Blacklisted exchange 2003

Tags: blacklist, exchange, spam

Our firewall failed about 3 weeks ago and while it was being replaced we were placed on the “cbl.abuseat.org” spam blacklist. Once we got the new firewall in and configured we were able to get unlisted. Now about 2 weeks later we are listed again. Here is our config info and what we have tried.

Win2K3 – Exchange 2003, which goes through the firewall. The firewall was set to deny all outgoing SMTP traffic except for SMTP traffic (originally not restricted to port 25) from our Exchange server. Our 110 client XP machines are running McAfee and are set to not allow sending of SMTP traffic (I have seen this work, so am fairly confident it is working). That was good enough until yesterday when we were blacklisted again.

Working with our firewall vendor we now only allow SMTP traffic on port 25 from the exchange server. All other SMTP traffic is blocked from leaving our network.
It appears that mail was going out on strange ports such as .23111 from our exchange server, is that correct (see first set of log info)? But I am not sure from the latest logs if that has been fixed. Also, can spam bots send spam through an exchange server on port 25? If so can it be stopped without finding the spam bot? We are looking for the spam bot but not having any luck yet.

Thanks for any help.

I ran tcpdump and got the following info before we made the latest firewall changes:

16:54.8 IP  exchange-server.our-domain.com.23111 > s5a1.psmtp.com.25: Flags [.], ack 263, win 65273, length 0
16:55.7 IP  s5a1.psmtp.com.25 > exchange-server.our-domain.com.23111: Flags [P.], ack 4221, win 14600, length 12
16:55.7 IP  exchange-server.our-domain.com.23111 > s5a1.psmtp.com.25: Flags [P.], ack 275, win 65261, length 6
16:56.0 IP  s5a1.psmtp.com.25 > exchange-server.our-domain.com.23111: Flags [P.], ack 4221, win 14600, length 12
16:56.0 IP  exchange-server.our-domain.com.23111 > s5a1.psmtp.com.25: Flags [.], ack 275, win 65261, length 0
16:56.1 IP  s5a1.psmtp.com.25 > exchange-server.our-domain.com.23111: Flags [P.], ack 4227, win 14600, length 21
16:56.1 IP  s5a1.psmtp.com.25 > exchange-server.our-domain.com.23111: Flags [F.], seq 296, ack 4227, win 14600, length 0
16:56.1 IP  exchange-server.our-domain.com.23111 > s5a1.psmtp.com.25: Flags [.], ack 297, win 65240, length 0
16:56.1 IP  exchange-server.our-domain.com.23111 > s5a1.psmtp.com.25: Flags [F.], seq 4227, ack 297, win 65240, length 0
16:56.6 IP  s5a1.psmtp.com.25 > exchange-server.our-domain.com.23111: Flags [.], ack 4228, win 14600, length 0
16:57.7 IP  exchange-server.our-domain.com.23257 > pineapp.hcsmail.com.25: Flags [S], seq 3560091943, win 65535, options [mss 1460,nop,nop,sackOK], length 0
16:58.0 IP  pineapp.hcsmail.com.25 > exchange-server.our-domain.com.23257: Flags [S.], seq 3962637029, ack 3560091944, win 5840, options [mss 1380,nop,nop,sackOK], length 0
16:58.0 IP  exchange-server.our-domain.com.23257 > pineapp.hcsmail.com.25: Flags [.], ack 1, win 65535, length 0
16:58.1 IP  pineapp.hcsmail.com.25 > exchange-server.our-domain.com.23257: Flags [P.], ack 1, win 5840, length 20
16:58.1 IP  exchange-server.our-domain.com.23257 > pineapp.hcsmail.com.25: Flags [P.], ack 21, win 65515, length 33
16:58.2 IP  pineapp.hcsmail.com.25 > exchange-server.our-domain.com.23257: Flags [.], ack 34, win 5840, length 0
16:58.2 IP  pineapp.hcsmail.com.25 > exchange-server.our-domain.com.23257: Flags [P.], ack 34, win 5840, length 20

This is what I got after the firewall changes:

01:52.6 IP  our-exchange.our-domain.com.17177 > our-domaincontroller.our-domain.com.53: 12044+ A? mail.painclinic-nw.com. (40)
01:52.6 IP  our-exchange.our-domain.com.15727 > our-domaincontroller.our-domain.com.53: 12285+ A? mail.snyders-han.com. (38)
01:52.7 IP  99-53-214-98.lightspeed.genvil.sbcglobal.net.1770 > our-exchange.our-domain.com.443: Flags [.], ack 570, win 16380, length 0
01:52.9 IP  204-0.202-68.tampabay.res.rr.com.58065 > our-exchange.our-domain.com.443: Flags [P.], ack 1, win 17477, length 49
01:52.9 IP  204-0.202-68.tampabay.res.rr.com.58065 > our-exchange.our-domain.com.443: Flags [P.], ack 1, win 17477, length 197
01:52.9 IP  our-exchange.our-domain.com.443 > 204-0.202-68.tampabay.res.rr.com.58065: Flags [.], ack 1503, win 64573, length 0
01:52.9 IP  our-exchange.our-domain.com.443 > 204-0.202-68.tampabay.res.rr.com.58068: Flags [P.], ack 1, win 64649, length 149
01:52.9 IP  ggadke.our-domain.com.1203 > our-exchange.our-domain.com.1025: Flags [.], ack 1, win 65016, length 1
01:52.9 IP  our-exchange.our-domain.com.1025 > ggadke.our-domain.com.1203: Flags [.], ack 1, win 65269, length 0
01:52.9 IP  dwhite.our-domain.com.1215 > our-exchange.our-domain.com.1025: Flags [.], ack 1631, win 65535, length 1
01:52.9 IP  our-exchange.our-domain.com.1025 > dwhite.our-domain.com.1215: Flags [.], ack 2574, win 64590, length 0
01:52.9 IP  vbejin.our-domain.com.1282 > our-exchange.our-domain.com.1025: Flags [.], ack 1, win 64548, length 1
01:52.9 IP  our-exchange.our-domain.com.1025 > vbejin.our-domain.com.1282: Flags [.], ack 1, win 64769, length 0
01:53.0 IP  204-0.202-68.tampabay.res.rr.com.58065 > our-exchange.our-domain.com.443: Flags [P.], ack 1, win 17477, length 49
01:53.0 IP  our-storagedevice.our-domain.com.123 > our-exchange.our-domain.com.123: NTPv3, symmetric active, length 68
01:53.0 IP  our-exchange.our-domain.com.21059 > our-domaincontroller.our-domain.com.53: 34757+ PTR? 9.1.168.192.in-addr.arpa. (42)
01:53.0 IP  our-domaincontroller.our-domain.com.53 > our-exchange.our-domain.com.21059: 34757* 1/0/0 PTR[|domain]
01:53.0 ARP, Request who-has our-storagedevice.our-domain.com tell our-exchange.our-domain.com, length 28
01:53.0 IP  our-exchange.our-domain.com.123 > our-storagedevice.our-domain.com.123: NTPv3, Server, length 68
01:53.1 ARP, Reply our-storagedevice.our-domain.com is-at 00:15:17:22:b2:44 (oui Unknown), length 92
01:53.1 IP  99-53-214-98.lightspeed.genvil.sbcglobal.net.1775 > our-exchange.our-domain.com.443: Flags [P.], ack 1, win 17477, length 41
01:53.1 IP  our-exchange.our-domain.com.443 > 204-0.202-68.tampabay.res.rr.com.58065: F

Here is part of a smtp log from the exchange server:

7/2/2010 17:36:15 64.18.6.14 OutboundConnectionResponse SMTPSVC1 our-exchange - 25 - - 220+Postini+ESMTP+225+y6_29_1c0+ready.++CA+Business+and+Professions+Code+Section+17538.45+forbids+use+of+this+system+for+unsolicited+electronic+mail+advertisements. 0 0 164 0 78 SMTP - - - -
7/2/2010 17:36:15 64.18.6.14 OutboundConnectionCommand SMTPSVC1 our-exchange - 25 EHLO - our-exchange.Northwoods.com 0 0 4 0 78 SMTP - - - -
7/2/2010 17:36:15 64.18.6.14 OutboundConnectionResponse SMTPSVC1 our-exchange - 25 - - 250-Postini+says+hello+back 0 0 27 0 172 SMTP - - - -
7/2/2010 17:36:15 64.18.6.14 OutboundConnectionCommand SMTPSVC1 our-exchange - 25 MAIL - FROM: 0 0 4 0 172 SMTP - - - -
7/2/2010 17:36:15 64.18.6.14 OutboundConnectionResponse SMTPSVC1 our-exchange - 25 - - 250+Ok 0 0 6 0 250 SMTP - - - -
7/2/2010 17:36:15 64.18.6.14 OutboundConnectionCommand SMTPSVC1 our-exchange - 25 RCPT - TO: 0 0 4 0 250 SMTP - - - -
7/2/2010 17:36:15 64.18.6.14 OutboundConnectionResponse SMTPSVC1 our-exchange - 25 - - 250+Ok 0 0 6 0 782 SMTP - - - -
7/2/2010 17:36:15 64.18.6.14 OutboundConnectionCommand SMTPSVC1 our-exchange - 25 DATA - - 0 0 4 0 782 SMTP - - - -
7/2/2010 17:36:15 64.18.6.14 OutboundConnectionResponse SMTPSVC1 our-exchange - 25 - - 354+Feed+me 0 0 11 0 860 SMTP - - - -
7/2/2010 17:36:17 64.18.6.14 OutboundConnectionResponse SMTPSVC1 our-exchange - 25 - - 250+Thanks 0 0 10 0 1657 SMTP - - - -
7/2/2010 17:36:17 64.18.6.14 OutboundConnectionCommand SMTPSVC1 our-exchange - 25 QUIT - - 0 0 4 0 1672 SMTP - - - -
7/2/2010 17:36:17 64.18.6.14 OutboundConnectionResponse SMTPSVC1 our-exchange - 25 - - 221+Catch+you+later 0 0 19 0 1735 SMTP - - - -
7/2/2010 17:37:09 208.65.144.247 p01c11m094.mxlogic.net SMTPSVC1 our-exchange gateway IP 0 EHLO - #NAME? 250 0 320 27 0 SMTP - - - -
7/2/2010 17:37:09 208.65.144.247 p01c11m094.mxlogic.net SMTPSVC1 our-exchange gateway IP 0 MAIL - +FROM: 250 0 108 95 0 SMTP - - - -
7/2/2010 17:37:09 208.65.144.247 p01c11m094.mxlogic.net SMTPSVC1 our-exchange gateway IP 0 RCPT - +TO: 250 0 41 38 0 SMTP - - - -
7/2/2010 17:37:09 208.65.144.247 p01c11m094.mxlogic.net SMTPSVC1 our-exchange gateway IP 0 DATA - +<5db32eec-3b06-4e97-8b34-6c147ac35b0a@xtinmta11.xt.local> 250 0 141 22978 281 SMTP - - - -
7/2/2010 17:37:09 208.65.144.247 p01c11m094.mxlogic.net SMTPSVC1 our-exchange gateway IP 0 QUIT - p01c11m094.mxlogic.net 240 515 75 4 0 SMTP - - - -

Best Answer

Hmmm... where to start.

Your Exchange server doesn't make outbound SMTP connections to other email servers FROM port 25, it makes those outbound connections TO port 25. This is the way all TCP/IP hosts operate regardless of the service in question (for the most part, but for this argument consider this to be the case). Exchange uses a local port in the ephemeral port range as its outgoing port and it connects to another email server on that server's port 25. This works in reverse when other email servers connect to your Exchange server to send you email: the other server connects from one of its ephemeral ports to port 25 on your Exchange server.

Why do you think the firewall is relevant to this problem? When the firewall failed did you not have a replacement firewall in place? What was protecting your network while you waited for the new firewall?

If any of your workstations are infected with malware then they're at risk for sending spam through the Exchange server via MAPI or SMTP (depending on how the workstations and the Exchange server are configured), or from themselves.

Merely having a firewall in front of your Exchange server doesn't have anything to do with whether or not your outbound mail will be flagged as spam or whether or not your Exchange server's outbound IP address will be blacklisted. External email servers have no way of detecting whether or not your Exchange server is behind a firewall. A firewall may reduce the likelihood of being blacklisted by restricting outbound SMTP traffic to just that from the Exchange server, which presumably is not being used as a relay.

Your first tcpdump shows the TCP session information for what is presumably an SMTP communication session but gives you no information regarding that SMTP session and is therefore almost worthless in troubleshooting your problem.

Your second tcpdump doesn't show any SMTP connection that I could find and is therefore worthless in troubleshooting your problem.

All that being said, here are a couple of pointers:

Make sure your Exchange server's outbound greeting matches the FQDN for your public MX record.

Make sure to set up a PTR record in your public DNS for the FQDN of the Exchange server.

Make sure to set up an SPF record in your public DNS.

Restrict all outbound communication TO port 25 for all internal hosts except your Exchange server.

None of these are guaranteed to keep you off of the blacklists, but they're helpful in that regard.

As a final note, enable SMTP logging on your Exchange server so that you'll have a log record of all inbound and outbound SMTP sessions. This is invaluable in troubleshooting SMTP problems.
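The answer's two practical points, that only the mail server should ever open connections to port 25 (from an ephemeral local port) and that the Exchange SMTP log is where relayed submissions show up, can be turned into a quick triage script. The Python below is an added example and is not code from the original post or from Exchange. It works on the text shapes pasted in the question: tcpdump's one-line-per-packet output and the Exchange 2003 W3C SMTP log, in which outbound sessions carry "OutboundConnectionCommand"/"OutboundConnectionResponse" in the fourth field. The sample capture and log lines are constructed; the hosts "infected-pc" and "normal-pc", the addresses 192.168.1.57 and 192.168.1.23, and the 192.168.1.9 server address are assumptions for illustration only.

```python
"""Triage for the two questions in the post: which internal hosts open their
own connections to port 25, and which clients are pushing mail through the
Exchange server.  Added example, not code from the original post or from
Exchange.  All capture/log lines below are constructed; host names and
192.168.x.x addresses are assumptions for illustration."""
import re
from collections import Counter, defaultdict

# Hosts allowed to talk to port 25 on the Internet (the answer's last pointer).
# Both spellings that appear in the question's captures are listed.
ALLOWED_SMTP_SENDERS = {"exchange-server.our-domain.com", "our-exchange.our-domain.com"}

# tcpdump text form: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
TCPDUMP_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\S+?)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+?)\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]+)\]"
)


def smtp_packet_direction(line):
    """'to-server' if the packet goes TO port 25, 'from-server' if it comes FROM
    port 25, None if it is not SMTP at all.  The other end of an SMTP session
    is always an ephemeral port, which is why 23111 and 23257 in the question's
    capture are normal and not 'strange ports'."""
    m = TCPDUMP_RE.match(line)
    if not m:
        return None
    if m["dport"] == "25":
        return "to-server"
    if m["sport"] == "25":
        return "from-server"
    return None


def outbound_smtp_connections(dump_lines):
    """Map each local host to the remote mail servers it opened sessions to.
    Only bare SYNs (Flags [S]) are counted, so every session counts once."""
    conns = defaultdict(set)
    for line in dump_lines:
        m = TCPDUMP_RE.match(line)
        if m and m["flags"] == "S" and m["dport"] == "25":
            conns[m["src"]].add(m["dst"])
    return dict(conns)


def rogue_smtp_senders(dump_lines, allowed=ALLOWED_SMTP_SENDERS):
    """Hosts other than the mail server that talk to port 25 directly.  The
    firewall rule from the answer blocks these; each one is a bot candidate."""
    return {h: d for h, d in outbound_smtp_connections(dump_lines).items() if h not in allowed}


def parse_exchange_smtp_log(lines):
    """Yield (direction, client_ip, command, argument) from Exchange 2003 W3C
    SMTP log lines.  Field 4 is 'OutboundConnection*' for our own outbound
    sessions; anything else is a client talking to our port 25."""
    for line in lines:
        f = line.split()
        if len(f) < 12 or f[0].startswith("#"):
            continue
        direction = "out" if f[3].startswith("OutboundConnection") else "in"
        yield direction, f[2], f[8], f[10]


def suspect_relay_clients(log_lines, internal_prefixes=("192.168.", "10."), threshold=5):
    """Internal clients that issued MAIL (one per message) at least `threshold`
    times: a workstation submitting lots of mail through Exchange is exactly
    the 'spam bot sending through the Exchange server' case from the question."""
    counts = Counter()
    for direction, client, command, _ in parse_exchange_smtp_log(log_lines):
        if direction == "in" and command == "MAIL":
            counts[client] += 1
    return {ip: n for ip, n in counts.items()
            if ip.startswith(internal_prefixes) and n >= threshold}


# Constructed capture in the shape of the question's first tcpdump.
TCPDUMP_SAMPLE = """\
16:57.7 IP  exchange-server.our-domain.com.23257 > pineapp.hcsmail.com.25: Flags [S], seq 3560091943, win 65535, options [mss 1460,nop,nop,sackOK], length 0
16:58.0 IP  pineapp.hcsmail.com.25 > exchange-server.our-domain.com.23257: Flags [S.], seq 3962637029, ack 3560091944, win 5840, options [mss 1380,nop,nop,sackOK], length 0
16:58.0 IP  exchange-server.our-domain.com.23257 > pineapp.hcsmail.com.25: Flags [.], ack 1, win 65535, length 0
16:59.1 IP  infected-pc.our-domain.com.1744 > mx.example.net.25: Flags [S], seq 11, win 65535, length 0
16:59.3 IP  infected-pc.our-domain.com.1745 > mx2.example.org.25: Flags [S], seq 12, win 65535, length 0
17:00.0 IP  normal-pc.our-domain.com.1203 > exchange-server.our-domain.com.1025: Flags [.], ack 1, win 65016, length 1
""".splitlines()

# Constructed Exchange SMTP log lines in the shape of the question's log
# ("-" where the forum rendering showed an en dash; 192.168.1.9 assumed server IP).
EXCHANGE_LOG_SAMPLE = [
    "7/2/2010 17:36:15 64.18.6.14 OutboundConnectionCommand SMTPSVC1 our-exchange - 25 EHLO - our-exchange.Northwoods.com 0 0 4 0 78 SMTP - - - -",
    "7/2/2010 17:36:15 64.18.6.14 OutboundConnectionCommand SMTPSVC1 our-exchange - 25 MAIL - FROM:<user@our-domain.com> 0 0 4 0 172 SMTP - - - -",
    "7/2/2010 17:37:09 208.65.144.247 p01c11m094.mxlogic.net SMTPSVC1 our-exchange 192.168.1.9 0 MAIL - +FROM:<sender@example.net> 250 0 108 95 0 SMTP - - - -",
    "7/2/2010 17:41:00 192.168.1.23 normal-pc SMTPSVC1 our-exchange 192.168.1.9 0 MAIL - +FROM:<dwhite@our-domain.com> 250 0 108 95 0 SMTP - - - -",
] + [
    # twelve submissions in one minute from a single workstation
    f"7/2/2010 17:40:{s:02d} 192.168.1.57 infected-pc SMTPSVC1 our-exchange 192.168.1.9 0 "
    f"MAIL - +FROM:<bounce{s}@example.org> 250 0 108 95 0 SMTP - - - -"
    for s in range(12)
]

if __name__ == "__main__":
    print("hosts opening their own port-25 sessions:", rogue_smtp_senders(TCPDUMP_SAMPLE))
    print("internal clients submitting lots of mail via Exchange:",
          suspect_relay_clients(EXCHANGE_LOG_SAMPLE))
```

Run it against a real capture with `tcpdump -l 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25'` piped into `outbound_smtp_connections`, and against the SMTPSVC1 log directory once protocol logging is enabled; the threshold is a starting point, and a workstation that only ever sends via MAPI will never appear in the SMTP log at all, so an empty result from the second check does not clear the LAN.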
