Relaying denied. Blacklist Removal?

Some emails are getting bounced back from external mail servers. We receive error messages like so:

You do not have permission to send to this recipient.  For assistance, contact your system administrator. < #5.7.1 smtp;551 5.7.1 <>... Relaying denied>

I notice we are on a blacklist from an MXToolbox report. Result showed:

ICMFORBIDDEN  LISTED Return codes were: 82723 1373

I need to know if the two problems are related, and how do I get off the blacklist?

Our environment:
Exchange Server 2003 SP2
Windows Server 2003 SP2

Alan Hardisty (Co-Owner) Commented:
If you are blacklisted you need to know why you are blacklisted and get off them, but only after sorting out why you were on them in the first place.
What is your IP Address (I will obscure it after posting).  I can check and see if I can see why you are listed.
First see where you are blacklisted; the ISP is sometimes the source depending on what checks the receiving server does.
Enter your IP\DNS name here

Are you blacklisted, and if so on what level?
next try
 and comment back with results..

HIBS_ICT (Author) Commented:
IP Address:


Result in LHSBL Whitelists (Alphabetic order): NOT WHITELISTED Read about this way to exclude an IP from UCEPROTECT Level2/3 NOT WHITELISTED

-------------------------------------------------------------------------------- OK OK OK OK OK OK OK OK OK OK OK OK OK

So you are not blacklisted.

Is this a new mail server setup? Was the blacklist error sudden? What is your configuration and what server is it?
HIBS_ICT (Author) Commented:
When running the blacklist check from MX Toolbox it tells me that we are blacklisted, i.e.:
ICMFORBIDDEN  LISTED Return codes were: 82723 1373

No, this isn't a new server setup. We are running Exchange 2003 on a Server 2003 box.
Alan Hardisty (Co-Owner) Commented:
Not seen that Blacklist before.  Lots of suggestions that you are an open relay in the link on the blacklist site (mxtoolbox).
Checking on shows you are not an open relay.
How is your DNS configured on your server?  What is your server's DNS 1 / 2 record and are you using DNS Forwarders on your DNS server?
Try to do this:

Open a command line (Start --> Run --> cmd)

Type:
nslookup
set type=mx
(your domain)
You should get a result. Then try:
telnet "result of nslookup" 25
What did you get?
Alan Hardisty (Co-Owner) Commented:
Your server is responding as and your mx record is configured as
Your Reverse DNS record is configured as
All 3 need to match if you don't want problems sending mail.
Your FQDN on your SMTP Virtual Server (Delivery Tab> Advanced Button) needs to change to a name that resolves correctly in DNS and cricket or both resolve, so please change the FQDN to either.

HIBS_ICT (Author) Commented:
Thanks for the advice so far. I've changed the SMTP Virtual Server FQDN to smtp.mydomain. This should now make 2 of those matching.

Cricket is actually a website on our domain. After you mentioning that I had a look at our dns records, I notice our IP address has multiple A Records. Is this why it might be getting confused? Should there only be 1 A Record, and the rest should be CNAME (aliases)?
HIBS_ICT (Author) Commented:
I keep getting a different result for Reverse DNS when running a check to the IP. Is that normal?
Also, I still have a problem with being on the ICMFORBIDDEN blacklist. I've gone to the site but it doesn't give me much help.
Alan Hardisty (Co-Owner) Commented:
You do have a few entries for Reverse DNS:
Answer: PTR record: [TTL 86400s] [A=None] *ERROR* There is no A record for (may be negatively cached). PTR record: [TTL 86400s] [] PTR record: [TTL 86400s] [] PTR record: [TTL 86400s] [] PTR record: [TTL 86400s] [A=None] *ERROR* There is no A record for (may be negatively cached). PTR record: [TTL 86400s] [] PTR record: [TTL 86400s] [] PTR record: [TTL 86400s] [] PTR record: [TTL 86400s] [] PTR record: [TTL 86400s] [] PTR record: [TTL 86400s] [] PTR record: [TTL 86400s] [] PTR record: [TTL 86400s] [] PTR record: [TTL 86400s] [] PTR record: [TTL 86400s] [] PTR record: [TTL 86400s] [] PTR record: [TTL 86400s] [] PTR record: [TTL 86400s] [] PTR record: [TTL 86400s] []

Who the heck set up your DNS records and Reverse DNS?
I have never seen that many Reverse DNS records before and cannot see any need for more than one.
I'll check in with another Exchange Expert (or two) and see what they think.
alanhardisty is right, blacklist checks are also made on reverse DNS.
You should have only one, pointing to your real server (same as MX record 100).
Alan Hardisty (Co-Owner) Commented:
Right - I have spoken to another Exchange Genius and both he and I are of the opinion that you only need one Reverse DNS record, so please lose all but one and ideally keep and then see if life has improved.
Alan Hardisty (Co-Owner) Commented:
It may also be worth having a read of the following article for clarification: 
HIBS_ICT (Author) Commented:
Thanks for all your help.
I've now changed our Reverse DNS Records to only have smtp.mydomain. This should now mean all my records are consistent.

1. A record for smtp.mydomain
2. MX record for smtp.mydomain pointing to the A record
3. Exchange Virtual SMTP connector FQDN smtp.mydomain

Now, any ideas how to get off the ICMForbidden blacklist? When I go to the site it doesn't help me at all.
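
A consistency check for the records discussed in this thread (SMTP virtual server FQDN, MX target, reverse DNS), added here as an example and not part of any poster's reply. The hostnames, the 192.0.2.25 address and the function name are constructed placeholders; record data is passed in rather than looked up live so the check runs offline.

```python
# Added example. All names and addresses below are constructed placeholders.

def _norm(name):
    return name.rstrip(".").lower()

def check_mail_identity(ip, helo_fqdn, mx_targets, ptr_names, a_records):
    """Return findings; an empty list means HELO name, MX and PTR agree.

    ptr_names: every name the reverse lookup of `ip` returned.
    a_records: hostname -> set of IPv4 addresses from forward lookups.
    """
    helo = _norm(helo_fqdn)
    ptrs = [_norm(p) for p in ptr_names]
    fwd = {_norm(h): set(ips) for h, ips in a_records.items()}
    findings = []
    if not ptrs:
        findings.append("no PTR record for the sending IP")
    elif len(ptrs) > 1:
        findings.append(f"{len(ptrs)} PTR records, expected exactly one")
    for p in ptrs:
        # Forward-confirmed reverse DNS: the PTR name must resolve back to ip.
        if ip not in fwd.get(p, set()):
            findings.append(f"PTR {p} has no A record pointing to {ip}")
    if helo not in ptrs:
        findings.append(f"HELO name {helo} is not a PTR name of {ip}")
    if ip not in fwd.get(helo, set()):
        findings.append(f"HELO name {helo} does not resolve to {ip}")
    if not any(ip in fwd.get(_norm(m), set()) for m in mx_targets):
        findings.append(f"no MX target resolves to {ip}")
    return findings

A_RECORDS = {"smtp.example.org": {"192.0.2.25"},
             "cricket.example.org": {"192.0.2.25"}}
# Before: mismatched HELO name and several PTRs, one with no A record.
BEFORE = dict(ip="192.0.2.25", helo_fqdn="exch01.example.local",
              mx_targets=["smtp.example.org"], a_records=A_RECORDS,
              ptr_names=["smtp.example.org.", "cricket.example.org.",
                         "old.example.org."])
# After: one PTR, and the SMTP virtual server FQDN set to the same name.
AFTER = dict(BEFORE, helo_fqdn="smtp.example.org",
             ptr_names=["smtp.example.org."])

if __name__ == "__main__":
    for label, case in (("before", BEFORE), ("after", AFTER)):
        print(label, check_mail_identity(**case) or "consistent")
```
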
Alan Hardisty (Co-Owner) Commented:
You are looking much tidier now :)
Not got a clue how to get off the ICMFORBIDDEN site - it's Polish and I don't speak a word!
Alan Hardisty (Co-Owner) Commented:
To make everything completely tidy, you might want to add an SPF record too.
Alan Hardisty (Co-Owner) Commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.