Earthlink is blocking our email -- "mx-roseate.atl.sa.earthlink.net #550 550 Dynamic/zombied/spam IPs blocked."

This could be yet another spam message sent out trying to fool you into thinking you are blocked.

Sure fire way to check is to visit http://www.mxtoolbox.com/blacklists.aspx and see if you are listed.  If you are, then come back and advise - I will let you know the next steps to take.  If not, then I would treat it as spam.

Also check http://www.mxtoolbox.com/diagnostic.aspx to see if your mail server is okay - to see if you are an open relay etc.

You can check you IP on www.dnsstuff.com (may need a subscription) to see if you are a static IP - if you are, then ignore the message as spam.

If in the email headers, the from address and the to address are similar / the same, then again, this is going to be spam.

The message is unlikely to be spam. The NDR was generated by the author's Exchange Server, indicating it attempted to contact the Earthlink servers, the connection failed or was dropped, and so the author's server NDRed the message.

If it were backscatter, the NDR would more than likely have come from another server - not the senders'.

-Matt

Full unadulterated headers would be useful.

<<mx-roseate.atl.sa.earthlink.net #550 550 Dynamic/zombied/spam IPs blocked. Write blockedbyearthlink@abuse.earthlink.net ##>>

Lots of large ISPs, including apparently Earthlink, will use RBLs that block large numbers of "dynamic" IP addresses.  You have to understand that ISP's use the same huge blocks of leased IP addresses to assign both dynamic and static IPs to their customers.  The RBL organizations don't know, and don't have any obligation to check, whether any particular IP address leased by a large ISP is in fact assigned as static or dynamic. One of the most well-known of these RBLs is the SORBS-DUHL list.  It's very possible that this is where your IP is listed as dynamic. The end result, which I've seen many times in the past, is that a business that leases a "static" IP address from their ISP gets blocked as "dynamic."

You can do two things. One, if you can find out whether you are listed on the SORBS-DUHL list (or any other mass dynamic IP blocking list), you can probably contact them and have your IPs removed from their list.  Two, you can send an email to the address listed in the NDR message at Earthlink and see if you can get them to unlist you somehow on their own system.  This second option would be a last-ditch, as I'm not sure what they could do if they are in fact using SORBS-DUHL or a similar RBL.

tigermatt, thanks for the info.

(alanhardisty, I already did all of the things you suggested and listed their results in the original post... except for verifying our IP address is static using dnsstuff.com -- which I don't think is possible. But I am 100% sure it's static because I have hard-coded it into our Watchguard Firebox firewall's WAN interface).

The headers I included at the bottom are the full headers of an example email I sent from OURDOMAIN.com.  I don't want to give out our actual domain name / IP address / email addresses, but if you want this info I can email it to you directly.

I triple-checked and we are definitely using a static IP address. We have a block of 5 assigned to us.  A few weeks ago we were having issues with our reverse DNS entry for our mail server. Our ISP, Verizon, mistyped our rDNS entry as "MAIL.OURDOMAIN.COM" instead of "MAIL1.OURDOMAIN.COM" (with a "1" after "MAIL"). But we've gotten that fixed and squared away a couple weeks ago. You can see from the SMTP Diagnostic (MXToolbox.com) that our Reverse DNS entry is OK:

Rev DNS Check:       OK - 173.50.xxx.xxx resolves to mail1.OURDOMAIN.com


I contacted Earthlink directly (by replying to their email with "BLOCKED <ip address>" in the subject line, as instructed). They responded back and gave me a case number. They said to include the case # in the subject line if I wish to include any more info. I replied back, left the case # in the subject line, and gave them some more info. I immediately got ANOTHER NDR from Exchange on this 2nd email (but not the first one):

...
Diagnostic information for administrators:

Generating server: mail1.OURDOMAIN.com

openrelay@abuse.earthlink.net
corleone.admin.atl.earthlink.net #550 Unknown local part openrelay in <openrelay@abuse.earthlink.net> ##

...

Which is weird. This was from their initial automated response:

"If your mail server/gateway IP is not on these lists, is not dynamic, and is not an open relay/proxy/zombie, please reply back to blockedbyearthlink@abuse.earthlink.net with  'BLOCKED <insert IP>' in  the subject line with the mail server/gateway IP inserted.

Blockedbyearthlink@abuse.earthlink.net does not block any mail sent to it; so, if possible, please email us from the server in question.  All reports sent to this address, not using this format will receive this auto response.  This process will allow us minimize the amount of time to resolve any blocking issues.  Please note, any emails you send to us without the formatted subject lines are not kept.  If you included important information in that first unblock request, please make sure that information is included in your subject-formatted response."


So I sent the email to Blockedbyearthlink@abuse.earthlink.net, and they replied via abuse@abuse.earthlink.net (with the case # and a brief "thank you for contacting us"), and then when I replied to that email I got the NDR above from openrelay@abuse.earthlink.net. So they must be blocking email sent to abuse@... which seems strange!

Have you tried using telnet to test the connection manually to port 25.  You may see more specific results:

Telnet 209.86.93.121 25

http://exchange.mvps.org/smtp_frames.htm

Thank you for that information, hypercat. Good to know.

I checked SORBS at http://www.us.sorbs.net/lookup.shtml (our server is located in Oregon, U.S.A, by the way) and got this result:

[173.50.xxx.xxx] Not found in the database
[173.50.xxx.xxx] was not found in the SORBS database.

(By the way, it looks like SORBS might be closing down soon: "It comes with great sadness that I have to announce the imminent closure of SORBS. The University of Queensland have decided not to honor their agreement with myself and SORBS and terminate the hosting contract. ..." (from their home page)).

I telnet'ed to that Earthlink mail server IP address and got the same error message:

220 mx-collie.atl.sa.earthlink.net EL_4_2_10_GMA_32  ESMTP EarthLink SMTP Server
 Thu, 25 Jun 2009 15:08:21 -0400 (EDT)
HELO OURDOMAIN.com
250 mx-collie.atl.sa.earthlink.net Hello OURDOMAIN.com [173.50.153.2], pl
ease to meet you
MAIL FROM: SENDER@OURDOMAIN.com
550 550 Dynamic/zombied/spam IPs blocked. Write blockedbyearthlink@abuse.earthli
nk.net


Connection to host lost.

Wow - what is the cloud coming to? ORDB, now SORBS, pretty soon we're going to have to pay for using RBL lists - I really think that's the next step.  I think the only reason Spamcop is still around is that they were bought out by Ironport.  Anyway, thanks for that info. Since it looks like your IP wasn't in their database, maybe something else is going on here.  So, Earthlink replies to your email with an abuse email address that's blocked - that's pretty sneaky :-P

If you don't have any luck getting Earthlink to respond, Matt's suggestion about using a smart host might be your best bet.  I was going to suggest that, too, but he got in there before me...

I will contact Verizon right now about setting up a smart host.

Your domain is setup with 2  MX records and one of those (your secondary) is not setup with a Reverse DNS pointer:

ERROR: The IP of one or more of your mail server(s) have no reverse DNS (PTR) entries/* (if you see "Timeout" below, it may mean that your DNS servers did not respond fast enough)*/. RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. You can double-check using the 'Reverse DNS Lookup' tool on our site if you recently changed your reverse DNS entry (it contacts your servers in real time; the reverse DNS lookups in the DNS report use our local caching DNS server). The problem MX records are:
xxx.xxx.xxx.xxx.in-addr.arpa [No reverse DNS entry (rcode: 3 ancount: 0) (check it)].

Could you be sending out via your secondary MX and getting blocked as no RDNS is setup?

Not a massive problem, but you also don't have an SPF record setup.  It may be worth constructing one and adding it to your DNS settings.

Cannot locate any static / non static info about your IP but will keep digging.

Thanks for your email.

Looking at your telnet check, it is only when you advertise your domain name that they block you, so they are not blocking you by your IP Address immediately, but when they check your domain and then find something they don't like.

You are currently listed on www.backscatterer.org.  This is almost certainly going to be your problem.

This IP IS CURRENTLY LISTED in our Database.
Please note that this listing does not mean you are a spammer, it means your mailsystem is either poorly configured or it is using abusive techniques.
If you don't know what BACKSCATTER or Sender Callouts are, click the links above to get clue how to stop that kind of abuse.


To track down what happened investigate your smtplogs at 2009/06/24 12:04 German time:

You will either find that your system tried to send bounces to claimed but in reality faked senders, or your system tried sender verify callouts against our members at that time.


PLEASE NOTE: Timezone of all informations displayed is Germany

A total of 31 Impacts were seen during this listing. Last was 2009/06/24 12:04
Earliest date this IP can expire is 2009/07/22.

History: 2009/05/01 22:37 listed

Preventing backscatter:

http://spamlinks.net/prevent-secure-backscatter.htm#reject

Could you forward your IP information to me? My address is listed in my profile - http:M_3651209.html.

I strongly believe, however, the Smart Host approach is the way to go. The information you need from Verizon is the address of their outbound SMTP server and any authentication details required. You then configure your Send Connector to send email out using the SMTP server provided, and enable outbound basic authentication.

-Matt

Their SMTP server address is outgoing.verizon.net (just looked that up online).

I'm currently on hold with Verizon on the phone... their tech support didn't know what a Smart Host is, so he transferred me to Billing/Sales (not sure why).... who [obviously] did not know what a Smart Host is, so she is trying to find someone who does know so they can provide me with the authentication details. I'm guessing it would be our username and password.... which we probably never set up because we never planned on using their POP/SMTP servers.

Smart host is their email server address e.g. smtp.verizon.com.

You still need to resolve your backscatter problem, which is probably why you are asking the question in the first place.

Ading a smart host will not clear up your problem, but it may help you get your mail out.  You will still have the initial problem sticking around until you prevent backscatter.

Earthlink's abuse email specifically stated that the only two RBL's they use are CPL and Spamhaus. They didn't mention Backscatter / backscatterer.org. So I doubt Earthlink is checking that DNSBL.  

(Also, any list that charges 50 Euros to be removed from immediately is a little suspicious in my opinion).

And this doesn't really make sense to me:

"To track down what happened investigate your smtplogs at 2009/06/24 12:04 German time:

You will either find that your system tried to send bounces to claimed but in reality faked senders, or your system tried sender verify callouts against our members at that time."

That's poorly worded... and what are "sender verify callouts" ... and who are "their members" ??

Still on hold with Verizon.... 20 mins later. They are playing the worst elevator / smooth jazz hold music, in case you were curious.

Hey,

If you forward me your IP/domain info I can provide a second pair of eyes on your backscatter problem. Out of the box, Exchange 2007 will drop SMTP sessions if the sender is not listed in the directory. This stops instances of backscatter, however this default configuration must have been changed.

You should not have to pay to be removed from an RBL.

Sending out via an SMTP Server provided by the ISP is my preferred approach, because it helps prevent smaller problems occurring in the future which may have a detrimental effect on your outbound email flow. It's a one-time change, but one that could save you from many email outages in the future.

-Matt

Your server is basically configured to reply to all inbound message that arrive with an incorrectly addressed To recipient with a non-delivery report.

You are thus essentially sending out spam your self as spammers spoof email address to pretent that the message comes from someone other than themselves and you are sending NDR reports out to innocent people, and some invalid addresses.

You need to stop this asap.

Whatever the backscatter problem being discussed is, your Exchange Server itself isn't subject to such an issue.

Initiating a direct telnet session to your server and attempting to send an email to an external recipient (I used RCPT TO:example@example.com) fails with the usual 550 5.7.1 Unable to relay. This indicates the SMTP session would have been dropped with no further communication; no mail would have been accepted and no NDRs produced by your server, so no backscatter.

You also have a good tarpit time on non-local recipients, which is good to prevent spammers running a dictionary attack to find valid addresses at your domain.

I am convinced your problem is Earthlink, and an SMTP Smart Host is the easiest solution.

-Matt

alanhardisty,

Please clarify what you are basing this information on. A direct telnet test to the server is conclusive and means the server itself is not producing NDR messages for email sent to recipients not in its own Active Directory.

-Matt

Yeah I'd like to know why or how you came to this conclusion, that our Exchange Server is sending back NDR's to anyone who sends an email address with an "incorrectly addressed" To: field. (What does "incorrectly addressed" mean? That the email address is badly formed? User doesn't exist? Can't resolve the domain? Invalid characters?).

We have 3 receive connectors configured in Hub Transport: Client MAIL1, Default MAIL1, and www. The Permission Groups for "Client MAIL1" include only "Exchange users." The Perm Groups for "www" only include "Exchange Servers."

And the Perm Groups for "Default MAIL1" include Anonymous Users, Exchange Users, Exchange Servers, and Legacy Exchange Servers. But the "Authentication" tab is set to TLS, Basic Auth, Exchange Server, and Integrated Windows authentication.

So basically, unless you're an Exchange user, or you authenticate somehow, you're not going to be able to relay through this server. And I don't see anywhere that it's configured to send an NDR to anyone but an internal Exchange user. If it is... where would this option be?

Matt - how do you end up getting listed on a site like backscatterer.org then if you server is innocent?

I can't say how you become listed on a blacklist; they have all sorts of routes of compiling information and many blacklisting sites often blacklist servers which haven't been properly checked or aren't actually a major problem.

What I do know is the server is not sending backscatter. A direct telnet session on port 25 to the server confirms this.

For info, the location to drop all sessions for users not listed in the directory is EMC > Organization Configuration > Hub Transport > Anti-Spam > Recipient Filtering (Properties) > Blocked Recipients > Block messages sent to recipients not in the Global Address List.

By default, that option is checked.

-Matt

All,

Have a read of this link and see if this makes sense.

http://www.allspammedup.com/2009/04/protecting-yourself-and-others-from-backscatter-spam-with-exchange-server-2007/

Fnillc - can you please check this setting and see if it is turned on and report back

This page seems to have some good info on preventing Backscatter with Exchange Server 2007:

http://social.technet.microsoft.com/Forums/en-US/exchangesvrantivirusandantispam/thread/b8b54d8f-51be-4b05-8f69-3af17967ee96

Specifically this comment:

"Hi,

If your server is attacked and act as a NDR sender role, you need to turn on Recipient Validation on the server.

In Exchange Server 2003, Recipient Filtering has an option to "Filter recipients who are not in the directory". In Exchange Server 2007, this is called Recipient Validation.

Exchange Management Console does not have the option to turn on Recipient Validation. Use the following command to turn it on:

Set-RecipientFilterConfig -RecipientValidationEnabledEmbarrassedtrue

To check your Recipient Filtering configuration:

Get-RecipientFilterConfig
 
Hope this helps. Thanks,
 
Elvis"

(From MSFT, Moderator of TechNet).


There was a typo in the command (or I think part of it was interpreted as an emoticon)... and the actual command is:

Set-RecipientFilterConfig -RecipientValidationEnabled $true

I ran this and received this result:

WARNING: The command completed successfully but no settings of
'RecipientFilterConfig' have been modified.

I ran "Get-RecipientFilterConfig" to check the setting (before and after running the "Set" command), and RecipientValidationEnabled was set to TRUE both times. So this has been enabled for a while now (not sure how long, as there are other people who work on the Exchange Server here). And we're definitely not paying Backscatterer.org 50 Euros to be delisted!

The link essentially describes backscatter spam - but that is definitely not what is happening here.

-Matt

Did you check to see if you were allowing NDR's as per my last post?

Yes, "Allow non-delivery reports" is checked. But I'm not going to uncheck this, because NDR's are important (just like the article says:

"The simplest and most obvious way to prevent an Exchange server sending backscatter spam is to uncheck the box for allowing NDRs to be sent to external domains.  Unfortunately this is not the best way to go about doing it.  NDRs are a valid part of the SMTP protocol and serve a genuinely useful purpose.  Imagine if a business partner incorrectly addressed a critical email and received no NDR.  A business could lose money if the mistake is not noticed straight away, which it would be if an NDR was sent back to the sender.  NDRs are necessary and should not be disabled."


This option is also checked, Matt: "EMC > Organization Configuration > Hub Transport > Anti-Spam > Recipient Filtering (Properties) > Blocked Recipients > Block messages sent to recipients not in the Global Address List."


I'm going to look into use Connection Filtering to look up sending IP addresses in the SpamHaus DB, as the article that alanhardisty posted suggests:

"The safest way to prevent backscatter from originating from your server is to block the inbound spam to begin with.  ... With Exchange Server 2007 you can make use of Connection Filtering to look up sending IP addresses in the SpamHaus database and terminate the SMTP connection."

The fact the option in Anti-Spam is set means you are not allowing backscatter. I cannot explain why you are on that blacklist.

You must not disable NDRs; that could end up getting you into more trouble than it is worth, since NDRs are required under the SMTP RFCs.

Having Recipient Filtering for non-GAL addresses enabled is enough to stop backscatter. Using an RBL is another idea to prevent connections from banned IPs, but is not strictly required as the Anti-Spam option takes care of all backscatter-worthy mail before backscatter NDRs are generated.

-Matt

Okay - so there is a distinct possibility that you are sending out backscatter and thus are listed on backscatterer.org.  If you follow the advise in my link as you suggest you are going to then you will hopefully get yourself removed from their listing and stay off.  Whether or not this is the problem that brought you to EE in the first place remains to be seen, especially if you say that Earthlink don't use Backscatterer, but then I know of ISP who tell you the problem with your internet connection is down to you when it turns out that it is not, so I would treat tat with a pinch of scepticism !

The suggestion is that it will be about 1 month before you drop off the list, so the sooner you start the better:

A total of 32 Impacts were seen during this listing. Last was 2009/06/25 20:43
Earliest date this IP can expire is 2009/07/23.

The last receipt was an hour ago (two possibly as they are 1 hour ahead) - so this is a current problem.

I will say it one last time. The Author is not sending out backscatter. The second part of their last post ("This option is also checked") confirms this. I have also confirmed this with a direct telnet session.

I am asking the Exchange Zone Advisor to review this question.

-Matt

Matt - I can't argue with you on this due to my inferior knowledge of 2007 and as you have a few more points under your belt then I do, but the appearance on the backscatterer site is a little strange if you rule out the server as a source of NDR's to spammers - I hope you will agree?

I'm actually not so sure our Exchange Server isn't sending out Backscatter spam. After reading up on it more, it seems like a problem that affects all Exchange Servers that Allow NDR's (which is the default setting).

I know that "Block messages sent to recipients not in the Global Address List" is checked... but I don't see how this option would prevent NDR's from being sent back to a spammer who 1) spoofed their email address to that of their spam recipient/victim, and 2) sent an email to an email address that doesn't exist (ex: djkfner89jgrgh9e98rjj@OURDOMAIN.com).

What is stopping Exchange Server from saying "This recipient address does not exist... I better send an NDR back to the sender" (who spoofed their email address to be GrandmaJenkins1908@hotmail.com)?

I think filtering out sender IP addresses based on looking them up in SpamHaus is a good idea. That way the SMTP session gets terminated before Exchange has a chance to check the recipient's email address, find out it's invalid and send back the NDR.

I certainly agree with you the appearance on that site is strange.
However the site is also strange; paying to get yourself removed from some form of blacklist is awfully fishy to me.

-Matt

Where is Simon when you need him?

FYI - The ¬50 is charged once you have cleared up the problem to remove yourself from their listings quickly, rather than to sit and wait for 4 weeks to drop off naturally.

Lost the Euro Symbol in my last posting!

We use Ninja Email Security (by Sunbelt), and I just remembered that a couple months ago my boss was complaining about a sudden increase in the amount of spam he was receiving.

So I went into Ninja Email Security and started tweaking the settings, trying to reduce the amount of spam received.  One of the steps I took was to enable RBL checks under Connection Filtering.... for both Spamhaus and Spamcop.

So we've already been filtering out connections based on Spamhaus/Spamcop for a couple months now. (And Backscatterer.org states that it will auto delist after 4 weeks of "not abusing the net").

However... not every single spammer's IP address is listed on Spamhaus/Spamcop. And I bet they change and spoof their IP addresses all the time... not to mention infecting brand new computers [with unlisted IP addresses] with mass mailer viruses. So there's a chance that our server has recently been attacked by NDR/Backscatter spammers, and that's why we are listed.

HOWEVER... I'm still not convinced that that's why Earthlink is blocking email from us. They specifically list the two RBL's they check... Spamhaus and CPL:

"If you are the administrator of the email server being blocked, please know you may be able to expedite unblocking by checking to see if your mail server is listed in the following lists and resolving before emailing us:

The CBL
http://cbl.abuseat.org/lookup.cgi
This is a list of IPs that may be currently infected and sending spam unknowingly.

Spamhaus
http://www.spamhaus.org/sbl/index.lasso
From their website you will be able to query your IP to see if it listed in any of their 3 lists that track dynamic IPs, zombied IPs, and IPs that are known to purposely send spam.  EarthLink blocks IPs known to be dynamic, zombied, and purposely sending spam.
"

And we aren't on either list. So I bet Earthlink has our IP address listed as being in a dynamic block, erroneously.  So I think I'm back to trying to get Verizon tech support to give me my SMTP authentication credentials so I can use their outgoing server as a smart host.

There are two issues and most probably not related that are being discussed.

1. The backscatter problem and

2. Your original problem.

They are not necessarily related, but as I found out about the backscatter problem, thought it workwhile mentioning as it may be connected.

Your original problem may be an incorrectly listed IP address being part of a dynamic list, not a static one, so a call to Verizon to hopefully confirm this as you say is worthwhile.

www.dnsstuff.com used to show the nature of an IP address but no longer does, so my subscription cannot help there I am afraid.  Hopefully Verizon can.

Using an RBL is not a complete solution; recipient filtering for non-GAL recipients will prevent backscatter in its normal sense. The RBL simply reduces network traffic and improves Exchange performance by dropping inbound SMTP sessions based on originating IP address, before any mail from or recipeint to headers are ever exchanged. If the IP is not on the RBL, recipient filtering will sort things out.

You are not listed on either of the RBLs so I do not know exactly why Earthlink are filtering you.

Sending out via the SMTP smart host from Verizon is the easiest solution to this problem, if you don't want to get on to Earthlink to resolve the problem directly.

-Matt

Just a quick question before I leave this whole issue alone - bowing to the combined knowledge of two EE Experts :-(

Do NDR's get logged in any logs that can be checked?

That's it - no more on this subject from me!

As Kieran said, I've run a few more tests and you might need to make a small configuration change. Open up Exchange Management Console and expand Organization Configuration > Hub Transport. Click the Anti-Spam tab. Is 'Recipient Filtering' enabled? If not, right-click on it and enable it.

I truly believe your only easy way out at the moment is to use the smart host. Kieran confirmed my suspiscions that that blacklist is indeed a scam; the fact they ask for cash gives it away.

-Matt

Alan,

NDRs may be logged in Message Tracking, *if* it is enabled on the server.

Do you allow Out Of Office Messages out of your organisation?

Why would that matter?  What path are you walking down here Alan?

So I configured the smart host (outgoing.verizon.net) with Basic Authentication, and entered our Verizon username and password, that I received from Verizon tech support. I successfully sent a test email from me@OURDOMAIN.com to my Gmail account, and received it.

I then sent a test email to abuse@abuse.earthlink.net and within a few seconds I received an NDR back from Verizon's SMTP server:

"The following organization rejected your message: madm-corleone.atl.sa.earthlink.net (TCP|206.46.173.17|33735|207.69.200.218|25) (corleone.admin.atl.earthlink.net ESMTP Exim 3.36 #4 Thu, 25 Jun 2009 17:48:04 -0400)."
...
"Generating server: vms173017.mailsrvcs.net (tcp-daemon)

openrelay@abuse.earthlink.net
madm-corleone.atl.sa.earthlink.net (TCP|206.46.173.17|33735|207.69.200.218|25) (corleone.admin.atl.earthlink.net ESMTP Exim 3.36 #4 Thu, 25 Jun 2009 17:48:04 -0400) #<madm-corleone.atl.sa.earthlink.net (TCP|206.46.173.17|33735|207.69.200.218|25) (corleone.admin.atl.earthlink.net ESMTP Exim 3.36 #4 Thu, 25 Jun 2009 17:48:04 -0400) #5.0.0 smtp;550 Unknown local part openrelay in <openrelay@abuse.earthlink.net>> #SMTP#
"
-----------------------------------------------------------------------

However, I then sent an email to the original, intended recipient: EMAILADDRESS@teleport.com (Teleport was bought out by Earthlink, by the way)... and within a minute or so I received an auto-reply / spam control message from them:

"I apologize for this automatic reply to your email.

To control spam, I now allow incoming messages only from senders I have approved beforehand.

Click on this link...."


So it looks like using the Smart Host option fixed the problem with sending to this user.... but not to abuse@abuse.earthlink.net (though the error message on that NDR is different, and mentions "Unknown local part openrelay" --- what does that mean??). But I don't really care if we can't email abuse@abuse.earthlink.net... hopefully we will never have to deal with them again.

Also, Matt, Recipient Filtering was not enabled... so I enabled it.

One question... are there any downsides to using an SMTP Smart Host? Will any mail servers out there complain that a Verizon SMTP server is trying to relay mail for OURDOMAIN.com? Or is it just like using an authenticated relay server?

Dog with a very small bone!

Yes we allow Out of Office messages out of our organization. Is there a new Out of Office Spam Attack I need to worry about now as well?? ;-)

(Wow, this Question got really long in just 4 hours!).

I took Matt's suggestion and configured Exchange Server's Send Connector to send out using Verizon's SMTP server as a smart host (outgoing.verizon.net).  Had to get our username and password from tech support, and set up Basic Authentication. Now all of our emails look like they are coming from Verizon's mail servers, which [hopefully] shouldn't have any problems with being erroneously listed as dynamic/zombied IP addresses, or on an RBL.

Good call on the smarthost Matt, shame we probably won't ever know what the problem was with earthlink :S

http://profs.logti.etsmtl.ca/cfuhrman/backscatter/Analysis_of_massive_backscatter_of_email_spam.pdf

1st Paragraph of the abstract.  Sorry

There is no Out of Office attack I am aware of at present; I'm not sure what route Alan was going up there.

The error on the NDR message to the Earthlink abuse address is not an Exchange message; it is an Earthlink message so is clearly a problem at their end.

Good to hear you resolved the issue with the Smart Host and you can now send the email out.

Thanks

Matt

Thanks Alan for checking backscatterer.org and notifying me about the listing.  Even though that particular site/list looks a little fishy... backscatter is definitely something I don't want our server to be a potential victim of.

This TechNet site seems to confirm what Matt stated... that Recipient Filtering (and some other settings) should prevent it from happening.

Thank you all for your help and your time in resolving this issue! Now my boss can send his friend an email about going fishing! (Which is what started this whole thing in the first place).

I just think it worth mentoning that backscatter is not just NDR messages but also Out Of Office messages being returned to spoofed sender email addressed messages that make their way through the spam filters.

Am I off my head on this one - or is this a potential reason why the listing is on backscatterer.org?

I see what you are saying Alan, OOF can sometimes count

OOF messages are the devil anyway, but mainly because any automated email sucks - and most of them have socially engineerable information, like "I am out of the country with my family for 2 weeks"

That said, it is totally moot, the problem was never going to be about backscatter - yes, you were right that it is *A* problem here, but it is positively not *THE* problem

I don't agree that the backscatterer.org site is at all fishy.  It is as valid as spamcop, sorbs and all the others in my opinion and I think that dismissing it as a dodgy site just because they ask for money for delisting quickly, is shortsighted and incorrect.

Well kieran I still have a "case" open with Earthlink's Abuse department. So I can email them from a different email address and bug them about delisting our IP address... and ask them why we were listed/rejected in the first place.

If they can give me a good explanation then I will try to remember to post it here, in case anyone else wanders across this Question in the future and can't use the Smart Host solution (workaround, really) for whatever reason.

I know it is not 'the' problem - but as I discovered it whilst trying to address the original problem and as I see it as a problem - it is worth mentioning, investigating and resolving.

Alan, I am not dismissing it soley because they ask for money - the fact that they specifically say "Do not use this list to block mail" is the reason why it can be ignored.  The debate on delisting for money can be done another time, personally I'd call it extortion.

I agree with you totally, but don't want to cloud the issue with the validity of the website.

If there is a backscatter problem, caused by Out Of Office messages and fnillc is a vistim of this problem, then it needs to be understood and possible measures taken to prevent it from happening, assuming that fnillc wishes to do so.

My name's Tony by the way. ;-)

Haven't I now taken steps to prevent both NDR and Out of Office backscatter spam from being sent by Exchange? Shouldn't the combination of Recipient Filtering and Spamhaus/Spamcop RBL checks take care of those problems?

Recipient Filtering now being enabled will stop you from the majority of it - but, if you are still allowing OOF messages to the internet, you are still (slightly) vulnerable

That is usually a vulnerability people accept though

Hi Tony,

Glad your issue is resolved - sorry if I have caused a massive debate about something that is not really a problem.  Sorry to keep on about it - I don't like loose ends and it also helps me to understand more too.

Kieran -  appreciate that Out Of Office messages are an acceptable risk and if they are deemed backscatter, then so be it.

If only we could round up all the spammers, tow them out to sea and leave them there, computerless!

Time to go tackle some more questions now - and hopefully cause less controversy.  Apologies to all if I caused any upset.

Oh no worries at all Alan!!

Any and all help, theories, advice, etc. is appreciated... even if we have to have a lengthy discussion to determine what exactly is the problem/solution/workaround.... and what we can semi-safely ignore.

(By the way.... completely unrelated... did you guys hear there are reports from the L.A. Times that Michael Jackson died today of a heart attack??).

Yes - just seen the news in the UK about unconfirmed reports and it seems that he has died from a heart attack - found at home not breathing earlier today (midday).

There is nothing wrong with being thorough Alan, I understand why you kept on about it - I just wanted to ensure that your persistance about what is effectively a secondary issue didn't derail the main problem.

Kieran

Completely agree.  I hope that was not the case and will bear this in mind in future questions.  Appreciate the feedback.

I got this response from EarthLink Abuse Department last Friday, June 26, 2009 (I just haven't gotten around to posting it here yet):
"
Hello,

This IP has been unblocked. Please allow 2-24 hours for traffic to our network to return to normal.

Thanks,

Earthlink Network Abuse
"

I asked them why our IP address had been blocked in the first place, so we could avoid this problem in the future (or if we were on an RBL, that would be good to know!). But they haven't gotten back to me, and I doubt they will. And I don't want to take the time to call them.

So, basically... who knows why we were listed in the first place! Probably a mistake on their end.

~Tony