The other day, I got a call from one of my clients who said that their email was bouncing back from people they had always been able to send to. I investigated and found that the error message was to the effect of <hostname.domain #5.5.0 smtp;550 Blocked;Spam/Zombie address listed at spamhaus.org sbl-xbl>.
Well, that was odd, because the client is running a bona fide Exchange server and a check of the server revealed nothing wrong that I could see. Thinking that maybe an employee was infected with a mass-mailer trojan, I blocked all traffic on smtp port 25 from all addresses on the network except the Exchange server.
Running the netstat -an command on my client’s PC revealed 88 connections, all trying to send mail out on port 25, which the firewall was now blocking.
Certainly, you don’t want to get infected by a mass-mailer trojan, but blocking outbound traffic on port 25 from your network is a sure-fire spam zombie killer and will prevent your IP address from getting blacklisted if someone does get infected.Of course, you’ll want to clean up that infection as quickly as possible.