Outgoing SMTP Address Blacklisted by anti-spam database

Hello,

I recently started having email issues. My customers' emails are bouncing back. I ran a blacklist check using my outgoing SMTP IP address to find that I have been blacklisted by SORBS and BACKSCATTER. I am running Symantec Mail Security for MS Exchange on my Exchange 2003 server. But I guess this isn't enough.

It seems like someone is abusing our SMTP address. What can I implement in order to remove us and avoid this from happening again?

Please help.

---------------------------------------------------------
Listed below is the output from BACKSCATTER

This IP IS CURRENTLY LISTED in our Database.
Please note that this listing does NOT mean you are a spammer, it means your mailsystem is either poorly configured or it is using abusive techniques.
This kind of abuse is known as BACKSCATTER (Misdirected Bounces or Misdirected Autoresponders or Sender Callouts). Click the links above to get clue how and why to stop that kind of abuse.


To track down what happened investigate your smtplogs near 08.09.2013 16:56 CEST +/-1 minute.

You will either find that your system tried to send misdirected bounces or misdirected autoresponders to claimed but in reality faked senders, or your system tried sender verify callouts against our members near that time.

So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM.

Reading your logs carefully it shouldn't be a big deal to figure out what caused or renewed your listing.


History:
08.07.2010 17:21 CEST      listed      
10.01.2012 16:25 CET      expired      
18.01.2012 00:46 CET      listed      
28.03.2012 01:25 CEST      expired      
22.04.2012 06:48 CEST      listed      
05.08.2012 15:25 CEST      expired      
08.08.2012 16:36 CEST      listed      
22.09.2012 13:25 CEST      expired      
23.09.2012 22:40 CEST      listed      
07.02.2013 17:25 CET      expired      
17.02.2013 04:38 CET      listed      

A total of 88 Impacts were detected during this listing. Last was 08.09.2013 16:56 CEST +/- 1 minute.
Earliest date this IP can expire is 06.10.2013 16:56 CEST.
--

Thx
t
tobe1424Asked:
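The Backscatterer listing above says to read the SMTP logs around 08.09.2013 16:56 CEST for outbound MAIL FROM commands with a null sender or postmaster. This is an added example, not part of the question or of any product: a small parser for the W3C extended log that an Exchange 2003 SMTP virtual server writes. The field list, IPs and addresses in the sample are constructed assumptions; the parser reads the #Fields header, so it follows whatever your own logs contain.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of an Exchange 2003 SMTP virtual-server log in W3C extended
# format. The exact field list is an assumption; the parser reads the #Fields
# header, so it adapts to whatever fields your own server logs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2013-09-08 14:55:10 203.0.113.7 OutboundConnectionCommand MAIL FROM:<alice@mydomain.com> 0
2013-09-08 14:56:02 203.0.113.9 OutboundConnectionCommand MAIL FROM:<> 0
2013-09-08 14:56:05 203.0.113.9 OutboundConnectionCommand RCPT TO:<someone@example.net> 0
2013-09-08 14:56:40 203.0.113.11 OutboundConnectionCommand MAIL FROM:<postmaster@mydomain.com> 0
2013-09-08 15:30:00 198.51.100.4 MAIL - FROM:<bob@example.com> 250
"""

def cest_to_utc(year, month, day, hour, minute):
    """Backscatterer quotes times in CEST (UTC+2); IIS writes its logs in UTC."""
    local = datetime(year, month, day, hour, minute, tzinfo=timezone(timedelta(hours=2)))
    return local.astimezone(timezone.utc).replace(tzinfo=None)

def find_backscatter_candidates(log_text, centre_utc, window=timedelta(minutes=1)):
    """Return (timestamp, peer_ip, sender) for outbound MAIL FROM commands whose
    sender is null (<>) or postmaster, within +/- window of centre_utc.
    Those are the misdirected bounces Backscatterer asks you to look for."""
    fields, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        # Outbound commands are logged with the SMTP verb in cs-uri-stem.
        if rec.get("cs-method") != "OutboundConnectionCommand" or rec.get("cs-uri-stem") != "MAIL":
            continue
        sender = rec["cs-uri-query"][len("FROM:"):].strip("<>").lower()
        if sender != "" and not sender.startswith("postmaster@"):
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if abs(ts - centre_utc) <= window:
            hits.append((ts, rec["c-ip"], sender or "<>"))
    return hits

if __name__ == "__main__":
    # The listing quoted in the question points at 08.09.2013 16:56 CEST +/- 1 minute.
    for ts, ip, sender in find_backscatter_candidates(SAMPLE_LOG, cest_to_utc(2013, 9, 8, 16, 56)):
        print(f"{ts} UTC  peer={ip}  MAIL FROM={sender}")
```

The peer IP on each hit is the remote server your relay was bouncing to, which is what Backscatterer records as an "impact".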

R--RCommented:
The outgoing email uses smarthost or DNS.
You have to block outgoing port 25 to all except the Exchange server.
Check if your server is an open relay using http://mxtoolbox.com.
Enable SMTP logging and check which IP address the maximum requests come from.

Check this from support.microsoft.com for open relay.

http://support.microsoft.com/kb/324958
1
Simon Butler (Sembee)ConsultantCommented:
Backscatter basically means you don't have recipient filtering turned on.
The server accepts all email at your domain, whether the recipient is valid or not, then attempts to NDR the message back.
http://exchange.sembee.info/2003/smtp/filter-unknown.asp

Simon.
0
tobe1424Author Commented:
My server is not an open relay. Is it a must for me to make it an open relay server? I don't want the entire world to be able to send mail using my server. Maybe I am missing something here.

I believe my SMTP logging has been enabled, but I am not sure how to filter for which IP the maximum requests come from.
0

tobe1424Author Commented:
thanks folks.

I have looked into both solutions. Simon, your solution seems easier, but after reading on directory harvest attacks, I am a bit paranoid.

t
0
tobe1424Author Commented:
After comparing my ESM settings with the link provided, it seems like I have recipient filtering enabled. The only thing I was missing is the tar pit feature.

Anything else I can do? I am not sure about making my SMTP server an open relay. My managers are not agreeing with me :/
0
Alan HardistyCo-OwnerCommented:
You don't want to make your server an open relay - that will make your problems a whole lot worse.

You need to simply configure Recipient Filtering to solve the Backscatterer listing.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2527-How-to-prevent-Spoofed-Emails-in-Exchange-2003.html
0
Simon Butler (Sembee)ConsultantCommented:
The tarpit deals with directory harvest attacks.
You need to configure the recipient filter though.

Simon.
0
tobe1424Author Commented:
In ESM, Message Delivery Properties -> Recipient Filtering - I already had "Filter recipients who are not in the Directory" checked on. Do I need to further tweak this?

Anything that I can do with SMSME?
0
tobe1424Author Commented:
I just ran a blacklist check with my other block of IPs (Comcast block) and I seem to be in the database as well. We do not send anything from this block. But I am having issues surfing the web at times. It seems like DNS temporarily goes down for a few seconds.

APEWS.org

RBL for other block of IP's
0
tobe1424Author Commented:
More important is the other block of IPs, which has disrupted my mail flow. These two blocks don't see each other. But it could be related. Is there anything else I can do?
0
tobe1424Author Commented:
Aside from "Filter recipients who are not in the Directory", which was already checked on, do I need to configure anything else here?
0
tobe1424Author Commented:
I thought Symantec Mail Security for MS Exchange would have taken care of these loopholes.
0
Simon Butler (Sembee)ConsultantCommented:
Recipient filtering should have stopped backscatter.
Have you looked at the backscatter blacklist to see when you were added?
http://www.backscatterer.org/

However, for the option in Exchange to work correctly, Exchange must be what answers email from the internet. If something else does that instead, like a router/firewall, AV product etc., then it doesn't work correctly.

You can confirm what is answering the external email by doing a telnet test from an external host:

telnet host.example.com 25

You should get a banner like this:

220 host.example.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at  Tue, 10 Sep 2013 08:18:36 +0100

If it says anything else then it isn't Exchange answering the inbound traffic.

Simon.
0
tobe1424Author Commented:
Oh I see,

I will test by using telnet from an external computer.

In the meantime, is there a way to stop the NDRs from being sent to users who are NOT in AD?

Do you think doing so will stop the masses of NDRs, which is probably what is blacklisting me?
0
tobe1424Author Commented:
I just confirmed that Exchange is indeed answering external email.

However, I also have Symantec Mail Security for Microsoft Exchange 6.5.7.279 configured. I wonder if I can do anything here? I have configured the whitelist/blacklist.

I have not configured this feature: bypass real-time blacklist and spam detection for message sent to the following

I wonder if this would do the trick, since everything else seems to be configured correctly.
0
Alan HardistyCo-OwnerCommented:
That list sounds like a way to Whitelist emails sent to a specific address.  It won't help you with Backscatter.

I used to use Symantec Mail Security - but stopped using it as it let way too much spam through.
0
Simon Butler (Sembee)ConsultantCommented:
The recipient filter should stop the server from accepting email for non-existent users. However, you may want to test it using telnet to confirm it is working correctly.

Simon.
0
tobe1424Author Commented:
I already had the recipient filter enabled on my Exchange server. But my actual SMTP server relays SMTP traffic to my Exchange. I wonder if any configuration needs to take place on this server?
0
Alan HardistyCo-OwnerCommented:
Recipient Filtering has to be setup at the first server that receives mail for your domain, otherwise it accepts the mail, passes it on to the next server and then that server determines the recipient is invalid and is forced to send back an NDR message.

If you have an SMTP Server that relays to your Exchange box, then you MUST setup Recipient Filtering on there to get round the Backscatter problem.
0
tobe1424Author Commented:
ok thanks again.

I am now looking at my SMTP server. I see a few config options in IIS. Is this where I am supposed to be looking? I don't see a recipient filtering option on this box. But I do see relay restrictions.

smtp virtual server prop
smtp relay restrictions
0
Alan HardistyCo-OwnerCommented:
Why do you have an SMTP Server as well as an Exchange Server?  What is it used for?
0
tobe1424Author Commented:
I have this to relay SMTP traffic to my Exchange servers. I have several Exchange servers on different domains.
0
tobe1424Author Commented:
To be exact, I have 2 different Exchange 2003 servers.
0
Alan HardistyCo-OwnerCommented:
Does the SMTP Relay server sit in the domain and can it query AD to pull a list of email addresses that exist on both Exchange Servers?

If it can then you need to setup Anti-Spam on the SMTP server and enable recipient filtering.

If not, how many static IP addresses do you have?
0
tobe1424Author Commented:
We have a couple of spare IPs in our block. We want to fix the issue and then change our IP.

The SMTP server sits in a workgroup by itself. In IIS I see about 8 of the domains this server handles, but I am wondering what needs to be configured here.
0
Alan HardistyCo-OwnerCommented:
If you have multiple IPs - what is the need for the SMTP Server?

You can assign each Exchange server a Public IP and then forward that IP's port 25 to the relevant Exchange server and as long as you are Recipient Filtering on each Exchange server, then the problem will be solved.

What is your logic for having the SMTP server?

Alan
0
tobe1424Author Commented:
We have a VPN service running on this server as well, but it happens to be our SMTP server as well. Not sure about the logic or design process, but it was in place when I got here.

Recipient filtering has been enabled on my Exchange servers even before Backscatter blacklisted me. I am not sure what to do next :\
0
Alan HardistyCo-OwnerCommented:
To have Recipient Filtering work, invalid emails destined for non-existent recipients have to be rejected at the point of entry into your network.  If they aren't, Backscatter is the result.

You either need to configure LDAP access to the domains to query AD and the valid email addresses on the SMTP server or do away with it and have mail arrive direct to the exchange servers where Recipient Filtering can be carried out.
0
tobe1424Author Commented:
For the time being, I disabled NDRs on the Exchange servers.
0
Alan HardistyCo-OwnerCommented:
That is not a long-term solution as you are violating the RFC standards for email.

Alan
0
tobe1424Author Commented:
Oh, I see. I will enable them, but I am still being blacklisted by Backscatter. I just confirmed by looking at one of my email headers that my SMTP server... which is the server which relays incoming mail to my Exchange.

All I can find on this server is the SMTP virtual server in IIS. I am wondering what I can configure on this server to stop the backscattering.
0
Alan HardistyCo-OwnerCommented:
Please see my last but one comment advising you what needs to be done.

Alan
0
tobe1424Author Commented:
Oh I see.

I tested using Gmail. I emailed dylandylan@mydomain.com

A few minutes later I received an NDR stating that the user is unknown. This is weird because I disabled NDRs on my Exchange server.

It seems like my DMZ/SMTP server is sending the NDRs.

I am familiar with LDAP, but have never implemented such a solution. I need to look into this.

Thx
0
Alan HardistyCo-OwnerCommented:
That is because your SMTP server is accepting the mail, passing it to your Exchange server where it finds the recipient isn't valid and passes it back to the SMTP server to send an NDR.

If the SMTP server didn't accept the email in the first place because it could validate the recipients on your Exchange Server, you would not get an NDR from the SMTP server.

That is the problem in a nutshell.
0
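The two relay behaviours Alan describes (recipient filtering at the first hop versus accept-then-NDR) as a scripted SMTP exchange. This is an added example, not code from the thread or from any Microsoft or Symantec product; the relay hostname, the valid-recipient set standing in for an AD/LDAP lookup, and the claimed sender address are constructed assumptions.

```python
# Constructed model of the two relay behaviours described in the thread; the
# hostnames and the valid-recipient set are assumptions standing in for an AD
# or LDAP lookup on the relay.
VALID_RECIPIENTS = {"alice@mydomain.com", "bob@mydomain.com"}

def smtp_session(commands, valid_recipients, reject_unknown_at_rcpt):
    """Run a scripted SMTP exchange against a simulated edge relay.

    Returns (transcript, bounces). A bounce is an NDR the relay would later send
    to the address given in MAIL FROM. With reject_unknown_at_rcpt=False the relay
    accepts everything, Exchange behind it refuses the unknown user, and the NDR
    goes to whatever (often forged) sender was claimed: that is backscatter."""
    transcript = ["S: 220 relay.mydomain.com ESMTP"]
    sender, rcpts, bounces = None, [], []
    for cmd in commands:
        transcript.append("C: " + cmd)
        verb, _, arg = cmd.partition(" ")
        if verb == "EHLO":
            transcript.append("S: 250 relay.mydomain.com Hello")
        elif verb == "MAIL":
            sender = arg[len("FROM:"):].strip("<>")
            transcript.append("S: 250 2.1.0 Sender OK")
        elif verb == "RCPT":
            rcpt = arg[len("TO:"):].strip("<>")
            if reject_unknown_at_rcpt and rcpt.lower() not in valid_recipients:
                # Recipient filtering at the point of entry: refuse before taking
                # responsibility for the message, so no NDR is ever generated.
                transcript.append("S: 550 5.1.1 User unknown")
            else:
                rcpts.append(rcpt)
                transcript.append("S: 250 2.1.5 Recipient OK")
        elif verb == "DATA":  # message body and terminating "." are not modelled
            if not rcpts:
                transcript.append("S: 503 5.5.1 No valid recipients")
                continue
            transcript.append("S: 354 Start mail input")
            transcript.append("S: 250 2.6.0 Queued")
            # Exchange rejects the unknown users downstream; the relay now owns a
            # message it cannot deliver. A null sender (<>) is never bounced.
            for r in rcpts:
                if r.lower() not in valid_recipients and sender:
                    bounces.append({"to": sender, "failed": r})
        elif verb == "QUIT":
            transcript.append("S: 221 Bye")
    return transcript, bounces

# The probe from the thread: mail to a user that does not exist, with a claimed sender.
PROBE = ["EHLO mail.example.org", "MAIL FROM:<victim@example.org>",
         "RCPT TO:<dylandylan@mydomain.com>", "DATA", "QUIT"]
```

Running the probe with reject_unknown_at_rcpt=True yields a 550 at RCPT TO and no bounce; with False the message is queued and a bounce to victim@example.org is produced, which is what Backscatterer counts as an impact.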
