Our Exchange 2003 Server was on multiple blacklists. How can we prevent this in the future?

We have an Exchange 2003 server that had several users who were sending every message out with a read receipt, delivery receipt and high importance. At least one of the blacklists we requested to be delisted from had these items listed as a potential reason for being added.

I have done my best to verify security on the Exchange 2003 server, but would like to solicit any advice for making sure there are no features or settings active that may be causing problems. One issue that occurred was when we configured an external user to have POP3 access, a flood of SPAM started coming through a few days later. We have since turned that off and the SPAM has stopped, but I would still like to make sure things are safe and if possible be able to use POP3 access as well without compromising security.

Any advice will be greatly appreciated.


Poly11 (Author) Commented:
I would also like to add that even though we have been removed from most of the blacklists, we are still unable to send email to several well known domains. What is the best approach to fix this issue?
Kent Dyer (IT Security Analyst Senior) Commented:
Have you updated your RSOP (Resultant Set of Policies) on your domain?

I think I would start there.


There are various ways to limit the chances of being blacklisted.  One of the easiest is to amend your DNS to include a statement showing where your emails can be sent from using Sender Policy Framework (SPF), e.g.:

@   TXT   v=spf include:outlook.com ~all

The following site provides a wizard to set this up - http://spfwizard.com/

Another way is to ensure there is an rDNS entry on your mail IP - some ISPs will check if this is there before accepting mail.


**error**  v=spf1
Poly11 (Author) Commented:
I have no idea where to start with this: Have you updated your RSOP (Resultant Set of Policies) on your domain? If you have a link to a resource that would be appreciated.

I have also added the TXT record. Is there a resource available that can guide me through the critical areas to check to make sure things are secure?
If you're able to set up an SPF record, that's a good thing.  Unfortunately, not all hosts support them, and because of that I haven't seen any instance where not having one will get you on a blacklist.  You should definitely have a PTR record for the IP you're sending from.  Some recipients will just check for the existence of one, others will check whether the name matches your MX record.

Some companies have their own lists of IPs that they don't accept email from, usually because the IPs are listed as being dynamic or for home users.  Problem is you don't know if you're on the list until you get blocked (and hopefully receive an NDR).  If you're on a static IP, often you can just request that your IP be de-listed, but this has to be done for each company/domain (e.g. AT&T, Comcast, Earthlink).

Check your domain with a tool such as MX Toolbox http://www.mxtoolbox.com/ to see if any issues are noted.

There are almost always better ways to access your Exchange email than POP3, but if not in your case, then your best bet for security is strong passwords, and making sure that you're not allowing unauthenticated relaying via SMTP.  You might also look into using SSL for your POP3 for greater security.
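
An offline linter for the two DNS checks discussed in the answers above (SPF record syntax, and PTR presence and match), added here as an example and not code from any poster. `lint_spf`, `check_ptr`, `PTR_TABLE` and the `192.0.2.10` / `mail.example.com` values are constructed; a real check would query DNS instead of the table.

```python
import re

# Mechanism names from RFC 7208; terms written name=value are modifiers.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}

def lint_spf(txt):
    """Return a list of problems in one SPF TXT string (empty list = clean)."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["missing 'v=spf1' version tag"]  # receivers will not treat it as SPF
    problems, all_at, last_mech, has_redirect = [], None, None, False
    for pos, term in enumerate(terms[1:]):
        m = re.match(r"([+\-~?]?)([A-Za-z][A-Za-z0-9_.-]*)([:=/].*)?$", term)
        if not m:
            problems.append("unparseable term: " + term)
            continue
        qual, name, arg = m.group(1), m.group(2).lower(), m.group(3) or ""
        if arg.startswith("="):  # modifier; unknown ones are ignored by receivers
            has_redirect = has_redirect or name == "redirect"
            continue
        last_mech = pos
        if name not in MECHANISMS:
            problems.append("unknown mechanism: " + term)
        elif name in ("include", "ip4", "ip6", "exists") and not re.match(r":.+", arg):
            problems.append(name + " needs an argument: " + term)
        elif name == "all":
            all_at = pos
            if qual in ("", "+"):
                problems.append("'+all' authorises every sender")
    if all_at is None and not has_redirect:
        problems.append("no 'all' or redirect: unlisted senders get neutral")
    elif all_at is not None and all_at != last_mech:
        problems.append("mechanisms after 'all' are never evaluated")
    return problems

def check_ptr(ip, mail_host, ptr_table):
    """ptr_table maps IP -> PTR name; it stands in for a reverse DNS lookup."""
    name = ptr_table.get(ip)
    if name is None:
        return "no PTR record"
    same = name.rstrip(".").lower() == mail_host.rstrip(".").lower()
    return "ok" if same else "PTR name does not match mail host"

# Constructed sample data (documentation IP range and example.com).
PTR_TABLE = {"192.0.2.10": "mail.example.com."}

if __name__ == "__main__":
    print(lint_spf("v=spf include:outlook.com ~all"))  # record as posted in the thread
    print(check_ptr("192.0.2.10", "mail.example.com", PTR_TABLE))
```
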
Poly11Author Commented:
Thank you, all has been good so far.