• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 137

listed on blacklists

Hi Experts,

What can I do when I am listed on some blacklists?
For some reason we are listed on 2 lists.
The firewall is set up and all other spam settings are up to date.

Do you have any ideas?
0
6 Solutions
 
John Tsioumpris, Software & Systems Engineer, commented:
Have you set up your system to send email ONLY through Exchange and blocked port 25 for everyone else?
Also, a common scenario where you get blacklisted is by setting your Exchange to send NDRs... I know it's crazy, but NDRs still count as spam...
1
 
John Hurst, Business Consultant (Owner), commented:
You also need to check your computers to see if they are sending out spam. Look at Exchange logs to see if this is happening.

Once you have cleaned up the issues, you need to apply to the blacklisting agencies to be removed.
0
 
Eprs_Admin, System Architect, Author, commented:
OK, how can I check Exchange to see if spam is being sent out?
0
 
btan, Exec Consultant, commented:
You can do a self-assessment as well and trace down the server that is internet accessible; there would be some service being abused, e.g. an open email relay, or a web server compromised with a web shell or mal-advert that redirects users (when clicked) to other ill-reputed websites.

This is a blacklist check to test a mail server IP address against over 100 DNS-based email blacklists (commonly called Realtime Blacklist, DNSBL or RBL). http://mxtoolbox.com/blacklists.aspx

To get your server off a blacklist, you have to contact the blacklist owner directly. Each blacklist database has its own criteria for flagging IP addresses and compiling its own list of online offenders.

To get off the list, I suggest you do the following self-check first:
- Your network and mail server are configured correctly (besides those I mentioned earlier, also include the basic checks for correct forward and reverse DNS records, as well as SMTP banners)
- Scan all computers on your network for viruses
- Patch your server to the latest security hotfixes and released patches
- Check and validate the hardening of your router (e.g. no default account/password, no unnecessary services, no insecure protocols or weak ciphers, etc.)
- Check all accounts and enforce strong passphrases
- Check the audit trail for any past consecutive failed login attempts by users or admins (this may point to specific exploitation attempts to send spam, etc.)

Once the fixes above are completed without any major findings, you are more assured when you engage those blacklist support groups to request removal with proof. Another means is to wait around one to two weeks after your clean-up, as some providers repeat their time-based blacklist checks... See this http://www.dnsbl.info/blacklist-removal.php

Just make sure there is also no anomalous activity detected in your regular scans and checks, especially of those email and web systems accessible from the internet. You can check yourself against the blacklists again regularly - http://whatismyipaddress.com/blacklist-check
1
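The mxtoolbox and whatismyipaddress checks linked above are DNS lookups you can script yourself. As an added example (not code from the thread or from the list operators), assuming the SORBS and backscatterer.org zone names shown in the code, this Python helper builds the reversed-octet query name and interprets the 127.0.0.x answer:

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Aggregate zones for the two lists named in the thread. These zone names are
# an assumption taken from the lists' public documentation; confirm them on
# the list's own site before relying on a result.
DNSBL_ZONES = {
    "sorbs": "dnsbl.sorbs.net",
    "backscatterer": "ips.backscatterer.org",
}

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, under the list's zone.

    203.0.113.5 checked against dnsbl.sorbs.net -> 5.113.0.203.dnsbl.sorbs.net
    """
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("this helper handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone

def system_resolver(name: str) -> Optional[str]:
    """Resolve through the OS; NXDOMAIN (not listed) is returned as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_listings(ip: str,
                   resolve: Callable[[str], Optional[str]] = system_resolver,
                   zones: Dict[str, str] = DNSBL_ZONES) -> Dict[str, Optional[str]]:
    """Return {list: return_code} with the 127.0.0.x answer when listed, else None.

    A DNSBL answers a listed query with an A record inside 127.0.0.0/8; the last
    octet is a list-specific reason code explained in that list's own docs. Any
    answer outside 127/8 is treated as "not listed" (a wildcard DNS response or
    a hijacked lookup is not a listing).
    """
    results: Dict[str, Optional[str]] = {}
    for label, zone in zones.items():
        answer = resolve(dnsbl_query_name(ip, zone))
        listed = answer is not None and \
            ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
        results[label] = answer if listed else None
    return results

if __name__ == "__main__":
    # Constructed resolver standing in for DNS so this runs offline; use the
    # default system_resolver to query the real lists for your external IP.
    fake_dns = {"5.113.0.203.ips.backscatterer.org": "127.0.0.2"}
    print(check_listings("203.0.113.5", resolve=fake_dns.get))
```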
 
Dr. Klahn, Principal Software Engineer, commented:
Side note: There are some networks that are permanently blacklisted due to their ISPs' ongoing toleration of spam and other hostile activity. If you check your status and find out that you're on one of those networks, there are only two solutions:

  • Install a VPN and tunnel out through a more reputable hosting service
  • Switch to a different ISP
0
 
skullnobrains commented:
which blacklists are you blacklisted on?

there are high chances that you are actually sending out spam, or are an open relay, or a backscatterer (@john DSNs do not "count as spam", but sending DSNs back to obviously spoofed addresses does. use SPF)... the list of things to check is huge

each blacklist has its own policy and you can read their docs in order to determine what you're doing wrong. sometimes you can contact them if they blacklist you by mistake, but that is unlikely. if you post this information, we'll be able to help more efficiently

if you have your own server, make sure that individual computers do not access port 25 on the internet, so at least you only deal with the server's traffic, which i assume you can monitor if needed.
1
 
Eprs_Admin, System Architect, Author, commented:
SORBS and BACKSCATTERER
0
 
skullnobrains commented:
backscatterer

- apply SPF to your INcoming email, and possibly alternatives such as senderid as well, but basically spf to start with

- check that you are not using filtering software that sends a mail back to the emitter to notify them they have been sending spam or viruses. if possible, apply early rejects.

- make sure mail to non existent users is rejected during the smtp session and not answered to with a dsn

- maybe apply a blacklist such as sorbs or spamhaus on your incoming email

- go there and post results : http://www.backscatterer.org/?target=test

---

sorbs

go there : http://www.sorbs.net/lookup.shtml and post results

---

note that in both cases, using the delisting tool is not the point. what is important is they tell you why you are listed. i know a few useful steps for backscatterer ; sorbs has more different reasons they can blacklist you for : most likely a zombie on your network

information regarding your setup might be useful. given the above, i'd assume a single exchange server behind a nat firewall, no proxy or extra smtp server, and a commercial antivirus product ?
1
 
btan, Exec Consultant, commented:
This is a good one-stop listing of the contacts for removal from the various blacklists: http://blog.online-domain-tools.com/2015/01/26/how-to-get-removed-from-blacklists/

For SORBS - there is no charge for removal (http://www.sorbs.net/delisting/overview.shtml), specifically from the various SORBS proxy, vulnerability, relay, zombie, spam or DUHL databases. But first, as shared by the expert above, it is a good start to find out via its database search which list you are on, so the delisting can be more specific. E.g. http://www.sorbs.net/lookup.shtml

For BACKSCATTER, the Backscatter blacklists are specifically looking at a type of traffic from an email server IP address related to Non-Delivery Reports/Receipts (NDRs). It is due to incorrect automated bounce messages sent by mail servers, typically as a side effect of incoming spam from a Denial of Service (DoS) or directory-harvesting attack on a mail server.

You will likely need your spam control solution to have recipient filtering turned on to drop messages destined for invalid recipients, which cause the NDRs. The email server also needs to be able to verify the source against spoofing attempts; this is where SPF and DKIM (and DMARC as a whole) will help. As a whole, the filtering should accept email from the internet for legitimate recipients and reject it at the point of delivery, at the edge, if invalid or unauthorised.

For recipient filtering: http://www.msexchange.org/tutorials/Sender-Recipient-Filtering.html
For checking your IP: www.mxtoolbox.com/blacklists.aspx to see in which blacklists your IP has been listed
For delisting on Backscatter (for example if you are on the Spam Eating Monkey blacklist): http://spameatingmonkey.com/delist.html
1
 
Eprs_Admin, System Architect, Author, commented:
Hi, I have installed SPF on my external DNS portal.
0
 
Eprs_Admin, System Architect, Author, commented:
Another question I have is, on my EXCHANGE HUB CAS servers I see many emails in the send queue, but these have weird names...
How can it be that my send queue is rising every day?
0
 
btan, Exec Consultant, commented:
You should have anti-spam enabled to do the filtering; see for example the Exchange Edge setup, or you can check your anti-spam solution.

Recipient Filter agent: Recipient filtering compares the message recipients on the RCPT TO: SMTP command to an administrator-defined Recipient Block list. If a match is found, the message isn't permitted to enter the organization. The recipient filter also compares recipients on inbound messages to the local recipient directory to determine whether the message is addressed to valid recipients. When a message isn't addressed to valid recipients, the message is rejected.
https://technet.microsoft.com/en-us/library/jj218660(v=exchg.150).aspx
1
 
Eprs_Admin, System Architect, Author, commented:
OK, we use EXCH2007.
We have no EDGE servers just HUB CAS.
0
 
Eprs_Admin, System Architect, Author, commented:
Hi John,

an NDR is a non-delivery report, right?
Can you show me how to disable this in my Exchange domain?
0
 
John Hurst, Business Consultant (Owner), commented:
You would have to look at your Exchange documentation for deleting emails (Non-delivery reports are a form of email). I don't have Exchange any more as we have outsourced all this at our clients.
0
 
Eprs_Admin, System Architect, Author, commented:
ok I will check....
0
 
Eprs_Admin, System Architect, Author, commented:
I think we solved this problem.
From one list we are off and the rest is planned.
Also we increased our security against SPAM.
0
 
John Hurst, Business Consultant (Owner), commented:
Thank you for the update and good that you are making progress.
0
 
btan, Exec Consultant, commented:
For Exchange, only the Edge Server role or Hub Transport role has such filtering capability. Otherwise you need to leverage your anti-spam solution. See "Adding this functionality to your Hub Transport servers" http://www.msexchange.org/articles-tutorials/exchange-server-2007/security-message-hygiene/exchange-server-2007-spam-filtering-features-without-using-exchange-server-2007-edge-server.html
1
 
skullnobrains commented:
Hi I have installed SPF on my external DNS Portal.

this tells other servers how to handle email that originates from your domain name

you need to apply SPF on your incoming traffic. this is a filtering module that will query for records similar to the one you set up, and let your server reject connections from spoofed domains, which greatly reduces the amount of backscatter you send. this helps you not get blacklisted at backscatterer.org, rfc-ignorant.org, sorbs, and a few others.

basically backscatter is not about traffic you send, it's about traffic you bounce.

Another question I have is, on my EXCHANGE HUB CAS servers I see many emails in the send queue, but these have weird names...

trace the origins of these mails. if they come from the outside, you're probably accidentally relaying traffic you should not be relaying. if they come from the inside, have a look at the box(es) that send(s) them. they most likely have a virus.

an NDR is a non-delivery report, right?
Can you show me how to disable this in my Exchange domain?

i'd advise against doing this. legit DSNs are useful. you'll end up having remote users mistyping your email address and they'll never notice, and you'll likely get blacklisted at rfc-ignorant.org at some point

--

please do not rely on delisting tools. unless you correct the reason why you were blacklisted in the first place (this means that you misconfigured something and/or someone is using your resources in order to send spam), you'll be blacklisted again in no time. please use the links i provided and type in your external ip in order to know why they blacklisted you
1
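The point made in this post and in skullnobrains's earlier backscatterer checklist is that SPF has to be evaluated on incoming connections and a hard "fail" rejected during the SMTP session, so no bounce is ever generated for a spoofed sender. As an added example (not code from the thread or from any Exchange product), this Python evaluator covers the ip4/ip6/include/all mechanisms; the domains and records it uses are constructed, and the TXT lookup is an injected function so it runs offline:

```python
import ipaddress
from typing import Callable, Optional

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(client_ip: str, domain: str,
                 lookup_txt: Callable[[str], Optional[str]], depth: int = 0) -> str:
    """Evaluate the sending domain's SPF record against the connecting IP.

    Covers ip4, ip6, include and all (the subset of RFC 7208 most records use).
    a, mx, ptr and exists need further DNS work and are skipped here, so a record
    relying on them may come back "neutral" where a full evaluator says "pass".
    lookup_txt(domain) returns the domain's SPF TXT record text, or None.
    """
    if depth > 10:                      # RFC 7208 limits DNS-querying terms to 10
        return "permerror"
    record = lookup_txt(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:                        # an address with no prefix means a single host
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:          # malformed network in the published record
                return "permerror"
        elif name == "include":
            if evaluate_spf(client_ip, arg, lookup_txt, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no explicit "all"

def smtp_action(spf_result: str) -> str:
    """What the receiving server does with the result during the SMTP session.

    A hard "fail" is rejected before the message is accepted, so no DSN can be
    generated for the spoofed sender; that is what keeps you off backscatter lists.
    """
    return {"fail": "reject", "softfail": "accept-and-tag"}.get(spf_result, "accept")

if __name__ == "__main__":
    # Constructed records standing in for DNS so this runs offline.
    txt = {"example.com": "v=spf1 ip4:198.51.100.0/24 -all"}
    print(smtp_action(evaluate_spf("192.0.2.1", "example.com", txt.get)))
```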
