Solved

SBS 2008 Exchange Server being Blacklisted

Posted on 2010-09-22
16
1,008 Views
Last Modified: 2012-05-10
Not a good day :(

I've recently installed an SBS08 server running Exchange 2007 at one of my clients. Today they have been black listed on BARRACUDA BRBL. The server is set to use our ISP's smart-host (mail.opptonline.net) and yet it still has gotten blacklisted. I have confirmed in the Send Connector that the smart host is really really there.

I have attached email headers. When the user send an email. exchange pops back the attached message headers.

Domain.com is my company who is sending the mail which is being blocked.
Keyetv.com is the receiving domain of my blocked mails.
Diagnostic information for administrators:

Generating server: mta1.srv.hcvlny.cv.net (tcp-daemon)

MHunter@keyetv.com
mx2.nexstar.tv (TCP|167.206.4.196|44643|72.249.102.22|25) (barracuda2.nexstar.tv ESMTP [aa0f8fe95058f7c9c41d87fb394acd2f]) #<mx2.nexstar.tv (TCP|167.206.4.196|44643|72.249.102.22|25) (barracuda2.nexstar.tv ESMTP [aa0f8fe95058f7c9c41d87fb394acd2f]) #5.0.0 smtp;554 Service unavailable; Client host [mta1.srv.hcvlny.cv.net] blocked using Barracuda Reputation; http://bbl.barracudacentral.com/q.cgi?ip=96.56.121.10> #SMTP#

Original message headers:

Return-Path: <USER@domain.com>
Received: from tcp-daemon.mta1.srv.hcvlny.cv.net by mta1.srv.hcvlny.cv.net
 (Sun Java System Messaging Server 6.2-8.04 (built Feb 28 2007)) id
 <0L960038R2QOU000@mta1.srv.hcvlny.cv.net>; Wed, 22 Sep 2010 17:08:48 -0400
 (EDT)
Received: from remote.domain.com (mail.domain.com [96.56.121.99])
 by mta1.srv.hcvlny.cv.net
 (Sun Java System Messaging Server 6.2-8.04 (built Feb 28 2007))
 with ESMTP id <0L96003A12QN6KT0@mta1.srv.hcvlny.cv.net> for
 USER@keyetv.com; Wed, 22 Sep 2010 17:08:48 -0400 (EDT)
Received: from DCWSBS08.domain.local ([fe80::842a:a619:3a60:40e4])
 by DCWSBS08.domain.local ([fe80::842a:a619:3a60:40e4%10]) with mapi; Wed,
 22 Sep 2010 17:08:47 -0400
Date: Wed, 22 Sep 2010 17:08:44 -0400
From: Jane Doe <USER@domain.com>
Subject: FW: Post and Pre Logs for Deluxe
To: "USER@keyetv.com" <USER@keyetv.com>
Message-ID: <A947870028054547BFBCBBD69A1D430F37EDD56D@DCWSBS08.dcwcorp.local>
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="Boundary_(ID_+Uh/6Nr3XbRvwhWHvPgpTQ)"
Content-Language: en-US
Importance: high
Accept-Language: en-US
X-Priority: 1
Thread-topic: Post and Pre Logs for Deluxe
Thread-index: ActUPqy8ZLdBvQ1mQ7miHd+tQtynqQBcIsUAATq8UGAAAAgbsA==
acceptlanguage: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Reporting-MTA: dns; mta1.srv.hcvlny.cv.net (tcp-daemon)

Final-recipient: RFC822; USER@keyetv.com
Action: failed
Status: 5.0.0
Remote-MTA: dns; mx2.nexstar.tv (TCP|167.206.4.196|44643|72.249.102.22|25)
(barracuda2.nexstar.tv ESMTP [aa0f8fe95058f7c9c41d87fb394acd2f])
X-Supplementary-Info: <mx2.nexstar.tv
(TCP|167.206.4.196|44643|72.249.102.22|25) (barracuda2.nexstar.tv ESMTP
[aa0f8fe95058f7c9c41d87fb394acd2f]) #5.0.0 smtp;554 Service unavailable;
Client host [mta1.srv.hcvlny.cv.net] blocked using Barracuda Reputation;
http://bbl.barracudacentral.com/q.cgi?ip=96.56.121.99>

Open in new window

0
Comment
Question by:VCSLI
  • 6
  • 6
16 Comments
 
LVL 4

Expert Comment

by:cmartell
ID: 33740692
Your smart host (8.5.1.44) is not blacklisted.  It looks like the culprit IP was 96.56.121.99 but it is not blacklisted now so it looks like Barracuda has delisted the IP and you should be able to send that email now.

You can check your IPs here:
http://www.barracudacentral.org/lookups/ip-reputation

or use the last line in the header
http://bbl.barracudacentral.com/q.cgi?ip=96.56.121.99
0
 

Author Comment

by:VCSLI
ID: 33740700
I change the IP for the post due to privacy. The real IP is 96.56.121.10. It is Blacklisted.

Barracuda has removed it but now Tiopan has added it.
0
 
LVL 4

Accepted Solution

by:
cmartell earned 500 total points
ID: 33740778
Your ip may have been used by a spammer previously if you are bing blacklisted everywhere.  Or possibly your ISP allowed spamming activity and the whole range of IPs is blacklisted.

Herre are instructions to be delisted from Tiopan
http://www.tiopan.com/blacklist.php
0
 

Author Comment

by:VCSLI
ID: 33740809
I have already emailed them.

The point is, how do i prevent the server from being blacklisted? I thought using a smart-host was enough since email isn't seen as being sent from the server. If i change the PTR, will that help? What shall i change it to? remote.domain.com (mail server address)? If i have to fight daily with blacklists, thats not going to be a good thing...

I can hear angry people already. :(

There has to be a way to prevent this from happening to begin with.
0
 
LVL 4

Assisted Solution

by:cmartell
cmartell earned 500 total points
ID: 33740851
blacklists go by reputation.  If you are constantly being blacklisted then someone in your organization is spamming or your ISP has a reputation for allowing spamming.  Blacklists can make mistakes but if it happens frequently then you have to do some investigating to find out why.  There is nothing yo can do to prevent being blacklisted other than ensuring that there is no spam originating from your IP.

I suppose you could add an SPF record to your DNS to be sure somebody isn't forging your domain into their spam email headers.
http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
0
 

Author Comment

by:VCSLI
ID: 33740856
The network is entirely clean. There are no non domain joined computers on it. All client computers are running fully updated AV software. The setup is less than a week old.
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 3

Expert Comment

by:scraane
ID: 33742295
Well, to be save, if you have a firewall, just block port 25 outgoing. Only open it for your SBS server.

I had a client with up to date AV, but still one desktop was spamming.
0
 

Author Comment

by:VCSLI
ID: 33749580
Port 25 blocked on all but the server. I enabled logging to tell me which machine is trying to send out on the port. Hopefully this will shed some light if this is indeed the issue. Will post back in a few days.
0
 
LVL 4

Assisted Solution

by:cmartell
cmartell earned 500 total points
ID: 33750617
There probably isn't anything wrong with your network if it's only a week old.  It culd be that a range of IPs is blacklisted and youre on that range.  If you continue to be blacklisted I would call your ISP.  
0
 

Author Closing Comment

by:VCSLI
ID: 33758945
Ok well  have blocked port 25 on all outbound traffic except the Exchange server. Will see how things go. Thanks everyone for the advice.
0
 

Author Comment

by:VCSLI
ID: 33760367
I have not seen anything pop up in the firewall log. It doesn't seem like any computer in the network was ever sending out on port 25. I cant say for sure if its resolved or if we'll be blacklisted again next week. Will have to see how things go. The advice offered was all very well written and well understood, but i dont know if it specifically solved my issue.
0
 
LVL 4

Assisted Solution

by:cmartell
cmartell earned 500 total points
ID: 33761211
Like I said in my first posts, you "resolve " the issue by going to the RBL website and asking them to delist your IP.  There is nothing else you can do short of getting a new IP (which may not help if you are on a range of black listed IPs) or going to a different ISP.  If the previous owner of your IP was a spammer then you are probably on a bunch of black lists and you will have to request removal as you discover them.
0
 
LVL 4

Expert Comment

by:cmartell
ID: 33761233
I provided you with a resolution and you awarded the points to scraane who only gave you a troubleshooting tip to see if there was a problem on your network.  If you had found a problem then you could have taken advice from scraane or someone else to fix it and awarded the points accordingly but there is no problem on your network so as it stands I have provided the only resolution.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Check out this infographic on what you need to make a good email signature that will work perfectly for your organization.
Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
In this video we show how to create a mailbox database in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Servers >> Data…
This video discusses moving either the default database or any database to a new volume.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now