Exchange Server Forums
Blacklisted
Blacklisted - 31.Mar.2008 8:55:00 PM
shudson105
Posts: 20
Joined: 22.Sep.2006
Status: offline
For the past week my company's emails have been getting blocked because our IP addy has been blacklisted. Nothing I have done has been able to fix the issue.

Today I finally ran a packet capture tool (Wireshark) in hopes of finding something I can work with and I discovered (at least during the day) that while no mail (and no spam) is leaving my network, my Exchange is generating thousands of SYN packets. They are leaving by high-numbered ports and are being sent to port 25 on some outside network. Why is Exchange doing this and how do I stop it?

I noticed that my SMTP queue is filled with mail that came through my anti-spam software yet cannot be delivered to any current user. During the same time frame, there were about twice as many unique SYN packet IP addresses as undeliverable mail in the queue. Any thoughts on how these SYN packets are being generated and how to fix it?

Steve

BTW, I have run every free anti-virus, anti-spam, malware and rootkit tool I could find and all I got was 4 low-risk cookies.
RE: Blacklisted - 31.Mar.2008 9:52:25 PM
ik8sqi
Posts: 6
Joined: 13.Jan.2008
Status: offline
Are you sure you're only sending SYNs...? A simple SYN won't usually get you blacklisted. In order to be potentially blacklisted, the connection instead needs to be fully established, and your server must send at least some SMTP commands to attempt the sending of an email. But in this case, you will see the entire sequence SYN - SYN/ACK - ACK and you will then see some SMTP traffic.

Now it's possible that once you're blacklisted, further attempts to send emails to networks that blacklist you will result in them disconnecting you right after the SYN packet, but that just means the damage has already been done - your network has already sent what others see as malicious traffic.

I'd recommend you analyze the Wireshark data for *established* connections out on port 25, and see if those established ones still show signs of malicious/invalid traffic; if so, they will show you the source of it within your network.
_____________________________
Roberto Franceschetti www.logsat.com
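
The check suggested in the reply above, as an added example that is not part of the original thread: it separates bare SYNs from connections that completed the handshake and sent data to port 25, grouped by internal source address. It assumes the capture was taken at the network egress and exported with `tshark -r capture.pcap -Y "tcp.port == 25" -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags -e tcp.len`; the file name, the addresses and the sample rows are constructed.

```python
from collections import Counter, defaultdict

SYN, ACK = 0x02, 0x10
# Constructed sample rows (not data from the thread). Field order:
# ip.src ip.dst tcp.srcport tcp.dstport tcp.flags tcp.len
SAMPLE = """\
10.0.0.5 192.0.2.10 40112 25 0x0002 0
10.0.0.5 192.0.2.10 40112 25 0x0002 0
10.0.0.5 192.0.2.11 40113 25 0x0002 0
10.0.0.5 198.51.100.20 40114 25 0x0002 0
198.51.100.20 10.0.0.5 25 40114 0x0012 0
10.0.0.5 198.51.100.20 40114 25 0x0010 0
10.0.0.5 198.51.100.20 40114 25 0x0018 22
10.0.0.77 203.0.113.5 51001 25 0x0002 0
203.0.113.5 10.0.0.77 25 51001 0x0012 0
10.0.0.77 203.0.113.5 51001 25 0x0010 0
10.0.0.77 203.0.113.5 51001 25 0x0018 18
10.0.0.77 203.0.113.6 51002 25 0x0002 0
203.0.113.6 10.0.0.77 25 51002 0x0012 0
10.0.0.77 203.0.113.6 51002 25 0x0010 0
10.0.0.77 203.0.113.6 51002 25 0x0018 18
"""

def classify_flows(text):
    """Map (client, client_port, server) -> furthest state reached on port 25."""
    state = {}
    for line in text.splitlines():
        src, dst, sport, dport, flags, length = line.split()
        flags = int(flags, 16)
        if dport == "25":                       # client -> remote SMTP server
            key = (src, sport, dst)
            if flags & SYN and not flags & ACK:
                state.setdefault(key, "syn_only")   # retransmitted SYNs collapse
            elif flags & ACK and state.get(key) in ("synack", "established"):
                state[key] = "smtp_sent" if int(length) else "established"
        elif sport == "25" and flags & SYN and flags & ACK:
            key = (dst, dport, src)             # SYN/ACK from the remote server
            if state.get(key) == "syn_only":
                state[key] = "synack"
    return state

def summarize(states):
    """Count flow states per internal source address."""
    per_host = defaultdict(Counter)
    for (client, _port, _server), flow_state in states.items():
        per_host[client][flow_state] += 1
    return {host: dict(counts) for host, counts in per_host.items()}

print(summarize(classify_flows(SAMPLE)))
```

A host other than the mail server showing `smtp_sent` flows is the one to examine first; flows left at `syn_only` were never answered.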
RE: Blacklisted - 2.Apr.2008 12:01:51 AM
shudson105
Posts: 20
Joined: 22.Sep.2006
Status: offline
I *think* and *hope* that I have the problem fixed. The problem wasn't on our server, but actually another machine in the network that was harboring a really nasty virus with its own SMTP engine. I requested delisting off the blacklists and so far all of our mail has been traversing the internet without interruption. No idea where all the SYN packets from Exchange came from, but throughout the afternoon, that problem seemed to have disappeared too.

Appreciated the help!

Steve