Solved

Understanding Blacklists and How Do I Stop Getting Blacklisted on Backscatter

Posted on 2012-03-20
Last Modified: 2012-03-28
According to the test on Backscatter.org, about 3 times a year we get blacklisted on backscatter.org. If we get blacklisted, does that mean certain senders will not be able to send to us? I have only one customer that cannot deliver mail to our system. He claims this is why. I want to make sure I understand this. Also, below are the test results I ran from the Backscatter.org test/remove tool. I really don't understand what it all means or how to fix our problem.... These IP addresses all point to www.timeanddate.com.


This IP IS CURRENTLY LISTED in our Database.
Please note that this listing does NOT mean you are a spammer, it means your mailsystem is either poorly configured or it is using abusive techniques.
This kind of abuse is known as BACKSCATTER (Misdirected Bounces or Misdirected Autoresponders or Sender Callouts). Click the links above to get clue how and why to stop that kind of abuse.


To track down what happened investigate your smtplogs near 20.03.2012 11:44 CET +/-1 minute.

You will either find that your system tried to send misdirected bounces or misdirected autoresponders to claimed but in reality faked senders, or your system tried sender verify callouts against our members near that time.

So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM.

Reading your logs carefully it shouldn't be a big deal to figure out what caused or renewed your listing.


History:01.07.2010 17:18 CEST listed  
31.07.2010 18:25 CEST expired  
12.08.2010 09:04 CEST listed  
09.09.2010 09:25 CEST expired  
25.10.2010 07:52 CEST listed  
22.11.2010 07:25 CET expired  
10.12.2010 18:30 CET listed  
18.08.2011 18:25 CEST expired  
03.10.2011 11:59 CEST listed  
31.10.2011 11:25 CET expired  
06.11.2011 03:30 CET listed  
04.12.2011 04:25 CET expired  
15.12.2011 13:52 CET listed  
12.01.2012 14:25 CET expired  
28.01.2012 22:23 CET listed  

A total of 18 Impacts were detected during this listing. Last was 20.03.2012 11:44 CET +/- 1 minute.
Earliest date this IP can expire is 17.04.2012 12:44 CEST.
 
Question by:Johne75

37 Comments
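The Backscatterer notice above tells you to search your SMTP logs around the impact time for outgoing mail with a null sender or postmaster in MAIL FROM. As an added example (not part of the original question or of the Backscatterer tool), here is a small Python triage over constructed log lines in a simplified one-envelope-per-line format that does exactly that:

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (a simplified format, not real Exchange message
# tracking logs): one SMTP envelope per line, timestamps in CET to match the
# Backscatterer notice.
SAMPLE_LOG = """\
2012-03-20 11:40:02 OUT mail_from=<sales@example.com> rcpt_to=<buyer@example.net>
2012-03-20 11:43:31 OUT mail_from=<> rcpt_to=<forged-sender@spamtrap.example>
2012-03-20 11:43:58 OUT mail_from=<postmaster@example.com> rcpt_to=<someone@victim.example>
2012-03-20 11:44:05 IN mail_from=<spammer@spammer.example> rcpt_to=<nosuchuser@example.com>
2012-03-20 11:44:40 OUT mail_from=<> rcpt_to=<another@spamtrap.example>
2012-03-20 11:52:10 OUT mail_from=<> rcpt_to=<late@elsewhere.example>
"""

# "20.03.2012 11:44 CET +/- 1 minute" from the listing notice.
IMPACT_TIME = datetime(2012, 3, 20, 11, 44)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<dir>IN|OUT) "
    r"mail_from=<(?P<sender>[^>]*)> rcpt_to=<(?P<rcpt>[^>]*)>$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "direction": m["dir"], "sender": m["sender"], "recipient": m["rcpt"]}


def is_bounce_like(sender):
    # A null sender (<>) is the envelope of a bounce/NDR; postmaster@ is what
    # many autoresponders use. Both are what Backscatterer says to look for.
    return sender == "" or sender.lower().startswith("postmaster@")


def find_backscatter_candidates(log_text, impact_time, window=timedelta(minutes=1)):
    """Outgoing bounce-like envelopes within +/- window of the impact time."""
    hits = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None or entry["direction"] != "OUT":
            continue
        if abs(entry["time"] - impact_time) > window:
            continue
        if is_bounce_like(entry["sender"]):
            hits.append(entry)
    return hits


def triage():
    """Run the scan over the constructed log around the listed impact time."""
    return find_backscatter_candidates(SAMPLE_LOG, IMPACT_TIME)


if __name__ == "__main__":
    for h in triage():
        print(h["time"], "MAIL FROM:<%s>" % h["sender"], "->", h["recipient"])
```

Each hit is a bounce or autoresponse your server sent to an address that was probably forged; the recipient column tells you which inbound message to trace next.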
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37742318
Usually blacklisting of your IP means you will not be able to send emails to the domains which use the blacklist on which your domain is blacklisted.
0
 

Author Comment

by:Johne75
ID: 37742365
This is what I thought too...anyone else have comments to support this, or the circumstances where this is not true? Also, I could use assistance in understanding the results shown above and help correcting it. The only thing I can think of causing this is our users who use out-of-office replies to everyone, not just internal users, but I don't know how to properly troubleshoot.
0
 
LVL 12

Expert Comment

by:ryan80
ID: 37742385
As said above, blacklists usually mean you are not able to send email out to other users.

I would check on your machines to make sure that you don't have a virus sending out spam. If you have a firewall, only allow the mail server to send out on port 25, and block all other machines. Once you find the source of the problem, you can go to each of the blacklist sites that you are on and petition them to remove you. They usually have a form to fill out.

However, don't do this until you have cleared up the issue, because it will take longer to get off the blacklist each time you are re-listed, depending on the blacklist.
0
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37742398
The explanation for being blacklisted, as given by Backscatterer, is right. There is also a technique used by spammers to increase network traffic, which is considered an attack.

http://en.wikipedia.org/wiki/Backscatter_(email)
0
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37742518
To avoid being blacklisted further, use an anti-virus in your network/domain and good anti-spam software on all your internet-facing email servers. Also block open relay on your Exchange system.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 37742834
The reason for being on the Backscatterer blacklist is because your server sends Non-Delivery reports back to email addresses that were forged by spammers and because you hit an address that hasn't been published (they are hidden for spammers to find), you get blacklisted.

If your mail server receives emails directly from the Internet, you simply need to configure Recipient Filtering and that will resolve the Backscatterer listing permanently.

If a 3rd party receives your emails and passes them on to your server, your 3rd party needs to perform Recipient Filtering.

Anti-Spam software (which usually performs Recipient Filtering) will also solve the problem if you receive mail directly to your server, but not if you use a 3rd party first.

It is the lack of Recipient Filtering that is the ONLY reason for being listed on Backscatterer.
0
 

Author Comment

by:Johne75
ID: 37742954
OK, here are some further notes.
We have Symantec AV with VIPRE Spam Filtering. Top of the line. Port 25 is only used by our Exchange server. Ran a full scan, no viruses except one harmless tracking cookie detected. Open relay, I read, is off by default in 2007, but we do have an internal IP for a copy machine and also have our IP for our online store listed for receive connectors. Our old online store IP is still in there, which I need to delete. I still see a lot of info in my research on autoresponders, and there are a few individuals that like to use the OOF. Should I restrict it to internal users only? Also, I read that recipient filtering is for the Edge Transport. We do not have the ET; we use Vipre. Do I need to consult Vipre about Recipient Filtering?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37742967
Sounds like Vipre isn't Recipient Filtering so - yes, please check its settings.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37742998
You can also Recipient Filter on a Hub Transport server but you need to install the Anti-Spam tools which are not installed by default.

As you have Vipre it isn't needed.
0
 

Author Comment

by:Johne75
ID: 37757324
I have contacted Vipre; we checked and the settings are where they need to be. They pointed the finger at Exchange and directed me to turn off NDR in Unified Messaging. Problem is, we don't use Unified Messaging. They could not help me any further. I did see an NDR option in Hub Transport. Should I turn that off?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37757342
It isn't a problem with sending NDRs.  The problem is that you are sending NDRs back to spammers, and if you are recipient filtering properly, then your server would not be responsible for sending back an NDR email to a spammer using a forged address and you would not be blacklisted.

If something accepts the message before Exchange receives the message, then Exchange (on your server) will be responsible for sending back an NDR message.  If your Anti-Spam software Recipient Filters correctly, it should reject the message before passing it on to Exchange and then Exchange won't need to send an NDR message back because only genuine emails will be delivered to Exchange.

Do your emails get delivered directly to your server or to a 3rd party first?
0
 

Author Comment

by:Johne75
ID: 37757364
Direct to server
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37757379
I don't think your Vipre software is working properly then.  Can you please drop me an email to alan @ it-eye.co.uk and then I will send some emails to made-up addresses on your server and see what comes back.
0
 

Author Comment

by:Johne75
ID: 37757391
Sure, the email will come from johne@domain.com. I did turn off the NDR on the hub transport. Should I turn it back on first?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37757410
Yes please.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37757448
Your server is not filtering recipients unless you have an email account set up as bollocks@domain.com on your server!

I just tried using telnet and your server responded as Recipient OK, which means it will accept the message and then pass it on to Exchange and then Exchange will send the NDR.

VIPRE is not working properly - guaranteed.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37757456
The only possible alternative to VIPRE not working properly is that you have set up a catch-all account and thus accept mail to anything@domain.com - which I would hope isn't the case.
0
 

Author Comment

by:Johne75
ID: 37757463
OK I will shout back at them and let you know.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37757484
Some ammunition from a telnet test to your server:

220 mail.yourdomain.com Microsoft ESMTP MAIL Service ready at Fri, 23 Mar 2012 11:02:45 -0400
ehlo mail.spammer.com
250-mail.yourdomain.com Hello [My_IP_Address]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING
mail from: alan@mydomain.co.uk
250 2.1.0 Sender OK
rcpt to: anycrapusername@yourdomain.com
250 2.1.5 Recipient OK - This is the proof of no Recipient Filtering!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37757562
If you don't get anywhere with Vipre - I would suggest ripping it out and installing a 30-day trial of Vamsoft ORF which is priced at $239 per server and actually works, and works incredibly well.  We use it and get virtually no spam at all (I have had 36 spam messages since January 2011 using Vamsoft).
0
 

Author Comment

by:Johne75
ID: 37766082
OK, I sent all the info to Vipre; here is the response.

Case Subject: Getting blacklisted on Backscatter.org

John,

With the 'do not send ndr' set, what is the result of the test messages sent to your domain to non-existent users?

Please provide a copy of the NDR returned, if any.

Thanks!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37766182
You don't want to turn off NDRs.  It is an RFC requirement to have NDR messages sent, so disabling them isn't tackling the problem - it is bypassing the problem.

If you disable the NDR messages - there isn't going to be an NDR returned - but that isn't the problem; the problem is Recipient Filtering isn't working and that is what they need to get working.

Do not settle for disabling NDRs as the solution to this problem.

Once they have Recipient Filtering working properly, then the problem will be resolved.  Any other fix is a workaround and I wouldn't be happy with that.

Are you able to backup the Vipre settings and then remove the software, install a trial of Vamsoft ORF and then enable Recipient filtering in ORF?  It will prove that their software is the problem - and you may actually be much happier with ORF.

If not - you can then remove ORF, reinstall VIPRE and put back the configuration to how it was, having proven that ORF does Recipient Filter and VIPRE doesn't.
0
 

Author Comment

by:Johne75
ID: 37766905
I have not uninstalled Vipre and would prefer not to if Vipre can do it with some configuration or changes to settings. I am swamped.

Here is his response to your comments.

I understand with the NDRs turned off in exchange none are sent out but with them turned on they are.  From my understanding, you do not want to leave the NDRs turned off.  

Please note that we do not filter outbound emails for spam, only inbound emails.  We can not prevent an NDR from being sent out by Exchange.

What are your thoughts, and is he saying Recipient Filtering should stop the NDRs going to spammers but Vipre doesn't do that? Can you explain that a little more?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37767038
VIPRE should be checking the recipients on your server and, if valid, it should allow the email through, and if invalid, it should reject immediately.  The problem is that it doesn't care if the recipient is valid or not and is therefore accepting any old crap email address and passing the crap to Exchange, which forces Exchange to issue the NDR.

What it should be doing is rejecting invalid recipients which forces the sender to produce the NDR not you.

That is where you need to get to with VIPRE - until you are there - you haven't solved the problem.
0
 

Author Comment

by:Johne75
ID: 37770792
ohhh brother....I am not sure what to think at this point...here is what he says...

Vipre does not do directory harvesting.  You will need to change your Exchange server's Recipient Filtering settings to stop the NDRs from going out.  I'm not sure who your source is, but he's giving you some bad information on what VIPRE Email Security for Exchange is capable of doing.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37770804
I'm not suggesting that VIPRE can do that - just suggesting that it should be doing it, so if it isn't capable, then IMHO - it isn't worth using.  What is the exact product that you are using for Anti-Spam from VIPRE?  I'll see if I can see anything useful that they are missing / misinterpreting.

It's now your decision.  If you want to continue with VIPRE - your only option seems to be to disable NDRs, which you shouldn't do as it is against RFC requirements.

What I would be doing is ripping out VIPRE and installing something that can handle Recipient Filtering, such as Vamsoft ORF, which we use and it is bloody brilliant!
0
 

Author Comment

by:Johne75
ID: 37770841
Vipre Email Security version 3.1.25811

Also, what about recipient filtering on the hub transport? Would that make sense?

http://technet.microsoft.com/en-us/library/bb201691.aspx
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37770864
Recipient Filtering should be done at the point of entry - as soon as you accept the message and the Recipient isn't valid - you have to send back an NDR.

Vipre will be the point of entry and if it is accepting messages for invalid recipients you get this problem and blacklisted.

Just reading their manual - BRB.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37770874
Not seeing anything to do with Recipient Filtering.  There are Policies and Recipients, so perhaps you have to set up a Policy per user - which seems utter madness.

What do you want to do from here?
0
 

Author Comment

by:Johne75
ID: 37770998
alanhardisty,
I greatly appreciate all of your input, quick responses and explanations! It has certainly been a learning experience. I have put in a few more words to Vipre support and am waiting for a response. The only problem I am having with all of this is that Vipre is a well known product and has been around for years and we have used it for a very long time...even when it was Ninja and owned by Sunbelt. I just took a class with a Microsoft partner on Exchange 2010 two weeks ago to upgrade my skills. The instructor had nothing but great things to say about VIPRE and loves it. My only point here is there are plenty of companies out there using it, so what are they doing for this problem?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37773865
I don't know the software unfortunately, but I do know Exchange and how to deal with Spam effectively.

If you can ask them how their software is supposed to reject emails for recipients that don't exist I would be interested to see what they say.  If it can be done - that is what you need to do.  If it can't be done, then it is a major flaw in their software and I wouldn't use it for a second longer.  It certainly isn't the job of Exchange to do this if there is anti-spam software installed.

I would hope that it can be done and that you are talking to the wrong technical person or asking the wrong question and the tech isn't clued up enough to see what you are trying to achieve.

If Vipre can't work out the difference between a good recipient and an invalid recipient then it is a major flaw in the software.

We use the Vipre Anti-Virus software and it is brilliant, but I have my reservations about your Anti-Spam software because no end of searching on Google yields no results for "Recipient Filtering" with "Vipre Anti Spam" which suggests to me it simply cannot do it and it should.

With respect to the Exchange trainer - they are trained to teach how Exchange works, not necessarily how it is used in the real world.  I have used Exchange for the past 12 years and have been using Anti-Spam software very effectively for the past 6 or so years, most recently using Vamsoft ORF, and my customers and those who have it installed on their servers (most of my customers) have been delighted at its abilities.

I am not trying to push ORF to you - but you are missing an essential tool in your arsenal in the fight against spam and Recipient Filtering is what you seem to be missing.

Your question states that you have had this problem numerous times a year - well none of my customers have been blacklisted on Backscatterer.org because they all utilise recipient filtering.

Here is the response from my server when I try to send a made up email to my server:

220 server.mydomain.local Microsoft ESMTP MAIL Service ready at Tue, 27 Mar 2012 22:02:34 +0100
ehlo mail.customerdomain.co.uk
250-server.mydomain.local Hello [94.195.xxx.xxx]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOW
mail from: user@customerdomain.co.uk
250 2.1.0 Sender OK
rcpt to: madeuprecipient@mydomain.co.uk
550 5.1.1 Bad destination mailbox address (madeuprecipient@mydomain.co.uk).

That's the difference between Recipient Filtering on my server and the lack of it on your server.  Mine won't get me listed on Backscatter.org - yours will get (and has gotten) you blacklisted.

The fact that this has happened before numerous times should tell you that your software is the cause of your problems (based on what you know now).  If you keep using the same software and expect to see different results - you are going to be disappointed.  If you change the software - I can guarantee the problem will be resolved and you won't be breaking RFC guidelines to achieve it (as Vipre have suggested you do).
0
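The two telnet transcripts in this thread differ only at RCPT TO: 250 on the server without recipient filtering, 550 on the one with it. As an added example (not code from Exchange, VIPRE or ORF), this constructed Python model of the SMTP envelope phase shows why that one difference decides whether an NDR to a forged sender, i.e. backscatter, is generated at all; the mailbox set stands in for the Active Directory lookup and the addresses are made up:

```python
# Constructed model of the SMTP envelope phase; a set of addresses stands in
# for the Active Directory lookup that real recipient filtering performs.
VALID_MAILBOXES = {"johne@example.com", "sales@example.com"}


class EnvelopeSession:
    """One inbound SMTP session, up to and including RCPT TO."""

    def __init__(self, directory, recipient_filtering):
        self.directory = {a.lower() for a in directory}
        self.recipient_filtering = recipient_filtering
        self.sender = None      # envelope MAIL FROM (may be forged by a spammer)
        self.accepted = []      # recipients answered with 250

    def mail_from(self, address):
        self.sender = address
        return "250 2.1.0 Sender OK"

    def rcpt_to(self, address):
        if self.sender is None:
            return "503 5.5.1 Need MAIL FROM command first"
        # Recipient filtering: reject unknown mailboxes at the point of entry,
        # so the sending side, not this server, has to produce any bounce.
        if self.recipient_filtering and address.lower() not in self.directory:
            return "550 5.1.1 Bad destination mailbox address (%s)." % address
        self.accepted.append(address)
        return "250 2.1.5 Recipient OK"

    def ndrs_generated(self):
        # After DATA, every accepted recipient that has no mailbox forces this
        # server to send an NDR to the envelope sender. When that sender was
        # forged, the NDR lands on an innocent third party: backscatter.
        return [(self.sender, r) for r in self.accepted
                if r.lower() not in self.directory]


def run_probe(recipient_filtering):
    """Replay the thread's test: one valid and one made-up recipient."""
    session = EnvelopeSession(VALID_MAILBOXES, recipient_filtering)
    session.mail_from("victim@forged.example")  # constructed forged sender
    valid = session.rcpt_to("johne@example.com")
    bogus = session.rcpt_to("madeuprecipient@example.com")
    return valid, bogus, session.ndrs_generated()


if __name__ == "__main__":
    for filtering in (False, True):
        valid, bogus, ndrs = run_probe(filtering)
        print("recipient filtering:", filtering)
        print("  valid recipient ->", valid)
        print("  bogus recipient ->", bogus)
        print("  NDRs this server must send:", ndrs)
```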
 
LVL 7

Expert Comment

by:abdulalikhan
ID: 37773913
Well explained alanhardisty
0
 

Author Comment

by:Johne75
ID: 37777329
OK, thanks again! I have talked with sales and tech support at GFI (which acquired Sunbelt, the maker of Vipre). Vipre does not have this capability. GFI, since acquiring Sunbelt, has made no changes to Vipre and has no plans to. Vipre will be going away, they say. The solution is GFI's Email Essentials. http://www.gfi.com/anti-spam-software-exchange This has Directory Harvesting: http://support.gfi.com/manuals/en/me11/me11manual-1-19.html We are due to renew this July and they will allow me to install this now and roll it into the maintenance schedule we had with Vipre that renews in July. This looks like it is exactly what I need. Do you agree?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37777394
They call it Directory Harvesting!  But reading about it, it should do the job happily:

Extract from - http://kbase.gfi.com/showarticle.asp?id=KBID002019

"NOTE: Starting from GFI MailEssentials 10.1, you can configure the Directory Harvesting feature which will check the recipients' email address with your Active Directory to determine if the email is destined to an existent recipient. If the recipient email address is not found in Active Directory the email will be blocked."

:) - Finally you will be off Backscatterer.org permanently.
0
 

Author Comment

by:Johne75
ID: 37777887
hahaha yep Directory Harvesting! Thanks for all of your help! Now to find the best solution for points in all of this correspondence between us!
0
 

Author Closing Comment

by:Johne75
ID: 37777912
If you use Vipre (which I do), Vipre does NOT have recipient filtering. GFI acquired Sunbelt and has no intentions of changing Vipre, and it will soon reach its end of life (they didn't say when). The proper solution would be GFI's product called Email Essentials. This has recipient filtering, which they call directory harvesting!

PS thanks again alanhardisty!
0
