AdamAtAppiam Posted October 26, 2006
Over the past few weeks the server I maintain is constantly being blocked by several spam filters such as the CBL and SpamCop. Whilst I am a great believer in these tools (considering the amount of spam we used to receive!!), my users are becoming annoyed at the large number of emails being returned. I have run the following tools on the Exchange 2003 server we run the mail from (as advised by Spamhaus): McAfee Stinger, Symantec malicious software remover, FXMyDoom remover, Microsoft malicious software remover, Norton Anti-Virus, SecCheck... all of which have returned no sign of a virus or trojan residing on the server 'misbehaving itself'! I am now at my wits' end as to how to remain 'unblocked' by CBL. Any further help would be greatly appreciated.
Farelf Posted October 26, 2006
Do you care to leave an IP address? Some of the Exchange 2003 users may be able to offer suggestions, but they would probably like to probe some of your configuration as well.
AdamAtAppiam (Author) Posted October 26, 2006
> Do you care to leave an IP address? Some of the Exchange 2003 users may be able to offer suggestions, but they would probably like to probe some of your configuration as well.
If it helps matters, the IP address is 83.146.42.90
agsteele Posted October 26, 2006
> If it helps matters, the IP address is 83.146.42.90
As you will be aware, this IP address is not currently listed in the SpamCop BL. That's no reassurance for you, of course, given that you believe you have been in the past. A check on Senderbase shows that you are not currently listed in any of the most active block-lists. I took a look at the report history for your IP and find no reports, which most likely means that you have been hitting spamtraps, assuming that you have had SpamCop blocks previously. I note that your IP is provided by Bulldog and is a DSL line. Is this a fixed IP address permanently allocated to you? If not, then this could be part of your problem. Some ISPs will reject mail based purely on the fact that the source IP is dynamic. Given that there are no reports visible to users, I would suggest you may have to raise the issue with deputies[at]spamcop.net. They will want some evidence from you that you are the appropriate person to deal with on the matter rather than an end-user. The most likely causes of spamtrap hits are, firstly, misdirected auto-responders. See the FAQ for more on this. Secondly, an infected PC behind a router on this IP. Assuming you've ruled out the trojan on a PC, the auto-responder issue would be the place to start. But check with the deputies.
Andrew
AdamAtAppiam (Author) Posted October 26, 2006
Andrew, many thanks for the speedy reply. As you noted, the IP address (which is fixed) is not currently listed... that will soon change. Before the end of the day it will be listed in the CBL on Spamhaus. I remove it manually from the CBL directory as soon as the emails get returned to the users, but by the next day it will be listed again. I presume a virus/trojan check will have to be undertaken on all computers behind the router? I just can't understand how one infected PC would cause this issue for the whole network.
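Andrew's check of the SpamCop BL and the daily manual CBL removal above are both lookups an admin can script. The following is an added example (not code from the thread or from SpamCop): it builds the standard DNSBL query name (octets reversed, zone appended) for the two zones the thread names and treats only a 127.0.0.0/8 answer as a listing; the resolver is injectable so the check can be exercised offline, and the zone names are assumed to still answer as they did when the thread was written.

```python
import socket
from ipaddress import IPv4Address
from typing import Callable, Dict, Optional

# Zones discussed in the thread: the CBL and the SpamCop blocklist (assumed zone names).
ZONES = ("cbl.abuseat.org", "bl.spamcop.net")

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone appended."""
    octets = str(IPv4Address(ip)).split(".")   # IPv4Address rejects malformed input
    return ".".join(reversed(octets)) + "." + zone

def default_resolver(name: str) -> Optional[str]:
    """Resolve an A record; None when the name does not exist (NXDOMAIN means not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(ip: str, zone: str,
              resolve: Callable[[str], Optional[str]] = default_resolver) -> bool:
    """True only for an answer inside 127.0.0.0/8, the DNSBL convention for a listing.
    Any other answer (e.g. a wildcard from a dead or re-registered zone) is treated as unlisted."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and answer.startswith("127.")

def check_all(ip: str, resolve: Callable[[str], Optional[str]] = default_resolver,
              zones=ZONES) -> Dict[str, bool]:
    """Listing status per zone, suitable for a daily job that alerts before users see bounces."""
    return {zone: is_listed(ip, zone, resolve) for zone in zones}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "83.146.42.90"  # the IP from the thread
    for zone, listed in check_all(target).items():
        print(f"{target} {'LISTED' if listed else 'not listed'} on {zone}")
```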
agsteele Posted October 26, 2006
> I presume a virus/trojan check will have to be undertaken on all computers behind the router? I just can't understand how one infected PC would cause this issue for the whole network.
I'm not so sure it is an infected PC, but, yes, you should check them all. This assumes you have a single IP address which you have behind a NAT firewall. So, in effect, all your PCs share the same IP address, so just one machine would create a problem for the whole network. You could close port 25 on your router for all users except the Exchange server. That would most likely stop any spew from an infected machine. But you really should look at the misdirected bounces and auto-responder issue I linked to in the FAQ previously. Typically that is a more likely problem. You can fix that by aggressively tackling incoming spam prior to it reaching your users. Many folk will tell you that the best approach is to disable all vacation and auto-response messages. In many business situations it is hard to persuade colleagues of the value of this. Obviously, rejecting incoming spam in the initial SMTP handshake is a good way to go. That drops a good bit of the problem. Stopping the spam that gets through that stage from reaching an auto-responder will ensure that it isn't bounced back to a spam-trap. So spam filtering within Exchange is important. I also believe you can set up rules so that only 'known' senders get vacation messages and the like. So a known correspondent would receive the 'I'm sorry, I'm away' message whilst an unknown sender would not get that message. Since spam which carries a forged spam-trap address as sender will not be known, you won't get listed by that means. I'm not an Exchange user, but others around here might be able to point to further assistance. Again, the FAQ has stuff about Exchange.
Andrew
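Andrew's point that one machine behind NAT taints the shared IP is easiest to confirm from the router's own logs: if outbound TCP/25 is logged, any LAN host other than the Exchange server that talks directly to many mail servers is the candidate. The following is an added example (not from the thread): it parses constructed iptables-style LOG lines, ignores the assumed Exchange server address, and flags hosts that reached several distinct remote mail servers; the log format, the address 192.168.1.10 and the threshold are assumptions.

```python
import re
from typing import Dict, List

EXCHANGE_IP = "192.168.1.10"   # assumed LAN address of the Exchange server (hypothetical)

# Constructed sample of iptables LOG output for forwarded outbound connections.
SAMPLE_LOG = """\
Oct 26 09:14:02 gw kernel: FWD-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.7 PROTO=TCP SPT=3301 DPT=25
Oct 26 09:14:05 gw kernel: FWD-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.20 PROTO=TCP SPT=1025 DPT=25
Oct 26 09:14:05 gw kernel: FWD-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.21 PROTO=TCP SPT=1026 DPT=25
Oct 26 09:14:07 gw kernel: FWD-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=2200 DPT=443
Oct 26 09:14:08 gw kernel: FWD-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.22 PROTO=TCP SPT=1027 DPT=25
Oct 26 09:14:11 gw kernel: FWD-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.8 PROTO=TCP SPT=3302 DPT=25
Oct 26 09:14:12 gw kernel: FWD-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 PROTO=TCP SPT=2201 DPT=25
Oct 26 09:14:13 gw kernel: FWD-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.20 PROTO=TCP SPT=1028 DPT=25
Oct 26 09:14:15 gw kernel: FWD-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.23 PROTO=TCP SPT=1029 DPT=25
"""

# SRC/DST come first; SPT sits between PROTO and DPT in real LOG lines, hence the lazy skips.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+)")

def smtp_sources(log_text: str, exchange_ip: str = EXCHANGE_IP) -> Dict[str, int]:
    """Map each non-Exchange LAN host to the number of distinct hosts it contacted on TCP/25."""
    dests: Dict[str, set] = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["dpt"] != "25" or m["src"] == exchange_ip:
            continue                     # not SMTP, or the legitimate relay
        dests.setdefault(m["src"], set()).add(m["dst"])
    return {src: len(d) for src, d in dests.items()}

def suspects(log_text: str, exchange_ip: str = EXCHANGE_IP, threshold: int = 3) -> List[str]:
    """Hosts that reached at least `threshold` distinct mail servers directly: the
    fan-out pattern of a spam-sending infection rather than a misconfigured client."""
    counts = smtp_sources(log_text, exchange_ip)
    return sorted(src for src, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print("direct SMTP talkers:", smtp_sources(SAMPLE_LOG))
    print("check these PCs first:", suspects(SAMPLE_LOG))
```

Once the offending host is found, the same log prefix shows whether a "port 25 only from the Exchange server" router rule is actually taking effect.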
DavidT Posted October 26, 2006
You should probably take a look through this recent topic, also posted here in the Blocklist Help forum by an Exchange server admin: http://forum.spamcop.net/forums/index.php?showtopic=7344 There's an item in the SpamCop FAQ specifically appropriate to Exchange server issues: http://www.spamcop.net/fom-serve/cache/372.html Among other things, it suggests that you disable the "guest" account and also SMTP AUTH.
DT
Farelf Posted October 27, 2006
If you do elect to check for infected machines on your network (as a precaution), I had heard that CBL can be very helpful in providing "evidence" which might help with the needles and haystacks convergence. Have you found otherwise? Or not had the chance to try yet? Looking at http://cbl.abuseat.org/faq.html