Sponsored Post: SPAM, Viruses and the Blacklisting of Exchange Servers
Filed in archive Sponsored Post by Sue Walsh on February 19, 2008

An Exchange organization may find itself blacklisted - due to a virus infestation on an otherwise well-guarded network.
Here's the scenario - One day out of the blue a corporation's domain is blacklisted. The whole world seems to be returning its mail for violation of security policies the company didn't know it violated.
Turns out the corporation's domain is blacklisted for spamming.
The Exchange server is blamed first.
The logic is that surely this is the only machine capable of sending mail, so it must have been compromised or infected! Microsoft OS based servers often take the rap for being seen as soft towards intrusions and infections.
Penetration tests prove the machine is secure enough not to present itself as an open relay. Detailed file-level virus scans confirm the machine is clean, and message logs confirm that no spam has previously originated, or is currently originating, from the machine. Where to from here? The Exchange server's mails return as NDRs, but it seems to be innocent of the crime.
A clue comes in one of the NDRs - which includes detail revealing that mails are rejected due to a worm on the network guilty of spreading SPAM. The NDR suggests that either the mail server or another machine on the network capable of communicating via the Internet gateway is infected and spamming.
It turns out that visitors with their own machines, including auditors and sales reps, had plugged into the corporate network not knowing they were infected with a SPAM worm. These machines were the ones spamming via the company's outgoing Internet gateway. The gateway's IP address was blocked within a few hours.
Outgoing email NDR'd soon after, with other ISPs' email servers rejecting the outgoing mail.
A request to be delisted is unlikely to succeed until the reason for the listing has been dealt with and no other infections of this nature are present.
Worms and viruses may include their own SMTP software capable of sending mail. Any machine infected with any of the current variants of the Storm Worm (also known as Storm, Zhelatin, Peacomm, Nuwar, Tibs and other names), or with other infections capable of sending mail, may result in a domain being reported or blacklisted. This includes any number of worms, Trojans and viruses capable of broadcasting through the Internet perimeter as well.
Network and perimeter security, as well as adequate levels of anti-virus protection including mandatory scans of visiting machines, become part of the daily arsenal used to secure company networks and prevent the abuse of company resources.
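The investigation above hinged on finding which machine, other than the Exchange server, was sending mail through the gateway. The following is an added example (not code from the original post or its author) of that check run over firewall connection logs: it flags internal hosts that open outbound SMTP connections to the Internet while not being the authorized mail server. The log format, the internal address range, the mail server address 10.0.0.25 and all sample lines are constructed assumptions; a real firewall export would need its own parser in place of `parse_line`.

```python
"""Find internal hosts (other than the authorized mail server) that send
SMTP directly to the Internet, from firewall/gateway connection logs."""
import ipaddress
import re
from collections import defaultdict

# Assumed: the only host permitted to send SMTP out through the gateway.
AUTHORIZED_MAIL_SERVERS = {"10.0.0.25"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
SMTP_PORTS = {25, 465, 587}

# Constructed sample log lines in a generic "src:port -> dst:port" layout.
# Host 10.0.3.44 hammers several mail servers (worm-like); 10.0.7.9 makes a
# single connection; 10.0.0.25 is the Exchange server and is expected.
SAMPLE_LOG = """\
2008-02-19T09:01:02 ALLOW TCP 10.0.0.25:49152 -> 203.0.113.10:25
2008-02-19T09:01:05 ALLOW TCP 10.0.3.44:1043 -> 198.51.100.7:25
2008-02-19T09:01:06 ALLOW TCP 10.0.3.44:1044 -> 198.51.100.8:25
2008-02-19T09:01:07 ALLOW TCP 10.0.3.44:1045 -> 198.51.100.9:25
2008-02-19T09:01:09 ALLOW TCP 10.0.5.17:2201 -> 192.0.2.80:80
2008-02-19T09:01:11 ALLOW TCP 10.0.7.9:3311 -> 192.0.2.25:25
2008-02-19T09:01:12 DENY  TCP 10.0.3.44:1046 -> 198.51.100.10:25
2008-02-19T09:01:13 ALLOW TCP 10.0.0.25:49153 -> 203.0.113.11:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_rogue_smtp_senders(log_text, threshold=1):
    """Return {src_ip: {"allowed": n, "denied": n, "destinations": k}} for
    internal, non-authorized hosts with at least `threshold` outbound SMTP
    attempts to external addresses. Denied attempts still count: a worm
    that keeps retrying after an egress block is still an infected host."""
    stats = defaultdict(lambda: {"allowed": 0, "denied": 0, "dests": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in SMTP_PORTS:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        # Only internal -> external traffic matters for blacklisting.
        if src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue
        if str(src) in AUTHORIZED_MAIL_SERVERS:
            continue
        entry = stats[str(src)]
        entry["allowed" if rec["action"] == "ALLOW" else "denied"] += 1
        entry["dests"].add(str(dst))
    return {
        ip: {"allowed": e["allowed"], "denied": e["denied"],
             "destinations": len(e["dests"])}
        for ip, e in stats.items()
        if e["allowed"] + e["denied"] >= threshold
    }


if __name__ == "__main__":
    for ip, info in sorted(find_rogue_smtp_senders(SAMPLE_LOG).items(),
                           key=lambda kv: -(kv[1]["allowed"] + kv[1]["denied"])):
        print(f"{ip}: {info['allowed']} allowed, {info['denied']} denied, "
              f"{info['destinations']} distinct mail servers")
```

Run against a day of gateway logs, the hosts at the top of this list are the ones to pull off the network and scan before asking a blacklist operator for delisting; a host that talks to many distinct external mail servers in a short window is far more suspicious than one with a single connection. The same log makes the case for an egress rule that permits outbound TCP/25 only from the authorized mail server, so that a visiting infected laptop is stopped at the gateway rather than discovered after the IP is listed.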
Nicolas Blank is a Microsoft Infrastructure Architect and consultant, and specializes in Exchange, Active Directory, architecture, systems management, migration and scripting. Nicolas is a Microsoft MVP for Exchange and spends what spare time he has writing, blogging and talking about Exchange and associated technologies.