Link to home
Start Free TrialLog in
Avatar of Robert Perez-Corona
Robert Perez-CoronaFlag for United States of America

asked on

Outgoing SMTP Address Blacklisted by anti-spam database


I recently started having email issues. My customers emails are bouncing back. I ran a blacklist check using my outgoing smtp IP address to find that I have been blacklisted by SORBS and BACKSCATTER. I am running Symantec Mail Security for MS Exchange on my Exhange 2003 sever. But I guess this isnt enough.

I seems like someone is abusive our smpt address..What can I implement in order to remove us and avoid this from happening  again?

please help

Listed below is the output from BACKSCATTER

This IP IS CURRENTLY LISTED in our Database.
Please note that this listing does NOT mean you are a spammer, it means your mailsystem is either poorly configured or it is using abusive techniques.
This kind of abuse is known as BACKSCATTER (Misdirected Bounces or Misdirected Autoresponders or Sender Callouts). Click the links above to get clue how and why to stop that kind of abuse.

To track down what happened investigate your smtplogs near 08.09.2013 16:56 CEST +/-1 minute.

You will either find that your system tried to send misdirected bounces or misdirected autoresponders to claimed but in reality faked senders, or your system tried sender verify callouts against our members near that time.

So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM.

Reading your logs carefully it shouldn't be a big deal to figure out what caused or renewed your listing.

08.07.2010 17:21 CEST      listed      
10.01.2012 16:25 CET      expired      
18.01.2012 00:46 CET      listed      
28.03.2012 01:25 CEST      expired      
22.04.2012 06:48 CEST      listed      
05.08.2012 15:25 CEST      expired      
08.08.2012 16:36 CEST      listed      
22.09.2012 13:25 CEST      expired      
23.09.2012 22:40 CEST      listed      
07.02.2013 17:25 CET      expired      
17.02.2013 04:38 CET      listed      

A total of 88 Impacts were detected during this listing. Last was 08.09.2013 16:56 CEST +/- 1 minute.
Earliest date this IP can expire is 06.10.2013 16:56 CEST.

Avatar of R--R
Flag of India image

The outgoing email uses smarthost or DNS.
You have to block outgoing port 25 to all execpt exchange server.
Check if you server is open relay using
Enable smtp log and check the maximum request comes from which IP address.

check this from for open relay.
Backscatter basically means you don't have recipient filtering turned on.
The server accepts all email at your domain, whether the recipient is valid or not, then attempts to NDR the message back.

Avatar of Robert Perez-Corona


my server is not open relay. Is it a must for me to make it an open relay server? I don't want the entire world to be able to send mail using my server. Maybe I am missing something here.

I believe my smtp logging has been enabled. But I am not sure as to how to filter for maximun request comes from which IP
thanks folks.

I have looked into both solutions. Simon, your solutions seems easier..but after reading on directory harvest attacks, i am a bit paranoid.

after comparing my ESM settings with the link provided, it seems like i have recipient filter enabled. The only think i was missing is the tar pit feature.

anything else i can do? I am not sure about making my smtp server open relay. My managers are not agreeing with me :/
You don't want to make your server an open relay - that will make your problems a whole lot worse.

You need to simply configure Recipient Filtering to solve the Backscatterer listing.
The tarpit deals with directory harvest attacks.
You need to configure the recipient filter though.

In ESM, Message Delivery Properties -> recipient Filtering - I already had "filter recipients who are not in the Directory" was already check on. Do I need to further tweak this?

anything that I can do with SMSME?
I just ran a blacklist check with my other block of IP's (comcast block) and I seem to be in the database as well. We do not send anything from this block. But I am having issue surfing the web at times. It seems like DNS temporarily goes down for a few seconds.

User generated image
More important, is the other block of IP's which has disrupted my mail flow. These two blocks dont see each other. But it could be related. is there anything else I can do?
aside from the "filter recipients who are not in the Directory" was already check on. Do I need to configure anything else here?
i thought Symantec mail security for ms exchange would have taken care of these loopholes
Recipient filtering should have stopped backscatter.
Have you looked at the backscatter blacklist to see when you were added?

However for the option in Exchange to work correctly, Exchange must be what answers email from the internet. If something else does that instead, like a router/firewall, AV product etc then it doesn't work correctly.

You can confirm what is answering the external email by doing a telnet test from an external host

telnet 25

You should get a banner like this:

220 Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at  Tue, 10 Sep 2013 08:18:36 +0100

If it says anything else then it isn't Exchange answering the inbound traffic.

Oh I see,

I will test by using telnet from an external computer.

In the meantime, is there a way to stop the NDR's from been sent to users who are NOT in AD?

Do you think doing so will stop the masses of NDR's which is probably what is blacklisting me?
I just confirmed that exchange is indeed answers to external email.

however, I also have Symantec Mail Security for Microsoft Exchange configured, i wonder if i can do anything here? I have configured the whitelist/blacklist..

I have not configured this feature: bypass real-time blacklist and spam detection for message sent to the following

I wonder if this would do the trick since everything else seems to be configured correctly
That list sounds like a way to Whitelist emails sent to a specific address.  It won't help you with Backscatter.

I used to use Symantec Mail Security - but stopped using it as it let way to much spam through.
The recipient filter should stop the server from Accepting email for non-existant users. However you may want to test it using telnet to confirm it is working correctly.

I already had the recipient filter enabled on my exchange server. But my actual SMTP server relays smtp traffic to my exchange. I wonder if any configurations need to take place on this server?
Recipient Filtering has to be setup at the first server that receives mail for your domain, otherwise it accepts the mail, passes it on to the next server and then that server determines the recipient is invalid and is forced to send back an NDR message.

If you have an SMTP Server that relays to your Exchange box, then you MUST setup Recipient Filtering on there to get round the Backscatter problem.
ok thanks again.

I am now looking at my smtp server..I see a few config options in IIS. Is this where I am suppose to be looking? i dont see a recipient filtering option on this box. But I do see relay restrictions.

User generated image
User generated image
Why do you have an SMTP Server as well as an Exchange Server?  What is it used for?
i have this to relay smtp traffic to my exchange servers. I have several exchange servers on different domains.
To be exact, I have 2 different exchange 2003 servers
Does the SMTP Relay server sit in the domain and can it query AD to pull a list of email addresses that exist on both Exchange Servers?

If it can then you need to setup Anti-Spam on the SMTP server and enable recipient filtering.

If not, how many static IP addresses do you have?
We have a couple spare IP's in our block. We want to fix the issue and then change our IP.

The smtp server sits in a workgroup by itself. In IIS i see about 8 of the domains this server handles. but i wondering what needs to be configured here..
If you have multiple IP's - what is the need for the SMTP Server?

You can assign each Exchange server a Public IP and then forward that IP's port 25 to the relevant Exchange server and as long as you are Recipient Filtering on each Exchange server, then the problem will be solved.

What is your logic for having the SMTP server?

we have a vpn service running on this server as well..but it happens to be our smtp server as sure about the logic or design process, but it was in place when i got here.

recipient filtering is has been enabled on my exchange servers even before backscatter blacklisted me. I am not sure what to do next :\
To haveRecipient Filtering work, invalid emails destined for non-existent recipients has to be rejected at the point of entry into your network.  If it isn't, Backscatter is the result.

You either need to configure LDAP access to the domains to query AD and the valid email addresses on the SMTP server or do away with it and have mail arrive direct to the exchange servers where Recipient Filtering can be carried out.
For the time being, I disabled NDR's on the Exchange servers.
That is not a long-term solution as you are violating the RFC standards for email.

oh. I see. I will enable them...but i am still been blacklisted by backscatter I just confirmed by looking at one of my email headers that my SMTP server..which is the server which relays incoming mail to my exchange.

All I can find on this server is the SMTP virtual server in IIS. I am wondering what can configure on this server to stop the backscattering
Please see my last but one comment advising you what needs to be done.

oh i see..

i tested using gmail..i emailed

a few minutes later i receive an ndr stating that the user is unknown..this is weird because i disabled NDR's on my exchange server

it seems like my dmz/smtp server is sending the ndr's..

I am familiar with LDAP..but have never implemented such a solution..I need to look into this.

Avatar of Alan Hardisty
Alan Hardisty
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial