WestonGroup
asked on
Domain Name listed in RBL
Exchange 2003
Email is working however some emails are not being delievered to some domains and are being stuck in the queue
I did a check of our domain name on DNSstuff.com and it says 6 Blacklists Domain is listed on RBL
which is causing emails not to be delievered. How do I fix this and prevent it?
We have antivirus/spam running on all computers and email servers so not sure what to do to get our emails flowing again
Email is working however some emails are not being delievered to some domains and are being stuck in the queue
I did a check of our domain name on DNSstuff.com and it says 6 Blacklists Domain is listed on RBL
which is causing emails not to be delievered. How do I fix this and prevent it?
We have antivirus/spam running on all computers and email servers so not sure what to do to get our emails flowing again
Emm...
There are various reasons you might be on a blacklist, the main one being that your SMTP server is acting as an open relay. Connections may also be rejected by certain mail hosts if you do not have a reverse (PTR) address for your mail host.
For relay info, check out http://support.microsoft.com/kb/895853
For DNS ptr guidance check out http://support.microsoft.com/kb/300171
hth.
There are various reasons you might be on a blacklist, the main one being that your SMTP server is acting as an open relay. Connections may also be rejected by certain mail hosts if you do not have a reverse (PTR) address for your mail host.
For relay info, check out http://support.microsoft.com/kb/895853
For DNS ptr guidance check out http://support.microsoft.com/kb/300171
hth.
ASKER
Neither were the case
I checked our domain and it said CBL listed us
ATTENTION: At the time of detection, this IP was infected with, or NATting for a computer infected with a high volume spam sending trojan - it is participating or facilitating a botnet sending spam or spreading virus/spam trojans.
ATTENTION: if you simply repeatedly remove this IP address from the CBL without correcting the problem, the CBL WILL stop letting you delist it.
This is identified as the Cutwail spambot
I ran a removal tool which found a trojan which I removed and requested delisting 2 days ago but it's still being listed...
I can't see to find how to fix this
I checked our domain and it said CBL listed us
ATTENTION: At the time of detection, this IP was infected with, or NATting for a computer infected with a high volume spam sending trojan - it is participating or facilitating a botnet sending spam or spreading virus/spam trojans.
ATTENTION: if you simply repeatedly remove this IP address from the CBL without correcting the problem, the CBL WILL stop letting you delist it.
This is identified as the Cutwail spambot
I ran a removal tool which found a trojan which I removed and requested delisting 2 days ago but it's still being listed...
I can't see to find how to fix this
"or NATting for a computer infected"
- Ensure no system bar your mail gateways can make outbound smtp connections.
- Check your mail logs to see whether you might still be sending trashy mails, what internal clients are connecting etc.
- Make sure every host on your network has up to date AV and has run and the removal tool for this trojan.
"I can't see to find how to fix this"
Don't despair...
- Ensure no system bar your mail gateways can make outbound smtp connections.
- Check your mail logs to see whether you might still be sending trashy mails, what internal clients are connecting etc.
- Make sure every host on your network has up to date AV and has run and the removal tool for this trojan.
"I can't see to find how to fix this"
Don't despair...
Enable SMTP Logging and See how is using your SMTP Server to send Emails
or configure the Firewall to log all the SMTP Traffic
or configure the Firewall to log all the SMTP Traffic
Hi,
I had exactly the same issue, it a NDR spam, solved it by disabling the NDR reports on Exchange. Don't forget to double-check Your server for any trojans/malware. If You don't find any, block on Your firewall the outbound connection on port 25 for Your whole network, except the mailserver itself (this is best practise, regardless this issue). Then go to the Exchange Management console and select the Organization configuration-Hub transport. Select the Remote domains tab and doubleclick the default item (if You have any other in the list, repeat the next step for all required items). On the properties dialog box, select the Message format tab, and clear the checkbox at Allow non-delivery reports, then click okay. Also, if You use the exchange anti-spam features, disable the Reject messages option on the Anti-spam-Content filter-Actions tab.
Afterwards, go to CBL and delist Your server IP address.
It more a workaround than solution, since You should PREVENT the spam messages delivery to non-existent addresses in Your organization, but this is quite impossible without some CISCO, Sonicwall or similar hardware DPI device (or dedicated server for the email black-hole).
It about the following scenario:
Spammer sends out email to Your domain to non-existing user. Exchange recieves the email, since its anti-spam features doesn't interpret the message as spam. Once it gets through the spam-filter check, the server tries to deliver message to user mailbox. Since no such user (and no such email alias) exists in Your organization, Exchange generates the NDR report and send it out back to the address stated in the original spam message at the Sender header. Thus, Your Exchange sends out NDR report for every spam that passes through the anti-spam filter, even when its addressed to non-existent email. Therefore, it basically generates more spam, since it replies to spam email with another email. The CBL then correctly interprets this as a spam-bot and includes Your mailserver's IP address in the blacklist.
Hope this helps You.
Martin
I had exactly the same issue, it a NDR spam, solved it by disabling the NDR reports on Exchange. Don't forget to double-check Your server for any trojans/malware. If You don't find any, block on Your firewall the outbound connection on port 25 for Your whole network, except the mailserver itself (this is best practise, regardless this issue). Then go to the Exchange Management console and select the Organization configuration-Hub transport. Select the Remote domains tab and doubleclick the default item (if You have any other in the list, repeat the next step for all required items). On the properties dialog box, select the Message format tab, and clear the checkbox at Allow non-delivery reports, then click okay. Also, if You use the exchange anti-spam features, disable the Reject messages option on the Anti-spam-Content filter-Actions tab.
Afterwards, go to CBL and delist Your server IP address.
It more a workaround than solution, since You should PREVENT the spam messages delivery to non-existent addresses in Your organization, but this is quite impossible without some CISCO, Sonicwall or similar hardware DPI device (or dedicated server for the email black-hole).
It about the following scenario:
Spammer sends out email to Your domain to non-existing user. Exchange recieves the email, since its anti-spam features doesn't interpret the message as spam. Once it gets through the spam-filter check, the server tries to deliver message to user mailbox. Since no such user (and no such email alias) exists in Your organization, Exchange generates the NDR report and send it out back to the address stated in the original spam message at the Sender header. Thus, Your Exchange sends out NDR report for every spam that passes through the anti-spam filter, even when its addressed to non-existent email. Therefore, it basically generates more spam, since it replies to spam email with another email. The CBL then correctly interprets this as a spam-bot and includes Your mailserver's IP address in the blacklist.
Hope this helps You.
Martin
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Listen
You have to check your ANTISPAM update and make sure that its protecting your local net from sending SPAM Emails
Make sure that sending Email list with several dead Email account will be consider as a SPAM and your IP will be blacked again
Enter MXTOOLBOX.com
check your IP and Request Removal for your Black List it may take about 24 hour