"Wanna" ransomware outbreak. Please see this Sophos article sophos.com/kb/126733 for advice on how to protect your organization. Immediate action recommended.
Original Author: Robert Mitchell - Posted October 29th 2015
We first communicated this change in December of 2014 via email, then sent out reminder emails on June 8 and September 11 of this year, as well as posting it as a news item in our ticketing system. We can get you sorted out now, though.
As for the new settings, customer firewalls and Exchange access control (Receive connector) should reflect the following:
Subnets for SMTP
• 184.108.40.206/22 (255.255.252.0)
• 220.127.116.11/27 (255.255.255.224)
Subnets for LDAP
And, if needed, an updated SPF (TXT) record
• v=spf1 mx include:reflexion.net ~all
Exchange 2013
1. Mail Flow, Rules, Create a new rule
2. Apply this rule if, sender location is Outside the Organization
3. Do the following - recommend reject or delete the message
4. Click More options
5. Add Exceptions for the Reflexion IP addresses
• 18.104.22.168/22 (255.255.252.0)
• 22.214.171.124/27 (255.255.255.224)
Exchange 2007/2010
1. Open the Exchange Management Console
2. Navigate to Server Configuration > Hub Transport > Default Receive Connector > Properties > Network tab
3. Under "Receive mail from remote servers that have these addresses:" find the entry that says 0.0.0.0-255.255.255.0 and delete it
4. Under "Receive mail from remote servers that have these addresses:" click Add
5. Input the first Reflexion IP range; repeat this step for each Reflexion IP
• 126.96.36.199/22 (255.255.252.0)
• 188.8.131.52/27 (255.255.255.224)
6. Click on the Permission Group tab and ensure that "anonymous users" is checked
7. Stop and restart the MSExchangeTransport service on the HUB transport server(s)
Exchange 2003
1. Open the Exchange System Manager
2. Expand Servers > Server Name > Protocols > SMTP > right-click "Default SMTP Virtual Server" (or the active receive connector name) and select Properties
3. Navigate to the Access tab and then select the Connection button
4. Remove any entries from previous providers or entries that have the IP range 0.0.0.0 - 255.255.255.0
5. Click Add to enter a new IP restriction
6. Select the group of computers option, insert the first IP range for Reflexion, click OK; repeat this step for each of the Reflexion IPs
• 184.108.40.206/22 (255.255.252.0)
• 220.127.116.11/27 (255.255.255.224)
7. Restart the Simple Mail Transfer Protocol (SMTP) service to apply the changes
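To confirm the restriction took effect, the script below (an added example, not part of the original post) scans SMTP receive protocol log lines and reports every session opened from an address outside the allowed subnets. It assumes protocol logging is enabled and the Exchange 2007+ field order; the ranges, server name and log lines are constructed placeholders.

```python
import csv
import ipaddress

# Constructed placeholder ranges (documentation address space). Replace them
# with the Reflexion SMTP subnets listed in this article.
ALLOWED = ["198.51.100.0/22", "203.0.113.0/27"]

# Field order of the Exchange 2007+ SMTP receive protocol log (assumed here).
FIELDS = ["date-time", "connector-id", "session-id", "sequence-number",
          "local-endpoint", "remote-endpoint", "event", "data", "context"]

# Constructed sample log lines, not taken from a real server.
SAMPLE = [
    "#Fields: " + ",".join(FIELDS),
    "2015-10-29T14:02:11.120Z,MAIL01\\Default MAIL01,08D2E0A1B2C3D4E5,0,10.0.0.5:25,198.51.101.17:41822,+,,",
    "2015-10-29T14:02:11.130Z,MAIL01\\Default MAIL01,08D2E0A1B2C3D4E5,1,10.0.0.5:25,198.51.101.17:41822,>,220 mail01 ready,",
    "2015-10-29T14:05:40.500Z,MAIL01\\Default MAIL01,08D2E0A1B2C3D4E6,0,10.0.0.5:25,192.0.2.44:50311,+,,",
    "2015-10-29T14:06:02.000Z,MAIL01\\Default MAIL01,08D2E0A1B2C3D4E7,0,10.0.0.5:25,203.0.113.40:50400,+,,",
]

def endpoint_ip(endpoint):
    """Drop the port from '1.2.3.4:2525' or '[2001:db8::1]:2525'."""
    return ipaddress.ip_address(endpoint.rsplit(":", 1)[0].strip("[]"))

def sessions_outside_allowlist(lines, allowed=ALLOWED):
    """Return (time, connector, ip) for each session opened from a non-allowed IP."""
    nets = [ipaddress.ip_network(cidr, strict=False) for cidr in allowed]
    data = (l for l in lines if l.strip() and not l.startswith("#"))
    seen, hits = set(), []
    for row in csv.DictReader(data, fieldnames=FIELDS):
        sid, remote = row["session-id"], row["remote-endpoint"]
        if not remote or sid in seen:
            continue  # malformed line, or session already evaluated
        seen.add(sid)
        ip = endpoint_ip(remote)
        if not any(ip in net for net in nets):
            hits.append((row["date-time"], row["connector-id"], str(ip)))
    return hits

if __name__ == "__main__":
    for when, connector, ip in sessions_outside_allowlist(SAMPLE):
        print(f"{when} {connector} accepted a connection from {ip}")
```

Any hit after the change means some connector or firewall rule still accepts SMTP directly from outside the filtering service.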