Solved

Getting blacklisted by Spamhaus & Others

Posted on 2012-04-10
909 Views
Last Modified: 2012-08-16
We have repeatedly been blacklisted by Spamhaus.org and other "anti-spam" associations and I'm having a really hard time figuring out why.  The only information we are able to obtain is which of our IP addresses were blacklisted.  I would really like to see the emails that supposedly are coming from our network but I am unable to find out how to get this info.  Since we have multiple ISPs and multiple IP addresses we can easily fix the problem until the blacklist is removed but I would like to know why/how this is happening.

We have done the following:

1. Configured inbound/outbound policies on our firewall to only allow traffic from our Exchange Server and our anti-spam appliance (Barracuda) on port 25.  Every other device is restricted from using port 25.

2. The Barracuda is configured to only allow outgoing mail from our Domain.  I can see a lot of emails that seem to be trying to send out but the Barracuda blocks them.  This seems the most troubling to me because I am not sure how another device (external) would use our Barracuda to try and send email.

3. Obviously have anti-virus/spyware actively running on all our PCs.

Thanks for any advice you can give.
0
Question by:mgcIT
30 Comments
 
LVL 9

Expert Comment

by:Geodash
ID: 37829828
What flavor of Exchange are you using?

First off I would check for NDR attacks - take a look here http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27197611.html

Also, go into Exchange and look at the queues, see if they are backing up or going out?
0
 
LVL 9

Expert Comment

by:Geodash
ID: 37829831
0
 
LVL 18

Expert Comment

by:Don S.
ID: 37829836
Often the blacklisting isn't spam related but rather it's related to not having a valid RDNS entry for your IP address, or to having an address in a range that is not designated as static addresses by your ISP.  Work with your ISP for both of those issues.
0
 
LVL 9

Expert Comment

by:Geodash
ID: 37829837
Alan posts a lot about NDR attacks - check out his article too

http://alanhardisty.wordpress.com/2010/07/12/how-to-close-an-open-relay-in-exchange-2007-2010/
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37829847
Monitoring
0
 
LVL 18

Author Comment

by:mgcIT
ID: 37830029
ok, it looks like we are not an open relay but I did get this warning:

Warning - Reverse DNS does not match SMTP Banner

Can someone give a brief explanation of what this means?

Thanks again.
0
 
LVL 9

Assisted Solution

by:Geodash
Geodash earned 100 total points
ID: 37830044
0
 
LVL 9

Assisted Solution

by:Geodash
Geodash earned 100 total points
ID: 37830050
0
 
LVL 18

Author Comment

by:mgcIT
ID: 37830135
ok looks like I have some reading to do.  I'm not an exchange admin so it will take me some time to grasp all of this.  

In order to close out this question can you please confirm the following:

1. Would the "Reverse DNS..." warning I posted earlier cause our IPs to be blacklisted?
2. MXtoolbox is showing the internal FQDN name of our exchange server when I query mail.mydomain.com.  For example I get this:
220 server.domain.local Microsoft ESMTP MAIL Service ready at Tue, 10 Apr 2012 14:16:10 -0700.  This needs to be fixed as well correct?
3. Lastly is there any way to know for sure why Spamhaus would blacklist us?  Rather than trying to guess what the problem is, are there records available that specifically tell us why?

Thanks.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37830184
Please post your Exchange version before taking this question any further as the version is relevant to the solution and also relevant as to whether you can ignore some of the information you have posted or not.
0
 
LVL 18

Author Comment

by:mgcIT
ID: 37830189
Production server is Exchange 2007, however we also have 2010 running and are prepping for a migration.  Only a few of us in the IT Department are using 2010.

Not sure if it matters, but both instances of Exchange use the same Barracuda appliance for spam filtering.

Thanks.
0
 
LVL 9

Expert Comment

by:Geodash
ID: 37830192
Yes, that is true
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37830213
Okay - thanks.

If you run tests and your Barracuda is what receives emails - then the Reverse DNS and Banner won't necessarily match and it isn't important anyway as this is the receiving part.  What matters is the Reverse DNS Record that is set up on your sending IP Address and if it resolves back to the same IP Address in DNS when doing a lookup.

As for why you are getting blacklisted - at present there isn't enough information to go on to explain why.  Can you please send me a test email to alan @ it-eye.co.uk then we may be able to see why you might be having problems.  I will keep the domain off the site and if you send me an email, please advise that you have sent me one.  If any participating experts want to know the details of the domain / sending IP etc, please drop me an email and I will let you have the info, providing you keep the info to yourselves and don't post the domain name / IP address on EE.

Thanks

Alan
0
 
LVL 18

Author Comment

by:mgcIT
ID: 37830247
Thanks Alan.. I will send you an email shortly.  I will also have a colleague send an email so you can see one from both Exchange server versions.  I'll use "EE Email Test" as the subject line.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37830256
Thank you - Will post once I either receive the email or my Anti-Spam logs tell me that you tried!
0
 
LVL 18

Author Comment

by:mgcIT
ID: 37830263
Emails sent...
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37830269
Okay - temporarily rejected for now - but I have enough info to start some testing :)

BRB
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37830290
Okay - you don't have Reverse DNS configured as yet and your Barracuda's FQDN of barracuda.domain.com can't be used as that resolves to a different IP, so do you have a DNS A record that resolves to your sending IP Address of xxx.xxx.xxx.2?

Your sending IP isn't currently blacklisted on any blacklist sites I can find.
0
 
LVL 18

Author Comment

by:mgcIT
ID: 37830339
No, the IP isn't currently blocked... we submitted a false positive report like we always do and they remove the block within a day or 2.  However, this is a pain because we get many emails bounced back until the blacklist is removed.

The sending IP that you are seeing is probably the gateway address and not the IP of the mail server.  Are you seeing 65.xx.xxx.2?  This also is confusing because the gateway is usually what gets blacklisted.

Again, I'm not the Exchange admin but am needing more explanation than what he is currently giving me, which is why I am posting here.

I don't know what barracuda.domain.com is for but believe it was an alternate A record because we have multiple ISPs for redundancy that all flow through a FatPipe Appliance.  The other A records that I'm aware of (for mail purposes) are:

mail.domain.com (barracuda I believe)
webmail.domain.com (EX 2007)
exchange.domain.com (EX 2010)
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37830347
Yes - I am seeing the 65.xxx.xxx.2 IP Address as the connecting IP.  This is what others will see and will be checking too, so not sure why other IP Addresses are getting blacklisted.

Two test emails received and you should have received my OOF message.

Looking at the email headers.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37830358
Okay - the headers only show 1 external IP address and that is of your Barracuda, which is to be expected.

The path was Achilles.internaldomain.local / Morpheus.internaldomain.local / Barracuda.externaldomain.com / My Server (I have changed the internal domain as no point showing the real domain name!)

So - no reason at all for any IP Address other than your Barracuda to get Blacklisted and if you are behind a Barracuda then I would be surprised if that IP would be getting blacklisted anywhere.
0
 
LVL 18

Author Comment

by:mgcIT
ID: 37830364
>>so not sure why other IP Addresses are getting blacklisted.

No, I meant this IS the IP Address that gets blacklisted.  However it is NOT the IP Address that is tied to an A record.  It is merely a gateway address that the Fatpipe Appliance (load balancer) uses for each of the internet connections that plug into the device.  Maybe this is part of our problem...
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37830375
Okay - so you need to add Reverse DNS to the IP Address because it is currently an ISP Generic DNS record and that WILL get you blacklisted.

So create a new A Record called something like outbound.domain.com and then ask your ISP to set up Reverse DNS as outbound.domain.com on your fixed IP Address and that should make you RFC compliant and you should be free from blacklists unless there are other issues afoot (would be nice to have seen why you got blacklisted).
0
 
LVL 11

Expert Comment

by:Khandakar Ashfaqur Rahman
ID: 37830378
If it is composite blacklisting check out here:
http://cbl.abuseat.org/lookup.cgi?ip=
Enter your IP address and it'll show when it was detected. Not all sites (like Spamcop) will give you evidence of the spam. Then check your server log. Analyze the header if you get any delivery failed message. You'll get the source IP of the message. Also be sure that your server is not an open relay.
0
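Reading the Received: chain of a bounced or test message is how you find the address the outside world actually saw, which is the point of the header analysis suggested above and of Alan's earlier look at the test emails. The following is an added example, not code from the thread: it unfolds a constructed set of headers (hostnames and the 203.0.113.2 gateway address are made up to mirror the internal-host / Barracuda / recipient path described in the thread), lists the relay path oldest hop first, and reports the first non-RFC1918 connecting IP, which is the one a blacklist operator would record.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed message headers (example data added here, not from the thread). The
# hop chain mirrors the path described in the thread: two internal Exchange hosts,
# the Barracuda, then the recipient's MX. Public addresses use documentation ranges.
SAMPLE_HEADERS = (
    "Received: from barracuda.yourdomain.com (barracuda.yourdomain.com [203.0.113.2])\n"
    "\tby mx.recipient.example (Postfix) with ESMTPS id ABC123\n"
    "\tfor <someone@recipient.example>; Tue, 10 Apr 2012 14:16:10 -0700\n"
    "Received: from morpheus.internaldomain.local (10.0.0.20)\n"
    "\tby barracuda.yourdomain.com with ESMTP; Tue, 10 Apr 2012 14:16:09 -0700\n"
    "Received: from achilles.internaldomain.local ([10.0.0.10])\n"
    "\tby morpheus.internaldomain.local with Microsoft SMTP Server id 8.3.213.0;\n"
    "\tTue, 10 Apr 2012 14:16:08 -0700\n"
    "From: user@yourdomain.com\n"
    "Subject: EE Email Test\n"
)

# "from <host> <anything> by <host>": the connecting address sits in <anything>.
HOP_RE = re.compile(r"from\s+(?P<host>\S+)\s*(?P<extra>.*?)\s*\bby\s+(?P<by>\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Own RFC 1918 + loopback list, so documentation addresses still count as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join RFC 5322 folded continuation lines and split into (name, value) pairs."""
    fields: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break                                   # blank line ends the header block
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields

def received_hops(raw: str) -> List[Dict[str, Optional[str]]]:
    """One dict per Received: header, in header order (the receiving side's own hop first)."""
    hops: List[Dict[str, Optional[str]]] = []
    for name, value in unfold_headers(raw):
        if name.lower() != "received":
            continue
        m = HOP_RE.match(value)
        if not m:
            continue
        ip = None
        for cand in IPV4_RE.findall(m.group("extra")):
            try:
                ip = str(ipaddress.ip_address(cand))
                break
            except ValueError:
                continue                            # e.g. an octet above 255
        hops.append({"from": m.group("host").lower(), "ip": ip, "by": m.group("by").lower()})
    return hops

def relay_path(raw: str) -> List[str]:
    """Hosts in the order the message travelled, oldest hop first."""
    hops = received_hops(raw)
    if not hops:
        return []
    return [hops[-1]["from"]] + [h["by"] for h in reversed(hops)]

def external_sender_ip(raw: str) -> Optional[str]:
    """First connecting IP, walking from the recipient's side, that is not an internal
    address: the address a blacklist would record for this message."""
    for hop in received_hops(raw):
        if hop["ip"] and not any(ipaddress.ip_address(hop["ip"]) in n for n in INTERNAL_NETS):
            return hop["ip"]
    return None

if __name__ == "__main__":
    print(" -> ".join(relay_path(SAMPLE_HEADERS)))
    print("externally visible sender:", external_sender_ip(SAMPLE_HEADERS))
```

Run it against the headers of a real bounce (paste the full header block into `SAMPLE_HEADERS`) and the last line tells you which of your addresses, gateway or appliance, the listing operator saw; that is the address whose reverse DNS and reputation need attention.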
 
LVL 18

Author Comment

by:mgcIT
ID: 37830399
Does it matter that the IP tied to outbound.domain.com would be used for all outbound traffic?  Again, this is basically a gateway so there will be more than just email traffic originating from this IP.

Also, since we have multiple ISPs for redundancy I assume we would have to set up outbound1.domain.com, outbound2.domain.com, etc..?  Is that correct?  Or do I create a single A record and point it to multiple IP addresses?
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 400 total points
ID: 37830419
That could get interesting!

I would set up separate A records - one for each ISP IP Address and then set up Reverse DNS on each ISP's IP Address accordingly.

ISP1
DNS A Record: outbound1.yourdomain.com - 123.123.123.123
IP: 123.123.123.123 - Reverse DNS - Outbound1.yourdomain.com

ISP2
DNS A Record: outbound2.yourdomain.com - 234.234.234.234
IP: 234.234.234.234 - Reverse DNS - Outbound2.yourdomain.com

ISP3
DNS A Record: outbound3.yourdomain.com - 231.231.231.231
IP: 231.231.231.231 - Reverse DNS - Outbound3.yourdomain.com

That hopefully makes sense and confirms your thinking.

That way if one ISP connection drops, Reverse DNS will be configured properly and mail should still flow.

You might want to create an SPF record that includes all your ISPs' IP addresses as allowed to send mail on behalf of your server too.
0
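The per-ISP A record plus matching PTR scheme in the accepted answer, the "does the PTR resolve back to the same IP" test Alan described earlier, the banner-versus-reverse-DNS warning from MXToolbox, and the SPF suggestion can all be checked with a few lines of code. The block below is an added example, not code from the thread or from any of the products mentioned: it uses a constructed in-memory DNS table (the outbound1/2/3.yourdomain.com names and 123/234/231.x addresses follow the answer's placeholders; the ISP generic name and the .example domains are made up), so it runs offline. Swapping the two lookup functions for real resolvers turns it into a live check.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed DNS data for this example (not from the thread): the three outbound
# names and addresses follow the placeholders in the accepted answer; the third
# ISP still has the ISP's generic reverse DNS, the situation described earlier in
# the thread. ISP and recipient names use the reserved .example TLD.
FAKE_A: Dict[str, str] = {
    "outbound1.yourdomain.com": "123.123.123.123",
    "outbound2.yourdomain.com": "234.234.234.234",
    "outbound3.yourdomain.com": "231.231.231.231",
    "barracuda.yourdomain.com": "198.51.100.10",   # resolves to a different IP than the gateway
}
FAKE_PTR: Dict[str, str] = {
    "123.123.123.123": "Outbound1.yourdomain.com",              # mixed case, as written in the answer
    "234.234.234.234": "outbound2.yourdomain.com",
    "231.231.231.231": "231-231-231-231.dynamic.isp.example",   # generic ISP name, no matching A
}

Resolver = Callable[[str], str]   # name -> address, or address -> name; "" when missing

def lookup_a(name: str) -> str:
    return FAKE_A.get(name.lower().rstrip("."), "")

def lookup_ptr(ip: str) -> str:
    return FAKE_PTR.get(ip, "")

def fcrdns_check(ip: str, ptr: Resolver = lookup_ptr, a: Resolver = lookup_a) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS: PTR(ip) -> name, and A(name) -> the same ip.
    Pass real resolvers (e.g. wrappers around socket.gethostbyaddr/gethostbyname) for live checks."""
    name = ptr(ip)
    if not name:
        return False, "no PTR record for sending IP"
    forward = a(name)
    if not forward:
        return False, f"PTR name {name} has no A record (ISP generic or unmanaged name)"
    if forward != ip:
        return False, f"PTR name {name} resolves to {forward}, not {ip}"
    return True, f"PTR {name.lower()} confirmed by its A record"

def banner_hostname(banner: str) -> str:
    """Hostname a server announces in its SMTP 220 greeting; the MXToolbox warning
    compares this with the PTR name of the connecting IP."""
    parts = banner.split()
    if len(parts) < 2 or parts[0] != "220":
        return ""
    return parts[1].rstrip(".").lower()

def banner_matches_ptr(ip: str, banner: str, ptr: Resolver = lookup_ptr) -> bool:
    return banner_hostname(banner) == ptr(ip).rstrip(".").lower()

def build_spf(ips: List[str]) -> str:
    """SPF TXT record listing every ISP address as a permitted sender and hard-failing the rest."""
    return "v=spf1 " + " ".join(f"ip4:{ip}" for ip in ips) + " -all"

def spf_result(record: str, sender_ip: str) -> str:
    """Minimal SPF evaluation covering ip4 (with optional /prefix) and all; no include/redirect."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(sender_ip)
    outcome = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qual = "+"
        if term[0] in outcome:
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            return outcome[qual]
        if term.lower().startswith("ip4:") and addr in ipaddress.ip_network(term[4:], strict=False):
            return outcome[qual]
    return "neutral"                  # no mechanism matched and no "all" term present

if __name__ == "__main__":
    outbound = ["123.123.123.123", "234.234.234.234", "231.231.231.231"]
    for ip in outbound:
        print(ip, fcrdns_check(ip))
    print(build_spf(outbound))
```

The third ISP address fails the check for exactly the reason given earlier in the thread: its PTR is the ISP's generic name, which has no A record pointing back, so a receiving server cannot confirm it. Note that `banner_matches_ptr` is the inbound-side test; as Alan points out, it is the outbound IP's forward-confirmed reverse DNS that matters for blacklisting.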
 
LVL 18

Author Comment

by:mgcIT
ID: 37830450
OK, yeah, that makes sense.

and just to be clear.. I wouldn't need to change anything on the Exchange servers or barracuda right?  No additional MX records, etc... ?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37830458
No - nothing needs to change on the Exchange servers or Barracuda.

Your inbound mail arrives at a different IP and isn't related to being blacklisted, so that part is fine.
0
 
LVL 18

Author Comment

by:mgcIT
ID: 37830557
for clarification, is the Reverse DNS setup by the ISP, or the domain host/provider?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 37830562
It is whoever provides you the IP Address, which is usually the ISP.
0
