server bounced email.

I am relaying emails from my server through my ISP, which has been working, except just recently routine text emails have been bouncing.

The service log bounce error:

Jan  6 11:31:01 culser postfix/smtp[14808]: E10DE19C627: to=<@gmail.com>, relay=smtp.rcn.com[ unknownip ]:25, delay=0.57, delays=0.02/0.01/0.37/0.17, dsn=5.7.1, status=bounced (host smtp.rcn.com[69.168.97.78] said: 554 5.7.1 [P4] Message blocked due to spam content in the message. (in reply to end of DATA command))

I am running Debian Linux, and using Postfix email transport.
I have the main.cf file attached.

I had a similar issue a few months back posted on this site.

Please advise.
main.txt
culserAsked:

kenfcampCommented:
The message was blocked because spam was detected.

First, you really shouldn't post IPs and/or email addresses. Perhaps you can edit that information out.

That being said, it appears the IP in question is on the SORBS spam list:
https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3a69.168.97.78&run=toolpage

Perhaps this is some (if not all) of your problem

Ken
arnoldCommented:
Seems your ISP received complaints, and thus they are blocking you to get themselves off the list, as kenfcamp pointed out.

69.168.97.78
culserAuthor Commented:
Hi guys,

Sorry for putting IPs and domains; I will edit them out, and thank you for letting me know.
Also, 69.168...... is not my IP, nor is it my ISP service IP. I have RCN as my provider. I have no idea where this IP came from, but it is showing in the logs.

Also, did you see the main.txt Postfix file?
A few months ago I had a similar issue; the expert that got back to me advised me to edit out a spam setting in the main.cf file, which solved the issue until now.

arnoldCommented:
The 69.198 smtp.rcn.com is what you have configured as the mail relay through which your server relays messages.
In your postfix config,

relayhost = smtp.rcn.com:25

tells your Postfix to deliver all messages generated on or received by your system to that one.
 
Potentially, you have a dynamic IP and thus will be blocked by several if you attempt to deliver the messages directly.
http:/mxtoolbox.com/blacklists.aspx


enter your IP and you will see if your IP is on a blacklist.

Not sure what you are sending, but since I do not have an account with the same vendor, it is hard to determine whether they are outright blocking you, or whether the message being transmitted is actually analyzed before it is permitted to enter their queue for further processing.
Send yourself a test message through your server and see whether it too gets rejected, or whether it is permitted.

SORBS is a
culserAuthor Commented:
Going to http:/mxtoolbox.com/blacklists.aspx
the 69.98 .... IP is not my IP; the 69.98 IP is blacklisted.

69.98 is not RCN's IP.

smtp.rcn.com is the relay we have been using for years to relay our server messages, as we have permission from our ISP to do so.


My IP is also blacklisted on the BARRACUDA list, but I do not know how that came to be.

We have a static IP through RCN.
We are using our own server to host our sites and for our customers to contact us, sending text messages via an HTML form which is relayed through our ISP, then to our Gmail account. (We do not have a mail server at this time.)

When I send a test email from my server to my Gmail account I get the same bounce log message with the RCN relay (69.168 .... wrong IP address).

1) Why is my ISP being logged as this 69.168? If you look up RCN's IP you will see it is not this 69.168.
2) How do I get my IP off this blacklist?
3) How can I check if some other malicious party is using our server to spam?
4) Our server log shows hundreds of other IPs trying to telnet into our system.
5) Is it worthwhile signing up with https://mxtoolbox.com/ to solve the problem?
arnoldCommented:
My typo, 69.168.97.78 is the ip to which SMTP.rcn.com resolves.

Use the ip you have, http://whatismyip.com on the blacklists test.

Call your provider if they are blocking all your outgoing messages.
This is the only way to resolve the error reflected in your log.
The SORBS listing of your ISP's IP cannot be resolved by you, only by their tech folks .....
culserAuthor Commented:
Yes, I said my IP is being blacklisted; I will call my ISP to resolve.
Thank you all for your help.
culserAuthor Commented:
Barracuda did remove my IP from their list, and they considered the matter closed.
Then today I discovered my emails were being bounced:

Jan 13 19:49:33 culser postfix/smtp[6772]: 70D5919C627: to=<myemail@gmail.com>, relay=smtp.rcn.com[unknown ip]:25, delay=0.45, delays=0.05/0.01/0.26/0.13, dsn=5.7.1, status=bounced (host smtp.rcn.com[unknown ip] said: 554 5.7.1 [P4] Message blocked due to spam content in the message. (in reply to end of DATA command))

What could be the problem?

Please advise
arnoldCommented:
Not sure why. Barracuda had you blacklisted, but they provide a custom appliance.
The block here is from your ISP, rcn.com.
You may have to look at configuring smtp_auth before sending through them.

But before going down this path, contact your ISP to resolve the reason/s that got your IP blacklisted by the ISP.

Revalidate your mail server/system setup to make sure you are not being used by spammers to send email, i.e. a web-based form that can be and was being used to generate mass mail.

Often, a way to mitigate this type of abuse is that the recipient of any form has to be explicitly defined on the processing side, or the destination has to be authorized. Meaning only you as the recipient of the submitted data would be valid.



I.e. These forms are designed for visitors to contact you or your organization.
culserAuthor Commented:
Hi Arnold,

Can you explain smtp_auth? Is that in the Postfix main.cf file?
Is it possible that a 3rd party is using our IP to spam using HTML forms?
Is it possible that a 3rd party can use the To: protocol to spam?
If we change our IP, will that deter a 3rd party from spamming through us?

We use web forms on our website for our customers to contact us.
Some time ago we discovered that 3rd parties were simulating our form, adding a long list of emails to the "subject" line and spamming through us.
We responded by using a script that checks to see if "@" is in the subject line.
arnoldCommented:
If the issue is between your system and rcn.....
You could configure Postfix to authenticate as a client before sending a message in an effort to overcome the anonymous sending block.

It is in no way guaranteed to work, which is why I suggest you contact your ISP to resolve the current situation and check whether the client auth could get you unblocked.
arnoldCommented:
See the following, dealing with configuring and providing the credentials for Postfix to use when transmitting a message through another server:

https://linode.com/docs/email/postfix/postfix-smtp-debian7/

While you might not be using an OS based on Debian, the application here, Postfix, is the same; the changes might refer to the location/reference where the configs are .....
arnoldCommented:
Oh, missed the other questions.
Spammers look at contact-us forms.

They then look at the source and try to generate a request to the processing of the form, including the sender, recipient, subject and body of the message as referenced in the HTML of the form.
If the processing of the form does not restrict to whom the mailing is sent, it will process all requests as valid emails. The mail server is configured to accept and relay messages submitted through the web server. This flow makes the web server => mail server function as an open relay that spammers will use to send spam through.

Yes, though this option is blocked by most mail servers unless you modified it:
user%foreigndestination.com@yourmailserver.com

The user%foreigndestination.com would then be re-transmitted after the conversion to user@foreigndestination.com.

Changing your IP will merely delay until it is discovered again. They may have identified your site, and thus no matter the change of IP, they have the hostname www.yourdomain.com, as an example, so when you change your IP you will update the public record.

On the processing of the data, make sure the destination/recipient is always an email address that you authorize.

http://www.postfix.org/ADDRESS_REWRITING_README.html
http://www.postfix.org/postconf.5.html#append_at_myorigin
culserAuthor Commented:
Hello Arnold,

In the main.cf I have specified only certain emails to be emailed with "sendmail":
authorized_submit_users = /etc/postfix/authusers

authusers file:
          email1@xxx.com, email2@xxx.com, etc .....

Will this keep out the spammers?
arnoldCommented:
The one you reference is for users authenticating to send messages through your server.
The option I am referring to is that when your postfix tries to relay through your ISP, rcn.com it will authenticate itself to their server as you, and then they may allow your server to transmit, but after a time they would block even your login from sending through them unless you resolve the referenced possibility that your system is being misused to send out spam.
arnoldCommented:
Another option: make sure your Postfix setup stores the bounced messages that could not be delivered to the sender (double bounce). This way you can look and see whether you can identify the source, i.e. were these messages sent by one of your users authorized to send through your server, or were they generated through your web form.
In the full message header view, the Received: line farthest from the top is the one that should reflect how the message got into your system.

From a web form, it will either indicate it was picked up (injected through sendmail) or from itself, such that the web form uses an SMTP session to send the message.
For external, it will reflect the external IP of the user; it might include an X-Auth-user like option indicating the user ......... This needs to be part of your configuration, whether the server should record this information.....
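The Received: check Arnold describes, as an added example that is not part of the thread: it parses two constructed messages with Python's standard email module and reports the earliest hop (hostnames, IPs, queue ids and the "shop" login are made up for the sample).

```python
import re
from email import message_from_string

# Constructed samples (hosts, IPs and ids are made up): one message the web
# server injected locally through sendmail (Debian's www-data is uid 33),
# one that arrived over an authenticated SMTP session from outside.
LOCAL_INJECT = """Received: from culser.example (culser.example [192.0.2.10])
\tby smtp.isp.example with ESMTP id ABC123; Mon, 13 Jan 2014 19:49:33 -0500
Received: by culser.example (Postfix, from userid 33)
\tid 70D5919C627; Mon, 13 Jan 2014 19:49:32 -0500
Subject: order alert

body
"""
SMTP_SESSION = """Received: from culser.example (culser.example [192.0.2.10])
\tby smtp.isp.example with ESMTP id DEF456; Mon, 13 Jan 2014 19:49:33 -0500
Received: from mailer.example (unknown [203.0.113.5])
\t(Authenticated sender: shop)
\tby culser.example (Postfix) with ESMTPA id 70D5919C628
\tfor <me@example.net>; Mon, 13 Jan 2014 19:49:30 -0500
Subject: order alert

body
"""

def entry_hop(raw: str) -> dict:
    """Classify how a message first entered the server: the Received:
    line farthest from the top is the earliest hop, so inspect that one."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return {"kind": "none"}
    hop = " ".join(received[-1].split())  # unfold the continuation lines
    m = re.search(r"from userid (\d+)", hop)
    if m:  # injected with the sendmail command (Postfix pickup)
        return {"kind": "local", "userid": int(m.group(1)), "raw": hop}
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
    # Postfix records "(Authenticated sender: NAME)" in this line when
    # smtpd_sasl_authenticated_header = yes is set in main.cf.
    auth = re.search(r"\(Authenticated sender: ([^)]+)\)", hop)
    return {"kind": "smtp",
            "ip": ip.group(1) if ip else None,
            "authenticated": " with ESMTPA " in hop or " with ESMTPSA " in hop,
            "sender": auth.group(1) if auth else None,
            "raw": hop}
```

A "local" result with the web server's uid points at the form handler; an "smtp" result gives the external IP and, if recorded, the login that was used.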
culserAuthor Commented:
Hi Arnold,
We are the only user on our server.
We use "Sendmail" to transport messages from our web forms to certain select Gmail emails.
If a user completes an order on our eCommerce site we are emailed the order alert, and the customer who made the order is also notified.
Many times the customers are new / never emailed before ... I wonder if authorized_submit_users will block them ..

To clarify, when our server sends emails it also relays through our ISP; forms and test emails etc ... all emails sent by our server are relayed via our ISP. This is the only way we can send our emails currently until we get an email server of our own set up.
When we relay we are authenticating (SSL login relay) .... but we are still getting blocked because, as you said, our server is being misused.

Our server stores every activity, even the bounced mails, but the full message headers I don't know about; I have never seen them.
In our log we did record a rogue IP which is neither ours nor our ISP's ... how can we block these bad IPs??
arnoldCommented:
While your intended use is to send the data from your web form to specific addresses, the same process can be abused if not restricted, as I noted, to the specified recipients within.

You actually are not required to relay through your ISP, unless the ISP is blocking your outgoing connections on port 25.
The message consists of the header block and the message body, separated by a single empty line. Depending where you are viewing these messages, it might require you to display full message headers, which are commonly hidden in mail clients, displaying only From, To, Cc, Subject, Date, Message-Id.

A connection from an external source to be blocked is.....
Make sure the user accounts you have set up change their passwords, if that is the method these mailings got in.

Deal with the web form first.
culserAuthor Commented:
So my question is, how can we restrict this abuse of our forms?

If we don't relay through our ISP, emails will not get delivered.

I found some of the mails with headers; some are from us testing the system to troubleshoot the bounces, and many are from "WordPress" new user sign-up. On certain sites we have a "WordPress" blog which users can sign up for, but in most cases these are fake users or advertising which we want to end.

Also, on our Linux system when we type in "host" site or domain name ... our IP is presented and another message "domains" mail is handled by 10   ctmail ... exactly what does that mean?
arnoldCommented:
Look at the form; refer to the action to which the form is submitted.
In the logic of the form processing, validate the designated recipient (to, email, etc.) to match a list of email addresses encoded in this application.
I.e. If $to == 'user@gmail.com' then send
Else do nothing, do not send this email, but store the data for review or for potential reporting as abusive to the provider based on the IP.

Much depends on what you want and need.

They will not get delivered because of the ISP blocking external outgoing port 25 connections..
The public IP is on a dynamic blacklist?

I do not know what your setup is nor on what .....

I can only answer in a best-guess abstract.

Narrow down where the spam possibilities are from.
If through the web form, fix the issue.
Then once resolved, have your ISP unblock your IP.
Make sure you are not causing this issue based on what you set as the sender of the message, i.e. you use a gmail.com address that the ISP checks, and gmail.com does not authorize your IP as an originator of their domain email.
I.e. change to using the sender as your own user@mydomain.com, where if there are restrictions, SPF, etc., this server's IP is authorized to originate emails for mydomain.com senders.

Without actually understanding what you have, how you have it set up, how your ISP restricts your IP access to external port 25, it is impossible to know whether, if you remove the relayhost definition, the emails will not be delivered.

Try it: on the Linux box, pick a recipient to whom you wish to send a test message.
Locate the MX records for the recipient's domain:
nslookup -q=mx recipientdomain.com

Use telnet to connect to one of the listed MX records on port 25.
If the connection fails or times out, try another of the listed MX records, just in case the one you chose is offline for a reason.
Once connected, engage in an SMTP session
Helo yourservername
Mail from: <youremailaddress>
Rcpt to: <recipientaddress>
Data
From: <youremailaddress>
To: <recipientaddress>
Subject: test

This is the body of the message, while what precedes it after Data is the visible header.
The servers through which the message goes will add a Received: line reflecting the path the message takes to get delivered to the recipient.
End the message with a single period on an otherwise empty line, such as:
.

After each instruction you are expecting a 2xx, except after Data where you expect a 3xx.

For testing use your own email addresses with other providers.
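Arnold's recipient check above, together with the forged-form and address-list abuse described earlier in the thread, worked out as an added example that is not code from the thread or from any project it names; the handler, the allow-list addresses and the webform@ sender are assumptions.

```python
import re

# Only these addresses may receive form mail; constructed placeholders,
# not the thread's real recipients.
ALLOWED_RECIPIENTS = {"orders@example.net", "support@example.net"}
# Fixed sender in your own domain (the SPF point above); the visitor's
# address goes in Reply-To instead of being used as the sender.
FORM_SENDER = "webform@example.net"

_SINGLE_ADDR = re.compile(r"^[^@\s,;<>]+@[^@\s,;<>]+\.[^@\s,;<>]+$")
_CRLF = re.compile(r"[\r\n]")

def validate_submission(form: dict) -> tuple:
    """Decide what to do with one decoded POST body.

    Returns ("send", message) when the submission is safe to hand to
    sendmail, or ("reject", record) where record is what to keep for
    review / abuse reporting instead of mailing anything.
    """
    to = (form.get("to") or "").strip().lower()
    visitor = (form.get("email") or "").strip()
    subject = form.get("subject") or ""
    body = form.get("body") or ""
    record = {"client_ip": form.get("client_ip"), "to": to,
              "email": visitor, "subject": subject}

    def reject(reason):
        record["reason"] = reason
        return "reject", record

    if to not in ALLOWED_RECIPIENTS:
        return reject("recipient not on allow-list")
    # These fields end up in the mail header: refuse CR/LF, which would
    # let a submission smuggle extra Bcc:/To: lines into the header.
    for name, value in (("email", visitor), ("subject", subject)):
        if _CRLF.search(value):
            return reject(f"newline in {name} (header injection attempt)")
    # Exactly one plain address, so "a@x, b@y, ..." lists are refused.
    if not _SINGLE_ADDR.match(visitor):
        return reject("visitor email is not a single address")
    # The asker's own rule from the thread: no addresses in the subject.
    if "@" in subject:
        return reject("address in subject")
    return "send", {"from": FORM_SENDER, "reply_to": visitor, "to": to,
                    "subject": subject, "body": body}
```

Rejected records carry the client IP, so they can be reviewed or reported to the originating provider as Arnold suggests, without any mail leaving the server.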
