Virus On Server spamming emails, fixed that but cannot send/receive outside world

  • Question

  • Running Exchange on an SBS 2003 box.  Somehow a virus got onto the system that was sending spam emails out every couple of minutes for days on end.  The emails were destined for @live.com & @yahoo.com accounts.  I was on vacation and didn't see the plethora of undeliverables in my inbox.

    So get back to work, find the virus and remove it.  I'm 100% certain that it is gone.  It was also spamming broadcast packets on my network, and that is no longer happening.

    So besides my inbox having over 200,000 undeliverables to delete, I figure everyone else should be ok to send/receive emails.  Not the case.  No one can get to the outside world with email.  We can send internally just fine.

    Check the System manager queues and see that there is still a plethora of re-sends waiting to go out to the @live and @yahoo emails.  Freeze both of those queues and delete all the messages.  After about 10 minutes the @live goes away, but the yahoo is still there saying "connection refused by server."  I understand that my server was sending out spam and that's why yahoo is blocking me, but any ideas on why I couldn't send emails anywhere else?

    My email receives the undeliverables and I'm having to delete all the "failed to send" spam messages, but haven't seen any bounce backs saying not deliverable.

    Any ideas? Thanks

    Wednesday, October 3, 2012 4:27 PM

Answers

All replies

  • Add to where I'm at so far.

    Started being able to send emails to outside my network.  Still cannot get any email however.

    Checked my MX/A records.  They point to my external IP.

    Checked nslookup from an outside networked computer.  Confirms that the IP address for my mail record is pointing to the correct place.

    Used telnet to send email from an external network just fine.

    Not sure what else to try.

    Thanks


    Also not getting failure notices when sending from other emails.
    • Edited by The POS Guy Wednesday, October 3, 2012 7:57 PM
    Wednesday, October 3, 2012 7:54 PM
  • On Wed, 3 Oct 2012 16:27:52 +0000, The POS Guy wrote:
     
    >
    >
    >Running Exchange on an SBS 2003 box. Somehow a virus got onto the system that was sending spam emails out every couple of minutes for days on end. The emails were destined for @live.com & @yahoo.com accounts. I was on vacation and didn't see the plethora of undeliverables in my inbox.
    >
    >So get back to work, find the virus and remove it. I'm 100% certain that it is gone. It was also spamming broadcast packets on my network, and that is no longer happening.
    >
    >So besides my inbox having over 200,000 undeliverables to delete, I figure everyone else should be ok to send/receive emails. Not the case. No one can get to the outside world with email. We can send internally just fine.
    >
    >Check the System manager queues and see that there is still a plethora of re-sends waiting to go out to the @live and @yahoo emails. Freeze both of those queues and delete all the messages. After about 10 minutes the @live goes away, but the yahoo is still there saying "connection refused by server." I understand that my server was sending out spam and that's why yahoo is blocking me, but any ideas on why I couldn't send emails anywhere else?
     
    Your IP address is probably on a bunch of DNSBLs by now. Visit this
    URL: http://mxtoolbox.com/blacklists.aspx
     
    Put your IP address into the edit box and see which of the most
    popular DNSBLs have you listed. Then start the work of getting
    yourself UNlisted -- or ask your ISP if you can get another IP address
    and change your "A" record and whatever else you use that lists the IP
    address (SPF TXT records, NS records, etc.).
     
    Or maybe your ISP shut down access to port 25? Call them and ask.
     
    >My email receives the undeliverables and I'm having to delete all the "failed to send" spam messages, but haven't seen any bounce backs saying not deliverable.
    >
    >Any ideas..Thanks
     
    See above for starters.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Wednesday, October 3, 2012 9:50 PM
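The DNSBL check Rich points at is nothing more than a DNS query: the address's octets are reversed and prefixed to the list's zone name, an A record in 127.0.0.0/8 means "listed" (the low octet encodes the reason), and NXDOMAIN means "not listed". The script below is an added example written for this thread, not code from the thread or from mxtoolbox. The three zone names are real public DNSBLs chosen for illustration, the sample address 192.0.2.10 is a constructed documentation address, and the `resolve` parameter lets the lookup run against a stub resolver so it can be exercised offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Three public DNSBL zones, chosen for illustration; any list that follows the
# reversed-octet convention is queried the same way.
DNSBL_ZONES = ("zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: 192.0.2.10 checked against zone Z becomes 10.2.0.192.Z."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything that is not IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def interpret_response(answer: Optional[str]) -> str:
    """Translate the A-record answer into a verdict.

    Lists answer 127.0.0.x when the IP is on them; NXDOMAIN (no answer) means
    not listed. Anything outside 127/8 is suspicious: a resolver that rewrites
    NXDOMAIN, or a retired zone that now wildcards, makes every IP look listed.
    """
    if answer is None:
        return "not listed"
    if not answer.startswith("127."):
        return f"unexpected answer {answer} (check your resolver before trusting this)"
    return f"listed (return code {answer})"


def system_resolve(name: str) -> Optional[str]:
    """Default resolver: an A lookup through the OS resolver, None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zones=DNSBL_ZONES,
             resolve: Callable[[str], Optional[str]] = system_resolve) -> Dict[str, str]:
    """Query each zone for the IP and return {zone: verdict}."""
    return {zone: interpret_response(resolve(dnsbl_query_name(ip, zone))) for zone in zones}


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used here as a constructed sample;
    # substitute the mail server's public IP when running this for real.
    for zone, verdict in check_ip("192.0.2.10").items():
        print(f"{zone:28s} {verdict}")
```

Run against a real address this sends live queries to the listed zones, so the verdicts reflect the current state of each list; delisting itself is a separate request to each list operator, and a fresh IP from the ISP only helps once every record naming the old address (the A record behind the MX, SPF) has been updated, as Rich notes.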
  • RATS-Dyna, spamcannibal, ucprotectl1 have me blacklisted.  I'll work on those.

    I did check with my ISP about 25, and it's still open.  Confirmed with a port checker as well.

    Thanks for the help, and hopefully today I can start getting emails again.  Might just end up changing my ip address from my ISP.

    Thursday, October 4, 2012 3:35 PM
  • Hello.

    "Somehow a virus got onto the system"

    This statement makes me believe that it may happen again. I suggest you dig deeper into the cause so that you can take preventative measures. Servers don't just get viruses for no reason.

    Make sure you don't have users using it as a terminal server.

    Don't surf or download and install software unless from a VERY trusted source.

    Keep it patched.

    What type of router do you have? If possible, I would suggest you add a rule to the router's packet filter to disallow SMTP traffic from all LAN hosts except for the Exchange server itself. This way, if one of the LAN workstations gets a virus, you will not wind up on a spam list.


    Miguel Fra | Falcon IT Services, Miami, FL
    www.falconitservices.com | www.falconits.com | Blog

    Thursday, October 4, 2012 4:00 PM
  • unreachable for too long

    is now the response I'm getting when trying to send mail to my exchange server.

    Any thoughts?

    Saturday, October 6, 2012 7:34 PM
  • Hello,

    To start, make sure all the Exchange services are running, the store is mounted and your router is forwarding port 25 to the server. Then, establish a telnet session on port 25 to the server and see if you get a response.

    From the server itself, telnet 127.0.0.1 25

    if it works (220), then from a LAN workstation telnet privateip 25

    if that works, then from a remote workstation telnet publicip 25

    Can you send an email internally?

    Post back the results please.


    Miguel Fra | Falcon IT Services, Miami, FL
    www.falconitservices.com | www.falconits.com | Blog


    • Edited by Miguel Fra Sunday, October 7, 2012 2:51 AM
    Sunday, October 7, 2012 2:51 AM
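Miguel's three telnet steps test one thing from three vantage points: whether a TCP connection to port 25 comes back with a 220 greeting. The script below is an added example (not Miguel's or the thread's code) that performs that check with a timeout and separates the outcomes a troubleshooter needs to tell apart: connection refused, connection timed out, connected but no banner, or a proper 220. To make it runnable offline it also starts a constructed stand-in listener on 127.0.0.1; `PRIVATE_IP` and `PUBLIC_IP` in the `__main__` block are placeholders to replace with the real addresses, and the stand-in's banner text is made up.

```python
import socket
import threading
from typing import Dict, Optional


def check_smtp_banner(host: str, port: int = 25, timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """Connect to host:port and wait for the SMTP greeting, as 'telnet host 25' would.

    Status values:
      refused              nothing listens, or a filter answers with RST
      error: timed out     SYNs dropped silently (typical firewall/NAT problem)
      connected-no-banner  TCP handshake worked but no 220 arrived: something
                           accepts the port (NAT device, filter, wrong host)
                           but no SMTP service answers behind it
      unexpected-banner    a non-SMTP service is on the port
      ok                   a 220 banner came back
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                banner = sock.recv(512).decode("ascii", "replace").strip()
            except socket.timeout:
                return {"status": "connected-no-banner", "banner": None}
            if banner.startswith("220"):
                try:
                    sock.sendall(b"QUIT\r\n")  # close the session cleanly on a real server
                except OSError:
                    pass
                return {"status": "ok", "banner": banner}
            return {"status": "unexpected-banner", "banner": banner}
    except ConnectionRefusedError:
        return {"status": "refused", "banner": None}
    except OSError as exc:  # includes socket.timeout raised during connect
        return {"status": f"error: {exc}", "banner": None}


def start_fake_smtp_server(send_banner: bool = True,
                           banner: bytes = b"220 mail.example.test ESMTP ready\r\n") -> int:
    """Constructed stand-in for an SMTP listener, bound to 127.0.0.1 on a free port.

    send_banner=False accepts the connection but never greets, reproducing the
    'connects, then the connection is lost after a few seconds' symptom.
    Serves exactly one connection, then closes. Returns the chosen port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.settimeout(3.0)
            try:
                if send_banner:
                    conn.sendall(banner)
                conn.recv(64)  # wait for QUIT, or for the client to give up
            except OSError:
                pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Offline demonstration against the constructed listener.
    demo_port = start_fake_smtp_server()
    print("local stand-in:", check_smtp_banner("127.0.0.1", demo_port))
    # The three steps from the post; PRIVATE_IP and PUBLIC_IP are placeholders,
    # and each step is meant to be run from the vantage point named.
    for label, host in (("from the server itself", "127.0.0.1"),
                        ("from a LAN workstation", "PRIVATE_IP"),
                        ("from a remote workstation", "PUBLIC_IP")):
        print(label, "->", check_smtp_banner(host, 25, timeout=5.0)["status"])
```

The value of running the same check from all three places is that the status changes at the hop that is broken: a 220 on 127.0.0.1 and on the LAN address but "error: timed out" or "connected-no-banner" on the public address points at the router or RRAS rather than at Exchange.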
  • On Sat, 6 Oct 2012 19:34:43 +0000, The POS Guy wrote:
     
    >unreachable for too long
    >
    >is now the response I'm getting when trying to send mail to my exchange server.
    >
    >Any thoughts?
     
    So this is a different problem to the one you started with? Now you can
    SEND, but not receive, mail?
     
    Did you change your IP address? If you did, did you adjust the "A"
    record used by your "MX" record in your external DNS?
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Sunday, October 7, 2012 3:37 PM
  • Exchange Event: running
    Exchange IMAP4: disabled (not using any IMAP I think)
    Exchange Information Store: running
    Exchange Management: running
    Exchange MTA Stacks: not running
    Exchange POP3: running
    Exchange Routing Engine: running
    Exchange Site Replication: not running, disabled
    Exchange System Attendant: running

    Telnet to server from server (127.0.0.1) connects fine on port 25

    Telnet to server from lan workstation to lan ip, connects fine

    Telnet to server from outside lan, says "Press any key to continue..." then connection is lost after a few seconds.

    Did not change my external IP address, the MX & A records point to correct location.

    The SBS server functions as the router, and smtp is limited to just that computer.  The virus was on the server and not on any workstations.

    I can send email internally, and send email out, just not receive.  Get that "unreachable for too long" response after several hours.

    Tuesday, October 9, 2012 2:42 PM
  • Initially, besides the email floods going out, no one could send/receive emails.  I think that was partially due to the flood of emails going out.  It was at least 10 a minute.

    Tuesday, October 9, 2012 2:44 PM
  • Hello,

    This would seem to be an inbound firewall issue. To confirm, make sure that when you were unable to telnet, you were using your public IP address and NOT the FQDN, otherwise it could be a DNS or DNS blocking issue.

    From outside, telnet to the server's public IP on port 25, if you don't get a response:

    Make sure your public firewall has port 25 open and is forwarding to the Exchange Server

    Make sure the Windows Firewall is OFF or it has port 25 open

    Make sure you do not have third party firewalls that were put in place by AV software during cleaning


    Miguel Fra | Falcon IT Services, Miami, FL
    www.falconitservices.com | www.falconits.com | Blog

    Tuesday, October 9, 2012 9:50 PM
  • On Tue, 9 Oct 2012 14:44:13 +0000, The POS Guy wrote:
     
    >Initially, besides the email floods going out, no one could send/receive emails. I think that was partially due to the flood of emails going out. It was at least 10 a minute.
     
    What domain name are you using, and what's the IP address you think
    you're using? You can obfuscate the domain name as long as you do it
    in a way that a human being can understand. E.g., domain dot tld,
    domain period tld, domain <.> tld, etc.
     
    Without knowing where the mail goes nobody can tell you what your
    server is telling the outside world -- or if it's talking at all!
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Tuesday, October 9, 2012 9:53 PM
  • Using Routing and Remote Access for the firewall, confirmed it has port 25 open for the server.  Checked inbound/outbound filters for anything odd, didn't see anything.  Turned firewall off and tested from external computer and still same response on telnet to my public IP.  After making any changes to the RRAS I would restart the service.

    Before when I was testing, I was using my public IP that is static from my ISP.

    iXpXoXsRsX-TTky.XcYoXm


    7@4@.1$9$1.1&4$3#.9)8)

    remove the chars that require a shift key

    Thanks



    Wednesday, October 10, 2012 2:02 PM
  • I tried to telnet into the IP address stated above and could not. Given that from within the LAN you can telnet to the Exch server and you get a 220, but you cannot from the outside, this appears to be a firewall problem.

    Please make sure port 25 is open

    Please make sure port 25 is forwarded to 127.0.0.1 (since you are using RRAS)

    Please make sure there are no third-party firewalls installed on the server (from AV software, etc.)


    Miguel Fra | Falcon IT Services, Miami, FL
    www.falconitservices.com | www.falconits.com | Blog

    Wednesday, October 10, 2012 2:46 PM
  • Hello,

    I just ran an Nmap against that IP address, it shows no open firewall ports.


    Miguel Fra | Falcon IT Services, Miami, FL
    www.falconitservices.com | www.falconits.com | Blog

    Wednesday, October 10, 2012 3:04 PM
  • On Wed, 10 Oct 2012 14:02:35 +0000, The POS Guy wrote:
     
    >
    >
    >Using Routing and Remote Access for the firewall, confirmed it has port 25 open for the server. Checked inbound/outbound filters for anything odd, didn't see anything. Turned firewall off and tested from external computer and still same response on telnet to my public ip. Making any changes to the RRAS I would restart the service after making any changes.
    >
    >
    >
    >Before when i was testing, I was using my public ip that is static from my ISP.
    >
    >
    >
    >iXpXoXsRsX-TTky.XcYoXm
    >
    >
    >
    >7@4@.1$9$1.1&4$3#.9)8)
    >
    >remove the chars that require a shft key
     
    Have you transposed the 2nd and 3rd octet in the IP address? That's a
    pretty clever way of disguising the address!
     
    I get no connection at the xx.191.143.xx address. At the xx.143.191.xx
    address (i.e. the one your MX record refers to) I get a connection but
    it eventually times out with no response.
     
    Check your firewall and make sure you have it configured properly to
    get the connection from the xx.143.191.xx address to whatever IP
    address your Exchange server uses. Or make sure your Exchange server's
    listening on the correct IP address!
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Wednesday, October 10, 2012 6:09 PM
  • Took a screenshot, and didn't change anything as that setting I've checked several times.

    If you're showing 25 as closed, if I go to http://www.yougetsignal.com/tools/open-ports/ and check 25 from there, it says it's open?

    No other firewalls running except for RRAS's firewall.
    • Edited by The POS Guy Wednesday, October 10, 2012 6:17 PM
    Wednesday, October 10, 2012 6:15 PM
  • On Wed, 10 Oct 2012 18:15:37 +0000, The POS Guy wrote:
     
    >
    >
    >Took a screenshot, and didn't change anything as that setting I've checked several times.
    >
    >If your showing 25 as closed, if I go to http://www.yougetsignal.com/tools/open-ports/ and check 25 from there, it says it's open.?
    >
    >
    >
    >No other firewalls running except for RRAS's firewall.
     
    Maybe he's using the IP address you posted and not the IP address in
    the "A" record your MX record uses?
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Wednesday, October 10, 2012 10:07 PM
  • Hello,

    Can you make sure the LAN/WAN ports are configured correctly on the RRAS?

    I cannot RDP, telnet on 25 or 110, or telnet on 443, yet according to your screenshot, all are open.

    Also, why is there no traffic on your LAN adapter? You need to make sure it's connected to a switch. Remember, NAT needs to have both adapters connected. Port forwarding forwards to the LAN adapter.


    Miguel Fra | Falcon IT Services, Miami, FL
    www.falconitservices.com | www.falconits.com | Blog



    • Edited by Miguel Fra Thursday, October 11, 2012 2:43 AM
    Thursday, October 11, 2012 2:41 AM
  • Stopped RRAS, and put in a router with port forwarding set for the ones I need.

    FTP, SMTP, RDP, SSL, and HTTP.

    Everything but exchange is working.  Gone through service manager fixing any references to old ip address (192.168.x.1 was server with RRAS, now it's 192.168.x.2) and still haven't gotten a bounce back from my yahoo, so we will see.

    I can telnet in remotely to 25 now.

    Saturday, October 13, 2012 12:33 AM
  • Got exchange working, under the SMTP virtual server, I had unchecked anonymous access.  Checked it back and it's working.

    Now the only problem I'm having is transitioning everything over to the new server's LAN IP address.  When I try to get to my website, mainly for Exchange OWA, I get a "Sorry, 192.168.x.2 is managing this device"

    Checked IIS and changed everything from default to the new server address, but still having problems.  Even if I try and access my router I get the same "managing device" error.  I have to unplug the server from the network to check router settings.

    Edit,

    Now just getting into router using the public ip.  :/

    • Edited by The POS Guy Monday, October 15, 2012 2:27 PM
    Monday, October 15, 2012 1:39 PM
  • When I try to get to my website, mainly for Exchange OWA, I get a "Sorry, 192.168.x.2 is managing this device"

    Sounds like you are HTTP'ing into the router; change the router's management port to something other than 80.

    Enter this: https://privateip/owa from the server


    Miguel Fra | Falcon IT Services, Miami, FL
    www.falconitservices.com | www.falconits.com | Blog

    Monday, October 15, 2012 2:53 PM
  • privateip/owa works.

    Externally, now I just get the login prompt for my router. 

    Using a netgear I had laying around, and it has the spot to change the default port, but I think it's for the "remote management" setting, and not on the lan.


    • Edited by The POS Guy Monday, October 15, 2012 5:22 PM
    Monday, October 15, 2012 4:44 PM
  • Forward port 443 to the Exchange box. Then go to https://yourpublicIPaddress/owa. If the router's management prompt comes up, that means you have the router's management interface set to listen on port 443. Change it to 444, 4043, etc.


    Miguel Fra | Falcon IT Services, Miami, FL
    www.falconitservices.com | www.falconits.com | Blog

    Monday, October 15, 2012 9:02 PM
  • So seems to be working now, we use /exchange and not /owa for some reason, but not a big deal.

    So now everything seems to be working except for two things.

    1.  Can't get the android phones to sync with exchange.  Was working before.

    2.  From the internal network I cannot connect to my server using the machine name, I have to use ip address.  I can't even ping.

    I appreciate all your help and hopefully this is the last set of things.

    Thursday, October 18, 2012 8:00 PM
  • Can you open a new thread for these new questions. Thanks.

    Miguel Fra | Falcon IT Services, Miami, FL
    www.falconitservices.com | www.falconits.com | Blog

    Thursday, October 18, 2012 11:39 PM