Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.
My IP address is on the CBL blacklist. How can solve this problem?
When a few co-workers send e-mail, they get a response such as:
mail.baileygardiner.com gave this error:
Your server IP address is in the SpamCop database, bye
-----
When I go to http://www.spamhaus.org, I find:
63.204.100.82 is not listed in the SBL
63.204.100.82 is not listed in the PBL
63.204.100.82 is listed in the XBL, because it appears in: CBL
When I go to the CBL lookup utility, I get this message:
IP Address 63.204.100.82 is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.
Please help!
mail.baileygardiner.com gave this error:
Your server IP address is in the SpamCop database, bye
-----
When I go to http://www.spamhaus.org, I find:
63.204.100.82 is not listed in the SBL
63.204.100.82 is not listed in the PBL
63.204.100.82 is listed in the XBL, because it appears in: CBL
When I go to the CBL lookup utility, I get this message:
IP Address 63.204.100.82 is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.
Please help!
Who is Participating?
you can send them email to remove your IP from their list
i already has done this for you :)
check the below:
CBL Removal
Removal of the IP address 63.204.100.82 from the CBL is now pending.
This means that your removal request has been accepted and your IP address WILL be delisted as soon as possible.
The CBL lookup page will already show that the IP address has been removed, but it takes a little longer for mail servers to notice the removal.
It should take no more than an hour or two before all servers that use the CBL notice the removal. Do not contact us to try to speed up removal - it's not possible to speed it up any more than it already is. Please be patient.
reference:
http://cbl.abuseat.org/removeNEW.cgi?ip=63.204.100.82×tamp=1300207717&hash=178f6aa4da955a893d5dc49ef95d4b7a
i already has done this for you :)
check the below:
CBL Removal
Removal of the IP address 63.204.100.82 from the CBL is now pending.
This means that your removal request has been accepted and your IP address WILL be delisted as soon as possible.
The CBL lookup page will already show that the IP address has been removed, but it takes a little longer for mail servers to notice the removal.
It should take no more than an hour or two before all servers that use the CBL notice the removal. Do not contact us to try to speed up removal - it's not possible to speed it up any more than it already is. Please be patient.
reference:
http://cbl.abuseat.org/removeNEW.cgi?ip=63.204.100.82×tamp=1300207717&hash=178f6aa4da955a893d5dc49ef95d4b7a
@waleeda - NEVER request an IP is delisted before the problem is solved. If you do this and the problem is not resolved, the IP will get listed again and de-listing will become harder.
first off you need to check for virus' or anything that could be sending out spam mail. There's no point getting yourself removed and then getting added immediatley.
Once you are certain your systems are clean, there's usually a process to get yourself removed from the CBL lists via the page which showed the listing.
As a worst case, you can configure your e-mail server to send out via an SMTP provided by your isp. Most have one avaliable.
Once you are certain your systems are clean, there's usually a process to get yourself removed from the CBL lists via the page which showed the listing.
As a worst case, you can configure your e-mail server to send out via an SMTP provided by your isp. Most have one avaliable.
@ alanhardisty
at least you will fix the sending email issue then you can troubleshoot the internal network infection issue, because if you are waiting it will affect the sending functionality for the email service also it might affect the business
at least you will fix the sending email issue then you can troubleshoot the internal network infection issue, because if you are waiting it will affect the sending functionality for the email service also it might affect the business
Not necessarily as if you have popped up on one IP Blacklist - then you will probably pop up on another. You need to tackle the problem first and then clean up. Cleaning up before resolving the problem is incredibly stupid IMHO.
It is currently listed on multiple IP Blacklists - so delisting on one is fruitless if you are trying to get mail-flow returing to normal:
Blacklist Status Reason TTL ResponseTime
BARRACUDA LISTED Detail
Return codes were: 127.0.0.2 900 265
CBL LISTED Blocked - see Detail
Return codes were: 127.0.0.2 3600 265
SPAMCOP LISTED Blocked - see Detail
Return codes were: 127.0.0.2 2100 281
Spamhaus-ZEN LISTED Detail
Return codes were: 127.0.0.4 900 328
UCEPROTECTL1 LISTED IP 63.204.100.82 is UCEPROTECT-Level 1 listed. See Detail
Return codes were: 127.0.0.2 2100 312
Blacklist Status Reason TTL ResponseTime
BARRACUDA LISTED Detail
Return codes were: 127.0.0.2 900 265
CBL LISTED Blocked - see Detail
Return codes were: 127.0.0.2 3600 265
SPAMCOP LISTED Blocked - see Detail
Return codes were: 127.0.0.2 2100 281
Spamhaus-ZEN LISTED Detail
Return codes were: 127.0.0.4 900 328
UCEPROTECTL1 LISTED IP 63.204.100.82 is UCEPROTECT-Level 1 listed. See Detail
Return codes were: 127.0.0.2 2100 312
Please refer to my earlier comment http:#a35140025 - Block outbound TCP port 25 for ALL internal IP Addresses apart from your Exchange Server and then monitor the blacklist sites for the date / time of the last infection report - if the date / time doesn't change, then you have stopped the problem (not resolved it), then you can request de-listing and then you have to find and tackle the infected computer or computers on your LAN and something like Malwarebytes - www.malwarebytes.org should help you to find the infected computer.
To check the blacklist sites, please visit www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org
To check the blacklist sites, please visit www.mxtoolbox.com/blacklists.aspx and www.blacklistalert.org
alan is correct. From personal experience it is best to stop the spam by temporarily band-aiding the issue (block access to port 25 for all clients except for your mail server). After you have verified that your firewall rules are in place and that further listings are no longer occuring (bear in mind that you can still be added to lists not because you actually are spamming, but simply because you appear on another list), you can delist your ip.
To assist in finding the culprit client, you can even add logging to the deny rule and watch your firewall logs for activity on the port (so long as your router/firewall supports this). Once you track down the culprit, you can clean the infected party(ies).
-saige-
To assist in finding the culprit client, you can even add logging to the deny rule and watch your firewall logs for activity on the port (so long as your router/firewall supports this). Once you track down the culprit, you can clean the infected party(ies).
-saige-
I have no idea how to "(block access to port 25 for all clients except for your mail server). "
I know the ip address of our server that is running exchange 2010.
I know how to edit the settings in the router.
I know the ip address of our server that is running exchange 2010.
I know how to edit the settings in the router.
from the router instead of enabling the port 25 from the whole internal network to the whole external network, you can edit this rule by enabling the port 25 SMTP from you exchange server only to external network
To Alan Hardisty,
Where can I go to get the information (you presented above) that shows all the blacklists that I am on?
Thank you.
Where can I go to get the information (you presented above) that shows all the blacklists that I am on?
Thank you.
The links are in my last comment. mxtoolbox.com and blacklistalert.org
If you router is ip 10.0.0.1 and your server is 10.0.0.2, then you create a rule to allow port 25 (SMTP) outbound from ip 10.0.0.2 and block 10.0.0.3 to 10.0.0.254
If you router is ip 10.0.0.1 and your server is 10.0.0.2, then you create a rule to allow port 25 (SMTP) outbound from ip 10.0.0.2 and block 10.0.0.3 to 10.0.0.254
FYI, those links were:
http://www.mxtoolbox.com/blacklists.aspx and http://www.blacklistalert.org/
-saige-
http://www.mxtoolbox.com/blacklists.aspx and http://www.blacklistalert.org/
-saige-
There is a pinhole name = smtp, protocol = tcp, where the internal port = 25, the external port = 25, and the internal ip address is the address of the server.
The pinhole mentioned above is in the router.
To me, this means only the mail server is sending/receiving information over port 25.
Is there a way to determine if a client computer who is a member of the domain, is sending information over port 25?
To me, this means only the mail server is sending/receiving information over port 25.
Is there a way to determine if a client computer who is a member of the domain, is sending information over port 25?
The pinhole is allowing port 25 inbound and presumably outbound.
To test a client, use telnet (might have to install it first if using windows vista / 7), then try connecting to my mail server from a command prompt.
telnet mail.sohomail.co.uk 25
If you can connect, then the port is open for your clients too. If not, then it seems that it isn't and then you face the possibility of your server spamming, or a client spamming via Outlook Anywhere, or an authenticated relay attack!!
To test a client, use telnet (might have to install it first if using windows vista / 7), then try connecting to my mail server from a command prompt.
telnet mail.sohomail.co.uk 25
If you can connect, then the port is open for your clients too. If not, then it seems that it isn't and then you face the possibility of your server spamming, or a client spamming via Outlook Anywhere, or an authenticated relay attack!!
Depending on your firewall, the rule oulined above is probably more just for inbound rules specifically. What brand and model of firewall are you using?
-saige-
-saige-
I did find a computer loaded with 14 viruses (java) and Fake AV. I have since taken that computer off the network and will reformat the hard drive.
Okay - so port 25 is open for your users - which it shouldn't be if you want a safe / secure network.
You need to tighten up your firewall / router security or this problem will keep happening.
You need to tighten up your firewall / router security or this problem will keep happening.
To close the port, you have to block it on your router / firewall / modem. If you can't then change it to one that you can.
I would do this from the firewall. Allow port 25 from your Exchange server, and then block it for everyone else. Let me know if you have any other questions, and I'll be happy to help further.
Having looked through the manual for your modem, it seems you can restrict inbound ports, but not outbound ports!
Time to buy a proper DSL router that can block outbound points.
Alan
Time to buy a proper DSL router that can block outbound points.
Alan
Inetworkn:
Regarding your statement "I would do this from the firewall. Allow port 25 from your Exchange server, and then block it for everyone else", how is this done..
Regarding your statement "I would do this from the firewall. Allow port 25 from your Exchange server, and then block it for everyone else", how is this done..
Sure - ask them where to block outbound port 25 for all internal workstations and wait for the response. It is either not possible, or not easy to find in the manual.
Itnetworkn is posting the same suggestion I have already posted and am discussing now. Unless he/she has knowledge of the particular modem, then AT&T is your best bet.
Agreed. Most likely the only thing that AT&T will be able to do is block port 25 for all, but it won't hurt to ask. If AT&T can't help then you will have to use another router to tighten up security. Bear in mind that you don't have to spend an exorbitant amount of money either. If you have a computer that has been recently retired and can add a couple of network cards to it, you can install any number of open source firewalls on it. Personally I use Pfsense (http://www.pfsense.org).
-saige-
-saige-
Would it not seem easy to say:
Router, if the traffic coming across port 25 is coming from the ip address of the server, then process it, otherwise block it.
Then, how do I instruct the router to do just that? (By the way, I do have the router manual).
Router, if the traffic coming across port 25 is coming from the ip address of the server, then process it, otherwise block it.
Then, how do I instruct the router to do just that? (By the way, I do have the router manual).
Essentially that is what you need to do but your router/firewall does not block outgoing requests according to one of the previous posts.
-saige-
-saige-
I have read the manual (quickly) online and can't find any way to block outbound traffic. It might be allowing all outbound traffic by default and if that is the case, I would be buying a new router personally, as you need to be able to block outbound traffic!
I ran a full system scan of the server and all computers (using symantec endpoint protection with the latest updates).
All computers scanned okay except for one. That computer was running very slow, and had a problem:
I got the following message:
Risk Name - HTTPS Tidserv Request 2
Attacking computer - jna0-0akq8x.com (91.207.192.22, 443)
Destination address - 192.169.1.119, 3968
Traffic Description - TCP, https
I downloaded the FixTDSS.exe tool (from Symantec) and it removed the threat and fixed the mbr (master boot record)
I am no longer getting "warning messages" on that computer, and it is running really fast now.
Could this be the source of my problem?
All computers scanned okay except for one. That computer was running very slow, and had a problem:
I got the following message:
Risk Name - HTTPS Tidserv Request 2
Attacking computer - jna0-0akq8x.com (91.207.192.22, 443)
Destination address - 192.169.1.119, 3968
Traffic Description - TCP, https
I downloaded the FixTDSS.exe tool (from Symantec) and it removed the threat and fixed the mbr (master boot record)
I am no longer getting "warning messages" on that computer, and it is running really fast now.
Could this be the source of my problem?
Sure sounds like it.
I would still be investing in a router that you can block TCP port 25 outbound with as the next infection will see you having the same problem again and if you can avoid the hassle, then it would be good for the stress levels of all concerned.
Alan
I would still be investing in a router that you can block TCP port 25 outbound with as the next infection will see you having the same problem again and if you can avoid the hassle, then it would be good for the stress levels of all concerned.
Alan
You might be better off buying your own - if you are using straight ADSL - then any router that has a built-in modem should be fine, just as long as you can block ports outbound.
We prefer to keep the ISP's router in the box, as quite often they can tweak (upgrade) the modem / router remotely and that has left us facing phone calls to fix an internet problem caused by the ISP upgrading the router without warning!
Also - if the ISP doesn't have their own router on the line - they won't touch it and won't ask the customer to factory reset it (usually), also preventing a lot of headaches as a factory reset ISP router usually loses the config needed to make servers work and of course they don't know / care as long as they get you back on the internet!
We prefer to keep the ISP's router in the box, as quite often they can tweak (upgrade) the modem / router remotely and that has left us facing phone calls to fix an internet problem caused by the ISP upgrading the router without warning!
Also - if the ISP doesn't have their own router on the line - they won't touch it and won't ask the customer to factory reset it (usually), also preventing a lot of headaches as a factory reset ISP router usually loses the config needed to make servers work and of course they don't know / care as long as they get you back on the internet!
I called AT&T Internet Tech Support. They said my Netopia 3347 DSL router is the newest router for business use. I told them I need to block port 25 and the Netopia does not allow me to do that. They said I could go out and purchase any DSL router. I thought I could only buy it from them.
I will go out and shop around for a new DSL router (if you know of a good one let me know).
I checked the ww.BlackListAlert.org web site and saw that we are only on 1 blacklist now (located in Europe). They will remove us in 6 days (unless the same problem surfaces again).
Thanks for all your help.
I will go out and shop around for a new DSL router (if you know of a good one let me know).
I checked the ww.BlackListAlert.org web site and saw that we are only on 1 blacklist now (located in Europe). They will remove us in 6 days (unless the same problem surfaces again).
Thanks for all your help.
I guess the type of router depends on your budget.
You can get combined ADSL Modems and Routers or just routers - if you want to go cheap and cheerful, but will do the job, Netgear make some cheap combined devices such as the DGN1000 device, but you might want something more robust / business-like and the Sonicwall range or similar are better but don't include a DSL modem, so you would need to buy two devices.
I would chat to someone in a store near you (who you trust) and see what they have and suggest and perhaps before committing - post their suggestions and I (plus others) can add their $0.02 worth.
You can get combined ADSL Modems and Routers or just routers - if you want to go cheap and cheerful, but will do the job, Netgear make some cheap combined devices such as the DGN1000 device, but you might want something more robust / business-like and the Sonicwall range or similar are better but don't include a DSL modem, so you would need to buy two devices.
I would chat to someone in a store near you (who you trust) and see what they have and suggest and perhaps before committing - post their suggestions and I (plus others) can add their $0.02 worth.
We had one rogue computer where the end-user did not renew their anti-virus software a few months ago. We replaced that computer with a brand new one (with the latest a/v software and definitions).
Thanks for all your help.
Thanks for all your help.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
All Courses
From novice to tech pro — start learning today.
If you don't - please block TCP port 25 for ALL IP Addresses internally on your firewall apart from your Exchange Server IP Address. That should stop the problem, but not resolve an internal infection on your LAN.