Keep getting Blacklisted

Our external IP keeps getting blacklisted.  Have tested with the following site:

Neither report an open relay.

Also am receiving email to our domain from our domain.  Headers on these emails contain IP addresses that are not ours.  Sending email user is a valid user on our system.
jesusrulesme commented:
You are likely an open relay.  Here is a test.

If you are, here is a tutorial to prevent relaying.
Oh.  Another possibility is that you have an infected machine on your network.  Make sure your firewall is restricted to only send out port 25 from your Exchange server.
Mestha commented:
If you only have one IP address the most likely source is a compromised workstation. If your server was an open relay then it is easy to spot as the queues would be full of messages.

I wrote this blog posting last year which has explained what has probably happened.


Bud (Author) commented:
It's not an Open Relay.  Have already checked that, as indicated in my original message.
Britt Thompson (Sr. Systems Engineer) commented:
Once you get hung up like this it is difficult to get rid of it in a timely fashion before your ISP blocks port 25 on you. The best and most efficient way to stop your server from getting compromised, or even having a client on your network cause the IP block, is to use a filtering service like AppRiver's Secure Tide.

All of your mail is filtered before it reaches your domain, and using either your firewall or Exchange connection settings you block all traffic on port 25 except from the AppRiver filtering servers. Your MX records change to the filtering servers and they relay to you in turn, so no spammers can get into your server. AppRiver is the service I'm familiar with but there are others, I'm sure. They do a free trial and it can be up and running today with your problems fixed.
Not sure how a filtering service would help if a workstation is compromised. Most workstations are not compromised via email; it is usually a drive-by download on a web site, clicking on or installing something. All a filtering service will do is protect the server - and to be honest, if a server is set up correctly then it is very hard for Exchange to be abused.

Britt Thompson (Sr. Systems Engineer) commented:
The filtering service allows all inbound traffic on port 25 to be blocked completely at your firewall and allows only the Exchange server to send mail out. Obviously, you know what you're talking about, but the filtering service will also cut up to 80% of the mail that's delivered to your domain, limiting the amount of viruses and garbage email that makes it to mailboxes.

It's not the cheapest solution but it's an instant solution and a solution that can prevent potential problems. Like you said, up-to-date antivirus isn't enough and these days antivirus has become pretty useless for stuff like this.

That is a great article you wrote. I didn't know the compromised workstation would generate the error logs when the bot couldn't send.

Bud (Author) commented:
Mestha, can you expand on this line from your blog: "A compromised machine will quickly show on the logs when it cannot connect. You can then go and find the machine and deal with it."

What logs will this compromised machine appear in?
I think you have a workstation with some malware that's spamming the planet using port 25.
1. You need to find that workstation and clean it up. You can identify it by checking the logs on your router.
2. You need to set the NAT rules (port blocking) to allow port 25/110 access to only your Exchange server.
3. After running for a few hours, recheck the router logs to be sure the only IP using port 25/110 is your Exchange server.
4. Do a check to find out where you are blacklisted:
and request removal. In most cases you have to provide them with a statement that you have corrected the problem.  If you request removal too many times without fixing the cause then it will be harder to get de-listed.
You have taken the line out of context. If you read it with the line immediately beforehand it is clear that I mean the firewall logs.

If you block port 25 with logging enabled, then each time the bot attempts to send out it will be logged. The internal IP address will show and you can then find the machine and kick the user off it.


The following checklist is your best friend to fight spam-bots and keep your MX record away from blacklists:

1) Authorized servers only: Allow only your authorized mail server or anti-spam solution (e.g. IronMail/IronPort/Barracuda, etc.) to send SMTP (tcp/25) traffic outside your network. Otherwise, you'll face the blacklisting penalty and it will take a while to clear your IP.

2) Don't leave the Wifi LAN un-firewalled: I found many customers who got blacklisted because they forgot to secure the Wifi LAN and allowed any traffic to leave. They didn't calculate the risk of infected laptops. Start with allowing common protocols such as HTTP/HTTPS/POP3, turn on AV scanning, DPI (Deep Packet Inspection), Web Filtering (e.g. SurfControl).

3) Know your traffic: You should be aware of every inbound/outbound bit in your network. There are a lot of solutions which will sniff and study the type of traffic generated on the wire, so you can get a full picture of what's going on at the moment. Check the following vendors and their solutions:

4) MX reputation monitoring: This is a very nice way to get an early warning before they blacklist your IP. These monitoring services will evaluate the "reputation" level and warn you. For instance,

5) Antivirus & HIPS: I don't need to discuss this point too much. Many MX blacklisting incidents happened due to a computer left without an antivirus scanner installed. So, always scan your network and push the AV client.  Don't allow untrusted laptops to use your network unless they are protected and clean. Some companies follow the rule of: keep your laptop off, we will give you ours! HIPS is an excellent layer of defense that complements the AV scanner.

6) FW/Router Logs: You need to enable logging on any rule that allows outbound SMTP traffic, so you can later check the source of any suspicious spam traffic from inside to outside.

Technical Notes:

First of all, I would recommend blocking all outbound traffic to port 25 except from your mail/antispam servers, because there is no need to leave this big threat open.

You should use a combination of sniffers and port scanners to detect spam bots. Check the following:

1) Wireshark, download it from (

You need to connect it to a managed switch that supports a monitoring port (Cisco calls it SPAN), or use a hub. The last option is to use a network TAP from a vendor like NetOptics (

2) Another sniffing tool is Tcpick (linux based), download it from (

Here is how to sniff port 25:

#tcpick -i eth0 -C -bCU -T1 "port 25"

3) Nmap is the best port scanning tool, download it from (

Here is how to scan for port 25 (replace with your network range):

#nmap -sS -p 25

4) TCPDump is another good sniffer, download it from (

Here is how to sniff port 25:

#tcpdump -i eth0 port 25

A Symantec Certified Specialist @ your service
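Mestha's point about the firewall logs and item 6 of the checklist above both come down to the same check: once outbound tcp/25 is restricted to the mail server and the rule logs, the spamming workstation shows up as the internal source that keeps hitting port 25 and getting dropped. The script below is an added example, not code from anyone in this thread; it parses constructed iptables LOG-style lines (the rule prefix, interface names, LAN range and the 192.168.1.10 Exchange address are all assumptions) and reports every internal host other than the authorized server that attempted tcp/25, with how many attempts and how many distinct destinations, so one bot stands out from a single stray connection.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log: an iptables rule that logs and drops outbound tcp/25
# from any internal host except the mail server (prefix SMTP-OUT-DROP), plus
# one accepted line from the mail server and one unrelated HTTPS line.
SAMPLE_LOG = """\
Mar 11 09:14:02 fw kernel: SMTP-OUT-DROP IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.9 PROTO=TCP SPT=49213 DPT=25 SYN
Mar 11 09:14:02 fw kernel: SMTP-OUT-DROP IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.22 PROTO=TCP SPT=49214 DPT=25 SYN
Mar 11 09:14:03 fw kernel: SMTP-OUT-DROP IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.45 PROTO=TCP SPT=49215 DPT=25 SYN
Mar 11 09:14:04 fw kernel: SMTP-OUT-ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.9 PROTO=TCP SPT=40001 DPT=25 SYN
Mar 11 09:14:05 fw kernel: SMTP-OUT-DROP IN=eth1 OUT=eth0 SRC=192.168.1.80 DST=203.0.113.9 PROTO=TCP SPT=51000 DPT=25 SYN
Mar 11 09:14:06 fw kernel: SMTP-OUT-DROP IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.10 PROTO=TCP SPT=49216 DPT=25 SYN
Mar 11 09:14:07 fw kernel: WEB-OUT-ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.9 PROTO=TCP SPT=49300 DPT=443 SYN
"""

AUTHORIZED_MAIL_SERVER = ip_address("192.168.1.10")  # assumed Exchange address
INTERNAL_NET = ip_network("192.168.1.0/24")          # assumed LAN range

FIELD_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")


def smtp_offenders(log_text, threshold=1):
    """Return {src_ip: (attempt_count, distinct_destinations)} for internal
    hosts other than the authorized mail server that tried to reach tcp/25."""
    attempts = Counter()
    dests = {}
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if not m:
            continue  # not a firewall log line we understand
        src, dst, proto, _spt, dpt = m.groups()
        if proto != "TCP" or dpt != "25":
            continue  # only outbound SMTP matters here
        src_ip = ip_address(src)
        if src_ip not in INTERNAL_NET or src_ip == AUTHORIZED_MAIL_SERVER:
            continue  # the mail server is allowed to talk to port 25
        attempts[src] += 1
        dests.setdefault(src, set()).add(dst)
    return {s: (n, len(dests[s])) for s, n in attempts.items() if n >= threshold}


if __name__ == "__main__":
    ranked = sorted(smtp_offenders(SAMPLE_LOG).items(), key=lambda kv: -kv[1][0])
    for src, (n, d) in ranked:
        print(f"{src}: {n} tcp/25 attempts to {d} distinct hosts")
```

Raise the threshold (for example to 10) on a real day's log to separate a bot fanning out to many MX hosts from a single misconfigured client.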