Relaying denied. Blacklist Removal?

Some emails are getting bounced back from external mail servers. We receive error messages like so:

You do not have permission to send to this recipient.  For assistance, contact your system administrator. <mailserver.mydomain.com #5.7.1 smtp;551 5.7.1 <user@mydomain.com>... Relaying denied>

I notice we are on a blacklist from an MXToolbox Report. Result showed:

ICMFORBIDDEN  LISTED Return codes were: 127.0.0.50 82723 1373


I need to know if the two problems are related, and how do I get off the blacklist?

Our environment:
Exchange Server 2003 SP2
Windows Server 2003 SP2
Asked by: HIBS_ICT

Alan Hardisty (Co-Owner) commented:
If you are blacklisted you need to know why you are blacklisted and get off them, but only after sorting out why you were on them in the first place.
What is your IP Address (I will obscure it after posting).  I can check and see if I can see why you are listed.
Alan

Giladn (CTO/CIO) commented:
First see where you are blacklisted; the ISP is sometimes the source, depending on what checks the receiving server does.
Enter your IP/DNS name here:

http://www.mxtoolbox.com/blacklists.aspx

Are you blacklisted, and if so, on what level?
Next try

http://www.blacklistalert.org./
and comment back with results.

Gilad

HIBS_ICT (Author) commented:
IP Address: 210.54.xxx.xxx

Results from Blacklist Alert:

0spam.fusionzero.com OK
aspews.ext.sorbs.net OK
bl.spamcop.net OK
bl.spamcannibal.org OK
blackholes.five-ten-sg.com OK
blackholes.intersil.net OK
bogons.cymru.com OK
cbl.abuseat.org OK
combined.njabl.org OK
db.wpbl.info OK
dnsbl.ahbl.org OK
dnsbl.inps.de OK
dnsbl.sorbs.net OK
dnsbl.rangers.eu.org OK
dnsbl-0.uceprotect.net OK
dnsbl-1.uceprotect.net OK
dnsbl-2.uceprotect.net OK
dnsbl-3.uceprotect.net OK
dyna.spamrats.com OK
ips.backscatterer.org OK
ix.dnsbl.manitu.net OK
l2.apews.org OK
no-more-funn.moensted.dk OK
noptr.spamrats.com OK
psbl.surriel.com OK
rbl.efnet.org OK
spam.spamrats.com OK
spamguard.leadmon.net OK
t1.dnsbl.net.au OK
tor.dan.me.uk OK
tor.dnsbl.sectoor.de OK
ubl.unsubscore.com OK
virbl.dnsbl.bit.nl OK
zen.spamhaus.org OK

--------------------------------------------------------------------------------
Result in LHSBL Whitelists (Alphabetic order):

ips.whitelisted.org NOT WHITELISTED Read about this way to exclude an IP from UCEPROTECT Level2/3
list.dnswl.org NOT WHITELISTED

--------------------------------------------------------------------------------

abuse.rfc-ignorant.org OK
bogusmx.rfc-ignorant.org OK
dsn.rfc-ignorant.org OK
dynamic.rhs.mailpolice.com OK
l1.apews.org OK
list.anonwhois.net OK
multi.surbl.org OK
multi.uribl.com OK
postmaster.rfc-ignorant.org OK
rddn.dnsbl.net.au OK
rhsbl.ahbl.org OK
rhsbl.sorbs.net OK
webmail.rhs.mailpolice.com OK

Giladn (CTO/CIO) commented:
So you are not blacklisted.

Is this a new mail server setup? Was the blacklist error sudden? What is your configuration and what server is it?

HIBS_ICT (Author) commented:
When running the blacklist check from MX Toolbox it tells me that we are blacklisted, i.e.:
ICMFORBIDDEN  LISTED Return codes were: 127.0.0.50 82723 1373

No, this isn't a new server setup. We are running Exchange 2003 on a Server 2003 box.
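
How a DNSBL check like the ones above works, as an added example that is not part of the original thread: the checker reverses the IP's octets, appends the list's zone, and reads an A answer in 127.0.0.0/8 as "listed" with a list-specific return code. The address 192.0.2.25, the `*.example` zones and the sample answers are constructed placeholders, and the resolver is injected so the block runs offline.

```python
import ipaddress
import socket

DNSBL_ANSWER_RANGE = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's zone (RFC 5782)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def system_resolver(name):
    """Live A-record lookup; any resolution failure is treated as 'no answer'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def check_dnsbl(ip, zone, resolve=system_resolver):
    answers = resolve(dnsbl_query_name(ip, zone))
    if not answers:
        return ("not listed", [])
    codes = [a for a in answers if ipaddress.ip_address(a) in DNSBL_ANSWER_RANGE]
    if len(codes) != len(answers):
        # A routable address instead of a 127.x code can mean a resolver that
        # rewrites NXDOMAIN, or a zone that no longer operates as a DNSBL.
        return ("unreliable", answers)
    return ("listed", codes)

# Constructed sample data: not real lists, not the asker's address.
SAMPLE_ANSWERS = {
    "25.2.0.192.dnsbl-a.example": ["127.0.0.50"],
    "25.2.0.192.dnsbl-c.example": ["203.0.113.80"],
}

def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name, [])

def demo_dnsbl():
    zones = ["dnsbl-a.example", "dnsbl-b.example", "dnsbl-c.example"]
    return {z: check_dnsbl("192.0.2.25", z, sample_resolver) for z in zones}

if __name__ == "__main__":
    for zone, (status, detail) in demo_dnsbl().items():
        print(f"{zone:18} {status:11} {detail}")
```

What a given return code means is defined by each list's operator, so a "listed" result has to be read against that list's own documentation.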

Alan Hardisty (Co-Owner) commented:
Not seen that Blacklist before.  Lots of suggestions that you are an open relay in the link on the blacklist site (mxtoolbox).
Checking on www.checkor.com shows you are not an open relay.
How is your DNS configured on your server?  What is your server's DNS 1 / 2 record and are you using DNS Forwarders on your DNS server?

Giladn (CTO/CIO) commented:
Try to do this:

Open a command line (Start --> Run --> cmd)

Type:
NSLOOKUP
set type=mx
domain.com (your domain)
You should get a result. Then try to do
telnet "result of nslookup" 25
What did you get?

Alan Hardisty (Co-Owner) commented:
Your server is responding as hibsnt03.yourdomain.nz and your mx record is configured as smtp.yourdomain.nz
Your Reverse DNS record is configured as cricket.yourdomain.nz
All 3 need to match if you don't want problems sending mail.
Your FQDN on your SMTP Virtual Server (Delivery Tab> Advanced Button) needs to change to a name that resolves correctly in DNS and cricket or smtp.yourdomain.nz both resolve, so please change the FQDN to either.


HIBS_ICT (Author) commented:
Thanks for the advice so far. I've changed the SMTP Virtual Server FQDN to smtp.mydomain. This should now make 2 of those matching.

Cricket is actually a website on our domain. After you mentioned that, I had a look at our DNS records, and I notice our IP address has multiple A Records. Is this why it might be getting confused? Should there only be 1 A Record, and the rest should be CNAME (aliases)?

HIBS_ICT (Author) commented:
I keep getting a different result for Reverse DNS when running a check to the IP. Is that normal?
Also, I still have a problem with being on the ICMFORBIDDEN blacklist. I've gone to the site but it doesn't give me much help.

Alan Hardisty (Co-Owner) commented:
Yikes!
You do have a few entries for Reverse DNS:
Answer:
210.54.xxx.xxx PTR record: stagechallenge.yourdomain.nz. [TTL 86400s] [A=None] *ERROR* There is no A record for stagechallenge.yourdomain.nz. (may be negatively cached).
210.54.xxx.xxx PTR record: is.yourdomain.nz. [TTL 86400s] [A=210.54.xxx.xxx]
210.54.xxx.xxx PTR record: ftp.yourdomain.nz. [TTL 86400s] [A=210.54.xxx.xxx]
210.54.xxx.xxx PTR record: www.yourdomain.nz. [TTL 86400s] [A=210.54.xxx.xxx]
210.54.xxx.xxx PTR record: arts.yourdomain.nz. [TTL 86400s] [A=None] *ERROR* There is no A record for arts.hibs.school.nz. (may be negatively cached).
210.54.xxx.xxx PTR record: dice.yourdomain.nz. [TTL 86400s] [A=210.54.xxx.xxx]
210.54.xxx.xxx PTR record: enet.yourdomain.nz. [TTL 86400s] [A=210.54.xxx.xxx]
210.54.xxx.xxx PTR record: mail.yourdomain.nz. [TTL 86400s] [A=210.54.xxx.xxx]
210.54.xxx.xxx PTR record: pop3.yourdomain.nz. [TTL 86400s] [A=210.54.xxx.xxx]
210.54.xxx.xxx PTR record: smtp.yourdomain.nz. [TTL 86400s] [A=210.54.xxx.xxx]
210.54.xxx.xxx PTR record: rugby.yourdomain.nz. [TTL 86400s] [A=210.54.xxx.xxx]
210.54.xxx.xxx PTR record: hockey.yourdomain.nz. [TTL 86400s] [A=210.54.xxx.xxx]
210.54.xxx.xxx PTR record: soccer.yourdomain.nz. [TTL 86400s] [A=210.54.xxx.xxx]
210.54.xxx.xxx PTR record: cricket.yourdomain.nz. [TTL 86400s] [A=210.54.xxx.xxx]
210.54.xxx.xxx PTR record: intranet.yourdomain.nz. [TTL 86400s] [A=210.54.xxx.xxx]
210.54.xxx.xxx PTR record: students.yourdomain.nz. [TTL 86400s] [A=210.54.xxx.xxx]
210.54.xxx.xxx PTR record: elearning.yourdomain.nz. [TTL 86400s] [A=210.54.xxx.xxx]
210.54.xxx.xxx PTR record: basketball.yourdomain.nz. [TTL 86400s] [A=210.54.xxx.xxx]
210.54.xxx.xxx PTR record: hibsremote.yourdomain.nz. [TTL 86400s] [A=210.54.xxx.xxx]

Who the heck set up your DNS records and Reverse DNS?
I have never seen that many Reverse DNS records before and cannot see any need for more than one.
I'll check in with another Exchange Expert (or two) and see what they think.

Giladn (CTO/CIO) commented:
alanhardisty is right, blacklist checks are also made on reverse DNS.
You should have only one, pointing to your real server (same as MX record 100).

Alan Hardisty (Co-Owner) commented:
Right - I have spoken to another Exchange Genius and both he and I are of the opinion that you only need one Reverse DNS record, so please lose all but one and ideally keep smtp.yourdomain.nz and then see if life has improved.

Alan Hardisty (Co-Owner) commented:
It may also be worth having a read of the following article for clarification:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2370-Exchange-DNS-Configuration.html 

HIBS_ICT (Author) commented:
Thanks for all your help.
I've now changed our Reverse DNS Records to only have smtp.mydomain. This should now mean all my records are consistent.

1. A record for smtp.mydomain
2. MX record for smtp.mydomain pointing to the A record
3. Exchange Virtual SMTP connector FQDN smtp.mydomain

Now, any ideas how to get off the ICMForbidden blacklist? When I go to the site http://sunsite.icm.edu.pl/spam/bh.html it doesn't help me at all.
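
The consistency the thread arrives at (one PTR record, an A record behind it, and the same name as SMTP FQDN and MX target) written as a repeatable check; this is an added example, not part of the original thread. DNS lookups are injected as functions, and 192.0.2.25 and the `example.test` host names are constructed, modelled on the before and after states described above.

```python
def norm(name):
    return name.rstrip(".").lower()

def audit_mail_identity(ip, helo, mx_hosts, ptr_lookup, a_lookup):
    """Return a list of findings; an empty list means the names are consistent."""
    findings = []
    helo = norm(helo)
    ptrs = [norm(n) for n in ptr_lookup(ip)]
    if len(ptrs) != 1:
        findings.append(f"{len(ptrs)} PTR records for {ip}, expected exactly 1")
    for name in ptrs:
        # Forward-confirm each PTR: the name must have an A record back to the IP.
        if ip not in a_lookup(name):
            findings.append(f"PTR {name} has no A record back to {ip}")
    if ip not in a_lookup(helo):
        findings.append(f"HELO name {helo} does not resolve to {ip}")
    if helo not in ptrs:
        findings.append(f"HELO name {helo} is not a PTR name of {ip}")
    if helo not in [norm(m) for m in mx_hosts]:
        findings.append(f"HELO name {helo} is not an MX target")
    return findings

def table_lookups(ptr_table, a_table):
    """Offline lookup functions built from dicts (stand-ins for real DNS queries)."""
    return (lambda ip: ptr_table.get(ip, []),
            lambda name: a_table.get(norm(name), []))

# Constructed sample data.
IP = "192.0.2.25"
A_RECORDS = {"smtp.example.test": [IP], "cricket.example.test": [IP]}
BEFORE = table_lookups(
    {IP: ["stagechallenge.example.test.", "cricket.example.test.", "smtp.example.test."]},
    A_RECORDS)
AFTER = table_lookups({IP: ["smtp.example.test."]}, A_RECORDS)

def demo_audit():
    mx = ["smtp.example.test"]
    before = audit_mail_identity(IP, "hibsnt03.example.test", mx, *BEFORE)
    after = audit_mail_identity(IP, "smtp.example.test", mx, *AFTER)
    return before, after

if __name__ == "__main__":
    before, after = demo_audit()
    print("before:", *before, sep="\n  ")
    print("after: ", after or "consistent")
```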

Alan Hardisty (Co-Owner) commented:
You are looking much tidier now :)
Not got a clue how to get off the ICMFORBIDDEN site - it's Polish and I don't speak a word!
Sorry.

Alan Hardisty (Co-Owner) commented:
To make everything completely tidy, you might want to add an SPF record too.

Alan Hardisty (Co-Owner) commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.