mailto:[EMAIL PROTECTED]
Sent: Monday, July 28, 2008 5:47 PM
To: NT System Admin Issues
Subject: RE: blacklists

Sounds like you may have an infected client on your network that is
sending outbound spam. Block port 25 at the firewall for all but
authorized systems (mail server). Set the mail server so that it only
accepts mail from your exchange server. That should get things cleared
up enough so that you'll stay off the blacklists and give you some time
to hunt for the guilty party.

...Tim

From: Paul Everett [mailto:[EMAIL PROTECTED]
Sent: Monday, July 28, 2008 2:35 PM
To: NT System Admin Issues
Subject: blacklists

We've been finding ourselves on some blacklists since last week, and they
have basically shut us down.  Specifically Spamhaus and Barracuda's.

I'm not sure if I have an infected computer on my network sending spam
or not.  I've requested my IP removed from the blacklists several times,
but after a day or two I'm back on.  I've got a window to post this
question before it happens again.  Here's what I have.

One Domain, two locations connected via PTP T1 (Adtrans).  All Internet
access is at one location where I have my Mail Server 2003 (Ninja) and a
Watchguard Firewall.  All clients (about 200) running Symantec AV.

I don't really have the tools or knowledge to run any packet capture
software (or anything else) to determine if I have an owned machine, but
while I am working on that is there any way to close my firewall to
outbound mail traffic while still letting my Exchange out?  Do infected
computers send email thru port 25 like Exchange?  If so, can I block
that port and change the port Exchange uses to send?  If so, how?

This may take me a while, but I'd like to stay off the blacklists in the
meantime.

One thing I've done is installed Zone Alarm on my pc to see if I can
catch any of my local computers scanning my network.  After the install
it asked if I wanted my Outlook to act as a Server.  The info button
showed that it should be ok to do, but I said "no".  My email seems to
be working but I keep getting notifications that ZA is blocking internet
access to my computer from my mail server.  This is probably nothing.

Thanks for any suggestions.

Paul Everett
IS Dept.
Lee Mental Health Center
239-791-1551

"Lee Mental Health Center, Inc. providing services through Ruth Cooper
Center for Behavioral Health Care and VISTA Behavioral Crisis Services.
Visit our website at www.leementalhealth.org <http://www.leementalhealth.org/>
to learn more."

Confidentiality Notice:  This e-mail message, including any attachments,
is for the sole use of the intend

RE: blacklists

2008-07-28 Thread tgonzalez
Paul, run NMAP.  I use that once a week to see if any user loads up a new
app and if it enables a port or what; then I shut it down.

Thomas

 

This email and any attached files are confidential and intended solely
for the intended recipient(s). If you are not the named recipient you
should not read, distribute, copy or alter this email. Any views or
opinions expressed in this email are those of the author and do not
represent those of the Girl Scouts of Southwest Texas. Warning: Although
precautions have been taken to make sure no viruses are present in this
email, Girl Scouts of Southwest Texas cannot accept responsibility for
any loss or damage that arise from the use of this email or attachments.

 

 

 

 



~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~

Re: blacklists

2008-07-28 Thread Matt Plahtinsky
When you're setting up the Watchguard rule to only allow port 25 from
your mail server, also check log deny on the rule.  You can then set
it up to email you every time the rule is tripped. That will notify
you when it happens and from what IP address.

Matt
-- 
Sent from Gmail for mobile | mobile.google.com



RE: blacklists

2008-07-28 Thread Simon Butler
The important thing here is whether your queues in the Exchange server have 
lots of messages in them.
If they are clear, then it is probably not your Exchange server that is being 
abused, but a client. However if you are using a smart host of some kind to 
send email then your server could still be the source of the blacklisting.

Have you checked the blacklists' web sites? Sometimes they will have a copy of 
the message that triggered the listing. Looking at the message you might be 
able to diagnose which machine it is.

I wrote a blog posting on this exact scenario a few months ago. 
http://www.sembee.co.uk/archive/2008/03/13/73.aspx

The fact that you have Symantec on all of your workstations means nothing.
Which product do you think all of the BOT writers test their "product" against 
to see if it will infect the machines? The market leader - Symantec.

Simon.


--
Simon Butler
MVP: Exchange, MCSE
Amset IT Solutions Ltd.

e: [EMAIL PROTECTED]
w: www.amset.co.uk
w: www.amset.info

Need cheap certificates for Exchange, compatible with Windows Mobile 5.0?
<http://CertificatesForExchange.com/> for certificates from just $23.99.
Need a domain for your certificate? 
http://DomainsForExchange.net/<http://domainsforexchange.net/>
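Simon's suggestion to read the sample the blacklist kept works because every MTA prepends a Received: header naming the host it accepted the mail from, so the headers read bottom-up follow the message forward. The example below is added here; it is not code from Simon's post or his blog. It walks those headers and returns the first hop inside our own address space. The 10.0.0.0/8 LAN, the 10.0.0.25 gateway, the documentation IPs and both sample messages are constructed. It also covers the case the thread is actually chasing: a bot that talks to the Internet directly never passes the gateway, so the headers show only the firewall's public address and the function returns None; in that case the firewall deny log, not the message, is what identifies the host.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed: our address space and the one host that is supposed to relay.
LAN = ip_network("10.0.0.0/8")
MAIL_SERVER = ip_address("10.0.0.25")   # hypothetical gateway address

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample kept by a blacklist: the bot handed the mail to our own
# gateway, which stamped the workstation's address into a Received: header.
SAMPLE_VIA_GATEWAY = """\
Received: from mx.corp.example.net (mx.corp.example.net [203.0.113.10])
\tby trap.blacklist.example.org with ESMTP id abc123;
\tMon, 28 Jul 2008 14:02:11 -0400
Received: from ws-0307.corp.example.net ([10.0.3.7])
\tby mx.corp.example.net with ESMTP id 7a1f; Mon, 28 Jul 2008 14:02:09 -0400
From: "Amazing Offer" <nobody@invalid.example>
To: victim@example.org
Subject: cheap meds

buy now
"""

# Constructed sample where the bot reached the Internet directly: only the
# firewall's public address appears, so the headers cannot name the host.
SAMPLE_DIRECT = """\
Received: from pc.local (unknown [203.0.113.10])
\tby trap.blacklist.example.org with SMTP id def456;
\tMon, 28 Jul 2008 14:05:00 -0400
From: "Amazing Offer" <nobody@invalid.example>
To: victim@example.org
Subject: cheap meds

buy now
"""


def received_hops(raw_message: str) -> List[Optional[str]]:
    """Return the 'from' address of each Received: header, earliest hop first.

    Each MTA prepends its own Received: header, so the last one in the
    message is the earliest hop; reversing the list follows the mail forward.
    A header with no bracketed IPv4 literal yields None.
    """
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        match = IP_IN_BRACKETS.search(header)
        hops.append(match.group(1) if match else None)
    hops.reverse()
    return hops


def originating_internal_host(raw_message: str) -> Optional[str]:
    """Earliest hop inside the LAN that is not the mail server, or None.

    None means the headers never show an internal address: the sender
    bypassed the gateway, or the gateway itself originated the mail.
    """
    for ip in received_hops(raw_message):
        if ip is None:
            continue
        addr = ip_address(ip)
        if addr in LAN and addr != MAIL_SERVER:
            return ip
    return None


if __name__ == "__main__":
    print("via gateway:", originating_internal_host(SAMPLE_VIA_GATEWAY))
    print("direct:", originating_internal_host(SAMPLE_DIRECT))
```

Only the Received: line written by your own gateway is trustworthy; anything a remote sender placed below it can be forged, so treat the result as a pointer to the machine to inspect, not as proof on its own.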







RE: blacklists

2008-07-28 Thread Paul Everett
Thanks Thomas.

 




RE: blacklists

2008-07-28 Thread Dennis Hoefer
Open Policy Manager on the Watchguard 700, you will have either a proxy
or filter policy for SMTP.  On the "Outgoing" tab, set From: to the IP
address of your mail server and To: to "all".  The default rule is all to
all, which will allow traffic from port 25 to pass from any machine on
your network.  By setting From: to only your mail server IP, you will
block any internal machines that may be attempting to send SMTP traffic
on their own.  You can also set the rule to log denied traffic which
will quickly identify internal machines that are attempting to use port
25.
 
Configuration is a little different on the newer Watchguard boxes, but
should be pretty straight forward on the 700.  If the problem persists,
then you're back to a relay problem or compromised mail server.  
 
Dennis  




RE: blacklists

2008-07-28 Thread tgonzalez
Sounds like a client open with SMTP.  I just went through that deal
recently, Paul; removed the malicious user from the network.

As for Barracuda Reputation, GOOD LUCK...we are still on that system
even though I cleared our org from the other lists.

Thomas

 


RE: blacklists

2008-07-28 Thread Carl Houseman
Infected computers use port 25 like everything else.

At the firewall create a port 25 outbound rule that only allows the Exchange
server.
BTW your final firewall rule should be to disallow everything that isn't
specifically allowed, right?!

At the Exchange server only allow relaying for localhost.

Now any outbound spam has no choice to get out except to use MAPI and the
Exchange server, and if such a thing were happening you could track it.
Assuming of course, that the Exchange server itself is clean.

Carl
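Dennis's rule (only the mail server's address may source port 25), Matt's tip to log the denies and Carl's default-deny outbound rule above all come down to one check, so here is that logic in a runnable form. This is an added example, not code from any of the posters or from WatchGuard: it assumes a hypothetical 10.0.0.0/8 LAN, a mail server at 10.0.0.25 and a constructed deny-log line format, and the flow records are made-up sample traffic.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable

# Constructed sample topology (not the thread's real addresses): an RFC 1918
# LAN behind the firewall and the one host allowed to speak SMTP outbound.
LAN = ip_network("10.0.0.0/8")
MAIL_SERVER = ip_address("10.0.0.25")   # hypothetical Exchange/gateway address
SMTP_PORT = 25


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt as the firewall would see it."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def egress_decision(flow: Flow) -> str:
    """Return 'allow' or 'deny' for one flow under the SMTP egress rule.

    Only the mail server may open TCP/25 to addresses outside the LAN; any
    other host doing so is denied. Traffic that is not outbound SMTP is not
    this rule's business and falls through to whatever rules follow (here
    simply 'allow' so the sample stays focused on the SMTP rule).
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if flow.proto != "tcp" or flow.dport != SMTP_PORT or dst in LAN:
        return "allow"
    return "allow" if src == MAIL_SERVER else "deny"


def apply_policy(flows: Iterable[Flow]) -> list[str]:
    """Run flows through the rule and return the deny log it would produce.

    The line format is constructed; real firewall logs differ, but all of
    them carry the same facts: verdict, source address, destination, port.
    """
    return [
        f"DENY {f.proto} {f.src} -> {f.dst}:{f.dport}"
        for f in flows
        if egress_decision(f) == "deny"
    ]


def suspect_hosts(deny_log: Iterable[str], min_hits: int = 3) -> dict[str, int]:
    """Count denied outbound-SMTP attempts per internal source address.

    A host hitting the rule again and again is the likely spam bot; a single
    hit can be a misconfigured client, so a small threshold is applied.
    """
    counts: Counter[str] = Counter()
    for line in deny_log:
        parts = line.split()
        # Expected shape: DENY <proto> <src> -> <dst>:<port>
        if len(parts) == 5 and parts[0] == "DENY" and parts[4].endswith(f":{SMTP_PORT}"):
            counts[parts[2]] += 1
    return {host: n for host, n in counts.items() if n >= min_hits}


# Constructed sample traffic: one legitimate mail server, one chatty bot,
# one host with a single stray attempt, and unrelated HTTPS traffic.
SAMPLE_FLOWS = [
    Flow("10.0.0.25", "203.0.113.10", 25),    # mail server delivering to the Internet
    Flow("10.0.3.7", "198.51.100.9", 25),     # workstation hitting many remote MXs
    Flow("10.0.3.7", "198.51.100.10", 25),
    Flow("10.0.3.7", "198.51.100.11", 25),
    Flow("10.0.3.7", "198.51.100.12", 25),
    Flow("10.0.4.40", "192.0.2.5", 25),       # one stray attempt: below threshold
    Flow("10.0.4.40", "10.0.0.25", 25),       # client submitting to the mail server
    Flow("10.0.5.1", "203.0.113.80", 443),    # HTTPS: untouched by this rule
]


def investigate(flows: Iterable[Flow] = SAMPLE_FLOWS) -> dict[str, int]:
    """Full pipeline: policy -> deny log -> hosts worth pulling off the network."""
    return suspect_hosts(apply_policy(flows))


if __name__ == "__main__":
    for line in apply_policy(SAMPLE_FLOWS):
        print(line)
    print("suspects:", investigate())
```

The threshold in suspect_hosts is the point Matt makes: a host that trips the rule once is probably a misconfigured client, while a host that trips it against a dozen remote MXs in a row is the machine to pull off the network. On a real firewall the same aggregation runs over its own deny log; only the parsing line changes.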


RE: blacklists

2008-07-28 Thread Paul Everett
Yes, with MXToolbox everything checks out.

 




RE: blacklists

2008-07-28 Thread Roger Wright
Have you tested for Open Relay?

Roger Wright
Network Administrator
727.572.7076  x388

 

 


RE: blacklists

2008-07-28 Thread Sam Cayze
"Allow all computers which successfully authenticate to relay"

That's fine and dandy.




RE: blacklists

2008-07-28 Thread Paul Everett
"Are you allowing mail relaying on your internal network?

ESM>SMTP>Default SMTP>Access>Relay (Any exclusions here at all?)"

There are no computers listed here, but the box below is checked: Allow
all computers which successfully authenticate to relay, regardless of
the list above.

I'll look into that website.

Thanks,

 




RE: blacklists

2008-07-28 Thread Tim Evans
Then forget about the "Set the mail server so that it only accepts mail
from your exchange server" part. Just set your firewall so that it only
accepts SMTP mail from that server. Sorry, but I can't help you on the
Watchguard config.

...Tim

 


RE: blacklists

2008-07-28 Thread Paul Everett
"Set the mail server so that it only accepts mail from your exchange
server" They are one and the same.  My DC is actually my Mail Gateway
between the WG and Exchange.

"Block port 25 at the firewall for all but authorized systems (mail
server)."  Any idea how to do this on a Watchguard 700?

Thanks

 

 




RE: blacklists

2008-07-28 Thread Sam Cayze
Are you allowing mail relaying on your internal network?

ESM>SMTP>Default SMTP>Access>Relay (Any exclusions here at all?)

You cannot change port 25 if you expect to be able to send mail to
other organizations.  You can only change the port if you are passing
emails off to another server, and then that server sends it out.

I think it's time to start looking through your SMTP logs on your mail
server.

Also, check out http://www.authsmtp.com/

Set your Exchange box to send mail through them on an obscure port, and
turn off port 25 on all your firewalls.  I'm not talking Zone Alarm, I'm
talking about your perimeter hardware firewall.

This will get your messages out, and let things calm down to get you off
the blacklists.

Sam
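Sam's advice is to read the SMTP logs and Tim's is to let only the mail server out on port 25. As an added example that joins the two (not code from anyone in the thread): if the perimeter firewall logs every outbound TCP/25 attempt, this script reports which internal hosts other than the mail server are trying to deliver mail directly. It assumes iptables-style LOG lines; the "SMTP-OUT:" prefix, the mail server address, the two subnets and the log lines themselves are constructed.

```python
"""Find internal hosts making outbound SMTP (TCP/25) connections, from
firewall log lines, so the machine spamming from behind the firewall can
be identified. Added for this thread; not Sam's, Tim's or Paul's code.

Log lines are constructed in iptables LOG format (SRC=, DST=, PROTO=, DPT=
are the real field names). The "SMTP-OUT:" prefix, the mail server address
and the two subnets are assumptions, not values from the thread.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: the only host that should speak SMTP to the outside world.
MAIL_SERVER = "192.168.1.10"
# Assumed: the two sites joined over the T1.
INTERNAL_NETS = [ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24")]

# Constructed sample from a rule that logs every outbound TCP/25 attempt,
# plus a few unrelated lines (web, inbound mail, UDP) to show what is skipped.
SAMPLE_LOG = """\
Jul 28 16:01:02 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.2.57 DST=203.0.113.25 LEN=48 TTL=127 PROTO=TCP SPT=41022 DPT=25 SYN
Jul 28 16:01:02 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.2.57 DST=198.51.100.7 LEN=48 TTL=127 PROTO=TCP SPT=41023 DPT=25 SYN
Jul 28 16:01:03 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.44 DST=203.0.113.80 LEN=48 TTL=127 PROTO=TCP SPT=50001 DPT=25 SYN
Jul 28 16:01:03 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.2.57 DST=192.0.2.9 LEN=48 TTL=127 PROTO=TCP SPT=41024 DPT=25 SYN
Jul 28 16:01:04 fw kernel: WEB-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.44 DST=203.0.113.80 LEN=48 TTL=127 PROTO=TCP SPT=50002 DPT=80 SYN
Jul 28 16:01:05 fw kernel: SMTP-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 LEN=48 TTL=127 PROTO=TCP SPT=3001 DPT=25 SYN
Jul 28 16:01:06 fw kernel: SMTP-IN: IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.10 LEN=48 TTL=52 PROTO=TCP SPT=2525 DPT=25 SYN
Jul 28 16:01:07 fw kernel: DNS-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.44 DST=198.51.100.53 LEN=60 TTL=127 PROTO=UDP SPT=5353 DPT=25 LEN=40
"""

FIELDS = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, dst) if the line is a TCP connection to port 25, else None."""
    m = FIELDS.search(line)
    if m is None or m.group("proto") != "TCP" or m.group("dpt") != "25":
        return None
    return m.group("src"), m.group("dst")


def summarize(log_text, mail_server=MAIL_SERVER, internal_nets=INTERNAL_NETS):
    """Per internal source: number of port-25 attempts and distinct destinations.

    One workstation talking to many different destinations on port 25 is the
    pattern of a bot delivering straight to recipients' MX hosts; the mail
    server is marked 'expected' so it stands apart in the report.
    """
    attempts = defaultdict(int)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        src, dst = hit
        if not any(ip_address(src) in net for net in internal_nets):
            continue  # inbound mail to our own server; not what we are hunting
        attempts[src] += 1
        targets[src].add(dst)
    return {
        src: {"attempts": n, "distinct_dst": len(targets[src]),
              "expected": src == mail_server}
        for src, n in attempts.items()
    }


def suspicious_hosts(log_text, **kwargs):
    """Internal hosts other than the mail server, busiest first."""
    report = summarize(log_text, **kwargs)
    return sorted((s for s, r in report.items() if not r["expected"]),
                  key=lambda s: (-report[s]["attempts"], s))


if __name__ == "__main__":
    for src, r in summarize(SAMPLE_LOG).items():
        tag = "expected (mail server)" if r["expected"] else "INVESTIGATE"
        print(f"{src:<15} {r['attempts']:>3} attempts to {r['distinct_dst']} hosts  {tag}")
    print("check first:", suspicious_hosts(SAMPLE_LOG))
```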

 


RE: blacklists

2008-07-28 Thread Tim Evans
Sounds like you may have an infected client on your network that is
sending outbound spam. Block port 25 at the firewall for all but
authorized systems (mail server). Set the mail server so that it only
accepts mail from your exchange server. That should get things cleared
up enough so that you'll stay off the blacklists and give you some time
to hunt for the guilty party.

 

 

...Tim

 
