Applebaum (Guest)
Posted: Wed Nov 02, 2005 9:51 pm
Post subject: Our ISP accuses suspicious activity from us, Blocked port 25
Our ISP's ISP blocked our port 25 because they claim to have detected suspicious activity coming from our IP address. They have not elaborated, except to say that this was strike 1 for us. They've reopened the port for now. Strike 2 requires a written statement that we've taken care of the problem, strike 3 and we're out. With friends like these...

I keep our SBS2000 server up to date with all Microsoft patches (I use HFNet Check). We've got Symantec AntiVirus and Mail Security for Exchange. I ran SpyBot yesterday, it came up clean. I installed SpamCatcher last week (I turned that off yesterday, just as a troubleshooting measure).

I did notice in our Exchange queue a large number of messages waiting to go out to domains that looked unfamiliar. Most of the messages were coming from our Postmaster@sa-intl.org account.

Questions:
1) What else can I do to ensure that we're not sending out anything suspicious from our IP address?
2) What are the queued messages from postmaster@sa-intl.org? Is this simply my server's response to unsolicited emails from those domains?
3) When I rebooted the server yesterday, after logging on, a window came up that said "Windows has finished installing new devices. Do you want to restart now?" I haven't installed anything, other than SpamCatcher. I can't find anything in an event log to shed any light on this. Should I worry about it?
4) Are there ISA logs I could monitor to watch what's coming from our IP?

Many many thanks in advance!!!
Matthew
Applebaum (Guest)
Posted: Wed Nov 02, 2005 9:51 pm
Post subject: Re: Our ISP accuses suspicious activity from us, Blocked port 25
Thank you for the perspective reminder!

Meanwhile, I've been following MS steps to ensure I'm not an open relay. I'm about to run the telnet tests from offsite, but I've noticed one strange thing. In the SMTP properties, in the Access tab, in the Relay button, in the list of Computers Which May Relay through this virtual server, there's an IP address I don't recognize.
"Phillip Windell" <@.> wrote in message news:OijIXz%233FHA.2424@TK2MSFTNGP10.phx.gbl...
Quote:
Then tell them that was Strike One for them when they blocked you without telling you,...
Then it was Strike Two when they threatened you afterwards,.....
"...Strike Three it's a new ISP..."
You are the customer,..you are paying them,...you are the "boss"...
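The offsite test Applebaum is about to run is the classic open-relay check: connect to your own server's public address from outside, give MAIL FROM an address that is not yours, give RCPT TO an address in a domain you do not host, and see whether the server says 250 or "550 Unable to relay". The script below is an added example, not code from this thread or from Microsoft's documentation. It is standard-library Python; the fake SMTP server it talks to is constructed so the example runs offline, and the hostnames and addresses (probe@outside.example, victim@elsewhere.example, probe.example) are made up. sa-intl.org and 64.152.61.74 are the domain and the unrecognised relay-list entry from the thread; the 192.168.16.0/24 range is an assumed internal network. Two caveats a practitioner should keep in mind: like the telnet test, the probe stops after RCPT TO and never sends DATA, so a server that accepts the recipient and only refuses later would show as relaying; and a clean result only says the server is not an open relay, it says nothing about backscatter NDRs or about a compromised machine behind the same IP sending mail directly.

```python
# Added example (not from the thread): an open-relay probe equivalent to the
# manual telnet test, plus an audit of the "computers which may relay" list.
# The fake SMTP server is constructed for offline demonstration.
import ipaddress
import smtplib
import socketserver
import threading


def probe_relay(host, port, mail_from, rcpt_to, helo_name="probe.example", timeout=10):
    """EHLO, MAIL FROM an outside address, RCPT TO an outside domain, then
    RSET/QUIT without DATA. Returns (relays, transcript)."""
    transcript = []
    with smtplib.SMTP(host, port, local_hostname=helo_name, timeout=timeout) as conn:
        conn.ehlo_or_helo_if_needed()
        code, msg = conn.mail(mail_from)
        transcript.append(("MAIL FROM", code, msg.decode(errors="replace")))
        code, msg = conn.rcpt(rcpt_to)
        transcript.append(("RCPT TO", code, msg.decode(errors="replace")))
        conn.rset()  # nothing was sent; the context manager issues QUIT
    return transcript[-1][1] in (250, 251), transcript


def audit_relay_list(entries, own_networks):
    """Classify each IP in the SMTP virtual server's relay allow-list.
    A public address outside own_networks has no business relaying."""
    own = [ipaddress.ip_network(n) for n in own_networks]
    findings = []
    for entry in entries:
        ip = ipaddress.ip_address(entry)
        if any(ip in net for net in own):
            verdict = "expected"
        elif ip.is_private or ip.is_loopback:
            verdict = "private: confirm it is one of yours"
        else:
            verdict = "PUBLIC and not ours: remove it, then find out how it got there"
        findings.append((entry, verdict))
    return findings


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Constructed responder: accepts local-domain recipients, and foreign
    ones only when open_relay is True."""
    local_domains = {"sa-intl.org"}  # the domain named in the thread
    open_relay = False

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        self.reply("220 fake.example ESMTP (constructed test server)")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()  # smtplib sends lowercase verbs
            if verb in ("EHLO", "HELO"):
                self.reply("250 fake.example")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Sender OK")
            elif verb == "RCPT":
                addr = arg.split(":", 1)[-1].strip(" <>")
                domain = addr.rsplit("@", 1)[-1].lower()
                if self.open_relay or domain in self.local_domains:
                    self.reply("250 2.1.5 Recipient OK")
                else:
                    self.reply("550 5.7.1 Unable to relay")
            elif verb in ("RSET", "NOOP"):
                self.reply("250 2.0.0 OK")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("500 5.5.1 Command unrecognized")


def probe_fake_server(open_relay):
    """Start a fake server on a loopback port, probe it, shut it down."""
    handler = type("Handler", (FakeSMTPHandler,), {"open_relay": open_relay})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address
        return probe_relay(host, port, "probe@outside.example", "victim@elsewhere.example")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for flag in (False, True):
        relays, transcript = probe_fake_server(flag)
        print(f"open_relay={flag}: relays={relays} {transcript[-1]}")
    for entry, verdict in audit_relay_list(["127.0.0.1", "192.168.16.2", "64.152.61.74"], ["192.168.16.0/24"]):
        print(f"{entry:>15}  {verdict}")
```

To run the real check, call probe_relay() with your server's public address from a host outside your network; an inside host may be on the relay allow-list and will pass even when the server is wide open to the internet.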
Phillip Windell (Guest)
Posted: Wed Nov 02, 2005 9:51 pm
Post subject: Re: Our ISP accuses suspicious activity from us, Blocked port 25
Then tell them that was Strike One for them when they blocked you without
telling you,...
Then it was Strike Two when they threatened you afterwards,.....
"...Strike Three it's a new ISP..."
You are the customer,..you are paying them,...you are the "boss"...
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp
Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------
Javier Gomez [SBS MVP] (Guest)
Posted: Thu Nov 03, 2005 1:51 am
Post subject: Re: Our ISP accuses suspicious activity from us, Blocked port 25
If you were running SBS/Exchange 2k3... I would say that you should block addresses that don't exist on the directory. I would bet that the large queues that you are seeing are due to NDR "spam" (ironically this means that the server is actually RFC compliant).

Unfortunately, I don't know how to block these on SBS2k without using a 3rd party tool (like GFI Mail Essentials). You can disable all NDRs but that might be too extreme.

More info:
http://msmvps.com/javier/archive/2004/10/27/16828.aspx
--
Javier [SBS MVP]
www.msmvps.com/javier
<< SBS ROCKS!!! >>
Javier Gomez [SBS MVP] (Guest)
Posted: Thu Nov 03, 2005 1:51 am
Post subject: Re: Our ISP accuses suspicious activity from us, Blocked port 25
Quote:
In the SMTP properties, in the Access tab, in the Relay button, in the list of Computers Which May Relay through this virtual server, there's an IP address I don't recognize.

Which is? Public/Private? Can you trace it?
Applebaum (Guest)
Posted: Thu Nov 03, 2005 1:51 am
Post subject: Re: Our ISP accuses suspicious activity from us, Blocked port 25
Yes, I traced it to what seems to be a rather large communications provider. I'm guessing it came from one of their clients. I've informed them.
It was 64.152.61.74.

I feel so... violated!!

I've followed Microsoft's directions on closing open relays, and I've passed their telnet test. Can I assume I'm clean now? Why did my ISP think that we were an open relay? That doesn't sound like a very common sort of false positive.
"Javier Gomez [SBS MVP]" <javier_gomez@REMOVE.THIS.engineer.com> wrote in message news:uXV7jg$3FHA.2676@TK2MSFTNGP15.phx.gbl...
Quote:
In the SMTP properties, in the Access tab, in the Relay button, in the list of Computers Which May Relay through this virtual server, there's an IP address I don't recognize.

Which is? Public/Private? Can you trace it?
Phillip Windell (Guest)
Posted: Thu Nov 03, 2005 1:51 am
Post subject: Re: Our ISP accuses suspicious activity from us, Blocked port 25
"Javier Gomez [SBS MVP]" <javier_gomez@REMOVE.THIS.engineer.com> wrote in message news:%23aMvJg$3FHA.1420@TK2MSFTNGP09.phx.gbl...
Quote:
If you were running SBS/Exchange 2k3... I would say that you should block addresses that don't exist on the directory. I would bet that the large queues that you are seeing are due to NDR "spam" (ironically this means that the server is actually RFC compliant).
Unfortunately, I don't know how to block these on SBS2k without using a 3rd party tool (like GFI Mail Essentials). You can disable all NDRs but that might be too extreme.

What I did in our case was a combination of that. I run GFI, but on a separate SMTP Host and turned off NDRs on it only. Then only the "good" mail (in theory, and according to GFI) gets passed on to the Exchange Server which does have NDR turned on,...so then (hopefully) the only NDRs will be "good" NDRs.
It still isn't perfect, but does reasonably well.
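Javier's diagnosis (the postmaster queue is full of NDRs going back to the forged senders of spam addressed to users who do not exist) and Windell's two-host workaround can both be seen in a small simulation. The following is an added example, not code from the thread, from Exchange or from GFI. It is plain Python over a constructed directory for sa-intl.org and a constructed batch of messages (a dictionary attack with forged senders, one legitimate message, and one legitimate typo that deserves a real bounce); each policy is modelled as a function over that batch, and the gateway case also models the filter missing a couple of spams, which is the "still isn't perfect" Windell mentions. The point it makes: refusing an unknown recipient during RCPT TO originates no bounce at all, because the remote MTA still holds the message and deals with the 5xx itself, whereas accepting and bouncing later turns every forged sender into an NDR target, and that outbound stream is what an upstream provider sees leaving port 25.

```python
# Added example (not from the thread): simulate the three inbound-mail
# policies discussed and count the NDR backscatter each one produces
# against a constructed batch of dictionary-attack spam with forged senders.
from dataclasses import dataclass, field

# Constructed directory for the thread's domain; the addresses are made up.
DIRECTORY = {"matthew@sa-intl.org", "postmaster@sa-intl.org"}


@dataclass
class Message:
    mail_from: str
    rcpt_to: str
    forged_sender: bool     # spam: the envelope sender is an innocent third party
    filter_flags_it: bool   # what a content filter (GFI in Windell's setup) would say


@dataclass
class Outcome:
    delivered: list = field(default_factory=list)
    rejected_at_rcpt: list = field(default_factory=list)  # 5xx in-session; the sender's MTA handles it
    dropped_silently: list = field(default_factory=list)
    ndrs: list = field(default_factory=list)               # (to, about_forged_message) bounces we originate

    def backscatter(self):
        """NDRs addressed to people who never sent us anything."""
        return sum(1 for _to, forged in self.ndrs if forged)


def accept_then_bounce(batch, directory=DIRECTORY):
    """Exchange 2000 as described in the thread: RCPT TO succeeds for any
    address in a local domain; unknown recipients are found later and
    bounced from postmaster, so every forged sender gets an NDR."""
    out = Outcome()
    for m in batch:
        if m.rcpt_to in directory:
            out.delivered.append(m)
        else:
            out.ndrs.append((m.mail_from, m.forged_sender))
    return out


def reject_at_rcpt(batch, directory=DIRECTORY):
    """Recipient filtering: unknown recipients get a 550 during the SMTP
    session, so nothing is accepted that would later have to be bounced."""
    out = Outcome()
    for m in batch:
        (out.delivered if m.rcpt_to in directory else out.rejected_at_rcpt).append(m)
    return out


def gateway_then_exchange(batch, directory=DIRECTORY):
    """Windell's layout: a front-end filter host with NDRs off discards what
    it flags; only the rest reaches Exchange, which still bounces unknown
    recipients. Backscatter survives only where the filter misses a spam."""
    out = Outcome()
    for m in batch:
        if m.filter_flags_it:
            out.dropped_silently.append(m)
        elif m.rcpt_to in directory:
            out.delivered.append(m)
        else:
            out.ndrs.append((m.mail_from, m.forged_sender))
    return out


def constructed_batch(spam_count=50, filter_misses=2):
    """Made-up traffic: a dictionary attack on sa-intl.org with forged
    senders (the first filter_misses of them evade the filter), one
    legitimate message, and one legitimate typo that deserves a real NDR."""
    batch = [
        Message(f"victim{i}@forged.example", f"user{i}@sa-intl.org",
                forged_sender=True, filter_flags_it=(i >= filter_misses))
        for i in range(spam_count)
    ]
    batch.append(Message("friend@partner.example", "matthew@sa-intl.org", False, False))
    batch.append(Message("friend@partner.example", "mathew@sa-intl.org", False, False))
    return batch


def compare(batch=None):
    """Return {policy_name: (delivered, ndrs_sent, backscatter)} for the batch."""
    batch = batch or constructed_batch()
    results = {}
    for policy in (accept_then_bounce, reject_at_rcpt, gateway_then_exchange):
        out = policy(batch)
        results[policy.__name__] = (len(out.delivered), len(out.ndrs), out.backscatter())
    return results


if __name__ == "__main__":
    for name, (delivered, ndrs, backscatter) in compare().items():
        print(f"{name:22} delivered={delivered:2} ndrs={ndrs:2} backscatter={backscatter:2}")
```

Turning NDRs off entirely, the option Javier calls too extreme, would also silence the one good bounce in the batch (the mistyped legitimate address), which is why the rejection has to happen during the session, where the remote server learns of the failure without any message from you.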
Applebaum (Guest)
Posted: Thu Nov 03, 2005 1:51 am
Post subject: Re: Our ISP accuses suspicious activity from us, Blocked port 25
Wow, your nicely written blog makes me really want to upgrade to 2k3.
Which makes me wonder: It's nearly 2006. There's an SBS2000, and a 2003. What's next, and when's it coming? Am I foolish to upgrade to yesterday's news?
Thanks everyone for your help!
Matthew

"Javier Gomez [SBS MVP]" <javier_gomez@REMOVE.THIS.engineer.com> wrote in message news:%23aMvJg$3FHA.1420@TK2MSFTNGP09.phx.gbl...
Quote:
If you were running SBS/Exchange 2k3... I would say that you should block addresses that don't exist on the directory. I would bet that the large queues that you are seeing are due to NDR "spam" (ironically this means that the server is actually RFC compliant).
Unfortunately, I don't know how to block these on SBS2k without using a 3rd party tool (like GFI Mail Essentials). You can disable all NDRs but that might be too extreme.
More info:
http://msmvps.com/javier/archive/2004/10/27/16828.aspx
SuperGumby [SBS MVP] (Guest)
Posted: Thu Nov 03, 2005 1:51 am
Post subject: Re: Our ISP accuses suspicious activity from us, Blocked port 25
The R2 release of SBS 2003 is several months away, the next release will be a 'Longhorn' based product several months after standard Longhorn server is released.

"Applebaum" <mappleNOSPAM@inchNOSPAM.com> wrote in message news:u94pWKA4FHA.2872@TK2MSFTNGP15.phx.gbl...
Quote:
Wow, your nicely written blog makes me really want to upgrade to 2k3.
Which makes me wonder: It's nearly 2006. There's an SBS2000, and a 2003. What's next, and when's it coming? Am I foolish to upgrade to yesterday's news?
Thanks everyone for your help!
Matthew