• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 13114

How do I fix the MTA poor reputation?

When certain users in my network send outgoing emails I get this message back:

Tue, 10 Jun 2008 15:48:37 -0400
Failed to send to identified host,
*******@cdw.com: [12.32.91.180], 554-mail3.cdw.com
554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.
--- Message non-deliverable.


Any ideas?



Stacy Spear (President/Principal Consultant) commented:
You have been identified as sending spam. The first thing is to secure your server:

http://www.amset.info/exchange/smtp-openrelay.asp
http://www.amset.info/exchange/filter-unknown.asp
http://www.amset.info/exchange/spam-cleanup.asp

The next thing is to ensure, at your firewall, that nothing on your network other than your Exchange server can send port 25 traffic. Also, ensure port 587 is blocked.

After all that is done, find out where you are blacklisted; www.mxtoolbox.com can help there. Then follow each list's procedure to remove yourself. Once removed from the blacklists, your reputation scores should greatly increase.
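The two checks in the answer above, the open-relay test done by hand over telnet and the blacklist lookup, as an added example; this is not code from the thread, from amset.info or from mxtoolbox.com. It assumes the MTA speaks plain SMTP on port 25 with no STARTTLS or authentication, and treats a 250 reply to a RCPT TO for a domain the server does not own as an open relay. The probe addresses, the DNSBL zone names, the canned Exchange-style replies and the 192.0.2.25 address are all constructed so the script runs offline.

```python
"""Open-relay probe and DNSBL lookup (added example, not code from the thread).
Assumes the MTA speaks plain SMTP on port 25 without STARTTLS or authentication
and that a 250 reply to RCPT TO for a domain it does not own means open relay.
Probe addresses, zone names, sample replies and 192.0.2.25 are constructed."""
import socket

PROBE_SENDER = "relaytest@example.org"     # outside the tested server's domains
PROBE_RECIPIENT = "relaytest@example.net"  # likewise; a closed relay must refuse


def read_reply(recv):
    """Read one SMTP reply (possibly multi-line) via `recv`, any callable
    returning bytes such as a socket's recv method; return (code, lines)."""
    buf = b""
    while True:
        chunk = recv(4096)
        if not chunk:
            raise ConnectionError("connection closed by server")
        buf += chunk
        lines = buf.decode("ascii", "replace").splitlines()
        # Complete once the last full line is "NNN " (space, not "-", after the code).
        if buf.endswith(b"\r\n") and len(lines[-1]) >= 4 and lines[-1][3] == " ":
            return int(lines[-1][:3]), lines


def relay_probe(send, recv):
    """The manual telnet test, automated: EHLO, MAIL FROM and RCPT TO for
    addresses outside the server's domains, then QUIT. Records each reply
    code; "open_relay" is True only if the foreign RCPT TO was accepted."""
    result = {}
    code, lines = read_reply(recv)
    result["banner"] = lines[0]
    if code == 220:
        steps = [
            ("ehlo", b"EHLO probe.example.org\r\n"),
            ("mail_from", b"MAIL FROM:<" + PROBE_SENDER.encode() + b">\r\n"),
            ("rcpt_to", b"RCPT TO:<" + PROBE_RECIPIENT.encode() + b">\r\n"),
        ]
        for name, cmd in steps:
            send(cmd)
            code, _ = read_reply(recv)
            result[name] = code
            if code >= 400:   # refused: the verdict is known, stop here
                break
        send(b"QUIT\r\n")
        try:
            read_reply(recv)
        except ConnectionError:
            pass
    result["open_relay"] = result.get("rcpt_to") == 250
    return result


def live_probe(host, port=25, timeout=15):
    """Probe a real MTA. Run it from OUTSIDE your network: internal hosts are
    normally allowed to relay, so a test from inside proves nothing."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return relay_probe(s.sendall, s.recv)


def scripted_recv(replies):
    # Offline stand-in for a socket's recv: hands out canned replies in order.
    it = iter(replies)
    return lambda _n: next(it, b"")


# Reply sequences in the style of Exchange 2003 (constructed sample data).
CLOSED_RELAY_REPLIES = [
    b"220 mail.example.com Microsoft ESMTP MAIL Service ready\r\n",
    b"250-mail.example.com Hello\r\n250 SIZE 10240000\r\n",
    b"250 2.1.0 relaytest@example.org....Sender OK\r\n",
    b"550 5.7.1 Unable to relay for relaytest@example.net\r\n",
    b"221 2.0.0 closing connection\r\n",
]
OPEN_RELAY_REPLIES = CLOSED_RELAY_REPLIES[:3] + [b"250 2.1.5 OK\r\n"] + CLOSED_RELAY_REPLIES[4:]


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: the query form IPv4 DNSBLs use."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def dns_a_records(name):
    """Real lookup: A records for `name`, or [] when the name does not exist."""
    try:
        return [ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)]
    except socket.gaierror:
        return []


def dnsbl_listed(ip, zones, resolve=dns_a_records):
    """Zones in which `ip` is listed. `resolve(name)` returns A-record strings
    ([] for NXDOMAIN). Any 127.0.0.0/8 answer means listed; what the last
    octet signifies differs per zone, so check the zone's documentation."""
    return [z for z in zones
            if any(a.startswith("127.") for a in resolve(dnsbl_query_name(ip, z)))]


# Constructed DNSBL answers so the lookup also runs offline.
SAMPLE_ANSWERS = {"25.2.0.192.zen.spamhaus.org": ["127.0.0.2"]}
```

`live_probe("mail.yourdomain.example")` runs the same exchange against a real server over a socket; do it from an external connection, as the answer says, because hosts inside the network are normally permitted to relay and would make a closed server look open. `dnsbl_listed(ip, zones)` with no resolver does live DNS queries; passing `lambda n: SAMPLE_ANSWERS.get(n, [])` exercises it offline.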
GFCU (Author) commented:
I tried to telnet, and at this step:

You should get a response back similar to the following:

220 mail.server.domain Microsoft ESMTP MAIL Service, Version: 6.0.2790.0 Ready at

I didn't get anything back. It said that the connection was lost. Also, I looked up my mail server on mxtoolbox.com and it said:

Relay Check: OK - This server is not an open relay.

That's right, right?

********************
Also,
The filter check box is not checked, but I don't necessarily want to check it if it opens you up to directory harvest attacks, even if you can do that "tar pitting" thing. What are your thoughts?


********************
Also,
I did that "Check whether you are under an NDR Attack" thing and that came back good. All those other things on the third link that you gave: should I check them?

GFCU (Author) commented:
I can see that I am still listed in the blacklists.

Also, on a side note:
My setup is an internal Exchange server, and then, off an optional port on my firewall, I have a mail filter server that all mail gets routed through. The mail filter server is the server that is blacklisted. I ran virus checks, took care of all threats, updated the OS, and updated the mail filter app. Within the mail filter app there is a place where you can check connecting IP addresses against specified real-time blackhole lists. Might this be the cause of my problem? It says that "This feature can block legitimate mail servers," and this is checking against three different blacklist sites.

I found where you can put in exclusion servers.  Is this the right track to follow?

GFCU (Author) commented:
**Is it possible to get put on those blacklists if people that you just send normal email to report you as spam?**
Stacy Spear (President/Principal Consultant) commented:
No, your server is sending spam, not receiving it. Where did you try to connect from? Try it from an external location; mxtoolbox.com will also show the connection.

Once you lock down your server, you then need to request removal from each blacklist site. Some have online forms to do so, but for some you may have to call. If you haven't locked it down properly, however, you will be back.
GFCU (Author) commented:
I tried connecting from an outside connection, but it was on dial-up, and I am wondering if the connection was so slow that it just dropped off. I am going to try this again as soon as I can, maybe find a higher-speed connection.


I did that thing where you can see events in the event viewer, and I got this:

This is an SMTP protocol log for virtual server ID 1, connection #2. The client at "<INTERNAL IP ADDRESS>" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for support@domain.com  ". The full command sent was "rcpt TO: <support@domain.com>".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.


Is this supporting evidence that the server is indeed relaying spam?
Stacy Spear (President/Principal Consultant) commented:
Was it trying to relay for your own domain or another?

A dial-up connection should be plenty fast to allow a hand-jammed SMTP test.
GFCU (Author) commented:
I think this may be a server inside my organization trying to relay out.


I put where it was not my domain.

This is an SMTP protocol log for virtual server ID 1, connection #2. The client at "<MY DOMAIN INTERNAL IP ADDRESS>" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for support@NOT_MY_DOMAIN.com  ". The full command sent was "rcpt TO: <support@NOT_MY_DOMAIN.com>".  This will probably cause the connection to fail.



I'm working on that telnet test again - I'll let you know what I come up with as soon as the dial-up line here becomes available to me again.  Thanks for your help so far!
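An added example, not code from the thread, for the question Stacy asks about the event log the author quotes: was the denied relay for your own domain or for someone else's? The script parses the Exchange 2003 "550 5.7.1 Unable to relay" protocol-log event in the exact wording shown above and sorts events into relay attempts for foreign domains (an internal host pushing outbound mail through the server, the pattern to chase when hunting a spam source) versus refusals of the server's own domain (usually a relay-restriction or unknown-recipient issue). The accepted-domain set, the 10.0.0.x client addresses and the sample events are constructed; the `sample_event` builder only reproduces the page's log wording with those placeholders filled in.

```python
"""Triage of Exchange 2003 SMTP protocol-log events (added example, not code
from the thread). Parses the "550 5.7.1 Unable to relay" event quoted above and
separates internal clients relaying to domains the server does not accept mail
for from refusals of the server's own domain. Accepted domains, client
addresses and the sample events are constructed."""
import re
from collections import Counter, defaultdict

# Domains this Exchange server accepts mail for (assumption for the example).
ACCEPTED_DOMAINS = {"example.com"}

EVENT_RE = re.compile(
    r'The client at "(?P<client>[^"]+)" sent a "(?P<verb>\w+)" command, and the '
    r'SMTP server responded with "(?P<code>\d{3}) (?P<status>\d\.\d\.\d) '
    r'(?P<text>[^"]*?)\s*"\.\s*The full command sent was "(?P<command>[^"]*)"'
)


def parse_event(text):
    """Pull client IP, reply code, enhanced status code and the RCPT address
    out of one event; return None for text of a different shape."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    addr = re.search(r"<([^>]*)>", rec["command"])
    rec["recipient"] = addr.group(1).strip().lower() if addr else None
    rec["domain"] = rec["recipient"].rpartition("@")[2] if rec["recipient"] else None
    return rec


def classify(rec, accepted=ACCEPTED_DOMAINS):
    """'foreign': relay denied for a domain we do not own, i.e. an internal host
    trying to send outbound mail through this server; 'local': a recipient in
    our own domain was refused; 'other': not a 550 5.7.1 relay denial."""
    if rec is None or rec["code"] != 550 or rec["status"] != "5.7.1":
        return "other"
    return "local" if rec["domain"] in accepted else "foreign"


def triage(events, accepted=ACCEPTED_DOMAINS):
    """Count foreign-relay denials per client IP, plus the domains each one
    targeted, so the noisiest internal hosts stand out for inspection."""
    per_client, targets = Counter(), defaultdict(set)
    for text in events:
        rec = parse_event(text)
        if classify(rec, accepted) == "foreign":
            per_client[rec["client"]] += 1
            targets[rec["client"]].add(rec["domain"])
    return per_client, dict(targets)


def sample_event(client, recipient, reply="550 5.7.1 Unable to relay for {rcpt}"):
    """Build an event in the wording of the page's log (constructed data)."""
    return ('This is an SMTP protocol log for virtual server ID 1, connection #2. '
            'The client at "%s" sent a "rcpt" command, and the SMTP server '
            'responded with "%s  ". The full command sent was "rcpt TO: <%s>".  '
            'This will probably cause the connection to fail.'
            % (client, reply.format(rcpt=recipient), recipient))


# Constructed events: 10.0.0.25 keeps trying foreign domains; 10.0.0.40 hits our own.
SAMPLE_EVENTS = [
    sample_event("10.0.0.25", "support@example.net"),
    sample_event("10.0.0.25", "sales@example.org"),
    sample_event("10.0.0.25", "info@example.net"),
    sample_event("10.0.0.40", "support@example.com"),
    sample_event("10.0.0.40", "nobody@example.com", "550 5.1.1 User unknown"),
]
```

A host that shows up repeatedly under "foreign" is the one to pull off the network and scan; a "local" refusal for your own domain points at the relay restrictions on the SMTP virtual server instead. Note that these events only prove the server refused to relay, not that the client was clean: a machine hammering foreign domains through the Exchange server will usually also be sending straight to port 25 on the Internet if the firewall lets it.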
GFCU (Author) commented:
The telnet connection keeps dropping. I found a website that checks whether you are relaying or not, and the results looked OK.

I checked all of the things in the articles that you told me about (everything checked out good), updated that server with OS updates, filter app updates, and anti-virus updates, and also installed other anti-spyware apps and updated them. I ran scans using the anti-virus software and the anti-spyware software and deleted/quarantined whatever needed to be. A couple of days ago I saw that we were not listed on the blacklist any more. I did not contact them in any way asking them to take us off; they just did it automatically.

I think that we are alright for now.
Stacy Spear (President/Principal Consultant) commented:
You need to add that internal server to the allowed relay list under the SMTP virtual server properties.
Stacy Spear (President/Principal Consultant) commented:
Great on the blacklisting. Some of them are pretty asinine about removing servers, but as you've seen, most are not.
GFCU (Author) commented:
I think that that IP for that server is already listed within that list.  You mean that relay restriction exception list, right?

Well I really appreciate your help.  Thank you very much.

I'm going to keep a close eye on this issue and the blacklist and see what happens within the next week or so, and if I have any issues or get any calls on email issues regarding this, I'm sure you'll most likely be hearing from me again. Thanks again, darkstar3d!