Solved

Spam block list

Posted on 2009-07-08
673 Views
Last Modified: 2013-12-09
My Firewall wan port IP is listed in spam blocklist, do i need to worry.

Check image.
Question by:VINOD MORE
23 Comments
 
LVL 9

Accepted Solution

by:
dexIT earned 50 total points
ID: 24804162
LVL 1

Author Comment

by:VINOD MORE
ID: 24810119
I used http://www.mxtoolbox.com
and I see the IP listed in 4 spam blocking sites.

Now what next...
LVL 1

Author Comment

by:VINOD MORE
ID: 24810681
Have I posted this in the correct Zones?
LVL 1

Author Comment

by:VINOD MORE
ID: 24820215
OK

Any comments?
LVL 1

Author Comment

by:VINOD MORE
ID: 24820380
Anybody??
LVL 19

Assisted Solution

by:Gabriel Orozco
Gabriel Orozco earned 200 total points
ID: 24827204
Hi

You need to get off those lists as soon as possible.

So, the next step is to go to each of those lists and investigate WHY they tagged you. It can be that your mailserver is sending spam (due to a vulnerability, or an internal PC that is virus-infected, owned, etc.), or maybe because your WAN port is connected to a DSL dynamic IP, in which case you will never be out of that kind of list. (For dynamic IPs, you can use an email forwarding service like the one offered by dyndns.com or dnsmadeeasy.com.)

Hope that helps.
LVL 1

Author Comment

by:VINOD MORE
ID: 24833206
Our mailserver is in Dubai, and we are in India. Postfix is our mailserver and we have POP3 accounts.

BTW
I have heard that to resolve this issue I have to configure the firewall's WAN port IP with a reverse DNS entry.
So what should the reverse DNS entry be??

What is email forwarding? Details please?
LVL 1

Author Comment

by:VINOD MORE
ID: 24837012
Any more comments.
LVL 8

Assisted Solution

by:NotLogical
NotLogical earned 250 total points
ID: 24837044
Hi vinodmore,

Usually DNS works in the forward direction by converting a human-friendly name to an IP. A reverse DNS entry is a mapping which will turn something like: system.someisp.com into 206.54.122.12.

This is very useful for mail delivery: MX (mail exchangers) are normally identified by name (to keep things easy for humans), but the MTA (mail transport agents) effectively require an IP address...

The reason that you need a qualified RDNS for your mail server is that a lot of SPAM filters simply reject mail which comes in from a server with no RDNS, or from an address which is tied to a dynamic address pool (DSL modems, dial-up modems, PPP connections). The RDNS should identify your sending server as belonging to your corporate domain.

As one of the previous experts indicated (this is very important!), you will most likely not be able to assign your own RDNS if the IP you are using belongs to some dynamic address pool.

If you are able to provide some more information about your IP address and domain name, I could help. Otherwise, it will be difficult without some tangible information.

Regards,

NotLogical
LVL 1

Author Comment

by:VINOD MORE
ID: 24837200
OK, here is the whole story.

We don't have a mail server at our location (Mumbai, India); our mail server is in Dubai and we have configured POP3 accounts on it. The mail server is Postfix.

We just have an Internet Leased Line with a Firewall in between.
So the firewall's WAN port IP, which is x.x.x.x, gets listed in Spam blocking sites.
If the IP gets listed in these sites, outgoing mails are blocked.

We don't have any domain or mail server at our location; we are just in a work-group environment.

So I want to resolve this issue of the IP getting listed in Spam blocking sites.

@ NotLogical
The IP has been provided by the ISP; we have an Internet Leased Line.
LVL 8

Assisted Solution

by:NotLogical
NotLogical earned 250 total points
ID: 24837276
Hi vinodmore,

I do understand what you are trying to accomplish...

As far as I can tell, you have two options:
* Ask the ISP to provide you another IP address. There is a chance that the address you received was blacklisted some time ago for distributing SPAM. Before you accept your new address, check to ensure it is not blacklisted. Here is another question: is there a chance that the whole ISP is blacklisted? If so, you will have a very hard time to get your IP off the blacklist. This should be your ISP's job - not yours.
* Work through some of the blacklists (again, this was suggested previously) to see why the blocking came into effect. You can contact various blacklist owners to let them know that you are a new owner of the IP, and ask them to remove you.

Again, I could help you with things, but without an exact IP, it will be difficult (all I see on my side is a bunch of "x's").

Cheers,

NotLogical
LVL 1

Author Comment

by:VINOD MORE
ID: 24837369
@ NotLogical

I guess the IP was not blacklisted previously. Also, as you say, even if I ask for a new IP, that might too get listed in a few days' or weeks' time, so that won't be a permanent solution. The ISP may not help in fixing the blacklisting because they just take care of the link being up or down.

Do you think any internal system infected with a virus/worm/trojan/botnet could be sending spam mails, causing the IP to get listed? For info, we use Symantec Endpoint Protection 11.

OK, the IP is 114.143.226.235
LVL 8

Assisted Solution

by:NotLogical
NotLogical earned 250 total points
ID: 24840089
Hi vinodmore,

One of the common reasons for having your IP blacklisted is running an open-relay SMTP server. This can happen if there is a misconfiguration of the server, or a relaying policy is not in place.

An open relay allows a third-party to send emails through your mail server. It makes it appear as if you (your company, or people in your organization) are sending SPAM. This can be fixed by tweaking Postfix's configuration. Please see here: http://www.postfix.org/SMTPD_ACCESS_README.html

I would also suggest that you look at Postfix's logs. Does it appear that you have lots of email being sent through your server - more than you expect?

If you are suspicious about malware on your network, here is a very effective way of dealing with it:
* Add a rule on your firewall to limit outgoing SMTP connections to ONLY reach your Postfix mail server. This is good policy regardless: your Postfix server should be sending/receiving all outgoing mail for your organization.
* Add a rule so that your firewall logs all denied connections. Look at this list: if you seem to have more than a couple of connections per hour, you may have a problem.

Also, I am not able to reach the IP you specified. I could only perform a limited amount of research.

It would appear that your specific address is listed as delivering SPAM. Please check some of the points indicated above. Once you are sure that everything is okay on your side, request for your IP to be removed from the blacklists. If everything on your side is clean, you will be good to go!

Also - very importantly: there is no RDNS for your IP block. I cannot stress the importance of having proper RDNS...

Regards,

NotLogical
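The egress-filtering advice in the comment above, as an added example that is not part of the thread: a script that counts firewall-denied outbound port-25 connections per internal host per hour over a constructed log sample and flags hosts that exceed NotLogical's "more than a couple per hour" threshold. The syslog-like log format and the 203.0.113.10 relay address are assumptions; a Cyberoam box logs in its own format, so the regex would need adapting.

```python
"""Count firewall-denied outbound SMTP (TCP/25) attempts per internal host
and hour, and flag hosts that exceed a threshold. Added example, not code
from the thread; the log format below is a constructed syslog-like sample,
so adapt LINE_RE to whatever the real firewall emits."""
import re
from collections import Counter, defaultdict

# Constructed sample. The only permitted SMTP destination is the mail relay
# (203.0.113.10, a documentation-range placeholder for the Dubai server).
SAMPLE_LOG = """\
Jul 08 09:12:01 fw DENY TCP 192.168.1.57:51022 -> 198.51.100.7:25
Jul 08 09:12:03 fw DENY TCP 192.168.1.57:51023 -> 198.51.100.9:25
Jul 08 09:13:10 fw DENY TCP 192.168.1.57:51024 -> 198.51.100.11:25
Jul 08 09:14:44 fw DENY TCP 192.168.1.57:51025 -> 198.51.100.12:25
Jul 08 09:20:00 fw DENY TCP 192.168.1.23:40001 -> 198.51.100.7:25
Jul 08 09:30:05 fw DENY TCP 192.168.1.57:51030 -> 198.51.100.14:443
Jul 08 10:02:17 fw ALLOW TCP 192.168.1.23:40002 -> 203.0.113.10:25
"""

LINE_RE = re.compile(
    r"^(?P<month>\w{3}) (?P<day>\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} \S+ "
    r"(?P<action>DENY|ALLOW) TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def denied_smtp_per_hour(log_text):
    """Return {(src_ip, 'Mon DD HH'): count} of denied TCP/25 connections."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "DENY" or m["dport"] != "25":
            continue  # unparsable, allowed, or not SMTP: not of interest here
        counts[(m["src"], f"{m['month']} {m['day']} {m['hour']}")] += 1
    return counts

def suspicious_hosts(log_text, per_hour_threshold=2):
    """Hosts whose denied SMTP attempts exceed the threshold in any one hour.
    A workstation that keeps trying to reach arbitrary MXs on port 25 is the
    classic footprint of a spam bot behind the firewall."""
    worst = defaultdict(int)
    for (src, hour), n in denied_smtp_per_hour(log_text).items():
        worst[src] = max(worst[src], n)
    return sorted(src for src, n in worst.items() if n > per_hour_threshold)

if __name__ == "__main__":
    for host in suspicious_hosts(SAMPLE_LOG):
        print(f"possible spam bot (egress SMTP denied repeatedly): {host}")
```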
LVL 19

Assisted Solution

by:Gabriel Orozco
Gabriel Orozco earned 200 total points
ID: 24847032
Hi

Your problem is that you are using a leased line to send your emails.
That is the wrong approach, because as I commented, leased-line IP blocks are usually treated as all-spam generators.

Your best bet is to configure the email server in Dubai to accept SMTP-AUTH (which it could already be accepting, as is very usual) and then configure your local Postfix to RELAY to the Dubai server. That server will in turn relay your email to the internet.
To do that, here is a howto:
http://www.cyberciti.biz/faq/postfix-smtp-authentication-for-mail-servers/

Another approach is to lease a fixed IP address from your ISP and request reverse DNS.
Normal DNS is name -> IP.
Reverse DNS is IP -> name, and is used to verify you have a fixed IP assigned, as 95%++ of spam is coming from leased lines.

Hope this helps.
Regards!
LVL 1

Author Comment

by:VINOD MORE
ID: 24856629
@ NotLogical

The server doesn't look to be an open-relay SMTP server.
Tested on the website www.mxtoolbox.com; check the image attached.

No idea about server-side Postfix issues, because the server is not managed by myself.

About adding a rule: I use a Cyberoam C25i UTM box.
Any ideas how to configure it in that? It would be a great help.

About Reverse DNS
You are saying that it's not required in my case to resolve the issue.

@ Redimido
Leased lines are problems??
But this is the common type of internet connectivity in India for corporates.
I don't think there's any alternative to this.

We don't have any local Postfix server or mail server or domain; we are in a plain work-group environment.

My previous ISP configured mail.tajtv.com as a Reverse DNS entry for me.

This is getting quite tricky. Huuhh
LVL 1

Author Comment

by:VINOD MORE
ID: 24856635
Image attached
SMTP-diag.JPG
LVL 8

Assisted Solution

by:NotLogical
NotLogical earned 250 total points
ID: 24860143
Hi vinodmore,

I do not have any ideas about your UTM box, without some documentation.

I looked at the blacklist status of your Postfix server. It is only listed on one blacklist. I still would ask whomever is running this server to check the logs, to ensure that some other user is not abusing it. Otherwise, you will end up on more blacklists. You can then request to be removed from the list...

Here is another change you should make - I alluded to it earlier. Please use your Postfix server as your outgoing SMTP server for all of your in-house mail clients. Two reasons for this:
1. Because your UTM IP address is blacklisted (a lot of dynamic ranges are perpetually blacklisted).
2. It is good practice to use a single outgoing mail server. This could be your incoming mail server or your ISP's mail server.

If you can, block all other outgoing connections on port 25. Limit them to only reach your Postfix server.

Based on all of this, unless you have an outgoing SMTP server behind your UTM, there should be no reason for worrying that your UTM IP is blacklisted.

Cheers,

NotLogical
LVL 19

Assisted Solution

by:Gabriel Orozco
Gabriel Orozco earned 200 total points
ID: 24861819
Hey vinodmore, I think I confused Leased Line with DSL or dynamic IP access.

If you have a fixed IP you can ask your ISP to add reverse DNS for you to the mail.tajtv.com domain.

However, it is good to create an SPF record in your DNS to tell the other email servers that the Dubai server and this Postfix server can send emails from the tajtv.com domain.

These sites can help to create the SPF record:
https://support.fluidhosting.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=230
http://www.openspf.org/
and some graphic explanation from Microsoft (the one who pushed for SPF):
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
LVL 1

Author Comment

by:VINOD MORE
ID: 24876533
Now, experts, finally, what do you suggest I do to resolve the issue?
LVL 8

Assisted Solution

by:NotLogical
NotLogical earned 250 total points
ID: 24879421
Summarizing the ideas of all the Experts:

- Ensure you have proper RDNS on your Postfix server.
- Add an SPF record to your DNS for your Postfix server.
- Do not send email directly from your leased-line. Use your Postfix server as an incoming and outgoing server.
- If you are unable to go through your Postfix server as outgoing, use your upstream ISP's (the one which provided you the leased line) mail server as an outgoing server.

Once this is configured correctly, you will have better results.

Other Experts - have I missed something?

Thanks,

NotLogical
LVL 19

Assisted Solution

by:Gabriel Orozco
Gabriel Orozco earned 200 total points
ID: 24880886
I mostly agree with NotLogical.

The fact is I do not see any big trouble. As an email administrator (postmaster) you will very often be in this situation. There will be many false positives that you will solve very easily, but the general recommendations to minimize problems are the ones NotLogical recommended.

I would still want to categorize a little further:

If you want to use your leased line to send emails for the same domain that has its server in Dubai, then there should not be any problem provided you:
   1. Add the SPF record to your DNS to tell the other servers that BOTH servers are allowed to send email, the Dubai one and this Postfix server.
   2. Have the RDNS set correctly to your Postfix server.

If you do not want to do that, then configure your Postfix to forward all email to the Dubai server and have that one send the emails (I would not recommend that solution since you will increase the traffic and it is not necessary).
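The three checks the experts' summary converges on (DNSBL listing, reverse DNS with forward confirmation, and SPF), as an added example that is not part of the thread: the query-name construction and evaluation logic, exercised offline against constructed DNS answers rather than a live resolver. The dnsbl.example zone, the 203.0.113.10 address for the Dubai server and the tajtv.com records are assumptions; 114.143.226.235 and mail.tajtv.com are the values from the thread.

```python
"""Pure-logic helpers for DNSBL, forward-confirmed rDNS and SPF checks.
Added example, not from the thread. No network calls: the "DNS answers"
are constructed dicts; in practice feed the query names to a resolver."""
import ipaddress

# Constructed stand-ins: 114.143.226.235 is the WAN IP from the thread,
# 203.0.113.10 a documentation-range placeholder for the Dubai mail server;
# the dnsbl.example zone and the tajtv.com records are invented for the demo.
FAKE_A = {"mail.tajtv.com": {"114.143.226.235"}}
FAKE_PTR = {"235.226.143.114.in-addr.arpa": "mail.tajtv.com"}
FAKE_DNSBL = {"235.226.143.114.dnsbl.example": "127.0.0.2"}  # listed
FAKE_TXT = {"tajtv.com": "v=spf1 ip4:203.0.113.10 a:mail.tajtv.com -all"}

def reversed_octets(ip):
    """'114.143.226.235' -> '235.226.143.114', the form DNSBL and PTR use."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))

def dnsbl_query_name(ip, zone):
    return f"{reversed_octets(ip)}.{zone}"

def is_listed(ip, zone, dnsbl_answers):
    """DNSBLs answer listed IPs with a 127.0.0.x address, NXDOMAIN otherwise."""
    return dnsbl_answers.get(dnsbl_query_name(ip, zone), "").startswith("127.")

def fcrdns_ok(ip, ptr_answers, a_answers):
    """Forward-confirmed rDNS: a PTR exists and its name resolves back to ip."""
    name = ptr_answers.get(f"{reversed_octets(ip)}.in-addr.arpa")
    return name is not None and ip in a_answers.get(name, set())

def spf_authorizes(domain, sender_ip, txt_answers, a_answers):
    """Evaluate ip4:, a/a: and all mechanisms of a v=spf1 record; returns
    'pass', 'fail', 'softfail', 'neutral' or 'none' (no record)."""
    record = txt_answers.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.IPv4Address(sender_ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = addr in ipaddress.IPv4Network(mech[4:], strict=False)
        elif mech == "a" or mech.startswith("a:"):
            matched = str(addr) in a_answers.get(mech[2:] or domain, set())
        elif mech == "all":
            matched = True
        else:
            continue  # include:, mx:, exists: etc. are not modelled here
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"
```

With the constructed answers, the WAN IP is listed, has valid forward-confirmed rDNS, and passes SPF via the a:mail.tajtv.com mechanism, while an unrelated address fails on the -all.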