We are being blocked from various mail servers because of trojan

Discussion in 'Windows Small Business Server' started by Jaredean, May 12, 2009.

  1. Jaredean

    Jaredean Guest


    Our e-mail today has been having MAJOR issues going out. We are being
    tagged from several sites and from what i've been able to gather our
    network, either server or users, has been infected with a spam sending
    trojan...at least that is what one of the lists that we are on is
    saying...here is the text of one of the sites that is blocking us:

    IP Address xx.xxx.xxx.xx is currently listed in the CBL.

    It was detected at 2009-05-11 21:00 GMT (+/- 30 minutes),
    approximately 1 days, 1 hours, 30 minutes ago.

    ATTENTION: At the time of detection, this IP was infected with, or
    NATting for a computer infected with a high volume spam sending trojan
    - it is participating or facilitating a botnet sending spam or
    spreading virus/spam trojans.

    ATTENTION: If you simply repeatedly remove this IP address from the
    CBL without correcting the problem, the CBL WILL eventually stop
    letting you delist it and you will have to contact us directly.

    This is the cutwail spamBOT

    You MUST patch your system and then fix/remove the trojan. Do this
    before delisting, or you're most likely to be listed again almost

    If this IP is a NAT firewall/gateway, you MUST configure the NAT to
    prevent outbound port 25 connections to the Internet except from your
    real mail servers. Please see our recommendations on NAT firewalls

    The Microsoft MSRT (Malicious Software Removal Tool) stands a good
    chance of being able to find/remove the malicious software. If you can
    find which machine the malware is on.

    we are also getting blocked from others like the following:

    "Blocked by Lake Dallas ISD Mail Filter"
    "rejected by Windows Live Hotmail for policy reasons"
    "using pf-ip4tset.blagr.emailsrvr.com"
    etc...many many errors like this giving us rejections...

    Plus, there is a message on the server:

    "A large number of messages are pending in the e-mail server send

    I've been trying to find out what is going on, but because i've never
    had an issue like this in over 10 years of admin on this network, my
    skills at finding and destroying are a bit rusty...i've been scanning
    systems with the "Microsoft MSRT (Malicious Software Removal Tool)",
    per the CBL instructions, but with no luck so far...there are about 20
    users and i've been going systematically through each trying to find
    who the culprit is...

    So, does anyone have steps that i should take to weed this thing out?
    Steps i need to take to get the server protected again and then to get
    us cleared to send mail again?


    Jaredean, May 12, 2009
    1. Advertisements

  2. Jaredean

    Jaredean Guest

    no ideas?
    Jaredean, May 13, 2009
    1. Advertisements

  3. Hello jared,

    Thank you for posting in SBS newsgroup.

    Based on the symptoms it seems your domain is listed and blocked by certain blacklists. You need to block the 25 port from the router/firewall on the
    server as suggested and perform a thorough virus/spam scanning on both SBS server and every clients using your anti-virus software. A solid and
    updated antivirus software is absolutely essential.

    If the virus still exists, you should contact your antivirus vendor for assistance with identifying or removing virus or worm infections. If you need more help
    with virus-related issues, contact Microsoft Product Support Services.

    For support within the United States and Canada, call toll-free (866) PCSAFETY (727-2338).
    For support outside the United States and Canada, visit the Product Support Services Web page (http://support.microsoft.com/?pr=SecurityHome).

    To confirm if the email domain or server IP is blocked, you may try the following 3rd party website:

    RBL Realtime Block List

    Regarding your concern about how to find the originating IP addresses of spam and virus mail messages in SBS server, I am afraid that you may need to
    enable and increase the diagnostic logging level on the Exchange Transport and check the SMTP log for everything details. However, this is not
    recommended since most of the spammer will spoof the IP address and domain name with dynamic ones. Therefore, this method is not efficient and
    time-consuming. Instead of looking for the originating IP addresses of spam and virus mail messages, please refer to the following suggestions and links
    to know more about anti-spam deployment in Exchange server.

    Suggestion One: Connection-Level Protection - [ IP Connection Filtering ]
    First of all, Connection filtering is used to configure Exchange Server to contact a Realtime Block List (RBL) provider to determine whether the computer
    that an e-mail message is sent from appears in a list of "blacklisted" computers. You can also configure exceptions to these connection filters. Generally,
    use a RBL and stop 90% of the spam.

    1. How to configure connection filtering to use Realtime Block Lists (RBLs) and how to configure recipient filtering in Exchange 2003

    2. How to prevent unsolicited commercial e-mail in Exchange 2003

    Suggestions Two: Protocol-Level Protection - [Recipient and Sender Filtering ]
    Exchange Server 2003 provides a recipient filtering feature that can block an e-mail message that has been sent to a recipient that does not exist. The
    recipient filtering feature blocks the e-mail message by rejecting the recipient that does not exist. The recipient filtering feature blocks the e-mail message
    at the Simple Mail Transfer Protocol (SMTP) level. A side effect of this feature is that a malicious sender or a sender of unsolicited commercial e-mail can
    enumerate e-mail addresses that do exist by using a technique that is known as a directory harvest attack.

    If you click to select the "Filter recipients who are not in the Directory" check box when you configure the recipient filtering feature, directory lookup for
    recipients is enabled. If directory lookup is enabled, senders of unsolicited e-mail may discover valid e-mail addresses in your Exchange Server

    How to configure connection filtering to use Realtime Block Lists (RBLs) and how to configure recipient filtering in Exchange 2003

    Suggestions Three: Content-Level Protection - [ Intelligent Message Filter ]
    Microsoft Exchange Server Intelligent Message Filter helps companies reduce the amount of unsolicited commercial e-mail (UCE), also known as spam,
    received by users. This guide provides overall operational information to help optimize the performance of Exchange Server Intelligent Message Filter.

    1. Microsoft Exchange Intelligent Message Filter£¨IMF£© Deployment Guide

    2. Monitoring and Troubleshooting Exchange Server Intelligent Message Filter

    Suggestion Four: SMTP tar pitting
    Tar pitting is the practice of deliberately inserting a delay into certain SMTP communications that are associated with spam or with other unwanted traffic.
    To be effective, these kinds of communications typically rely on generating a high volume of traffic. By slowing an SMTP conversation, you can
    dramatically reduce the rate at which automated spam can be sent or at which a dictionary attack can be conducted. Legitimate traffic may also be
    slowed by tar pitting.

    1. SMTP tar pit feature for Microsoft Windows Server 2003

    2. A software update is available to help prevent the enumeration of Exchange Server 2003 e-mail addresses

    More related information:

    Exchange Server 2003 Anti-Spam Framework Overview

    Exchange server - New Weapons In The Fight Against Spam

    Anti-Spam Enhancements in Exchange Server 2003 Service Pack 2

    TechNet Support WebCast: Fighting spam using Microsoft Exchange Server 2003

    Hope this helps. Also, if you have any questions or concerns, please do not hesitate to let me know.

    Thanks for your earlier feedback!

    Best regards,
    Robbin Meng(MSFT)
    Microsoft Online Newsgroup Support

    Please post your EBS related questions to the EBS newsgroup on Connect website:

    If you want to use a newsreader other than a web forum to access these newsgroups,
    please refer to the following blog to apply NNTP password and configure a newsreader:
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Robbin Meng [MSFT], May 13, 2009
  4. Jaredean

    ERG Guest

    you need to configure your firewall to block all outgoing network
    traffic on port 25 while still allowing your exchange server traffic on
    port 25.

    do you have any sort of anti-virus software you can use to scan your
    computers? you really need to make sure your network is clean.

    once you are confident that port 25 is blocked on your network and your
    network is clean, you can go the CBL site (http://cbl.abuseat.org/)
    and request your IP to be removed from the block list.

    more info about securing your network can be found on their site:
    ERG, May 13, 2009
  5. Jaredean

    Jaredean Guest

    Thank you so much (both of you) for your replies...i've been here over
    10 hours going user to user running malicious scans, antivirus scans,
    etc on each system...i've found a couple with trojans and feel i've
    gotten it eradicated...

    SO, now i want to block Port 25, but don't know the steps...i have SBS
    2003 with ISA 2004 on it, so any steps to do this so i don't mess up
    the mail would be very much appreciated!

    again, thank you!


    Jaredean, May 13, 2009
  6. Robbin Meng [MSFT], May 13, 2009
  7. Jaredean

    Duncan McC Guest

    Hi Robbin, would it be possible to elaborate a bit on the rule, for
    Jared, um... me (for future), and anyone else wondering using ISA?

    Where would it go exactly - before or after the existing SBS 2003 ISA
    2004 auto-made ones - see pic...

    Also, should any of the SBS ones be disabled?

    Duncan McC, May 13, 2009
  8. Jaredean

    Jaredean Guest

    Thanks Dave...When i was working on it over night i looked at the
    Queue and there weren't that many messages / connectors in there at
    all (maybe 2) and i checked and they looked legit...but, it seemed
    like they weren't really "going out" for some reason, so i didn't know
    what is the deal...they say "retry" and look like they've been there
    for a day now...


    Jaredean, May 13, 2009
  9. Jaredean

    Jaredean Guest

    YES! Thank you Duncan for bringing this up...i've been searching for
    steps on this and can't find specific steps (nothing makes me feel
    like i know nothing about SBS like ISA Server...i don't like working
    in it at all)...

    Here is something I tried, but after trying it nothing would go
    out...i'll put the exact settings i chose and someone smarter than
    myself (pretty much anyone here) can let me know where i went wrong...

    GO TO ISA SERVER AND choose SERVER > FIREWALL POLICY > on right under
    Tasks choose "Create New Access Rule"

    Here are the settings for first rule that i setup to only allow e-mail
    from our server:

    called: smtp allow sbs
    rule action: allow
    selected protocol: smtp
    ports: 25
    rule applies to traffic from these sources: <Our Server Name>
    rule applies to traffic sent to these destinations: external
    rule applies to requests from the following user sets: all users

    Here are the settings for the second rule that i setup to block all
    other e-mail through our server:

    called: smtp DENY network
    rule action: deny
    selected protocol: smtp
    ports: 25
    rule applies to traffic from these sources: INTERNAL
    rule applies to traffic sent to these destinations: external
    rule applies to requests from the following user sets: all users

    Last, i noticed the SMTP Outbound Access Rule, so i put the two i
    created (allow above the deny) and then disabled the SMTP OUTBOUND

    I then restarted SMTP and tested several e-mails and nothing went
    through...then i noticed they just got stuck in the Queue...i disabled
    my rules and re-enabled the SMTP Outbound Access Rule and restared the
    SMTP service to get it back and it worked...But, Port 25 is still wide
    open from within the network, so no idea what to do at this point...i
    REALLY want to block everyone but the server, but want to do it the
    right way so we can still e-mail...

    Jaredean, May 13, 2009
  10. Jaredean

    Jaredean Guest

    I did the CBL list and we are unblocked on there now, but are still
    having issues with many many others and i think it might be a coulple
    of hours, but don't know what i'm missing on some...it just says, "see
    your admin"...no instructions on how to remove...


    Jaredean, May 13, 2009
  11. Jaredean

    SteveB Guest

    You shouldn't need the first allow rule since you already have one that the
    CEICW setup for outbound SMTP from the server only. Your deny rule for
    internal clients looks ok.
    SteveB, May 13, 2009
  12. Hmm...I have to disagree with this. Most RBLs are good about noticing the
    difference between a real spambot network and backscatter from NDRs.
    Especially with multiple RBLs listing him, he probably has a real infection
    somewhere on the network.

    Cliff Galiher, May 13, 2009
  13. Jaredean

    Jaredean Guest

    But isn't the rule setup by the CEICW an allow rule for everyone to go
    through port 25? The SMTP Outbound Access Rule is the one i'm
    thinking about.

    Jaredean, May 14, 2009
  14. Jaredean

    SteveB Guest

    No look at it and you'll see the from is local host which means only the SBS
    SteveB, May 14, 2009
  15. Jaredean

    Jaredean Guest

    Hey all, i'm getting pretty concerned becuase this is the 2nd day i'm
    having to deal with this and we are getting put on more blacklists.
    I'm running on very little sleep and have to get this fixed tonight
    while people are out of the office...here is some more information to
    help asses the situation...

    In the past the owner didn't want to spend the money for network
    antivirus, so when Trend Micro expired last June he told me to just
    use store bought McAfee on some of the computers and not worry about
    the server for antivirus software...BIG mistake, i know - i just
    didn't have any money for it...

    Well, now i don't have any antivirus solution on the 2 servers (main
    and member) and some of the clients are missing McAffee...i realize
    this is a horrible mistake, and know i will get lectured but can only
    do what i have the ability from the owner to do even after telling him
    multiple times it makes my job harder.

    So, here is my current need:

    1. Put antivirus on both servers (please give me a good suggestion
    that i can put on right now to hopefully have 30 or 60 days of trial
    to come up with the money)

    EVERYONE BUT SERVER. It is very surprising to me that this is a
    solution i read about, but can not find a single "how to" article on
    it...i'm not an ISA guy at all, so with ISA 2004 i feel very
    lost...personally, i hate working in it and was very frusterated last
    night at 4:00 in the morning after searching for an hour and not
    finding anything. If this is a common thing to do, how come nobody
    has detail steps to follow?

    3. I'd like to find out throught some sort of logs on the server how
    to view this issue...i thought i had it fixed, we were removed from
    the blacklists...i slept for about 3 hours after being up almost 30
    and when i woke up we were back on the blacklists...so, i obviously
    missed something...

    As always THANK YOU...this group is invaluable...i really do try and
    find fixes myself before posting to the group...i don't want to be
    viewed as taking adavantage of you guys, but with all of the jobs i
    have, Network Admin is only one of several and it gets neglected until
    we have a "fire" situation...


    Jaredean, May 14, 2009
  16. Jaredean

    Leythos Guest

    You are so screwed.

    Your best and only bet is to backup the DATA and then wipe the servers
    and computers in the network and start from scratch. Once your network
    is compromised so badly, without AV or other tools, there is no way you
    can be sure you've got it all cleaned. "Cleaning" it would never pass a
    security audit, certainly not worth risking your business for it.

    What you need to do is rebuild the servers while your network is
    shutdown and isolated, using a different AD name, different passwords
    for admin accounts, and disconnect all workstations from the network
    while you rebuild your servers.

    This could be completed in about 6 hours, then, ONLY CONNECT TO
    MICROSOFT to get patches and updates.

    Contact any vendor and buy the minimum licensing for a Corporate AV
    solution - I have never been hacked while using Symantec Corporate
    Edition products - the most current version is Symantec End Point
    Protection, 5 licenses is cheap and you're going to need it.

    You could have the entire office clean and back online in a single day.

    Once you get this done, have your ISP assign you a new public IP, fix
    your public DNS, make sure that the ISP creates a valid RDNS record, and
    then start submitting your domain name for removal to the black-lists.

    If you attempt to get yourself removed before you've fixed the problem
    you are likely to be put on a permanent block.
    Leythos, May 14, 2009
  17. Jaredean

    Jaredean Guest

    Wow, you are saying that is my only option? That it might not just be
    a single computer that is blasting through port 25, but it is
    something that can't be found by putting Symantec on it now and
    running a full scan? That i have no other option?

    Jaredean, May 14, 2009
  18. Jared, the idea comes from a basic security principle 'once compromised
    trust cannot be restored'.

    The idea of this is that if something gets in it is possible for other
    processes to also operate below the level at which AV operates, you can
    _never_ be sure of that installation again.

    It's a 'risk analysis'. Is clean install and assurety of proper operation
    better than operation of an untrusted system?
    SuperGumby [SBS MVP], May 14, 2009
  19. Yes, it is your only option.

    The problem is that viruses, once they get a foothold, can lie to AV
    software, change signature files as they are installed, or otherwise thwart
    cleaning procedures. MOST of the modern malware and botnet variants can do

    Even if one machine on your network was infected, it has had plenty of time
    on that machine to scrape various domain credentials so your entire domain
    is potentially compromised. This means the only effective fix is to rebuild
    the domain...hence the reason Leythos suggests copying *JUST THE DATA* (no
    AD migration!!!!) and using new accounts, passwords, new joins, etc.

    The money saved on passing over AV is lost in time/wages rebuilding the
    network. You knew the lecture was coming...so here it is...you should've
    stuck to your guns with your boss and *REFUSED* (yes, that means threatening
    to quit) over this shortcut. Because guess what...now thiis problem
    reflects on YOU, not him. You can go to him and say "I told you so" all you
    want, and his/her response will be "I didn't realize the problem was this
    bad! You didn't explain it to me!!!" So...yeah....you are screwed.

    Knuckle down, do the work, and double check everything.

    Cliff Galiher, May 14, 2009
  20. Jaredean

    Jaredean Guest

    Thanks for your reply...i guess i question this (but am obviously the
    minority based on responses) - because not all antivirus software is
    100% effective...i know that there are companies out there that get
    virus' and if they got a single trojan then they would have to scrap
    the netowork and start over? If the server had Symantec or Trend on
    it and we still had this issue crop up because it didn't catch a "new
    variant" then it can't be trusted?

    Jaredean, May 14, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.