
How to check why my domain was blacklisted by CBL

aij170278 asked
Medium Priority
898 Views
Last Modified: 2012-05-06
Hi,

Recently we have had a situation where the staff could not send emails to external users.

I checked the error messages and found out that we were blacklisted.

I removed it and all was good, but the same thing happened and again it was blocked by CBL.

I tried to get in contact with CBL but they do not have any of their contacts listed.

Would any of you out there have any information on how to get in contact with CBL?

Things I have checked:
ScanMail and IMSS are working fine and have not reported any spam.
All emails going out are sent to my IMSS server, which relays them to external sites.
I have checked and done a scan for viruses and malware on my network and everything came back clean.

The changes to my network are:
1. I have put in a web server, but it is in its own DMZ.
2. I have installed Exchange 2007 CAS and MB servers.
3. I have enabled Outlook Anywhere on my CAS server.

I am trying to get this sorted out so that my domain does not get blacklisted again.

Thanks

If your office is set up to use network address translation, and you're all sharing the same public IP address, the e-mail that is getting your IP address blacklisted may not be going out of your e-mail server at all. I recommend this blog article:

http://www.spamstopshere.com/blog/2008/04/09/locking-down-your-outgoing-e-mail/
Dave Howe, Software and Hardware Engineer

Commented:
CBL is a composite list - the block response should tell you which source list provided the block though. Try telnetting from your mail server to an affected mail server, manually entering "helo" (enter), then "MAIL FROM: <your email address>" (enter), and if that works, then "RCPT TO: <their email address>" (enter) - without the quotes.

You should get a 4xx or 5xx response at some point saying which block list is denying you access.
Dave Howe, Software and Hardware Engineer

Commented:
Oh - or there is a CGI tool here:

http://cbl.abuseat.org/lookup.cgi

I sometimes forget those :)
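What the lookup page does can also be scripted, so the check can run from a monitoring job before users notice bounces. The following is an added example, not the thread's or the CBL's own code: a DNSBL query is a DNS A lookup of the IP's octets reversed under the list's zone (the CBL zone name is the one in the URL above; the fake answers below are constructed so the code runs offline, and the documentation-range IPs are made up).

```python
import ipaddress
import socket

CBL_ZONE = "cbl.abuseat.org"


def dnsbl_query_name(ip, zone=CBL_ZONE):
    """Build the DNSBL query name: octets reversed, then the list zone.

    203.96.72.226 checked against the CBL becomes
    226.72.96.203.cbl.abuseat.org."""
    addr = ipaddress.IPv4Address(ip)            # rejects malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def _live_resolve(name):
    """Default resolver: A lookup via the system resolver, None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_status(ip, zone=CBL_ZONE, resolve=_live_resolve):
    """Return 'listed', 'clean' or 'error'.

    DNSBLs answer with an address in 127.0.0.0/8 when the IP is listed and
    NXDOMAIN when it is not.  Anything else means the resolver is lying
    (for example an ISP resolver that wildcards failed lookups), so it is
    reported as an error rather than passed off as a clean result."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return "clean"
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return "listed"
    return "error"


# Constructed answers standing in for real DNS so the check runs offline:
# the thread's IP is listed, 203.0.113.5 is not, and the query for 192.0.2.9
# hits a wildcarding resolver that returns a public address.
FAKE_DNS = {
    "226.72.96.203.cbl.abuseat.org": "127.0.0.2",
    "9.2.0.192.cbl.abuseat.org": "198.51.100.1",   # bogus wildcard answer
}


def fake_resolve(name):
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for ip in ("203.96.72.226", "203.0.113.5", "192.0.2.9"):
        print(ip, dnsbl_status(ip, resolve=fake_resolve))
```

Run it with the default resolver against your own public IP (the address the Internet sees after NAT, not the internal one) and treat "error" as a reason to query through a different DNS server rather than as good news.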

Author

Commented:
Hi ,

I managed to get in contact with the CBL team via email. Below is the response from them:

The IP 203.96.72.226 was detected most recently at:

2009:02:11 ~08:00 UTC+/- 15 minutes (approximately 6 hours ago)

sending email in such a way as to strongly indicate that the IP itself was operating an open http or socks proxy, or a trojan spam package.

You will need to examine the machine for a spam trojan or open proxy. Up-to-date anti-virus tools are essential.

If the IP is a NAT firewall, we strongly recommend configuring the firewall to prevent machines on your network connecting to the Internet on port 25, except for machines that are supposed to be mail servers.

Useful links:

http://www.ftc.gov/secureyourserver/
http://spamlinks.net (see "Securing your System" and "proxies")
http://www.fr2.cyberabuse.org/?page=abuse-proxy

For more information on securing NAT firewalls/gateways, please see http://cbl.abuseat.org/nat.html


Note: 203.96.72.226 appeared to be suspicious because it was using the following name to identify itself during email (port 25) connections via the SMTP HELO/EHLO commands:

203-96-72-226.cid.global-gateway.net.nz

This MAY have been spamware, or it would be a misconfiguration in your mail server. The CBL attempts to distinguish real mail server software from malware SMTP clients by expecting users to name their mail server[s] to indicate who _they_ are, not some random home PC in a generic end-user pool that's probably infected.

By causing your mail server to claim to be, for example,

mail.

Chances are you won't be relisted.

If you're running Qmail, please see: http://cbl.abuseat.org/qmailhelp.html

This entry has already been delisted from the CBL. Unless otherwise stated, the CBL will relist this IP if the underlying issues are not resolved, and the CBL detects the same thing again.


The part where CBL says that the following name, 203-96-72-226.cid.global-gateway.net.nz, was used to identify itself during email (port 25) connections via the SMTP HELO/EHLO commands should not be the case, because cid.global-gateway.net.nz is our Telecom router which connects us to the Internet. Our SMTP HELO/EHLO should be smtp.lecom.co.nz (172.29.103.42).

How do I go about checking my Exchange 2007 server to see what the SMTP HELO/EHLO settings are?
Thanks
Looks like they gave you the same advice as me.

Author

Commented:
Hi,

Have checked my Exchange Servers, WEB servers and Firewall rules.

One thing I came to know is that the ISP who hosts our public IP address did not have any PTR record pointing the IP to us.

One thing I have come across in the logs on my firewall is:
There is SMTP communication coming from IP addresses (which are already blocked on Spamhaus) and the destination is 172.0.0.4.

Can anyone advise on this? I have attached the file.

Exchange-Expert.doc
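The CBL reply quoted earlier and the missing PTR record found above are two halves of the same check a receiving server performs: the name announced in HELO/EHLO should be the sender's own mail-server name, it should resolve to the public IP the mail arrives from (not the internal NAT address), and the PTR for that public IP should point back to a name of yours. On Exchange 2007 the name a Send connector announces is its Fqdn property (visible with Get-SendConnector, set with Set-SendConnector -Fqdn), but since outbound mail here leaves through IMSS, the name the Internet sees is whatever the last hop sends, and anything else behind the NAT that talks on port 25 will announce whatever it likes. The following is an added example, not code from the thread or the CBL: the DNS records are injected (constructed here, taken from the names and the public IP mentioned in the thread; lecom.co.nz's real records are not known to this example), and the "generic name" pattern is a heuristic of mine, not the CBL's published rule.

```python
import re

# Generic ISP / dynamic-pool naming: the IP's octets embedded in the name
# (203-96-72-226.cid...) or the usual pool prefixes.  Heuristic assumption,
# not the CBL's actual rule, which this page does not spell out.
GENERIC_NAME = re.compile(
    r"(?:\d{1,3}[-.]){3}\d{1,3}|^(?:dsl|dyn|dhcp|pool|ppp|cable|cust)[-.0-9]",
    re.I)


def check_helo_identity(public_ip, helo_name, forward, reverse):
    """Check the name a mail server announces in HELO/EHLO the way a
    receiving MTA would, and return a list of findings (empty = clean).

    forward maps a host name to its A record, reverse maps an IP to its
    PTR name; both are injected so the check runs offline.  A live check
    would fill them from socket.gethostbyname / socket.gethostbyaddr."""
    findings = []
    helo = helo_name.lower().rstrip(".")

    if GENERIC_NAME.search(helo):
        findings.append("HELO name looks like a generic ISP/pool name, not a mail server")
    if forward.get(helo) != public_ip:
        findings.append("HELO name does not resolve to the public sending IP")

    ptr = reverse.get(public_ip)
    if ptr is None:
        findings.append("no PTR record for the public IP (ask the ISP to add one)")
    else:
        ptr = ptr.lower().rstrip(".")
        if forward.get(ptr) != public_ip:
            findings.append("PTR name does not resolve back to the IP (FCrDNS fails)")
        if ptr != helo:
            findings.append("PTR name and HELO name differ (allowed, but both should be yours)")
    return findings


# Constructed DNS views for the two situations in the thread.  The names and
# the public IP come from the thread; the records themselves are made up.
BEFORE_FORWARD = {"203-96-72-226.cid.global-gateway.net.nz": "203.96.72.226"}
BEFORE_REVERSE = {}                                  # ISP had no PTR

AFTER_FORWARD = {"smtp.lecom.co.nz": "203.96.72.226",
                 "203-96-72-226.cid.global-gateway.net.nz": "203.96.72.226"}
AFTER_REVERSE = {"203.96.72.226": "smtp.lecom.co.nz"}


def before():
    """What the CBL saw: the router's generic name, and no PTR."""
    return check_helo_identity("203.96.72.226",
                               "203-96-72-226.cid.global-gateway.net.nz",
                               BEFORE_FORWARD, BEFORE_REVERSE)


def after():
    """Own name in HELO, A record on the public IP, PTR pointing back."""
    return check_helo_identity("203.96.72.226", "smtp.lecom.co.nz",
                               AFTER_FORWARD, AFTER_REVERSE)


if __name__ == "__main__":
    print("before:", before())
    print("after: ", after())
```

Note the third case the test below covers: announcing smtp.lecom.co.nz is not enough if that name only resolves to 172.29.103.42, because the recipient sees the connection coming from 203.96.72.226 and checks the name against that.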
Sorry, I don't have Word. The images don't show in WordPad. If you read the article I referred you to, it indicates that you will want to set up firewall rules on your network firewall to only allow outgoing e-mail connections from your e-mail server and log everything else. You should be able to tell which IP address on your local network is trying to violate this rule, as the traffic will be logged. You also need to be wary of wireless routers on your network.
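The egress check recommended in the first reply and again here, written out: once port 25 out of the LAN is restricted to the relay and everything else is logged, the firewall log identifies the infected host. This is an added example, not code from the thread; the log lines are constructed in a generic netfilter-style layout (real firewalls differ, so the regex is the part to adapt), 172.29.103.42 is the thread's relay, and the other internal hosts and public addresses are made up.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log lines.  172.29.103.42 is the thread's mail relay;
# 172.29.103.77 is a made-up workstation behaving like a spam trojan.
SAMPLE_LOG = """\
Feb 11 07:52:01 fw kernel: FORWARD ALLOW IN=eth1 OUT=eth0 SRC=172.29.103.42 DST=203.0.113.25 PROTO=TCP SPT=51234 DPT=25
Feb 11 07:52:09 fw kernel: FORWARD ALLOW IN=eth1 OUT=eth0 SRC=172.29.103.77 DST=198.51.100.14 PROTO=TCP SPT=49211 DPT=25
Feb 11 07:52:10 fw kernel: FORWARD ALLOW IN=eth1 OUT=eth0 SRC=172.29.103.77 DST=198.51.100.90 PROTO=TCP SPT=49212 DPT=25
Feb 11 07:52:12 fw kernel: FORWARD ALLOW IN=eth1 OUT=eth0 SRC=172.29.103.77 DST=203.0.113.200 PROTO=TCP SPT=49213 DPT=25
Feb 11 07:52:15 fw kernel: FORWARD ALLOW IN=eth1 OUT=eth0 SRC=172.29.103.5 DST=203.0.113.80 PROTO=TCP SPT=40001 DPT=443
Feb 11 07:52:20 fw kernel: FORWARD ALLOW IN=eth0 OUT=eth1 SRC=192.0.2.66 DST=172.29.103.42 PROTO=TCP SPT=3344 DPT=25
Feb 11 07:52:31 fw kernel: FORWARD ALLOW IN=eth1 OUT=eth0 SRC=172.29.103.42 DST=198.51.100.14 PROTO=TCP SPT=51235 DPT=25
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)")


def audit_outbound_smtp(log_text, internal_net, allowed_relays, ports=(25,)):
    """Find internal hosts other than the approved relays that opened
    outbound connections to SMTP ports.

    Returns {src_ip: sorted list of distinct destinations}.  A workstation
    hitting several distinct destination MXes within seconds is the usual
    signature of a spam trojan or an open proxy behind the NAT."""
    net = ipaddress.ip_network(internal_net)
    allowed = {ipaddress.ip_address(a) for a in allowed_relays}
    offenders = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "TCP" or int(m["dpt"]) not in ports:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        # Only inside -> outside traffic is egress; inbound SMTP to the relay
        # (source outside the LAN) is a separate question.
        if src not in net or dst in net or src in allowed:
            continue
        offenders[src].add(dst)
    return {str(s): sorted(str(d) for d in dsts) for s, dsts in offenders.items()}


def run_sample():
    return audit_outbound_smtp(SAMPLE_LOG, "172.29.103.0/24", {"172.29.103.42"})


if __name__ == "__main__":
    for host, dsts in run_sample().items():
        print(f"{host}: {len(dsts)} distinct SMTP destinations -> {dsts}")
```

If the firewall is already dropping port 25 from non-relay hosts, run the same audit over the DROP lines instead of the ALLOW lines; the offending host shows up either way, and it is the machine to pull off the network and examine, as the CBL reply suggests.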
Dave Howe, Software and Hardware Engineer
Commented:
To be honest - provided your ISP provides a smarthost, I would just use that as the outbound sending target and let them worry about the rest.
