Solved

listed on blacklists

Posted on 2016-10-10
20
74 Views
Last Modified: 2016-10-12
Hi Experts,

What can I do when I am listed on some blacklists?
For some reason we are listed on 2 lists.
The firewall is set up and all other spam settings are up to date.

Do you have any ideas?
0
Question by:Eprs_Admin
20 Comments
 
LVL 13

Assisted Solution

by:John Tsioumpris
John Tsioumpris earned 62 total points
ID: 41836725
Have you set up your system to send email ONLY through Exchange and block port 25 for everyone else...
Also, a common scenario where you get blacklisted is by setting your Exchange to send NDRs... I know, it's crazy... but NDRs still count as spam...
1
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 62 total points
ID: 41836741
You also need to check your computers to see if they are sending out spam. Look at Exchange logs to see if this is happening.

Once you have cleaned up the issues, you need to apply to the blacklisting agencies to be removed.
0
 

Author Comment

by:Eprs_Admin
ID: 41836846
OK, how can I check Exchange to see if spam is being sent out?
0
 
LVL 61

Accepted Solution

by:btan
btan earned 252 total points
ID: 41836854
You can do a self-assessment as well and trace down the server that is internet accessible; there would be some service being abused, e.g. an open email relay, or a web server compromised with a web shell or a malvertisement that redirects users (when clicked) to other ill-reputed websites.

This is a blacklist check to test a mail server IP address against over 100 DNS-based email blacklists (commonly called Realtime Blacklist, DNSBL or RBL): http://mxtoolbox.com/blacklists.aspx

To get your server off a blacklist and be removed, you have to contact the blacklist owner directly. Each blacklist database has its own criteria for flagging IP addresses and compiling its own list of online offenders.

To get off the list, I suggest you do the following self-check first:
- Your network and mail server are configured correctly (besides those I mentioned earlier, also include the basic check for correct forward and reverse DNS records, as well as SMTP banners)
- Scan all computers on your network for viruses
- Patch your server to the latest security hotfixes and released patches
- Check and validate the hardening of your router (e.g. no default account/password, no unnecessary services, insecure protocols or weak ciphers, etc.)
- Check all accounts and enforce strong passphrases
- Check the audit trail for any past consecutive failed login attempts by a user or admin (this may point to specific exploitation attempts to send spam, etc.)

Once the fixes on the above are completed without any major findings, you are more assured when you engage those blacklist support groups to request removal with proof. Another means is to wait after your clean-up for around one to two weeks, as some providers repeat their blacklist checks on a time basis... See this: http://www.dnsbl.info/blacklist-removal.php

Just make sure there is also no anomalous activity detected in your regular scans and checks, especially of those email and web systems accessible from the internet. You can check yourself against the blacklists again regularly: http://whatismyipaddress.com/blacklist-check
1
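The blacklist checks linked above (mxtoolbox, dnsbl.info, whatismyipaddress) all do the same thing under the hood: a DNS lookup of the reversed IP under the list operator's zone. The following is an added example, not code from this thread or from any of those services, that builds and reads such a lookup so the status can be checked directly and scripted into a regular scan. The zone names, the sample external IP and the DNS answers are constructed placeholders; a real check uses the operator's published zone and live DNS.

```python
"""Added example: how a DNS-based blacklist (DNSBL/RBL) lookup is built and read.
Not code from this thread or from any blacklist operator. Zone names, the
sample IP and the DNS answers are constructed; a real check uses the
operator's published zone and the live_resolver below."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed stand-in for live DNS: query name -> A records returned.
# A DNSBL answers with an address in 127.0.0.0/8 when the IP is listed;
# the exact value (127.0.0.2, 127.0.0.3, ...) is a per-operator reason code.
FAKE_DNS: Dict[str, List[str]] = {
    "25.2.0.192.dnsbl.example.net": ["127.0.0.2"],        # constructed: listed
    "25.2.0.192.backscatter.example.net": ["127.0.0.2"],  # constructed: listed
    "25.2.0.192.odd.example.net": ["10.0.0.1"],           # constructed: bogus answer
    # "25.2.0.192.clean.example.net" absent -> NXDOMAIN -> not listed
}

Resolver = Callable[[str], Optional[List[str]]]

# Internal ranges: a NATed server's private address is never what is listed.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def fake_resolver(name: str) -> Optional[List[str]]:
    """Offline resolver over the constructed table (None means NXDOMAIN)."""
    return FAKE_DNS.get(name)


def live_resolver(name: str) -> Optional[List[str]]:
    """Real DNS lookup; not used by default so the example runs offline."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed octets of the IP under the zone.

    Only the public (external) address is meaningful: the listing applies
    to what the outside world sees, so an RFC 1918 address is refused here.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    if any(addr in net for net in RFC1918):
        raise ValueError("check the public IP, not the internal one: %s" % ip)
    return ".".join(reversed(ip.split("."))) + "." + zone


def check_dnsbl(ip: str, zones: List[str],
                resolve: Resolver = fake_resolver) -> Dict[str, Optional[str]]:
    """Return {zone: reason_code_or_None} for the IP across the given zones.

    None means the zone returned no answer, i.e. the IP is not listed there.
    An answer outside 127.0.0.0/8 is not a valid listing and is flagged so it
    can be investigated (e.g. a wildcard record or a misbehaving resolver).
    """
    results: Dict[str, Optional[str]] = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        if not answers:
            results[zone] = None
            continue
        code = answers[0]
        if ipaddress.ip_address(code) not in ipaddress.ip_network("127.0.0.0/8"):
            code = "unexpected:" + code
        results[zone] = code
    return results


if __name__ == "__main__":
    ZONES = ["dnsbl.example.net", "backscatter.example.net",
             "odd.example.net", "clean.example.net"]
    for zone, code in check_dnsbl("192.0.2.25", ZONES).items():
        print(zone, "LISTED (%s)" % code if code else "not listed")
```

To run it against real lists, pass `resolve=live_resolver` and the zone names published by each operator; the reason code returned maps to that operator's documented listing reason, which is the "why" the later replies in this thread ask for before any delisting request.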
 
LVL 23

Assisted Solution

by:Dr. Klahn
Dr. Klahn earned 62 total points
ID: 41837352
Side note:  There are some networks that are permanently blacklisted due to their ISPs' ongoing toleration of spam and other hostile activity.  If you check your status and find out that you're on one of those networks, there are only two solutions:

  • Install a VPN and tunnel out through a more reputable hosting service
  • Switch to a different ISP
0
 
LVL 26

Expert Comment

by:skullnobrains
ID: 41838005
which blacklists are you blacklisted on?

there are high chances that you are actually sending out spam, or are an open relay, or a backscatterer (@john, DSNs do not "count as spam", but sending DSNs back to obviously spoofed addresses does. use SPF)... the list of things to check is huge

each blacklist has its own policy and you can read their docs in order to determine what you're doing wrong. sometimes you can contact them if they blacklist you by mistake, but that is unlikely. if you post this information, we'll be able to help more efficiently

if you have your own server, make sure that individual computers do not access port 25 on the internet, so at least you only deal with the server's traffic, which i assume you can monitor if needed.
1
 

Author Comment

by:Eprs_Admin
ID: 41838010
SORBS and BACKSCATTERER
0
 
LVL 26

Assisted Solution

by:skullnobrains
skullnobrains earned 62 total points
ID: 41838122
backscatterer

- apply SPF to your incoming email, and possibly alternatives such as Sender ID as well, but basically SPF to start with

- check that you are not using filtering software that sends a mail back to the emitter to notify them that they have been sending spam or viruses. if possible, apply early rejects.

- make sure mail to non-existent users is rejected during the SMTP session and not answered with a DSN

- maybe apply a blacklist such as SORBS or Spamhaus on your incoming email

- go there and post results : http://www.backscatterer.org/?target=test

---

sorbs

go there : http://www.sorbs.net/lookup.shtml and post results

---

note that in both cases, using the delisting tool is not the point. what is important is that they tell you why you are listed. i know a few useful steps for backscatterer; sorbs has more different reasons they can blacklist you for: most likely a zombie on your network

information regarding your setup might be useful. given the above, i'd assume a single exchange server behind a nat firewall, no proxy or extra smtp server, and a commercial antivirus product?
1
 
LVL 61

Assisted Solution

by:btan
btan earned 252 total points
ID: 41838303
This is a good one-stop listing of the contacts for removal by the various blacklists: http://blog.online-domain-tools.com/2015/01/26/how-to-get-removed-from-blacklists/

For SORBS - there is no charge for removal (http://www.sorbs.net/delisting/overview.shtml), specifically from the various SORBS proxy, vulnerability, relay, zombie, spam or DUHL databases. But first, as shared by the expert, it is a good start to find out which database you are blacklisted in via its database search; then the delisting can be more detailed. E.g. http://www.sorbs.net/lookup.shtml

For BACKSCATTER, the backscatter blacklists are specifically looking at a type of traffic from an email server IP address related to Non-Delivery Reports/Receipts (NDRs). It is due to incorrect automated bounce messages sent by mail servers, typically as a side effect of incoming spam from a Denial of Service (DoS) or directory-harvesting attack on a mail server.

You will likely need your spam control solution to have recipient filtering turned on to drop messages destined for invalid recipients, which cause the NDRs. There is also a need for the email server to be able to verify the source against spoofing attempts. This is where SPF and DKIM (and DMARC as a whole) will help in this case. As a whole, the filtering is about accepting email from the internet for legitimate recipients and rejecting the email at the point of delivery, at the edge, if invalid or unauthorised.

For recipient filtering: http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html
For checking your IP on www.mxtoolbox.com/blacklists.aspx to see whether your IP has been listed, and in which blacklist
For delisting on Backscatter (for example if you are on the Spam Eating Monkey Blacklist): http://spameatingmonkey.com/delist.html
1
 

Author Comment

by:Eprs_Admin
ID: 41839558
Hi, I have installed SPF on my external DNS portal.
0

Author Comment

by:Eprs_Admin
ID: 41839561
Another question I have is: on my Exchange HUB/CAS servers I see many emails in the send queue, but these have weird names....
How can it be that my send queue is rising every day?
0
 
LVL 61

Expert Comment

by:btan
ID: 41839582
You should have the anti-spam enabled to do the filtering; see for example the Exchange Edge setup, or you can check your anti-spam solution.

Recipient Filter agent   Recipient filtering compares the message recipients on the RCPT TO: SMTP command to an administrator-defined Recipient Block list. If a match is found, the message isn't permitted to enter the organization. The recipient filter also compares recipients on inbound messages to the local recipient directory to determine whether the message is addressed to valid recipients. When a message isn't addressed to valid recipients, the message is rejected.
https://technet.microsoft.com/en-us/library/jj218660(v=exchg.150).aspx
1
 

Author Comment

by:Eprs_Admin
ID: 41839830
OK, we use Exchange 2007.
We have no Edge servers, just HUB/CAS.
0
 

Author Comment

by:Eprs_Admin
ID: 41839833
Hi John,

An NDR is a non-delivery report, right?
Can you show me how to disable this in my Exchange domain?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41839839
You would have to look at your Exchange documentation for deleting emails (Non-delivery reports are a form of email). I don't have Exchange any more as we have outsourced all this at our clients.
0
 

Author Comment

by:Eprs_Admin
ID: 41839880
ok I will check....
0
 

Author Closing Comment

by:Eprs_Admin
ID: 41839881
I think we solved this problem.
From one list we are off and the rest is planned.
Also we increased our security against SPAM.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 41839936
Thank you for the update and good that you are making progress.
0
 
LVL 61

Expert Comment

by:btan
ID: 41840068
For Exchange, only the Edge Server role or Hub Transport role has such filtering capability. Otherwise you need to leverage your anti-spam solution. See "Adding this functionality to your Hub Transport servers": http://www.msexchange.org/articles-tutorials/exchange-server-2007/security-message-hygiene/exchange-server-2007-spam-filtering-features-without-using-exchange-server-2007-edge-server.html
1
 
LVL 26

Expert Comment

by:skullnobrains
ID: 41840070
Hi, I have installed SPF on my external DNS portal.

this tells other servers how to handle email that originates from your domain name

you need to apply SPF on your incoming traffic. this is a filtering module that will query for records similar to the one you set up, and let your server reject connections from spoofed domains, which greatly reduces the amount of backscatter you send. this helps with not being blacklisted at backscatterer.org, rfc-ignorant.org, sorbs, and a few others.

basically backscatter is not about traffic you send, it's about traffic you bounce.

Another question I have is: on my Exchange HUB/CAS servers I see many emails in the send queue, but these have weird names....

trace the origins of these mails. if they come from the outside, you're probably accidentally relaying traffic you should not be relaying. if they come from the inside, have a look at the box(es) that send(s) them. they most likely have a virus.

An NDR is a non-delivery report, right?
Can you show me how to disable this in my Exchange domain?

i'd advise against doing this. legit DSNs are useful. you'll end up having remote users mistyping your email address and they'll never notice, and you'll likely get blacklisted at rfc-ignorant.org at some point

--

please do not rely on delisting tools. unless you correct the reason why you were blacklisted in the first place (this means that you misconfigured something and/or someone is using your resources in order to send spam), you'll be blacklisted again in no time. please use the links i provided and type in your external ip in order to know why they blacklisted you
1
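The two points made by skullnobrains above (SPF checked on incoming mail, and unknown recipients rejected inside the SMTP session rather than bounced) and btan's earlier recipient-filtering advice describe the same mechanism: backscatter only exists when a server accepts a message it cannot deliver and then generates an NDR to a sender address it never verified. The following is an added example, not code from this thread, from Exchange or from any product, that models an inbound SMTP decision under a "legacy" policy (accept everything, bounce later) and a "hardened" policy (SPF at MAIL FROM, recipient validation at RCPT TO) and counts the bounces each would produce. The domains, addresses, SPF records and sessions are constructed; the SPF evaluator is deliberately minimal (only `ip4:` and `all` terms, no `include:`, `a`, `mx` or `redirect=`).

```python
"""Added example: why rejecting during the SMTP session instead of
accepting-then-bouncing removes backscatter. Not code from this thread,
from Exchange or from any product. All domains, addresses, SPF records and
sessions are constructed; the SPF evaluator understands ip4: and all only."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed TXT records standing in for DNS: sender domain -> SPF record.
FAKE_TXT: Dict[str, str] = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "partner.example": "v=spf1 ip4:198.51.100.10 ~all",
    # "nospf.example" publishes no record at all
}

# Constructed local recipient directory (what recipient validation consults).
LOCAL_USERS = {"alice@corp.example", "bob@corp.example"}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, client_ip: str,
              lookup_txt: Callable[[str], Optional[str]] = FAKE_TXT.get) -> str:
    """Evaluate the sender domain's SPF record against the connecting IP.

    Returns none/pass/fail/softfail/neutral. Minimal on purpose: only ip4:
    and all terms are understood; other mechanisms are skipped.
    """
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # include:/a/mx/redirect= are not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


@dataclass(frozen=True)
class Policy:
    check_spf: bool                  # reject SPF "fail" at MAIL FROM
    reject_unknown_recipients: bool  # 5xx at RCPT TO instead of bouncing later


@dataclass(frozen=True)
class Session:
    client_ip: str
    mail_from: str
    rcpt_to: str


def handle_session(s: Session, policy: Policy) -> Dict[str, object]:
    """Decide one inbound SMTP transaction.

    'dsn_sent' is True only when the server accepted the message and later
    had to bounce it to MAIL FROM; with a forged MAIL FROM that bounce is
    exactly the backscatter the blacklists measure.
    """
    domain = s.mail_from.split("@", 1)[1]
    if policy.check_spf and spf_check(domain, s.client_ip) == "fail":
        return {"reply": "550 5.7.1 SPF check failed", "dsn_sent": False, "delivered": False}
    if s.rcpt_to not in LOCAL_USERS:
        if policy.reject_unknown_recipients:
            # The connecting server gets the 5xx; no bounce mail is ever created.
            return {"reply": "550 5.1.1 User unknown", "dsn_sent": False, "delivered": False}
        # Accept-then-bounce: the NDR goes to whatever MAIL FROM claimed.
        return {"reply": "250 2.0.0 OK", "dsn_sent": True, "delivered": False}
    return {"reply": "250 2.0.0 OK", "dsn_sent": False, "delivered": True}


def count_backscatter(sessions: List[Session], policy: Policy) -> int:
    """Number of bounce messages the server would emit under this policy."""
    return sum(1 for s in sessions if handle_session(s, policy)["dsn_sent"])


LEGACY = Policy(check_spf=False, reject_unknown_recipients=False)
HARDENED = Policy(check_spf=True, reject_unknown_recipients=True)

# Constructed inbound sessions: one forged sender, one legitimate delivery,
# two dictionary-style probes of mailboxes that do not exist.
SAMPLE_SESSIONS = [
    Session("192.0.2.5", "ceo@example.com", "zzz@corp.example"),         # forged, SPF fail
    Session("203.0.113.7", "ceo@example.com", "alice@corp.example"),     # legit, delivered
    Session("198.51.100.10", "x@partner.example", "nobody@corp.example"),  # softfail, bad rcpt
    Session("192.0.2.9", "q@nospf.example", "ghost@corp.example"),       # no SPF, bad rcpt
]

if __name__ == "__main__":
    print("bounces under legacy policy:  ", count_backscatter(SAMPLE_SESSIONS, LEGACY))
    print("bounces under hardened policy:", count_backscatter(SAMPLE_SESSIONS, HARDENED))
```

Note that under the hardened policy the partner and no-SPF sessions are still refused without a bounce: SPF softfail/none does not block them, but recipient validation does, which is why the thread treats recipient filtering as the primary fix and SPF as the complement.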
