Solved

Server Blacklisted - What to do now?

Posted on 2007-11-18
9
7,309 Views
Last Modified: 2009-05-21
OK I USED THE MXTOOLBOX. COM TO FIND OUT IF MY SERVER WAS BLACKLISTED.  SO NOW IT IS.  BELOW IS WHAT IT SAYS

Blacklist Name   Status Reason TTL Response Time (ms)
FIVETENFREE  LISTED Return codes were: 127.0.0.9 86198 1781
FIVETENIGNORE  LISTED Return codes were: 127.0.0.9 86198 1766
FIVETENKLEZ  LISTED Return codes were: 127.0.0.9 86198 1766
FIVETENMULTI  LISTED Return codes were: 127.0.0.9 86198 1766
FIVETENOPTIN  LISTED Return codes were: 127.0.0.9 86198 1750
FIVETENOTHER  LISTED Return codes were: 127.0.0.9 86198 1750
FIVETENSINGLE  LISTED Return codes were: 127.0.0.9 86198 1750
FIVETENSRC  LISTED Return codes were: 127.0.0.9 86198 1750
FIVETENTCPA  LISTED Return codes were: 127.0.0.9 86198 1734
FIVETENWEBFORM  LISTED Return codes were: 127.0.0.9 86198 1734
AHBL  OK   0 16
BGISOCBL  OK   0 0
CASA-CBL  OK   0 16
CASA-CBL+  OK   0 16
CASA-CDL  OK   0 0
CBL  OK   0 16
CLUECENTRAL  OK   0 0
CYBERLOGIC  OK   0 562
DEADBEEF  OK   0 547
DNSBLINFO  OK   0 547
DNSBLNETAUOHPS  OK   0 547
DNSBLNETAUOMRS  OK   0 531
DNSBLNETAUOSPS  OK   0 531
DNSBLNETAUOSRS  OK   0 531
DNSBLNETAUOWFS  OK   0 516
DNSBLNETAUOWPS  OK   0 516
DNSBLNETAURDTS  OK   0 516
DNSBLNETAURICN  OK   0 531
DNSBLNETAURMST  OK   0 516
DNSBLNETAUT1  OK   0 516
DSBL  OK   0 516
DSBLALL  OK   0 500
DSBLMULTI  OK   0 500
DUINV  OK   0 500
DULRU  OK   0 500
EMAILBASURA  OK   0 484
FABELSOURCES  OK   0 484
GIRL  OK   0 531
GRIP  OK   0 516
HIL  OK   0 516
HIL  OK   0 516
ICMFORBIDDEN  OK   0 703
INFORMATIONWAVE  OK   0 703
INTERSIL  OK   0 703
JAMMDNSBL  OK   0 688
KEMPTBL  OK   0 688
KUNDENSERVER  OK   0 688
LASHBACK  OK   0 672
LNSGBLOCK  OK   0 672
LNSGBULK  OK   0 672
LNSGDUL  OK   0 672
LNSGMULTI  OK   0 656
LNSGOR  OK   0 656
LNSGSRC  OK   0 656
MSRBL-Combined  OK   0 641
MSRBL-Images  OK   0 641
MSRBL-Phising  OK   0 641
MSRBL-Spam  OK   0 641
MSRBL-Viruses  OK   0 625
NERD  OK   0 625
NETHERRELAYS  OK   0 625
NETHERUNSURE  OK   0 609
NJABL  OK   0 609
NJABLDUL  OK   0 609
NJABLDYNA  OK   0 609
NJABLFORMMAIL  OK   0 609
NJABLMULTI  OK   0 609
NJABLPROXIES  OK   0 609
NJABLSOURCES  OK   0 594
NLKUNBLACKLIST  OK   0 594
NLKUNWHITELIST  OK   0 594
NOFALSEPOSITIVE  OK   0 578
NOMOREFUNN  OK   0 578
ORVEDB  OK   0 1062
OSPAM  OK   0 1047
PDL  OK   0 1047
PSBL  OK   0 1047
RANGERSBL  OK   0 1031
REDHAWK  OK   0 1031
RRBL  OK   0 1031
RSBL  OK   0 1016
SATOS  OK   0 1016
SCHULTE  OK   0 1016
SDERB  OK   0 1016
SENDERBASE  OK   0 1000
SERVICESNET  OK   0 1000
SNARK  OK   0 984
SOLID  OK   0 984
SORBS-BLOCK  OK   0 969
SORBS-DUHL  OK   0 984
SORBS-HTTP  OK   0 969
SORBS-MISC  OK   0 984
SORBS-SMTP  OK   0 969
SORBS-SOCKS  OK   0 969
SORBS-SPAM  OK   0 953
SORBS-WEB  OK   0 953
SORBS-ZOMBIE  OK   0 938
SPAMBAG  OK   0 938
SPAMCANNIBAL  OK   0 922
SPAMCOP  OK   0 922
Spamhaus-ZEN  OK   0 906
SPAMSOURCES  OK   0 1359
SPEWS1  OK   0 1359
SPEWS2  OK   0 1344
TECHNOVISION  OK   0 1344
TQMCUBE  OK   0 1328
TRIUMF  OK   0 1328
UCEB  OK   0 1312
UCEPROTECTL1  OK   0 1312
UCEPROTECTL2  OK   0 1297
UCEPROTECTL3  OK   0 1297
US  OK   0 1281
VIRBL  OK   0 1266
WPBL  OK   0 1266
WSFF  OK   0 1250
WYTNIJ  OK   0 1234
ZONEEDIT  OK   0 1234
CSMA  TIMEOUT   0 0
HILLI  TIMEOUT   0 0
ORID  TIMEOUT Return codes were: ERROR, Reponse code=2  0 0
SPAMRBL  TIMEOUT Return codes were: ERROR, Reponse code=2  0 0
 
 
WHAT DO I DO??  IT SAYS ON THE PAGE FOR THE EXPLAINATION WHY

127.0.0.9  WHICH MEANS
misc - Miscellaneous includes (but is NOT limited to) the following groups. Note that this does NOT include misc.spam which is listed under spam above.
1) /24 blocks of addresses containing systems that are apparently sending bulk email (in volumes apparently comparable with the volume from AOL, Earthlink, Google), with any of the following attributes: missing or bogus reverse dns, reverse dns names in domains with no web server, or domains with boilerplate web content.
2) Systems that are strongly suspected of being multistage open relays (where I have not been able to identify the input stage) or open proxies.
3) Any system that delivers spam here, that appears to be running MS SMTPSVC, and that appears to have relayed the message from China, Korea, Brazil, or any known open proxy. These are generally systems that have enabled the guest account, and spammers are using them as open relays, even though they do require SMTP AUTH. Enabling the guest account allows anyone to relay thru them.

MY DNS IS HOSTED BY AT&T.  I WAS TOLD THAT ALL I NEEDED TO DO WITH DNS WAS PUT IN FORWARDERS IN THE FORWARD LOOKUP ZONE TO FORWARD ALL LOOKUPS TO MY ISP.  MY INTERNAL IS .LOCAL AND MY EXTERNAL .ORG.  MY FORWARD LOOKUP ZONE IS FOR .LOCAL.  IS THIS MY PROBLEM????  DO I NEED TO MAKE A FORWARD LOOKUP ZONE FOR .ORG IN MY DNS???  I NEED HELP PLEASE HELP???

THANKS
0
Comment
Question by:amoos
  • 4
  • 2
9 Comments
 
LVL 104

Expert Comment

by:Sembee
ID: 20308480
You are only listed on the FIVETEN lists - and I don't think anyone takes them seriously. If they do then they are fools, the false positive rates are very high with those. Lists from that group will blacklist for the least little reason - and they will blacklist entire subnets - so you may find that they have blacklisted your entire ISP.
Unless you are getting failures from that blacklist I would ignore it.

Simon.
0
 
LVL 17

Accepted Solution

by:
upul007 earned 500 total points
ID: 20308515
To get a clear idea of the status of your domain, run the www.dnsreport.com - DNS report tool. See which items are in Red and yellow.

Please also download the tool SMTPDiag from www.microsoft.com and run it on the Exchange server as well.

Please let us know what the tests give out.
0
 

Author Comment

by:amoos
ID: 20308520
OK THANK YOU.  THAT MAKES ME FEEL BETTER.  NOW I DID WANT TO KNOW IF YOU COULD TELL ME IF MY DNS IS SETUP CORRECTLY.  I HAVE MY INTERNAL DNS SETUP AS .LOCAL THIS IS MY PRIVATE, MY EXTERNAL IS .ORG WHICH IS FOR THE INTERNET.  THE ONLY FORAWARD LOOKUP ZONE THAT I HAVE IN MY DNS IS FOR .LOCAL WHICH HAS FORWARDERS TO  MY ISP.  IS THIS CORRECT???  I WAS TOLD I DID NOT NEED REVERSE DNS BECAUSE MY ISP WOULD BE DOING THAT.  MY REAL QUESTION IS SINCE MY ISP HOSTS ALL DNS THEN 1)DO I NEED A FORWARD LOOKUP ZONE FOR .ORG IN ADDITION TO MY .LOCAL??? AND 2) WHAT I AM MOST CONFUSED ABOUT IS IF I WAS TO MAKE ANOTHER FORWARD LOOKUP ZONE FOR .ORG WOULD I PUT MX RECORDS IN THAT ZONE OR THE .LOCAL ZONE???  VERY CONFUSED

CAN YOU TEST MY SMTP BANNER FROM WHERE EVER YOU ARE SO YOU CAN VERIFY THAT THE SERVER IS PRESENTING THE RIGHT BANNER??

BY THE WAY I HAVE A WATCHGUARD FIREWALL AND I HAVE ALL THE ASSIGNED IP'S THAT THE ISP GAVE ME POINTING TO WHERE THEY ARE SUPPOSE TO SO THERE IS NO PROBLEM WITH THAT.

HELP
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:amoos
ID: 20308537
THIS IS WHAT THE DNSTUFF REPORT GAVE ME

Category Status Test Name Information
Parent PASS Missing Direct Parent check OK. Your direct parent zone exists, which is good. Some domains (usually third or fourth level domains, such as example.co.us) do not have a direct parent zone ('co.us' in this example), which is legal but can cause confusion.
INFO NS records at parent servers Your NS records at the parent servers are:

cmtu.mt.ns.els-gms.att.net. [12.127.16.69 (NO GLUE)] [US]
cbru.br.ns.els-gms.att.net. [199.191.128.105 (NO GLUE)] [US]
[These were obtained from b0.org.afilias-nst.org]
PASS Parent nameservers have your nameservers listed OK. When someone uses DNS to look up your domain, the first step (if it doesn't already know about your domain) is to go to the parent servers. If you aren't listed there, you can't be found. But you are listed there.
WARN Glue at parent nameservers WARNING. The parent servers (I checked with b0.org.afilias-nst.org.) are not providing glue for all your nameservers. This means that they are supplying the NS records (host.example.com), but not supplying the A records (192.0.2.53), which can cause slightly slower connections, and may cause incompatibilities with some non-RFC-compliant programs. This is perfectly acceptable behavior per the RFCs. This will usually occur if your DNS servers are not in the same TLD as your domain (for example, a DNS server of "ns1.example.org" for the domain "example.com"). In this case, you can speed up the connections slightly by having NS records that are in the same TLD as your domain.
PASS DNS servers have A records OK. All your DNS servers either have A records at the zone parent servers, or do not need them (if the DNS servers are on other TLDs). A records are required for your hostnames to ensure that other DNS servers can reach your DNS servers. Note that there will be problems if your DNS servers do not have these same A records.
NS INFO NS records at your nameservers Your NS records at your nameservers are:

cbru.br.ns.els-gms.att.net. [199.191.128.105] [TTL=86400]
cmtu.mt.ns.els-gms.att.net. [12.127.16.69] [TTL=86400]
 
PASS Open DNS servers OK. Your DNS servers do not announce that they are open DNS servers. Although there is a slight chance that they really are open DNS servers, this is very unlikely. Open DNS servers increase the chances that of cache poisoning, can degrade performance of your DNS, and can cause your DNS servers to be used in an attack (so it is good that your DNS servers do not appear to be open DNS servers).  
PASS Mismatched glue OK. The DNS report did not detect any discrepancies between the glue provided by the parent servers and that provided by your authoritative DNS servers.
PASS No NS A records at nameservers OK. Your nameservers do include corresponding A records when asked for your NS records. This ensures that your DNS servers know the A records corresponding to all your NS records.
PASS All nameservers report identical NS records OK. The NS records at all your nameservers are identical.  
PASS All nameservers respond OK. All of your nameservers listed at the parent nameservers responded.
PASS Nameserver name validity OK. All of the NS records that your nameservers report seem valid (no IPs or partial domain names).
PASS Number of nameservers OK. You have 2 nameservers. You must have at least 2 nameservers (RFC2182 section 5 recommends at least 3 nameservers), and preferably no more than 7.
PASS Lame nameservers OK. All the nameservers listed at the parent servers answer authoritatively for your domain.
PASS Missing (stealth) nameservers OK. All 2 of your nameservers (as reported by your nameservers) are also listed at the parent servers.
PASS Missing nameservers 2 OK. All of the nameservers listed at the parent nameservers are also listed as NS records at your nameservers.  
PASS No CNAMEs for domain OK. There are no CNAMEs for OP-TN.ORG. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
PASS No NSs with CNAMEs OK. There are no CNAMEs for your NS records. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
WARN Nameservers on separate class C's WARNING: We cannot test to see if your nameservers are all on the same Class C (technically, /24) range, because the root servers are not sending glue. We plan to add such a test later, but today you will have to manually check to make sure that they are on separate Class C ranges. Your nameservers should be at geographically dispersed locations. You should not have all of your nameservers at the same location. RFC2182 3.1 goes into more detail about secondary nameserver location.
PASS All NS IPs public OK. All of your NS records appear to use public IPs. If there were any private IPs, they would not be reachable, causing DNS delays.
PASS TCP Allowed OK. All your DNS servers allow TCP connections. Although rarely used, TCP connections are occasionally used instead of UDP connections. When firewalls block the TCP DNS connections, it can cause hard-to-diagnose problems.
INFO Nameservers versions [For security reasons, this test is limited to members]
PASS Stealth NS record leakage Your DNS servers do not leak any stealth NS records (if any) in non-NS requests.
SOA INFO SOA record Your SOA record [TTL=86400] is:

Primary nameserver: cbru.br.ns.els-gms.att.net.
Hostmaster E-mail address: rm-hostmaster.ems.att.com.
Serial #: 2
Refresh: 10800
Retry: 3600
Expire: 604800
Default TTL: 86400
 
PASS NS agreement on SOA Serial # OK. All your nameservers agree that your SOA serial number is 2. That means that all your nameservers are using the same data (unless you have different sets of data with the same serial number, which would be very bad)! Note that the DNSreport only checks the NS records listed at the parent servers (not any stealth servers).
 
PASS SOA MNAME Check OK. Your SOA (Start of Authority) record states that your master (primary) name server is: cbru.br.ns.els-gms.att.net.. That server is listed at the parent servers, which is correct.
 
PASS SOA RNAME Check OK. Your SOA (Start of Authority) record states that your DNS contact E-mail address is: rm-hostmaster@ems.att.com. (techie note: we have changed the initial '.' to an '@' for display purposes).  
WARN SOA Serial Number WARNING: Your SOA serial number is: 2. That is OK, but the recommended format (per RFC1912 2.2) is YYYYMMDDnn, where 'nn' is the revision. For example, if you are making the 3rd change on 02 May 2006, you would use 2006050203. This number must be incremented every time you make a DNS change.
PASS SOA REFRESH value OK. Your SOA REFRESH interval is : 10800 seconds. This seems normal (about 3600-7200 seconds is good if not using DNS NOTIFY; RFC1912 2.2 recommends a value between 1200 to 43200 seconds (20 minutes to 12 hours)). This value determines how often secondary/slave nameservers check with the master for updates.
PASS SOA RETRY value OK. Your SOA RETRY interval is : 3600 seconds. This seems normal (about 120-7200 seconds is good). The retry value is the amount of time your secondary/slave nameservers will wait to contact the master nameserver again if the last attempt failed.
PASS SOA EXPIRE value OK. Your SOA EXPIRE time: 604800 seconds. This seems normal (about 1209600 to 2419200 seconds (2-4 weeks) is good). RFC1912 suggests 2-4 weeks. This is how long a secondary/slave nameserver will wait before considering its DNS data stale if it can't reach the primary nameserver.
PASS SOA MINIMUM TTL value OK. Your SOA MINIMUM TTL is: 86400 seconds. This seems normal (about 3,600 to 86400 seconds or 1-24 hours is good). RFC2308 suggests a value of 1-3 hours. This value used to determine the default (technically, minimum) TTL (time-to-live) for DNS entries, but now is used for negative caching.
MX INFO MX Record Your 1 MX record is:

10 mail.op-tn.org. [TTL=86400] IP=12.189.231.181 [TTL=86400] [US]
 
PASS Low port test OK. Our local DNS server that uses a low port number can get your MX record. Some DNS servers are behind firewalls that block low port numbers. This does not guarantee that your DNS server does not block low ports (this specific lookup must be cached), but is a good indication that it does not.
PASS Invalid characters OK. All of your MX records appear to use valid hostnames, without any invalid characters.
PASS All MX IPs public OK. All of your MX records appear to use public IPs. If there were any private IPs, they would not be reachable, causing slight mail delays, extra resource usage, and possibly bounced mail.
PASS MX records are not CNAMEs OK. Looking up your MX record did not just return a CNAME. If an MX record query returns a CNAME, extra processing is required, and some mail servers may not be able to handle it.
PASS MX A lookups have no CNAMEs OK. There appear to be no CNAMEs returned for A records lookups from your MX records (CNAMEs are prohibited in MX records, according to RFC974, RFC1034 3.6.2, RFC1912 2.4, and RFC2181 10.3).
PASS MX is host name, not IP OK. All of your MX records are host names (as opposed to IP addresses, which are not allowed in MX records).
INFO Multiple MX records NOTE: You only have 1 MX record. If your primary mail server is down or unreachable, there is a chance that mail may have troubles reaching you. In the past, mailservers would usually re-try E-mail for up to 48 hours. But many now only re-try for a couple of hours. If your primary mailserver is very reliable (or can be fixed quickly if it goes down), having just one mailserver may be acceptable.
PASS Differing MX-A records OK. I did not detect differing IPs for your MX records (this would happen if your DNS servers return different IPs than the DNS servers that are authoritative for the hostname in your MX records).
PASS Duplicate MX records OK. You do not have any duplicate MX records (pointing to the same IP). Although technically valid, duplicate MX records can cause a lot of confusion, and waste resources.
PASS Reverse DNS entries for MX records OK. The IPs of all of your mail server(s) have reverse DNS (PTR) entries. RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. Note that this information is cached, so if you changed it recently, it will not be reflected here (see the www.DNSstuff.com Reverse DNS Tool for the current data). The reverse DNS entries are:

181.231.189.12.in-addr.arpa mail.op-tn.org. [TTL=86400]
 
Mail PASS Connect to mail servers OK: I was able to connect to all of your mailservers.
WARN Mail server host name in greeting WARNING: One or more of your mailservers is claiming to be a host other than what it really is (the SMTP greeting should be a 3-digit code, followed by a space or a dash, then the host name). If your mailserver sends out E-mail using this domain in its EHLO or HELO, your E-mail might get blocked by anti-spam software. This is also a technical violation of RFC821 4.3 (and RFC2821 4.3.1). Note that the hostname given in the SMTP greeting should have an A record pointing back to the same server. Note that this one test may use a cached DNS record.

mail.op-tn.org claims to be invalid hostname 'SMTP': <br />   220 SMTP service ready <br />
PASS Acceptance of NULL <> sender OK: All of your mailservers accept mail from "<>". You are required (RFC1123 5.2.9) to receive this type of mail (which includes reject/bounce messages and return receipts).
PASS Acceptance of postmaster address OK: All of your mailservers accept mail to postmaster@OP-TN.ORG (as required by RFC822 6.3, RFC1123 5.2.7, and RFC2821 4.5.1).
PASS Acceptance of abuse address OK: All of your mailservers accept mail to abuse@OP-TN.ORG.
INFO Acceptance of domain literals WARNING: One or more of your mailservers does not accept mail in the domain literal format (user@[0.0.0.0]). Mailservers are technically required RFC1123 5.2.17 to accept mail to domain literals for any of its IP addresses. Not accepting domain literals can make it more difficult to test your mailserver, and can prevent you from receiving E-mail from people reporting problems with your mailserver. However, it is unlikely that any problems will occur if the domain literals are not accepted (mailservers at many common large domains have this problem).

mail.op-tn.org's postmaster@[12.189.231.181] response:<br /> >>> RCPT TO:<postmaster@[12.189.231.181]><br /> <<< 550 Requested action not taken: mailbox unavailable <br />  
PASS Open relay test OK: All of your mailservers appear to be closed to relaying. This is not a thorough check, you can get a thorough one here.

mail.op-tn.org OK: 550 Requested action not taken: mailbox unavailable <br />
WARN SPF record Your domain does not have an SPF record. This means that spammers can easily send out E-mail that looks like it came from your domain, which can make your domain look bad (if the recipient thinks you really sent it), and can cost you money (when people complain to you, rather than the spammer). You may want to add an SPF record ASAP, as 01 Oct 2004 was the target date for domains to have SPF records in place (Hotmail, for example, started checking SPF records on 01 Oct 2004).  
WWW
 INFO WWW Record Your www.OP-TN.ORG A record is:

www.op-tn.org. A 12.189.231.183 [TTL=86400] [US]
 
PASS All WWW IPs public OK. All of your WWW IPs appear to be public IPs. If there were any private IPs, they would not be reachable, causing problems reaching your web site.
PASS CNAME Lookup OK. Some domains have a CNAME record for their WWW server that requires an extra DNS lookup, which slightly delays the initial access to the website and use extra bandwidth. There are no CNAMEs for www.OP-TN.ORG, which is good.
INFO Domain A Lookup Your OP-TN.ORG A record is:

op-tn.org. A 12.189.231.183 [TTL=86400]
 


Legend:

UPDATE NOTICE November 2007:
We have made the decision to remove the Single Point of Failure test included in DNSreport. This test was developed and enhanced over the past five years along with our other tools. The initial design of the Single Point of Failure test depended on the typical connectivity profiles prevalent at the time. As connectivity has become more robust the methodology employed makes less sense and creates more false positives. Our development team is working on an enhanced Single Point of Failure test for a future release.
Rows with a FAIL indicate a problem that in most cases really should be fixed.
Rows with a WARN indicate a possible minor problem, which often is not worth pursuing.

Note that all information is accessed in real-time (except where noted), so this is the freshest information about your domain.
Note that automated usage is not tolerated without the purchase of an Automated Usage plan; please only view the DNS report directly with your web browser.
 
I DO NOT SEE ANYTHING BAD.  THE ONE WARNING THAT I SAW ABOUT THE MAIL.OP-TN.ORG HAS NOT BEEN A WORRY OF OURS BECAUSE IT HAS ALWAYS BEEN THAT WAY FROM THE CONTRACTOR WHO PUT THIS TOGETHER A LONG TIME AGO AND NOW HE WAS LET GO.  SO WHAT DO YOU THINK???
0
 

Author Comment

by:amoos
ID: 20308553
sorry i did not mean to affend you or anyone else.   i really need your help. here was my last question.

this is what the dnsstuff report gave.  again i am very sorry if i affended anyone with the uppercase.  i did not mean to affend anyone

Category Status Test Name Information
Parent PASS Missing Direct Parent check OK. Your direct parent zone exists, which is good. Some domains (usually third or fourth level domains, such as example.co.us) do not have a direct parent zone ('co.us' in this example), which is legal but can cause confusion.
INFO NS records at parent servers Your NS records at the parent servers are:

cmtu.mt.ns.els-gms.att.net. [12.127.16.69 (NO GLUE)] [US]
cbru.br.ns.els-gms.att.net. [199.191.128.105 (NO GLUE)] [US]
[These were obtained from b0.org.afilias-nst.org]
PASS Parent nameservers have your nameservers listed OK. When someone uses DNS to look up your domain, the first step (if it doesn't already know about your domain) is to go to the parent servers. If you aren't listed there, you can't be found. But you are listed there.
WARN Glue at parent nameservers WARNING. The parent servers (I checked with b0.org.afilias-nst.org.) are not providing glue for all your nameservers. This means that they are supplying the NS records (host.example.com), but not supplying the A records (192.0.2.53), which can cause slightly slower connections, and may cause incompatibilities with some non-RFC-compliant programs. This is perfectly acceptable behavior per the RFCs. This will usually occur if your DNS servers are not in the same TLD as your domain (for example, a DNS server of "ns1.example.org" for the domain "example.com"). In this case, you can speed up the connections slightly by having NS records that are in the same TLD as your domain.
PASS DNS servers have A records OK. All your DNS servers either have A records at the zone parent servers, or do not need them (if the DNS servers are on other TLDs). A records are required for your hostnames to ensure that other DNS servers can reach your DNS servers. Note that there will be problems if your DNS servers do not have these same A records.
NS INFO NS records at your nameservers Your NS records at your nameservers are:

cbru.br.ns.els-gms.att.net. [199.191.128.105] [TTL=86400]
cmtu.mt.ns.els-gms.att.net. [12.127.16.69] [TTL=86400]
 
PASS Open DNS servers OK. Your DNS servers do not announce that they are open DNS servers. Although there is a slight chance that they really are open DNS servers, this is very unlikely. Open DNS servers increase the chances that of cache poisoning, can degrade performance of your DNS, and can cause your DNS servers to be used in an attack (so it is good that your DNS servers do not appear to be open DNS servers).  
PASS Mismatched glue OK. The DNS report did not detect any discrepancies between the glue provided by the parent servers and that provided by your authoritative DNS servers.
PASS No NS A records at nameservers OK. Your nameservers do include corresponding A records when asked for your NS records. This ensures that your DNS servers know the A records corresponding to all your NS records.
PASS All nameservers report identical NS records OK. The NS records at all your nameservers are identical.  
PASS All nameservers respond OK. All of your nameservers listed at the parent nameservers responded.
PASS Nameserver name validity OK. All of the NS records that your nameservers report seem valid (no IPs or partial domain names).
PASS Number of nameservers OK. You have 2 nameservers. You must have at least 2 nameservers (RFC2182 section 5 recommends at least 3 nameservers), and preferably no more than 7.
PASS Lame nameservers OK. All the nameservers listed at the parent servers answer authoritatively for your domain.
PASS Missing (stealth) nameservers OK. All 2 of your nameservers (as reported by your nameservers) are also listed at the parent servers.
PASS Missing nameservers 2 OK. All of the nameservers listed at the parent nameservers are also listed as NS records at your nameservers.  
PASS No CNAMEs for domain OK. There are no CNAMEs for OP-TN.ORG. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
PASS No NSs with CNAMEs OK. There are no CNAMEs for your NS records. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
WARN Nameservers on separate class C's WARNING: We cannot test to see if your nameservers are all on the same Class C (technically, /24) range, because the root servers are not sending glue. We plan to add such a test later, but today you will have to manually check to make sure that they are on separate Class C ranges. Your nameservers should be at geographically dispersed locations. You should not have all of your nameservers at the same location. RFC2182 3.1 goes into more detail about secondary nameserver location.
PASS All NS IPs public OK. All of your NS records appear to use public IPs. If there were any private IPs, they would not be reachable, causing DNS delays.
PASS TCP Allowed OK. All your DNS servers allow TCP connections. Although rarely used, TCP connections are occasionally used instead of UDP connections. When firewalls block the TCP DNS connections, it can cause hard-to-diagnose problems.
INFO Nameservers versions [For security reasons, this test is limited to members]
PASS Stealth NS record leakage Your DNS servers do not leak any stealth NS records (if any) in non-NS requests.
SOA INFO SOA record Your SOA record [TTL=86400] is:

Primary nameserver: cbru.br.ns.els-gms.att.net.
Hostmaster E-mail address: rm-hostmaster.ems.att.com.
Serial #: 2
Refresh: 10800
Retry: 3600
Expire: 604800
Default TTL: 86400
 
PASS NS agreement on SOA Serial # OK. All your nameservers agree that your SOA serial number is 2. That means that all your nameservers are using the same data (unless you have different sets of data with the same serial number, which would be very bad)! Note that the DNSreport only checks the NS records listed at the parent servers (not any stealth servers).
 
PASS SOA MNAME Check OK. Your SOA (Start of Authority) record states that your master (primary) name server is: cbru.br.ns.els-gms.att.net.. That server is listed at the parent servers, which is correct.
 
PASS SOA RNAME Check OK. Your SOA (Start of Authority) record states that your DNS contact E-mail address is: rm-hostmaster@ems.att.com. (techie note: we have changed the initial '.' to an '@' for display purposes).  
WARN SOA Serial Number WARNING: Your SOA serial number is: 2. That is OK, but the recommended format (per RFC1912 2.2) is YYYYMMDDnn, where 'nn' is the revision. For example, if you are making the 3rd change on 02 May 2006, you would use 2006050203. This number must be incremented every time you make a DNS change.
PASS SOA REFRESH value OK. Your SOA REFRESH interval is : 10800 seconds. This seems normal (about 3600-7200 seconds is good if not using DNS NOTIFY; RFC1912 2.2 recommends a value between 1200 to 43200 seconds (20 minutes to 12 hours)). This value determines how often secondary/slave nameservers check with the master for updates.
PASS SOA RETRY value OK. Your SOA RETRY interval is : 3600 seconds. This seems normal (about 120-7200 seconds is good). The retry value is the amount of time your secondary/slave nameservers will wait to contact the master nameserver again if the last attempt failed.
PASS SOA EXPIRE value OK. Your SOA EXPIRE time: 604800 seconds. This seems normal (about 1209600 to 2419200 seconds (2-4 weeks) is good). RFC1912 suggests 2-4 weeks. This is how long a secondary/slave nameserver will wait before considering its DNS data stale if it can't reach the primary nameserver.
PASS SOA MINIMUM TTL value OK. Your SOA MINIMUM TTL is: 86400 seconds. This seems normal (about 3,600 to 86400 seconds or 1-24 hours is good). RFC2308 suggests a value of 1-3 hours. This value used to determine the default (technically, minimum) TTL (time-to-live) for DNS entries, but now is used for negative caching.
MX INFO MX Record Your 1 MX record is:

10 mail.op-tn.org. [TTL=86400] IP=12.189.231.181 [TTL=86400] [US]
 
PASS Low port test OK. Our local DNS server that uses a low port number can get your MX record. Some DNS servers are behind firewalls that block low port numbers. This does not guarantee that your DNS server does not block low ports (this specific lookup must be cached), but is a good indication that it does not.
PASS Invalid characters OK. All of your MX records appear to use valid hostnames, without any invalid characters.
PASS All MX IPs public OK. All of your MX records appear to use public IPs. If there were any private IPs, they would not be reachable, causing slight mail delays, extra resource usage, and possibly bounced mail.
PASS MX records are not CNAMEs OK. Looking up your MX record did not just return a CNAME. If an MX record query returns a CNAME, extra processing is required, and some mail servers may not be able to handle it.
PASS MX A lookups have no CNAMEs OK. There appear to be no CNAMEs returned for A records lookups from your MX records (CNAMEs are prohibited in MX records, according to RFC974, RFC1034 3.6.2, RFC1912 2.4, and RFC2181 10.3).
PASS MX is host name, not IP OK. All of your MX records are host names (as opposed to IP addresses, which are not allowed in MX records).
INFO Multiple MX records NOTE: You only have 1 MX record. If your primary mail server is down or unreachable, there is a chance that mail may have troubles reaching you. In the past, mailservers would usually re-try E-mail for up to 48 hours. But many now only re-try for a couple of hours. If your primary mailserver is very reliable (or can be fixed quickly if it goes down), having just one mailserver may be acceptable.
PASS Differing MX-A records OK. I did not detect differing IPs for your MX records (this would happen if your DNS servers return different IPs than the DNS servers that are authoritative for the hostname in your MX records).
PASS Duplicate MX records OK. You do not have any duplicate MX records (pointing to the same IP). Although technically valid, duplicate MX records can cause a lot of confusion, and waste resources.
PASS Reverse DNS entries for MX records OK. The IPs of all of your mail server(s) have reverse DNS (PTR) entries. RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. Note that this information is cached, so if you changed it recently, it will not be reflected here (see the www.DNSstuff.com Reverse DNS Tool for the current data). The reverse DNS entries are:

181.231.189.12.in-addr.arpa mail.op-tn.org. [TTL=86400]
 
Mail PASS Connect to mail servers OK: I was able to connect to all of your mailservers.
WARN Mail server host name in greeting WARNING: One or more of your mailservers is claiming to be a host other than what it really is (the SMTP greeting should be a 3-digit code, followed by a space or a dash, then the host name). If your mailserver sends out E-mail using this domain in its EHLO or HELO, your E-mail might get blocked by anti-spam software. This is also a technical violation of RFC821 4.3 (and RFC2821 4.3.1). Note that the hostname given in the SMTP greeting should have an A record pointing back to the same server. Note that this one test may use a cached DNS record.

mail.op-tn.org claims to be invalid hostname 'SMTP': <br />   220 SMTP service ready <br />
PASS Acceptance of NULL <> sender OK: All of your mailservers accept mail from "<>". You are required (RFC1123 5.2.9) to receive this type of mail (which includes reject/bounce messages and return receipts).
PASS Acceptance of postmaster address OK: All of your mailservers accept mail to postmaster@OP-TN.ORG (as required by RFC822 6.3, RFC1123 5.2.7, and RFC2821 4.5.1).
PASS Acceptance of abuse address OK: All of your mailservers accept mail to abuse@OP-TN.ORG.
INFO Acceptance of domain literals WARNING: One or more of your mailservers does not accept mail in the domain literal format (user@[0.0.0.0]). Mailservers are technically required RFC1123 5.2.17 to accept mail to domain literals for any of its IP addresses. Not accepting domain literals can make it more difficult to test your mailserver, and can prevent you from receiving E-mail from people reporting problems with your mailserver. However, it is unlikely that any problems will occur if the domain literals are not accepted (mailservers at many common large domains have this problem).

mail.op-tn.org's postmaster@[12.189.231.181] response:<br /> >>> RCPT TO:<postmaster@[12.189.231.181]><br /> <<< 550 Requested action not taken: mailbox unavailable <br />  
PASS Open relay test OK: All of your mailservers appear to be closed to relaying. This is not a thorough check, you can get a thorough one here.

mail.op-tn.org OK: 550 Requested action not taken: mailbox unavailable <br />
WARN SPF record Your domain does not have an SPF record. This means that spammers can easily send out E-mail that looks like it came from your domain, which can make your domain look bad (if the recipient thinks you really sent it), and can cost you money (when people complain to you, rather than the spammer). You may want to add an SPF record ASAP, as 01 Oct 2004 was the target date for domains to have SPF records in place (Hotmail, for example, started checking SPF records on 01 Oct 2004).  
WWW
 INFO WWW Record Your www.OP-TN.ORG A record is:

www.op-tn.org. A 12.189.231.183 [TTL=86400] [US]
 
PASS All WWW IPs public OK. All of your WWW IPs appear to be public IPs. If there were any private IPs, they would not be reachable, causing problems reaching your web site.
PASS CNAME Lookup OK. Some domains have a CNAME record for their WWW server that requires an extra DNS lookup, which slightly delays the initial access to the website and use extra bandwidth. There are no CNAMEs for www.OP-TN.ORG, which is good.
INFO Domain A Lookup Your OP-TN.ORG A record is:

op-tn.org. A 12.189.231.183 [TTL=86400]
 


Legend:

UPDATE NOTICE November 2007:
We have made the decision to remove the Single Point of Failure test included in DNSreport. This test was developed and enhanced over the past five years along with our other tools. The initial design of the Single Point of Failure test depended on the typical connectivity profiles prevalent at the time. As connectivity has become more robust the methodology employed makes less sense and creates more false positives. Our development team is working on an enhanced Single Point of Failure test for a future release.
Rows with a FAIL indicate a problem that in most cases really should be fixed.
Rows with a WARN indicate a possible minor problem, which often is not worth pursuing.

Note that all information is accessed in real-time (except where noted), so this is the freshest information about your domain.
Note that automated usage is not tolerated without the purchase of an Automated Usage plan; please only view the DNS report directly with your web browser.
 
0
 

Author Comment

by:amoos
ID: 20308564
i am not infront of the server right now to run the smtpdiag tool.  is there anyway that you or one of your associates could test my smtp banner from where you are and tell me if it is presenting what it is suppose to be??

do you think that i need to make another forward lookup zone for .org in my dns and have the forwarders in there??

thanks
0
 
LVL 17

Expert Comment

by:upul007
ID: 20313095
Hi,

The firebox will have a 1 to 1 nat set up so that emails are forwarded to your email server. and vice versa.

Going by what you have said, and the DNS report above, your DNS records are pretty much ok. Since the ISP is doing the DNS hosting and the firbox is taking care of the routing, there is no need for you to enable anything other than DNS for internal usage.

What is the banner that you refer to?




0

Featured Post

Promote certifications in your email signature

Has your company recently won an award or achieved a certification? They'll no doubt want to show it off. Email signature images used to promote certifications & awards can instantly establish credibility with a recipient and provide you with numerous benefits.

Join & Write a Comment

Check out this infographic on what you need to make a good email signature that will work perfectly for your organization.
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now