Delivery Status Notification Delay

clcinc asked:

I asked this question before but kind of gave up.  My SMTP server seems to be blacklisted on backscatter.org.  Here is what it says on their site:  

 
Testresult for 67.200.162.XXX

This IP IS CURRENTLY LISTED in our Database.
Please note that this listing does not mean you are a spammer, it means your mailsystem is either poorly configured or it is using abusive techniques.
If you don't know what BACKSCATTER or Sender Callouts are, click the links above to get clue how to stop that kind of abuse.


To track down what happened investigate your smtplogs near 08.09.2010 15:13 CEST +/-1 minute.

You will either find that your system tried to send bounces or autoresponders to claimed but in reality faked senders, or your system tried sender verify callouts against our members near that time.

So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM and which got rejected at remote systems.

Read the rejection texts carefully and it shouldn't be a big deal to figure out what caused or renewed your listing.


History:
20.04.2009 13:26 CEST	listed	
03.10.2009 15:25 CEST	expired	
05.01.2010 01:05 CET	listed	
02.02.2010 01:25 CET	expired	
02.02.2010 04:59 CET	listed	
02.03.2010 05:25 CET	expired	
29.05.2010 11:25 CEST	listed	
26.06.2010 12:25 CEST	expired	
29.06.2010 17:51 CEST	listed	

A total of 11 Impacts were detected during this listing. Last was 08.09.2010 15:13 CEST +/- 1 minute.
Earliest date this IP can expire is 06.10.2010 15:13 CEST.



This IP is temporary listed.
The listing will expire automatically and free of charge 4 weeks after the last abuse is seen from that IP.
Expedited manual expressdelisting is available as an option, in case you do not want to wait for the automatic and free expiration.
You will be charged 101 USD using one of the following payment services.
WARNING: Before requesting expressdelisting make sure the problem which caused the listing is fixed, otherwise you are at risk to get listed again if new abuse becomes known.


Notice how the most recent problem was on 9-8-10.  I have no idea what is causing this problem.  I didn't know how to find my SMTP exchange logs, but looked it up and apparently it was logging nothing.  So I turned them on with IIS setting enabled and set them to hourly.  Please, someone make a suggestion to track down my problem.  I am sure no one on our domain is spamming, and my wifi encryptions would take months to crack...  Surely it's a simple problem?

Thanks
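As an added example (not from the thread or from backscatterer.org), here is a small Python scanner for the kind of search the listing page asks for: outbound sessions whose MAIL FROM was the null sender or postmaster and which drew a 5xx reply from the remote host near the reported time. It assumes the Exchange 2003/IIS SMTP service writes W3C logs in which cs-username carries OutboundConnectionCommand/OutboundConnectionResponse, cs-method the SMTP verb and cs-uri-query the argument or the remote reply with spaces encoded as +, that timestamps are UTC (so 15:13 CEST is 13:13), and the log lines below are constructed, not real data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the assumed W3C layout (trailing fields trimmed; not a real log).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2010-09-08 13:12:40 203.0.113.25 OutboundConnectionCommand SMTPSVC1 CLCSERVER1 - 25 MAIL - FROM:<> 0
2010-09-08 13:12:40 203.0.113.25 OutboundConnectionResponse SMTPSVC1 CLCSERVER1 - 25 - - 250+2.1.0+Sender+OK 0
2010-09-08 13:12:41 203.0.113.25 OutboundConnectionCommand SMTPSVC1 CLCSERVER1 - 25 RCPT - TO:<ghost@example.net> 0
2010-09-08 13:12:41 203.0.113.25 OutboundConnectionResponse SMTPSVC1 CLCSERVER1 - 25 - - 550+5.1.1+User+unknown 0
2010-09-08 13:20:02 198.51.100.7 OutboundConnectionCommand SMTPSVC1 CLCSERVER1 - 25 MAIL - FROM:<user@clcinc.org> 0
2010-09-08 13:20:03 198.51.100.7 OutboundConnectionCommand SMTPSVC1 CLCSERVER1 - 25 RCPT - TO:<bob@example.org> 0
2010-09-08 13:20:03 198.51.100.7 OutboundConnectionResponse SMTPSVC1 CLCSERVER1 - 25 - - 550+5.1.1+No+such+user 0
"""

# MAIL FROM arguments that mark a bounce/DSN or autoresponder: the null sender or postmaster.
BOUNCE_SENDER = re.compile(r"^FROM:<(|postmaster@[^>]*)>", re.IGNORECASE)

def find_rejected_bounces(log_text, centre_utc, window_minutes=1):
    """Return (time, remote_ip, reply) for each outbound session that used a
    bounce-style MAIL FROM and drew a 5xx reply from the remote host within
    centre_utc +/- window_minutes.  centre_utc is 'YYYY-MM-DD HH:MM:SS'."""
    centre = datetime.strptime(centre_utc, "%Y-%m-%d %H:%M:%S")
    window = timedelta(minutes=window_minutes)
    bounce_sessions = set()   # remote IPs whose current message began with a bounce-style sender
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(" ")
        when = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        remote, kind, verb, arg = f[2], f[3], f[8], f[10]
        if kind == "OutboundConnectionCommand" and verb == "MAIL":
            # Each MAIL command starts a new message; (re)classify the session by its sender.
            if BOUNCE_SENDER.match(arg):
                bounce_sessions.add(remote)
            else:
                bounce_sessions.discard(remote)
        elif kind == "OutboundConnectionResponse" and remote in bounce_sessions:
            reply = arg.replace("+", " ")
            if reply.startswith("5") and abs(when - centre) <= window:
                hits.append((f[0] + " " + f[1], remote, reply))
    return hits

if __name__ == "__main__":
    # backscatterer.org's 08.09.2010 15:13 CEST is 13:13 UTC, the timezone IIS logs use.
    for when, ip, reply in find_rejected_bounces(SAMPLE_LOG, "2010-09-08 13:13:00"):
        print(when, ip, reply)
```

Each hit is a bounce your server generated for a recipient that the remote host then refused, which is exactly the "NULL SENDER ... rejected at remote systems" pattern the listing page describes; the rejection text tells you which message class (NDR, autoreply) to stop sending to unverified senders.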
init2winit_Dan:

Please check your domain name at mxtoolbox.com.
clcinc (asker):

That's how I found out that I was blacklisted on backscatter.  It says I am listed on there.  The code posted above is the result of clicking detail and testing at http://www.backscatterer.org/?ip=67.200.162.XXX .
sunnyc7:

Do you have a public IP, or are you using the random IP assigned by ADSL/SDSL?

Rather than pay $100 to Backscatterer, I'd get a public IP from the ISP.
clcinc (asker):

I don't understand that question sunnyc7.  Do you mean get a new IP address assigned to me from my ISP?  Would that not cause all kinds of config issues on my server?  I'm really new to this section of the field and apologize if I seem ignorant.

thanks
Backscatter has listed your IP for ABC reasons:
http://www.backscatterer.org/?ip=67.200.162.XXX

You may or may not be spamming.
a) First check that you have a clean install of Exchange and you have no hygiene issues.
b) Ensure that you are not on an ADSL/SDSL connection where your IP is constantly changing; this will get your IP flagged.

You can spend time with the Backscatter guys and try to sort this out, but this doesn't work out in the end.

I'd suggest getting a new static IP from your ISP:
Configure your firewall with the new IP.
Add your ISP's DNS details.
Configure your MX records to point to the new IP.

Before you make this change, sign up for www.mxsave.com.
This will ensure that your emails are not lost when you are making the IP change.

Check my comment here:
https://www.experts-exchange.com/questions/26317605/ETRN-Backup-for-SBS-2003-Mail.html
Well, I would test to find out if you're an open relay and try to fix all the problems first. Then request to be de-listed at Backscatter and/or change your IP. This is a common problem for SMBs. Also, you may want to find out if your ISP provides you with a relay server; this would allow you to relay to their smart host, which protects your IP from blacklisting.
clcinc (asker):

Just talked to my ISP and they said that they only issue static IP's.  They said that there is a range of IP addresses already assigned to me and that all I need to do is "open the port and reconfigure my end."  

I'm worried that if I change my IP, this will just happen again, and again.  How can I track down the problem and stop it.  

BTW, I entered in the XXX at  the end of my IP.  Not sure why you reposted it?  I just thought maybe you thought that they listed it that way and concluded the ABC blacklist from this.
init2winit_Dan:

That is why I would run the SMTP test at mxtoolbox; this will give you some insight into what could be wrong. Also, you need to verify why this is going on before you get a new IP. Some reasons for a blacklisting: open relay, viruses (on end-users' machines as well), reverse DNS, you use a DHCP IP from your ISP, or your IP from your ISP is in a flagged block of IPs due to residential service.
clcinc (asker):

@init Here are the results:
HELO please-read-policy.mxtoolbox.com
250 clcserver1.morpheus.clcinc.org Hello [10.10.0.2] [31 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 supertool@mxtoolbox.com....Sender OK [47 ms]
RCPT TO: <test@example.com>
530 Relaying not allowed [47 ms]
QUIT
221 2.0.0 clcserver1.morpheus.clcinc.org Service closing transmission channel [47 ms]

I do not understand this but there were no errors returned.  Can you see a problem here?
Port   Service          Result    Time
21     ftp              Success   94 ms
25     smtp             Success   94 ms
80     http             Success   94 ms
110    pop3             Success   94 ms
443    https            Success   94 ms
3389   remote desktop   Success   94 ms

I would change your 3389 port ASAP!
I do not see any problems from the outside, so maybe you were listed from a mass mail that was valid or something. However, I do not believe that you would get hit for a mail relay. If you were to try the path of de-listing with Backscatter, I have added your IP to the remove list there. Earliest date this IP can expire is 06.10.2010 15:13 CEST.
At this point, if this is not halting mail from your domain out to folks, I would let it go till the expire date. If it is impacting business, then change your SMTP, POP3, 80 (any mail traffic) to go to a new IP in your block from the ISP. Depending on the firewall, you may have to configure that to take inbound from the new IP to the internal IP of the mail server.
clcinc (asker):

Would you mind elaborating why RDP on 3389 is not safe?  Do you think this is a part of the reason I am having issues?
Well, it is a well-known port and it has some simple hacks, so anyone can remote desktop control the server that is behind that port. What I would do, if you need RDP on the outside, is on the server use regedit to change the port to an unused port; any will do that is not common. Then change your firewall to use the new port. Security in obscurity. Best practice would be not to have the RDP service open to the net, but many orgs do. Just a heads-up security thing. I do not believe the two are related, but I saw it and figured I'd give you a heads-up.
clcinc (asker):

Being listed with Backscatterer probably just means that someone is spoofing the "From field" of a forged email to be from someone on my domain, correct?  This is causing "backscatter."  So, is there a way on the server to retrieve an email header or something similar to pinpoint the spoof?

I know someone has been doing that in the past, because many users report spam from other users.  
clcinc (asker):

More info:
WARNING: mail.clcinc.org points to a CNAME-Record.
This violates RFC 2181 Section 10.2
Please request your Admin or Provider to fix this.

help here please?
Maybe look up SPF for Exchange 2003; there are some commands in the protocol and the message delivery of EMS that can be changed to configure the server to verify the sender address. Also look up tar-pitting for Exchange 2003; it is a registry hack, but you need Exchange SP2.
Being listed with Backscatterer probably just means that is spoofing the "From field" of a forged email to be from someone on my domain, correct?  This is causing "backscatter."
>> Wrong.
Backscatterer is a name of the org which is monitoring your subnet.
The general idea is all RBL providers cannot monitor everything.

Here's what backscatter means.
http://en.wikipedia.org/wiki/Backscatter_(e-mail)

Can you run a full virus scan of your Exchange server, just to rule out any virus/trojans causing this?
clcinc (asker):

I am running the scan now.  I'm sure it will take hours upon hours.  I will get back on the thread tomorrow.  Thanks for the explanation of Backscatter, it is quite helpful.  Could you please tell me how to prevent it?  I know that there is an option on the Wikipedia page, but I'm unsure of which one to use.
Prevent BackScatter
> use VamSoft ORF

It has out of the box functionality to prevent backscatter and other types of spam

www.vamsoft.com/orf

30 day free trial.
$239 per server
Really cheap and good solution compared to other AVs
clcinc (asker):

Another guy I work closely with recently installed assp. Do you think that it will work to prevent backscatter?
Can you uninstall that and go with a known solution like Trend / ORF?
No Symantec.

I haven't reviewed ASSP; will check.
clcinc (asker):

Sunny, one more thing, please... do you know how to fix this:
More info:
WARNING: mail.clcinc.org points to a CNAME-Record.
This violates RFC 2181 Section 10.2
Please request your Admin or Provider to fix this.

Thanks
Where are you getting this error?
clcinc (asker):

The company that is affiliated with backscatterer.  http://www.uceprotect.net/en/rblcheck.php?ipr=67.200.162.154  
It also says that I have had 15 level one spammers within the past 15 days.
The Overview section of this page: http://en.wikipedia.org/wiki/MX_record shows a bit about that error.  
Here is the section 10.2 of RFC 2181, whatever that is:
10.2. PTR records

   Confusion about canonical names has lead to a belief that a PTR
   record should have exactly one RR in its RRSet.  This is incorrect,
   the relevant section of RFC1034 (section 3.6.2) indicates that the
   value of a PTR record should be a canonical name.  That is, it should
   not be an alias.  There is no implication in that section that only
   one PTR record is permitted for a name.  No such restriction should
   be inferred.

   Note that while the value of a PTR record must not be an alias, there
   is no requirement that the process of resolving a PTR record not
   encounter any aliases.  The label that is being looked up for a PTR
   value might have a CNAME record.  That is, it might be an alias.  The
   value of that CNAME RR, if not another alias, which it should not be,
   will give the location where the PTR record is found.  That record
   gives the result of the PTR type lookup.  This final result, the
   value of the PTR RR, is the label which must not be an alias.
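As an added example (not from the thread, uceprotect or backscatterer.org), here is how an administrator could audit the two RFC 2181 alias rules from a zone snapshot: section 10.2, quoted above, says a PTR value must not be an alias, and section 10.3 applies the same rule to MX targets, which is what a warning about mail.clcinc.org "pointing to a CNAME-Record" describes. The zone data below is constructed (documentation address 192.0.2.10, not the poster's real records), and the checker also confirms that each mail host's reverse DNS resolves back to the same address, one of the blacklist causes raised earlier in the thread.

```python
# Constructed zone snapshots (documentation addresses, not the poster's real DNS).
BROKEN_ZONE = {
    ("clcinc.org", "MX"): ["10 mail.clcinc.org"],
    ("mail.clcinc.org", "CNAME"): ["clcserver1.morpheus.clcinc.org"],  # alias used as MX target
    ("clcserver1.morpheus.clcinc.org", "A"): ["192.0.2.10"],
    ("10.2.0.192.in-addr.arpa", "PTR"): ["clcserver1.morpheus.clcinc.org"],
}
FIXED_ZONE = {
    ("clcinc.org", "MX"): ["10 mail.clcinc.org"],
    ("mail.clcinc.org", "A"): ["192.0.2.10"],                 # MX target is now a real host
    ("10.2.0.192.in-addr.arpa", "PTR"): ["mail.clcinc.org"],  # PTR value is a canonical name
}

def lookup(zone, name, rtype):
    return zone.get((name, rtype), [])

def canonical(zone, name, hops=8):
    """Follow a CNAME chain to its canonical name (bounded so a loop cannot hang us)."""
    while hops and lookup(zone, name, "CNAME"):
        name = lookup(zone, name, "CNAME")[0]
        hops -= 1
    return name

def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def audit_mail_dns(zone, domain):
    """Report RFC 2181 alias violations on the MX targets of `domain` and check
    that each mail host's reverse DNS is canonical and forward-confirmed."""
    problems = []
    for rr in lookup(zone, domain, "MX"):
        _pref, target = rr.split()
        if lookup(zone, target, "CNAME"):
            problems.append(f"MX target {target} is a CNAME (RFC 2181 s10.3)")
        host = canonical(zone, target)
        for ip in lookup(zone, host, "A"):
            ptrs = lookup(zone, reverse_name(ip), "PTR")
            if not ptrs:
                problems.append(f"{ip} has no PTR record")
            for ptr in ptrs:
                if lookup(zone, ptr, "CNAME"):
                    problems.append(f"PTR for {ip} is the alias {ptr} (RFC 2181 s10.2)")
                elif ip not in lookup(zone, ptr, "A"):
                    problems.append(f"PTR {ptr} for {ip} does not resolve back to it")
    return problems

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, audit_mail_dns(zone, "clcinc.org") or ["ok"])
```

The fix the warning asks for is the one FIXED_ZONE shows: give the MX target its own A record (and matching PTR) instead of a CNAME.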
