Solved

Strange message in Exchange SMTP server logs.....

Posted on 2003-11-18
Last Modified: 2012-08-13
I have been seeing a strange entry in my Exchange SMTP Virtual server logs.

Every 15 minutes or so, I see this entry:

2003-11-18 23:41:13 204.97.230.37 OutboundConnectionResponse SMTPSVC1 (MYSERVERNAME) - 25 - - 558+Your+network+address+is+blacklisted,+his+means+that+spam+is+detected+from+you.+If+you+think+this+is+not+correct,+please+contact+abuse@gawab.com(#5.7.1) 0 0 155 0 453 SMTP - - - -

I have checked every black list in the world that I can find, and we are not listed in any, nor are we an open relay, nor are we spamming.  The strange thing is that this entry is always all by itself.  There is no other connection related data accompanying it, and no evidence that my mail server is attempting to send messages to this "Gawab.com" domain or the IP address listed.

Someone help!

Eric
0
Comment
Question by:ericmalone
20 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 9775624
Have a look at this:

http://support.microsoft.com/default.aspx?scid=kb;[LN];324059

Error 5.7.1 is a Relaying Denied error for Non-Delivery Report.

It's possible a spammer is sending you email that is to a bogus account and your server is accepting it - and then issuing an NDR to the originator which gets flagged at the ISP.

0
 
LVL 51

Expert Comment

by:Netman66
ID: 9775671
What version is Exchange?
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9776304
Doesn't matter what version of exchange, somebody doesn't want your mail.
You'd have to check the MX records for the destination of the mail that's queued up and see if any point to
gawab.com
alex4all.com or
alexandria.cc
(the free email domains that gawab offers)
in addition, the mail could be destined for any of the paid domains gawab hosts.
If somebody spammed you with a gawab hosted return address, the flurry of replies could have tripped their spam-o-nator.
0

 
LVL 17

Expert Comment

by:owensleftfoot
ID: 9778713
Does your server have its own DNS record? If not then you need to specify your ISP's mail server as a relay. Some servers do reverse DNS lookups and if your server does not appear they regard you as a spammer.
0
 

Author Comment

by:ericmalone
ID: 9781244
We are running Exchange 2K on Win2K server.

Looking at our queue, we always have roughly 50-75 NDRs going out all the time.  They do in fact look like NDRs sent in response to spam being sent our way.

Is it wise to turn off the sending of all NDRs, or are there other steps I can take to battle this?

0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9781518
owensleftfoot's comment about relaying through your ISP's mail exchanger is valid, they're a lot less likely to be blackholed and you get the mail out of your queue on the first pass
0
 

Author Comment

by:ericmalone
ID: 9781650
Yes, our mail server does have its own mx record (which has priority over the ISP's mail server).

Also, the mail server does have a reverse lookup (PTR) record as well, so there are no issues with that.  I have checked at www.dnsstuff.com and numerous other blacklist lookups, and we are not listed.

I guess my question isn't so much how can I get off "gawab.com's" supposed blacklist..  We are not an open relay, and I am positive that spam is not originating from my network.....rather, I am now seeing how many NDRs are going out from my "postmaster@domain.com" account as a response to spam we receive that is sent to users that don't exist in my organization.  

What can/should I do about this?
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9781755

The MX and PTR records are examined by some anti-spam schemes and having them is proper protocol.
gawab probably examines incoming mail for content or watches volume and zapped you for returning mail, the reply to address of which could have been spoofed.


You'd have to contact gawab as described in the message (from some other mail account, apparently) and ask to get off their list.





0
 

Author Comment

by:ericmalone
ID: 9782202
We are obviously receiving spam from many sources, and Exchange automatically sends back the NDR.  What can I do about the high volume of NDRs going out from my server?  

Or is there anything I can even do about it?
0
 

Author Comment

by:ericmalone
ID: 9782518

chicagoan, Is there a convenient way to, as you said: "check the MX records for the destination of the mail that's queued up" ....other than looking in each queue one at a time?  There must be 30-40 different queues set up in my SMTP server queue, all trying to send out NDRs.


But, too, I am still looking for a solution as to what can be done to minimize all the NDRs going out in the first place.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9783066
the server shown in the transient error would be the MX record (or the A record if there is no MX record)

The only way you can stop the bounces is to null route the spam in the first place.
0
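For the question of how to see which destinations are rejecting the queued NDRs without opening each queue, the SMTP virtual server log can be tallied instead. This is an added example, not code from anyone in the thread; it assumes every log line follows the layout of the single entry quoted in the question (date, time, remote IP, operation, then a reply token with spaces encoded as `+`), and all sample lines after the first are constructed.

```python
import re
from collections import Counter

# Line 1 is the entry quoted in the question. The other lines are constructed
# samples in the same layout (documentation IP ranges, made-up reply text).
SAMPLE_LOG = """\
2003-11-18 23:41:13 204.97.230.37 OutboundConnectionResponse SMTPSVC1 (MYSERVERNAME) - 25 - - 558+Your+network+address+is+blacklisted,+his+means+that+spam+is+detected+from+you.+If+you+think+this+is+not+correct,+please+contact+abuse@gawab.com(#5.7.1) 0 0 155 0 453 SMTP - - - -
2003-11-18 23:41:20 192.0.2.10 OutboundConnectionResponse SMTPSVC1 (MYSERVERNAME) - 25 - - 220+mx.example.net+ESMTP+ready 0 0 29 0 110 SMTP - - - -
2003-11-18 23:41:20 192.0.2.10 OutboundConnectionCommand SMTPSVC1 (MYSERVERNAME) - 25 EHLO - mail.example.org 0 0 4 0 110 SMTP - - - -
2003-11-18 23:42:02 198.51.100.7 OutboundConnectionResponse SMTPSVC1 (MYSERVERNAME) - 25 - - 550+5.7.1+Rejected+by+policy,+contact+postmaster@example.com 0 0 60 0 203 SMTP - - - -
2003-11-18 23:56:14 204.97.230.37 OutboundConnectionResponse SMTPSVC1 (MYSERVERNAME) - 25 - - 558+Your+network+address+is+blacklisted,+his+means+that+spam+is+detected+from+you.+If+you+think+this+is+not+correct,+please+contact+abuse@gawab.com(#5.7.1) 0 0 155 0 453 SMTP - - - -
"""

# Reply token: 3-digit SMTP code, then '+' (the log's encoding of a space) or '-'.
REPLY = re.compile(r"^([2-5]\d\d)[+-](.*)$")
ADDR_DOMAIN = re.compile(r"[\w.-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")

def parse_rejections(log_text):
    """Return one dict per permanent (5xx) reply a remote server gave us."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        # Assumed layout (from the quoted entry): date, time, remote IP, operation, ...
        if line.startswith("#") or "OutboundConnectionResponse" not in fields[3:4]:
            continue
        reply = next((m for m in map(REPLY.match, fields[4:]) if m), None)
        if reply is None or not reply.group(1).startswith("5"):
            continue  # banners (220) and acceptances (250) are not rejections
        text = reply.group(2).replace("+", " ")
        contact = ADDR_DOMAIN.search(text)
        hits.append({"time": " ".join(fields[:2]), "remote_ip": fields[2],
                     "code": reply.group(1), "text": text,
                     "contact_domain": contact.group(1) if contact else None})
    return hits

def summarize(log_text):
    """Count rejections per (remote IP, reply code, contact domain), busiest first."""
    tally = Counter((h["remote_ip"], h["code"], h["contact_domain"])
                    for h in parse_rejections(log_text))
    return tally.most_common()

if __name__ == "__main__":
    for (ip, code, domain), count in summarize(SAMPLE_LOG):
        print(f"{count:3d}  {ip:<15}  {code}  {domain}")
```

The contact domain is taken from any address the remote server put in its reply text, which is often the quickest pointer to who operates the rejecting host.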
 

Author Comment

by:ericmalone
ID: 9783920
Sorry, not familiar with what you mean by "null route the spam".

0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9784149
do something to detect incoming spam and do not attempt to deliver or return it
send it to the bit bucket

0
 

Author Comment

by:ericmalone
ID: 9784772
chicagoan,

Sorry to keep asking, but this is really my first venture into spam/NDR blocking, so perhaps you can explain further or point me to a more detailed reference.

For instance, I wouldn't know where to begin in order to "detect incoming spam" or send it to a "?bit bucket?"

thx....eric
0
 
LVL 18

Accepted Solution

by:
chicagoan earned 250 total points
ID: 9785152
you'd need to go with a third party product

you'll also have to get management on board as to policies and spend some time tuning to achieve a balance between filtering nothing and false positives (blocking legitimate mail)

if your anti-virus vendor offers a package, that's one place to start, otherwise:

http://productfinder.infoworld.com/search/keyword/infoworld/Microsoft%20Exchange%202000%20Spam%20Control%20Software/Microsoft%20Exchange%202000%20Spam%20Control%20Software
 
0
 

Author Comment

by:ericmalone
ID: 9798219

Would you recommend turning off outgoing NDRs in MS Exchange 2K?
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9798343
well, what happens when the consulting company that HR contracted to supply them with IT salary ranges for this year's reviews send it to HT@yourdomain.com and, not getting the information, use last year's numbers?

your mom doesn't type too well... you never get her dutch pecan apple pie recipe for thanksgiving dinner and end up serving tiramisu hastily concocted with twinkies instant coffee and dream whip since the gas station was the only thing open - your boss is appalled and instructs HR to drop your eval a point and as they're using old data, you end up making less than you did last year

another guest is impressed with your three hour monologue on the merits of color coding patch cables after dinner and emails you an offer to be CIO of his new internet startup, unfortunately he sends the email to ericbaloney@yourdomain.com as by that time three bottles of sambuca lay empty in the recycle bin....
 

bounces are a part of email, spam control initiatives can usually garner some support for funding as not only is it a nuisance but employees spend paid hours dealing with it... go ask for some money!


0
 

Author Comment

by:ericmalone
ID: 9798391

Interesting "examples".........yikes.  I'm not sure whether to be offended or laugh myself silly.

I'll go ask for some money I guess.
0
 
LVL 18

Expert Comment

by:chicagoan
ID: 9798431
OMG!! no insult intended!
just a worst-case scenario ;-)
0
 

Author Comment

by:ericmalone
ID: 9798440

No worries.....thanks for the help!
0
