Solved

Delivery Status Notification Delay

Posted on 2010-09-23
Last Modified: 2012-05-10
I asked this question before but kind of gave up.  My SMTP server seems to be blacklisted on backscatter.org.  Here is what it says on their site:  

 
Testresult for 67.200.162.XXX

This IP IS CURRENTLY LISTED in our Database.
Please note that this listing does not mean you are a spammer, it means your mailsystem is either poorly configured or it is using abusive techniques.
If you don't know what BACKSCATTER or Sender Callouts are, click the links above to get clue how to stop that kind of abuse.


To track down what happened investigate your smtplogs near 08.09.2010 15:13 CEST +/-1 minute.

You will either find that your system tried to send bounces or autoresponders to claimed but in reality faked senders, or your system tried sender verify callouts against our members near that time.

So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM and which got rejected at remote systems.

Read the rejection texts carefully and it shouldn't be a big deal to figure out what caused or renewed your listing.


History:
20.04.2009 13:26 CEST	listed	
03.10.2009 15:25 CEST	expired	
05.01.2010 01:05 CET	listed	
02.02.2010 01:25 CET	expired	
02.02.2010 04:59 CET	listed	
02.03.2010 05:25 CET	expired	
29.05.2010 11:25 CEST	listed	
26.06.2010 12:25 CEST	expired	
29.06.2010 17:51 CEST	listed	

A total of 11 Impacts were detected during this listing. Last was 08.09.2010 15:13 CEST +/- 1 minute.
Earliest date this IP can expire is 06.10.2010 15:13 CEST.



This IP is temporary listed.
The listing will expire automatically and free of charge 4 weeks after the last abuse is seen from that IP.
Expedited manual expressdelisting is available as an option, in case you do not want to wait for the automatic and free expiration.
You will be charged 101 USD using one of the following payment services.
WARNING: Before requesting expressdelisting make sure the problem which caused the listing is fixed, otherwise you are at risk to get listed again if new abuse becomes known.



Notice how the most recent problem was on 9-8-10.  I have no idea what is causing this problem.  I didn't know how to find my SMTP exchange logs, but looked it up and apparently it was logging nothing.  So I turned them on with IIS setting enabled and set them to hourly.  Please, someone make a suggestion to track down my problem.  I am sure no one on our domain is spamming, and my wifi encryptions would take months to crack...  Surely it's a simple problem?

Thanks
Question by:clcinc
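
An added example, not part of the original question: one way to run the search the listing notice asks for, i.e. find outbound mail with a null or postmaster envelope sender that a remote server rejected near the listed time. It assumes the IIS SMTP service W3C extended log (UTC timestamps, `OutboundConnectionCommand` / `OutboundConnectionResponse` entries in `cs-username`); the sample lines, addresses and the function name `rejected_bounces` are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (not the asker's data): IIS SMTP W3C log, reduced field set, times in UTC.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-port cs-method cs-uri-query
2010-09-08 09:00:01 192.0.2.44 OutboundConnectionCommand 25 MAIL FROM:<>
2010-09-08 09:00:02 192.0.2.44 OutboundConnectionResponse 25 - 550+5.1.1+User+unknown
2010-09-08 13:12:40 198.51.100.7 OutboundConnectionCommand 25 MAIL FROM:<>+SIZE=3120
2010-09-08 13:12:40 198.51.100.7 OutboundConnectionResponse 25 - 250+2.1.0+Sender+OK
2010-09-08 13:12:41 198.51.100.7 OutboundConnectionCommand 25 RCPT TO:<forged@thirdparty.example>
2010-09-08 13:12:41 198.51.100.7 OutboundConnectionResponse 25 - 550+5.7.1+bounce+to+forged+sender+refused
2010-09-08 13:13:30 203.0.113.9 OutboundConnectionCommand 25 MAIL FROM:<alice@example.org>
2010-09-08 13:13:31 203.0.113.9 OutboundConnectionResponse 25 - 550+5.1.1+User+unknown
"""

# The listing quotes local time: 08.09.2010 15:13 CEST (UTC+2), i.e. 13:13 UTC in the log.
LISTING_TIME = datetime(2010, 9, 8, 15, 13, tzinfo=timezone(timedelta(hours=2)))


def rejected_bounces(log_text, around, slack=timedelta(minutes=2)):
    """Find outbound mail with a null or postmaster envelope sender that a remote
    server answered with 4xx/5xx within `slack` of `around` (aware datetime)."""
    fields, sender_by_ip, hits = [], {}, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order comes from the log itself
            continue
        parts = line.split()
        if line.startswith("#") or len(parts) != len(fields) or not fields:
            continue  # other directives, blank or truncated lines
        row = dict(zip(fields, parts))
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        ip, kind, query = row["c-ip"], row["cs-username"], row["cs-uri-query"]
        if kind == "OutboundConnectionCommand" and row["cs-method"].upper() == "MAIL":
            # Remember the envelope sender of the message now going to this remote IP.
            sender_by_ip[ip] = query.split("+")[0][len("FROM:"):].lower()
        elif kind == "OutboundConnectionResponse" and query[0] in "45":
            sender = sender_by_ip.get(ip, "")
            is_bounce = sender == "<>" or sender.startswith("<postmaster@")
            if is_bounce and abs(ts - around) <= slack:
                hits.append((ts.isoformat(), ip, sender, query.replace("+", " ")))
    return hits


if __name__ == "__main__":
    for hit in rejected_bounces(SAMPLE_LOG, LISTING_TIME):
        print(*hit, sep=" | ")
```

Tracking the sender per remote IP is a simplification: two simultaneous sessions to the same remote host can interleave in the log, so confirm any hit against the surrounding lines.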
25 Comments
 
LVL 3

Expert Comment

by:init2winit_Dan
Please check your domain name at mxtoolbox.com.

Author Comment

by:clcinc
That's how I found out that I was blacklisted on backscatter.  It says I am listed on there.  The code posted above is the result of clicking detail and testing at http://www.backscatterer.org/?ip=67.200.162.XXX .

LVL 28

Expert Comment

by:sunnyc7
Do you have a public IP, or are you using the random IP assigned by ADSL/SDSL?

Rather than pay $100 to back scatterer - I'd get a public IP from ISP.

Author Comment

by:clcinc
I don't understand that question sunnyc7.  Do you mean get a new IP address assigned to me from my ISP?  Would that not cause all kinds of config issues on my server?  I'm really new to this section of the field and apologize if I seem ignorant.

thanks

LVL 28

Expert Comment

by:sunnyc7
Backscatter has listed your IP for ABC reasons
 http://www.backscatterer.org/?ip=67.200.162.XXX .

You may / may not be spamming.
a) First check that you have a clean install of Exchange and you have no hygiene issues.
b) Ensure that you are not on an ADSL/SDSL connection where your IP is constantly changing - this will get your IP flagged.

You can spend time with the backscatter guys and try to sort this out, but this doesn't work out in the end.

I'd suggest getting a new static IP from your ISP.
Configure your firewall with the new IP.
Add your ISP's DNS details.
Configure your MX records to point to the new IP.

Before you make this change, sign-up for www.mxsave.com
This will ensure that your emails are not lost when you are making the IP change

Check my comment here
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26317605.html

LVL 3

Expert Comment

by:init2winit_Dan
Well, I would test to find out if you're an open relay and try to fix all the problems first. Then request to be de-listed at backscatter and/or change your IP. This is a common problem for SMBs. Also, you may want to find out if your ISP provides you with a relay server; this would allow you to relay to their smart host, which protects your IP from blacklisting.

Author Comment

by:clcinc
Just talked to my ISP and they said that they only issue static IP's.  They said that there is a range of IP addresses already assigned to me and that all I need to do is "open the port and reconfigure my end."  

I'm worried that if I change my IP, this will just happen again, and again.  How can I track down the problem and stop it?

BTW, I entered in the XXX at  the end of my IP.  Not sure why you reposted it?  I just thought maybe you thought that they listed it that way and concluded the ABC blacklist from this.

LVL 3

Expert Comment

by:init2winit_Dan
That is why I would run the SMTP test at mxtoolbox; this will give you some insight into what could be wrong. Also, you need to verify why this is going on before you get a new IP. Some reasons for a blacklist: open relay, viruses (end-users as well), reverse DNS, you use a DHCP IP from your ISP, your IP from your ISP is in a flagged block of IPs due to residential service.

Author Comment

by:clcinc
@init   Here are the results
HELO please-read-policy.mxtoolbox.com
250 clcserver1.morpheus.clcinc.org Hello [10.10.0.2] [31 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 supertool@mxtoolbox.com....Sender OK [47 ms]
RCPT TO: <test@example.com>
530 Relaying not allowed [47 ms]
QUIT
221 2.0.0 clcserver1.morpheus.clcinc.org Service closing transmission channel [47 ms]

I do not understand this but there were no errors returned.  Can you see a problem here?

LVL 3

Expert Comment

by:init2winit_Dan
21      ftp               Success   94 ms
25      smtp              Success   94 ms
80      http              Success   94 ms
110     pop3              Success   94 ms
443     https             Success   94 ms
3389    remote desktop    Success   94 ms

I would change your 3389 port ASAP!
I do not see any problems from the outside, so maybe you were listed from a mass mail that was valid or something. However, I do not believe that you would get hit for a mail relay. If you were to try the path of de-listing with backscatter, I have added your IP to the remove list there. Earliest date this IP can expire is 06.10.2010 15:13 CEST.

LVL 3

Expert Comment

by:init2winit_Dan
At this point, if this is not halting mail from your domain out to folks, I would let it go till the expire date. If it is impacting business, then change your SMTP, POP3, 80 (any mail traffic) to go to a new IP in your block from the ISP. Depending on the firewall, you may have to configure that to take inbound from the new IP to the internal IP of the mail server.

Author Comment

by:clcinc
Would you mind elaborating why RDP on 3389 is not safe?  Do you think this is a part of the reason I am having issues?

LVL 3

Expert Comment

by:init2winit_Dan
Well, it is a well-known port and it has some simple hacks so anyone can remote desktop control the server that is behind that port. What I would do if you need RDP on the outside is, on the server, use regedit to change the port to an unused port; any will do that is not common. Then change your firewall to use the new port. Security in obscurity. Best practice would be not to have the RDP service open to the net, but many orgs do. Just a heads-up security thing. I do not believe the two are related, but I saw it and figured I'd give you a heads up.

Author Comment

by:clcinc

Being listed with Backscatterer probably just means that is spoofing the "From field" of a forged email to be from someone on my domain, correct?  This is causing "backscatter."  So, is there a way on the server to retrieve an email header or something similar to pinpoint the spoof?

I know someone has been doing that in the past, because many users report spam from other users.  

Author Comment

by:clcinc
more info:!
WARNING: mail.clcinc.org points to a CNAME-Record.
This violates RFC 2181 Section 10.2
Please request your Admin or Provider to fix this.

help here please?

LVL 3

Expert Comment

by:init2winit_Dan
You may look up SPF for Exchange 2003. There are some commands in the protocol and the message delivery of EMS that can be changed to configure the server to verify the sender address. Also look up tar-pitting for Exchange 2003; it is a registry hack, but you need Exchange SP2.

LVL 28

Expert Comment

by:sunnyc7
Being listed with Backscatterer probably just means that is spoofing the "From field" of a forged email to be from someone on my domain, correct?  This is causing "backscatter."
>> Wrong.
Backscatterer is a name of the org which is monitoring your subnet.
The general idea is all RBL providers cannot monitor everything.

Here's what backscatter means.
http://en.wikipedia.org/wiki/Backscatter_(e-mail)

Can you run a full virus scan of your Exchange server - just to rule out any virus / trojans causing this?

Author Comment

by:clcinc
I am running the scan now.  I'm sure it will take hours upon hours.  I will get back on the thread tomorrow.  Thanks for the explanation of Backscatter, it is quite helpful.  Could you please tell me how to prevent it?  I know that there is an option on the Wikipedia page, but I'm unsure of which one to use.

LVL 28

Expert Comment

by:sunnyc7
Prevent BackScatter
> use VamSoft ORF

It has out of the box functionality to prevent backscatter and other types of spam

www.vamsoft.com/orf

30 day free trial.
$239 per server
Really cheap and good solution compared to other AVs

Author Comment

by:clcinc
Another guy I work closely with recently installed ASSP. Do you think that it will work to prevent backscatter?

LVL 28

Expert Comment

by:sunnyc7
Can you uninstall that and go with a known solution like Trend / ORF?
No Symantec.

I haven't reviewed ASSP - will check.

Author Comment

by:clcinc
sunny- one more thing, please...   do you know how to fix this:
more info:!
WARNING: mail.clcinc.org points to a CNAME-Record.
This violates RFC 2181 Section 10.2
Please request your Admin or Provider to fix this.

Thanks

LVL 28

Expert Comment

by:sunnyc7
Where are you getting this error?

Author Comment

by:clcinc
The company that is affiliated with backscatterer.  http://www.uceprotect.net/en/rblcheck.php?ipr=67.200.162.154  
It also says that I have had 15 level one spammers within the past 15 days.
The Overview section of this page: http://en.wikipedia.org/wiki/MX_record shows a bit about that error.  
Here is the section 10.2 of RFC 2181, whatever that is:
10.2. PTR records

   Confusion about canonical names has lead to a belief that a PTR
   record should have exactly one RR in its RRSet.  This is incorrect,
   the relevant section of RFC1034 (section 3.6.2) indicates that the
   value of a PTR record should be a canonical name.  That is, it should
   not be an alias.  There is no implication in that section that only
   one PTR record is permitted for a name.  No such restriction should
   be inferred.

   Note that while the value of a PTR record must not be an alias, there
   is no requirement that the process of resolving a PTR record not
   encounter any aliases.  The label that is being looked up for a PTR
   value might have a CNAME record.  That is, it might be an alias.  The
   value of that CNAME RR, if not another alias, which it should not be,
   will give the location where the PTR record is found.  That record
   gives the result of the PTR type lookup.  This final result, the
   value of the PTR RR, is the label which must not be an alias.


Accepted Solution

by:clcinc
Installed ASSP.  This stopped the backscatter.