• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 919
  • Last Modified:

Strange message in Exchange SMTP server logs.....

I have seeing a strange entry in my Exchange SMTP Virtual server logs.

Every 15 minutes or so, I see this entry:

2003-11-18 23:41:13 204.97.230.37 OutboundConnectionResponse SMTPSVC1 (MYSERVERNAME) - 25 - - 558+Your+network+address+is+blacklisted,+his+means+that+spam+is+detected+from+you.+If+you+think+this+is+not+correct,+please+contact+abuse@gawab.com(#5.7.1) 0 0 155 0 453 SMTP - - - -

I have checked every black list in the world that I can find, and we are not listed in any, nor are we an open relay, nor are we spamming.  the strange thing is that this entry is always all by itself.  There is no other connection related data accompaying it, and no evidence that my mail server is attempting to send messages to this "Gawab.com" domain or the IP address listed.

Someone help!

Eric
0
ericmalone
Asked:
ericmalone
  • 9
  • 8
  • 2
  • +1
1 Solution
 
Netman66Commented:
Have a look at this:

http://support.microsoft.com/default.aspx?scid=kb;[LN];324059

Error 5.7.1 is a Relaying Denied error for Non-Deliver Report.

It's possible a spammer is sending you email that it to a bogus account and your server is accepting it - and then issuing a NDR to the originator which gets flagged at the ISP.

0
 
Netman66Commented:
What version is Exchange?
0
 
chicagoanCommented:
Doen't matter what version of exchange, sombody doesn't want your mail.
You'd have to check the MX records for the destination of the mail that's queued up and see if any point to
gawab.com
alex4all.com or
alexandria.cc
(the free email domains that gawab offers)
in addition, the mail could be destined for any of the paid domains gawab hosts.
If somebody spammed you with a gawab hosted return address, the flurry of replies could have tripped their spam-o-nator.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
owensleftfootCommented:
Does your server have its own dns record? If not then you need to specify your isps mail server as a relay. Some servers do reverse dns lookups and if your server does not appear they regard you as a spammer.
0
 
ericmaloneAuthor Commented:
We are running Exchange 2K on Win2K server.

Looking at our queue, we always have roughly 50-75 NDRs going out all the time.  They do in fact look like NDRs sent in response to spam being sent our way.

Is it wise to turn off the sending of all NDRs, or is there other steps I can take to battle this?

0
 
chicagoanCommented:
owensleftfoot's comment about relaying through your ISP's mail exchanger is valid, they're a lor less likely to be blackholed and you get the mailout of your queue on the first pass
0
 
ericmaloneAuthor Commented:
Yes, our mail server does have its own mx record (which has priority over the ISP's mail server).

Also, the mail server does have a reverse lookup (PTR) record as well, so there are no issues with that.  I have checked at www.dnsstuff.com and numerous other blacklist lookups, and we are not listed.

I guess my question isn't so much how can I get off "gawab.com's" supposed blacklist..  We are not an open relay, and I am positive that spam is not originating from my network.....rather, I am now seeing how many NDRs are going out from my "postmaster@domain.com" account as a response to spam we receive that is sent to users that don't exist in my organization.  

What can/should I do about this?
0
 
chicagoanCommented:

The MX and PTR records are examined by some anti-spam schemes and having them is proper protocol.
gawab probably examines incoming mail for content or watches volume and zapped you for returning mail, the reply to address of which could have been spoofed.


You'd have to contact gawab as described in the message (from some other mail account, apparently) and ask to get off their list.





0
 
ericmaloneAuthor Commented:
We are obviously receiving spam from many sources, and Exchange automatically sends back the NDR.  What can I do about the high volume of NDRs going out from my server?  

Or is there anything I can even do about it?
0
 
ericmaloneAuthor Commented:

chicagoan, Is there a convenient way to, as you said: "check the MX records for the destination of the mail that's queued up" ....other than looking in each queue one at a time?  There must be 30-40 different queues set up in my SMTP server queue, all trying to send out NDRs.


But, too, I am still looking for a solution as to what can be done to minimize all the NDRs going out in the first place.
0
 
chicagoanCommented:
the server shown in the transient error would be the MX record (or the A record if ther is no MX record)

The only way you can stop the bounces is to null route the spam in the first place.
0
 
ericmaloneAuthor Commented:
Sorry, not familiar with what you mean by "null route the spam".

0
 
chicagoanCommented:
do something to detect incoming spam and do not attempt to deliver or return it
send it to the bit bucket

0
 
ericmaloneAuthor Commented:
chicagoan,

Sorry to keep asking, but this is really my first venture into spam/NDR blocking, so perhaps you can explain further or point me to a more detailed reference.

For instance, I wouldn't know where to begin in order to "detect incoming spam" or send it to a "?bit bucket?"

thx....eric
0
 
chicagoanCommented:
you'd need to go with a third party product

you'll also have to get management on board as to policies and spend some time tuning to achieve a balance between filtering nothing and false positives (blocking legitimate mail)

if your anti-virus vendor offers a package, that's one place to start, otherwise:

http://productfinder.infoworld.com/search/keyword/infoworld/Microsoft%20Exchange%202000%20Spam%20Control%20Software/Microsoft%20Exchange%202000%20Spam%20Control%20Software
 
0
 
ericmaloneAuthor Commented:

Would you reccommend turning off outgoing NDRs in MS Exchange 2K?
0
 
chicagoanCommented:
well, what happens when the consulting company that HR contracted to supply them with IT salary ranges for this year's reviews send it to HT@yourdomain.com and, not getting the information, use last year's numbers?

your mom doesn't type too well... you never get her dutch pecan apple pie recipe for thanksgiving dinner and end up serving tiramisu hastily concocted with twinkies instant coffee and dream whip since the gas station was the only thing open - your boss is appalled and instructs HR to drop your eval a point and as they're using old data, you end up making less than you did last year

another guest is impressed with your three hour monolgue on the merits of color coding patch cables after dinner and emails you an offer to be CIO of his new internet startup, unfortunately he sends the email to ericbaloney@yourdomain.com as by that time three bottles of sambuca lay empty in the recycle bin....
 

bounces are a part of email, spam control initiatives can usually garner some support for funding as not only is a nuisance but employees spend paid hours dealing with it... go ask for some money!


0
 
ericmaloneAuthor Commented:

Interesting "examples".........yikes.  I'm not sure whether to be offended or laugh myself silly.

I'll go ask for some money I guess.
0
 
chicagoanCommented:
OMG!! no insult intended!
just a worse-case scenario ;-)
0
 
ericmaloneAuthor Commented:

No worries.....thank for the help!
0

Featured Post

Important Lessons on Recovering from Petya

In their most recent webinar, Skyport Systems explores ways to isolate and protect critical databases to keep the core of your company safe from harm.

  • 9
  • 8
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now