Ronald Hicks

asked on

I've been blacklisted. Can anyone help?

Exchange 2010 on Server 2008 R2.  My mail host is 1and1.com.  The IP address cited in the message,  70.108.255.84, is indeed my static IP address issued by Verizon.

A couple of places I'm sending to are blocking.  The reply message is at the end of my words, after the line with all the ++++++.

I am able to send successfully to many other recipients.  

How can I run this down?

Is there a way to look at the entire message stream going forth from my Exchange server to see if it has become someone else's zombie spammer?

--ron


++++++++++++++++++BEGIN QUOTED TEXT+++++++++++

From: Microsoft Outlook
Sent: Friday, June 28, 2013 1:50 PM
To: Quigley, Jim
Subject: Undeliverable: RE: Sermons?


box429.bluehost.com rejected your message to the following e-mail addresses:

Potter, Deborah at Newslab (potter@newslab.org)


box429.bluehost.com gave this error:
Message rejected because (mail.stalbansdc.org) [70.108.255.84]:44577 is blacklisted.

A problem occurred during the delivery of this message to this e-mail address. Try sending this message again. If the problem continues, please contact your helpdesk.

Diagnostic information for administrators:

Generating server: SAEC4.StAlbansParish.local

potter@newslab.org
box429.bluehost.com #550-Message rejected because (mail.stalbansdc.org) [70.108.255.84]:44577 is 550 blacklisted. ##

Original message headers:

Received: from SAEC4.StAlbansParish.local ([fe80::80d9:d729:a266:e7dd]) by
 SAEC4.StAlbansParish.local ([fe80::80d9:d729:a266:e7dd%11]) with mapi id
 14.01.0438.000; Fri, 28 Jun 2013 13:50:16 -0500
From: "Quigley, Jim" <JimQ@StAlbansDC.org>
To: "Potter, Deborah at Newslab" <potter@newslab.org>
CC: "Quigley, Jim" <JimQ@StAlbansDC.org>
Subject: RE: Sermons?
Thread-Topic: Sermons?
Thread-Index: AQHOdCGogM4jYd9R70aNzJ+qA/UfjZlLdxUI
Date: Fri, 28 Jun 2013 18:50:15 +0000
Message-ID: <560AEAE6A0F50148A0C89FD64FB7EDE712FB3652@SAEC4.StAlbansParish.local>
References: <CAMfc58f=JeFoJHZ5YyVRSij4EAyFUbFvQtBQjFYwwzjRfVJfbQ@mail.gmail.com>
In-Reply-To: <CAMfc58f=JeFoJHZ5YyVRSij4EAyFUbFvQtBQjFYwwzjRfVJfbQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [216.15.50.145]
Content-Type: multipart/alternative;
      boundary="_000_560AEAE6A0F50148A0C89FD64FB7EDE712FB3652SAEC4StAlbansPa_"
MIME-Version: 1.0
 ++++++++++++++++++END QUOTED TEXT+++++++++++++++++++
ASKER CERTIFIED SOLUTION
Alan Hardisty

SOLUTION
Also consider asking Verizon for a different Static IP address. I have to do that with my own ISP. They purchased a block of IP's, some of which had been blacklisted.

..... Thinkpads_User
Ronald Hicks

ASKER

Alan, could you please elaborate on your first sentence beginning with "okay": how do I block a port? On the mail server or the clients? One of my users opened a bogus Dun and Bradstreet message this morning.  Could be the cause.
SOLUTION
You can (or should be able to) configure your firewall / router to block outbound TCP port 25 for all IPs other than your server, so if your server has an internal IP of 192.168.0.2, then you should block the range 192.168.0.3-192.168.0.254.  This will prevent any SMTP traffic being sent out and blacklisting your mail server.

If your user opened a bogus D&B email, that is the most likely computer.

Was that around the time of the spam report?
It was last detected at 2013-07-16 13:00 GMT (+/- 30 minutes)

Alan
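The egress rule above is the prevention side; the detection side is checking the firewall's own connection log for hosts other than the mail server trying to reach tcp/25 outside. Below is an added example (not code from this thread) that does that check. It assumes the mail server is 192.168.0.2 and the LAN is 192.168.0.0/24 (the hypothetical addresses in the reply above); the log lines are constructed for the example, and `parse_line()` is the piece you would adapt to the real export format (SonicWall syslog, NetFlow and so on).

```python
"""Audit firewall connection logs for outbound tcp/25 from hosts other than the mail server.

Added example, not code from the original thread. Assumptions: mail server
192.168.0.2 and LAN 192.168.0.0/24 (the hypothetical addresses used in the
reply above); the one-connection-per-line log format is constructed for this
example and parse_line() would be rewritten for the real firewall export.
"""
import ipaddress
import re
from collections import Counter

MAIL_SERVER = ipaddress.ip_address("192.168.0.2")  # only host allowed to send SMTP outbound
LAN = ipaddress.ip_network("192.168.0.0/24")       # assumed internal range

# Constructed sample log: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto> <action>"
SAMPLE_LOG = """\
2013-07-16T12:58:01 192.168.0.2:51234 -> 198.51.100.7:25 tcp allow
2013-07-16T12:58:05 192.168.0.57:49152 -> 198.51.100.23:25 tcp drop
2013-07-16T12:58:05 192.168.0.57:49153 -> 198.51.100.24:25 tcp drop
2013-07-16T12:58:06 192.168.0.57:49154 -> 203.0.113.9:25 tcp allow
2013-07-16T12:58:07 192.168.0.57:49155 -> 203.0.113.80:80 tcp allow
2013-07-16T12:58:09 192.168.0.31:50001 -> 192.168.0.2:25 tcp allow
2013-07-16T12:58:10 192.168.0.2:51235 -> 192.0.2.27:25 tcp allow
2013-07-16T12:58:11 192.168.0.57:49156 -> 198.51.100.25:25 udp drop
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": ipaddress.ip_address(d["src"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
        "proto": d["proto"].lower(),
        "action": d["action"].lower(),
    }


def audit_smtp_egress(lines, mail_server=MAIL_SERVER, lan=LAN):
    """Return (attempts, leaked, mail_server_count).

    attempts: outbound tcp/25 connection attempts per internal host other than
              the mail server. Dropped attempts count too: a host that keeps
              trying is the infected one even when the firewall is stopping it.
    leaked:   the subset of those attempts the firewall allowed, i.e. a gap in
              the egress rule that can get the public IP listed.
    mail_server_count: outbound tcp/25 from the mail server itself; a sudden
              spike here points at an infected client relaying through Exchange.
    """
    attempts = Counter()
    leaked = Counter()
    mail_server_count = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != 25:
            continue
        if rec["src"] not in lan or rec["dst"] in lan:
            continue  # not an internal host going outbound (e.g. a client submitting to Exchange)
        if rec["src"] == mail_server:
            mail_server_count += 1
            continue
        attempts[str(rec["src"])] += 1
        if rec["action"] == "allow":
            leaked[str(rec["src"])] += 1
    return attempts, leaked, mail_server_count


if __name__ == "__main__":
    attempts, leaked, n_mail = audit_smtp_egress(SAMPLE_LOG.splitlines())
    print("mail server outbound SMTP connections:", n_mail)
    for host, count in attempts.most_common():
        print(f"{host}: {count} outbound tcp/25 attempts, {leaked.get(host, 0)} allowed through")
```

On the sample data the only rogue host is 192.168.0.57, with two attempts dropped and one allowed; that allowed connection is the kind of gap worth chasing even when the SonicWall rule is believed to be in place, and a host with dropped attempts is still worth cleaning, because the drops only prove the rule works, not that the machine is healthy.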
Use rotation of IPs while sending the mail; try configuring Interspire marketer for bulk mailing.
My SonicWall already has rules that block SMTP for all IP addresses except my mail server.

What else can I try?
I meant to add that I am starting to go through the tools in MXToolBox.  I'm not sure what to type in each dialog box though.  Learning.

My latest check of my BL status says that my site last evidenced Trojan, spam etc traffic 30 hours ago.  Is that a clue to anything?  That much time, I mean?
If the last occurrence was 30 hours ago, that means the problem has stopped (for now) and hopefully won't happen again, but if you already block port 25 outbound, then you could have an infected computer using your Exchange Server to send out mail.

Did you also check on http://www.mailradar.com/openrelay/ in case you are an open relay?

Alan
I'm wondering if Constant Contact could be a factor.  We use it once a week to send to about 400, maybe 600 people.  All of whom subscribed, of course.

I had thought that that volume of mail would be counted against some IP address other than mine, but I'm wondering now.  One of our addresses is listed as the From, but it seems that would be just a ReplyTo field that we filled in when we set it up.

Is it possible that all those messages look to BL sites like they are coming from my little-ol Exchange Server and not from the big-ol Constant Contact server in the sky?
My very first comment tells you the problem is the Cutwail Spambot and that's not the same as sending via Constant Contact.

You have / had a virus - pure and simple.  Was anyone in that day that isn't usually?

The email that was opened from D&B - is the machine on still that the message was opened on?

Alan
Related to the above, I have a couple of  groups in Exchange that we use a few times a week.  The biggest is about 30 names, all members of the parish or staff.   One of the members of one of the groups is one of the recipients that we cannot send to.  Her ISP is one of the ones that block us.  Are BL sites sensitive to those small numbers of addresses in an email to a group?
BL Sites list IP Addresses.  If their Anti-Spam software uses a BL that you are on, then you will find it hard to get your emails to them.

You are also listed on b.barracudacentral.org - so there are a few places you need to de-list from before your mail-flow returns to normal and you don't have Reverse DNS on your Static IP (assuming it is static), so that needs fixing by calling your ISP and getting that setup too.

Alan
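Checking several lists plus reverse DNS, as the reply above recommends, is a mechanical job. The following is an added example, not code from this thread, of how a DNSBL lookup and a forward-confirmed reverse DNS check are actually done: the IP's octets are reversed and prefixed to the list's zone, and an A record answer in 127.0.0.0/8 means "listed". The resolver functions are injectable so the demo runs offline against a constructed answer table (FAKE_DNS / FAKE_PTR, built to mirror what Alan reports: a CBL/XBL and Barracuda listing and no PTR record for 70.108.255.84); for a live check pass the real resolvers. The HELO name mail.stalbansdc.org is taken from the bounce quoted in the question; the return-code meanings are from the list operators' published documentation.

```python
"""DNSBL and reverse-DNS check for a mail server's public IP.

Added example, not code from the original thread. Standard library only.
The resolver functions are injectable so the demo runs offline against a
constructed answer table (FAKE_DNS / FAKE_PTR); pass live_resolve / live_ptr
(socket-based, defined below) for a real check.
"""
import ipaddress
import socket

# Zones mentioned in the thread, with the return codes the operators document.
# CBL data is also served through Spamhaus XBL (zen.spamhaus.org 127.0.0.4-7).
ZONES = {
    "zen.spamhaus.org": {
        "127.0.0.2": "SBL", "127.0.0.3": "SBL (CSS)",
        "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
        "127.0.0.10": "PBL", "127.0.0.11": "PBL",
    },
    "cbl.abuseat.org": {"127.0.0.2": "CBL"},
    "b.barracudacentral.org": {"127.0.0.2": "BRBL"},
}


def dnsbl_name(ip, zone):
    """Reverse the IPv4 octets and append the list zone: 70.108.255.84 -> 84.255.108.70.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def live_resolve(name):
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None  # NXDOMAIN: not listed / no such name


def live_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None  # no PTR record


def check_dnsbl(ip, zones=ZONES, resolve=live_resolve):
    """Map each zone to None (not listed) or a human-readable listing status."""
    results = {}
    for zone, codes in zones.items():
        answer = resolve(dnsbl_name(ip, zone))
        if answer is None:
            results[zone] = None
        elif answer.startswith("127.255.255."):
            # Spamhaus answers 127.255.255.x when it refuses the query (e.g. it came
            # through a public resolver) or on errors; that is not a listing.
            results[zone] = "query error %s, not a listing" % answer
        else:
            results[zone] = codes.get(answer, "listed, unknown code %s" % answer)
    return results


def check_reverse_dns(ip, helo_name, ptr=live_ptr, resolve=live_resolve):
    """PTR present? Does it resolve back to the IP (FCrDNS)? Does it match the HELO name?"""
    name = ptr(ip)
    forward = resolve(name) if name else None
    return {
        "ptr": name,
        "fcrdns": name is not None and forward == str(ip),
        "matches_helo": name is not None and name.lower() == helo_name.lower(),
    }


# Constructed answer table mirroring the thread; not a real DNS snapshot.
FAKE_DNS = {
    "84.255.108.70.zen.spamhaus.org": "127.0.0.4",        # XBL (CBL data)
    "84.255.108.70.b.barracudacentral.org": "127.0.0.2",  # Barracuda listing
    "mail.stalbansdc.org": "70.108.255.84",               # forward record for the HELO name
}
FAKE_PTR = {}  # no PTR record for 70.108.255.84, as reported in the thread


def fake_resolve(name):
    return FAKE_DNS.get(name)


def fake_ptr(ip):
    return FAKE_PTR.get(ip)


def run_demo(ip="70.108.255.84", helo="mail.stalbansdc.org"):
    listings = check_dnsbl(ip, resolve=fake_resolve)
    rdns = check_reverse_dns(ip, helo, ptr=fake_ptr, resolve=fake_resolve)
    return listings, rdns


if __name__ == "__main__":
    listings, rdns = run_demo()
    for zone, status in listings.items():
        print(f"{zone}: {status or 'not listed'}")
    print("reverse DNS:", rdns)
```

Two practical points the code encodes: an XBL/CBL hit is an infection indicator, so delisting before the infected machine is found just leads to a relisting (as the CBL text quoted later in the thread says), and the 127.255.255.x answers from Spamhaus mean the query was refused, not that the IP is listed, which is a common misreading when the lookup goes through a public resolver.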
Re the D&B message.  The user tells me now that he didn't open it; but I would have sworn that he told me two days ago that he did.

Further, I checked his machine and discovered to my horror that it had no AV installed.  I must have gotten interrupted a week ago when I was converting machines from one to another and not finished his.  I installed the AVG for Business that we're using and it found about 20+ Trojan and other viruses.  I think it is clean now, but that could have been the problem.  I'll see if I can capture the report and post it here.  Perhaps the name or names of some of them will be known malware of this sort.
Okay - sounds like that may well have been the problem.

When did you run the scan on the PC roughly?
Attached are screen prints of the details of the viruses found in two scans on the machine that I'm paying most attention to now.  It is a little distressing that the second one, a day after the first, found the same things.  A scan just now came up clean.  Does a perusal of the details indicate to anyone malware that would generate mail traffic?
AVG-Report-20130716-233521.doc
AVG-Report-20130717-122408.doc
What time Zone are you in?

You are in Washington aren't you?
Yes, Washington DC; in the shadow of the Washington National Cathedral.

I googled all the viruses listed in the two AVG scan reports attached to a previous comment and none jumped out at me as likely to be responsible for botnet spamming, but some are the kind that snoop on activity and transmit to the mother ship.
I just checked my IP address, and it shows not listed.  I don't understand this because I didn't do anything yet to de-list it.  I'm still working on finding out why I was listed in the first place.


+++++++++++++++++++++++BEGIN QUOTED TEXT+++++++++++++++
IP Address 70.108.255.84 is not listed in the CBL.

Please note: Due to processing changes inside the CBL, it is possible that a very new listing (less than an hour old) cannot be seen with this tool. If you're sure that the IP is listed (eg: you have been directed here by the Spamhaus or some other lookup page), please try again in an hour.


It was previously listed, but was removed at 2013-07-17 20:56 GMT (15 hours, 13 minutes ago)

At the time of removal, this was the explanation for this listing:
This IP is infected (or NATting for a computer that is infected) with the cutwail spambot. In other words, it's participating in a botnet.

If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.

This IP is infected (or NATting for a computer that is infected) with a spam-sending infection. In other words, it's participating in a botnet. If you simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably relist again.

How to resolve future problems and prevent relisting
+++++++++++++++++END QUOTED TEXT++++++++++++++++++++++
I delisted you :) As the report had been a long time ago - it seemed rude not to.
alanhardisty, in my understanding this is a temporary solution. To just remove the IP address from the RBL, we need to pay something; otherwise this problem will come again.

Suggest to me if I am wrong.
You should never need to pay anyone to be delisted from a Block List.

You can optionally pay to be express de-listed from some sites, but paying is not the normal method of being de-listed.

The problem will happen again if you get an infection even if you pay someone, so what is the point of paying anyone?
Great, alanhardisty! I understood. Thanks...
Just bumping points up.
Alan.  Thanks for sticking with me through this.

Perarduaadastra. Thanks for the MXToolbox reference.

vijayhakcers. Thanks for pursuing the pay-to-delist question so it got clarified.

I'm in search now for a good spam filtering service.  I think I'm using Spamhaus, but it might have gotten turned off somewhere as I am being inundated with spam now; many in oriental characters.   But that will be a new question.

Ron Hicks
Give Vamsoft a trial for 42 days and then see if it works for you like it works for me and all our customers.

www.vamsoft.com

Alan