
Understanding blacklists, and how do I stop getting blacklisted on Backscatter?

According to the test on Backscatter.org, about 3 times a year we get blacklisted on backscatter.org. If we get blacklisted, does that mean certain senders will not be able to send to us? I have only one customer that cannot deliver mail to our system. He claims this is why. I want to make sure I understand this. Also, below are the test results I ran from the Backscatter.org test/remove tool. I really don't understand what it all means or how to fix our problem. These IP addresses all point to www.timeanddate.com.


This IP IS CURRENTLY LISTED in our Database.
Please note that this listing does NOT mean you are a spammer; it means your mail system is either poorly configured or it is using abusive techniques.
This kind of abuse is known as BACKSCATTER (Misdirected Bounces or Misdirected Autoresponders or Sender Callouts). Click the links above to get a clue how and why to stop that kind of abuse.

To track down what happened, investigate your SMTP logs near 20.03.2012 11:44 CET +/- 1 minute.

You will either find that your system tried to send misdirected bounces or misdirected autoresponders to claimed but in reality faked senders, or your system tried sender verify callouts against our members near that time.

So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM.

Reading your logs carefully, it shouldn't be a big deal to figure out what caused or renewed your listing.


History:
01.07.2010 17:18 CEST listed
31.07.2010 18:25 CEST expired  
12.08.2010 09:04 CEST listed  
09.09.2010 09:25 CEST expired  
25.10.2010 07:52 CEST listed  
22.11.2010 07:25 CET expired  
10.12.2010 18:30 CET listed  
18.08.2011 18:25 CEST expired  
03.10.2011 11:59 CEST listed  
31.10.2011 11:25 CET expired  
06.11.2011 03:30 CET listed  
04.12.2011 04:25 CET expired  
15.12.2011 13:52 CET listed  
12.01.2012 14:25 CET expired  
28.01.2012 22:23 CET listed  

A total of 18 Impacts were detected during this listing. Last was 20.03.2012 11:44 CET +/- 1 minute.
Earliest date this IP can expire is 17.04.2012 12:44 CEST.
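The listing text above tells the operator to open the server's SMTP logs and look, within a minute of the impact time, for outgoing sessions whose MAIL FROM is the null sender or postmaster. The script below is an added example, not part of the original thread, that does that correlation over a constructed sample laid out like an Exchange 2007 send-connector protocol log (CSV columns date-time, connector-id, session-id, sequence-number, local-endpoint, remote-endpoint, event, data, context, where ">" marks data our server sent). The sample sessions, hosts and addresses are invented for illustration. Protocol logs are stamped in UTC while Backscatterer quotes CET/CEST, so the script converts the impact time before comparing.

```python
"""Correlate a Backscatterer impact time with outbound SMTP protocol logs.

Added example, not from the thread. The log layout mimics an Exchange 2007
send-connector protocol log (CSV; '>' = data our server sent); the sample
sessions, hosts and addresses below are constructed for illustration.
"""
import csv
import re
from datetime import datetime, timedelta, timezone

# Backscatterer quotes impact times in CET/CEST; protocol logs are in UTC.
LISTING_TZ = {
    "CET": timezone(timedelta(hours=1)),
    "CEST": timezone(timedelta(hours=2)),
}

# Constructed sample log. Sessions 08CE0001 and 08CE0003 are bounces
# (MAIL FROM:<> and postmaster@) sent near the impact time; 08CE0002 is
# normal user mail; 08CE0009 is a bounce outside the +/-1 minute window.
SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2012-03-20T10:43:50.101Z,Internet Send,08CE0001,0,10.0.0.5:49211,203.0.113.10:25,+,,
2012-03-20T10:43:50.300Z,Internet Send,08CE0001,1,10.0.0.5:49211,203.0.113.10:25,>,EHLO mail.yourdomain.com,
2012-03-20T10:43:51.010Z,Internet Send,08CE0001,2,10.0.0.5:49211,203.0.113.10:25,>,MAIL FROM:<> SIZE=3140,
2012-03-20T10:43:51.200Z,Internet Send,08CE0001,3,10.0.0.5:49211,203.0.113.10:25,>,RCPT TO:<trap-address@example.org>,
2012-03-20T10:43:51.400Z,Internet Send,08CE0001,4,10.0.0.5:49211,203.0.113.10:25,<,250 2.1.5 Recipient OK,
2012-03-20T10:44:30.000Z,Internet Send,08CE0002,2,10.0.0.5:49212,198.51.100.7:25,>,MAIL FROM:<john@yourdomain.com> SIZE=12000,
2012-03-20T10:44:31.000Z,Internet Send,08CE0002,3,10.0.0.5:49212,198.51.100.7:25,>,RCPT TO:<customer@example.com>,
2012-03-20T10:44:40.000Z,Internet Send,08CE0003,2,10.0.0.5:49213,192.0.2.44:25,>,MAIL FROM:<postmaster@yourdomain.com> SIZE=2200,
2012-03-20T10:44:41.000Z,Internet Send,08CE0003,3,10.0.0.5:49213,192.0.2.44:25,>,RCPT TO:<forged-sender@example.net>,
2012-03-20T11:20:00.000Z,Internet Send,08CE0009,2,10.0.0.5:49230,192.0.2.44:25,>,MAIL FROM:<> SIZE=900,
"""


def parse_listing_time(text):
    """'20.03.2012 11:44 CET' -> aware UTC datetime."""
    stamp, tzname = text.rsplit(" ", 1)
    local = datetime.strptime(stamp, "%d.%m.%Y %H:%M").replace(tzinfo=LISTING_TZ[tzname])
    return local.astimezone(timezone.utc)


def parse_log_time(text):
    """'2012-03-20T10:43:51.010Z' -> aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_protocol_log(text):
    """Yield one dict per data row, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, next(csv.reader([line]))))


def outbound_sessions(rows):
    """Group the commands our server sent ('>' events) by SMTP session."""
    sessions = {}
    for row in rows:
        if row["event"] != ">":
            continue
        sess = sessions.setdefault(row["session-id"], {
            "first_seen": parse_log_time(row["date-time"]),
            "remote": row["remote-endpoint"], "mail_from": None, "rcpt_to": []})
        m = re.match(r"MAIL FROM:<([^>]*)>", row["data"], re.I)
        if m:
            sess["mail_from"] = m.group(1).lower()
        m = re.match(r"RCPT TO:<([^>]*)>", row["data"], re.I)
        if m:
            sess["rcpt_to"].append(m.group(1).lower())
    return sessions


def is_bounce_sender(mail_from):
    """Null sender (<>) or postmaster@ is what bounces and autoresponders use."""
    return mail_from is not None and (mail_from == "" or mail_from.startswith("postmaster@"))


def find_backscatter(log_text, listed_at, window_minutes=1):
    """Return outbound bounce sessions within +/-window of the impact time."""
    centre = parse_listing_time(listed_at)
    lo, hi = centre - timedelta(minutes=window_minutes), centre + timedelta(minutes=window_minutes)
    hits = []
    for sid, s in outbound_sessions(parse_protocol_log(log_text)).items():
        if is_bounce_sender(s["mail_from"]) and lo <= s["first_seen"] <= hi:
            hits.append({"session": sid, "time_utc": s["first_seen"].isoformat(),
                         "remote": s["remote"], "mail_from": s["mail_from"] or "<>",
                         "rcpt_to": s["rcpt_to"]})
    return sorted(hits, key=lambda h: h["time_utc"])


if __name__ == "__main__":
    for hit in find_backscatter(SAMPLE_LOG, "20.03.2012 11:44 CET"):
        print(hit)
```

Each hit gives the remote MX and the recipient the bounce was addressed to; that recipient is the forged sender of the original spam, and the remote MX is the party that reported the impact. Run against a real log directory, the same logic would be pointed at the day's send-connector protocol log files instead of `SAMPLE_LOG`.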
 
Asked by: Johne75
abdulalikhanCommented:
Usually, blacklisting of your IP means you will not be able to send emails to the domains that use the blacklist in which your domain is blacklisted.
 
Johne75Author Commented:
This is what I thought too. Anyone else have comments to support this, or the circumstance where this is not true? Also, I could use assistance in understanding the results shown above and help correcting it. The only thing I can think of causing this is our users who use out-of-office replies to everyone, not just internal users, but I don't know how to properly troubleshoot.
 
ryan80Commented:
As said above, blacklists usually result in not being able to send email out to other users.

I would check your machines to make sure that you don't have a virus sending out spam. If you have a firewall, only allow the mail server to send out on port 25 and block all other machines. Once you find the source of the problem, you can go to each of the blacklist sites that you are on and petition them to remove you. They usually have a form to fill out.

However, don't do this until you have cleared up the issue, because it will take longer to get off the blacklist each time you are re-listed, depending on the blacklist.
 
abdulalikhanCommented:
The explanation for being blacklisted, as given by Backscatterer, is right. There is also a technique used by spammers to increase network traffic, and it is considered an attack.

http://en.wikipedia.org/wiki/Backscatter_(email)
 
abdulalikhanCommented:
To avoid being blacklisted further, use an anti-virus in your network/domain and good anti-spam software on all your internet-facing email servers. Also block open relay on your Exchange system.
 
Alan HardistyCommented:
The reason for being on the Backscatterer blacklist is because your server sends Non-Delivery reports back to email addresses that were forged by spammers and because you hit an address that hasn't been published (they are hidden for spammers to find), you get blacklisted.

If your mail server receives emails directly from the Internet, you simply need to configure Recipient Filtering and that will resolve the Backscatterer listing permanently.

If a 3rd party receives your emails and passes them on to your server, your 3rd party needs to perform Recipient Filtering.

Anti-Spam software (which usually performs Recipient Filtering) will also solve the problem if you receive mail directly to your server, but not if you use a 3rd party first.

It is the lack of Recipient Filtering that is the ONLY reason for being listed on Backscatterer.
 
Johne75Author Commented:
OK here are some further notes.
We have Symantec AV with VIPRE spam filtering; top of the line. Port 25 is only used by our Exchange server. Ran a full scan: no viruses, except one harmless tracking cookie detected. Open relay, I read, is off by default in 2007, but we do have an internal IP for a copy machine and also have our IP for our online store listed for receive connectors. Our old online store IP is still in there, which I need to delete. I still see a lot of info in my research on autoresponders, and there are a few individuals that like to use the OOF. Should I restrict it to internal users only? Also, I read that recipient filtering is for the Edge Transport. We do not have the ET; we use VIPRE. Do I need to consult VIPRE about Recipient Filtering?
 
Alan HardistyCommented:
Sounds like VIPRE isn't recipient filtering, so yes, please check its settings.
 
Alan HardistyCommented:
You can also recipient filter on a Hub Transport server, but you need to install the anti-spam tools, which are not installed by default.

As you have VIPRE, it isn't needed.
 
Johne75Author Commented:
I have contacted VIPRE; we checked, and settings are where they need to be. They pointed the finger at Exchange and directed me to turn off NDRs in Unified Messaging. Problem is, we don't use Unified Messaging. They could not help me any further. I did see an NDR option in Hub Transport. Should I turn that off?
 
Alan HardistyCommented:
It isn't a problem with sending NDRs. The problem is that you are sending NDRs back to spammers, and if you are recipient filtering properly, then your server would not be responsible for sending back an NDR email to a spammer using a forged address, and you would not be blacklisted.

If something accepts the message before Exchange receives the message, then Exchange (on your server) will be responsible for sending back an NDR message. If your anti-spam software recipient filters correctly, it should reject the message before passing it on to Exchange, and then Exchange won't need to send an NDR message back, because only genuine emails will be delivered to Exchange.

Do your emails get delivered directly to your server or to a 3rd party first?
 
Johne75Author Commented:
Direct to server.
 
Alan HardistyCommented:
I don't think your Vipre software is working properly then.  Can you please drop me an email to alan @ it-eye.co.uk and then I will send some emails to made-up addresses on your server and see what comes back.
 
Johne75Author Commented:
Sure, the email will come from johne@domain.com. I did turn off the NDR on the Hub Transport. Should I turn it back on first?
 
Alan HardistyCommented:
Yes please.
 
Alan HardistyCommented:
Your server is not filtering recipients unless you have an email account setup as bollocks@domain.com on your server!

I just tried using telnet and your server responded as Recipient OK, which means it will accept the message and then pass it on to Exchange and then Exchange will send the NDR.

VIPRE is not working properly - guaranteed.
 
Alan HardistyCommented:
The only possible alternative to VIPRE not working properly is that you have setup a catch-all account and thus accept mail to anything@domain.com - which I would hope isn't the case.
 
Johne75Author Commented:
OK I will shout back at them and let you know.
 
Alan HardistyCommented:
Some ammunition from a telnet test to your server:

220 mail.yourdomain.com Microsoft ESMTP MAIL Service ready at Fri, 23 Mar 2012 11:02:45 -0400
ehlo mail.spammer.com
250-mail.yourdomain.com Hello [My_IP_Address]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING
mail from: alan@mydomain.co.uk
250 2.1.0 Sender OK
rcpt to: anycrapusername@yourdomain.com
250 2.1.5 Recipient OK - This is the proof of no Recipient Filtering!
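Alan's telnet test above, and his earlier point that a server answering "250 Recipient OK" for a mailbox that does not exist will end up generating the NDR itself, can be turned into a repeatable check. The script below is an added example, not code from the thread or from any of the products discussed: it sends MAIL FROM and RCPT TO for a random, certainly non-existent mailbox at the target domain, records the reply, and resets the session without ever sending a message. A 250 means the edge accepts unknown recipients (the backscatter case), a 5xx means the recipient is rejected in-session so the sending side owns the bounce, and a 4xx (greylisting or a tempfail) is inconclusive. The target host, domain, sender address and HELO name are placeholders, and the small fake SMTP responder is included only so both behaviours can be exercised offline; against a real server you would point `probe_recipient_filtering` at its MX on port 25.

```python
"""Probe whether a mail server rejects unknown recipients at RCPT TO.

Added example, not from the thread. Target host/port/domain, the sender
and the HELO name are placeholders; the fake responder exists only so the
probe can be exercised offline against both behaviours.
"""
import secrets
import smtplib
import socketserver
import threading


def classify_rcpt_reply(code):
    """What the RCPT TO reply code means for backscatter."""
    if 200 <= code < 300:
        return "accepted"   # unknown user accepted: this server will emit the NDR
    if 500 <= code < 600:
        return "rejected"   # refused in-session: the sending side owns the bounce
    return "deferred"       # 4xx (greylisting/tempfail): inconclusive, retry later


def probe_recipient_filtering(host, port, domain, sender="probe@example.net",
                              helo="probe.example.net", timeout=10):
    """MAIL FROM / RCPT TO for a random, non-existent mailbox at `domain`,
    record the reply, then RSET. No message body is ever sent."""
    rcpt = f"{secrets.token_hex(8)}@{domain}"
    conn = smtplib.SMTP(host, port, local_hostname=helo, timeout=timeout)
    try:
        conn.ehlo(helo)
        code, reply = conn.mail(sender)
        if code != 250:
            raise RuntimeError(f"MAIL FROM refused: {code} {reply!r}")
        code, reply = conn.rcpt(rcpt)
        conn.rset()
    finally:
        try:
            conn.quit()
        except smtplib.SMTPException:
            pass
    return {"rcpt": rcpt, "code": code, "reply": reply.decode(errors="replace"),
            "verdict": classify_rcpt_reply(code)}


class _FakeSMTP(socketserver.StreamRequestHandler):
    """Minimal responder. valid_users=None models a server with no recipient
    filtering (accepts any RCPT TO); a set models one that checks the directory."""

    def handle(self):
        valid = self.server.valid_users
        self.wfile.write(b"220 fake.example ESMTP\r\n")
        for raw in self.rfile:
            line = raw.decode(errors="replace").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.wfile.write(b"250-fake.example Hello\r\n250 PIPELINING\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 2.1.0 Sender OK\r\n")
            elif verb == "RCPT":
                addr = line.split(":", 1)[1].strip().strip("<>").lower()
                if valid is None or addr in valid:
                    self.wfile.write(b"250 2.1.5 Recipient OK\r\n")
                else:
                    self.wfile.write(b"550 5.1.1 User unknown\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                break
            else:  # RSET, NOOP
                self.wfile.write(b"250 2.0.0 OK\r\n")


def start_fake_server(valid_users):
    """Start the responder on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeSMTP)
    srv.daemon_threads = True
    srv.valid_users = valid_users
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def run_offline_demo(domain="yourdomain.com"):
    """Probe the fake responder in both configurations; returns both results."""
    results = {}
    for name, users in (("no_filtering", None), ("filtering", {"john@" + domain})):
        srv, port = start_fake_server(users)
        try:
            results[name] = probe_recipient_filtering("127.0.0.1", port, domain)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    import sys
    # usage: python probe.py mail.yourdomain.com yourdomain.com
    print(probe_recipient_filtering(sys.argv[1], 25, sys.argv[2]))
```

A random local part is used so the result cannot be confused with a real mailbox or a catch-all alias that happens to exist, and the session is reset rather than completed so the probe itself never creates a bounce. If the server defers (4xx), rerun after the greylisting interval before drawing a conclusion.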
 
Alan HardistyCommented:
If you don't get anywhere with Vipre - I would suggest ripping it out and installing a 30-day trial of Vamsoft ORF which is priced at $239 per server and actually works, and works incredibly well.  We use it and get virtually no spam at all (I have had 36 spam messages since January 2011 using Vamsoft).
 
Johne75Author Commented:
OK I sent all the info to Vipre here is the response.

Case Subject: Getting blacklisted on Backscatter.org

John,

With the 'do not send ndr' set, what is the result of the test messages sent to your domain to non-existent users?

Please provide a copy of the NDR returned, if any.

Thanks!
 
Alan HardistyCommented:
You don't want to turn off NDRs. It is an RFC requirement to have NDR messages sent, so disabling them isn't tackling the problem, it is bypassing the problem.

If you disable the NDR messages, there isn't going to be an NDR returned, but that isn't the problem; the problem is Recipient Filtering isn't working, and that is what they need to get working.

Do not settle for disabling NDRs as the solution to this problem.

Once they have Recipient Filtering working properly, then the problem will be resolved.  Any other fix is a workaround and I wouldn't be happy with that.

Are you able to backup the Vipre settings and then remove the software, install a trial of Vamsoft ORF and then enable Recipient filtering in ORF?  It will prove that their software is the problem - and you may actually be much happier with ORF.

If not - you can then remove ORF, reinstall VIPRE and put back the configuration to how it was, having proven that ORF does Recipient Filter and VIPRE doesn't.
 
Johne75Author Commented:
I have not uninstalled Vipre and would prefer not to if Vipre can do it with some configuration or changes to settings. I am swamped.

Here is his response to your comments.

I understand that with the NDRs turned off in Exchange none are sent out, but with them turned on they are. From my understanding, you do not want to leave the NDRs turned off.

Please note that we do not filter outbound emails for spam, only inbound emails. We cannot prevent an NDR from being sent out by Exchange.

What are your thoughts, and is he saying recipient filtering should stop the NDRs going to spammers but VIPRE doesn't do that? Can you explain that a little more?
 
Alan HardistyCommented:
VIPRE should be checking the recipients on your server, and if valid it should allow the email through, and if invalid, it should reject immediately. The problem is that it doesn't care if the recipient is valid or not and is therefore accepting any old crap email address and passing the crap to Exchange, which forces Exchange to issue the NDR.

What it should be doing is rejecting invalid recipients which forces the sender to produce the NDR not you.

That is where you need to get to with VIPRE - until you are there - you haven't solved the problem.
 
Johne75Author Commented:
Ohhh brother... I am not sure what to think at this point. Here is what he says:

VIPRE does not do directory harvesting. You will need to change your Exchange server's Recipient Filtering settings to stop the NDRs from going out. I'm not sure who your source is, but he's giving you some bad information on what VIPRE Email Security for Exchange is capable of doing.
 
Alan HardistyCommented:
I'm not suggesting that VIPRE can do that - just suggesting that it should be doing it, so if it isn't capable, then IMHO it isn't worth using. What is the exact product that you are using for anti-spam from VIPRE? I'll see if I can see anything useful that they are missing / misinterpreting.

It's now your decision. If you want to continue with VIPRE, your only option seems to be to disable NDRs, which you shouldn't do as it is against RFC requirements.

What I would be doing is ripping out VIPRE and installing something that can handle Recipient Filtering, such as Vamsoft ORF, which we use and it is bloody brilliant!
 
Johne75Author Commented:
Vipre Email Security version 3.1.25811

Also, what about recipient filtering on the hub transport? Would that make sense?

http://technet.microsoft.com/en-us/library/bb201691.aspx
 
Alan HardistyCommented:
Recipient Filtering should be done at the point of entry - as soon as you accept the message and the Recipient isn't valid - you have to send back an NDR.

Vipre will be the point of entry and if it is accepting messages for invalid recipients you get this problem and blacklisted.

Just reading their manual - BRB.
 
Alan HardistyCommented:
Not seeing anything to do with Recipient Filtering.  There is Policies and Recipients, so perhaps you have to setup a Policy per user - which seems utter madness.

What do you want to do from here?
 
Johne75Author Commented:
alanhardisty,
I greatly appreciate all of your input, quick responses and explanations! It has certainly been a learning experience. I have put in a few more words to VIPRE support and am waiting for a response. The only problem I am having with all of this is that VIPRE is a well-known product and has been around for years, and we have used it for a very long time, even when it was Ninja and owned by Sunbelt. I just took a class with a Microsoft partner on Exchange 2010 two weeks ago to upgrade my skills. The instructor had nothing but great things to say about VIPRE and loves it. My only point here is there are plenty of companies out there using it, so what are they doing for this problem?
 
Alan HardistyCommented:
I don't know the software unfortunately, but I do know Exchange and how to deal with Spam effectively.

If you can ask them how their software is supposed to reject emails for recipients that don't exist, I would be interested to see what they say. If it can be done, that is what you need to do. If it can't be done, then it is a major flaw in their software and I wouldn't use it for a second longer. It certainly isn't the job of Exchange to do this if there is anti-spam software installed.

I would hope that it can be done and that you are talking to the wrong technical person or asking the wrong question and the tech isn't clued up enough to see what you are trying to achieve.

If Vipre can't work out the difference between a good recipient and an invalid recipient then it is a major flaw in the software.

We use the Vipre Anti-Virus software and it is brilliant, but I have my reservations about your Anti-Spam software because no end of searching on Google yields no results for "Recipient Filtering" with "Vipre Anti Spam" which suggests to me it simply cannot do it and it should.

With respect to the Exchange trainer: they are trained to teach how Exchange works, not necessarily how it is used in the real world. I have used Exchange for the past 12 years and have been using anti-spam software very effectively for the past 6 or so years, most recently using Vamsoft ORF, and my customers and those who have it installed on their servers (most of my customers) have been delighted at its abilities.

I am not trying to push ORF to you - but you are missing an essential tool in your arsenal in the fight against spam and Recipient Filtering is what you seem to be missing.

Your question states that you have had this problem numerous times a year - well none of my customers have been blacklisted on Backscatterer.org because they all utilise recipient filtering.

Here is the response from my server when I try to send a made up email to my server:

220 server.mydomain.local Microsoft ESMTP MAIL Service ready at Tue, 27 Mar 2012 22:02:34 +0100
ehlo mail.customerdomain.co.uk
250-server.mydomain.local Hello [94.195.xxx.xxx]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250-XRDST
250 XSHADOW
mail from: user@customerdomain.co.uk
250 2.1.0 Sender OK
rcpt to: madeuprecipient@mydomain.co.uk
550 5.1.1 Bad destination mailbox address (madeuprecipient@mydomain.co.uk).

That's the difference between Recipient Filtering on my server and the lack of it on your server.  Mine won't get me listed on Backscatter.org - yours will (and has) gotten you blacklisted.

The fact that this has happened before numerous times should tell you that your software is the cause of your problems (based on what you know now). If you keep using the same software and expect to see different results, you are going to be disappointed. If you change the software, I can guarantee the problem will be resolved and you won't be breaking RFC guidelines to achieve it (as VIPRE have suggested you do).
 
abdulalikhanCommented:
Well explained, alanhardisty.
 
Johne75Author Commented:
OK, thanks again! I have talked with sales and tech support at GFI (which acquired Sunbelt, maker of VIPRE). VIPRE does not have this capability. GFI, since acquiring Sunbelt, has made no changes to VIPRE and has no plans to. VIPRE will be going away, they say. The solution is GFI's Email Essentials: http://www.gfi.com/anti-spam-software-exchange This has Directory Harvesting: http://support.gfi.com/manuals/en/me11/me11manual-1-19.html We are due to renew this July, and they will allow me to install this now and roll it into the maintenance schedule we had with VIPRE that renews in July. This looks like it is exactly what I need. Do you agree?
 
Alan HardistyCommented:
They call it Directory Harvesting!  But reading about it, it should do the job happily:

Extract from - http://kbase.gfi.com/showarticle.asp?id=KBID002019

"NOTE: Starting from GFI MailEssentials 10.1, you can configure the Directory Harvesting feature which will check the recipients' email address with your Active Directory to determine if the email is destined to an existent recipient. If the recipient email address is not found in Active Directory the email will be blocked."

:) - Finally you will be off Backscatterer.org permanently.
 
Johne75Author Commented:
Hahaha, yep, Directory Harvesting! Thanks for all of your help! Now to find the best solution for points in all of this correspondence between us!
 
Johne75Author Commented:
If you use VIPRE (which I do), VIPRE does NOT have recipient filtering. GFI acquired Sunbelt and has no intentions of changing VIPRE, and it will soon reach its end of life (they didn't say when). The proper solution would be GFI's product called Email Essentials. This has recipient filtering, which they call directory harvesting!

PS: thanks again alanhardisty!
