Solved

Strange message in Exchange SMTP server logs.....

Posted on 2003-11-18
20
872 Views
Last Modified: 2012-08-13
I have been seeing a strange entry in my Exchange SMTP Virtual Server logs.

Every 15 minutes or so, I see this entry:

2003-11-18 23:41:13 204.97.230.37 OutboundConnectionResponse SMTPSVC1 (MYSERVERNAME) - 25 - - 558+Your+network+address+is+blacklisted,+his+means+that+spam+is+detected+from+you.+If+you+think+this+is+not+correct,+please+contact+abuse@gawab.com(#5.7.1) 0 0 155 0 453 SMTP - - - -

I have checked every black list in the world that I can find, and we are not listed in any, nor are we an open relay, nor are we spamming.  The strange thing is that this entry is always all by itself.  There is no other connection-related data accompanying it, and no evidence that my mail server is attempting to send messages to this "Gawab.com" domain or the IP address listed.

Someone help!

Eric
0
Question by:ericmalone
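As an added example (not code from this thread), a small Python parser for log entries like the one quoted above: it decodes the W3C '+'-encoded reply text, pulls out the SMTP reply code and the enhanced status code (the 5.7.1), and counts which remote hosts are refusing the server as blacklisted, so the pattern can be seen across a whole log file rather than one line at a time. The field positions are assumed from the quoted entry, and the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log modelled on the entry quoted in the question (W3C extended
# format, spaces encoded as '+'). 203.0.113.x / 198.51.100.x are documentation
# addresses, not real hosts. Field layout assumed: remote IP = 3rd token,
# SMTP method = 4th token, remote server's reply = 11th token.
SAMPLE_LOG = """\
2003-11-18 23:41:13 204.97.230.37 OutboundConnectionResponse SMTPSVC1 (MYSERVERNAME) - 25 - - 558+Your+network+address+is+blacklisted,+his+means+that+spam+is+detected+from+you.+If+you+think+this+is+not+correct,+please+contact+abuse@gawab.com(#5.7.1) 0 0 155 0 453 SMTP - - - -
2003-11-18 23:41:20 203.0.113.7 OutboundConnectionResponse SMTPSVC1 (MYSERVERNAME) - 25 - - 250+OK 0 0 6 0 31 SMTP - - - -
2003-11-18 23:56:02 204.97.230.37 OutboundConnectionResponse SMTPSVC1 (MYSERVERNAME) - 25 - - 558+Your+network+address+is+blacklisted,+his+means+that+spam+is+detected+from+you.(#5.7.1) 0 0 155 0 453 SMTP - - - -
2003-11-18 23:57:40 198.51.100.9 OutboundConnectionResponse SMTPSVC1 (MYSERVERNAME) - 25 - - 550+5.1.1+User+unknown 0 0 22 0 40 SMTP - - - -
2003-11-18 23:58:01 198.51.100.9 MAIL SMTPSVC1 (MYSERVERNAME) - 25 - - FROM:<postmaster@example.com> 0 0 0 0 15 SMTP - - - -
"""

ENHANCED_CODE = re.compile(r"#?(\d\.\d\.\d)")  # e.g. the (#5.7.1) in the reply text

def parse_entry(line):
    """Return a dict for one log entry, or None for blank/comment (#Fields) lines."""
    if not line.strip() or line.startswith("#"):
        return None
    tok = line.split(" ")
    if len(tok) < 11:
        return None
    reply = unquote_plus(tok[10])                 # undo the W3C '+' space encoding
    m = re.match(r"(\d{3})\s*(.*)", reply)        # leading 3-digit SMTP reply code
    code = int(m.group(1)) if m else None
    text = m.group(2) if m else reply
    enh = ENHANCED_CODE.search(text)
    return {"time": f"{tok[0]} {tok[1]}", "remote_ip": tok[2], "method": tok[3],
            "code": code, "text": text, "enhanced": enh.group(1) if enh else None}

def rejections(log_text):
    """Outbound connections that the remote MTA refused with a permanent (5xx) reply."""
    return [e for e in map(parse_entry, log_text.splitlines())
            if e and e["method"] == "OutboundConnectionResponse"
            and e["code"] is not None and e["code"] >= 500]

def blacklist_sources(log_text):
    """Per remote IP, how many 5xx replies said our address is blacklisted."""
    return Counter(e["remote_ip"] for e in rejections(log_text)
                   if "blacklist" in e["text"].lower())

if __name__ == "__main__":
    for e in rejections(SAMPLE_LOG):
        print(e["time"], e["remote_ip"], e["code"], e["enhanced"], e["text"][:60])
    print(blacklist_sources(SAMPLE_LOG))
```

Run it against the real log directory by reading each file's text into `rejections()`; a host that appears repeatedly with the same 5xx text is the one whose policy is rejecting the server's NDRs.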
20 Comments
 
LVL 51

Expert Comment

by:Netman66
Have a look at this:

http://support.microsoft.com/default.aspx?scid=kb;[LN];324059

Error 5.7.1 is a Relaying Denied error for a Non-Delivery Report.

It's possible a spammer is sending you email that is to a bogus account and your server is accepting it - and then issuing an NDR to the originator which gets flagged at the ISP.

0
 
LVL 51

Expert Comment

by:Netman66
What version is Exchange?
0
 
LVL 18

Expert Comment

by:chicagoan
Doesn't matter what version of Exchange, somebody doesn't want your mail.
You'd have to check the MX records for the destination of the mail that's queued up and see if any point to
gawab.com
alex4all.com or
alexandria.cc
(the free email domains that gawab offers)
In addition, the mail could be destined for any of the paid domains gawab hosts.
If somebody spammed you with a gawab hosted return address, the flurry of replies could have tripped their spam-o-nator.
0
 
LVL 17

Expert Comment

by:owensleftfoot
Does your server have its own DNS record? If not then you need to specify your ISP's mail server as a relay. Some servers do reverse DNS lookups and if your server does not appear they regard you as a spammer.
0
 

Author Comment

by:ericmalone
We are running Exchange 2K on Win2K server.

Looking at our queue, we always have roughly 50-75 NDRs going out all the time.  They do in fact look like NDRs sent in response to spam being sent our way.

Is it wise to turn off the sending of all NDRs, or are there other steps I can take to battle this?

0
 
LVL 18

Expert Comment

by:chicagoan
owensleftfoot's comment about relaying through your ISP's mail exchanger is valid; they're a lot less likely to be blackholed and you get the mail out of your queue on the first pass.
0
 

Author Comment

by:ericmalone
Yes, our mail server does have its own MX record (which has priority over the ISP's mail server).

Also, the mail server does have a reverse lookup (PTR) record as well, so there are no issues with that.  I have checked at www.dnsstuff.com and numerous other blacklist lookups, and we are not listed.

I guess my question isn't so much how can I get off "gawab.com's" supposed blacklist..  We are not an open relay, and I am positive that spam is not originating from my network.....rather, I am now seeing how many NDRs are going out from my "postmaster@domain.com" account as a response to spam we receive that is sent to users that don't exist in my organization.  

What can/should I do about this?
0
 
LVL 18

Expert Comment

by:chicagoan
The MX and PTR records are examined by some anti-spam schemes and having them is proper protocol.
gawab probably examines incoming mail for content or watches volume and zapped you for returning mail, the reply-to address of which could have been spoofed.

You'd have to contact gawab as described in the message (from some other mail account, apparently) and ask to get off their list.

0
 

Author Comment

by:ericmalone
We are obviously receiving spam from many sources, and Exchange automatically sends back the NDR.  What can I do about the high volume of NDRs going out from my server?  

Or is there anything I can even do about it?
0
 

Author Comment

by:ericmalone

chicagoan, Is there a convenient way to, as you said: "check the MX records for the destination of the mail that's queued up" ....other than looking in each queue one at a time?  There must be 30-40 different queues set up in my SMTP server queue, all trying to send out NDRs.


But, too, I am still looking for a solution as to what can be done to minimize all the NDRs going out in the first place.
0
 
LVL 18

Expert Comment

by:chicagoan
The server shown in the transient error would be the MX record (or the A record if there is no MX record).

The only way you can stop the bounces is to null route the spam in the first place.
0
 

Author Comment

by:ericmalone
Sorry, not familiar with what you mean by "null route the spam".

0
 
LVL 18

Expert Comment

by:chicagoan
Do something to detect incoming spam and do not attempt to deliver or return it;
send it to the bit bucket.

0
 

Author Comment

by:ericmalone
chicagoan,

Sorry to keep asking, but this is really my first venture into spam/NDR blocking, so perhaps you can explain further or point me to a more detailed reference.

For instance, I wouldn't know where to begin in order to "detect incoming spam" or send it to a "bit bucket".

thx....eric
0
 
LVL 18

Accepted Solution

by:
chicagoan earned 250 total points
You'd need to go with a third party product.

You'll also have to get management on board as to policies and spend some time tuning to achieve a balance between filtering nothing and false positives (blocking legitimate mail).

If your anti-virus vendor offers a package, that's one place to start, otherwise:

http://productfinder.infoworld.com/search/keyword/infoworld/Microsoft%20Exchange%202000%20Spam%20Control%20Software/Microsoft%20Exchange%202000%20Spam%20Control%20Software
 
0
 

Author Comment

by:ericmalone
Would you recommend turning off outgoing NDRs in MS Exchange 2K?
0
 
LVL 18

Expert Comment

by:chicagoan
Well, what happens when the consulting company that HR contracted to supply them with IT salary ranges for this year's reviews sends it to HT@yourdomain.com and, not getting the information, uses last year's numbers?

Your mom doesn't type too well... you never get her Dutch pecan apple pie recipe for Thanksgiving dinner and end up serving tiramisu hastily concocted with Twinkies, instant coffee and Dream Whip since the gas station was the only thing open - your boss is appalled and instructs HR to drop your eval a point and as they're using old data, you end up making less than you did last year.

Another guest is impressed with your three hour monologue on the merits of color coding patch cables after dinner and emails you an offer to be CIO of his new internet startup; unfortunately he sends the email to ericbaloney@yourdomain.com as by that time three bottles of sambuca lay empty in the recycle bin....

Bounces are a part of email. Spam control initiatives can usually garner some support for funding as not only is it a nuisance but employees spend paid hours dealing with it... go ask for some money!


0
 

Author Comment

by:ericmalone

Interesting "examples".........yikes.  I'm not sure whether to be offended or laugh myself silly.

I'll go ask for some money I guess.
0
 
LVL 18

Expert Comment

by:chicagoan
OMG!! no insult intended!
just a worse-case scenario ;-)
0
 

Author Comment

by:ericmalone
No worries.....thanks for the help!
0
