Robert Perez-Corona

asked on

Outgoing SMTP Address Blacklisted by anti-spam database

Hello,

I recently started having email issues. My customers' emails are bouncing back. I ran a blacklist check using my outgoing SMTP IP address to find that I have been blacklisted by SORBS and BACKSCATTER. I am running Symantec Mail Security for MS Exchange on my Exchange 2003 server. But I guess this isn't enough.

It seems like someone is abusing our SMTP address. What can I implement in order to remove us and avoid this from happening again?

Please help.

---------------------------------------------------------
Listed below is the output from BACKSCATTER

This IP IS CURRENTLY LISTED in our Database.
Please note that this listing does NOT mean you are a spammer, it means your mailsystem is either poorly configured or it is using abusive techniques.
This kind of abuse is known as BACKSCATTER (Misdirected Bounces or Misdirected Autoresponders or Sender Callouts). Click the links above to get clue how and why to stop that kind of abuse.


To track down what happened investigate your smtplogs near 08.09.2013 16:56 CEST +/-1 minute.

You will either find that your system tried to send misdirected bounces or misdirected autoresponders to claimed but in reality faked senders, or your system tried sender verify callouts against our members near that time.

So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM.

Reading your logs carefully it shouldn't be a big deal to figure out what caused or renewed your listing.


History:
08.07.2010 17:21 CEST    listed
10.01.2012 16:25 CET     expired
18.01.2012 00:46 CET     listed
28.03.2012 01:25 CEST    expired
22.04.2012 06:48 CEST    listed
05.08.2012 15:25 CEST    expired
08.08.2012 16:36 CEST    listed
22.09.2012 13:25 CEST    expired
23.09.2012 22:40 CEST    listed
07.02.2013 17:25 CET     expired
17.02.2013 04:38 CET     listed

A total of 88 Impacts were detected during this listing. Last was 08.09.2013 16:56 CEST +/- 1 minute.
Earliest date this IP can expire is 06.10.2013 16:56 CEST.
--

Thx
t
R--R

The outgoing email uses a smarthost or DNS.
You have to block outgoing port 25 for everything except the Exchange server.
Check if your server is an open relay using http://mxtoolbox.com.
Enable SMTP logging and check which IP address the most requests come from.

Check this from support.microsoft.com for open relay:

http://support.microsoft.com/kb/324958
Backscatter basically means you don't have recipient filtering turned on.
The server accepts all email at your domain, whether the recipient is valid or not, then attempts to NDR the message back.
http://exchange.sembee.info/2003/smtp/filter-unknown.asp

Simon.
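The Backscatterer listing text in the question says what to look for (outgoing MAIL FROM with a null sender or postmaster near 08.09.2013 16:56 CEST), and R--R suggests checking which client IP sends the most requests. The following is an added example, not code from the thread or from Microsoft, that does both over an IIS/Exchange 2003 SMTP log. The log lines are constructed; the column layout is the default IIS 6 SMTP W3C extended format and is read from the log's own "#Fields:" header rather than hard-coded. The one thing you must get right is time zones: W3C logs are written in UTC, so the CEST time from the listing is converted before matching. The names of the outbound-command markers (OutboundConnectionCommand) are assumed from the default IIS format; compare them with your own log if they differ.

```python
"""Triage an IIS/Exchange 2003 SMTP W3C log for backscatter (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import re

# Constructed sample. Inbound commands carry the client IP in c-ip and the HELO
# name in cs-username; outbound commands are logged with cs-username
# 'OutboundConnectionCommand' and the remote host in c-ip (assumed default layout).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2013-09-08 00:00:01
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2013-09-08 14:54:10 203.0.113.45 spam-helo.example SMTPSVC1 RELAY01 198.51.100.7 25 MAIL - FROM:<bogus@victim.example> 250 0 0 0 0 SMTP - - - -
2013-09-08 14:54:10 203.0.113.45 spam-helo.example SMTPSVC1 RELAY01 198.51.100.7 25 RCPT - TO:<dylandylan@mydomain.com> 250 0 0 0 0 SMTP - - - -
2013-09-08 14:54:11 203.0.113.45 spam-helo.example SMTPSVC1 RELAY01 198.51.100.7 25 DATA - <abc@spam-helo.example> 250 0 0 1420 0 SMTP - - - -
2013-09-08 14:56:02 192.0.2.25 OutboundConnectionCommand SMTPSVC1 RELAY01 - 25 MAIL - FROM:<> 0 0 4 0 0 SMTP - - - -
2013-09-08 14:56:02 192.0.2.25 OutboundConnectionCommand SMTPSVC1 RELAY01 - 25 RCPT - TO:<bogus@victim.example> 0 0 4 0 0 SMTP - - - -
2013-09-08 14:56:03 192.0.2.25 OutboundConnectionResponse SMTPSVC1 RELAY01 - 25 - - 550+5.1.1+user+unknown 0 0 4 0 0 SMTP - - - -
2013-09-08 15:10:33 203.0.113.45 spam-helo.example SMTPSVC1 RELAY01 198.51.100.7 25 MAIL - FROM:<other@victim.example> 250 0 0 0 0 SMTP - - - -
2013-09-08 15:12:00 192.0.2.9 legit.example SMTPSVC1 RELAY01 198.51.100.7 25 MAIL - FROM:<alice@legit.example> 250 0 0 0 0 SMTP - - - -
2013-09-08 15:31:40 192.0.2.25 OutboundConnectionCommand SMTPSVC1 RELAY01 - 25 MAIL - FROM:<> 0 0 4 0 0 SMTP - - - -
"""

TZ_OFFSETS = {"CET": 1, "CEST": 2}   # the zones Backscatterer prints in its history
# Null sender or postmaster in MAIL FROM: the signature of a bounce/autoresponder.
BOUNCE_SENDER = re.compile(r"^FROM:<(|postmaster@[^>]*)>$", re.IGNORECASE)


def parse_listing_time(text):
    """'08.09.2013 16:56 CEST' (day.month.year, as on the listing) -> aware UTC datetime."""
    stamp, zone = text.rsplit(" ", 1)
    local = datetime.strptime(stamp, "%d.%m.%Y %H:%M")
    return (local - timedelta(hours=TZ_OFFSETS[zone])).replace(tzinfo=timezone.utc)


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue                      # truncated/foreign line: skip rather than misalign
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        yield rec


def misdirected_bounces(text, around_utc=None, window=timedelta(minutes=1)):
    """Outbound MAIL commands with a null/postmaster sender, i.e. the NDRs that
    Backscatterer counts as impacts. around_utc=None returns all of them."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-username"] != "OutboundConnectionCommand" or rec["cs-method"] != "MAIL":
            continue
        if not BOUNCE_SENDER.match(rec["cs-uri-query"]):
            continue
        if around_utc is None or abs(rec["ts"] - around_utc) <= window:
            hits.append((rec["ts"], rec["c-ip"], rec["cs-uri-query"]))
    return hits


def top_inbound_senders(text, n=5):
    """Client IPs issuing the most inbound MAIL commands (the 'most requests' check)."""
    counts = Counter(rec["c-ip"] for rec in parse_w3c(text)
                     if rec["cs-method"] == "MAIL"
                     and not rec["cs-username"].startswith("OutboundConnection"))
    return counts.most_common(n)


if __name__ == "__main__":
    listed = parse_listing_time("08.09.2013 16:56 CEST")
    for ts, ip, sender in misdirected_bounces(SAMPLE_LOG, listed):
        print(f"{ts:%Y-%m-%d %H:%M:%S}Z bounce sent to {ip} with {sender}")
    print("all null-sender deliveries in log:", len(misdirected_bounces(SAMPLE_LOG)))
    print("busiest inbound clients:", top_inbound_senders(SAMPLE_LOG))
```

Read the sample top to bottom and the cause is visible: the relay answered 250 to RCPT TO for a mailbox that does not exist, accepted the DATA, and two minutes later opened an outbound connection with MAIL FROM:<> to the forged sender, who refused it. Point the script at the real log directory (one file per day under the SMTP virtual server's LogFiles folder) and the hit list around the listing time is the evidence to keep; the busiest-client table tells you whether one source is driving the volume.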
ASKER

my server is not open relay. Is it a must for me to make it an open relay server? I don't want the entire world to be able to send mail using my server. Maybe I am missing something here.

I believe my SMTP logging has been enabled. But I am not sure how to filter for which IP the most requests come from.
Thanks, folks.

I have looked into both solutions. Simon, your solution seems easier, but after reading up on directory harvest attacks, I am a bit paranoid.

t
After comparing my ESM settings with the link provided, it seems like I have the recipient filter enabled. The only thing I was missing is the tarpit feature.

Anything else I can do? I am not sure about making my SMTP server an open relay. My managers are not agreeing with me :/
You don't want to make your server an open relay - that will make your problems a whole lot worse.

You need to simply configure Recipient Filtering to solve the Backscatterer listing.

https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2527-How-to-prevent-Spoofed-Emails-in-Exchange-2003.html
The tarpit deals with directory harvest attacks.
You need to configure the recipient filter though.

Simon.
In ESM, Message Delivery Properties -> Recipient Filtering, I already had "Filter recipients who are not in the Directory" checked on. Do I need to further tweak this?

Anything that I can do with SMSME?
I just ran a blacklist check with my other block of IPs (Comcast block) and I seem to be in the database as well. We do not send anything from this block. But I am having issues surfing the web at times. It seems like DNS temporarily goes down for a few seconds.

APEWS.org

More important is the other block of IPs, which has disrupted my mail flow. These two blocks don't see each other. But it could be related. Is there anything else I can do?
Aside from "Filter recipients who are not in the Directory", which was already checked on, do I need to configure anything else here?
I thought Symantec Mail Security for MS Exchange would have taken care of these loopholes.
Recipient filtering should have stopped backscatter.
Have you looked at the backscatter blacklist to see when you were added?
http://www.backscatterer.org/

However for the option in Exchange to work correctly, Exchange must be what answers email from the internet. If something else does that instead, like a router/firewall, AV product etc then it doesn't work correctly.

You can confirm what is answering the external email by doing a telnet test from an external host

telnet host.example.com 25

You should get a banner like this:

220 host.example.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at  Tue, 10 Sep 2013 08:18:36 +0100

If it says anything else then it isn't Exchange answering the inbound traffic.

Simon.
Oh I see,

I will test by using telnet from an external computer.

In the meantime, is there a way to stop the NDRs from being sent to users who are NOT in AD?

Do you think doing so will stop the masses of NDRs, which is probably what is blacklisting me?
I just confirmed that Exchange does indeed answer external email.

However, I also have Symantec Mail Security for Microsoft Exchange 6.5.7.279 configured. I wonder if I can do anything here? I have configured the whitelist/blacklist.

I have not configured this feature: bypass real-time blacklist and spam detection for messages sent to the following.

I wonder if this would do the trick since everything else seems to be configured correctly
That list sounds like a way to Whitelist emails sent to a specific address.  It won't help you with Backscatter.

I used to use Symantec Mail Security, but stopped using it as it let way too much spam through.
The recipient filter should stop the server from accepting email for non-existent users. However, you may want to test it using telnet to confirm it is working correctly.

Simon.
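Simon's two checks (what answers on port 25, and whether a bogus recipient is refused at RCPT time) can be done by hand with telnet as he shows, or scripted. The following is an added example, not code from the thread; the host, sender and bogus recipient are parameters you supply. Run it only against a server you own, and always with a real sender address on your own domain: a probe with MAIL FROM:<> against someone else's server is exactly the "sender callout" that Backscatterer lists. One caveat on the banner: the Windows SMTP service prints the same "Microsoft ESMTP MAIL Service" banner whether it is Exchange 2003 or a plain IIS SMTP virtual server, so the banner tells you a Windows SMTP service answered, not which one; the RCPT result is the test that matters.

```python
"""Probe the first-hop SMTP server: banner and RCPT-time recipient filtering (added example)."""
import smtplib
import sys

MS_BANNER = "Microsoft ESMTP MAIL Service"


def verdict(banner, rcpt_code):
    """Pure classification of a probe result, so it can be checked offline.

    Returns (microsoft_smtp, status). The banner match only shows that the
    Windows SMTP service answered; an IIS SMTP relay prints the same banner as
    Exchange 2003, so it cannot by itself prove which one is the first hop.
    """
    microsoft_smtp = MS_BANNER in banner
    if 500 <= rcpt_code <= 599:
        status = "rejected-at-edge"       # bogus user refused now: no NDR, no backscatter
    elif 200 <= rcpt_code <= 299:
        status = "accepted-will-bounce"   # accepted for a user that does not exist: NDR later
    elif 400 <= rcpt_code <= 499:
        status = "tempfail"               # tarpit/greylisting; retry and re-check
    else:
        status = "unexpected"
    return microsoft_smtp, status


def probe(host, sender, bogus_rcpt, port=25, timeout=30):
    """Live probe: connect, EHLO, MAIL FROM, RCPT TO a non-existent user, QUIT.

    Returns (banner, rcpt_code, rcpt_message). DATA is never sent, so nothing is
    delivered; the timeout is generous because a tarpit delays the 5xx reply.
    """
    smtp = smtplib.SMTP(timeout=timeout)
    code, banner = smtp.connect(host, port)
    banner = banner.decode("utf-8", "replace")
    if code != 220:
        smtp.close()
        raise RuntimeError(f"no SMTP greeting from {host}: {code} {banner}")
    smtp.ehlo_or_helo_if_needed()
    code, msg = smtp.mail(sender)
    if code != 250:
        smtp.close()
        raise RuntimeError(f"MAIL FROM refused: {code} {msg.decode('utf-8', 'replace')}")
    rcpt_code, rcpt_msg = smtp.rcpt(bogus_rcpt)
    try:
        smtp.quit()
    except smtplib.SMTPException:
        pass                               # some servers drop the session after a 5xx
    return banner, rcpt_code, rcpt_msg.decode("utf-8", "replace")


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: smtp_probe.py <your-mx-host> <sender@yourdomain> <nonexistent@yourdomain>")
    banner, code, msg = probe(*sys.argv[1:])
    ms, status = verdict(banner, code)
    print(f"banner: {banner}")
    print(f"Microsoft SMTP service answering: {ms}")
    print(f"RCPT TO bogus user -> {code} {msg}: {status}")
```

Point it at whatever host your domain's MX record resolves to, from outside your network, with a recipient you know does not exist. "rejected-at-edge" means recipient filtering is effective where it counts; "accepted-will-bounce" means the host that answers the Internet is accepting mail for unknown users and something behind it will generate the NDR.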
I already had the recipient filter enabled on my Exchange server. But my actual SMTP server relays SMTP traffic to my Exchange. I wonder if any configuration needs to take place on this server?
Recipient Filtering has to be setup at the first server that receives mail for your domain, otherwise it accepts the mail, passes it on to the next server and then that server determines the recipient is invalid and is forced to send back an NDR message.

If you have an SMTP Server that relays to your Exchange box, then you MUST setup Recipient Filtering on there to get round the Backscatter problem.
ok thanks again.

I am now looking at my SMTP server. I see a few config options in IIS. Is this where I am supposed to be looking? I don't see a recipient filtering option on this box. But I do see relay restrictions.
Why do you have an SMTP Server as well as an Exchange Server?  What is it used for?
I have this to relay SMTP traffic to my Exchange servers. I have several Exchange servers on different domains.
To be exact, I have 2 different exchange 2003 servers
Does the SMTP Relay server sit in the domain and can it query AD to pull a list of email addresses that exist on both Exchange Servers?

If it can then you need to setup Anti-Spam on the SMTP server and enable recipient filtering.

If not, how many static IP addresses do you have?
We have a couple of spare IPs in our block. We want to fix the issue and then change our IP.

The SMTP server sits in a workgroup by itself. In IIS I see about 8 of the domains this server handles, but I am wondering what needs to be configured here.
If you have multiple IPs, what is the need for the SMTP server?

You can assign each Exchange server a Public IP and then forward that IP's port 25 to the relevant Exchange server and as long as you are Recipient Filtering on each Exchange server, then the problem will be solved.

What is your logic for having the SMTP server?

Alan
We have a VPN service running on this server as well, but it happens to be our SMTP server as well. Not sure about the logic or design process, but it was in place when I got here.

Recipient filtering has been enabled on my Exchange servers even before Backscatterer blacklisted me. I am not sure what to do next :\
To have Recipient Filtering work, invalid emails destined for non-existent recipients have to be rejected at the point of entry into your network. If they aren't, backscatter is the result.

You either need to configure LDAP access to the domains to query AD and the valid email addresses on the SMTP server or do away with it and have mail arrive direct to the exchange servers where Recipient Filtering can be carried out.
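The first of Alan's two options, the relay querying AD for the valid addresses, comes down to reading each mail-enabled object's proxyAddresses attribute and refusing RCPT TO for anything not in that set. The following is an added example, not from the thread or any product: the address parsing and the accept/reject decision are plain Python and run offline on the constructed entries below; the live query uses the third-party ldap3 library (assumed installed) with a host, bind account and base DN you must supply. A Windows 2003 IIS SMTP virtual server has no built-in recipient-filtering switch, so the resulting list has to be enforced by whatever filtering component you put in front of it; the decision function shows what that component must answer.

```python
"""Valid-recipient list from Active Directory proxyAddresses (added example)."""

# Constructed entries in the shape ldap3 returns. AD stores the primary SMTP
# address as 'SMTP:' (upper case), secondaries as 'smtp:', and other address
# types (X400, X500, SIP...) in the same multi-valued attribute.
CONSTRUCTED_ENTRIES = [
    {"dn": "CN=Alice,OU=Users,DC=mydomain,DC=com",
     "attributes": {"proxyAddresses": ["SMTP:Alice@mydomain.com",
                                       "smtp:a.smith@mydomain.com",
                                       "X400:c=US;a= ;p=mydomain;o=Exchange;s=Smith;g=Alice;"]}},
    {"dn": "CN=Sales,OU=Groups,DC=mydomain,DC=com",
     "attributes": {"proxyAddresses": ["SMTP:sales@otherdomain.com"]}},
    {"dn": "CN=NoMail,OU=Users,DC=mydomain,DC=com",
     "attributes": {"proxyAddresses": []}},
]

# Domains this relay accepts mail for (assumed; take them from the IIS domain list).
LOCAL_DOMAINS = {"mydomain.com", "otherdomain.com"}


def smtp_addresses(proxy_values):
    """Lower-cased SMTP addresses from a proxyAddresses value list, other types ignored."""
    out = set()
    for value in proxy_values:
        kind, sep, addr = value.partition(":")
        if sep and kind.lower() == "smtp" and "@" in addr:
            out.add(addr.lower())
    return out


def valid_recipients(entries):
    """Union of every entry's SMTP addresses: the set the edge may say 250 to."""
    valid = set()
    for entry in entries:
        valid |= smtp_addresses(entry.get("attributes", {}).get("proxyAddresses", []))
    return valid


def rcpt_decision(rcpt, valid, local_domains=LOCAL_DOMAINS):
    """(code, text) the edge should return to RCPT TO:<rcpt>.

    Refuse relay for foreign domains, refuse unknown local users at once so no
    NDR is ever generated for them, accept only addresses that exist in AD.
    """
    addr = rcpt.strip("<>").lower()
    domain = addr.rpartition("@")[2]
    if domain not in local_domains:
        return 550, "5.7.1 Unable to relay"
    if addr in valid:
        return 250, "2.1.5 Recipient OK"
    return 550, "5.1.1 User unknown"


def fetch_from_ad(host, bind_dn, password, base_dn):
    """Live query via ldap3 (assumed installed): every object with an smtp proxy address.

    The relay sits in a workgroup, so it binds with explicit credentials; use a
    read-only account created for this purpose.
    """
    from ldap3 import Server, Connection
    conn = Connection(Server(host), user=bind_dn, password=password, auto_bind=True)
    results = conn.extend.standard.paged_search(
        base_dn, "(proxyAddresses=smtp:*)", attributes=["proxyAddresses"],
        paged_size=500, generator=True)
    return valid_recipients(r for r in results if r.get("type") == "searchResEntry")


if __name__ == "__main__":
    valid = valid_recipients(CONSTRUCTED_ENTRIES)
    for rcpt in ("<alice@mydomain.com>", "<dylandylan@mydomain.com>", "<x@elsewhere.example>"):
        print(rcpt, "->", rcpt_decision(rcpt, valid))
```

Refresh the set on a timer (minutes, not seconds, since every RCPT is checked against it) and treat an LDAP failure as "keep the last good list" rather than "accept everything"; a relay that fails open is back to generating NDRs for every forged recipient.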
For the time being, I disabled NDRs on the Exchange servers.
That is not a long-term solution as you are violating the RFC standards for email.

Alan
Oh, I see. I will enable them, but I am still being blacklisted by Backscatterer. I just confirmed by looking at one of my email headers that my SMTP server... which is the server that relays incoming mail to my Exchange.

All I can find on this server is the SMTP virtual server in IIS. I am wondering what I can configure on this server to stop the backscattering.
Please see my last but one comment advising you what needs to be done.

Alan
Oh, I see.

I tested using Gmail. I emailed dylandylan@mydomain.com.

A few minutes later I received an NDR stating that the user is unknown. This is weird because I disabled NDRs on my Exchange server.

It seems like my DMZ/SMTP server is sending the NDRs.

I am familiar with LDAP, but have never implemented such a solution. I need to look into this.

thx
ASKER CERTIFIED SOLUTION
Alan Hardisty
This solution is only available to members.