Robert Perez-Corona asked:

Outgoing SMTP Address Blacklisted by anti-spam database

Hello,

I recently started having email issues. My customers' emails are bouncing back. I ran a blacklist check using my outgoing SMTP IP address to find that I have been blacklisted by SORBS and BACKSCATTER. I am running Symantec Mail Security for MS Exchange on my Exchange 2003 server. But I guess this isn't enough.

It seems like someone is abusing our SMTP address. What can I implement in order to remove us and avoid this from happening again?

please help

---------------------------------------------------------
Listed below is the output from BACKSCATTER

This IP IS CURRENTLY LISTED in our Database.
Please note that this listing does NOT mean you are a spammer, it means your mailsystem is either poorly configured or it is using abusive techniques.
This kind of abuse is known as BACKSCATTER (Misdirected Bounces or Misdirected Autoresponders or Sender Callouts). Click the links above to get clue how and why to stop that kind of abuse.


To track down what happened investigate your smtplogs near 08.09.2013 16:56 CEST +/-1 minute.

You will either find that your system tried to send misdirected bounces or misdirected autoresponders to claimed but in reality faked senders, or your system tried sender verify callouts against our members near that time.

So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM.

Reading your logs carefully it shouldn't be a big deal to figure out what caused or renewed your listing.


History:
08.07.2010 17:21 CEST      listed      
10.01.2012 16:25 CET      expired      
18.01.2012 00:46 CET      listed      
28.03.2012 01:25 CEST      expired      
22.04.2012 06:48 CEST      listed      
05.08.2012 15:25 CEST      expired      
08.08.2012 16:36 CEST      listed      
22.09.2012 13:25 CEST      expired      
23.09.2012 22:40 CEST      listed      
07.02.2013 17:25 CET      expired      
17.02.2013 04:38 CET      listed      

A total of 88 Impacts were detected during this listing. Last was 08.09.2013 16:56 CEST +/- 1 minute.
Earliest date this IP can expire is 06.10.2013 16:56 CEST.
--

Thx
t
Tags: AntiSpam, Exchange, Email Servers
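The Backscatterer listing above says to read the SMTP logs around 08.09.2013 16:56 CEST for outgoing mail with a NULL SENDER or POSTMASTER in MAIL FROM. This added example (not from the thread) does that scan over constructed log lines in the W3C format the IIS/Exchange 2003 SMTP service writes; the field order, the "OutboundConnectionCommand" marker for outbound traffic and the UTC timestamps are assumptions to check against the `#Fields:` line of your own log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the W3C extended format the IIS/Exchange 2003 SMTP
# service writes.  Field order is assumed; read the #Fields: line of your own
# log.  Outbound commands carry cs-username "OutboundConnectionCommand", the
# SMTP verb in cs-method and its argument in cs-uri-query.  Times are UTC.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2013-09-08 14:55:40 192.0.2.10 OutboundConnectionCommand SMTPSVC1 MAIL01 - 25 MAIL - FROM:<> 0
2013-09-08 14:55:41 192.0.2.10 OutboundConnectionCommand SMTPSVC1 MAIL01 - 25 RCPT - TO:<forged@example.net> 0
2013-09-08 14:55:50 192.0.2.10 OutboundConnectionCommand SMTPSVC1 MAIL01 - 25 MAIL - FROM:<> 0
2013-09-08 14:56:05 198.51.100.7 OutboundConnectionCommand SMTPSVC1 MAIL01 - 25 MAIL - FROM:<postmaster@mydomain.example> 0
2013-09-08 14:56:30 203.0.113.9 OutboundConnectionCommand SMTPSVC1 MAIL01 - 25 MAIL - FROM:<sales@mydomain.example> 0
2013-09-08 14:57:10 192.0.2.10 OutboundConnectionCommand SMTPSVC1 MAIL01 - 25 MAIL - FROM:<> 0
2013-09-08 15:30:00 192.0.2.11 OutboundConnectionCommand SMTPSVC1 MAIL01 - 25 MAIL - FROM:<> 0
"""

# 08.09.2013 16:56 CEST from the listing, converted to the UTC the log uses.
INCIDENT_UTC = datetime(2013, 9, 8, 14, 56)

def find_bounce_sources(log_text, incident_utc, window=timedelta(minutes=1)):
    """Count outbound MAIL FROM commands with a null sender (<>) or a
    postmaster address within +/- window of incident_utc, per remote IP.
    Those are the misdirected bounces/autoresponders Backscatterer flags."""
    fields = None
    hits = {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # learn the column layout from the log
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        # only traffic this host sends out, and only the MAIL verb
        if rec.get("cs-username") != "OutboundConnectionCommand" or rec.get("cs-method") != "MAIL":
            continue
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if abs(when - incident_utc) > window:
            continue
        sender = rec.get("cs-uri-query", "")
        if sender == "FROM:<>" or re.match(r"(?i)FROM:<postmaster@", sender):
            hits[rec["c-ip"]] = hits.get(rec["c-ip"], 0) + 1
    return hits

if __name__ == "__main__":
    for ip, n in sorted(find_bounce_sources(SAMPLE_LOG, INCIDENT_UTC).items()):
        print("%-15s %d suspicious outbound MAIL FROM" % (ip, n))
```

A remote IP that keeps receiving null-sender MAIL FROM from your edge host is the mailbox you are bouncing spam to; the fix is to reject those recipients at the edge rather than accept and NDR them.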

R--R

The outgoing email uses a smarthost or DNS.
You have to block outgoing port 25 to all except the Exchange server.
Check if your server is an open relay using http://mxtoolbox.com.
Enable the SMTP log and check which IP address the maximum number of requests comes from.

Check this from support.microsoft.com for open relay:

http://support.microsoft.com/kb/324958
Simon Butler (Sembee)

Backscatter basically means you don't have recipient filtering turned on.
The server accepts all email at your domain, whether the recipient is valid or not, then attempts to NDR the message back.
http://exchange.sembee.info/2003/smtp/filter-unknown.asp

Simon.
ASKER
Robert Perez-Corona

My server is not an open relay. Is it a must for me to make it an open relay server? I don't want the entire world to be able to send mail using my server. Maybe I am missing something here.

I believe my SMTP logging has been enabled. But I am not sure how to filter for which IP the maximum number of requests comes from.
ASKER
Robert Perez-Corona

thanks folks.

I have looked into both solutions. Simon, your solution seems easier, but after reading on directory harvest attacks, I am a bit paranoid.

t
ASKER
Robert Perez-Corona

After comparing my ESM settings with the link provided, it seems like I have the recipient filter enabled. The only thing I was missing is the tar pit feature.

Anything else I can do? I am not sure about making my SMTP server an open relay. My managers are not agreeing with me :/
Alan Hardisty

You don't want to make your server an open relay - that will make your problems a whole lot worse.

You need to simply configure Recipient Filtering to solve the Backscatterer listing.

https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2527-How-to-prevent-Spoofed-Emails-in-Exchange-2003.html
Simon Butler (Sembee)

The tarpit deals with directory harvest attacks.
You need to configure the recipient filter though.

Simon.
ASKER
Robert Perez-Corona

In ESM, Message Delivery Properties -> Recipient Filtering - I already had "filter recipients who are not in the Directory" checked on. Do I need to further tweak this?

anything that I can do with SMSME?
ASKER
Robert Perez-Corona

I just ran a blacklist check with my other block of IP's (Comcast block) and I seem to be in the database as well. We do not send anything from this block. But I am having issues surfing the web at times. It seems like DNS temporarily goes down for a few seconds.

APEWS.org

RBL for other block of IP's
ASKER
Robert Perez-Corona

More important is the other block of IP's, which has disrupted my mail flow. These two blocks don't see each other. But it could be related. Is there anything else I can do?
ASKER
Robert Perez-Corona

Aside from the "filter recipients who are not in the Directory" option, which was already checked on, do I need to configure anything else here?
ASKER
Robert Perez-Corona

I thought Symantec Mail Security for MS Exchange would have taken care of these loopholes.
Simon Butler (Sembee)

Recipient filtering should have stopped backscatter.
Have you looked at the backscatter blacklist to see when you were added?
http://www.backscatterer.org/

However, for the option in Exchange to work correctly, Exchange must be what answers email from the internet. If something else does that instead, like a router/firewall, AV product, etc., then it doesn't work correctly.

You can confirm what is answering the external email by doing a telnet test from an external host

telnet host.example.com 25

You should get a banner like this:

220 host.example.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at  Tue, 10 Sep 2013 08:18:36 +0100

If it says anything else then it isn't Exchange answering the inbound traffic.

Simon.
ASKER
Robert Perez-Corona

Oh I see,

I will test by using telnet from an external computer.

In the meantime, is there a way to stop the NDR's from being sent to users who are NOT in AD?

Do you think doing so will stop the masses of NDR's which is probably what is blacklisting me?
ASKER
Robert Perez-Corona

I just confirmed that Exchange does indeed answer external email.

However, I also have Symantec Mail Security for Microsoft Exchange 6.5.7.279 configured. I wonder if I can do anything here? I have configured the whitelist/blacklist.

I have not configured this feature: bypass real-time blacklist and spam detection for message sent to the following

I wonder if this would do the trick since everything else seems to be configured correctly
Alan Hardisty

That list sounds like a way to Whitelist emails sent to a specific address.  It won't help you with Backscatter.

I used to use Symantec Mail Security - but stopped using it as it let way too much spam through.
Simon Butler (Sembee)

The recipient filter should stop the server from accepting email for non-existent users. However, you may want to test it using telnet to confirm it is working correctly.

Simon.
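Simon's telnet banner test above, and his suggestion here to confirm the recipient filter by telnet, scripted as an added example that is not part of the thread: it reads the 220 banner, then issues RCPT TO for an address you know does not exist in AD and classifies the reply. Run check_host() from outside your network against your own MX; the host names, addresses and the replay() harness are constructed placeholders.

```python
import io
import socket

def read_reply(rfile):
    """Read one SMTP reply ('NNN-' lines continue it); return (code, text)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection")
        line = raw.decode("latin-1").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), "\n".join(lines)

def send(wfile, cmd):
    wfile.write((cmd + "\r\n").encode("ascii"))
    wfile.flush()

def probe(rfile, wfile, helo_name, mail_from, bogus_rcpt):
    """Check the banner, then RCPT TO an address that does not exist: 550 means
    the edge rejects it (recipient filtering works); 250 means it will NDR later."""
    _, banner = read_reply(rfile)
    result = {"banner": banner, "exchange_answers": "Microsoft ESMTP MAIL Service" in banner}
    send(wfile, "EHLO " + helo_name)
    read_reply(rfile)
    send(wfile, "MAIL FROM:<%s>" % mail_from)
    read_reply(rfile)
    send(wfile, "RCPT TO:<%s>" % bogus_rcpt)
    code, _ = read_reply(rfile)
    send(wfile, "QUIT")
    result["rcpt_code"] = code
    if code == 550:
        result["verdict"] = "rejected at edge: recipient filtering active"
    elif code == 250:
        result["verdict"] = "accepted: edge will bounce later (backscatter)"
    else:
        result["verdict"] = "inconclusive (%d)" % code
    return result

def check_host(host, helo_name, mail_from, bogus_rcpt, port=25, timeout=15):
    """Run the probe over a real TCP connection, from an external host."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return probe(rfile, wfile, helo_name, mail_from, bogus_rcpt)

def replay(server_script):
    """Offline harness: feed canned (constructed) server replies to probe()."""
    return io.BytesIO(server_script.encode("ascii")), io.BytesIO()
```

If exchange_answers is False and rcpt_code is 250, whatever is in front of Exchange (here, the DMZ relay) is the host generating the backscatter, and that is where recipient validation has to be done.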
ASKER
Robert Perez-Corona

I already had the recipient filter enabled on my exchange server. But my actual SMTP server relays smtp traffic to my exchange. I wonder if any configurations need to take place on this server?
Alan Hardisty

Recipient Filtering has to be setup at the first server that receives mail for your domain, otherwise it accepts the mail, passes it on to the next server and then that server determines the recipient is invalid and is forced to send back an NDR message.

If you have an SMTP Server that relays to your Exchange box, then you MUST setup Recipient Filtering on there to get round the Backscatter problem.
ASKER
Robert Perez-Corona

ok thanks again.

I am now looking at my SMTP server. I see a few config options in IIS. Is this where I am supposed to be looking? I don't see a recipient filtering option on this box. But I do see relay restrictions.

smtp virtual server prop
smtp relay restrictions
Alan Hardisty

Why do you have an SMTP Server as well as an Exchange Server?  What is it used for?
ASKER
Robert Perez-Corona

I have this to relay SMTP traffic to my Exchange servers. I have several Exchange servers on different domains.
ASKER
Robert Perez-Corona

To be exact, I have 2 different exchange 2003 servers
Alan Hardisty

Does the SMTP Relay server sit in the domain and can it query AD to pull a list of email addresses that exist on both Exchange Servers?

If it can then you need to setup Anti-Spam on the SMTP server and enable recipient filtering.

If not, how many static IP addresses do you have?
ASKER
Robert Perez-Corona

We have a couple spare IP's in our block. We want to fix the issue and then change our IP.

The SMTP server sits in a workgroup by itself. In IIS I see about 8 of the domains this server handles, but I am wondering what needs to be configured here.
Alan Hardisty

If you have multiple IP's - what is the need for the SMTP Server?

You can assign each Exchange server a Public IP and then forward that IP's port 25 to the relevant Exchange server and as long as you are Recipient Filtering on each Exchange server, then the problem will be solved.

What is your logic for having the SMTP server?

Alan
ASKER
Robert Perez-Corona

We have a VPN service running on this server as well, but it happens to be our SMTP server as well. Not sure about the logic or design process, but it was in place when I got here.

Recipient filtering has been enabled on my Exchange servers even before Backscatterer blacklisted me. I am not sure what to do next :\
Alan Hardisty

To have Recipient Filtering work, invalid emails destined for non-existent recipients have to be rejected at the point of entry into your network.  If they aren't, Backscatter is the result.

You either need to configure LDAP access to the domains to query AD and the valid email addresses on the SMTP server or do away with it and have mail arrive direct to the exchange servers where Recipient Filtering can be carried out.
ASKER
Robert Perez-Corona

For the time being, I disabled NDR's on the Exchange servers.
Alan Hardisty

That is not a long-term solution as you are violating the RFC standards for email.

Alan
ASKER
Robert Perez-Corona

Oh, I see. I will enable them, but I am still being blacklisted by Backscatterer. I just confirmed by looking at one of my email headers that my SMTP server, which is the server that relays incoming mail to my Exchange.

All I can find on this server is the SMTP virtual server in IIS. I am wondering what I can configure on this server to stop the backscattering.
Alan Hardisty

Please see my last but one comment advising you what needs to be done.

Alan
ASKER
Robert Perez-Corona

Oh, I see.

I tested using Gmail. I emailed dylandylan@mydomain.com.

A few minutes later I received an NDR stating that the user is unknown. This is weird because I disabled NDR's on my Exchange server.

It seems like my DMZ/SMTP server is sending the NDR's.

I am familiar with LDAP, but have never implemented such a solution. I need to look into this.

thx
ASKER CERTIFIED SOLUTION
Alan Hardisty
