We are a legitimate company. We have had some issues in the past with virus attacks / spam bots getting our email server blacklisted.
After the most recent attack I have been tasked with coming up with a solution that would allow us, once we determine we are blocked, to switch over to a clean server and IP.
Here is how my superiors expect this to work... (I feel that with the way email is set up and monitored by the blacklists this may not work as they expect... though the blacklists do function on IP and not domain name...)
1. Determine which computer or Exchange server is infected.
2. Move to a clean Exchange server, or remove the infected computer from the network.
3. Switch the company over to a functional and virus-free Exchange server (a secondary is standing by).
4. Switch the Exchange server to a secondary IP address to avoid blacklisting.
The idea here is to move to a clean, virus-free server and an unblocked IP.
Questions:
1. Is this possible?
2. Will we just be blocked again? (Let's assume we are not sending out spam on the secondary server and IP.)
3. How can I accomplish moving the users from one Exchange server to the other? Moving mailboxes takes a LONG time. Both Exchange servers are on site (physically beside each other).
4. With email reputation as heavily weighted as it is, is it reasonable to expect email sent from the secondary IP to reach the users' inbox?
They expect the switch to take under 30 minutes, from (worst case) an infected Exchange server with a blocked IP to a clean Exchange server with a clean IP.
Server 2003 R2, Exchange 2003 SP2, Active Directory.
Assistance, advice, or alternatives are ALL appreciated! Thanks everyone, Campo
EDIT: Every machine has AVG.
The Exchange server is not an open relay and requires authentication.
I have done every step and taken every precaution, and we still were infected.
EDIT: BLOCKED AGAIN
New virus name (GRUM).
This is not on our Exchange server. No way; scanned with so many things. Went through the registry myself. NOTHING! Scanned all other servers: NOTHING. Scanned user computers: NOTHING. WTF?
Odd thing is email still goes through, but we are on the CBL...
Moved SMTP to a non-standard port. Explicitly blocked port 25 on the firewall. Delisted us.
UPDATE:
I added additional IPs. Now how do I connect the users on one IP to the server on the other IP? Do I just have the Exchange server have 2 IPs (one for each internal network), or is there more to it?
UPDATE 2
This is a reply to @Madboy's comment under his answer:
I have not done it yet. Here is the setup. We now have 5 IPs. I will use 2 for now: 1 for the office network, 1 for Exchange. Our modem has both IPs sent to one port on the back of the machine. That LAN cable goes into a switch, which then splits into 2. Each goes into our modem (dual WAN RV042). I assign Exchange to one subnet, the network to the other. Please confirm this plan. Ideally a PIX or similar FW appliance would be best, but again 0 dollars must be spent. Question is, how will users on one subnet talk to the other? Should I set this up differently? Completely separate networks?
UPDATE 3
OK, I was able to do this. Modem to switch, then I have 3 cables out of the switch. 1 goes to a WRT54G for wireless and to separate outside consultants on their own network (they have no reason to be on ours). The other two cables go to my RV042, which supports dual WAN. I set up a second subnet. Now how do I isolate each WAN on its own subnet? I believe the point of dual WAN on this appliance is to maintain uptime by utilizing separate ISPs... Please assist. WE ARE SO CLOSE, please advise. ALSO: I do not see ANY outbound connections on port 25 other than from the Exchange server. So that is good. And from Exchange the port 25 traffic is at a normal rate, reflective of our volume.
UPDATE 4
I have researched OpenWrt and other solutions. I came upon pfSense; it looks perfect! Thoughts? I have an old P4 I can use. Then I just need a few compatible network cards :).
Resolved:
Modified network layout.
RV042 supports 1:1 NAT.
Isolated WiFi on 1:1 NAT using the WRT54G.
Using 2 NICs on the Exchange server.
1:1 IP mapped to SMTP, OWA, etc.; the other for network traffic.
Thanks all for your help and assistance with this issue.
I own an Exchange 2003 server and have only been blacklisted once. You must be doing something wrong to get blacklisted so much. I've fixed it by doing the following:
Those 3 rules should be enough to get you running without spam problems. You can even go through and unlist your already-blacklisted IPs. MxToolBox will help you a lot with that.
Just to add, maybe you should get some help. Hire consultant or something. I can help if you would like some help.
To answer some of the questions you asked:
So my advice to you is: clean your environment (you can check whether you're still sending spam on the spam lists, since they usually give you the ability to check the last spam received from your IP; use that as part of your investigation), block port 25, put Exchange on a different IP than the other servers and users, and check daily that you're doing OK. You can even set yourself up for monitoring on MxToolBox so it sends you an email as soon as any spam sending starts.
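A scripted version of the "check the spam lists" step from the answer above. This is an added example, not code from the thread or from MxToolBox: it builds the DNSBL query name for the CBL (cbl.abuseat.org, the list the poster was on) and Spamhaus ZEN (which folds the CBL data in as its XBL component), resolves it, and decodes the 127.0.0.x answer. The return-code meanings are taken from the operators' published documentation; the 203.0.113.10 address is a placeholder from the documentation range. The script refuses RFC 1918 addresses, because with the 1:1 NAT layout in the question it is the public mapped address that gets listed, not the server's LAN address.

```python
"""DNSBL self-check for a mail server's public IP (added example)."""
import ipaddress
import socket
import sys

# Query zones: the CBL the poster was listed on, and Spamhaus ZEN which
# includes the CBL data as its XBL component.
DNSBL_ZONES = ("cbl.abuseat.org", "zen.spamhaus.org")

# Meaning of the A record a *listed* query returns (per the operators' docs).
RETURN_CODES = {
    "cbl.abuseat.org": {
        "127.0.0.2": "CBL: host observed sending spam / behaving like a bot",
    },
    "zen.spamhaus.org": {
        "127.0.0.2": "SBL: listed spam source",
        "127.0.0.3": "SBL CSS: snowshoe / compromised-host spam",
        "127.0.0.4": "XBL: exploited host (includes CBL data)",
        "127.0.0.5": "XBL: exploited host (includes CBL data)",
        "127.0.0.6": "XBL: exploited host (includes CBL data)",
        "127.0.0.7": "XBL: exploited host (includes CBL data)",
        "127.0.0.10": "PBL: ISP policy range, should not send mail directly",
        "127.0.0.11": "PBL: Spamhaus-maintained policy range",
    },
}

RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone.
    203.0.113.10 on zen.spamhaus.org -> 10.113.0.203.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("these zones are queried by IPv4 address")
    if any(addr in net for net in RFC1918):
        raise ValueError(f"{ip} is RFC 1918 space; query the public NAT address")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret(zone, code):
    """Translate a returned A record into a verdict (None = code not documented here)."""
    return RETURN_CODES.get(zone, {}).get(code)


def lookup(ip, zone):
    """Resolve the query name. NXDOMAIN means 'not listed'; returns the A records."""
    name = dnsbl_query_name(ip, zone)
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_listing(ip, zones=DNSBL_ZONES, resolver=lookup):
    """Return {zone: [verdicts]} for every zone that currently lists the IP.
    `resolver` is injectable so the logic can be exercised without DNS."""
    hits = {}
    for zone in zones:
        codes = resolver(ip, zone)
        if codes:
            hits[zone] = [interpret(zone, c) or f"listed, undocumented code {c}"
                          for c in codes]
    return hits


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # placeholder
    listed = check_listing(target)
    if not listed:
        print(f"{target}: not listed on {', '.join(DNSBL_ZONES)}")
    for zone, verdicts in listed.items():
        for v in verdicts:
            print(f"{target}: LISTED on {zone}: {v}")
```

Run it from cron against the public SMTP address and mail yourself when `check_listing` returns anything; an XBL/CBL hit specifically means the list operator saw bot-like traffic from that address, which is the "something on the inside is still infected" signal the thread keeps running into.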
You'll be much better off protecting your Exchange server than trying to figure out how to migrate Exchange on the fly.
Install some anti-virus software on your Exchange server. Secure your front-end servers (the ones that have SMTP running and that computers on the Internet send email to) so that people can't send email via the server from outside your network. Install some anti-virus software on all your servers and workstations.
Once all this is done you should be protected from spammers sending email through your servers and you should stop getting blacklisted.
I think you're putting too many eggs in the wrong basket. First things first: PROTECT YOUR NETWORK!
Get some sort of virus scanning going on at your gateway. An IPS at the same location would also be a great idea.
Put good antivirus software on all of your computers. I know we hate it (I hate it too), but it's a necessary evil. Anything that gets past your first line of defense should get caught by the AV.
Block outbound connections to port 25 from every computer except your Exchange servers. There's a reason why ISPs often do this: it stops spam zombies dead. They can't do anything if they can't connect on port 25.
Look into outbound email services. I'm a user of Postini myself. For the price, it's well worth it. There are others as well. I think Trend Micro, AppRiver, and Exchange Defender all do this...probably many more...
As for your solution: definitely maybe. Most blocklists will block single IP addresses, so if one gets blocked you can switch to another. I assume, however, that there are blocklists that are smarter than that. I'm sure someone out there is blocking IP addresses in blocks. So I wouldn't rely on this as a real solution.
As far as moving people, you can always route email through another Exchange server without moving the mailboxes. There's nothing to say that just because a user's mailbox is on one server that all of their mail has to go out to the internet from the same server...just set it up in Exchange to all go through a clean server.
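The "only Exchange may talk to port 25" rule above is both a firewall policy and a detection rule: before the block is in place, any other LAN host opening outbound port 25 connections is the zombie, and after it is in place the DROP lines tell you which machine to pull off the network. The script below is an added example, not code from the thread or from any router product. It encodes the policy in one function and audits a gateway log with it; the log lines are constructed for the example in iptables-LOG style (SRC=/DST=/DPT=), and the Exchange address 192.168.1.10 is an assumption. Adapt `parse_line()` to whatever your gateway actually emits.

```python
"""Audit gateway logs for port-25 egress from anything but the mail server (added example)."""
import re
from collections import defaultdict

SMTP_PORT = 25
# Hosts allowed to initiate port-25 connections to the Internet: the Exchange
# server only.  The address is an assumption for this example.
ALLOWED_SMTP_SENDERS = frozenset({"192.168.1.10"})

# Constructed sample log: a normal pair of deliveries from Exchange, web traffic
# from a workstation, and one workstation (.57) fanning out to many mail servers
# on port 25, which is what a spam zombie looks like at the gateway.  The last
# .57 line is a DROP, i.e. what you see once the egress rule exists.
SAMPLE_LOG = """\
Oct 12 09:14:01 gw kernel: ACCEPT IN=LAN OUT=WAN SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=49152 DPT=25
Oct 12 09:14:02 gw kernel: ACCEPT IN=LAN OUT=WAN SRC=192.168.1.10 DST=198.51.100.9 PROTO=TCP SPT=49153 DPT=25
Oct 12 09:14:03 gw kernel: ACCEPT IN=LAN OUT=WAN SRC=192.168.1.88 DST=203.0.113.40 PROTO=TCP SPT=1051 DPT=80
Oct 12 09:14:03 gw kernel: ACCEPT IN=LAN OUT=WAN SRC=192.168.1.57 DST=203.0.113.5 PROTO=TCP SPT=1045 DPT=25
Oct 12 09:14:03 gw kernel: ACCEPT IN=LAN OUT=WAN SRC=192.168.1.57 DST=203.0.113.20 PROTO=TCP SPT=1046 DPT=25
Oct 12 09:14:04 gw kernel: ACCEPT IN=LAN OUT=WAN SRC=192.168.1.57 DST=198.51.100.9 PROTO=TCP SPT=1047 DPT=25
Oct 12 09:14:04 gw kernel: ACCEPT IN=LAN OUT=WAN SRC=192.168.1.57 DST=203.0.113.5 PROTO=TCP SPT=1048 DPT=25
Oct 12 09:14:05 gw kernel: DROP IN=LAN OUT=WAN SRC=192.168.1.57 DST=198.51.100.77 PROTO=TCP SPT=1049 DPT=25
Oct 12 09:14:06 gw kernel: ACCEPT IN=LAN OUT=WAN SRC=192.168.1.88 DST=203.0.113.40 PROTO=TCP SPT=1052 DPT=443
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP)\b.*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Pull action/src/dst/proto/ports out of one log line; None if it is not a flow line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def smtp_egress_allowed(src, dport, allowed=ALLOWED_SMTP_SENDERS):
    """The egress policy itself: only listed senders may open port 25 outward.
    Everything else (any host, any other port) is outside this rule's scope."""
    if dport != SMTP_PORT:
        return True
    return src in allowed


def audit_smtp_egress(log_text, allowed=ALLOWED_SMTP_SENDERS):
    """Return {src: {connections, accepted, destinations}} for every host that
    violated the policy.  'accepted' > 0 means the firewall rule is missing or
    was added after the fact; many distinct destinations means a spambot, not a
    misconfigured client pointed at one relay."""
    report = defaultdict(lambda: {"connections": 0, "accepted": 0, "destinations": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if smtp_egress_allowed(rec["src"], rec["dpt"], allowed):
            continue
        entry = report[rec["src"]]
        entry["connections"] += 1
        entry["destinations"].add(rec["dst"])
        if rec["action"] == "ACCEPT":
            entry["accepted"] += 1
    return dict(report)


def describe(report):
    """One human-readable line per offending host."""
    return [
        f"{src}: {e['connections']} outbound port-25 attempts to "
        f"{len(e['destinations'])} distinct hosts, {e['accepted']} accepted by the firewall"
        for src, e in sorted(report.items())
    ]


if __name__ == "__main__":
    findings = describe(audit_smtp_egress(SAMPLE_LOG))
    print("\n".join(findings) if findings else "no port-25 egress from non-mail hosts")
```

On the sample the only host reported is 192.168.1.57, with five attempts to four distinct mail servers of which four were accepted: that is the machine to unplug, and the four accepts are the evidence the egress rule was not yet in force when they happened. Port 80/443 traffic and the Exchange server's own deliveries never appear, so the report stays empty on a clean network.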
To add to @mrdenny above, also prohibit workstations from sending email outside of the company network. The workstations should only be able to send email through the Exchange server, which will send the email out to the recipient. Stop anonymous relaying on your Exchange server, only allow secure connections, and close port 25. If you can, create SPF records for your domain (http://www.openspf.org/). It also goes without saying to have antivirus software installed on your workstations and Exchange server.
Yes, you can move to a different IP and server. However, unless you track down the source of this, and prevent it from happening in the future, it will almost certainly happen again (and again :-). The spam-fighters aren't clueless, expect this to only work for a little while before they implement a larger block and start contacting your upstream ISPs.
So, you can do this, but it shouldn't be your primary response to getting blacklisted.
Yes.
Likely your whole network and all networks assigned to you will be blocked at one time.
Basically, 2007+ allows you to have different roles for a server. Simply do not have mailboxes on your front-end server; use it purely for email exchange. But then, with 2010 and a not-stupid configuration, you would not ever have the issue.
Yes.
That said, I have never had an issue with spam in 15 years from any of my servers. So your problem is not the computer; your problem is an admin not able to secure something as simple as a dedicated SMTP sender.