Exchange 2003 - Emails bouncing back. Seems to be reported as spam


  • Exchange 2003 - Emails bouncing back. Seems to be reported as spam

    Hello,

    A customer started having problems with their email system 3 days ago. They can receive email ok and send internally, but they can't send externally or reply to external emails they've received. Email bounces back either after a few seconds or after a few minutes depending on who they've emailed.

    The problem occurs for all users. They have an SBS 2003 server running Exchange. There's about 8 users, Exchange database is only about 3GB in size. No changes have been made to the server.

    Here's a couple of examples of messages that have bounced back:

    There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.
    <customersdomain.co.uk #5.5.0 smtp;554 Service unavailable; Client host [mail.customersdomain.co.uk] blocked using Barracuda Reputation; http://bbl.barracudacentral.com/q.cgi?ip=217.40.34.193>


    customersdomain.co.uk #5.5.0 smtp;550 OU-001 Mail rejected by Windows Live Hotmail for policy reasons. Reasons for rejection may be related to content with spam-like characteristics or IP/domain reputation problems. If you are not an email/network admin please contact your E-mail/Internet Service Provider for help. Email/network admins, please visit http://postmaster.live.com for email delivery information and support>


    Someone else got the 4.4.7 error code on a bounced back email.


    Is it likely their domain has somehow got blacklisted? Not sure where to start here.
    Last edited by itgeezer; 3rd July 2008, 11:20.

  • #2
    Re: Exchange 2003 - Emails bouncing back. Seems to be reported as spam

    One user has managed to successfully get an email through to their personal Gmail account, but that seems to be the only email that's gone through successfully today.



    • #3
      Re: Exchange 2003 - Emails bouncing back. Seems to be reported as spam

      I did a blacklist check at mxtoolbox.com

      It came up with the following:

      Blacklist Name  Status  Return codes  TTL    Response Time (ms)  Reason
      CBL             LISTED  127.0.0.2     3600   375                 Blocked - see Detail
      DNSBLNETAUT1    LISTED  127.0.0.2     10800  1453                Blocked - see Detail
      PSBL            LISTED  127.0.0.2     2100   5000                Listed in PSBL, see Detail
      SPAMCOP         LISTED  127.0.0.2     2100   4828                Blocked - see Detail
      Spamhaus-ZEN    LISTED  127.0.0.4     1800   5031                Detail
      UCEPROTECTL1    LISTED  127.0.0.2     2100   4953                IP 217.40.34.193 is UCEPROTECT-Level 1 listed. See Detail
      WPBL            LISTED  127.0.0.2     3000   4906                Spam source - Detail


      Then there was a long list underneath that where they aren't blocked.


      If I click on the details for one of them I get:

      IP Address xxx.40.34.193 is currently listed in the CBL.

      It was detected at 2008-07-03 07:00 GMT (+/- 30 minutes), approximately 4 hours ago.

      ATTENTION: This IP is infected with, or NATting for a computer infected with a high volume spam sending trojan - it is participating in a botnet.

      This is the Cutwail BOT

      You need to patch your system and then fix/remove the trojan. Do this before delisting, or you're most likely to be listed again almost immediately.

      If this IP is a NAT firewall/gateway, you MUST configure the NAT to prevent outbound port 25 connections to the Internet except from your real mail servers.

      Request delisting of xxx.40.34.193.

      Comment
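
Added example (not part of the original posts): what a blacklist checker like the one used in post #3 does for each list. It reverses the IP's octets, appends the list's DNS zone and does an A lookup. The zone names, the ZEN code table and the stubbed answers for the documentation address 192.0.2.25 are assumptions supplied here, not data from the thread.

```python
import ipaddress
import socket

# Public DNSBL zones (from general knowledge, not taken from the thread).
ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "psbl.surriel.com")

# Spamhaus ZEN answers identify which sub-list matched.
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
             "127.0.0.4": "XBL (CBL data)",
             "127.0.0.10": "PBL", "127.0.0.11": "PBL"}

def dnsbl_name(ip, zone):
    """Build the query name: IPv4 octets reversed, then the zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolve(name):
    """Return the A records for name, or [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_ip(ip, zones=ZONES, resolve=system_resolve):
    """Map each zone to ('listed', codes), ('clean', []) or ('error', codes)."""
    report = {}
    for zone in zones:
        answers = resolve(dnsbl_name(ip, zone))
        # Spamhaus answers 127.255.255.x when it refuses a query (for example
        # one arriving through a large public resolver); that is not a listing.
        errors = [a for a in answers if a.startswith("127.255.255.")]
        hits = [a for a in answers if a.startswith("127.0.")]
        if errors:
            report[zone] = ("error", errors)
        elif hits:
            zen = zone == "zen.spamhaus.org"
            report[zone] = ("listed", [ZEN_CODES.get(a, a) if zen else a for a in hits])
        else:
            report[zone] = ("clean", [])
    return report

# Constructed stub answers so the example runs offline.
STUB = {"25.2.0.192.zen.spamhaus.org": ["127.0.0.4"],
        "25.2.0.192.bl.spamcop.net": ["127.0.0.2"]}

def stub_resolve(name):
    return STUB.get(name, [])

if __name__ == "__main__":
    for zone, (state, detail) in check_ip("192.0.2.25", resolve=stub_resolve).items():
        print(f"{zone:20} {state:7} {', '.join(detail)}")
```

Drop the `resolve=stub_resolve` argument to query the real lists through the system resolver.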


      • #4
        Re: Exchange 2003 - Emails bouncing back. Seems to be reported as spam

        It seems pretty straightforward. What don't you understand?

        The info you posted has lots of detail in it. For example:

        Barracuda IP Reputation Lookup
        The IP address "as posted below" is listed in the Barracuda Reputation System as "poor" as of 07/03/08 05:27:41 PST.

        You need to check your Exchange isn't an open relay
        http://www.petri.com/preventing_exch...m_relaying.htm

        Run your local AV on all servers/clients and clean
        Run another AV (Trend online maybe) as a separate check.

        Run something like Spybot on everything as well.
        etc


        In the future look into only allowing port 25 out from Exchange (assuming this isn't the case already) and make sure definitions are kept up to date.
        cheers
        Andy


        Quis custodiet ipsos custodes?



        • #5
          Re: Exchange 2003 - Emails bouncing back. Seems to be reported as spam

          Spamcop and Spamhaus are the big ones here. Work to get your IP delisted from these two first and then see how email flows.



          • #6
            Re: Exchange 2003 - Emails bouncing back. Seems to be reported as spam

            Domains don't get blacklisted - IP addresses do.
            If you only have a single IP address then it is most likely that a workstation has got compromised.

            Take a look at this blog posting of mine: http://www.sembee.co.uk/archive/2008/03/13/73.aspx

            I have outlined what has happened and what you need to do.

            Simon.
            --
            Simon Butler
            Exchange MVP

            Blog: http://blog.sembee.co.uk/
            More Exchange Content: http://exchange.sembee.info/
            Exchange Resources List: http://exbpa.com/
            In the UK? Hire me: http://www.sembee.co.uk/

            Sembee is a registered trademark, used here with permission.



            • #7
              Re: Exchange 2003 - Emails bouncing back. Seems to be reported as spam

              First time I've encountered a problem like this. Major panic! They were blacklisted in 7 places. I've now got that down to 3. Some, but not all, email is now getting through. Also a couple of people there had Blackberry devices that hadn't been working all week, and they started working again as soon as they came off some of the blacklists.

              Found the offending machine in the company. The antivirus defs were 6 months out of date, and after reloading Symantec AV it was then displaying loads of messages about it trying to send loads of emails out to random addresses. Managed to delete a couple of trojans from it.

              Thanks for the replies chaps. Much appreciated.
              Last edited by itgeezer; 3rd July 2008, 19:35.



              • #8
                Re: Exchange 2003 - Emails bouncing back. Seems to be reported as spam

                Do you have a PTR set up as well?
                What do I know, I am only 26.



                • #9
                  Re: Exchange 2003 - Emails bouncing back. Seems to be reported as spam

                  A PTR record won't make any difference. If he's been blacklisted it's because his Exchange has been compromised and his domain/subnet/IP address is relaying spurious email. There's quite a few steps he needs to take to lock down his Exchange other than just getting his IP address delisted.



                  • #10
                    Re: Exchange 2003 - Emails bouncing back. Seems to be reported as spam

                    In most cases it isn't the Exchange server that has been compromised. It is actually a workstation on the network that is sending out the spam. If you only have a single IP address then the IP address gets listed which blocks traffic from the Exchange server as well.

                    Simon.
                    --
                    Simon Butler
                    Exchange MVP

                    Comment
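
Added example (not part of the original posts): one way to find the workstation behind a shared NAT address, by flagging every internal host other than the mail server that attempts outbound TCP port 25. The log format, the addresses and the `MAIL_SERVERS` value are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: the Exchange/SBS box is the only host that should speak SMTP out.
MAIL_SERVERS = {"192.168.16.2"}

# Constructed sample lines in a made-up firewall log format.
SAMPLE_LOG = """\
2008-07-03 06:58:01 ALLOW TCP 192.168.16.2:3021 -> 198.51.100.10:25
2008-07-03 06:58:04 ALLOW TCP 192.168.16.37:1188 -> 203.0.113.5:25
2008-07-03 06:58:04 ALLOW TCP 192.168.16.37:1189 -> 203.0.113.77:25
2008-07-03 06:58:05 ALLOW TCP 192.168.16.37:1190 -> 198.51.100.200:25
2008-07-03 06:58:09 ALLOW TCP 192.168.16.21:2044 -> 203.0.113.80:443
2008-07-03 06:58:11 DENY TCP 192.168.16.40:1502 -> 198.51.100.10:25
garbled line that should be skipped
"""

LINE = re.compile(
    r"^\S+ \S+ (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

def rogue_smtp_senders(log_text, mail_servers=MAIL_SERVERS):
    """Return (src, attempts, distinct_destinations, allowed) per offending host.

    Only outbound port-25 traffic from hosts that are not mail servers counts.
    Results are sorted busiest first; unparseable lines are ignored.
    """
    attempts = defaultdict(int)
    allowed = defaultdict(int)
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["dport"] != "25" or m["src"] in mail_servers:
            continue
        attempts[m["src"]] += 1
        dests[m["src"]].add(m["dst"])
        if m["action"] == "ALLOW":
            # Traffic that actually left the network and could cause a listing.
            allowed[m["src"]] += 1
    rows = [(s, attempts[s], len(dests[s]), allowed[s]) for s in attempts]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for src, n, uniq, ok in rogue_smtp_senders(SAMPLE_LOG):
        print(f"{src}: {n} SMTP attempts to {uniq} hosts, {ok} allowed out")
```

A host with many attempts to many distinct destinations is the one to pull off the network first; a non-zero `allowed` count means the firewall is not yet restricting port 25 to the mail server.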


                    • #11
                      Re: Exchange 2003 - Emails bouncing back. Seems to be reported as spam

                      Originally posted by Sembee View Post
                      In most cases it isn't the Exchange server that has been compromised. It is actually a workstation on the network that is sending out the spam. If you only have a single IP address then the IP address gets listed which blocks traffic from the Exchange server as well.

                      Simon.
                      Good ol' NAT
