Domain is being blacklisted

Posted on 2009-04-30
Last Modified: 2013-11-16

We haven't had this issue since we installed the IronPort C150 for blocking spam. It's been a year. Two days ago our outgoing emails started bouncing back. I checked a couple of blacklists and our domain is there. I submitted removal requests but they relist us again. How can I figure out which computer is sending out junk? What could have happened that all of a sudden the IronPort isn't scanning outgoing emails? I checked the licenses and they're all good. What should I do in this case?

We have SBS 2008 and Exchange 2007. I used network repair wizard recently. I don't think that is the problem. I checked the send connector in Exchange Management Console. I went to Organization Configuration -> Hub Transport -> Send Connectors Tab -> Properties of Windows SBS Internet Send [Name of Our Server] -> Network Tab -> Route mail through the following smart hosts -> Our Ironport IP There is also Address Space tab which says Specify the address space to which this connector will route email. In our case type = smtp, address = *, cost = 1. Include all subdomains checked. Scoped send connector unchecked. Should I change * to here too?

Thank you.
Question by:RealSnaD
    LVL 6

    Accepted Solution

    First, your router should be set to keep a log of incoming and outgoing activity. If not, turn that feature on. From there you should be able to determine which LAN IP is slamming the internet. If you are getting blacklisted and emails are being bounced back, it means you have a system on the network that's spewing spam out of port 25. Your router/firewall should be configured to only allow traffic on ports 25 and 110 to and from your Exchange server. It looks like IronPort is not seeing the outgoing mails because they are being spewed from a compromised workstation that's sending them through your router directly.
    LVL 65

    Assisted Solution

    Domains are not blacklisted - hosts are.

    There should be a reason why the host is being blacklisted. I would expect that it is a compromised workstation if you are using a spam appliance - unless the appliance has been configured incorrectly.

    Can workstations connect to remote SMTP servers? If they can, then you need to block that activity. That will quickly show which workstation is sending out the spam and you will be able to deal with it.

    Ideally you would want two IP addresses, one exclusively for email and the SBS server and another for everything else. Then if something like this happens, your server doesn't get caught in the crossfire.

    LVL 7

    Author Comment

    Anti-spam wasn't enabled on outgoing emails in IronPort. Anti-virus, however, was. I enabled anti-spam on outgoing. We'll see how it goes.
    LVL 7

    Author Comment

    Thank you for your suggestions! Question about TonySt's comment. We are blocking port 25 like this in our Cisco 1841 router:

    access-list 127 permit tcp host any eq smtp
    access-list 127 deny   tcp any any eq smtp
    access-list 127 permit ip any any

    and then on inside interface we have:

    ip access-group 127 in

    You might not be familiar with Cisco ACLs but this is how it is done. My question is should I grant permission for traffic on port 25 to my exchange server ( or to IronPort ( Right now as you can see it is IronPort.

    LVL 6

    Expert Comment

    Is the IronPort configured to send incoming/outgoing port 25 traffic only to the Exchange server?
    Or is the IronPort accepting port 25 traffic from the entire LAN?

    In any case the above blocking is correct, if the only IP address allowed to send port 25 traffic to and from the IronPort is the Exchange server. If the other workstations were allowed to send port 25 traffic to the IronPort and the IronPort was not blocking spam, then you have identified your leak. That still means there is a source in your LAN of the bad stuff, though, and you still have to find that.
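    The accepted answer says to use the router's log to find which LAN IP is pushing mail out, and the ACL posted above is the natural place to collect that evidence: on Cisco IOS, appending the `log` keyword to the `deny tcp any any eq smtp` entry makes the router emit a `%SEC-6-IPACCESSLOGP` syslog message (rate-limited) for each blocked workstation-to-port-25 attempt. The script below is an added example, not code from the thread or from Cisco; it parses constructed log lines modeled on that message format, ignores the one host that is allowed to send mail (assumed here to be 192.168.1.10, the relay), and ranks the remaining sources by how many different remote SMTP servers they tried to reach. A spam bot fans out to many mail servers; a misconfigured legitimate client usually talks to one.

```python
import re
from collections import defaultdict

# Constructed sample log, modeled on Cisco IOS ACL-logging messages
# (%SEC-6-IPACCESSLOGP). Addresses are documentation ranges, not from the thread.
SAMPLE_LOG = """\
Apr 28 09:12:01 rtr1 %SEC-6-IPACCESSLOGP: list 127 permitted tcp 192.168.1.10(49152) -> 198.51.100.25(25), 1 packet
Apr 28 09:12:03 rtr1 %SEC-6-IPACCESSLOGP: list 127 permitted tcp 192.168.1.10(49153) -> 203.0.113.9(25), 3 packets
Apr 28 09:12:04 rtr1 %SEC-6-IPACCESSLOGP: list 127 denied tcp 192.168.1.57(1034) -> 203.0.113.7(25), 1 packet
Apr 28 09:12:04 rtr1 %SEC-6-IPACCESSLOGP: list 127 denied tcp 192.168.1.57(1035) -> 198.51.100.40(25), 2 packets
Apr 28 09:12:05 rtr1 %SEC-6-IPACCESSLOGP: list 127 denied tcp 192.168.1.57(1036) -> 192.0.2.88(25), 1 packet
Apr 28 09:12:05 rtr1 %SEC-6-IPACCESSLOGP: list 127 denied tcp 192.168.1.57(1037) -> 203.0.113.12(25), 4 packets
Apr 28 09:12:09 rtr1 %SEC-6-IPACCESSLOGP: list 127 denied tcp 192.168.1.20(3301) -> 192.0.2.10(25), 1 packet
Apr 28 09:12:10 rtr1 %SEC-6-IPACCESSLOGP: list 127 permitted tcp 192.168.1.20(3302) -> 192.0.2.10(80), 2 packets
Apr 28 09:12:11 rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Matches the "list <acl> <action> <proto> <src>(<sport>) -> <dst>(<dport>), N packet(s)" tail.
LOG_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+(?:\.\d+){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return a dict for an ACL log line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def outbound_smtp_by_source(log_text, allowed_senders, smtp_port=25):
    """Summarize TCP/25 attempts per LAN source, skipping hosts allowed to relay mail.

    Both permitted and denied entries are counted: a workstation that was
    still permitted before the ACL was tightened is just as interesting.
    """
    packets = defaultdict(int)
    dests = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != smtp_port:
            continue
        if rec["src"] in allowed_senders:
            continue
        packets[rec["src"]] += rec["count"]
        dests[rec["src"]].add(rec["dst"])
    return {src: {"packets": packets[src], "destinations": len(dests[src])}
            for src in packets}


def find_suspects(log_text, allowed_senders, min_distinct_dests=3):
    """Sources contacting many different remote SMTP servers are the likely bots."""
    summary = outbound_smtp_by_source(log_text, allowed_senders)
    suspects = [s for s, v in summary.items() if v["destinations"] >= min_distinct_dests]
    return sorted(suspects, key=lambda s: summary[s]["packets"], reverse=True)


if __name__ == "__main__":
    allowed = {"192.168.1.10"}  # assumed address of the IronPort / mail relay
    for src, v in sorted(outbound_smtp_by_source(SAMPLE_LOG, allowed).items()):
        print(f"{src:16} {v['packets']:4d} packets to {v['destinations']} SMTP server(s)")
    print("suspects:", find_suspects(SAMPLE_LOG, allowed))
```

    Run it against a syslog export instead of SAMPLE_LOG to get the same ranking for a real network. Because IOS rate-limits ACL logging, the packet counts understate the real volume; the distinct-destination count is the more reliable signal, which is why find_suspects keys on it.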
    LVL 7

    Author Comment

    IronPort is configured only to the exchange server. Ok, I am going to see if we get relisted again within 48 hours. I will close the question then. Thank you!
    LVL 7

    Author Closing Comment

    Thank you! Everything is working just fine. I still have to submit several removal requests but most blacklists don't have us listed anymore.
