Exchange Blacklist

  • Exchange Blacklist

    I have found that my IP address is blacklisted and now I can't send mail to hardly anyone through my Exchange server. One site, CBL I think, said that the problem was the Cutwail spambot, and I scanned everything for it and didn't find it anywhere.

    I also read about maybe I have an open relay.
    The problem may be from "bounce backs" UUBE's?

    What can I check on my setup to get un-blacklisted?

    Here is the reject message I got:
    Your message did not reach some or all of the intended recipients.

    Subject: WV Users
    Sent: 10/17/2008 21:20
    The following recipient(s) could not be reached:

    [email protected] on 10/17/2008 21:20
    There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.
    <ntsrvr05.masoncountyoes.com #5.5.0 smtp;550 Message has been refused because your mail server's IP 208.180.142.116 appears to be blacklisted (see http://www.spamhaus.org)>

    Thanks
    Last edited by medic 66; 18th October 2008, 16:18.

  • #2
    Re: Exchange Blacklist

    Also I should say Exchange 2003. About 40 users use OWA from the Internet.
    4 users use PCs with Outlook 2003 from inside the office only. If they travel they use OWA.

    Firewall has ports open for the SSL, POP, SMTP connection pointing to the internal IP address of the mail server.



    • #3
      Re: Exchange Blacklist

      Make sure you are not an open relay first.

      All the info you need is on Sembee's excellent site.

      http://www.amset.info/exchange/spam-cleanup.asp

      follow that and hopefully you will be ok.



      • #4
        Re: Exchange Blacklist

        Originally posted by Octagon View Post
        Make sure you are not an open relay first.

        All the info you need is on Sembee's excellent site.

        http://www.amset.info/exchange/spam-cleanup.asp

        follow that and hopefully you will be ok.
        OK....I did that and according to all of those instructions....I am RELAY SECURE.

        Since I am secure, do I need to do the rest of the instructions listed there about relaying and such, or do I need to start working on another angle?

        Thanks



        • #5
          Re: Exchange Blacklist

          Try this that I wrote instead.
          http://blog.sembee.co.uk/post/One-mo...isted-etc.aspx

          It doesn't have to be your server that is causing the problem.

          Simon.
          Last edited by Sembee; 16th August 2011, 09:47. Reason: URL Correction
          --
          Simon Butler
          Exchange MVP

          Blog: http://blog.sembee.co.uk/
          More Exchange Content: http://exchange.sembee.info/
          Exchange Resources List: http://exbpa.com/
          In the UK? Hire me: http://www.sembee.co.uk/

          Sembee is a registered trademark, used here with permission.



          • #6
            Re: Exchange Blacklist

            Sembee...I am going to check the link out right now. I thought that I would throw out in the meantime that when I checked out the Message Tracking Center, here is what was in there:

            1)Things that had been sent by our users
            2)the e-mail addresses of those who sent us mail
            3)[email protected] and out from each was Delivery Status Notification (Success) or (Failure)

            Nothing else from the postmaster was going out. And the success messages were genuine ones that I had requested.

            Is this OK?



            • #7
              Re: Exchange Blacklist

              I also found this in the event viewer on my server:

              This is an SMTP protocol log for virtual server ID 1, connection #20. The client at "118.167.137.248" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for [email protected] ". The full command sent was "rcpt TO: <[email protected]>". This will probably cause the connection to fail.

              AND THIS ONE

              This is an SMTP protocol log for virtual server ID 1, connection #19. The client at "118.167.137.38" sent a "rcpt" command, and the SMTP server responded with "550 5.7.1 Unable to relay for [email protected] ". The full command sent was "rcpt TO: <[email protected]>". This will probably cause the connection to fail.

              About 14 of these combinations in the event viewer.



              • #8
                Re: Exchange Blacklist

                If a workstation has been compromised then you will see nothing in the message tracking logs as the messages will be going straight out to the internet.

                The event log messages that you have posted are fine - they just show that Exchange is doing its job - it is rejecting an attempt to relay through your server.

                Simon.


                • #9
                  Re: Exchange Blacklist

                  I have followed all of the instructions that I have been given/found. The only things that show up in my queues are legitimate messages that I have sent.

                  Other than that, just what is in the event viewer is what is still concerning me. On another server, I found where the administrator account was attempted to be logged onto by my exchange server.

                  I changed the administrator account password.....

                  I think my exchange server is messed up......



                  • #10
                    Re: Exchange Blacklist

                    As I have already posted, and is in my blog posting - if a workstation is sending out the spam you will not see anything in the queues. If you only have a single external IP address then an email leaving the site will appear to come from the same IP address as your Exchange server.

                    I don't know what else I can say about the event log posting other than what I have already said. The reason you are seeing them is because logging is turned up high and is showing you Exchange rejecting the messages. Someone is trying to relay through your server, the server is rejecting it. Every server on the internet would log something similar.

                    Exchange talks to the other servers, again you may have logging turned up too high and are seeing things that are normal activity.

                    Simon.


                    • #11
                      Re: Exchange Blacklist

                      Originally posted by medic 66 View Post
                      The client at "118.167.137.248" sent a "rcpt" command
                      Medic66 - assuming you haven't changed the IP then this is a host in Taipei, Taiwan. I assume this isn't you therefore you should be glad it is successfully blocked!

                      On a further note UCEPROTECT still list your original IP address, implying they received spam from that IP address within the last 7 days.
                      Check it on www.uceprotect.net
                      cheers
                      Andy

                      Please read this before you post:


                      Quis custodiet ipsos custodes?
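
Added example, not part of any post in this thread: the DNS lookup that blacklist-check sites perform, sketched in Python against Spamhaus ZEN, the list named in the bounce message. The function names and the answers fed to the stub resolver are constructed for illustration; `resolve_a` only touches the network if `check_listing` is called without a stub.

```python
import ipaddress
import socket

# Spamhaus ZEN answers: 127.0.0.x means listed, 127.255.255.x means the
# query itself failed and says nothing about the address.
ZEN_LISTED = {
    "127.0.0.2": "SBL (spam source)",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL (infected/exploited host, CBL data)",
    "127.0.0.9": "SBL DROP",
    "127.0.0.10": "PBL (ISP-maintained)",
    "127.0.0.11": "PBL (Spamhaus-maintained)",
}
ZEN_ERRORS = {
    "127.255.255.252": "typo in DNSBL zone name",
    "127.255.255.254": "query sent via public/open resolver",
    "127.255.255.255": "query volume limit exceeded",
}

def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """1.2.3.4 -> 4.3.2.1.zen.spamhaus.org (IPv4 only)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def resolve_a(name):
    """Live A lookup; a failed lookup (NXDOMAIN) is treated as 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_listing(ip, resolver=resolve_a):
    answers = resolver(dnsbl_name(ip))
    errors = [ZEN_ERRORS[a] for a in answers if a in ZEN_ERRORS]
    if errors:
        return ("error", errors)      # do not read this as a listing
    if not answers:
        return ("clean", [])
    return ("listed", [ZEN_LISTED.get(a, "unknown code " + a) for a in answers])

if __name__ == "__main__":
    # Constructed answers, so the demo runs offline.
    stub = {dnsbl_name("208.180.142.116"): ["127.0.0.4"]}
    print(check_listing("208.180.142.116", lambda n: stub.get(n, [])))
    print(check_listing("192.0.2.1", lambda n: ["127.255.255.254"]))
```

An "error" result usually means the query went through a shared public resolver; repeat it from a resolver you run yourself before concluding anything about the address.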



                      • #12
                        Re: Exchange Blacklist

                        Sembee..thank you for the information. I guess my mail server must be working OK then.

                        I will keep monitoring..........



                        • #13
                          Re: Exchange Blacklist

                          Originally posted by AndyJG247 View Post
                          Medic66 - assuming you haven't changed the IP then this is a host in Taipei, Taiwan. I assume this isn't you therefore you should be glad it is successfully blocked!

                          On a further note UCEPROTECT still list your original IP address, implying they received spam from that IP address within the last 7 days.
                          Check it on www.uceprotect.net
                          AndyJG247...that is a nice site. The IP address that was listed was the exact copy of what was in the original message.

                          It would seem then, I believe, that 10-16 was the listed date for my IP address.

                          Do you believe it would be safe to assume then that someone brought a home laptop in to our network to play on the internet and that was the cause of our blacklisting then, AndyJG247?



                          • #14
                            Re: Exchange Blacklist

                            I wouldn't say it was a "nice site" it is just one of many that is only as good as the people that use it. You can use sites like mxtoolbox.com to check multiple blacklists.

                            I can't comment on how your problem originated. If the only things in your tracking logs are valid emails then another host internally is the source. Ideally port 25 should be blocked to all your internal hosts apart from those you specifically want to send from, which is probably just your Exchange box.
                            cheers
                            Andy
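
Added example, not part of any post in this thread: one way to find the internal host that is sending mail directly to the internet, by scanning firewall connection logs for outbound TCP/25 from anything other than the mail server. The log format, the 192.168.1.0/24 LAN range, the Exchange address 192.168.1.10 and the sample lines are all constructed assumptions; adapt the regular expression to your firewall's real format.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed (constructed) log format: "<timestamp> <ALLOW|DENY> TCP src:port -> dst:port"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

SAMPLE_LOG = """\
2008-10-16T02:14:07 ALLOW TCP 192.168.1.10:3051 -> 198.51.100.20:25
2008-10-16T02:14:09 ALLOW TCP 192.168.1.57:1432 -> 203.0.113.25:25
2008-10-16T02:14:09 ALLOW TCP 192.168.1.57:1433 -> 203.0.113.80:25
2008-10-16T02:14:10 ALLOW TCP 192.168.1.57:1434 -> 198.51.100.99:25
2008-10-16T02:14:11 ALLOW TCP 192.168.1.33:2210 -> 203.0.113.5:443
2008-10-16T02:15:02 DENY TCP 192.168.1.57:1440 -> 198.51.100.7:25
""".splitlines()

def direct_smtp_senders(lines, mail_servers, lan="192.168.1.0/24"):
    """Return (src_ip, allowed, denied, distinct_dests) for every LAN host
    outside mail_servers that opened TCP/25 to an address off the LAN."""
    lan_net = ipaddress.ip_network(lan)
    permitted = {ipaddress.ip_address(a) for a in mail_servers}
    hits = defaultdict(lambda: {"ALLOW": 0, "DENY": 0, "dests": set()})
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["dport"] != "25":
            continue                      # unparsable line or not SMTP
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src not in lan_net or dst in lan_net or src in permitted:
            continue                      # only LAN -> internet, non-mail-server
        rec = hits[str(src)]
        rec[m["action"]] += 1
        rec["dests"].add(str(dst))
    rows = [(ip, r["ALLOW"], r["DENY"], len(r["dests"])) for ip, r in hits.items()]
    return sorted(rows, key=lambda t: -(t[1] + t[2]))

if __name__ == "__main__":
    for row in direct_smtp_senders(SAMPLE_LOG, ["192.168.1.10"]):
        print("host %s: %d allowed, %d denied, %d distinct destinations" % row)
```

Once the port 25 block is in place, the DENY count keeps identifying the infected machine even though its mail no longer leaves the site.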