Delivery Status Notification Delay

I asked this question before but kind of gave up.  My SMTP server seems to be blacklisted on backscatter.org.  Here is what it says on their site:  

 
Testresult for 67.200.162.XXX

This IP IS CURRENTLY LISTED in our Database.
Please note that this listing does not mean you are a spammer, it means your mailsystem is either poorly configured or it is using abusive techniques.
If you don't know what BACKSCATTER or Sender Callouts are, click the links above to get clue how to stop that kind of abuse.


To track down what happened investigate your smtplogs near 08.09.2010 15:13 CEST +/-1 minute.

You will either find that your system tried to send bounces or autoresponders to claimed but in reality faked senders, or your system tried sender verify callouts against our members near that time.

So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM and which got rejected at remote systems.

Read the rejection texts carefully and it shouldn't be a big deal to figure out what caused or renewed your listing.


History:
20.04.2009 13:26 CEST	listed	
03.10.2009 15:25 CEST	expired	
05.01.2010 01:05 CET	listed	
02.02.2010 01:25 CET	expired	
02.02.2010 04:59 CET	listed	
02.03.2010 05:25 CET	expired	
29.05.2010 11:25 CEST	listed	
26.06.2010 12:25 CEST	expired	
29.06.2010 17:51 CEST	listed	

A total of 11 Impacts were detected during this listing. Last was 08.09.2010 15:13 CEST +/- 1 minute.
Earliest date this IP can expire is 06.10.2010 15:13 CEST.



This IP is temporary listed.
The listing will expire automatically and free of charge 4 weeks after the last abuse is seen from that IP.
Expedited manual expressdelisting is available as an option, in case you do not want to wait for the automatic and free expiration.
You will be charged 101 USD using one of the following payment services.
WARNING: Before requesting expressdelisting make sure the problem which caused the listing is fixed, otherwise you are at risk to get listed again if new abuse becomes known.



Notice how the most recent problem was on 9-8-10.  I have no idea what is causing this problem.  I didn't know how to find my SMTP exchange logs, but looked it up and apparently it was logging nothing.  So I turned them on with IIS setting enabled and set them to hourly.  Please, someone make a suggestion to track down my problem.  I am sure no one on our domain is spamming, and my wifi encryptions would take months to crack...  Surely it's a simple problem?

Thanks
0
Asked by: clcinc
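The listing text above tells you exactly what to look for in the SMTP logs: outgoing messages with a NULL sender (MAIL FROM:<>) or from postmaster that remote systems rejected, within about a minute of the timestamp it gives. The script below is an added example for this thread (not the listing service's or any vendor's code) that runs that check over log lines. The log format it parses is a constructed, simplified one (timestamp, direction, sender, recipient, remote reply); the real IIS/Exchange log columns differ, so map the fields accordingly.

```python
"""Scan outbound SMTP log lines for what backscatterer.org tells you to look
for: messages sent with a NULL sender (MAIL FROM:<>) or from postmaster that
a remote system rejected with a 5xx reply, near a given time.

Added example for this thread, not the listing service's or any vendor's code.
The log format is a constructed, simplified one (timestamp, direction, sender,
recipient, remote reply); map the fields to your own server's log columns.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log; times chosen around the 15:13 impact in the listing.
SAMPLE_LOG = """\
2010-09-08T15:11:02 OUT alice@example.org bob@example.net 250 2.0.0 OK queued
2010-09-08T15:12:40 OUT <> forged@example.com 550 5.7.1 Bounce to forged sender rejected
2010-09-08T15:13:05 OUT postmaster@example.org nobody@example.com 554 5.7.1 Backscatter rejected
2010-09-08T15:13:30 OUT <> real-user@example.net 250 2.0.0 OK queued
2010-09-08T16:02:10 OUT <> whoever@example.com 550 5.1.1 User unknown
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+OUT\s+(?P<mail_from>\S+)\s+(?P<rcpt>\S+)\s+(?P<code>\d{3})\s+(?P<text>.*)$"
)


@dataclass
class Suspect:
    when: datetime
    mail_from: str
    rcpt: str
    code: int
    text: str


def is_bounce_sender(mail_from: str) -> bool:
    """True for the null reverse path or a postmaster mailbox: the senders
    that DSNs and autoresponders use, so these are the lines to examine."""
    s = mail_from.strip("<>").lower()
    return s == "" or s.startswith("postmaster@")


def find_backscatter_candidates(log_text: str, around: str = None, minutes: int = 1):
    """Return outbound bounce/autoresponse attempts rejected with 5xx.
    `around` is an ISO timestamp; when given, only lines within +/- `minutes`
    of it are returned (the listing gives exactly such a window)."""
    centre = datetime.fromisoformat(around) if around else None
    suspects = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or inbound line
        code = int(m["code"])
        if not (is_bounce_sender(m["mail_from"]) and 500 <= code <= 599):
            continue
        when = datetime.fromisoformat(m["ts"])
        if centre is not None and abs(when - centre) > timedelta(minutes=minutes):
            continue
        suspects.append(Suspect(when, m["mail_from"], m["rcpt"], code, m["text"]))
    return suspects


if __name__ == "__main__":
    for s in find_backscatter_candidates(SAMPLE_LOG, around="2010-09-08T15:13:00"):
        print(f"{s.when:%Y-%m-%d %H:%M:%S} from={s.mail_from} to={s.rcpt} {s.code} {s.text}")
```

Run it against a day's worth of outbound log lines with `around` set to the impact time from the listing; the rejection texts on the matching lines say which remote system refused the bounce and why, which is what the listing page asks you to read.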
1 Solution
 
init2winit_DanCommented:
please check your domain name at mxtoolbox.com
0
 
clcincAuthor Commented:
That's how I found out that I was blacklisted on backscatter.  It says I am listed on there.  The code posted above is the result of clicking detail and testing at http://www.backscatterer.org/?ip=67.200.162.XXX .
[attachment: ee.bmp]
0
 
sunnyc7Commented:
Do you have a public IP, or are you using the random IP assigned by ADSL/SDSL?

Rather than pay $100 to back scatterer - I'd get a public IP from ISP.
0

 
clcincAuthor Commented:
I don't understand that question sunnyc7.  Do you mean get a new IP address assigned to me from my ISP?  Would that not cause all kinds of config issues on my server?  I'm really new to this section of the field and apologize if I seem ignorant.

thanks
0
 
sunnyc7Commented:
Backscatter has listed your IP for ABC reasons
 http://www.backscatterer.org/?ip=67.200.162.XXX .

You may / may not be spamming.
a) First check that you have a clean install of Exchange and you have no hygiene issues.
b) Ensure that you are not on an ADSL/SDSL connection where your IP is constantly changing - this will get your IP flagged.

You can spend time with the backscatter guys and try to sort this out, but this doesn't work out in the end.

I'd suggest getting a new static IP from your ISP.
Configure your firewall with the new IP.
Add your ISP's DNS details.
Configure your MX records to point to the new IP.

Before you make this change, sign-up for www.mxsave.com
This will ensure that your emails are not lost when you are making the IP change

Check my comment here
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26317605.html
0
 
init2winit_DanCommented:
Well, I would test to find out if you're an open relay and try to fix all the problems first. Then request to be de-listed at backscatter and/or change your IP. This is a common problem for SMBs. Also you may want to find out if your ISP provides you with a relay server; this would allow you to relay to their smart host, which protects your IP from blacklisting.
0
 
clcincAuthor Commented:
Just talked to my ISP and they said that they only issue static IPs.  They said that there is a range of IP addresses already assigned to me and that all I need to do is "open the port and reconfigure my end."

I'm worried that if I change my IP, this will just happen again, and again.  How can I track down the problem and stop it?

BTW, I entered in the XXX at  the end of my IP.  Not sure why you reposted it?  I just thought maybe you thought that they listed it that way and concluded the ABC blacklist from this.
0
 
init2winit_DanCommented:
That is why I would run the SMTP test at mxtoolbox; this will give you some insight into what could be wrong. Also you need to verify why this is going on before you get a new IP. Some reasons for blacklisting: open relay, viruses (end-users as well), reverse DNS, you use a DHCP IP from your ISP, your IP from your ISP is in a flagged block of IPs due to residential service.
0
 
clcincAuthor Commented:
@init   Here are the results
HELO please-read-policy.mxtoolbox.com
250 clcserver1.morpheus.clcinc.org Hello [10.10.0.2] [31 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 supertool@mxtoolbox.com....Sender OK [47 ms]
RCPT TO: <test@example.com>
530 Relaying not allowed [47 ms]
QUIT
221 2.0.0 clcserver1.morpheus.clcinc.org Service closing transmission channel [47 ms]

I do not understand this but there were no errors returned.  Can you see a problem here?
0
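The transcript above is a relay test: the server accepted MAIL FROM from an outside address but answered RCPT TO for an outside domain with 530, so it is not an open relay. That same RCPT TO decision is also where backscatter is prevented: a server that refuses mail for unknown local mailboxes while the sender is still connected never has to originate a bounce to a possibly forged sender, whereas a server that accepts first and bounces later is the one that ends up on backscatterer.org. The model below is an added example written for this thread (not the code of Exchange, ASSP, ORF or any product named here); domain names, mailboxes and reply texts are constructed.

```python
"""Minimal model of the RCPT TO decision an inbound SMTP server makes.

It reproduces the two outcomes that matter in this thread:
  * a relay attempt from an unauthenticated client gets "530 Relaying not
    allowed", which is the result in the mxtoolbox transcript above; and
  * mail for a non-existent local mailbox is refused at RCPT time with 550,
    so no bounce (DSN with MAIL FROM:<>) is ever sent to a possibly forged sender.
Accepting such mail and bouncing it afterwards is what produces backscatter.

Added example for this thread; not the code of Exchange, ASSP, ORF or any other
product named here. Domain names, mailboxes and reply texts are constructed.
"""
from dataclasses import dataclass, field

LOCAL_DOMAINS = {"example.org"}
LOCAL_MAILBOXES = {"alice@example.org", "postmaster@example.org"}


@dataclass
class Session:
    client_ip: str
    authenticated: bool = False
    mail_from: str = ""
    accepted: list = field(default_factory=list)


def cmd_mail(session: Session, address: str) -> str:
    """MAIL FROM: record the reverse path; it is not verified here."""
    session.mail_from = address.strip("<>").lower()
    return "250 2.1.0 Sender OK"


def cmd_rcpt(session: Session, address: str, reject_unknown_local: bool = True) -> str:
    """RCPT TO: the single decision point for both relaying and backscatter."""
    addr = address.strip("<>").lower()
    domain = addr.rpartition("@")[2]
    if domain not in LOCAL_DOMAINS:
        # Outbound relay only for authenticated (or otherwise trusted) clients.
        if not session.authenticated:
            return "530 Relaying not allowed"
    elif reject_unknown_local and addr not in LOCAL_MAILBOXES:
        # Refuse while the sending server is still connected: that server is
        # then responsible for any bounce, and we originate nothing.
        return "550 5.1.1 User unknown"
    session.accepted.append(addr)
    return "250 2.1.5 Recipient OK"


def bounces_after_data(session: Session) -> list:
    """Accept-then-bounce behaviour: the DSNs this server would have to
    originate for local recipients it accepted but cannot deliver to.
    With reject_unknown_local=True the list is always empty."""
    undeliverable = [
        a for a in session.accepted
        if a.rpartition("@")[2] in LOCAL_DOMAINS and a not in LOCAL_MAILBOXES
    ]
    return [
        {"mail_from": "<>", "rcpt_to": session.mail_from, "reason": f"{a}: user unknown"}
        for a in undeliverable
    ]


if __name__ == "__main__":
    # The relay test from the transcript above, replayed against the model.
    s = Session("10.10.0.2")
    print("MAIL FROM: <supertool@mxtoolbox.com>")
    print(cmd_mail(s, "<supertool@mxtoolbox.com>"))
    print("RCPT TO: <test@example.com>")
    print(cmd_rcpt(s, "<test@example.com>"))
```

The `reject_unknown_local` switch is the whole point: with it on, `bounces_after_data` never has anything to send; with it off, every message to a non-existent local user from a forged sender becomes a bounce addressed to the victim of the forgery, which is what the listing service counts as an impact.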
 
init2winit_DanCommented:
21    ftp             Success   94 ms
25    smtp            Success   94 ms
80    http            Success   94 ms
110   pop3            Success   94 ms
443   https           Success   94 ms
3389  remote desktop  Success   94 ms

I would change your 3389 port ASAP!
I do not see any problems from the outside, so maybe you were listed from a mass mail that was valid or something; however, I do not believe that you would get hit for a mail relay. If you were to try the path of de-listing with backscatter, I have added your IP to the remove list there. Earliest date this IP can expire is 06.10.2010 15:13 CEST.
0
 
init2winit_DanCommented:
At this point, if this is not halting mail from your domain out to folks, I would let it go till the expire date. If it is impacting business, then change your SMTP, POP3 and 80 (any mail traffic) to go to a new IP in your block from the ISP. Depending on the firewall, you may have to configure that to take inbound from the new IP to the internal IP of the mail server.
0
 
clcincAuthor Commented:
Would you mind elaborating why RDP on 3389 is not safe?  Do you think this is a part of the reason I am having issues?
0
 
init2winit_DanCommented:
Well, it is a well-known port and it has some simple hacks, so anyone can remote desktop control the server that is behind that port. What I would do, if you need RDP on the outside, is on the server use regedit to change the port to an unused port; any will do that is not common. Then change your firewall to use the new port. Security by obscurity. Best practice would be not to have the RDP service open to the net, but many orgs do. Just a heads-up security thing. I do not believe the 2 are related, but I saw it and figured I'd give you a heads-up.
0
 
clcincAuthor Commented:

Being listed with Backscatterer probably just means that someone is spoofing the "From field" of a forged email to be from someone on my domain, correct?  This is causing "backscatter."  So, is there a way on the server to retrieve an email header or something similar to pinpoint the spoof?

I know someone has been doing that in the past, because many users report spam from other users.  
0
 
clcincAuthor Commented:
more info:!
WARNING: mail.clcinc.org points to a CNAME-Record.
This violates RFC 2181 Section 10.2
Please request your Admin or Provider to fix this.

help here please?
0
 
init2winit_DanCommented:
You may look up SPF for Exchange 2003; there are some commands in the protocol and the message delivery settings of EMS that can be changed to configure the server to verify the sender address. Also look up tarpitting for Exchange 2003; it is a registry hack, but you need Exchange SP2.
0
 
sunnyc7Commented:
> Being listed with Backscatterer probably just means that is spoofing the "From field" of a forged email to be from someone on my domain, correct?  This is causing "backscatter."
>> Wrong.
Backscatterer is a name of the org which is monitoring your subnet.
The general idea is all RBL providers cannot monitor everything.

Here's what backscatter means.
http://en.wikipedia.org/wiki/Backscatter_(e-mail)

Can you run a full virus scan of your Exchange server, just to rule out any virus / trojans causing this?
0
 
clcincAuthor Commented:
I am running the scan now.  I'm sure it will take hours upon hours.  I will get back on the thread tomorrow.  Thanks for the explanation of Backscatter, it is quite helpful.  Could you please tell me how to prevent it?  I know that there is an option on the Wikipedia page, but I'm unsure of which one to use.
0
 
sunnyc7Commented:
Prevent BackScatter
> use VamSoft ORF

It has out of the box functionality to prevent backscatter and other types of spam

www.vamsoft.com/orf

30 day free trial.
$239 per server
Really cheap and good solution compared to other AVs
0
 
clcincAuthor Commented:
Another guy I work closely with recently installed assp. Do you think that it will work to prevent backscatter?
0
 
sunnyc7Commented:
Can you uninstall that and go with a known solution like Trend / ORF?
No Symantec.

I haven't reviewed ASSP - will check.
0
 
clcincAuthor Commented:
sunny- one more thing, please...   do you know how to fix this:
more info:!
WARNING: mail.clcinc.org points to a CNAME-Record.
This violates RFC 2181 Section 10.2
Please request your Admin or Provider to fix this.

Thanks
0
 
sunnyc7Commented:
where are you getting this error ?
0
 
clcincAuthor Commented:
The company that is affiliated with backscatterer.  http://www.uceprotect.net/en/rblcheck.php?ipr=67.200.162.154  
It also says that I have had 15 level one spammers within the past 15 days.
The Overview section of this page: http://en.wikipedia.org/wiki/MX_record shows a bit about that error.  
Here is the section 10.2 of RFC 2181, whatever that is:
10.2. PTR records

   Confusion about canonical names has lead to a belief that a PTR
   record should have exactly one RR in its RRSet.  This is incorrect,
   the relevant section of RFC1034 (section 3.6.2) indicates that the
   value of a PTR record should be a canonical name.  That is, it should
   not be an alias.  There is no implication in that section that only
   one PTR record is permitted for a name.  No such restriction should
   be inferred.

   Note that while the value of a PTR record must not be an alias, there
   is no requirement that the process of resolving a PTR record not
   encounter any aliases.  The label that is being looked up for a PTR
   value might have a CNAME record.  That is, it might be an alias.  The
   value of that CNAME RR, if not another alias, which it should not be,
   will give the location where the PTR record is found.  That record
   gives the result of the PTR type lookup.  This final result, the
   value of the PTR RR, is the label which must not be an alias.

0
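The section quoted above is the PTR rule; the "points to a CNAME-Record" warning about mail.clcinc.org is its MX-side counterpart, RFC 2181 section 10.3, which says the host name in an MX record must not be an alias either. The checker below is an added example for this thread (not the logic of the tool that produced the warning) that applies both rules to a record set, plus a sanity check for the SPF record suggested earlier in the thread. The zone data are constructed; in practice you would fill the record list from dig/nslookup output or a DNS library.

```python
"""Check a domain's mail-related DNS records for the alias problems behind
the "points to a CNAME-Record" warning: an MX target must not be an alias
(RFC 2181 section 10.3) and the value of a PTR record must not be an alias
(section 10.2, quoted above). An SPF sanity check is included because SPF
was suggested earlier in the thread.

Added example for this thread, not the checking tool's own logic. The zone
data below are constructed; in practice you would feed the record list from
dig/nslookup output or a DNS library.
"""
from collections import defaultdict

# Constructed zone data: (owner name, type, value), all names fully qualified.
RECORDS = [
    ("example.org.", "MX", "10 mail.example.org."),
    ("mail.example.org.", "CNAME", "host1.example.org."),      # MX target is an alias
    ("host1.example.org.", "A", "192.0.2.25"),
    ("25.2.0.192.in-addr.arpa.", "PTR", "mail.example.org."),  # PTR value is an alias
    ("example.net.", "MX", "10 mx.example.net."),
    ("mx.example.net.", "A", "192.0.2.26"),
    ("26.2.0.192.in-addr.arpa.", "PTR", "mx.example.net."),
    ("example.net.", "TXT", "v=spf1 mx -all"),
]


def index(records):
    """Group record values by (lower-cased owner name, type)."""
    idx = defaultdict(list)
    for name, rtype, value in records:
        idx[(name.lower(), rtype)].append(value)
    return idx


def is_alias(idx, name):
    return bool(idx.get((name.lower(), "CNAME")))


def check_mx(idx, domain):
    """Each MX target must be a canonical name with an address record."""
    problems = []
    for mx in idx.get((domain.lower(), "MX"), []):
        _pref, target = mx.split()
        if is_alias(idx, target):
            problems.append(f"MX {domain} -> {target} is a CNAME (RFC 2181 10.3)")
        elif not idx.get((target.lower(), "A")):
            problems.append(f"MX {domain} -> {target} has no A record")
    return problems


def check_ptr(idx, reverse_name):
    """The value of a PTR record must not be an alias (RFC 2181 10.2)."""
    return [
        f"PTR {reverse_name} -> {value} is a CNAME (RFC 2181 10.2)"
        for value in idx.get((reverse_name.lower(), "PTR"), [])
        if is_alias(idx, value)
    ]


def check_spf(idx, domain):
    """Exactly one TXT record starting with v=spf1 should exist (RFC 7208)."""
    spf = [t for t in idx.get((domain.lower(), "TXT"), []) if t.lower().startswith("v=spf1")]
    if not spf:
        return [f"{domain} publishes no SPF record"]
    if len(spf) > 1:
        return [f"{domain} publishes {len(spf)} SPF records; only one is allowed"]
    return []


def check_mail_dns(records, domain, reverse_names=()):
    """Return a list of human-readable problems; empty means all checks passed."""
    idx = index(records)
    problems = check_mx(idx, domain) + check_spf(idx, domain)
    for r in reverse_names:
        problems += check_ptr(idx, r)
    return problems


if __name__ == "__main__":
    for d, rev in (("example.org.", ["25.2.0.192.in-addr.arpa."]),
                   ("example.net.", ["26.2.0.192.in-addr.arpa."])):
        print(d, check_mail_dns(RECORDS, d, rev) or ["OK"])
```

The fix for the warning is the one the RFC implies: make the MX point at a name that has an A record directly (host1.example.org. in the constructed data, or give mail.example.org. its own A record instead of a CNAME), and have the reverse PTR for the mail server's address return that canonical name.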
 
clcincAuthor Commented:
Installed ASSP.  This stopped the backscatter.
0
