Blacklisted on 2 separate occasions - not sure why?

Hi Experts,
Recently our email domain/public IP address has been blacklisted on two separate occasions over the past 3 weeks on two different blacklists, which caused outgoing/external email to get bounced. Incoming email seemed to be unaffected.

On the most recent occasion we got added to one blacklist on Friday and I got us removed on Saturday, but we are still getting a small number of emails that are being bounced back and I'm not sure why - any ideas? I'm concerned we may get added again if we don't find out the cause of the issue. We are currently running SBS 2003 as our email server and have a Sonicwall email security/spam appliance that filters email. We have AVG anti-virus installed on all servers and client computers.
Is there any way to find out why we got onto the blacklists in the first place? Are there any software tools available? I also really want to prevent us from getting onto any blacklists in the future.

Two example NDRs we have received are the following:

The following recipient(s) cannot be reached:
1)
      firstanme@companya.co.uk on 17/10/2011 13:38
            This message was rejected due to the current administrative policy by the destination server.  Please retry at a later time.  If that fails, contact your system administrator.
            <mail.wisdom.ltd.uk #5.3.2 smtp;554 mx.ptn-ipin04.plus.net Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.>

2)

The following recipient(s) could not be reached:
 firstname.lastname@zzzcompnay.co.uk on 17/10/2011 16:55
            The e-mail system was unable to deliver the message, but did not report a specific reason.  Check the address and try again.  If it still fails, contact your system administrator.
            <mail.wisdom.ltd.uk #5.0.0 smtp;550 Invalid recipient <firstname.lastname@zzzcompnay.co.uk > (#5.1.1)>
Asked by kevin1983

2 Solutions
 
Hendrik Wiese commented:
Go to www.mxtoolbox.com

Also ask your service provider to create a PTR for your domain.
 
carlmd commented:
The first example is due to reputation, but the second indicates the person you sent to at that domain does not exist. The second indicates the person is not at that email address, typically due to a typo.

You didn't mention how large your installation is, but chances are some PC is sending spam. Where do you send your email, to a local Exchange server or to an ISP directly? If you have a local MTA then check the logs to see if anyone in particular is sending a lot of email. If you are sending spam then probably some of those emails are being bounced and returned to you. If you can look at the headers of one of those, it might give you a clue. If you have one, please post it.
 
Hendrik Wiese commented:
The DNS PTR record for a host name is your reverse lookup. You can also check your blacklist status at mxtoolbox.com
 
kevin1983 (Author) commented:
I've checked our blacklist status at mxtoolbox.com and we don't appear to be listed on any blacklists at the moment.
 
kevin1983 (Author) commented:
HendrikWiese: do you mean ask our internet service provider to set up a PTR for our public domain? Is there a way to check whether we already have one set up?
 
kevin1983 (Author) commented:
carlmd: the second NDR had the correct recipient email address - the user has emailed that person before, so I don't think it's a typo.

Our setup is quite small and we send our email to a local Exchange 2003 server (well, an SBS 2003 server) and it uses the Sonicwall Email Security 300 appliance as a smart host. Which logs should I check and where do I find them? If you can clarify where to check the headers I'll post them on here.
 
carlmd commented:
Try your lookup here, it will report reputation...

http://www.spamhaus.org/lookup.lasso
 
kevin1983 (Author) commented:
On the SMTP connector it's set to forward all email to the Sonicwall Email Security 300 box as a smart host.
 
carlmd commented:
Check the Exchange logs first; you are looking for a user sending an unusually large number of emails. Also look at the outgoing email queue to see if there are a lot of messages queued. Typically with a spam sender you could see 1,000 or more.

Then check the logs on the Sonicwall as well, again looking for a spike in outgoing mail.

The headers would be helpful only if you get back a bounced spam email. They could tell you which user is sending those emails, assuming that is your problem.
 
Hendrik Wiese commented:
You can check if you have a PTR set up using www.mxtoolbox.com

1. Go to www.mxtoolbox.com
2. Type in your domain name
3. Click on the MX Lookup button
4. Now move your mouse pointer over your IP address and click
5. Now it will check if you have a PTR set up; if you don't have one it will obviously return no results
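The PTR and blacklist checks in the steps above can also be scripted. The block below is an added example, not code from this thread or from mxtoolbox: it does a forward-confirmed reverse DNS (FCrDNS) check, which goes one step beyond the PTR lookup described by also confirming that the PTR name resolves back to the IP, and a DNSBL lookup, both against a constructed in-memory resolver so it runs offline. The host names, the DNSBL zone dnsbl.example, and the mapping of MX priorities 10 and 30 to the two IPs mentioned in the thread are assumptions; for live use, replace fake_resolve with a real resolver.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed DNS answers standing in for a real resolver so the check runs offline.
# The two IPs come from the thread; the host names and the DNSBL listing are assumed.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("PTR", "122.35.169.212.in-addr.arpa"): ["mail.wisdom.ltd.uk"],
    ("A", "mail.wisdom.ltd.uk"): ["212.169.35.122"],
    ("PTR", "146.128.87.80.in-addr.arpa"): ["backup-mx.example.net"],
    ("A", "backup-mx.example.net"): ["80.87.128.146"],
    # A DNSBL zone answers with an A record in 127.0.0.0/8 only for listed IPs.
    ("A", "146.128.87.80.dnsbl.example"): ["127.0.0.2"],
}

Resolver = Callable[[str, str], List[str]]


def fake_resolve(rtype: str, name: str) -> List[str]:
    """Stand-in resolver: returns the constructed answers, or nothing (NXDOMAIN)."""
    return FAKE_DNS.get((rtype, name), [])


def reversed_octets(ip: str) -> str:
    """Reverse the dotted quad, as both PTR and DNSBL query names require."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def fcrdns(ip: str, resolve: Resolver = fake_resolve) -> dict:
    """Forward-confirmed reverse DNS: a PTR must exist and its name must resolve back to ip."""
    ptrs = resolve("PTR", reversed_octets(ip) + ".in-addr.arpa")
    confirmed = [host for host in ptrs if ip in resolve("A", host)]
    return {"ip": ip, "ptr": ptrs, "forward_confirmed": confirmed}


def dnsbl_listed(ip: str, zone: str, resolve: Resolver = fake_resolve) -> bool:
    """An IP is listed when <reversed ip>.<zone> returns an A record inside 127.0.0.0/8."""
    answers = resolve("A", f"{reversed_octets(ip)}.{zone}")
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    return any(ipaddress.IPv4Address(a) in loopback for a in answers)


def mx_health(mx_ips: Dict[int, str], zone: str, resolve: Resolver = fake_resolve) -> Dict[int, dict]:
    """Run both checks for every MX host, keyed by MX priority (e.g. 10, 20, 30)."""
    return {prio: {**fcrdns(ip, resolve), "listed": dnsbl_listed(ip, zone, resolve)}
            for prio, ip in mx_ips.items()}


if __name__ == "__main__":
    for prio, result in mx_health({10: "212.169.35.122", 30: "80.87.128.146"}, "dnsbl.example").items():
        print(prio, result)
```

Every MX host and smart host that can emit mail for the domain, not just the primary, needs a confirmed PTR and a clean listing status, which is why the check walks all priorities.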
 
kevin1983 (Author) commented:
Do you mean use the message tracking tool on Exchange to list recent emails? I had a look on our Sonicwall ES300 box and can't see excessive outgoing email.
 
kevin1983 (Author) commented:
HendrikWiese: not sure if I've done the check correctly, but it looks like we have an A record but no reverse lookup found for our public IP address of 212.169.35.122. However, the IP address for our A record for the public IP has a PTR record. Is this correct?
 
kevin1983 (Author) commented:
See attached screenshot from mxtoolbox. [screenshot: mxtoolbox]
 
Hendrik Wiese commented:
Your PTR seems fine, let's check the blacklist.

PTR results below:
[screenshot: PTR Results]
 
kevin1983 (Author) commented:
It looks like A record 30 is on a blacklist (backscatter) and they ask for payment to be removed from their website, see mxtoolbox screenshot.
Although I think usually mail should always be going via the first A record (10), not 20 or 30.

[screenshot: backscatter]
 
kevin1983 (Author) commented:
Still not sure which logs need to be checked on Exchange, please clarify.
 
Hendrik Wiese commented:
The following record is still blacklisted:
[screenshot: Black Listed] It is blacklisted at the following list:
[screenshot: Black Listed Location]
You can go to http://mxtoolbox.com/BlacklistSuggestions.aspx?ip=80.87.128.146 to resolve the issue and can also monitor there at a cost of $20/month for 10 monitors.
 
Hendrik Wiese commented:
After going to http://mxtoolbox.com/BlacklistSuggestions.aspx?ip=80.87.128.146 they should be able to tell you why you were blacklisted in the first place.
 
kevin1983 (Author) commented:
What if we were to remove the 30 record, as email should only be going via the 10 record?
80.87.128.146 is also configured on our Sonicwall ES 300 as a backup email SMTP server, which is a server hosted externally by the people who maintain our domain name - perhaps this is causing an issue.

The backup SMTP server is only meant to be used to hold copies of emails in the event we have an internal issue with our email server or internet connection preventing email from being delivered to us. Once the issue is resolved the backup SMTP server feed should send email on to us.
 
kevin1983 (Author) commented:
HendrikWiese: OK thanks, I just completed the form, although it says they currently only respond to people in the US or Canada and I'm based in the UK, so I may not get an answer.
 
Hendrik Wiese commented:
Hope they do help you though. But yes, removing the 30 record will also do the trick, although everything should be going through your 10 record.
 
kevin1983 (Author) commented:
OK, so if everything is going through 30 I don't really understand why this would have an impact, unless just some emails have gone through 30. We don't really want to pay backscatter to get us removed as it doesn't seem right. We don't feel we have been doing anything wrong without knowing.
 
Hendrik Wiese commented:
If you remove 30 (although in theory it should not have gone through 30) then it will force the mails to go through 10 and 20.
 
kevin1983 (Author) commented:
OK, ideally I'd still like to try to find out what caused the problems in the first place. Where on Exchange can I check to see if there has been excessive outgoing email?

We have scanned client computers for viruses/malware in case they were sending out email but so far can't find any computers with issues.
 
Hendrik Wiese commented:
This is a downfall with Exchange: proper reporting. You can use Message Tracking under your tools to see if there were high message volumes. You can also then select all and copy to Excel to sort and manage the results.
 
kevin1983 (Author) commented:
OK, I've done that and can't see any excessive email being sent out from anyone, so I guess this suggests no user's mailbox or client computer has been infected? Or could junk email possibly still have been sent out without being logged on Exchange and the Sonicwall box?
 
Hendrik Wiese commented:
If you don't see anything suspicious on the user mailboxes then it would be safe to assume that no users were affected.
 
kevin1983 (Author) commented:
OK, I guess that's good news in one way. Any suggestions on how we might have got onto the blacklist in the first place?

Our Sonicwall box seems to have an upgrade (Kaspersky anti-virus service) that checks outgoing email for viruses, monitors excessive outgoing email, defends against zombie computers, and can alert me if email is sent from an address not in our LDAP, which I'm thinking might be worth paying for (annual fee). Although if no users were infected this time, perhaps it's something else we need to do to prevent it happening again in future; I'm just not sure what could be done.
 
Hendrik Wiese commented:
Not sure how we could see what the cause was besides paying to see the report from BACKSCATTERER. Might be worth paying for this one-off to eliminate the initial cause.
 
kevin1983 (Author) commented:
OK, something I just spotted is that we recently had a number of outgoing emails from this email address: postmaster@mail.wisdom.ltd.uk
 
Hendrik Wiese commented:
So you would need to stop those emails, as this is probably the root cause of your issue.
 
kevin1983 (Author) commented:
They all seem to have the subject line: "Delivery report"

It's not exactly a valid email address, as our emails end with wisdom.ltd.uk, i.e. without the mail part.
I think it might be an address set up on our Sonicwall email security box.
 
Hendrik Wiese commented:
Yes, that is possibly spam mails coming in to your domain and then the postmaster address replies with endless non-delivery reports, and thus the blacklist. You would have to stop those emails.
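The two signals this thread says to look for in the message tracking data, one user sending an unusual volume (carlmd's advice further up) and postmaster NDRs going out to external addresses in bulk (the backscatter Hendrik describes above), can be pulled out of an exported log with a script like this. It is an added example, not code from the thread, Exchange or Sonicwall; the four-column log format and its entries are constructed for illustration, so a real Message Tracking export needs its own column mapping.

```python
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List

# The thread's mail domain and the appliance host name count as "internal".
LOCAL_DOMAINS = {"wisdom.ltd.uk", "mail.wisdom.ltd.uk"}
# Subject lines that mark a message as a bounce / non-delivery report.
NDR_SUBJECTS = {"delivery report", "undeliverable", "delivery status notification"}

# Constructed sample of outbound tracking entries (not Exchange's real export format):
# time,sender,recipient,subject
SAMPLE_LOG = """\
2011-10-17 13:30,postmaster@mail.wisdom.ltd.uk,bob@forged-sender.example,Delivery report
2011-10-17 13:31,postmaster@mail.wisdom.ltd.uk,carol@random-isp.example,Delivery report
2011-10-17 13:32,postmaster@mail.wisdom.ltd.uk,dave@another.example,Delivery report
2011-10-17 13:38,alice@wisdom.ltd.uk,firstname@companya.co.uk,Quote for October
2011-10-17 13:40,alice@wisdom.ltd.uk,bob@wisdom.ltd.uk,Re: Quote for October
2011-10-17 14:01,postmaster@mail.wisdom.ltd.uk,admin@wisdom.ltd.uk,Delivery report
"""


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def parse_log(text: str) -> List[dict]:
    """Read the four-column CSV into dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text), fieldnames=["time", "sender", "recipient", "subject"]))


def is_ndr(entry: dict) -> bool:
    """A bounce is anything sent as postmaster or carrying a known NDR subject."""
    local_part = entry["sender"].split("@", 1)[0].strip().lower()
    return local_part == "postmaster" or entry["subject"].strip().lower() in NDR_SUBJECTS


def analyse(entries: List[dict], spam_threshold: int = 1000) -> Dict[str, object]:
    """Return per-sender counts, outbound NDRs to external domains (backscatter),
    and senders at or above the volume threshold (possible compromised account/PC)."""
    per_sender = Counter(e["sender"].strip().lower() for e in entries)
    backscatter = [e for e in entries if is_ndr(e) and domain_of(e["recipient"]) not in LOCAL_DOMAINS]
    spammers = {s: n for s, n in per_sender.items() if n >= spam_threshold}
    return {"per_sender": dict(per_sender), "backscatter": backscatter, "spammers": spammers}


if __name__ == "__main__":
    report = analyse(parse_log(SAMPLE_LOG))
    print(f"{len(report['backscatter'])} outbound NDR(s) to external addresses")
    for entry in report["backscatter"]:
        print(" ", entry["time"], "->", entry["recipient"])
```

The threshold of 1,000 follows carlmd's rule of thumb; any non-zero count of NDRs to external domains is worth inspecting, since a legitimate bounce goes back to a real sender while backscatter goes to whoever the spammer forged.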
 
kevin1983 (Author) commented:
OK - I think I've found where this address is set up on our Sonicwall box - see screenshot

I tried changing the address to a valid LDAP address but it is still logging as sending out some email on the Sonicwall box, and it says even though it has marked the email as spam it has still delivered the email. Not too sure how to stop the emails going out unless I blank out the postmaster fields.
 
kevin1983 (Author) commented:
Seems like if I try to remove the address it won't let me save the config - an address of some sort has to be there.
 
Hendrik Wiese commented:
It should be fine if you change it to an internal LDAP address, as your PTR should also respond correctly, which will stop the blacklisting issue.
 
kevin1983 (Author) commented:
OK, interestingly, if I set the address to administrator@wisdom.ltd.uk, which is a valid LDAP address, the Sonicwall box is marking all the emails as likely spam but still delivering them, whereas when the address was postmaster@mail.wisdom.ltd.uk it was not marking the email as likely spam and was delivering them.

I would have thought the postmaster@mail.wisdom.ltd.uk setup would have been marked as spam email, not the other way around.

The host name of the Sonicwall box is mail.wisdom.ltd.uk, so I guess it defaulted the postmaster address from the host name.
 
kevin1983 (Author) commented:
I guess postmaster / NDR addresses are a requirement? There's also an optional Transient NDR setting on the Sonicwall box (see screenshot) but not sure if this helps in any way. [screenshot: MTA config]
 
kevin1983 (Author) commented:
Various emails are being sent out to strange email addresses - concerned this may still cause issues and put us onto a blacklist - see screenshot. [screenshot: outgoingmail]
 
kevin1983 (Author) commented:
But I guess not; as you say, the address is valid / on our LDAP, so it should be OK now.
 
Hendrik Wiese commented:
Yes, because the email domain used to send the NDRs matches the PTR domain. If my logic serves me right.
 
kevin1983 (Author) commented:
Thanks a lot experts for your help getting to the bottom of this; I split the points as I thought that was only fair for this one. Hopefully we won't get added to blacklists now - well, not quite so easily at least.