  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 13051

How do I fix the MTA poor reputation?

When certain users in my network send outgoing emails I get this message back:

Tue, 10 Jun 2008 15:48:37 -0400
Failed to send to identified host,
*******@cdw.com: [12.32.91.180], 554-mail3.cdw.com
554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.
--- Message non-deliverable.


Any ideas?



5 Solutions
 
Stacy Spear commented:
You have been identified as sending spam. The first thing is to secure your server:

http://www.amset.info/exchange/smtp-openrelay.asp
http://www.amset.info/exchange/filter-unknown.asp
http://www.amset.info/exchange/spam-cleanup.asp

The next thing is to ensure that nothing on your network can send port 25 traffic other than your exchange server at your firewall. Also, ensure port 587 is blocked.

After all that is done, go find out where you are blacklisted (www.mxtoolbox.com can help there) and follow the procedures to remove yourself. Once removed from the blacklists, that should greatly increase your reputation scores.
0
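As an added illustration of the blacklist lookup Stacy points to (example code written for this page, not part of the answer or of mxtoolbox.com): it builds the reversed-octet DNSBL query name for a sending IP and classifies each zone's reply, telling a genuine 127.0.0.x listing apart from a dead or wildcarded zone, which is one way a filter's RBL check ends up "blocking legitimate mail servers". The zone names are assumed placeholders and the resolver is injectable so the logic can be exercised without network access.

```python
import socket
from typing import Callable, Dict, Optional, Tuple

# Constructed zone names for illustration only (assumption: replace with the
# DNSBLs your mail filter or mxtoolbox.com actually consults).
DNSBL_ZONES = ("dnsbl.example.invalid", "rbl.example.invalid")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name a DNSBL expects, e.g. 10.2.0.192.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name: str) -> Optional[str]:
    """Default resolver: first A record, or None on NXDOMAIN / lookup failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_listing(
    ip: str,
    zones=DNSBL_ZONES,
    resolve: Callable[[str], Optional[str]] = resolve_a,
) -> Dict[str, Tuple[str, Optional[str]]]:
    """Return {zone: (status, answer)} for one sending IP.

    status is 'listed' (answer in 127.0.0.0/8, the convention DNSBLs use),
    'clear' (no record), or 'invalid' (any other address: a dead or
    wildcarded zone that will flag every server it is asked about and
    should be dropped from the filter's RBL configuration).
    """
    results = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            results[zone] = ("clear", None)
        elif answer.startswith("127."):
            results[zone] = ("listed", answer)
        else:
            results[zone] = ("invalid", answer)
    return results
```

Run `check_listing("<your filter server's public IP>")` from a host with outbound DNS; the return codes themselves (which 127.0.0.x means what) differ per list and are documented by each DNSBL operator.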
 
GFCU (Author) commented:
I tried to telnet and in this step:

You should get a response back similar to the following:

220 mail.server.domain Microsoft ESMTP MAIL Service, Version: 6.0.2790.0 Ready at

I didn't get anything back.  It said that the connection was lost.  Also I looked up my mail server on mxtoolbox.com and it said:

Relay Check: OK - This server is not an open relay.

That's right, right?

********************
Also,
The filter check box is not checked, but I don't necessarily want to check it if it opens you up to directory harvest attacks.  Even if you can do that "tar pitting" thing.  What are your thoughts?


********************
Also,
I did that "Check whether you are under an NDR Attack" thing and that came back good - all those other things on the third link that you gave, should I check?

0
 
GFCU (Author) commented:
I can see that I am still listed in the blacklists.

Also, on a side note:
My setup is an internal Exchange server, and then off an optional port on my firewall I have a mail filter server that all mail gets routed through.  The mail filter server is the server that is blacklisted.  I ran virus checks, took care of all threats, updated the OS, and updated the mail filter app.  Within the mail filter app there is a place where you can check connecting IP addresses against specified realtime blackhole lists.  Might this be the cause of my problem?  It says that: "This feature can block legitimate mail servers."  And this is checking against three different blacklist sites.

I found where you can put in exclusion servers.  Is this the right track to follow?

0
 
GFCU (Author) commented:
**Is it possible to get put on those blacklists if people that you just send normal email to report you as spam??**
0
 
Stacy Spear commented:
No, your server is sending spam, not receiving it. Where did you try to connect from? Try it from an external location; mxtoolbox.com will also show the connection.

Once you lock down your server, then you need to request from each blacklist site to get removed. Some have online forms to do so, but some you may have to call. If you haven't locked it down properly however, you will be back.
0
 
GFCU (Author) commented:
I tried connecting from an outside connection but it was on dial-up and I am wondering if the connection was so slow that it just dropped off.  I am going to try this again as soon as I can - maybe find a higher speed connection.


I did that thing where you can see events in the event viewer and I got this:

This is an SMTP protocol log for virtual server ID 1, connection #2. The client at "<INTERNAL IP ADDRESS>" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for support@domain.com  ". The full command sent was "rcpt TO: <support@domain.com>".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.


Is this supporting evidence that the server is indeed relaying spam?  
0
 
Stacy Spear commented:
Was it trying to relay for your own domain or another?

A dial-up connection should be plenty fast to allow a hand-jammed SMTP test.
0
 
GFCU (Author) commented:
I think that this may be a server inside my organization trying to relay out.


I put where it was not my domain.

This is an SMTP protocol log for virtual server ID 1, connection #2. The client at "<MY DOMAIN INTERNAL IP ADDRESS>" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for support@NOT_MY_DOMAIN.com  ". The full command sent was "rcpt TO: <support@NOT_MY_DOMAIN.com>".  This will probably cause the connection to fail.



I'm working on that telnet test again - I'll let you know what I come up with as soon as the dial-up line here becomes available to me again.  Thanks for your help so far!
0
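The two "550 5.7.1 Unable to relay" event-log entries quoted in this thread can be triaged mechanically. The following is example code added for this page, not from the thread or from Exchange, with constructed sample events and an assumed local domain: it parses the event text and separates internal hosts that are mailing your own domain (they just need adding to the relay-restriction exception list) from hosts trying to push mail to outside domains through the server, which is the pattern that gets a filter server blacklisted.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional, Tuple

# Domains this Exchange organisation hosts (constructed for the example).
LOCAL_DOMAINS = {"mydomain.example"}

# Shape of the Exchange SMTP protocol-log event quoted in the thread.
EVENT_RE = re.compile(
    r'The client at "(?P<client>[^"]+)" sent a "rcpt" command, and the SMTP '
    r'server responded with "550 5\.7\.1 Unable to relay for (?P<rcpt>[^\s"]+)\s*"'
)

# Constructed sample events (private client IPs, documentation-style domains).
SAMPLE_EVENTS = [
    'This is an SMTP protocol log for virtual server ID 1, connection #2. The client at '
    '"10.0.0.5" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 '
    'Unable to relay for support@mydomain.example  ". This will probably cause the connection to fail.',
    'This is an SMTP protocol log for virtual server ID 1, connection #3. The client at '
    '"10.0.0.7" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 '
    'Unable to relay for victim@other.example  ". This will probably cause the connection to fail.',
    'This is an SMTP protocol log for virtual server ID 1, connection #4. The client at '
    '"10.0.0.7" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 '
    'Unable to relay for sales@third.example  ". This will probably cause the connection to fail.',
    "Unrelated event text that the parser must ignore.",
]

def parse_relay_event(text: str) -> Optional[Tuple[str, str, str]]:
    """Return (client_ip, recipient, recipient_domain), or None if not a relay refusal."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    rcpt = m.group("rcpt")
    return m.group("client"), rcpt, rcpt.rpartition("@")[2].lower()

def triage(events: Iterable[str], local_domains=LOCAL_DOMAINS) -> Dict[str, Dict[str, Counter]]:
    """Per client IP, count refused recipients by domain, split into 'local'
    (mailing our own domain: the host just needs adding to the relay-restriction
    exception list) and 'external' (outbound relay toward domains we do not own:
    inspect that host for malware or a misconfigured application)."""
    report: Dict[str, Dict[str, Counter]] = defaultdict(
        lambda: {"local": Counter(), "external": Counter()})
    for text in events:
        parsed = parse_relay_event(text)
        if parsed is None:
            continue
        client, _rcpt, domain = parsed
        report[client]["local" if domain in local_domains else "external"][domain] += 1
    return dict(report)
```

Any client IP whose "external" counter is non-empty is the one to pull off the network and scan first; feed it the exported Application log instead of SAMPLE_EVENTS.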
 
GFCU (Author) commented:
The telnet connection keeps dropping.  I found a website that checks if you are relaying or not and the results looked ok.

I checked all of the things in the articles that you told me about (everything checked out good), updated that server with OS updates, filter app updates, anti-virus updates, and also installed other anti-spyware apps and updated them.  I ran scans using the anti-virus software and the anti-spyware software and I deleted/quarantined whatever needed to be.  A couple of days ago I saw that we were not listed on the blacklist any more.  I did not contact them in any way asking them to take us off; they just did it automatically.

I think that we are alright for now.    
0
 
Stacy Spear commented:
You need to add that internal server to the allowed relay list under the SMTP virtual server properties.
0
 
Stacy Spear commented:
Great on the blacklisting. Some of them are pretty asinine on removing servers, but as you've seen most are not.
0
 
GFCU (Author) commented:
I think that that IP for that server is already listed within that list.  You mean that relay restriction exception list, right?

Well I really appreciate your help.  Thank you very much.

I'm going to keep a close eye on this issue and the blacklist and see what happens within the next week or so, and if I have any issues or get any calls on email issues regarding this, I'm sure you'll most likely be hearing from me again.  Thanks again darkstar3d!
0
