Last week, all of a sudden, emails we were sending to the outside world were being bounced back with 4.4.7, 5.4.0, and 5.7.1 errors. I checked around, and learned that we are on the Composite Blocking List at abuseat.org (www.cbl.abuseat.org). They have a couple of great guides on how to figure out what's wrong with your server/network, and I've been following their instructions.
Here's what I've done so far:
* Added a rule to the firewall to block outgoing port 25 connections from any computer on the network other than the mailserver (hoping that that would stop any strange smtp traffic, if it were coming from a client computer)
* Ran various virus-scans & MalwareBytes on all client computers, and removed a couple of bots and a trojan (Rogue.AntispywareBot, Adware.Minibug, and Trojan.Agent)
* Used TCPView on each client computer, looking for smtp or port 25 connections, but did not see any
So far, I'm still clueless as to where this spam is coming from... abuseat.org says it's coming from our mailserver. Here's what their site actually says:
IP Address 173.xxx.xxx.xxx is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.
It was last detected at 2010-08-27 08:00 GMT (+/- 30 minutes), approximately 13 hours ago.
It has been relisted following a previous removal at 2010-08-26 20:30 GMT (1 days, 54 minutes ago)
In all probability this IP address is a NAT gateway, and the machine at 192.168.16.2 in your local LAN is either infected, or if it's a server, badly misconfigured.
I delisted it yesterday, hoping that I had solved the problem, since it had been over 24 hours since abuseat.org had detected any spam from us... clearly, I was wrong :-P
We are all (11 clients, 1 server) connected to a 24-port network switch, which is connected to a firewall, which is connected to Comcast's router.
My server has been acting VERY strange lately (the last couple days), so I think it really is the problem machine. I can't access it using RDP (the client could not establish a connection to the remote computer), Symantec Endpoint Protection no longer sits in the system tray (nor does it appear to be running unless I start it manually), and it is running slow.
I know this seems like a lot of problems to list in one post, but they all seem to be related (to me... I'm no expert ;-) ) If this is just confusing or not enough info, just let me know what you need, and I'll get it right away (or try to explain the problem in a different way).
Thanks a ton,
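An added example, not part of the original post, of the port-25 check the poster did by hand with TCPView: it parses the output of `netstat -ano` from a Windows machine (run it on the server too, from a local command prompt, since RDP is down) and reports which process ID owns any connection to a remote port 25. The sample netstat rows and the `allowed_pids` set (meant for the real mail server process) are constructed assumptions.

```python
import re
from collections import defaultdict

# One TCP row of Windows `netstat -ano`: Proto, Local Address, Foreign Address, State, PID.
# UDP rows have no State column and no remote endpoint, so the regex skips them.
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def remote_port(addr):
    """Port of an endpoint string such as '203.0.113.5:25' or '[fe80::1%12]:25'."""
    return int(addr.rsplit(":", 1)[1])

def parse_netstat(text):
    """Yield (local, remote, state, pid) for every TCP row in netstat output."""
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            local, remote, state, pid = m.groups()
            yield local, remote, state, int(pid)

def outbound_smtp_by_pid(text, allowed_pids=frozenset()):
    """Map PID -> list of remote endpoints for connections to remote port 25.
    LISTENING sockets show remote 0.0.0.0:0 and never match, so a legitimate
    local MTA is only flagged when it is actually sending; PIDs in allowed_pids
    (assumed: the known mail server process) are ignored."""
    hits = defaultdict(list)
    for _local, remote, _state, pid in parse_netstat(text):
        if pid not in allowed_pids and remote_port(remote) == 25:
            hits[pid].append(remote)
    return dict(hits)

# Constructed sample of `netstat -ano` output from the suspect host 192.168.16.2.
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.16.2:1034      203.0.113.5:25         ESTABLISHED     4120
  TCP    192.168.16.2:1035      203.0.113.9:25         SYN_SENT        4120
  TCP    192.168.16.2:25        0.0.0.0:0              LISTENING       1184
  TCP    192.168.16.2:1040      198.51.100.7:80        ESTABLISHED     2256
  UDP    192.168.16.2:137       *:*                                    4
"""

if __name__ == "__main__":
    # Real use: netstat -ano > netstat.txt, then pass that file's contents here.
    for pid, remotes in outbound_smtp_by_pid(SAMPLE).items():
        print(f"PID {pid}: {len(remotes)} outbound SMTP connection(s) -> {', '.join(remotes)}")
```

Once a PID is flagged, `tasklist /FI "PID eq <pid>"` names the executable behind it, which is the process to examine and quarantine.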