  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 689

Spam block list

My firewall's WAN port IP is listed in a spam blocklist. Do I need to worry?

Check image.
Asked: VINOD MORE
10 Solutions
 
dexIT commented:
0
 
VINOD MORE (Linux System Analyst, Author) commented:
I used http://www.mxtoolbox.com
and I see the IP listed on 4 spam blocking sites.

Now what next...
0
 
VINOD MORE (Linux System Analyst, Author) commented:
Have I posted this in the correct Zones?
0
 
VINOD MORE (Linux System Analyst, Author) commented:
OK

Any comments
0
 
VINOD MORE (Linux System Analyst, Author) commented:
Anybody??
0
 
Gabriel Orozco (Solution Architect) commented:
Hi

You need to get off those lists as soon as possible.

So, the next step is to go to each of those lists and investigate WHY they tagged you. It can be that your mail server is sending spam (due to a vulnerability or an internal PC that is virus-infected, owned, etc.), or maybe because your WAN port is connected to a DSL dynamic IP, in which case you will never be off that kind of list. (For dynamic IPs, you can use an email forwarding service like the one offered by dyndns.com or dnsmadeeasy.com.)

Hope that helps.
0
 
VINOD MORE (Linux System Analyst, Author) commented:
Our mail server is in Dubai, and we are in India. Postfix is our mail server and we have POP3 accounts.

BTW
I have heard that to resolve this issue I have to configure the firewall's WAN port IP with a reverse DNS entry.
So what should the reverse DNS entry be??

What is email forwarding? Details please?
0
 
VINOD MORE (Linux System Analyst, Author) commented:
Any more comments.
0
 
NotLogical commented:
Hi vinodmore,

Usually DNS works in the forward direction by converting a human-friendly name to an IP. A reverse DNS entry is a mapping which will turn something like: system.someisp.com into 206.54.122.12.

This is very useful for mail delivery: MX (mail exchangers) are normally identified by name (to keep things easy for humans), but the MTA (mail transport agents) effectively require an IP address...

The reason that you need a qualified RDNS for your mail server, is a lot of SPAM filters simply reject mail which comes in from a server with no RDNS, or from an address which is tied to a dynamic address pool (DSL modems, dial-up modems, PPP connections). The RDNS should identify your sending server as belonging to your corporate domain.

As one of the previous experts indicated (this is very important!), you will most likely not be able to assign your own RDNS, if the IP you are using belongs to some dynamic address.

If you are able to provide some more information about your IP address and domain name, I could help. Otherwise, it will be difficult without some tangible information.

Regards,

NotLogical
0
 
VINOD MORE (Linux System Analyst, Author) commented:
OK, here is the whole story.

We don't have a mail server at our location (Mumbai, India); our mail server is in Dubai and we have configured POP3 accounts on it. The mail server is Postfix.

We just have an Internet leased line with a firewall in between.
So the firewall's WAN port IP, which is x.x.x.x, gets listed on spam blocking sites.
If the IP gets listed on these sites, outgoing mails are blocked.

We don't have any domain or mail server at our location; we are just in a workgroup environment.

So I want to resolve this issue of the IP getting listed on spam blocking sites.

@ NotLogical
The IP has been provided by the ISP; we have an Internet leased line.
0
 
NotLogical commented:
Hi vinodmore,

I do understand what you are trying to accomplish...

As far as I can tell, you have two options:
* Ask the ISP to provide you another IP address. There is a chance that the address you received was blacklisted some time ago for distributing SPAM. Before you accept your new address, check to ensure it is not blacklisted. Here is another question: is there a chance that the whole ISP is blacklisted? If so, you will have a very hard time to get your IP off the blacklist. This should be your ISP's job - not yours.
* Work through some of the blacklists (again, this was suggested previously) to see why the blocking came into effect. You can contact various blacklist owners to let them know that you are a new owner of the IP, and ask them to remove you.

Again, I could help you with things, but without an exact IP, it will be difficult (all I see on my side is a bunch of "x's").

Cheers,

NotLogical
0
 
VINOD MORE (Linux System Analyst, Author) commented:
@ NotLogical

I guess the IP was not blacklisted previously. Also, as you say, even if I ask for a new IP, that might get listed too in a few days' or weeks' time, so that won't be a permanent solution. The ISP may not help in fixing blacklisting because they just take care of the link being up or down.

Do you think any internal system infected with a virus/worm/trojan/botnet could be sending spam mails, causing the IP to get listed? For info, we use Symantec Endpoint Protection 11.

OK, the IP is 114.143.226.235
0
 
NotLogical commented:
Hi vinodmore,

One of the common reasons for having your IP blacklisted, is running an open-relay SMTP server. This can happen if there is a misconfiguration of the server, or a relaying policy is not in place.

An open relay allows a third-party to send emails through your mail server. It makes it appear as if you (your company, or people in your organization) are sending SPAM. This can be fixed by tweaking Postfix's configuration. Please see here: http://www.postfix.org/SMTPD_ACCESS_README.html

I would also suggest that you look at Postfix's logs. Does it appear that you have lots of email being sent through your server - more than you expect?

If you are suspicious about malware on your network, here is a very effective way of dealing with it:
* Add a rule on your firewall to limit outgoing SMTP connections to ONLY reach your Postfix mail server. This is good policy regardless: your Postfix server should be sending/receiving all outgoing mail for your organization.
* Add a rule so that your firewall logs all denied connections. Look at this list: if you seem to have more than a couple of connections per hour, you may have a problem.

Also, I am not able to reach the IP you specified. I could only perform a limited amount of research.

It would appear that your specific address is listed as delivering SPAM. Please check some of the points indicated above. Once you are sure that everything is okay on your side, request for your IP to be removed from the blacklists. If everything on your side is clean, you will be good to go!

Also - very importantly: there is no RDNS for your IP block. I cannot stress the importance of having proper RDNS...

Regards,

NotLogical
0
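The two firewall steps in the comment above (allow outbound SMTP only to the Postfix server, log every other outbound port-25 attempt) produce a log that has to be read to be useful. This added example, written for this page rather than taken from the thread, parses netfilter-style deny lines and counts denied outbound SMTP attempts per internal host per hour, flagging anything over the "couple per hour" threshold the comment suggests. The log lines are constructed, and the Dubai server address 198.51.100.25 is a hypothetical placeholder, since the thread never gives it. Cyberoam's own log format differs; only the regex would need to change.

```python
import re
from collections import Counter, defaultdict

# Hypothetical address for the Dubai Postfix server (the thread never gives it).
POSTFIX_IP = "198.51.100.25"
SMTP_PORTS = {25, 465, 587}
THRESHOLD_PER_HOUR = 2  # "more than a couple of connections per hour"

# Typical netfilter LOG-target syslog shape; the fields we need are SRC, DST, DPT.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>\S+) .*?"
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+) .*?"
    r"PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: one workstation fans out direct port-25 connections to
# many outside hosts (classic spam bot), one host makes a single attempt, one
# line is a denied connection to the legitimate relay (a rule mistake, not
# spam), one is a non-SMTP drop, and one line is unparseable noise.
SAMPLE_LOG = """\
Oct 12 10:01:02 fw kernel: FW-SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51234 DPT=25 SYN
Oct 12 10:01:05 fw kernel: FW-SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.44 LEN=60 PROTO=TCP SPT=51235 DPT=25 SYN
Oct 12 10:02:11 fw kernel: FW-SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.77 LEN=60 PROTO=TCP SPT=51240 DPT=25 SYN
Oct 12 10:07:40 fw kernel: FW-SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=192.0.2.18 LEN=60 PROTO=TCP SPT=51301 DPT=25 SYN
Oct 12 10:09:03 fw kernel: FW-SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.120 LEN=60 PROTO=TCP SPT=51322 DPT=25 SYN
Oct 12 10:15:00 fw kernel: FW-SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=40000 DPT=25 SYN
Oct 12 10:15:30 fw kernel: FW-SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.25 LEN=60 PROTO=TCP SPT=40002 DPT=25 SYN
Oct 12 10:16:30 fw kernel: FW-DENY IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=40001 DPT=443 SYN
Oct 12 11:00:00 fw kernel: FW-SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51400 DPT=25 SYN
garbage line that does not parse
""".splitlines()


def parse(line):
    """Return the fields of one deny line, or None if it is not a netfilter log line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # Strip ":MM:SS" so the bucket key is "Mon DD HH".
    return {"hour": m["ts"][:-6], "src": m["src"], "dst": m["dst"], "dpt": int(m["dpt"])}


def denied_smtp_per_hour(lines, postfix_ip=POSTFIX_IP):
    """Count denied outbound SMTP attempts per (source host, hour).

    Connections to the legitimate relay are excluded: if those are being
    denied the firewall rule is wrong, which is a different problem.
    """
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None or rec["dpt"] not in SMTP_PORTS or rec["dst"] == postfix_ip:
            continue
        counts[(rec["src"], rec["hour"])] += 1
    return counts


def suspicious_hosts(lines, threshold=THRESHOLD_PER_HOUR, postfix_ip=POSTFIX_IP):
    """Return {src: [(hour, attempts), ...]} for hosts over the threshold."""
    flagged = defaultdict(list)
    for (src, hour), n in sorted(denied_smtp_per_hour(lines, postfix_ip).items()):
        if n > threshold:
            flagged[src].append((hour, n))
    return dict(flagged)


if __name__ == "__main__":
    for src, hours in suspicious_hosts(SAMPLE_LOG).items():
        print(f"investigate {src}: {hours}")
```

A host that appears here is talking SMTP directly to the Internet from inside a network that is supposed to have no mail server, which is exactly the pattern that gets a WAN address listed. Pull that machine off the network and scan it before asking for delisting, otherwise the listing comes back.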
 
Gabriel Orozco (Solution Architect) commented:
Hi

Your problem is that you are using a leased line to send your emails.
That is the wrong approach because, as I commented, leased-line IP blocks are usually treated as all-spam generators.

Your best bet is to configure the email server in Dubai to accept SMTP-AUTH (which it may already be accepting, as is very usual) and then configure your local Postfix to RELAY to the Dubai server. That server will in turn relay your email to the Internet.
To do that, here is a howto:
http://www.cyberciti.biz/faq/postfix-smtp-authentication-for-mail-servers/

Another approach is to lease a fixed IP address from your ISP and request reverse DNS.
Normal DNS is name -> IP.
Reverse DNS is IP -> name, and is used to verify you have a fixed IP assigned, as 95%++ of spam comes from leased lines.

Hope this helps.
Regards!
0
 
VINOD MORE (Linux System Analyst, Author) commented:
@ NotLogical

The server doesn't look to be an open-relay SMTP server.
Tested on the website www.mxtoolbox.com; check the image attached.

No idea about server-side Postfix issues, because the server is not managed by me.

About adding a rule: I use a Cyberoam C25i UTM box.
Any ideas how to configure it in that? It would be a great help.

About reverse DNS
You are saying that it's not required in my case to resolve the issue.

@ Redimido
Leased lines are problems??
But this is the common type of Internet connectivity for corporates in India.
I don't think there's any alternative to this.

We don't have any local Postfix server or mail server or domain; we are in a plain workgroup environment.

My previous ISP configured mail.tajtv.com as a reverse DNS entry for me.

This is getting quite tricky. Huuhh
0
 
VINOD MORE (Linux System Analyst, Author) commented:
Image attached
SMTP-diag.JPG
0
 
NotLogical commented:
Hi vinodmore,

I do not have any ideas about your UTM box, without some documentation.

I looked at the blacklist status of your Postfix server. It is only listed on one blacklist. I still would ask whomever is running this server to check the logs, to ensure that some other user is not abusing it. Otherwise, you will end up on more blacklists. You can then request to be removed from the list...

Here is another change you should make - I alluded to it earlier. Please use your Postfix server as your outgoing SMTP server for all of your in-house mail clients. Two reasons for this:
1. Because your UTM IP address is blacklisted (a lot of dynamic ranges are perpetually blacklisted).
2. It is good practice to use a single outgoing mail server. This could be your incoming mail server or your ISP's mail server.

If you can, block all other outgoing connections on port 25. Limit them to only reach your Postfix server.

Based on all of this, unless you have an outgoing SMTP server behind your UTM, there should be no reason for worrying that your UTM IP is blacklisted.

Cheers,

NotLogical
0
 
Gabriel Orozco (Solution Architect) commented:
Hey vinodmore, I think I confused a leased line with DSL or dynamic IP access.

If you have a fixed IP you can ask your ISP to add reverse DNS for you to the mail.tajtv.com domain.

However, it is good to create an SPF record in your DNS to tell the other email servers that the Dubai server and this Postfix server can send emails from the tajtv.com domain.

These sites can help to create the SPF record:
https://support.fluidhosting.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=230
http://www.openspf.org/
and some graphic explanation from Microsoft (the one who pushed for SPF):
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
0
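To make the SPF recommendation above concrete, here is an added example (written for this page, not code from the thread or from any of the linked sites) that evaluates an SPF record the way a receiving MTA does: mechanisms are tried left to right and the first match decides. It contrasts a weak record that lists only one host and ends in `?all` with a corrected record that lists both authorised senders and ends in `-all`. The Dubai server address 198.51.100.25 and the `A_RECORDS` table are hypothetical stand-ins, since the thread gives neither; 114.143.226.235 and mail.tajtv.com are taken from the thread. Only the ip4, ip6, a and all mechanisms are implemented; include, mx, exists and redirect are out of scope for this illustration.

```python
import ipaddress

# Hypothetical: the thread never gives the Dubai server's address.
DUBAI_MX_IP = "198.51.100.25"
MUMBAI_WAN_IP = "114.143.226.235"  # the firewall WAN address from the thread

# Constructed forward records standing in for live DNS.
A_RECORDS = {"mail.tajtv.com": [DUBAI_MX_IP]}

# Weak record: only the Dubai host is listed and the record ends in ?all,
# so mail from anywhere else gets a shrug rather than a rejection.
SPF_WEAK = "v=spf1 ip4:198.51.100.25 ?all"
# Corrected record: both authorised senders listed, everything else fails.
SPF_GOOD = "v=spf1 a:mail.tajtv.com ip4:114.143.226.235 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip, a_records=A_RECORDS):
    """Evaluate the ip4/ip6/a/all mechanisms of an SPF record for sender_ip.

    Mechanisms are tried left to right; the first match decides, exactly as
    a receiving MTA does. include/mx/exists/redirect are out of scope here.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare address == /32 or /128
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "a":
            if str(ip) in a_records.get(arg, []):
                return QUALIFIERS[qualifier]
        else:
            raise ValueError(f"unsupported mechanism in this example: {mech}")
    return "neutral"  # no mechanism matched and no 'all' term (RFC 7208 default)


if __name__ == "__main__":
    for label, record in (("weak", SPF_WEAK), ("good", SPF_GOOD)):
        for ip in (DUBAI_MX_IP, MUMBAI_WAN_IP, "203.0.113.7"):
            print(f"{label:4} {ip:16} -> {check_spf(record, ip)}")
```

With the weak record the Mumbai WAN address is not listed, so mail sent from it evaluates to neutral and receivers fall back to other signals such as the blocklists that started this thread; with the corrected record it passes, and a spoofer elsewhere gets a hard fail.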
 
VINOD MORE (Linux System Analyst, Author) commented:
Now experts, finally, what do you suggest I do to resolve the issue?
0
 
NotLogical commented:
Summarizing the ideas of all the Experts:

- Ensure you have proper RDNS on your Postfix server.
- Add an SPF record to your DNS for your Postfix server.
- Do not send email directly from your leased-line. Use your Postfix server as an incoming and outgoing server.
- If you are unable to go through your Postfix server as outgoing, use your upstream ISP's (the one which provided you the leased line) mail server as an outgoing server.

Once this is configured correctly, you will have better results.

Other Experts - have I missed something?

Thanks,

NotLogical
0
 
Gabriel Orozco (Solution Architect) commented:
I mostly agree with NotLogical.

The fact is I do not see any big trouble. As an email administrator (postmaster) you will very often be in this situation. There will be many false positives that you will solve very easily, but the general recommendations to minimize problems are the ones NotLogical recommended.

I would still want to categorize a little further:

If you want to use your leased line to send emails for the same domain that has its server in Dubai, then there should not be any problem provided you:
   1. add the SPF record to your DNS to tell the other servers that BOTH servers are allowed to send email, the Dubai one and this Postfix server
   2. have the RDNS set correctly for your Postfix server.

If you do not want to do that, then configure your Postfix to forward all email to the Dubai server and have that one send the emails (I would not recommend that solution since you will increase the traffic and it is not necessary).
0
