How do I fix the MTA poor reputation?

When certain users in my network send outgoing emails I get this message back:

Tue, 10 Jun 2008 15:48:37 -0400
Failed to send to identified host,
*******@cdw.com: [12.32.91.180], 554-mail3.cdw.com
554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.
--- Message non-deliverable.


Any ideas?



Asked by GFCU
Stacy Spear (President/Principal Consultant) commented:
You have been identified as sending spam. First thing is secure your server:

http://www.amset.info/exchange/smtp-openrelay.asp
http://www.amset.info/exchange/filter-unknown.asp
http://www.amset.info/exchange/spam-cleanup.asp

The next thing is to ensure that nothing on your network can send port 25 traffic other than your exchange server at your firewall. Also, ensure port 587 is blocked.

After all that is done, go find out where you are blacklisted; www.mxtoolbox.com can help there. Then follow the procedures to remove yourself. Once removed from the blacklists, that should greatly increase your reputation scores.
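The two checks in the answer above, as an added example that is not code from the original thread or its answerer: a DNSBL lookup for the sending address (the blacklist check mxtoolbox.com performs) and an open-relay probe that speaks the same SMTP dialogue as a manual telnet test. Both take an injected resolver or transport so the logic runs offline against constructed replies; the list zones, the probe addresses, the 192.0.2.25 sample address and the canned server replies are assumptions made for illustration.

```python
"""Added example (not from the thread): DNSBL lookup and open-relay probe."""
import ipaddress
import socket
from typing import Optional

# Assumed zones for illustration; consult the lists you actually care about.
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """A DNSBL is queried by reversing the IPv4 octets under the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dns_resolve(name: str) -> Optional[str]:
    """Default resolver: the A record, or None (NXDOMAIN means 'not listed')."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbls(ip, zones=DNSBL_ZONES, resolve=dns_resolve):
    """Return {zone: answer} for every zone that lists `ip`.  A listing is an
    answer inside 127.0.0.0/8; the last octet encodes the reason per list."""
    listed = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is not None and ipaddress.IPv4Address(answer) in LOOPBACK:
            listed[zone] = answer
    return listed


# The relay probe: an outside sender to an outside recipient.  A locked-down
# server must refuse the RCPT (550 5.7.1); a 250 means it relays for anyone.
PROBE_HELO = "EHLO probe.example.net"
PROBE_FROM = "MAIL FROM:<probe@external.example.com>"
PROBE_RCPT = "RCPT TO:<victim@other.example.org>"


def relay_probe(send_recv):
    """Drive the dialogue over `send_recv(line)`, which sends one command and
    returns the full reply (send_recv(None) only reads the 220 banner).
    Returns (is_open_relay, transcript)."""
    transcript = []
    banner = send_recv(None)
    transcript.append("S: " + banner)
    if not banner.startswith("220"):
        raise RuntimeError("no SMTP banner: " + banner)
    for cmd in (PROBE_HELO, PROBE_FROM):
        reply = send_recv(cmd)
        transcript += ["C: " + cmd, "S: " + reply]
        if not reply.startswith("250"):
            raise RuntimeError(f"unexpected reply to {cmd}: {reply}")
    verdict = send_recv(PROBE_RCPT)
    transcript += ["C: " + PROBE_RCPT, "S: " + verdict]
    transcript.append("S: " + send_recv("QUIT"))
    return verdict.startswith("250"), transcript


def tcp_send_recv(host, port=25, timeout=10.0):
    """Real transport for relay_probe: a raw TCP session that reads multi-line
    replies ('250-' continues, '250 ' ends) the way a manual telnet test does."""
    sock = socket.create_connection((host, port), timeout=timeout)
    reader = sock.makefile("rb")

    def send_recv(line):
        if line is not None:
            sock.sendall((line + "\r\n").encode("ascii"))
        lines = []
        while True:
            raw = reader.readline().decode("ascii", "replace").rstrip("\r\n")
            lines.append(raw)
            if len(raw) < 4 or raw[3] != "-":
                return "\n".join(lines)
    return send_recv


def scripted_server(replies):
    """Constructed stand-in for a server: each command maps to a canned reply."""
    return lambda line: replies[line]


# Constructed replies for a server that refuses relaying, and one that allows it.
LOCKED_DOWN = {None: "220 mail.example.net Microsoft ESMTP MAIL Service ready",
               PROBE_HELO: "250-mail.example.net Hello\n250 OK",
               PROBE_FROM: "250 2.1.0 probe@external.example.com....Sender OK",
               PROBE_RCPT: "550 5.7.1 Unable to relay for victim@other.example.org",
               "QUIT": "221 2.0.0 closing connection"}
OPEN_RELAY = {**LOCKED_DOWN, PROBE_RCPT: "250 2.1.5 victim@other.example.org"}

if __name__ == "__main__":
    for name, replies in (("locked down", LOCKED_DOWN), ("open relay", OPEN_RELAY)):
        is_open, transcript = relay_probe(scripted_server(replies))
        print(f"{name}: open relay = {is_open}")
    print(dnsbl_query_name("192.0.2.25", DNSBL_ZONES[0]))
```

Against a real server, `relay_probe(tcp_send_recv("mail.example.net"))` runs the same dialogue over port 25; run it from outside your own network, because a connection from an internal address is usually on the relay allow-list and proves nothing about what outsiders can do.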
 
GFCU (Author) commented:
I tried to telnet and in this step:

You should get a response back similar to the following:

220 mail.server.domain Microsoft ESMTP MAIL Service, Version: 6.0.2790.0 Ready at

I didn't get anything back. It said that the connection was lost. Also I looked up my mail server on mxtoolbox.com and it said:

Relay Check: OK - This server is not an open relay.

That's right, right?

********************
Also,
The filter check box is not checked, but I don't necessarily want to check it if it opens you up to directory harvest attacks.  Even if you can do that "tar pitting" thing.  What are your thoughts?


********************
Also,
I did that "Check whether you are under an NDR Attack" thing and that came back good - all those other things on the third link that you gave, should I check?

 
GFCU (Author) commented:
I can see that I am still listed in the blacklists.

Also, on a side note:
My setup is an internal Exchange server, and then off an optional port on my firewall I have a mail filter server that all mail gets routed through. The mail filter server is the server that is blacklisted. I ran virus checks, took care of all threats, updated the OS, and updated the mail filter app. Within the mail filter app there is a place where you can check connecting IP addresses against specified realtime blackhole lists. Might this be the cause of my problem? It says that: "This feature can block legitimate mail servers." And this is checking against three different blacklist sites.

I found where you can put in exclusion servers.  Is this the right track to follow?

GFCU (Author) commented:
**Is it possible to get put on those blacklists if people that you just send normal email to report you as spam??**
 
Stacy Spear (President/Principal Consultant) commented:
No, your server is sending spam, not receiving it. Where did you try to connect from? Try it from an external location; mxtoolbox.com will also show the connection.

Once you lock down your server, then you need to request from each blacklist site to get removed. Some have online forms to do so, but some you may have to call. If you haven't locked it down properly however, you will be back.
 
GFCU (Author) commented:
I tried connecting from an outside connection but it was on dial-up and I am wondering if the connection was so slow that it just dropped off.  I am going to try this again as soon as I can - maybe find a higher speed connection.


I did that thing where you can see events in the event viewer and I got this:

This is an SMTP protocol log for virtual server ID 1, connection #2. The client at "<INTERNAL IP ADDRESS>" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for support@domain.com  ". The full command sent was "rcpt TO: <support@domain.com>".  This will probably cause the connection to fail.

For more information, click http://www.microsoft.com/contentredirect.asp.


Is this supporting evidence that the server is indeed relaying spam?  
 
Stacy Spear (President/Principal Consultant) commented:
Was it trying to relay for your own domain or another?

A dial-up connection should be plenty fast to allow a hand-jammed SMTP test.
 
GFCU (Author) commented:
I think that this may be a server inside my organization trying to relay out.


I put where it was not my domain.

This is an SMTP protocol log for virtual server ID 1, connection #2. The client at "<MY DOMAIN INTERNAL IP ADDRESS>" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for support@NOT_MY_DOMAIN.com  ". The full command sent was "rcpt TO: <support@NOT_MY_DOMAIN.com>".  This will probably cause the connection to fail.



I'm working on that telnet test again - I'll let you know what I come up with as soon as the dial-up line here becomes available to me again.  Thanks for your help so far!
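The event quoted above is the Exchange SMTP protocol log recording a refused RCPT: "550 5.7.1 Unable to relay" is the server declining to relay, which is the opposite of evidence that it relayed. What matters is which internal clients keep getting that refusal for outside domains. The following is an added example, not code from the thread: it parses the event text in the format quoted above and summarises refused relay attempts per client IP. The event bodies, client addresses and the local-domain list are constructed for illustration.

```python
"""Added example (not from the thread): summarise Exchange SMTP protocol-log
events of the kind quoted in the thread, per internal client."""
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Regex modelled on the event text quoted in the thread.
EVENT_RE = re.compile(
    r'The client at "(?P<client>[^"]+)" sent a "(?P<verb>\w+)" command, '
    r'and the SMTP server responded with "(?P<code>\d{3}) (?P<ecode>\d\.\d\.\d)'
    r'(?P<text>[^"]*)"\. The full command sent was "(?P<command>[^"]*)"'
)
RCPT_RE = re.compile(r"rcpt\s+to:\s*<?([^>\s]+)>?", re.IGNORECASE)


class RelayEvent(NamedTuple):
    client: str
    code: str
    enhanced: str
    recipient: str
    domain: str


def parse_event(text: str) -> Optional[RelayEvent]:
    """Extract client IP, reply code and recipient from one event body.
    Returns None for events that are not about an RCPT command."""
    m = EVENT_RE.search(text)
    if not m or m.group("verb").lower() != "rcpt":
        return None
    r = RCPT_RE.search(m.group("command"))
    if not r or "@" not in r.group(1):
        return None
    recipient = r.group(1)
    return RelayEvent(client=m.group("client"), code=m.group("code"),
                      enhanced=m.group("ecode"), recipient=recipient,
                      domain=recipient.rsplit("@", 1)[1].lower())


def summarise(event_texts, local_domains):
    """Group refused (5xx) RCPTs by client IP, splitting targets into domains
    this server accepts mail for and everything else (a relay attempt)."""
    local = {d.lower() for d in local_domains}
    per_client = defaultdict(lambda: {"refused_external": 0,
                                      "refused_local": 0,
                                      "external_domains": set()})
    for text in event_texts:
        ev = parse_event(text)
        if ev is None or not ev.code.startswith("5"):
            continue
        bucket = per_client[ev.client]
        if ev.domain in local:
            bucket["refused_local"] += 1
        else:
            bucket["refused_external"] += 1
            bucket["external_domains"].add(ev.domain)
    return {ip: {**b, "external_domains": sorted(b["external_domains"])}
            for ip, b in per_client.items()}


def clients_needing_attention(summary):
    """Clients refused relaying to outside domains.  Each is either a legitimate
    internal sender that belongs on the SMTP virtual server's relay allow-list,
    or a compromised host trying to use this server as a relay; identify which."""
    return sorted(ip for ip, b in summary.items() if b["refused_external"])


# Constructed sample events in the quoted format (addresses are assumptions).
LOCAL_DOMAINS = ["mydomain.example.com"]
SAMPLE_EVENTS = [
    'This is an SMTP protocol log for virtual server ID 1, connection #2. '
    'The client at "10.0.0.23" sent a "rcpt" command, and the SMTP server '
    'responded with "550 5.7.1 Unable to relay for support@NOT-MY-DOMAIN.example.com  ". '
    'The full command sent was "rcpt TO: <support@NOT-MY-DOMAIN.example.com>".  '
    'This will probably cause the connection to fail.',
    'This is an SMTP protocol log for virtual server ID 1, connection #5. '
    'The client at "10.0.0.23" sent a "rcpt" command, and the SMTP server '
    'responded with "550 5.7.1 Unable to relay for sales@other.example.org  ". '
    'The full command sent was "rcpt TO: <sales@other.example.org>".',
    'This is an SMTP protocol log for virtual server ID 1, connection #9. '
    'The client at "10.0.0.40" sent a "rcpt" command, and the SMTP server '
    'responded with "550 5.1.1 User unknown". '
    'The full command sent was "rcpt TO: <helpdesk@mydomain.example.com>".',
    'This is an SMTP protocol log for virtual server ID 1, connection #11. '
    'The client at "10.0.0.51" sent a "mail" command, and the SMTP server '
    'responded with "501 5.5.4 Syntax error". '
    'The full command sent was "mail FROM".',
]

if __name__ == "__main__":
    result = summarise(SAMPLE_EVENTS, LOCAL_DOMAINS)
    for ip, bucket in result.items():
        print(ip, bucket)
    print("needs attention:", clients_needing_attention(result))
```

Feed it the bodies of the real 7004 events exported from the Application log; a client that shows up with refused external targets and is not a mail server you know about is the host to investigate for malware before anything is added to the relay exception list.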
 
GFCU (Author) commented:
The telnet connection keeps dropping.  I found a website that checks if you are relaying or not and the results looked ok.

I checked all of the things in the articles that you told me about (everything checked out good), updated that server with os updates, filter app updates, anti-virus updates, and also installed other anti-spyware apps and updated them.  I ran scans using the anti-virus software and the anti-spyware software and I deleted/quarantined whatever needed to be.  A couple of days ago I saw that we were not listed on the black list any more.  I did not contact them in anyway asking them to take us off, they just did it automatically.

I think that we are alright for now.    
 
Stacy Spear (President/Principal Consultant) commented:
You need to add that internal server to the allowed relay list under the SMTP virtual server properties.
 
Stacy Spear (President/Principal Consultant) commented:
Great on the blacklisting. Some of them are pretty asinine on removing servers, but as you've seen most are not.
 
GFCU (Author) commented:
I think that that IP for that server is already listed within that list.  You mean that relay restriction exception list, right?

Well I really appreciate your help.  Thank you very much.

I'm going to keep a close eye on this issue and the blacklist and see what happens within the next week or so, and if I have any issues or get any calls on email issues regarding this, I'm sure you'll most likely be hearing from me again. Thanks again darkstar3d!