• Status: Solved

Getting blacklisted by Spamhaus & Others

We have repeatedly been blacklisted by Spamhaus.org and other "anti-spam" associations and I'm having a really hard time figuring out why.  The only information we are able to obtain is which of our IP addresses were blacklisted.  I would really like to see the emails that supposedly are coming from our network, but I am unable to find out how to get this info.  Since we have multiple ISPs and multiple IP addresses we can easily work around the problem until the blacklist entry is removed, but I would like to know why/how this is happening.

We have done the following:

1. Configured inbound/outbound policies on our firewall to only allow traffic from our Exchange Server and our anti-spam appliance (Barracuda) on port 25.  Every other device is restricted from using port 25.

2. The Barracuda is configured to only allow outgoing mail from our domain.  I can see a lot of emails that seem to be trying to send out, but the Barracuda blocks them.  This seems the most troubling to me because I am not sure how another (external) device would use our Barracuda to try and send email.

3. Obviously we have anti-virus/anti-spyware software actively running on all our PCs.

Thanks for any advice you can give.
Asked by: mgcIT
3 Solutions
 
GeodashCommented:
What flavor of Exchange are you using?

First off, I would check for NDR attacks. Take a look here: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27197611.html

Also, go into Exchange and look at the queues, and see whether they are backing up or going out.
 
Don S.Commented:
Often the blacklisting isn't spam related but rather is related to not having a valid RDNS entry for your IP address, or to having an address in a range that is not designated as static addresses by your ISP.  Work with your ISP on both of those issues.
 
GeodashCommented:
Alan posts a lot about NDR attacks. Check out his article too:

http://alanhardisty.wordpress.com/2010/07/12/how-to-close-an-open-relay-in-exchange-2007-2010/
 
Alan HardistyCo-OwnerCommented:
Monitoring
 
mgcITAuthor Commented:
OK, it looks like we are not an open relay, but I did get this warning:

Warning - Reverse DNS does not match SMTP Banner

Can someone give a brief explanation of what this means?

Thanks again.
 
mgcITAuthor Commented:
OK, looks like I have some reading to do.  I'm not an Exchange admin, so it will take me some time to grasp all of this.

In order to close out this question can you please confirm the following:

1. Would the "Reverse DNS..." warning I posted earlier cause our IPs to be blacklisted?
2. MXtoolbox is showing the internal FQDN name of our exchange server when I query mail.mydomain.com.  For example I get this:
220 server.domain.local Microsoft ESMTP MAIL Service ready at Tue, 10 Apr 2012 14:16:10 -0700.  This needs to be fixed as well correct?
3. Lastly is there any way to know for sure why Spamhaus would blacklist us?  Rather than trying to guess what the problem is, are there records available that specifically tell us why?

Thanks.
 
Alan HardistyCo-OwnerCommented:
Please post your Exchange version before taking this question any further as the version is relevant to the solution and also relevant as to whether you can ignore some of the information you have posted or not.
 
mgcITAuthor Commented:
Production server is Exchange 2007, however we also have 2010 running and are prepping for a migration.  Only a few of us in the IT Department are using 2010.

Not sure if it matters, but both instances of Exchange use the same Barracuda appliance for spam filtering.

Thanks.
 
GeodashCommented:
Yes, that is true
 
Alan HardistyCo-OwnerCommented:
Okay - thanks.

If you run tests and your Barracuda is what receives emails, then the Reverse DNS and Banner won't necessarily match, and it isn't important anyway as this is the receiving part.  What matters is the Reverse DNS record that is set up on your sending IP address and whether it resolves back to the same IP address in DNS when doing a lookup.

As for why you are getting blacklisted: at present there isn't enough information to go on to explain why.  Can you please send me a test email to alan @ it-eye.co.uk, then we may be able to see why you might be having problems.  I will keep the domain off the site, and if you send me an email, please advise that you have sent me one.  If any participating experts want to know the details of the domain / sending IP etc., please drop me an email and I will let you have the info, providing you keep the info to yourselves and don't post the domain name / IP address on EE.

Thanks

Alan
 
mgcITAuthor Commented:
Thanks Alan.. I will send you an email shortly.  I will also have a colleague send an email so you can see one from both Exchange server versions.  I'll use "EE Email Test" as the subject line.
 
Alan HardistyCo-OwnerCommented:
Thank you - Will post once I either receive the email or my Anti-Spam logs tell me that you tried!
 
mgcITAuthor Commented:
Emails sent...
 
Alan HardistyCo-OwnerCommented:
Okay - temporarily rejected for now - but I have enough info to start some testing :)

BRB
 
Alan HardistyCo-OwnerCommented:
Okay - you don't have Reverse DNS configured as yet, and your Barracuda's FQDN of barracuda.domain.com can't be used as that resolves to a different IP, so do you have a DNS A record that resolves to your sending IP address of xxx.xxx.xxx.2?

Your sending IP isn't currently blacklisted on any blacklist sites I can find.
 
mgcITAuthor Commented:
No, the IP isn't currently blocked... we submitted a false positive report like we always do and they remove the block within a day or two.  However, this is a pain because we get many emails bounced back until the blacklist entry is removed.

The sending IP that you are seeing is probably the gateway address and not the IP of the mail server.  Are you seeing 65.xx.xxx.2?  This also is confusing because the gateway is usually what gets blacklisted.

Again, I'm not the Exchange admin but am needing more explanation than what he is currently giving me, which is why I am posting here.

I don't know what barracuda.domain.com is for but believe it was an alternate A record because we have multiple ISPs for redundancy that all flow through a FatPipe Appliance.  The other A records that I'm aware of (for mail purposes) are:

mail.domain.com (barracuda I believe)
webmail.domain.com (EX 2007)
exchange.domain.com (EX 2010)
 
Alan HardistyCo-OwnerCommented:
Yes - I am seeing the 65.xxx.xxx.2 IP Address as the connecting IP.  This is what others will see and will be checking too, so not sure why other IP Addresses are getting blacklisted.

Two test emails received and you should have received my OOF message.

Looking at the email headers.
 
Alan HardistyCo-OwnerCommented:
Okay - the headers only show 1 external IP address and that is of your Barracuda, which is to be expected.

The path was Achilles.internaldomain.local / Morpheus.internaldomain.local / Barracuda.externaldomain.com / My Server (I have changed the internal domain as no point showing the real domain name!)

So - no reason at all for any IP Address other than your Barracuda to get Blacklisted and if you are behind a Barracuda then I would be surprised if that IP would be getting blacklisted anywhere.
 
mgcITAuthor Commented:
>>so not sure why other IP Addresses are getting blacklisted.

No, I meant this IS the IP Address that gets blacklisted.  However it is NOT the IP Address that is tied to an A record.  It is merely a gateway address that the Fatpipe Appliance (load balancer) uses for each of the internet connections that plug into the device.  Maybe this is part of our problem...
 
Alan HardistyCo-OwnerCommented:
Okay - so you need to add Reverse DNS to the IP Address because it is currently an ISP Generic DNS record and that WILL get you blacklisted.

So create a new A record called something like outbound.domain.com and then ask your ISP to set up Reverse DNS as outbound.domain.com on your fixed IP address, and that should make you RFC compliant and you should be free from blacklists unless there are other issues afoot (would be nice to have seen why you got blacklisted).
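An added, runnable illustration of the two checks discussed in Alan's comments above (the Reverse DNS / SMTP banner mismatch warning, and whether the sending IP has a forward-confirmed, non-generic PTR). This is example code written for this page, not code from the thread or from any poster; the IP addresses, hostnames and DNS answers are constructed, and lookups are served from a dictionary so the script runs offline. To test a live IP, replace lookup_ptr and lookup_a with real resolver calls.

```python
"""Check an outbound IP for forward-confirmed reverse DNS (FCrDNS) and
compare an SMTP 220 banner against it. Added example, not from the thread.
DNS answers come from a constructed dictionary so this runs offline; replace
lookup_ptr/lookup_a with real resolver calls to test a live IP."""
import ipaddress
import re

# Constructed DNS data (documentation-range addresses, made-up names).
CONSTRUCTED_DNS = {
    "ptr": {  # IP -> PTR name
        "203.0.113.2": "203-0-113-2.dyn.example-isp.net",  # ISP generic name
        "203.0.113.10": "outbound1.example.com",           # correct setup
        "203.0.113.11": "outbound2.example.com",           # A points elsewhere
    },
    "a": {    # hostname -> A records
        "203-0-113-2.dyn.example-isp.net": ["203.0.113.2"],
        "outbound1.example.com": ["203.0.113.10"],
        "outbound2.example.com": ["198.51.100.7"],
    },
}

# Heuristics for ISP-assigned names that receivers treat as "generic".
GENERIC_PATTERNS = (
    re.compile(r"(\d{1,3}[-.]){3}\d{1,3}"),                           # octets in name
    re.compile(r"\b(dyn|dynamic|dhcp|pool|cust|ppp|dsl|cable)\b", re.I),
)


def lookup_ptr(ip, dns=CONSTRUCTED_DNS):
    return dns["ptr"].get(ip)


def lookup_a(name, dns=CONSTRUCTED_DNS):
    return dns["a"].get(name, [])


def looks_generic(name):
    return any(p.search(name) for p in GENERIC_PATTERNS)


def check_fcrdns(ip, dns=CONSTRUCTED_DNS):
    """Return (status, ptr_name, reasons); status is 'ok' or 'fail'.
    FCrDNS passes when the PTR name has an A record containing the IP."""
    ipaddress.ip_address(ip)  # reject malformed input early
    ptr = lookup_ptr(ip, dns)
    if ptr is None:
        return "fail", None, ["no PTR record"]
    reasons = []
    if ip not in lookup_a(ptr, dns):
        reasons.append("PTR name does not resolve back to the IP")
    if looks_generic(ptr):
        reasons.append("PTR looks like an ISP generic name")
    return ("ok" if not reasons else "fail"), ptr, reasons


BANNER_RE = re.compile(r"^220[ -](\S+)")


def check_banner(banner, ptr_name):
    """Flag a 220 greeting whose hostname is internal-only (e.g. .local) or
    differs from the PTR name of the IP that presented it."""
    m = BANNER_RE.match(banner)
    if not m:
        return ["not a 220 greeting"]
    host = m.group(1).lower()
    issues = []
    if "." not in host or host.endswith((".local", ".lan", ".internal")):
        issues.append(f"banner hostname {host} is not a public FQDN")
    if ptr_name and host != ptr_name.lower():
        issues.append(f"banner hostname {host} does not match PTR {ptr_name}")
    return issues


if __name__ == "__main__":
    for ip in ("203.0.113.2", "203.0.113.10", "203.0.113.11", "203.0.113.99"):
        print(ip, check_fcrdns(ip))
    banner = "220 server.domain.local Microsoft ESMTP MAIL Service ready"
    print(check_banner(banner, lookup_ptr("203.0.113.10")))
```

The generic-name heuristic is deliberately loose: receivers differ in what they treat as dynamic-looking, so a PTR that trips it is worth fixing even if the forward lookup confirms. The .local check catches the banner the asker quoted, where the Exchange server announces its internal Active Directory name to the world.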
 
Khandakar Ashfaqur RahmanExpert/ConsultantCommented:
If it is composite blacklisting check out here:
http://cbl.abuseat.org/lookup.cgi?ip=
Enter your IP address and it'll show when it was detected. Not all the sites, like Spamcop, will give you evidence of the spam. Then check your server log. Analyze the header if you get any delivery failure message; you'll get the source IP of the message. Also be sure that your server is not an open relay.
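The asker's first step (only the Exchange server and the Barracuda may use port 25) and the advice above to go back to the logs for the source IP combine into one practical check: pull every port-25 attempt from the firewall log, discard the approved relays, and see which internal host is left fanning out to many external MTAs. The script below is an added example for this page, not code from the thread; its log lines are constructed in a generic key=value syslog style and the 10.0.x.x addresses are invented, so the regex will need adjusting to a real firewall's format.

```python
"""Find internal hosts trying to talk SMTP (TCP/25) past the firewall.
Added example, not from the thread. The log lines are constructed in a
generic key=value syslog style; adjust FIELD_RE to your firewall's format."""
import re
from collections import defaultdict

# Constructed sample. Only the Exchange server (10.0.0.5) and the Barracuda
# (10.0.0.6) are supposed to use port 25; 10.0.2.41 is fanning out to many
# external MTAs, which is what a spambot infection looks like from the edge.
SAMPLE_LOG = """\
Apr 10 14:01:02 fw1 action=allow proto=tcp src=10.0.0.6 dst=203.0.113.25 dport=25
Apr 10 14:01:09 fw1 action=deny proto=tcp src=10.0.2.41 dst=198.51.100.20 dport=25
Apr 10 14:01:09 fw1 action=deny proto=tcp src=10.0.2.41 dst=198.51.100.21 dport=25
Apr 10 14:01:10 fw1 action=deny proto=tcp src=10.0.2.41 dst=192.0.2.77 dport=25
Apr 10 14:01:11 fw1 action=deny proto=tcp src=10.0.2.41 dst=192.0.2.78 dport=25
Apr 10 14:01:15 fw1 action=deny proto=tcp src=10.0.3.9 dst=198.51.100.22 dport=587
Apr 10 14:02:00 fw1 action=allow proto=tcp src=10.0.0.5 dst=10.0.0.6 dport=25
Apr 10 14:02:30 fw1 action=deny proto=tcp src=10.0.2.77 dst=192.0.2.9 dport=25
Apr 10 14:03:05 fw1 action=allow proto=tcp src=10.0.4.12 dst=192.0.2.50 dport=25
"""

ALLOWED_SENDERS = frozenset({"10.0.0.5", "10.0.0.6"})
FIELD_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = {"action", "src", "dst", "dport"}


def parse_line(line):
    """Return the key=value fields of one line, or None if it lacks the
    fields the triage needs (e.g. a daemon status message)."""
    fields = dict(FIELD_RE.findall(line))
    return fields if REQUIRED <= fields.keys() else None


def smtp_egress_offenders(log_text, allowed=ALLOWED_SENDERS, min_hits=2):
    """Group port-25 attempts (allowed or denied) by source addresses that
    are not approved relays. Returns (src, attempts, distinct_destinations)
    tuples, busiest first. min_hits drops one-off connections."""
    attempts = defaultdict(int)
    destinations = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["dport"] != "25" or f["src"] in allowed:
            continue
        attempts[f["src"]] += 1
        destinations[f["src"]].add(f["dst"])
    rows = [(src, n, len(destinations[src]))
            for src, n in attempts.items() if n >= min_hits]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def policy_violations(log_text, allowed=ALLOWED_SENDERS):
    """Port-25 connections the firewall *allowed* from a non-approved
    source: proof that the egress rule is not doing what it is meant to."""
    return [(f["src"], f["dst"])
            for f in map(parse_line, log_text.splitlines())
            if f and f["action"] == "allow"
            and f["dport"] == "25" and f["src"] not in allowed]


if __name__ == "__main__":
    for src, n, dsts in smtp_egress_offenders(SAMPLE_LOG):
        print(f"{src}: {n} SMTP attempts to {dsts} destinations")
    print("policy violations:", policy_violations(SAMPLE_LOG))
```

Two things to read off the output: a host with many attempts to many distinct destinations is the machine to pull off the network and image, and any row from policy_violations means the port-25 restriction described in the question is not actually being enforced for that source, which would explain a blacklisting that the Barracuda's logs never show.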
 
mgcITAuthor Commented:
Does it matter that the IP tied to outbound.domain.com would be used for all outbound traffic?  Again, this is basically a gateway so there will be more than just email traffic originating from this IP.

Also, since we have multiple ISPs for redundancy, I assume we would have to set up outbound1.domain.com, outbound2.domain.com, etc.?  Is that correct?  Or do I create a single A record and point it to multiple IP addresses?
 
Alan HardistyCo-OwnerCommented:
That could get interesting!

I would setup separate A records - one for each ISP IP Address and then setup Reverse DNS on each ISP's IP Address accordingly.

ISP1
DNS A Record: outbound1.yourdomain.com - 123.123.123.123
IP: 123.123.123.123 - Reverse DNS - Outbound1.yourdomain.com

ISP2
DNS A Record: outbound2.yourdomain.com - 234.234.234.234
IP: 234.234.234.234 - Reverse DNS - Outbound2.yourdomain.com

ISP3
DNS A Record: outbound3.yourdomain.com - 231.231.231.231
IP: 231.231.231.231 - Reverse DNS - Outbound3.yourdomain.com

That hopefully makes sense and confirms your thinking.

That way if one ISP connection drops, Reverse DNS will be configured properly and mail should still flow.

You might want to create an SPF record that includes all your ISP's IP Address as allowed to send mail on behalf of your server too.
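Alan's last point, an SPF record naming every ISP's outbound address, is worth seeing end to end: the record a site with this layout would publish, and how a receiver evaluates it for a given connecting IP. The code below is an added example for this page, not the poster's; it reuses the placeholder hostnames and 123.123.123.123-style addresses from the answer above as constructed data, and it goes a little beyond the text by implementing a small evaluator (ip4, ip6, a and all mechanisms only; include/redirect/mx are not handled) so the record can be tested offline before it is published.

```python
"""Build an SPF record listing each ISP's outbound IP and evaluate it the
way a receiver would. Added example, not from the thread. Only the ip4,
ip6, a and all mechanisms are implemented (no include/redirect/mx), which
covers a site whose mail leaves directly from its own fixed addresses."""
import ipaddress

# Constructed data using the placeholder names/IPs from the answer above.
OUTBOUND_HOSTS = {
    "outbound1.yourdomain.com": "123.123.123.123",
    "outbound2.yourdomain.com": "234.234.234.234",
    "outbound3.yourdomain.com": "231.231.231.231",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def build_spf(ips, policy="-all"):
    """One ip4:/ip6: term per sending address or CIDR block, then the
    catch-all. Use ~all while verifying the list, -all once it is complete."""
    terms = ["v=spf1"]
    for ip in ips:
        net = ipaddress.ip_network(ip, strict=False)
        single_host = net.prefixlen == net.max_prefixlen
        arg = str(net.network_address) if single_host else str(net)
        terms.append(f"ip{net.version}:{arg}")
    terms.append(policy)
    return " ".join(terms)


def to_txt_strings(record, limit=255):
    """A single TXT character-string is capped at 255 bytes; a long record
    must be published as several adjacent strings that receivers join."""
    return [record[i:i + limit] for i in range(0, len(record), limit)]


def evaluate_spf(record, sender_ip, domain=None, a_lookup=OUTBOUND_HOSTS.get):
    """Return pass/fail/softfail/neutral/permerror for sender_ip.
    a_lookup maps a hostname to its A record (injected so this runs offline)."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            # 'in' is False when address and network families differ.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif mech == "a":
            target = a_lookup(arg or domain)
            if target and ipaddress.ip_address(target) == ip:
                return QUALIFIERS[qual]
        else:
            return "permerror"  # include/redirect/mx/exists not implemented here
    return "neutral"  # no mechanism matched and no explicit 'all'


if __name__ == "__main__":
    record = build_spf(OUTBOUND_HOSTS.values())
    print(record)
    print(to_txt_strings(record))
    for ip in ("234.234.234.234", "65.1.1.2"):
        print(ip, evaluate_spf(record, ip))
```

Publishing the record is not a substitute for the Reverse DNS fix; it tells receivers which addresses may send for the domain, which also helps the false-positive reports to the blacklist operators, since a hard-fail SPF makes it clear that anything else claiming the domain is forged.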
 
mgcITAuthor Commented:
OK, yeah, that makes sense.

and just to be clear.. I wouldn't need to change anything on the Exchange servers or barracuda right?  No additional MX records, etc... ?
 
Alan HardistyCo-OwnerCommented:
No - nothing needs to change on the Exchange servers or Barracuda.

Your inbound mail arrives at a different IP and isn't related to being blacklisted, so that part is fine.
 
mgcITAuthor Commented:
for clarification, is the Reverse DNS setup by the ISP, or the domain host/provider?
 
Alan HardistyCo-OwnerCommented:
It is whoever provides you the IP Address, which is usually the ISP.
