
Solved

How to check why my domain was blacklisted by CBL

Posted on 2009-02-10
Medium Priority
803 Views
Last Modified: 2012-05-06
Hi,

Recently we have had a situation where the staff could not send emails to external users.

I checked the error messages and found out that we were blacklisted.

I removed it and all was good, but the same thing happened and again it was blocked by CBL.

I tried to get in contact with CBL but they do not have any of their contacts listed.

Would any of you out there have any information on how to get in contact with CBL?

Things I have checked:
ScanMail and IMSS are working fine and have not reported any spam.
All emails going out are sent to my IMSS server, which relays them to external sites.
I have checked and done a scan for viruses and malware on my network and everything came back clean.

The changes to my network are:
1. I have put in a web server, but it is in its own DMZ.
2. I have installed Exchange 2007 CAS and MB servers.
3. I have enabled Outlook Anywhere on my CAS server.

I am trying to get this sorted out so that my domain does not get blacklisted again.

thanks
Question by: aij170278

8 Comments
Expert Comment by: AdamsConsulting (LVL 4), ID: 23608765
If your office is set up to use network address translation and you're all sharing the same public IP address, the e-mail that is getting your IP address blacklisted may not be going out of your e-mail server at all. I recommend this blog article:

http://www.spamstopshere.com/blog/2008/04/09/locking-down-your-outgoing-e-mail/
Expert Comment by: Dave Howe (LVL 33), ID: 23610116
CBL is a composite list - the block response should tell you which source list provided the block, though. Try telnetting from your mail server to an affected mail server, manually entering "helo" (enter), then "MAIL FROM: <your email address>" (enter), and if that works, then "RCPT TO: <their email address>" (enter) - without the quotes.

You should get a 4xx or 5xx response at some point saying which block list is denying you access.
Expert Comment by: Dave Howe (LVL 33), ID: 23610141
oh - or there is a cgi tool here:

http://cbl.abuseat.org/lookup.cgi

I sometimes forget those :)
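The manual HELO / MAIL FROM / RCPT TO walk that Dave Howe describes, as an added example in Python (not code from the thread). probe_socket() does what you would type into telnet and reports the first stage that answers 4xx or 5xx together with the DNSBL named in the reply text; mock_mta() is a constructed receiving server whose refusal message is modelled on a typical DNSBL rejection rather than captured from a real host, so demo() runs offline over a socketpair. Against a real destination use probe_smtp(host, 25, ...) from the mail server's own address, since the listing is on the IP you connect from. The host names and addresses are assumptions for the example; the cbl.abuseat.org lookup URL is the one given in the thread.

```python
"""Manual SMTP probe: find the stage and the DNSBL behind a rejection.

Added example, not code from the original thread.  mock_mta() is a constructed
receiving server; its refusal text is modelled on a typical DNSBL rejection.
"""
import re
import socket
import threading

BLOCKED_IP = "203.0.113.10"      # constructed: RFC 5737 documentation address
BLOCKLIST_RE = re.compile(
    r"([a-z0-9.-]+\.(?:abuseat\.org|spamhaus\.org|spamcop\.net|sorbs\.net))", re.I)


def _send(conn, line):
    conn.sendall((line + "\r\n").encode("ascii"))


def _read_reply(rd):
    """Collect one SMTP reply (including 250- continuation lines); return (code, text)."""
    lines = []
    while True:
        line = rd.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[0][:3]), "\n".join(lines)


def extract_blocklist(text):
    """Return the DNSBL host named in a rejection message, or None."""
    m = BLOCKLIST_RE.search(text)
    return m.group(1).lower() if m else None


def probe_socket(conn, helo_name, mail_from, rcpt_to):
    """HELO / MAIL FROM / RCPT TO on a connected socket; report the first 4xx/5xx."""
    steps = [("HELO", "HELO %s" % helo_name),
             ("MAIL FROM", "MAIL FROM:<%s>" % mail_from),
             ("RCPT TO", "RCPT TO:<%s>" % rcpt_to)]
    result = {"stage": None, "code": None, "text": None, "blocklist": None}
    rd = conn.makefile("r", encoding="ascii", newline="\r\n")
    stage = "connect"
    code, text = _read_reply(rd)          # a listing can already show in the banner (554)
    if code < 400:
        for stage, cmd in steps:
            _send(conn, cmd)
            code, text = _read_reply(rd)
            if code >= 400:
                break
    if code >= 400:
        result.update(stage=stage, code=code, text=text, blocklist=extract_blocklist(text))
    _send(conn, "QUIT")
    try:
        _read_reply(rd)
    except (ConnectionError, OSError):
        pass
    return result


def probe_smtp(host, port, helo_name, mail_from, rcpt_to, timeout=10.0):
    """Connect to a real destination MX and run the probe (run this from the mail server)."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        return probe_socket(conn, helo_name, mail_from, rcpt_to)


def mock_mta(conn):
    """Constructed receiving MTA: accepts HELO and MAIL FROM, refuses at RCPT TO citing a DNSBL."""
    with conn, conn.makefile("r", encoding="ascii", newline="\r\n") as rd:
        _send(conn, "220 mx.example.net ESMTP")
        while True:
            raw = rd.readline()
            if not raw:
                break
            verb = raw.strip().split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                _send(conn, "250 mx.example.net Hello")
            elif verb == "MAIL":
                _send(conn, "250 2.1.0 Ok")
            elif verb == "RCPT":
                _send(conn, "550 5.7.1 Service unavailable; client host [%s] blocked using "
                            "cbl.abuseat.org; see http://cbl.abuseat.org/lookup.cgi?ip=%s"
                      % (BLOCKED_IP, BLOCKED_IP))
            elif verb == "QUIT":
                _send(conn, "221 2.0.0 Bye")
                break
            else:
                _send(conn, "500 5.5.1 Command unrecognized")


def demo():
    """Run the probe against the mock over a socketpair (no listening port needed)."""
    client, server = socket.socketpair()
    t = threading.Thread(target=mock_mta, args=(server,), daemon=True)
    t.start()
    with client:
        result = probe_socket(client, "smtp.example.com", "postmaster@example.com", "abuse@example.net")
    t.join(timeout=5)
    return result


if __name__ == "__main__":
    r = demo()
    print("refused at %s: %s (list: %s)" % (r["stage"], r["code"], r["blocklist"]))
```

The stage matters: a refusal in the 220 banner or at HELO is about your connecting IP or its reverse DNS, while a refusal only at RCPT TO is usually a DNSBL or policy check that the receiving side runs once it knows who the mail is for. Either way the text after the code is what to search for the list name, which is what the extract_blocklist() regex does.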
Author Comment by: aij170278, ID: 23615073
Hi,

I managed to get in contact with the CBL team via email. Below is the response from them:

The IP 203.96.72.226 was detected most recently at:

2009:02:11 ~08:00 UTC+/- 15 minutes (approximately 6 hours ago)

sending email in such a way as to strongly indicate that the IP itself was operating an open http or socks proxy, or a trojan spam package.

You will need to examine the machine for a spam trojan or open proxy. Up-to-date anti-virus tools are essential.

If the IP is a NAT firewall, we strongly recommend configuring the firewall to prevent machines on your network connecting to the Internet on port 25, except for machines that are supposed to be mail servers.

Useful links:

http://www.ftc.gov/secureyourserver/
http://spamlinks.net (see "Securing your System" and "proxies")
http://www.fr2.cyberabuse.org/?page=abuse-proxy

For more information on securing NAT firewalls/gateways, please see http://cbl.abuseat.org/nat.html


Note: 203.96.72.226 appeared to be suspicious because it was using the following name to identify itself during email (port 25) connections via the SMTP HELO/EHLO commands:

203-96-72-226.cid.global-gateway.net.nz

This MAY have been spamware, or it would be a misconfiguration in your mail server. The CBL attempts to distinguish real mail server software from malware SMTP clients by expecting users to name their mail server[s] to indicate who _they_ are, not some random home PC in a generic end-user pool that's probably infected.

By causing your mail server to claim to be, for example,

mail.

Chances are you won't be relisted.

If you're running Qmail, please see: http://cbl.abuseat.org/qmailhelp.html

This entry has already been delisted from the CBL. Unless otherwise stated, the CBL will relist this IP if the underlying issues are not resolved, and the CBL detects the same thing again.


The part where CBL says the following name, 203-96-72-226.cid.global-gateway.net.nz, was used to identify itself during email (port 25) connections via the SMTP HELO/EHLO commands should not be the case, because cid.global-gateway.net.nz is our Telecom router which connects us to the Internet. Our SMTP HELO/EHLO should be smtp.lecom.co.nz (172.29.103.42).

How do I go about checking my Exchange2007 Server to see what the SMTP HELO/EHLO settings are?
Thanks
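An added example (not from the thread or from the CBL) of the checks behind the CBL explanation above: the HELO/EHLO name should be a fully qualified name that identifies your server, not a provider-assigned one with the IP address embedded in it, and it should pass forward-confirmed reverse DNS (the PTR of the IP gives the name, and the name resolves back to the IP). The generic-name test is a simplified reading of what the CBL reply says, not the CBL's own logic. DNS answers come from a constructed in-memory table so the script runs offline; the names and the public IP are those quoted in the thread, the records are assumptions. On the Exchange side of the question: on Exchange 2007 the name sent in HELO/EHLO on outbound mail is the Fqdn property of the Send connector (Get-SendConnector | Format-List Name,Fqdn in the Exchange Management Shell; blank means the server's own FQDN, and Set-SendConnector -Fqdn changes it). Since the question says all outbound mail leaves through the IMSS relay, though, the name CBL saw came either from the IMSS server's own SMTP settings or from some other host behind the same NAT address, not from Exchange directly.

```python
"""Checks on the name a mail server presents in HELO/EHLO, plus forward-confirmed reverse DNS.

Added example, not from the thread or from the CBL.  The DNS data is a constructed
in-memory table; swap make_resolvers() for real lookups (e.g. dnspython) in practice.
"""
import ipaddress
import re

IP_LITERAL_RE = re.compile(r"\[?\d{1,3}(?:\.\d{1,3}){3}\]?")

# Constructed records.  Names and public IP are the ones quoted in the thread;
# the records themselves are assumptions for the example.
DNS_BEFORE = {   # as the thread describes it: the ISP had published no PTR at all
    "PTR": {},
    "A": {"203-96-72-226.cid.global-gateway.net.nz": "203.96.72.226",
          "smtp.lecom.co.nz": "203.96.72.226"},
}
DNS_AFTER = {    # after asking the ISP for a PTR that names the mail server itself
    "PTR": {"203.96.72.226": "smtp.lecom.co.nz"},
    "A": DNS_BEFORE["A"],
}


def make_resolvers(table):
    """Return (resolve_ptr, resolve_a) closures over an in-memory table; None means no record."""
    return (lambda ip: table["PTR"].get(ip),
            lambda name: table["A"].get(name.lower().rstrip(".")))


def embeds_ip(helo, ip):
    """True if the hostname carries the address in dashed, dotted, reversed or zero-padded form."""
    octets = str(ip).split(".")
    forms = ["-".join(octets), ".".join(octets), "-".join(reversed(octets)),
             ".".join(reversed(octets)), "".join(o.zfill(3) for o in octets)]
    return any(f in helo for f in forms)


def check_helo_identity(helo, ip, resolve_ptr, resolve_a):
    """Return a list of findings; an empty list means the name looks like a real, named mail server."""
    findings = []
    helo = helo.strip().rstrip(".").lower()
    if IP_LITERAL_RE.fullmatch(helo):
        findings.append("HELO is an IP literal, not a hostname")
    elif "." not in helo:
        findings.append("HELO is not a fully qualified domain name")
    if embeds_ip(helo, ip):
        findings.append("HELO embeds the IP address: looks like a provider-assigned generic name")
    ptr = resolve_ptr(str(ip))                      # reverse: does the IP name this host?
    if ptr is None:
        findings.append("no PTR record for %s" % ip)
    elif ptr.lower().rstrip(".") != helo:
        findings.append("PTR is %s, which does not match HELO" % ptr)
    fwd = resolve_a(helo)                           # forward: does the name come back to the IP?
    if fwd is None:
        findings.append("HELO name does not resolve")
    elif ipaddress.ip_address(fwd) != ipaddress.ip_address(ip):
        findings.append("HELO name resolves to %s, not to %s" % (fwd, ip))
    return findings


if __name__ == "__main__":
    for label, table in (("before PTR fix", DNS_BEFORE), ("after PTR fix", DNS_AFTER)):
        ptr, a = make_resolvers(table)
        for name in ("203-96-72-226.cid.global-gateway.net.nz", "smtp.lecom.co.nz", "172.29.103.42"):
            print(label, name, "->", check_helo_identity(name, "203.96.72.226", ptr, a) or "OK")
```

Note that the private address the question mentions next to smtp.lecom.co.nz is flagged if it is ever presented as the HELO name: what the outside world needs is a public name that resolves to the public NAT address and whose PTR points back at it.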
Expert Comment by: AdamsConsulting (LVL 4), ID: 23617229
Looks like they gave you the same advice as me.
Author Comment by: aij170278, ID: 23626206
Hi,

I have checked my Exchange servers, web servers and firewall rules.

One thing I came to know is that the ISP who hosts our public IP address did not have any PTR record pointing the IP to us.

One thing I have come across in the logs on my firewall is:
There is SMTP communication coming from IP addresses (which are already blocked on Spamhaus) and the destination is 172.0.0.4.

Can anyone advise on this? I have attached the file.

Exchange-Expert.doc
Expert Comment by: AdamsConsulting (LVL 4), ID: 23628203
Sorry, I don't have Word. The images don't show in WordPad. If you read the article I referred you to, it indicates that you will want to set up firewall rules on your network firewall to only allow outgoing e-mail connections from your e-mail server and log everything else. You should be able to tell which IP address on your local network is trying to violate this rule, as the traffic will be logged. You also need to be wary of wireless routers on your network.
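An added example (not from the thread) of the two halves of that advice: detection logic that runs over firewall connection logs to find which internal host is making outbound tcp/25 connections without being the mail relay, and the corrected egress policy rendered as iptables rules so that every further attempt is logged with its source address and then dropped. The log lines and their key=value format, the internal prefix 172.29.0.0/16 and the choice of an iptables-based gateway are constructed assumptions for the example; the relay address 172.29.103.42 is the one named in the thread. Adapt LOG_RE to your firewall's actual export.

```python
"""Spot internal hosts sending SMTP to the Internet that are not the mail relay,
and render the egress rule that stops them.

Added example, not from the thread.  Log lines, log format, internal prefix and the
iptables gateway are constructed assumptions; 172.29.103.42 is the relay named in the thread.
"""
import ipaddress
import re
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network("172.29.0.0/16")]   # assumed site prefix
AUTHORISED_MAIL_HOSTS = {"172.29.103.42"}                 # the IMSS relay; nothing else may send

# Constructed sample log.  External addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Feb 11 07:52:10 fw conn src=172.29.103.42 dst=198.51.100.25 proto=tcp dport=25 action=allow
Feb 11 07:52:11 fw conn src=172.29.103.77 dst=198.51.100.26 proto=tcp dport=25 action=allow
Feb 11 07:52:12 fw conn src=172.29.103.77 dst=192.0.2.17 proto=tcp dport=25 action=allow
Feb 11 07:52:13 fw conn src=172.29.103.77 dst=203.0.113.9 proto=tcp dport=25 action=allow
Feb 11 07:52:14 fw conn src=172.29.103.80 dst=172.29.103.42 proto=tcp dport=25 action=allow
Feb 11 07:52:15 fw conn src=172.29.104.9 dst=198.51.100.40 proto=tcp dport=25 action=allow
Feb 11 07:52:16 fw conn src=172.29.103.80 dst=198.51.100.50 proto=tcp dport=443 action=allow
Feb 11 07:52:17 fw conn src=198.51.100.60 dst=172.29.103.42 proto=tcp dport=25 action=allow
Feb 11 07:52:18 fw conn src=172.29.103.77 dst=198.51.100.26 proto=udp dport=25 action=allow
"""

LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)")


def find_rogue_smtp_senders(log_text, authorised, internal_nets):
    """Count outbound tcp/25 connections per internal source that is not an authorised mail host."""
    rogue = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("proto").lower() != "tcp" or int(m.group("dport")) != 25:
            continue
        src = ipaddress.ip_address(m.group("src"))
        dst = ipaddress.ip_address(m.group("dst"))
        if not any(src in n for n in internal_nets):
            continue        # inbound mail from the Internet: a separate question
        if any(dst in n for n in internal_nets):
            continue        # clients submitting to the internal Exchange/IMSS: expected
        if str(src) in authorised:
            continue        # the relay itself
        rogue[str(src)] += 1
    return rogue


def egress_rules(authorised, internal_net, chain="FORWARD"):
    """Render the corrected policy as iptables rules for a Linux gateway (an assumption):
    tcp/25 from the relay is accepted; any other internal host's tcp/25 to the outside is
    logged, so the offender shows up by source address, and then dropped."""
    rules = ["-A %s -s %s -p tcp --dport 25 -j ACCEPT" % (chain, ip) for ip in sorted(authorised)]
    tail = "-A %s -s %s ! -d %s -p tcp --dport 25" % (chain, internal_net, internal_net)
    rules.append(tail + ' -j LOG --log-prefix "SMTP-EGRESS-DENY "')
    rules.append(tail + " -j DROP")
    return rules


if __name__ == "__main__":
    for ip, n in find_rogue_smtp_senders(SAMPLE_LOG, AUTHORISED_MAIL_HOSTS, INTERNAL_NETS).most_common():
        print("%s made %d outbound SMTP connections but is not a mail server" % (ip, n))
    print("\n".join(egress_rules(AUTHORISED_MAIL_HOSTS, INTERNAL_NETS[0])))
```

The rule set deliberately matches only traffic whose source is inside the site prefix and whose destination is outside it, so inbound mail to the relay and workstations submitting to the internal servers are untouched; once it is in place, the LOG line with the SMTP-EGRESS-DENY prefix is the quickest way to find the infected or misconfigured host.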
Accepted Solution by: Dave Howe (LVL 33), earned 1500 total points, ID: 23630991
To be honest, provided your ISP provides a smarthost, I would just use that as the outbound sending target and let them worry about the rest.