Urgent Company Email Down for 1 Month!

Idbatterim

Hi, this day one month ago, all of the office email bounced back, with the following message...

Your message did not reach some or all of the intended recipients.

Subject: test
Sent: 17/08/2010 17:46

The following recipient(s) could not be reached:

'joebloggs@hotmail.com' on 17/08/2010 17:46
503 Valid RCPT TO <recipient> must precede DATA

Receiving incoming mail has never and is not a problem. After calling in the IT Techinician, we realise we have been blacklisted for sending out spam (we had been infected by a virus) according to the blacklist crowd it was the rustock virus, we ran anti virus checks, anti malware checks, everything on all computers, we also requested to be removed from blacklist. But according to blacklist.ie we have sent out spam as recently as 8 hours ago. This is what they say "IP Address x is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.

It was last detected at 2010-08-17 08:00 GMT (+/- 30 minutes), approximately 8 hours ago.

It has been relisted following a previous removal at 2010-08-05 12:05 GMT (12 days, 4 hours, 1 minutes ago)

This IP is infected (or NATting for a computer that is infected) with the rustock spambot.

How to resolve future problems

Is is possible that their is a virus on a printer or router? Or that even up to date antivirus cant detect certain viruses and malware?

Currently I am using a gmail account to send out work email and all incoming email is rerouted to this account. I appreciate any help or advice any of you may have to offer!

jpl888

Your English isn't great. First thing to do is block all outgoing connections on port 25 and then either setup an SMTP relay on your own network or use an alternative protocol to send on the email clients (submission, whatever).

You could then contact the blacklister after an amount of time and asked to be removed.

Best of luck with it!

bhickey

Hello, some more info would really help so that we can give the best advice :

Broadband type & provider (e.g. ADSL from Vodafone)
Fixed or dynamic IP?
E-mail client(s) used
Mail server type (internal or hosted)
Sample of a blocked IP address
Router/firewall make/model

It should be easy enough then to sort this out. There are a few ways you could tackle it - it just depends on what your setup is.

testicle

You have a compromised box on your network. You need some traffic sniffer such has Wireshark in promiscuous mode to see which box it is.

Idbatterim

thanks for the help and suggestions. bhickey, i know the answers to most but not all of your questions, so will post them up for sure when i know, which will be Monday. I will forward you suggestions to the 2 IT technicians who have been in so far and have failed to correct the problem!

bhickey

Hello Idbatterim, did you get this sorted out and if so can you let us know how? Thanks.