Solved

My IP address is on the CBL blacklist.  How can I solve this problem?

Posted on 2011-03-15
10,814 Views
Last Modified: 2012-08-13
When a few co-workers send e-mail, they get a response such as:

mail.baileygardiner.com gave this error:
Your server IP address is in the SpamCop database, bye
 -----

When I go to http://www.spamhaus.org, I find:

63.204.100.82 is not listed in the SBL
63.204.100.82 is not listed in the PBL
63.204.100.82 is listed in the XBL, because it appears in: CBL

When I go to the CBL lookup utility, I get this message:

IP Address 63.204.100.82 is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.

Please help!
0
Question by:WeThePeople
49 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 35140025
You either have a virus or are sending out spam.  Please check your Exchange Queues and see if you have lots of mail queuing.

If you don't - please block TCP port 25 for ALL IP Addresses internally on your firewall apart from your Exchange Server IP Address.  That should stop the problem, but not resolve an internal infection on your LAN.
0
 
LVL 7

Expert Comment

by:waleeda
ID: 35140029
You can send them an email to remove your IP from their list.

I have already done this for you :)

check the below:

CBL Removal

Removal of the IP address 63.204.100.82 from the CBL is now pending.

This means that your removal request has been accepted and your IP address WILL be delisted as soon as possible.

The CBL lookup page will already show that the IP address has been removed, but it takes a little longer for mail servers to notice the removal.

It should take no more than an hour or two before all servers that use the CBL notice the removal. Do not contact us to try to speed up removal - it's not possible to speed it up any more than it already is. Please be patient.


reference:
http://cbl.abuseat.org/removeNEW.cgi?ip=63.204.100.82&timestamp=1300207717&hash=178f6aa4da955a893d5dc49ef95d4b7a
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35140042
@waleeda - NEVER request an IP is delisted before the problem is solved.   If you do this and the problem is not resolved, the IP will get listed again and de-listing will become harder.
0
 
LVL 3

Expert Comment

by:AndrewK80
ID: 35140044
First off, you need to check for viruses or anything that could be sending out spam mail. There's no point getting yourself removed and then getting added immediately.

Once you are certain your systems are clean, there's usually a process to get yourself removed from the CBL lists via the page which showed the listing.

As a worst case, you can configure your e-mail server to send out via an SMTP server provided by your ISP. Most have one available.
0
 
LVL 7

Expert Comment

by:waleeda
ID: 35140075
@alanhardisty
At least you will fix the sending email issue, then you can troubleshoot the internal network infection issue, because if you are waiting it will affect the sending functionality for the email service; it might also affect the business.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35140096
Not necessarily, as if you have popped up on one IP Blacklist - then you will probably pop up on another.  You need to tackle the problem first and then clean up.  Cleaning up before resolving the problem is incredibly stupid IMHO.
0
 
LVL 7

Expert Comment

by:waleeda
ID: 35140110
Some external domains will block you if you are listed,

so the users will start complaining.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35140132
It is currently listed on multiple IP Blacklists - so delisting on one is fruitless if you are trying to get mail-flow returning to normal:

Blacklist      Status   Reason                                                                          TTL    ResponseTime
BARRACUDA      LISTED   Detail (return codes were: 127.0.0.2)                                           900    265
CBL            LISTED   Blocked - see Detail (return codes were: 127.0.0.2)                             3600   265
SPAMCOP        LISTED   Blocked - see Detail (return codes were: 127.0.0.2)                             2100   281
Spamhaus-ZEN   LISTED   Detail (return codes were: 127.0.0.4)                                           900    328
UCEPROTECTL1   LISTED   IP 63.204.100.82 is UCEPROTECT-Level 1 listed. See Detail (return codes were: 127.0.0.2)   2100   312
0
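The listing table above is produced by DNS queries against each blacklist zone, and the return code says why the IP was listed. The script below is an added example (not from this thread or from any of the listed services); it builds the reversed-octet query name, resolves it, and decodes the Spamhaus ZEN code so that 127.0.0.4 reads as an XBL/CBL (compromised host) listing. The zone names are the public DNSBL zones of Spamhaus, CBL and SpamCop; the resolver can be swapped for offline testing.

```python
import ipaddress
import socket
from typing import Callable, Optional

# Zones behind three of the listings in the thread (public DNSBL zones).
DNSBL_ZONES = {
    "Spamhaus-ZEN": "zen.spamhaus.org",
    "CBL": "cbl.abuseat.org",
    "SPAMCOP": "bl.spamcop.net",
}

# Spamhaus ZEN answers 127.0.0.X; the last octet identifies the sub-list.
ZEN_CODES = {
    2: "SBL (spam source)",
    3: "SBL CSS",
    4: "XBL/CBL (compromised host: bot, open proxy or trojan)",
    5: "XBL/CBL", 6: "XBL/CBL", 7: "XBL/CBL",
    9: "SBL DROP",
    10: "PBL (dynamic / end-user range)",
    11: "PBL",
}


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 63.204.100.82 -> 82.100.204.63.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def explain_code(zone: str, code: str) -> str:
    """Translate a DNSBL A-record answer into a human-readable listing reason."""
    last = int(code.rsplit(".", 1)[1])
    if zone == "zen.spamhaus.org":
        return ZEN_CODES.get(last, f"unknown ZEN code {code}")
    return f"listed (return code {code})"


def resolve(name: str) -> Optional[str]:
    """Live DNS lookup; NXDOMAIN (gaierror) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, resolver: Callable[[str], Optional[str]] = resolve) -> dict:
    """Map each list name to its decoded reason, or None when the IP is not listed."""
    results = {}
    for list_name, zone in DNSBL_ZONES.items():
        code = resolver(dnsbl_name(ip, zone))
        results[list_name] = None if code is None else explain_code(zone, code)
    return results


if __name__ == "__main__":
    for name, status in check_ip("63.204.100.82").items():
        print(f"{name}: {status or 'not listed'}")
```

Re-run it after blocking outbound port 25: a listing that stays XBL/CBL with a fresh timestamp means a host is still sending.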
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35140215
Please refer to my earlier comment http:#a35140025 - block outbound TCP port 25 for ALL internal IP Addresses apart from your Exchange Server, and then monitor the blacklist sites for the date / time of the last infection report. If the date / time doesn't change, then you have stopped the problem (not resolved it); then you can request de-listing, and then you have to find and tackle the infected computer or computers on your LAN. Something like Malwarebytes - www.malwarebytes.org - should help you to find the infected computer.

To check the blacklist sites, please visit www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org
0
 
LVL 32

Expert Comment

by:it_saige
ID: 35140845
Alan is correct.  From personal experience it is best to stop the spam by temporarily band-aiding the issue (block access to port 25 for all clients except for your mail server).  After you have verified that your firewall rules are in place and that further listings are no longer occurring (bear in mind that you can still be added to lists not because you actually are spamming, but simply because you appear on another list), you can delist your IP.

To assist in finding the culprit client, you can even add logging to the deny rule and watch your firewall logs for activity on the port (so long as your router/firewall supports this).  Once you track down the culprit, you can clean the infected party(ies).

-saige-
0
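The advice above is to log the deny rule and watch which internal host keeps hitting it. The script below is an added example (not from this thread) of that triage: it parses Linux netfilter-style LOG lines from a logged "deny outbound TCP/25" rule and ranks internal sources by how many distinct external mail servers they tried to reach. The log lines are constructed, the rule prefix SMTP-OUT-DENY is assumed, and the Exchange server is 10.0.0.2 as in Alan's example; the Netopia modem in the thread cannot produce such logs, so this assumes a firewall such as pfSense or a Linux box.

```python
import re
from collections import defaultdict

# Constructed sample: netfilter LOG output for a logged outbound-SMTP deny rule.
SAMPLE_LOG = """\
Mar 15 09:01:12 fw kernel: SMTP-OUT-DENY IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=198.51.100.10 PROTO=TCP SPT=49231 DPT=25 SYN
Mar 15 09:01:12 fw kernel: SMTP-OUT-DENY IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=198.51.100.11 PROTO=TCP SPT=49232 DPT=25 SYN
Mar 15 09:01:13 fw kernel: SMTP-OUT-DENY IN=eth1 OUT=eth0 SRC=10.0.0.57 DST=203.0.113.5 PROTO=TCP SPT=49233 DPT=25 SYN
Mar 15 09:01:20 fw kernel: SMTP-OUT-DENY IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=25 SYN
Mar 15 09:01:25 fw kernel: WEB-ALLOW IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=203.0.113.80 PROTO=TCP SPT=51001 DPT=80 SYN
Mar 15 09:02:00 fw kernel: SMTP-OUT-ALLOW IN=eth1 OUT=eth0 SRC=10.0.0.2 DST=198.51.100.10 PROTO=TCP SPT=40000 DPT=25 SYN
"""

# Tolerant of the extra LEN=/TOS=/TTL= fields a real kernel log carries between these keys.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+).*?DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def smtp_talkers(log_text, mail_server_ip):
    """Return [(src_ip, attempts, distinct_destinations)] for hosts other than the
    mail server that tried TCP/25 outbound, most suspicious first."""
    hits = defaultdict(lambda: {"attempts": 0, "destinations": set()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["proto"] != "TCP" or m["dpt"] != "25":
            continue
        if m["src"] == mail_server_ip:
            continue  # the Exchange server is the only host meant to send SMTP directly
        hits[m["src"]]["attempts"] += 1
        hits[m["src"]]["destinations"].add(m["dst"])
    # A bot sprays many different MTAs; a misconfigured client usually hits one.
    return sorted(
        ((src, v["attempts"], len(v["destinations"])) for src, v in hits.items()),
        key=lambda t: (-t[2], -t[1], t[0]),
    )


if __name__ == "__main__":
    for src, attempts, dests in smtp_talkers(SAMPLE_LOG, "10.0.0.2"):
        print(f"{src}: {attempts} blocked SMTP attempts to {dests} distinct servers")
```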
 

Author Comment

by:WeThePeople
ID: 35141477
I have no idea how to "(block access to port 25 for all clients except for your mail server). "

I know the ip address of our server that is running exchange 2010.

I know how to edit the settings in the router.
0
 
LVL 7

Expert Comment

by:waleeda
ID: 35141538
From the router, instead of enabling port 25 from the whole internal network to the whole external network, you can edit this rule by enabling port 25 (SMTP) from your Exchange server only to the external network.
0
 

Author Comment

by:WeThePeople
ID: 35141542
To Alan Hardisty,

Where can I go to get the information (you presented above)  that shows all the blacklists that I am on?

Thank you.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 35141597
Refer to Alan's post: http:#a35140215.  He has the links of two of the RBLs listed.

-saige-
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35141601
The links are in my last comment.  mxtoolbox.com and blacklistalert.org

If your router is IP 10.0.0.1 and your server is 10.0.0.2, then you create a rule to allow port 25 (SMTP) outbound from IP 10.0.0.2 and block 10.0.0.3 to 10.0.0.254.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 35141617
0
 

Author Comment

by:WeThePeople
ID: 35141972
There is a pinhole name = smtp, protocol = tcp, where the internal port = 25, the external port = 25, and the internal ip address is the address of the server.
0
 

Author Comment

by:WeThePeople
ID: 35141994
The pinhole mentioned above is in the router.
To me, this means only the mail server is sending/receiving information over port 25.

Is there a way to determine if a client computer that is a member of the domain is sending information over port 25?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35142094
The pinhole is allowing port 25 inbound and presumably outbound.

To test a client, use telnet (might have to install it first if using windows vista / 7), then try connecting to my mail server from a command prompt.

telnet mail.sohomail.co.uk 25

If you can connect, then the port is open for your clients too.  If not, then it seems that it isn't and then you face the possibility of your server spamming, or a client spamming via Outlook Anywhere, or an authenticated relay attack!!
0
 
LVL 32

Expert Comment

by:it_saige
ID: 35142170
Depending on your firewall, the rule outlined above is probably more just for inbound rules specifically.  What brand and model of firewall are you using?

-saige-
0
 

Author Comment

by:WeThePeople
ID: 35142505
I did find a computer loaded with 14 viruses (java) and Fake AV.  I have since taken that computer off the network and will reformat the hard drive.  
0
 

Author Comment

by:WeThePeople
ID: 35142534
I have a Netopia (Motorola) 3347 DSL modem.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35142544
Did you try the telnet test?  Did you get a connection?
0
 

Author Comment

by:WeThePeople
ID: 35142742
On my computer, the telnet could not make a connection.  Should I try the computer with the viruses?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35142752
Yes please.
0
 

Author Comment

by:WeThePeople
ID: 35142793
Now on my computer, it does make a successful connection.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35143039
Okay - so port 25 is open for your users - which it shouldn't be if you want a safe / secure network.

You need to tighten up your firewall / router security or this problem will keep happening.
0
 

Author Comment

by:WeThePeople
ID: 35143071
I would say all the computers in the office are able to connect to
telnet mail.sohomail.co.uk 25

0
 

Author Comment

by:WeThePeople
ID: 35143080
How do I close port 25 on client computers (most use XP, some use Vista, some use Win 7)?
0
 

Author Comment

by:WeThePeople
ID: 35143081
All my computers use Outlook 2010.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35143113
To close the port, you have to block it on your router / firewall / modem.  If you can't then change it to one that you can.
0
 

Author Comment

by:WeThePeople
ID: 35143322
What is the simplest way to block port 25 on all computers (except the Server)?
0
 
LVL 6

Expert Comment

by:itnetworkn
ID: 35143331
I would do this from the firewall. Allow port 25 from your Exchange server, and then block it for everyone else. Let me know if you have any other questions, and I'll be happy to help further.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35143424
Having looked through the manual for your modem, it seems you can restrict inbound ports, but not outbound ports!

Time to buy a proper DSL router that can block outbound ports.

Alan
0
 

Author Comment

by:WeThePeople
ID: 35143431
Alan, we purchased this router from AT&T, which they recommended, about 6 months ago.
0
 

Author Comment

by:WeThePeople
ID: 35143443
Itnetworkn:

Regarding your statement "I would do this from the firewall. Allow port 25 from your Exchange server, and then block it for everyone else", how is this done?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35143518
Sure - ask them where to block outbound port 25 for all internal workstations and wait for the response.  It is either not possible, or not easy to find in the manual.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35143527
Itnetworkn is posting the same suggestion I have already posted and am discussing now.  Unless he/she has knowledge of the particular modem, then AT&T is your best bet.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 35143642
Agreed.  Most likely the only thing that AT&T will be able to do is block port 25 for all, but it won't hurt to ask.  If AT&T can't help then you will have to use another router to tighten up security.  Bear in mind that you don't have to spend an exorbitant amount of money either.  If you have a computer that has been recently retired and can add a couple of network cards to it, you can install any number of open source firewalls on it.  Personally I use pfSense (http://www.pfsense.org).

-saige-
0
 

Author Comment

by:WeThePeople
ID: 35143715
Would it not seem easy to say:

Router, if the traffic coming across port 25 is coming from the ip address of the server, then process it, otherwise block it.

Then, how do I instruct the router to do just that?  (By the way, I do have the router manual).
0
 
LVL 32

Expert Comment

by:it_saige
ID: 35143740
Essentially that is what you need to do but your router/firewall does not block outgoing requests according to one of the previous posts.

-saige-
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35145200
I have read the manual (quickly) online and can't find any way to block outbound traffic.  It might be allowing all outbound traffic by default and if that is the case, I would be buying a new router personally, as you need to be able to block outbound traffic!
0
 

Author Comment

by:WeThePeople
ID: 35158460
I ran a full system scan of the server and all computers (using Symantec Endpoint Protection with the latest updates).

All computers scanned okay except for one.  That computer was running very slow, and had a problem:

I got the following message:

Risk Name - HTTPS Tidserv Request 2
Attacking computer - jna0-0akq8x.com (91.207.192.22, 443)
Destination address - 192.169.1.119, 3968
Traffic Description - TCP, https

I downloaded the FixTDSS.exe tool (from Symantec) and it removed the threat and fixed the mbr (master boot record)  

I am no longer getting "warning messages" on that computer, and it is running really fast now.

Could this be the source of my problem?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35158534
Sure sounds like it.

I would still be investing in a router that you can block TCP port 25 outbound with as the next infection will see you having the same problem again and if you can avoid the hassle, then it would be good for the stress levels of all concerned.

Alan
0
 

Author Comment

by:WeThePeople
ID: 35158649
Thanks Alan.  I will check with AT&T and see if they offer a new asynchronous DSL router.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35158716
You might be better off buying your own - if you are using straight ADSL - then any router that has a built-in modem should be fine, just as long as you can block ports outbound.

We prefer to keep the ISP's router in the box, as quite often they can tweak (upgrade) the modem / router remotely and that has left us facing phone calls to fix an internet problem caused by the ISP upgrading the router without warning!

Also - if the ISP doesn't have their own router on the line - they won't touch it and won't ask the customer to factory reset it (usually), also preventing a lot of headaches as a factory reset ISP router usually loses the config needed to make servers work and of course they don't know / care as long as they get you back on the internet!
0
 

Author Comment

by:WeThePeople
ID: 35158956
I called AT&T Internet Tech Support.  They said my Netopia 3347 DSL router is the newest router for business use.  I told them I need to block port 25 and the Netopia does not allow me to do that.  They said I could go out and purchase any DSL router.  I thought I could only buy it from them.

I will go out and shop around for a new DSL router (if you know of a good one let me know).

I checked the www.BlackListAlert.org web site and saw that we are only on 1 blacklist now (located in Europe).  They will remove us in 6 days (unless the same problem surfaces again).

Thanks for all your help.

0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 35159101
I guess the type of router depends on your budget.

You can get combined ADSL Modems and Routers or just routers - if you want to go cheap and cheerful, but will do the job, Netgear make some cheap combined devices such as the DGN1000 device, but you might want something more robust / business-like and the Sonicwall range or similar are better but don't include a DSL modem, so you would need to buy two devices.

I would chat to someone in a store near you (who you trust) and see what they have and suggest and perhaps before committing - post their suggestions and I (plus others) can add their $0.02 worth.
0
 

Author Closing Comment

by:WeThePeople
ID: 35184003
We had one rogue computer where the end-user did not renew their anti-virus software a few months ago.  We replaced that computer with a brand new one (with the latest a/v software and definitions).

Thanks for all your help.
0