Solved

Spam block list

Posted on 2009-07-08
23
672 Views
Last Modified: 2013-12-09
My firewall WAN port IP is listed in a spam blocklist. Do I need to worry?

Check image.
0
Comment
Question by:VINOD MORE
23 Comments
 
LVL 9

Accepted Solution

by:
dexIT earned 50 total points
0
 
LVL 1

Author Comment

by:VINOD MORE
I used http://www.mxtoolbox.com
and I see the IP listed in 4 spam blocking sites.

Now what next...
0
 
LVL 1

Author Comment

by:VINOD MORE
Have I posted this in the correct zones?
0
 
LVL 1

Author Comment

by:VINOD MORE
OK

Any comments?
0
 
LVL 1

Author Comment

by:VINOD MORE
Anybody??
0
 
LVL 19

Assisted Solution

by:Redimido
Redimido earned 200 total points
Hi

You need to get off those lists as soon as possible.

So, the next step is to go to each of those lists and investigate WHY they tagged you. It can be that your mail server is sending spam (due to a vulnerability, or an internal PC that is virus-infected, owned, etc.), or maybe because your WAN port is connected to a DSL dynamic IP, in which case you will never be off that kind of list. (For dynamic IPs, you can use an email forwarding service like the one offered by dyndns.com or dnsmadeeasy.com.)

Hope that helps.
0
 
LVL 1

Author Comment

by:VINOD MORE
Our mail server is in Dubai, and we are in India. Postfix is our mail server and we have POP3 accounts.

BTW
I have heard that to resolve this issue I have to configure the firewall's WAN port IP with a reverse DNS entry.
So what should the reverse DNS entry be??

What is email forwarding? Details please?
0
 
LVL 1

Author Comment

by:VINOD MORE
Any more comments?
0
 
LVL 8

Assisted Solution

by:NotLogical
NotLogical earned 250 total points
Hi vinodmore,

Usually DNS works in the forward direction by converting a human-friendly name to an IP. A reverse DNS entry is a mapping which will turn something like: system.someisp.com into 206.54.122.12.

This is very useful for mail delivery: MX (mail exchangers) are normally identified by name (to keep things easy for humans), but the MTA (mail transport agents) effectively require an IP address...

The reason that you need a qualified RDNS for your mail server, is a lot of SPAM filters simply reject mail which comes in from a server with no RDNS, or from an address which is tied to a dynamic address pool (DSL modems, dial-up modems, PPP connections). The RDNS should identify your sending server as belonging to your corporate domain.

As one of the previous experts indicated (this is very important!), you will most likely not be able to assign your own RDNS, if the IP you are using belongs to some dynamic address.

If you are able to provide some more information about your IP address and domain name, I could help. Otherwise, it will be difficult without some tangible information.

Regards,

NotLogical
0
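To make the reverse-DNS and blocklist mechanics above concrete, here is an added example (not code from the thread or from any of the experts) showing how a PTR lookup and a DNSBL lookup are formed for an IPv4 address: both reverse the octets and append a zone, and a blocklist answers with a small 127.0.0.x code when the address is listed. Name resolution is injected as a callable, so the code runs offline against constructed DNS data; the hostnames, blocklist zones (`bl-one.example`, `bl-two.example`) and the second address 198.51.100.9 are all constructed for the example.

```python
"""Added example (not from the thread): how reverse DNS and DNS-based
blocklist lookups are formed for an IPv4 address, with name resolution
injected so the code runs offline against constructed DNS data.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

# A resolver takes (name, record type) and returns the record strings, or [].
Resolver = Callable[[str, str], List[str]]


def ptr_name(ip: str) -> str:
    """Name queried for reverse DNS: '12.122.54.206.in-addr.arpa' for 206.54.122.12."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Blocklist lookups use the same trick: reversed octets prefixed to the list's zone."""
    reversed_octets = ".".join(reversed(ip.split(".")))
    return f"{reversed_octets}.{zone}"


def reverse_name(ip: str, resolve: Resolver) -> Optional[str]:
    """PTR target for ip, or None when the address has no reverse entry."""
    answers = resolve(ptr_name(ip), "PTR")
    return answers[0] if answers else None


def rdns_is_forward_confirmed(ip: str, resolve: Resolver) -> bool:
    """Forward-confirmed reverse DNS: the PTR gives a name whose A record points
    back at ip. Receiving MTAs that check RDNS usually want this round trip to succeed."""
    name = reverse_name(ip, resolve)
    return name is not None and ip in resolve(name, "A")


def check_blocklists(ip: str, zones: List[str], resolve: Resolver) -> Dict[str, Optional[str]]:
    """Zone -> listing code (an A record such as '127.0.0.2') or None when not listed."""
    return {zone: (resolve(dnsbl_query_name(ip, zone), "A") or [None])[0] for zone in zones}


# Constructed sample DNS data: example hostnames and blocklist zones, not real listings.
SAMPLE_DNS = {
    ("12.122.54.206.in-addr.arpa", "PTR"): ["mail.example.com"],
    ("mail.example.com", "A"): ["206.54.122.12"],
    # 198.51.100.9 (constructed) has no PTR record and is listed on one of the two lists.
    ("9.100.51.198.bl-one.example", "A"): ["127.0.0.2"],
}

BLOCKLIST_ZONES = ["bl-one.example", "bl-two.example"]


def sample_resolver(name: str, rrtype: str) -> List[str]:
    """Stand-in for a real DNS client; answers only from the constructed table."""
    return SAMPLE_DNS.get((name, rrtype), [])


if __name__ == "__main__":
    for ip in ("206.54.122.12", "198.51.100.9"):
        print(ip, "PTR ->", reverse_name(ip, sample_resolver),
              "| forward-confirmed:", rdns_is_forward_confirmed(ip, sample_resolver),
              "| blocklists:", check_blocklists(ip, BLOCKLIST_ZONES, sample_resolver))
```

Swapping `sample_resolver` for a real DNS client turns this into the same check mxtoolbox performs; the listing code returned by a blocklist (here `127.0.0.2`) usually encodes the reason for the listing, which is the first thing to read before asking for removal.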
 
LVL 1

Author Comment

by:VINOD MORE
OK, here is the whole story.

We don't have a mail server at our location (Mumbai, India); our mail server is in Dubai and we have configured POP3 accounts on it. The mail server is Postfix.

We just have an Internet leased line with a firewall in between.
So the firewall's WAN port IP, which is x.x.x.x, gets listed in spam blocking sites.
If the IP gets listed on these sites, outgoing mails are blocked.

We don't have any domain or mail server at our location; we are just in a work-group environment.

So I want to resolve this issue of the IP getting listed in spam blocking sites.

@ NotLogical
The IP has been provided by the ISP; we have an Internet leased line.
0
 
LVL 8

Assisted Solution

by:NotLogical
NotLogical earned 250 total points
Hi vinodmore,

I do understand what you are trying to accomplish...

As far as I can tell, you have two options:
* Ask the ISP to provide you another IP address. There is a chance that the address you received was blacklisted some time ago for distributing SPAM. Before you accept your new address, check to ensure it is not blacklisted. Here is another question: is there a chance that the whole ISP is blacklisted? If so, you will have a very hard time to get your IP off the blacklist. This should be your ISP's job - not yours.
* Work through some of the blacklists (again, this was suggested previously) to see why the blocking came into effect. You can contact various blacklist owners to let them know that you are a new owner of the IP, and ask them to remove you.

Again, I could help you with things, but without an exact IP, it will be difficult (all I see on my side is a bunch of "x's").

Cheers,

NotLogical
0
 
LVL 1

Author Comment

by:VINOD MORE
@ NotLogical

I guess the IP was not blacklisted previously. Also, as you say, even if I ask for a new IP, that might get listed too in a few days' or weeks' time, so that won't be a permanent solution. The ISP may not help in fixing blacklisting because they just take care of the link being up or down.

Do you think any internal system infected with a virus/worm/trojan/botnet could be sending spam mails, so the IP gets listed? For info, we use Symantec Endpoint Protection 11.

OK, the IP is 114.143.226.235
0
 
LVL 8

Assisted Solution

by:NotLogical
NotLogical earned 250 total points
Hi vinodmore,

One of the common reasons for having your IP blacklisted, is running an open-relay SMTP server. This can happen if there is a misconfiguration of the server, or a relaying policy is not in place.

An open relay allows a third-party to send emails through your mail server. It makes it appear as if you (your company, or people in your organization) are sending SPAM. This can be fixed by tweaking Postfix's configuration. Please see here: http://www.postfix.org/SMTPD_ACCESS_README.html

I would also suggest that you look at Postfix's logs. Does it appear that you have lots of email being sent through your server - more than you expect?

If you are suspicious about malware on your network, here is a very effective way of dealing with it:
* Add a rule on your firewall to limit outgoing SMTP connections to ONLY reach your Postfix mail server. This is good policy regardless: your Postfix server should be sending/receiving all outgoing mail for your organization.
* Add a rule so that your firewall logs all denied connections. Look at this list: if you seem to have more than a couple of connections per hour, you may have a problem.

Also, I am not able to reach the IP you specified. I could only perform a limited amount of research.

It would appear that your specific address is listed as delivering SPAM. Please check some of the points indicated above. Once you are sure that everything is okay on your side, request for your IP to be removed from the blacklists. If everything on your side is clean, you will be good to go!

Also - very importantly: there is no RDNS for your IP block. I cannot stress the importance of having proper RDNS...

Regards,

NotLogical
0
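The two firewall rules suggested above (allow outbound SMTP only to the organisation's mail server, log every denied connection, then look for hosts that trip the deny rule more than a couple of times an hour) can be checked mechanically. The following is an added example, not code from the thread or from Cyberoam: the egress decision is written as a function, and a small parser counts denied outbound port-25 connections per internal host and hour over constructed log lines. The key=value log format is an assumption made for the example and is not the UTM's real syslog format; the addresses (10.0.0.0/24 office LAN, 203.0.113.10 as the mail server, 198.51.100.0/24 as outside hosts) are constructed.

```python
"""Added example (not from the thread): NotLogical's two firewall rules as an
egress decision function, plus a check over denied-connection log lines that
flags internal hosts opening more outbound SMTP connections per hour than a
small threshold. The log format is a constructed key=value style, not Cyberoam's.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple

SMTP_PORTS = {25}  # the rule in the thread limits port 25 only

# Constructed addresses: 10.0.0.0/24 is the office LAN, 203.0.113.10 stands in for the mail server.
MAIL_SERVER = "203.0.113.10"


def egress_decision(src: str, dst: str, dport: int, mail_server: str = MAIL_SERVER) -> str:
    """Rule 1: SMTP may leave the network only towards the organisation's mail server.
    Rule 2: any other SMTP connection is denied (and, per the thread, logged)."""
    if dport in SMTP_PORTS:
        return "allow" if dst == mail_server else "deny"
    return "allow"  # non-SMTP traffic is outside the scope of these two rules


# Timestamp is captured only down to the hour so counts bucket per hour.
LOG_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} action=(?P<action>\w+) "
    r"src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """One log line -> dict of fields, or None when the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def denied_smtp_per_host_hour(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Count denied outbound SMTP connections per (internal host, hour)."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "deny" and rec["dport"] in SMTP_PORTS:
            counts[(rec["src"], rec["hour"])] += 1
    return dict(counts)


def suspicious_hosts(lines: Iterable[str], per_hour_threshold: int = 2) -> Set[str]:
    """Hosts exceeding the threshold in any hour: candidates for a malware check."""
    return {src for (src, _hour), n in denied_smtp_per_host_hour(lines).items()
            if n > per_hour_threshold}


# Constructed log sample: one host hitting many outside MXs on port 25, one stray
# client, one allowed delivery to the mail server, and unrelated port-80 noise.
SAMPLE_LOG = """\
2009-07-08T09:00:12 action=allow src=10.0.0.12:51000 dst=203.0.113.10:25
2009-07-08T09:01:40 action=deny src=10.0.0.7:40001 dst=198.51.100.21:25
2009-07-08T09:02:03 action=deny src=10.0.0.7:40002 dst=198.51.100.22:25
2009-07-08T09:02:15 action=deny src=10.0.0.7:40003 dst=198.51.100.23:25
2009-07-08T09:05:51 action=deny src=10.0.0.7:40004 dst=198.51.100.24:25
2009-07-08T09:10:09 action=deny src=10.0.0.12:51002 dst=198.51.100.30:25
2009-07-08T09:11:00 action=deny src=10.0.0.5:52000 dst=198.51.100.40:80
2009-07-08T10:00:30 action=deny src=10.0.0.7:40005 dst=198.51.100.25:25
"""

if __name__ == "__main__":
    print(egress_decision("10.0.0.12", MAIL_SERVER, 25), egress_decision("10.0.0.7", "198.51.100.21", 25))
    print(denied_smtp_per_host_hour(SAMPLE_LOG.splitlines()))
    print("investigate:", sorted(suspicious_hosts(SAMPLE_LOG.splitlines())))
```

A single denied connection (10.0.0.12 above) is usually a client pointed at the wrong SMTP server; a host that keeps opening connections to many different outside addresses on port 25 within the same hour (10.0.0.7) is the pattern that gets a leased-line address listed, and is the machine to pull off the network and scan first.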
 
LVL 19

Assisted Solution

by:Redimido
Redimido earned 200 total points
Hi

Your problem is that you are using a leased line to send your emails.
That is the wrong approach, because as I commented, leased-line IP blocks are usually treated as all-spam generators.

Your best bet is to configure the email server in Dubai to accept SMTP-AUTH (which it could be accepting already, as is very usual) and then configure your local Postfix to RELAY to the Dubai server. That server will in turn relay your email to the Internet.
To do that, here is a howto:
http://www.cyberciti.biz/faq/postfix-smtp-authentication-for-mail-servers/

Another approach is to lease a fixed IP address from your ISP and request reverse DNS.
Normal DNS is name -> IP.
Reverse DNS is IP -> name, and is used to verify you have a fixed IP assigned, as 95%++ of spam is coming from leased lines.

Hope this helps.
Regards!
0
 
LVL 1

Author Comment

by:VINOD MORE
@ NotLogical

The server doesn't look to be an open-relay SMTP server.
Tested on the website www.mxtoolbox.com; check the image attached.

No idea about server-side Postfix issues, because the server is not managed by myself.

About adding a rule: I use a Cyberoam C25i UTM box.
Any ideas how to configure it in that? Would be a great help.

About reverse DNS
You are saying that it's not required in my case to resolve the issue.

@ Redimido
Leased lines are problems??
But this is a common type of Internet connectivity in India for corporates.
I don't think there's any alternative to this.

We don't have any local Postfix server or mail server or domain; we are in a plain work-group environment.

My previous ISP configured mail.tajtv.com as a reverse DNS entry for me.

This is getting quite tricky. Huuhh
0
 
LVL 1

Author Comment

by:VINOD MORE
Image attached
SMTP-diag.JPG
0
 
LVL 8

Assisted Solution

by:NotLogical
NotLogical earned 250 total points
Hi vinodmore,

I do not have any ideas about your UTM box, without some documentation.

I looked at the blacklist status of your Postfix server. It is only listed on one blacklist. I still would ask whomever is running this server to check the logs, to ensure that some other user is not abusing it. Otherwise, you will end up on more blacklists. You can then request to be removed from the list...

Here is another change you should make - I alluded to it earlier. Please use your Postfix server as your outgoing SMTP server for all of your in-house mail clients. Two reasons for this:
1. Because your UTM IP address is blacklisted (a lot of dynamic ranges are perpetually blacklisted).
2. It is good practice to use a single outgoing mail server. This could be your incoming mail server or your ISP's mail server.

If you can, block all other outgoing connections on port 25. Limit them to only reach your Postfix server.

Based on all of this, unless you have an outgoing SMTP server behind your UTM, there should be no reason for worrying that your UTM IP is blacklisted.

Cheers,

NotLogical
0
 
LVL 19

Assisted Solution

by:Redimido
Redimido earned 200 total points
Hey vinodmore, I think I confused a leased line with DSL or dynamic IP access.

If you have a fixed IP you can ask your ISP to add reverse DNS for you to the mail.tajtv.com domain.

However, it is good to create an SPF record in your DNS to tell the other email servers that the Dubai server and this Postfix server can send emails from the tajtv.com domain.

These sites can help to create the SPF record:
https://support.fluidhosting.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=230
http://www.openspf.org/
and some graphic explanation from Microsoft (the one who pushed for SPF):
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
0
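The SPF record recommended above authorises a fixed set of sending addresses for the domain, and a receiving server evaluates it against the IP that connected to it. The following added example (not code from the thread or from the linked SPF sites) builds such a record for tajtv.com with the two sending servers and evaluates it the way a receiver would. Only the `ip4` and `all` mechanisms are implemented, which is all a two-fixed-address record needs; `a`, `mx` and `include` require DNS lookups and are treated as non-matching here. 114.143.226.235 is the leased-line address given in the thread; 203.0.113.10 is a constructed stand-in for the Dubai server, whose address the thread does not give.

```python
"""Added example (not from the thread): building the SPF record Redimido
recommends for tajtv.com and evaluating it for a connecting IP the way a
receiving server would. Only the ip4 and all mechanisms are implemented.
"""
import ipaddress
from typing import List

# SPF qualifier -> result name (RFC 7208 section 4.6.2)
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def build_spf(ip4_senders: List[str], default: str = "-all") -> str:
    """TXT record value authorising exactly the listed addresses or CIDR blocks;
    '-all' (hard fail) for everything else, or '~all' (soft fail) while testing."""
    return " ".join(["v=spf1"] + [f"ip4:{s}" for s in ip4_senders] + [default])


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Walk the mechanisms left to right; the first match decides the result.
    No mechanism matching at all yields 'neutral' (RFC 7208 section 4.7)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means pass on match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "ip4" and arg:
            net = ipaddress.ip_network(arg if "/" in arg else f"{arg}/32", strict=False)
            matched = ip in net  # False for an IPv6 sender against an ip4 term
        elif mech == "all":
            matched = True
        else:
            matched = False  # a / mx / include / exists need DNS; not evaluated here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


# 114.143.226.235 is the leased-line IP from the thread; 203.0.113.10 is a
# constructed stand-in for the Dubai server, whose address the thread does not give.
TAJTV_SENDERS = ["203.0.113.10", "114.143.226.235"]
TAJTV_SPF = build_spf(TAJTV_SENDERS)  # published as: tajtv.com. IN TXT "<this string>"

if __name__ == "__main__":
    print(TAJTV_SPF)
    for ip in ("114.143.226.235", "203.0.113.10", "198.51.100.9", "2001:db8::1"):
        print(ip, "->", evaluate_spf(TAJTV_SPF, ip))
```

With `-all` a receiver that enforces SPF rejects mail claiming to be from tajtv.com that arrives from any other address, which also stops third parties forging the domain; publishing `~all` first and watching bounces for a while is the usual way to confirm every legitimate sender has been listed before switching to `-all`.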
 
LVL 1

Author Comment

by:VINOD MORE
Now, experts, finally what do you suggest I do to resolve the issue?
0
 
LVL 8

Assisted Solution

by:NotLogical
NotLogical earned 250 total points
Summarizing the ideas of all the Experts:

- Ensure you have proper RDNS on your Postfix server.
- Add an SPF record to your DNS for your Postfix server.
- Do not send email directly from your leased-line. Use your Postfix server as an incoming and outgoing server.
- If you are unable to go through your Postfix server as outgoing, use your upstream ISP's (the one which provided you the leased line) mail server as an outgoing server.

Once this is configured correctly, you will have better results.

Other Experts - have I missed something?

Thanks,

NotLogical
0
 
LVL 19

Assisted Solution

by:Redimido
Redimido earned 200 total points
I mostly agree with NotLogical.

The fact is I do not see any big trouble. As an email administrator (postmaster) you will very often be in this situation. There will be many false positives that you will solve very easily, but the general recommendations to minimize problems are the ones NotLogical recommended.

I would still want to categorize a little further:

If you want to use your leased line to send emails for the same domain that has its server in Dubai, then there should not be any problem provided you:
   1. add the SPF record to your DNS to tell the other servers BOTH servers are allowed to send email, the Dubai one and this Postfix server
   2. have the RDNS set correctly for your Postfix server.

If you do not want to do that, then configure your Postfix to forward all email to the Dubai server and have that one send the emails (I would not recommend that solution since you will increase the traffic and it is not necessary).
0
