Things to Do When Your Exchange gets Blacklisted

Amit Zinman
One day you get a lot of phone calls about mail not getting anywhere, and your SMTP queue is full of junk. This can easily lead to panic and to many calls to expensive outside consultants. Instead, a few steps can rid you of these attacks. This article deals with how to get your Exchange server off block lists and stop the attacks at the same time.

SMTP Configuration

The first thing to do would be to stop your SMTP service by going to the command prompt and running the following command:

Net stop smtpsvc

It might take a while, but don't worry about it. Next, you need to locate the Exchange SMTP queue directories, typically located at "c:\program files\exchsrvr\mailroot\vsi 1". Use the command prompt to change to this directory and delete all files under the "badmail" and "queue" directories. You might lose one or two valid mails, but during an attack that may be unavoidable.

Now go to Exchange System Manager, locate the SMTP virtual server, open its property pages and view the Relay options.

The following setting ensures that your server is not open to any relay, neither from inside nor from outside. It will also disable SMTP authentication, so if you have POP3/SMTP clients they will have to use a different outgoing SMTP server.

Disabling notifications to the sender is also useful in this scenario so that your SMTP queue is not jammed with non-delivery messages.

Remember to check this option again once the attack is over.

Once this is done you can start the SMTP service using the following command:

Net start smtpsvc

Having started the SMTP service, check to see whether the Queues are filling up again.

Antivirus Protection

You probably already know that this is important. Check that your antivirus is up to date on all servers and workstations. You can also run a check with one of the following free online virus checkers:

http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.kaspersky.com/scanforvirus
http://www.ravantivirus.com/scan/

Blacklists and Remote Attacks

Now, your server might still be under an attack and blacklisted.

The smart thing to do would be to call your ISP and ask them to change the IP address in the MX record for your mail server. The MX record is the DNS entry at your ISP that tells other mail servers how to locate your mail server. This is usually faster than contacting RBL websites and asking them to remove your server from the list. It will also thwart remote attacks on your server. Most ISPs will do this for you for free.

It might take about 24 hours or so for the DNS change to propagate around the world but it is a sure way to solve these problems.

Alternatively, you can find out where your server is blacklisted and try to get it removed. To do this, open the following link, adding your server's external IP address, for example:

http://www.dnsstuff.com/tools/ip4r.ch?ip=123.123.123.123

It will show you where your server is blacklisted and give links to websites where you can get instructions for being removed.
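The lookup such a tool performs can also be run directly against the block lists' DNS zones. The sketch below is an added example, not part of the original article: the zone names in ZONES and all function names are assumptions chosen for illustration, and the resolver can be swapped out for testing.

```python
import ipaddress
import socket

# Assumed zones for illustration; substitute the block lists you care about.
ZONES = ("zen.spamhaus.org", "bl.spamcop.net")
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_name(ip, zone):
    """Query name per RFC 5782: IPv4 octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError if not IPv4
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """A records for name; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        # Caveat: a failing resolver looks the same as "not listed" here.
        return []


def classify(answers):
    """Map one list's answers to 'clean', 'listed' or 'error'."""
    if not answers:
        return "clean"
    addrs = [ipaddress.IPv4Address(a) for a in answers]
    # Some lists (Spamhaus among them) answer in 127.255.255.0/24 to signal a
    # refused or malformed query, e.g. one sent through a public resolver.
    if any(a in ERROR_NET for a in addrs):
        return "error"
    # Genuine listings are return codes inside 127.0.0.0/8.
    if all(a in LISTED_NET for a in addrs):
        return "listed"
    return "error"  # a routable address means wildcard or rewritten DNS


def check(ip, zones=ZONES, resolver=system_resolver):
    """Return {zone: (status, answers)} for the given IPv4 address."""
    results = {}
    for zone in zones:
        answers = resolver(dnsbl_name(ip, zone))
        results[zone] = (classify(answers), answers)
    return results


if __name__ == "__main__":
    # 127.0.0.2 is the RFC 5782 test entry that every IPv4 DNSBL should list.
    for zone, (status, answers) in check("127.0.0.2").items():
        print(f"{zone}: {status} {answers}")
```

Run it from a machine that uses your own or your ISP's resolver; an "error" result means the list refused the query, not that the address is clean.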

Conclusion

E-mail attacks, both internal and external, are not easy to fight due to the nature of the SMTP protocol, but if you know how to protect your server and block attacks, they can be thwarted without resorting to drastic or costly measures.

About Amit Zinman

Amit Zinman currently works as Project Manager and Systems Consultant, heading and consulting on Exchange and NT/Windows 2000 based migrations and deployments for large companies such as Checkpoint, Comverse, Smarteam, Nice, Aladdin and leading Israeli banks. He is also involved in writing scripts and custom solutions for clients based on ADSI, CDO and Visual Basic, teaching Windows 2000 and Exchange 2000 in MCSE colleges, and lecturing in Microsoft User Groups.
