Cannot send emails anymore due to Barracuda networks

Status
Not open for further replies.

lavola

I am in desperate need of help... My husband inadvertently opened up an attachment (ARGHH) and downloaded who knows what. I am not sure if whatever he downloaded is creating this problem or if the email problem is due to some other bigger issue.
These are the facts: we have 4 computers on a network. We use exchange server for emails. Yesterday we noticed emails were coming back due to our IP address having a bad reputation on barracuda networks. After reading about it, it seems that we cannot send emails until the problem has been resolved. I called my tech who asked me to go to a cmd prompt and type netstat -on and see which of the pcs had any ip addresses that show :25. My husband's pc was found to be the only culprit. Then the tech asked me to download AVG and update it, isolate the pc from the network and scan. Done that. It found a slew of infections and viruses which I placed in the vault. After reading a few posts, I get the impression that the system, though it shows clean in AVG, is probably not.
What now? How do I get off this Barracuda list and get on with my emails?
Can anyone out there help? My technician is great but he's just too busy and I need to go back to work, thanks
 
I called my tech who asked me to go to a cmd prompt and type netstat -on and see which of the pcs had any ip addresses that show :25. My husband's pc was found to be the only culprit.

hum; the :25 is the port number for outbound email and it will be seen ONLY when
it is active :(

With Exchange Server(ES), this should be the only system that is sending to your ISP
(all the clients will send to ES), so run netstat -on that system.

Meanwhile, I'll do some research on getting your ES to be more secure ...
 
Hi Jobeard, Before beginning the whole process, I did look in the ES for the :25 and the server did not show any :25. Then I started the computer in safe mode, and ran AVG while in safe mode. It scanned the C hard drive and according to what I read it removed many infected files to the vault. After that I restarted normally, ran the netstat -on and behold... all the 25's were still there!!!
 
YES!!! :25 is the port number used for sending email -- it must be there to have it work.

Port 110 or 143 is used for reading email from your ISP.

The Tech was trying to get you to see the ip numbers associated with port 25, eg
xxx.yyy.zzz.123:25

the xxx.yyy.zzz.123 portion is what has been 'blacklisted' by Barracuda, due to
the viruses you had on your ES.

You need to call them back, describe the maintenance you have performed and
get them to remove your IP address from the list :)
 
Good morning! So the :25 should be there.. I'm not sure I understand ..Are the numbers I am to look for the 110 or 143 before the :25? And on what pc, the server or my husband's pc hard drive?
 
Thought I'd leave this info here. I stopped by because "Barracuda Networks" was a new one on me. Here's the description:

http://en.wikipedia.org/wiki/Barracuda_Networks

I'm going to take a guess here and say that whatever attachment was opened had script in it to induce a mass mailing, so his IP got put on the spam list. Of course, the mailings went out over his IP!

I wouldn't think it was a port issue, but rather a matter of finding a way to have the IP removed from the spammer list.

You might find this interesting also:
"Trend Micro sues Barracuda, potentially raises the cost of security for all"
http://news.cnet.com/8301-13505_3-9856170-16.html
Bet he won't do that again!
 
netstat -on
Code:
TCP    192.168.0.4:4313       68.111.16.30:53        TIME_WAIT
TCP    192.168.0.4:4317       192.168.0.3:139        ESTABLISHED
TCP    192.168.0.4:4320       74.55.96.66:80         TIME_WAIT
TCP    192.168.0.4:4322       74.55.96.66:80         ESTABLISHED
TCP    192.168.0.4:4323       64.41.151.32:80        LAST_ACK
TCP    192.168.0.4:4324       74.55.96.66:80         ESTABLISHED
your ip address or the far-end address are noted and the port number follows the ':'
In this display, I've connected to 68.111.16.30 (my ISPs dns address) on port 53 (which is the dns port)

ASSUMING that all your computers contact the Exchange Server for email, then
you need to run netstat on the ES machine.

Frankly, if your address has been blocked, it should be your public ip address,
not any address behind your router/lan.
You can determine your public ip address with this URL: http://checkip.dyndns.org/
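The check discussed in this thread, as an added example that is not part of any original post: it parses `netstat -on` output collected from each PC and flags machines other than the mail server that have connections to a remote port 25. The host names, the sample output and the mail server address are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample `netstat -on` output per host (not taken from the thread).
# 192.0.2.x / 198.51.100.x / 203.0.113.x are documentation address ranges.
SAMPLES = {
    "exchange": """\
  TCP    192.168.0.2:25         192.168.0.4:4410       ESTABLISHED     1532
  TCP    192.168.0.2:3120       203.0.113.10:25        ESTABLISHED     1532
""",
    "workstation-4": """\
  TCP    192.168.0.4:4313       192.0.2.53:53          TIME_WAIT       0
  TCP    192.168.0.4:4410       192.168.0.2:25         ESTABLISHED     2210
  TCP    192.168.0.4:4501       198.51.100.7:25        SYN_SENT        3988
  TCP    192.168.0.4:4502       198.51.100.9:25        ESTABLISHED     3988
  TCP    192.168.0.4:4503       203.0.113.77:25        ESTABLISHED     3988
""",
}

# Columns: proto, local addr:port, remote addr:port, state, optional PID (-o).
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\d+))?\s*$")

def outbound_smtp(netstat_text):
    """Return (remote_ip, state, pid) for rows whose *remote* port is 25."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m and m.group(4) == "25":  # a local :25 is a listener, not a sender
            hits.append((m.group(3), m.group(5), m.group(6)))
    return hits

def suspicious_hosts(samples, mail_server, mail_server_ip):
    """Flag non-mail-server hosts talking SMTP to anything but the mail server."""
    report = defaultdict(list)
    for host, text in samples.items():
        if host == mail_server:
            continue  # the mail server is expected to send on port 25
        for remote, state, pid in outbound_smtp(text):
            if remote != mail_server_ip:
                report[host].append((remote, state, pid))
    return dict(report)

if __name__ == "__main__":
    for host, rows in suspicious_hosts(SAMPLES, "exchange", "192.168.0.2").items():
        print(host, "->", rows)
```

The PID column from `-o` identifies the sending process, which can then be looked up in Task Manager on the flagged PC.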
 
Yes, all our emails do go through the ES - I did run netstat on the ES yesterday, and I did not find any :25, however there are a slew of others on there, the problem is I am not sure what I am looking for. I checked all computers and our ip is . Yesterday I disconnected his pc from the network so no spam could go out. Then I went to mxtoolbox to see where I was blacklisted, and wherever I could I asked to be removed from their list. We need to access his emails but I'm afraid I have not done enough to stop the spam....
 
I was stopping by to tell you to either remove or disguise the IP, but decided to check it first: according to the ArinWhois database, it's not a valid IP. Please don't leave your IP.
 
Well it doesn't make too much difference since it's showing as invalid. But there is an Edit feature for posts.

Did you understand that I was telling you the IP is not a valid IP?
 
good morning Bobbye, I found the edit button... thanks. I had searched for the ip address on each pc including the ES, all pc 's had the same number. Now I may have made a mistake transcribing it, so in a bit I'll be back at the office and check it again. I'll get back to you in a few hours...
 
Don't post the IP here. Check to make sure it's valid here: http://ws.arin.net/whois

For instance, if you type the IP from momok in the example 74.55.96.66, it shows the TechSpot server at The Planet.com Internet Services, Inc. When I typed yours in, I got 'no IP with that listing'.
 
Well, I'm stumped. I know every computer has the number mentioned. I know we exist because we get emails every day and we run a business. I just pinged and the response is the same at mxtoolbox. What now?
 