Question

Spam Blocking Sites

Asked by: vinodmore


How to avoid getting listed in spam blocking sites like Barracuda, Spamhaus etc.?

Our Router IP address got listed in Spamhaus in XBL list, so we were not able to send mails, mails got stuck in outbox. Incoming mails were fine.

Somehow I unlisted the Router IP from the site.
But I want to know why it gets listed, and how to avoid it from happening?

This Question has been solved and asker verified.

Asked On: 2009-09-10 at 03:33:25, ID: 24720825
Topics: Spam Black Holes, Anti-Spam White Lists, Miscellaneous Networking
Participating Experts: 1
Points: 500
Comments: 23

Answers

 

by: alanhardisty | Posted on 2009-09-10 at 04:11:18 | ID: 25299034

You get listed because something inside your organisation, or outside your organisation using authentication is sending out spam via your server, or directly from inside the network.

Your best bet is to lock down port 25 on your firewall to only allow traffic out from the server's IP address only.  This will stop other Spam sending bots from being able to transmit their crap.

Keep your AV software up-to-date and run regular scans of spyware software such as MalwareBytes - www.malwarebytes.org.

In terms of why you got listed - if you check the blacklisting site - they will give you a reason why you were listed in the first place.  If you have removed the listing, then you will have lost the ability to find out why.  If it happens again, dig a little deeper and find out why.  It may be a virus infection / trojan that got onto a machine.

 

by: vinodmore | Posted on 2009-09-10 at 04:19:53 | ID: 25299076

alanhardisty

We have Cyberoam C25i UTM+Firewall in between, so how can security be compromised?

Also
Our mail server is at remote location not in our office premises.
We use POP3 account to Send/Receive mails.

What best can we do in this scenario?
 

 

by: alanhardisty | Posted on 2009-09-10 at 04:25:24 | ID: 25299096

If you are using POP3 to send / receive emails, then you will have to allow TCP port 25 from all computers otherwise they won't be able to send emails.

Not familiar with the Cyberoam C25i UTM+Firewall - but assume it is a heavy duty piece of kit.

Unfortunately, if you have de-listed yourself without knowing the cause of the listing, we will not get to the bottom of the reason, so we will just be speculating.

If it happens again, make sure you know why, then you can look into stopping it happening again.

It could be someone your organisation emails reported you as sending spam because they got an email they didn't want.  But again, this is just speculation.

 

by: vinodmore | Posted on 2009-09-10 at 05:09:27 | ID: 25299358

You mean I have to create a rule in the firewall to access the mailserver, so that any host won't be able to make any connection other than to the mail server.

Cyberoam C25i is Firewall + UTM box.

I de-listed the IP as soon as I saw it, message said something like this "system must be infected by Bot". But I don't think any system is infected because we have Symantec Endpoint Protection (updated) on all systems.

Still can you suggest me any good Bot detection and removal tool?






 

by: alanhardisty | Posted on 2009-09-10 at 05:36:29 | ID: 25299516

Yes - if your clients use pop3 to your own server, then make a rule to only allow outbound tcp port 25 from the server.

You can still get infected with anti-virus software on the systems.  All that has to happen is a careless click of the mouse and that gives permission to a nasty to install on your pc and then you are infected.  Symantec or any other AV program will not stop that from happening.

Malwarebytes is a good general tool for detecting unwanted items.  www.malwarebytes.org

 

by: vinodmore | Posted on 2009-09-11 at 20:33:03 | ID: 25314950

OK, I will create a rule for mail traffic.

But do you think Symantec Endpoint Protection will not be able to fix bots?

Shall I install Malwarebytes on all systems and scan?

 

by: vinodmore | Posted on 2009-09-11 at 20:48:56 | ID: 25314999

This IP address getting listed in spam blocking sites happened previously also, when I had just a plain router, so I purchased the Cyberoam Firewall + UTM box to avoid this situation again.

I made a reverse DNS entry for the IP address also to avoid this situation, still no luck.


Man, these spam sites are irritating.

 

by: alanhardisty | Posted on 2009-09-12 at 02:17:46 | ID: 25315704

I just dealt with an infection of the Waledac spambot and it uses the system's own internal email mechanism to send spam, thus it used my customer's Exchange server.  It bugged the hell out of me for ages until I used the ISA server logs to identify traffic destined to port 25 externally, ruled out the source as the server and the destination as the server and this left one machine.

I used DHCP to locate that machine and then checked the machine for relevant registry entries and found the keys there.  Updated MalwareBytes and scanned and it found and removed the infection.

No more spam - no more blacklists.

Have you identified the machine(s) with the infection yet?
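
The log triage alanhardisty describes above, as an added example that is not part of the original thread: it ranks internal hosts that opened TCP port 25 to anything other than the approved mail server. The CSV log layout, the LAN range 192.168.1.0/24 and the mail server address 203.0.113.10 are constructed assumptions, not an ISA Server or Cyberoam export format.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample records, not a real ISA Server or Cyberoam export.
# Columns: timestamp, source IP, destination IP, destination port, action.
SAMPLE_LOG = """\
2009-09-10T02:11:04,192.168.1.23,203.0.113.10,25,allow
2009-09-10T02:11:09,192.168.1.57,198.51.100.4,25,allow
2009-09-10T02:11:09,192.168.1.57,198.51.100.77,25,allow
2009-09-10T02:11:10,192.168.1.57,192.0.2.200,25,allow
2009-09-10T02:11:12,192.168.1.31,198.51.100.4,80,allow
2009-09-10T02:12:40,192.168.1.57,198.51.100.4,25,allow
2009-09-10T02:13:02,192.168.1.40,192.0.2.15,25,deny
truncated line without enough fields
"""

LAN = ipaddress.ip_network("192.168.1.0/24")           # assumed office LAN
MAIL_SERVERS = {ipaddress.ip_address("203.0.113.10")}  # assumed remote mail server
SMTP_PORT = 25


def suspicious_smtp_sources(log_text, lan=LAN, mail_servers=MAIL_SERVERS):
    """Rank LAN hosts that opened port 25 to anything but the approved server.

    Returns a list of (source_ip, connection_count, distinct_destinations),
    widest fan-out first. Denied attempts are counted too: a blocked bot is
    still an infected machine that needs cleaning.
    """
    seen = defaultdict(lambda: [0, set()])
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # blank or malformed record
        _, src, dst, port, _ = (field.strip() for field in row)
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # unparseable address or port
        if port != SMTP_PORT or src_ip not in lan:
            continue  # not outbound SMTP from an internal host
        if dst_ip in mail_servers or dst_ip in lan:
            continue  # legitimate submission, or traffic that stays inside
        seen[src][0] += 1
        seen[src][1].add(dst)
    ranked = [(src, count, len(dests)) for src, (count, dests) in seen.items()]
    # A spam bot talks to many different mail exchangers, so sort by fan-out.
    return sorted(ranked, key=lambda r: (-r[2], -r[1], r[0]))


if __name__ == "__main__":
    for src, count, fanout in suspicious_smtp_sources(SAMPLE_LOG):
        print(f"{src}: {count} SMTP connections to {fanout} external hosts")
```

The source addresses it reports can then be matched to machines through the DHCP lease table, as described in the post above.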

 

by: vinodmore | Posted on 2009-09-12 at 06:08:41 | ID: 25316399

I don't understand how infected systems can spam when they are behind the Cyberoam C25i Firewall+UTM box appliance, which has features like Anti-Virus, Anti-Spam, IDP, Web Filtering.

Or can they breach security?

I bought the Firewall to avoid this situation till this happening. And same thing happening. Oh god.


Let me tell you few things so that you guide me more appropriately...

- Mailserver is at remote location, its Postfix (unix based) mailing server.
- We users have configured POP3 account to access mails.
- All systems are workgroup environment.

Also to be honest my experience with Malwarebytes is not that good it was not able to fix my any issues up till now.
But since you suggest I'll install & scan all systems with Malwarebytes.

 

by: alanhardisty | Posted on 2009-09-12 at 06:13:57 | ID: 25316412

I thought ISA server was going to be sufficient to stop spam being sent out - boy was I wrong!

Whatever you have in the way of the internet - there is always a way around it if the person is clever enough.

Can you email me your IP address (via my profile) so that I can do some checks for you and see if I can give you some more accurate guidance to remove your problems.  I'll understand if you don't want to.

 

by: vinodmore | Posted on 2009-09-12 at 06:36:53 | ID: 25316487

Mate, you didn't answer a few of my questions.

IP address you want? Like?

Also, a thing I should mention is that we get a lot of spam mails in our mailbox; would that be causing this?
But I don't think users open these mails, because till now they are aware what is spam and what is not. They straight away delete those mails.

 

by: alanhardisty | Posted on 2009-09-12 at 06:46:23 | ID: 25316511

Sorry (painting at home at the moment) - Once a virus is inside your system, they will find a way out.

All that has to happen is that a user clicks on a webpage with a bad program injected into it and they click OK or Cancel or No or a link (or even just visit the wrong site) and Bang!  Infected.

Even the best firewall / security cannot stop this from happening.

I don't know your firewall at all - so cannot comment on the specifics of what it can / cannot / is supposed to do, but I know that it is always a game of cat and mouse.

If you get lots of spam - ditch the postfix at the remote location and manage it yourself.  I just installed Vamsoft ORF - www.vamsoft.com (on the recommendation of Mestha - EE's leading Exchange expert and Microsoft MVP) and since installing it - 0 spam and I am on day 12.

Previously I would get 7-10 a week - since Vamsoft - nothing.  It is extremely well priced at $239 per server so whatever you are paying for postfix - if it is more than $239 - you are wasting your money.  This software is excellent.

In terms of IP - please can I have your Internet facing IP.

 

by: vinodmore | Posted on 2009-09-12 at 08:06:02 | ID: 25316739

Internet facing IP = 114.143.226.235 (Firewall IP), 114.143.226.233 (Gateway IP)

 

by: vinodmore | Posted on 2009-09-12 at 08:11:54 | ID: 25316761

BTW, which color did you choose?

 

by: alanhardisty | Posted on 2009-09-12 at 08:15:04 | ID: 25316771

Here is the response from uceprotect:

Who is responsible for this listing?
YOU ARE NOT!. Your IP 114.143.226.235 was NOT involved in a spamrun, but has a spammy neighborhood. Other customers within this range did not care about their security and got hacked and started spamming, while your provider has possibly not even noticed that there is a serious problem.

We are sorry for you, but you have chosen an provider not acting fast enough on spammers.

Therefore we recommend:
Please send a complaint to your provider and request them to fix this problem immediately.
Think about this: You pay them for, that you can use the Internet without problems.
If they are ignoring your complaint or claiming they can't do anything, you should consider to change your provider.

Can't you make an exception for me?
We never make exceptions. Requests to us are futile. Only your provider can fix this problem.
Our system respects IP's which are registered at ips.whitelisted.org, these are excluded from Level 2.

How can this netrange be removed from Level 2?
After your provider has fixed his problems, the UCEPROTECT-Level 2 listing will be removed automatically and free of charge as soon as the causal Level 1 listings will expire.
Every IP temporary listed at Level 1 expires 7 days after we have seen the last abusive action originating from it.
If your provider don't want to wait for free expiration, they can optionally do Expressdelisting, which is charged a total of 150 EUROs per Level 2 listed allocation.
It is necessary that all problems which have caused the Level 2 listing are fixed in first place, otherwise this netrange might end up in Level 2 again within a short timeframe.

Basically - you are not spamming - but IPs from your ISP close to your IP address are spamming, so you should be fine in terms of infections, but you need to talk to your ISP and complain to them and get them to deal with this.

 

by: alanhardisty | Posted on 2009-09-12 at 08:16:04 | ID: 25316773

Painting plaster coving (white) and touching up the mess made when the coving was installed with Snowdrop!

 

by: vinodmore | Posted on 2009-09-12 at 08:33:06 | ID: 25316826

But how can I prove to them (ISP) that this problem is from their end?

They will say 114.143.226.235 belongs to your firewall which is getting blocked, that means there is spamming from your end. You need to fix it.

I had this problem with my previous ISP also. So I moved to this bigger ISP, which is the current one (TATA Teleservices).

 

by: alanhardisty | Posted on 2009-09-12 at 08:38:23 | ID: 25316850

I got the above information from www.mxtoolbox.com running the blacklist check for your IP address.

Once you get the results, click on the link in the right-hand column and you get taken to the uceprotect site.

Enter your ip and you will get the same info I did.

Get Tata to do the same and get them to sort out their problems.

Don't get fobbed off - insist they resolve the issue or move to another (cleaner) isp if there is one!

 

by: vinodmore | Posted on 2009-09-12 at 09:38:33 | ID: 25317007

OK, got it, what I have to do. Fight with the ISP. I'll do it.

But do I have to worry about UCEPROTECTL2 & UCEPROTECTL3 listings?

Actually I'm more worried about getting listed in Spamhaus-ZEN. This is the site which causes a lot of problems for me. Need more info on this site. See pic

IP got listed over there last Thursday; I made a request and removed it. We were not able to send mails, mails were stuck in the outbox itself.

One more thing---
Now, as you say it's a problem with the ISP, should I relax and keep the network as it is? I mean, shall I avoid going around to install and scan all systems for malware?

 

by: alanhardisty | Posted on 2009-09-12 at 09:43:07 | ID: 25317030

If you get listed - find out why and then let us know as we can give you specific advice to eliminate the problem.  Right now - you don't have the info so we can't give the advice.

Keep checking every couple of days to make sure you don't pop up again and if you do - raise a question on EE and get some more advice.
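
A way to automate the periodic check suggested above (added example, not from the thread): it queries the Spamhaus ZEN zone for an IPv4 address and decodes the answer into SBL, XBL or PBL, treating the 127.255.255.x answers as a failed lookup rather than a listing. The return-code mapping follows Spamhaus's published codes and should be confirmed against their current documentation; 192.0.2.25 is a constructed sample address.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"
# Last octet of a 127.0.0.x answer -> the list it refers to.
ZEN_LISTS = {2: "SBL", 3: "SBL", 9: "SBL",
             4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             10: "PBL", 11: "PBL"}
ANSWER_NET = ipaddress.ip_network("127.0.0.0/24")
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # query problem, not a listing


def dnsbl_query_name(ip, zone=ZONE):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify_zen_answer(answer):
    """Map one A record returned by the zone to SBL, XBL, PBL, ERROR or UNKNOWN."""
    addr = ipaddress.IPv4Address(answer)
    if addr in ERROR_NET:
        return "ERROR"
    if addr in ANSWER_NET:
        return ZEN_LISTS.get(int(addr) & 0xFF, "UNKNOWN")
    return "UNKNOWN"  # e.g. a resolver that rewrites NXDOMAIN answers


def check_ip(ip, zone=ZONE, resolver=socket.gethostbyname_ex):
    """Return {"lists": [...], "lookup_ok": bool} for one IPv4 address.

    An empty list with lookup_ok True means "not listed". lookup_ok False
    means the result cannot be trusted (error code, odd answer, DNS outage).
    """
    try:
        _, _, answers = resolver(dnsbl_query_name(ip, zone))
    except socket.gaierror as exc:
        # Name not found means not listed; a temporary failure is not an answer.
        temporary = exc.errno == getattr(socket, "EAI_AGAIN", None)
        return {"lists": [], "lookup_ok": not temporary}
    labels = {classify_zen_answer(a) for a in answers}
    return {"lists": sorted(labels - {"ERROR", "UNKNOWN"}),
            "lookup_ok": not (labels & {"ERROR", "UNKNOWN"})}


if __name__ == "__main__":
    # Canned resolver so the demo runs offline; drop the argument to query DNS.
    def canned(name):
        return (name, [], ["127.0.0.4"])

    print(dnsbl_query_name("192.0.2.25"))
    print(check_ip("192.0.2.25", resolver=canned))
```

An XBL result points at an exploited or infected host behind the address, which matches the "infected by Bot" message the asker saw; a PBL result only says the address range is not expected to send mail directly.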

 

by: vinodmore | Posted on 2009-09-14 at 21:30:53 | ID: 25331741

OK, yesterday I created a rule on the firewall to allow hosts to communicate only with the mailserver at the remote location, and all other SMTP traffic will be dropped.

I'll scan all systems with Symantec and Malwarebytes.

Hope i should not face any problems??

 

by: alanhardisty | Posted on 2009-09-14 at 23:57:00 | ID: 25332371

MalwareBytes will mop up anything it finds and Symantec should also, so you should be fine.

 

by: vinodmore | Posted on 2009-09-17 at 02:15:11 | ID: 31626991

OK, I'll follow the instructions by the expert.
