Virus On Server spamming emails, fixed that but cannot send/receive outside world
Running Exchange on a SBS 2003 box. Somehow a virus got onto the system that was sending spam emails out every couple of minutes for days on end. The emails were destined for @live.com & @yahoo.com accounts. I was on vacation and didn't see the plethora of undeliverables in my inbox.

So I get back to work, find the virus and remove it. I'm 100% certain that it is gone. It was also spamming broadcast packets on my network, and that is no longer happening.

So besides my inbox having over 200,000 undeliverables to delete, I figure everyone else should be OK to send/receive emails. Not the case. No one can get to the outside world with email. We can send internally just fine.

I check the System Manager queues and see that there is still a plethora of re-sends waiting to go out to the @live and @yahoo emails. I freeze both of those queues and delete all the messages. After about 10 minutes the @live goes away, but the yahoo is still there saying "connection refused by server." I understand that my server was sending out spam and that's why yahoo is blocking me, but any ideas on why I couldn't send emails anywhere else?

My email receives the undeliverables and I'm having to delete all the "failed to send" spam messages, but haven't seen any bounce backs saying not deliverable.

Any ideas? Thanks
October 3rd, 2012 12:40pm

To add to where I'm at so far: started being able to send emails outside my network. Still cannot get any email, however. Checked my MX/A records; they point to my external IP. Checked nslookup from an outside networked computer; it confirms that the IP address for my mail record is pointing to the correct place. Used telnet to send email from an external network just fine. Not sure what else to try. Thanks. Also not getting failure notices when sending from other emails.
October 3rd, 2012 4:06pm

On Wed, 3 Oct 2012 16:27:52 +0000, The POS Guy wrote:

> Running Exchange on a SBS 2003 box. Somehow a virus got onto the system that was sending spam emails out every couple of minutes for days on end. The emails were destined for @live.com & @yahoo.com accounts. I was on vacation and didn't see the plethora of undeliverables in my inbox.
>
> So I get back to work, find the virus and remove it. I'm 100% certain that it is gone. It was also spamming broadcast packets on my network, and that is no longer happening.
>
> So besides my inbox having over 200,000 undeliverables to delete, I figure everyone else should be OK to send/receive emails. Not the case. No one can get to the outside world with email. We can send internally just fine.
>
> I check the System Manager queues and see that there is still a plethora of re-sends waiting to go out to the @live and @yahoo emails. I freeze both of those queues and delete all the messages. After about 10 minutes the @live goes away, but the yahoo is still there saying "connection refused by server." I understand that my server was sending out spam and that's why yahoo is blocking me, but any ideas on why I couldn't send emails anywhere else?

Your IP address is probably on a bunch of DNSBLs by now. Visit this URL: http://mxtoolbox.com/blacklists.aspx

Put your IP address into the edit box and see which of the most popular DNSBLs have you listed. Then start the work of getting yourself UNlisted -- or ask your ISP if you can get another IP address and change your "A" record and whatever else you use that lists the IP address (SPF TXT records, NS records, etc.).

Or maybe your ISP shut down access to port 25? Call them and ask.

> My email receives the undeliverables and I'm having to delete all the "failed to send" spam messages, but haven't seen any bounce backs saying not deliverable.
>
> Any ideas? Thanks

See above for starters.

--- Rich Matheisen MCSE+I, Exchange MVP
October 3rd, 2012 6:03pm
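The DNSBL check Rich describes works by DNS: the IP's octets are reversed and prefixed to the list's zone, and an A record in 127.0.0.0/8 coming back means the address is listed. The script below is an added example (not from the thread, not the mxtoolbox tool) that builds those query names and classifies the answers; the IP 203.0.113.5 and the `*.example.test` zones are constructed placeholders, and the fake resolver exists only so the logic can be exercised offline. Real checks substitute the zones a lookup tool reports and use the default resolver.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Constructed sample input: an RFC 5737 documentation address, not the poster's IP.
SAMPLE_IP = "203.0.113.5"
# Placeholder zones; substitute the DNSBLs your lookup tool reports (e.g. the ones
# mentioned in the thread) when running for real.
SAMPLE_ZONES = ["dnsbl.example.test", "bl.example.test"]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a DNSBL expects, e.g. 5.113.0.203.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def interpret_answer(answer: Optional[str]) -> str:
    """Classify the A record a DNSBL returned.

    No answer (NXDOMAIN) means not listed. Any 127.0.0.0/8 address means listed;
    the exact value is a list-specific return code worth recording for the
    delisting request. Anything else is not a valid DNSBL response.
    """
    if answer is None:
        return "not listed"
    try:
        a = ipaddress.IPv4Address(answer)
    except ValueError:
        return "unexpected answer"
    if a in ipaddress.IPv4Network("127.0.0.0/8"):
        return f"listed (return code {answer})"
    return "unexpected answer"


def check_ip(ip: str, zones, resolver: Callable[[str], str] = socket.gethostbyname) -> Dict[str, str]:
    """Query every zone for the IP and return {zone: verdict}."""
    results = {}
    for zone in zones:
        name = dnsbl_query_name(ip, zone)
        try:
            answer = resolver(name)
        except socket.gaierror:  # NXDOMAIN / no record
            answer = None
        results[zone] = interpret_answer(answer)
    return results


def _fake_resolver(name: str) -> str:
    """Constructed offline stand-in: pretends the first sample zone lists SAMPLE_IP."""
    if name == "5.113.0.203.dnsbl.example.test":
        return "127.0.0.2"
    raise socket.gaierror("NXDOMAIN (constructed)")


def self_check() -> Dict[str, str]:
    """Run the checker against the fake resolver so it works without network access."""
    return check_ip(SAMPLE_IP, SAMPLE_ZONES, resolver=_fake_resolver)


if __name__ == "__main__":
    for zone, verdict in self_check().items():
        print(f"{dnsbl_query_name(SAMPLE_IP, zone)}: {verdict}")
```

Swap `_fake_resolver` for the default to query live lists; note that a "listed" result with a return code tells you which delisting process to follow, while a clean result across the popular lists points back at the port 25 or ISP question Rich raises next.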

RATS-Dyna, spamcannibal, ucprotectl1 have me blacklisted. I'll work on those. I did check with my ISP about 25, and it's still open; confirmed with a port checker as well. Thanks for the help, and hopefully today I can start getting emails again. Might just end up changing my IP address from my ISP.
October 4th, 2012 11:36am

Hello. "Somehow a virus got onto the system" This statement makes me believe that it may happen again. I suggest you dig deeper into the cause so that you can take preventative measures. Servers don't just get viruses for no reason. Make sure you don't have users using it as a terminal server. Don't surf or download and install software unless from a VERY trusted source. Keep it patched. What type of router do you have? If possible, I would suggest you add a rule to the router's packet filter to disallow SMTP traffic from all LAN hosts except for the Exchange server itself. This way, if one of the LAN workstations gets a virus, you will not wind up on a spam list. Miguel Fra | Falcon IT Services, Miami, FL www.falconitservices.com | www.falconits.com | Blog
October 4th, 2012 12:02pm

"Unreachable for too long" is now the response I'm getting when trying to send mail to my Exchange server. Any thoughts?
October 6th, 2012 3:45pm

Hello, To start, make sure all the Exchange services are running, the store is mounted and your router is forwarding port 25 to the server. Then, establish a telnet session on port 25 to the server and see if you get a response.

From the server itself: telnet 127.0.0.1 25. If it works (220), then from a LAN workstation: telnet privateip 25. If that works, then from a remote workstation: telnet publicip 25.

Can you send an email internally? Post back the results please. Miguel Fra | Falcon IT Services, Miami, FL www.falconitservices.com | www.falconits.com | Blog
October 6th, 2012 10:51pm

On Sat, 6 Oct 2012 19:34:43 +0000, The POS Guy wrote:

> "Unreachable for too long" is now the response I'm getting when trying to send mail to my Exchange server.
>
> Any thoughts?

So this is a different problem to the one you started with? Now you can SEND, but not receive, mail?

Did you change your IP address? If you did, did you adjust the "A" record used by your "MX" record in your external DNS?

--- Rich Matheisen MCSE+I, Exchange MVP
October 7th, 2012 11:42am

Exchange services:
- Exchange Event: running
- Exchange IMAP4: disabled (not using any IMAP, I think)
- Exchange Information Store: running
- Exchange Management: running
- Exchange MTA Stacks: not running
- Exchange POP3: running
- Exchange Routing Engine: running
- Exchange Site Replication: not running, disabled
- Exchange System Attendant: running

Telnet to server from server (127.0.0.1) connects fine on port 25. Telnet to server from LAN workstation to LAN IP connects fine. Telnet to server from outside LAN says "Press any key to continue..." then the connection is lost after a few seconds.

Did not change my external IP address; the MX & A records point to the correct location. The SBS server functions as the router, and SMTP is limited to just that computer. The virus was on the server and not on any workstations. I can send email internally, and send email out, just not receive. Get that "unreachable for too long" response after several hours.
October 9th, 2012 10:42am

Initially, besides the email floods going out, no one could send/receive emails. I think that was partially due to the flood of emails going out. It was at least 10 a minute.
October 9th, 2012 10:44am

Hello, This would seem to be an inbound firewall issue. To confirm, make sure that when you were unable to telnet, you were using your public IP address and NOT the FQDN, otherwise it could be a DNS or DNS blocking issue.

From outside, telnet to the server's public IP on port 25. If you don't get a response:
- Make sure your public firewall has port 25 open and is forwarding to the Exchange Server
- Make sure the Windows Firewall is OFF or it has port 25 open
- Make sure you do not have third party firewalls that were put in place by AV software during cleaning

Miguel Fra | Falcon IT Services, Miami, FL www.falconitservices.com | www.falconits.com | Blog
October 9th, 2012 5:50pm
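The loopback / LAN IP / public IP telnet ladder Miguel lays out earlier in the thread, and the firewall check in this post, both hinge on telling apart three outcomes: a 220 greeting, a TCP connect that is refused, and a TCP connect that never answers. The script below is an added example, not from the thread, that automates that probe and labels each outcome; the three local stand-in servers in `self_check()` are constructed so it can be run offline, and `mail.example.test` is a placeholder banner. On a real run you point `probe_smtp` at 127.0.0.1, the private IP and the public IP in turn.

```python
import socket
import threading
from typing import Dict, Tuple


def probe_smtp(host: str, port: int = 25, timeout: float = 5.0) -> Tuple[str, str]:
    """Connect to host:port, read the SMTP greeting and classify what happened.

    Returns (verdict, detail). The verdicts map onto the thread's symptoms:
      ok                  220 greeting: the MTA is reachable on this path
      connected-no-banner TCP accepted but nothing sent: a forward to the wrong
                          host, or an MTA that is up but not answering
      refused             TCP RST: the port is reachable but nothing listens
      filtered            no TCP answer at all: dropped by a firewall / no route
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                return ("connected-no-banner",
                        "TCP accepted but no greeting within timeout")
            line = data.decode("ascii", errors="replace").strip()
            if line.startswith("220"):
                return ("ok", line)
            if not line:
                return ("connected-closed", "peer closed without a greeting")
            return ("unexpected-greeting", line)
    except ConnectionRefusedError:
        return ("refused", "TCP RST: port reachable but nothing listening")
    except socket.timeout:
        return ("filtered", "no TCP answer: dropped by a firewall or no route")
    except OSError as e:
        return ("error", str(e))


def _serve_once(banner: bytes) -> int:
    """Constructed local stand-in: accept one connection on 127.0.0.1 and either
    send `banner` or stay silent (empty banner). Returns the ephemeral port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler() -> None:
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
            else:
                try:
                    conn.recv(1)  # block until the client gives up and closes
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return port


def self_check(timeout: float = 2.0) -> Dict[str, str]:
    """Exercise probe_smtp offline against three constructed local cases."""
    ok_port = _serve_once(b"220 mail.example.test ESMTP ready\r\n")
    silent_port = _serve_once(b"")
    tmp = socket.socket()  # grab a free port and release it so nothing listens there
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    return {
        "banner": probe_smtp("127.0.0.1", ok_port, timeout)[0],
        "silent": probe_smtp("127.0.0.1", silent_port, timeout)[0],
        "closed": probe_smtp("127.0.0.1", closed_port, timeout)[0],
    }


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or ["127.0.0.1"]
    for host in targets:
        verdict, detail = probe_smtp(host)
        print(f"{host}:25 -> {verdict}: {detail}")
```

The "connected-no-banner" case is the one to watch for here: a connect that succeeds and then goes quiet, from outside only, is what a forward to the wrong internal address or an MTA bound to the wrong interface looks like, whereas "filtered" points at the perimeter firewall dropping the packet.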

On Tue, 9 Oct 2012 14:44:13 +0000, The POS Guy wrote:

> Initially, besides the email floods going out, no one could send/receive emails. I think that was partially due to the flood of emails going out. It was at least 10 a minute.

What domain name are you using, and what's the IP address you think you're using? You can obfuscate the domain name as long as you do it in a way that a human being can understand. E.g., domain dot tld, domain period tld, domain <.> tld, etc.

Without knowing where the mail goes nobody can tell you what your server is telling the outside world -- or if it's talking at all!

--- Rich Matheisen MCSE+I, Exchange MVP
October 9th, 2012 5:53pm

Using Routing and Remote Access for the firewall, confirmed it has port 25 open for the server. Checked inbound/outbound filters for anything odd, didn't see anything. Turned the firewall off and tested from an external computer and still got the same response on telnet to my public IP. When making any changes to RRAS I would restart the service afterwards. Before, when I was testing, I was using my public IP that is static from my ISP.

iXpXoXsRsX-TTky.XcYoXm

7@4@.1$9$1.1&4$3#.9)8)

Remove the chars that require a shift key. Thanks
October 10th, 2012 10:13am

I tried to telnet into the IP address stated above and could not. Given that from within the LAN you can telnet to the Exchange server and you get a 220, but you cannot from the outside, this appears to be a firewall problem.

- Please make sure port 25 is open
- Please make sure port 25 is forwarded to 127.0.0.1 (since you are using RRAS)
- Please make sure there are no third party firewalls installed on the server (from AV software, etc)

Miguel Fra | Falcon IT Services, Miami, FL www.falconitservices.com | www.falconits.com | Blog
October 10th, 2012 10:56am

Hello, I just ran an Nmap against that IP address; it shows no open firewall ports. Miguel Fra | Falcon IT Services, Miami, FL www.falconitservices.com | www.falconits.com | Blog
October 10th, 2012 11:15am

On Wed, 10 Oct 2012 14:02:35 +0000, The POS Guy wrote:

> Using Routing and Remote Access for the firewall, confirmed it has port 25 open for the server. Checked inbound/outbound filters for anything odd, didn't see anything. Turned the firewall off and tested from an external computer and still got the same response on telnet to my public IP. When making any changes to RRAS I would restart the service afterwards.
>
> Before, when I was testing, I was using my public IP that is static from my ISP.
>
> iXpXoXsRsX-TTky.XcYoXm
>
> 7@4@.1$9$1.1&4$3#.9)8)
>
> Remove the chars that require a shift key

Have you transposed the 2nd and 3rd octet in the IP address? That's a pretty clever way of disguising the address!

I get no connection at the xx.191.143.xx address. At the xx.143.191.xx address (i.e. the one your MX record refers to) I get a connection but it eventually times out with no response.

Check your firewall and make sure you have it configured properly to get the connection from the xx.143.191.xx address to whatever IP address your Exchange server uses. Or make sure your Exchange server's listening on the correct IP address!

--- Rich Matheisen MCSE+I, Exchange MVP
October 10th, 2012 2:19pm

Took a screenshot, and didn't change anything as that setting I've checked several times. If you're showing 25 as closed, if I go to http://www.yougetsignal.com/tools/open-ports/ and check 25 from there, it says it's open? No other firewalls running except for RRAS's firewall.
October 10th, 2012 2:26pm

On Wed, 10 Oct 2012 18:15:37 +0000, The POS Guy wrote:

> Took a screenshot, and didn't change anything as that setting I've checked several times.
>
> If you're showing 25 as closed, if I go to http://www.yougetsignal.com/tools/open-ports/ and check 25 from there, it says it's open?
>
> No other firewalls running except for RRAS's firewall.

Maybe he's using the IP address you posted and not the IP address in the "A" record your MX record uses?

--- Rich Matheisen MCSE+I, Exchange MVP
October 10th, 2012 6:17pm

Hello, Can you make sure the LAN/WAN ports are configured correctly on the RRAS? I cannot RDP, telnet on 25 or 110, or telnet on 443; according to your screenshot, all are open. Also, why is there no traffic on your LAN adapter? You need to make sure it's connected to a switch. Remember, NAT needs to have both adapters connected. Port forwarding forwards to the LAN adapter. Miguel Fra | Falcon IT Services, Miami, FL www.falconitservices.com | www.falconits.com | Blog
October 10th, 2012 10:51pm

Stopped RRAS, and put in a router with port forwarding set for the ones I need: FTP, SMTP, RDP, SSL, and HTTP. Everything but Exchange is working. Gone through System Manager fixing any references to the old IP address (192.168.x.1 was the server with RRAS, now it's 192.168.x.2) and still haven't gotten a bounce back from my yahoo, so we will see. I can telnet in remotely to 25 now.
October 12th, 2012 8:45pm

Got Exchange working: under the SMTP virtual server, I had unchecked anonymous access. Checked it back and it's working. Now the only problem I'm having is transitioning everything over to the new server's LAN IP address. When I try to get to my website, mainly for Exchange OWA, I get a "Sorry, 192.168.x.2 is managing this device". Checked IIS and changed everything from default to the new server address, but still having problems. Even if I try and access my router I get the same "managing device" error. I have to unplug the server from the network to check router settings. Edit: now just getting into the router using the public IP. :/
October 15th, 2012 9:39am

> When I try to get to my website, mainly for Exchange OWA, I get a "Sorry, 192.168.x.2 is managing this device"

Sounds like you are HTTP'ing into the router; change the router's management port to something other than 80. Enter this from the server: https://privateip/owa Miguel Fra | Falcon IT Services, Miami, FL www.falconitservices.com | www.falconits.com | Blog
October 15th, 2012 10:53am

privateip/owa works. Externally, now I just get the login prompt for my router. Using a Netgear I had laying around, and it has the spot to change the default port, but I think it's for the "remote management" setting, and not on the LAN.
October 15th, 2012 12:44pm

Forward port 443 to the Exchange box. Then go to https://yourpublicIPaddress/owa. If the router's management prompt comes up, that means you have the router's management interface set to listen on port 443. Change it to 444, 4043, etc. Miguel Fra | Falcon IT Services, Miami, FL www.falconitservices.com | www.falconits.com | Blog
October 15th, 2012 5:02pm

So it seems to be working now; we use /exchange and not /owa for some reason, but not a big deal. So now everything seems to be working except for two things. 1. Can't get the Android phones to sync with Exchange. Was working before. 2. From the internal network I cannot connect to my server using the machine name; I have to use the IP address. I can't even ping. I appreciate all your help and hopefully this is the last set of things.
October 18th, 2012 4:02pm

Can you open a new thread for these new questions? Thanks. Miguel Fra | Falcon IT Services, Miami, FL www.falconitservices.com | www.falconits.com | Blog
October 18th, 2012 7:41pm
