
  • Blacklisting


    I have a situation where my mail server is constantly getting blacklisted. From my troubleshooting I have narrowed the issue down to two things: a client computer sending from my public IP address has a virus (the clients contact the router directly; I am not using a Windows 2003 firewall).

    Or there is some sort of relaying going through the Exchange 2003 box. I have checked all the security settings and run the Microsoft Exchange Best Practices and Microsoft Baseline Security tools, which don't show up any issues.

    In order to try and work out what is going on I have implemented a smarthost to send mail. This helps, but our public IP address is still getting blacklisted, and the domain name is blacklisted as well on some mail servers. The two main entities that are blacklisting us are SpamCop and Spamhaus.

    In the Queue folder in the mailroot I have from time to time noticed emails addressed to domain users and other fictitious users @ourdomainname with spam-like messages. I manually delete these messages when I see them.

    What precautions or tests can I run to see that the mail server is not relaying mail, and possibly block viruses from sending from this public IP address / mail server? I have done a port scan and most of our ports are blocked on our router's WAN interface; however, I have noticed that recently port 1001 (which is a common trojan port) shows up as stealthed, but not blocked?

    My internal clients are going quite nuts at this point, as this has been a bit of a long-standing issue.

    Any help you can offer me here would be greatly appreciated; it is getting to a bit of a desperate stage.


    Last edited by Cogent; 20th June 2006, 02:44.

  • #2
    Re: Blacklisting

    Viruses coming from machines on your network is one problem you should identify and take care of right away.

    Blacklisted mail servers are a dime a dozen. As I have been running an Exchange server out of my basement for a few years now on broadband, I can tell you a few things that will get you blacklisted:

    1. Open relay on your mail server. There is no excuse for this. This will get you blacklisted faster than you can say jack rabbit, and rightfully so. There are websites on the internet that will test your mail server for an open relay. You should also know the simple procedure for locking down your SMTP virtual server from being an open relay. If you don't know how, ask.

    2. Hosting a mail server on broadband. DSL or cable modem, doesn't matter. There is a list of IP addresses circulating the internet and making its way into the hands of ISPs and others who run mail servers. The list basically identifies all ranges of well-known broadband IP addresses. Many organizations, companies, universities, and ISPs blacklist every broadband IP address on the list because broadband mail servers are a common source of spam/etc. The spam problem has gotten so bad over the years that a common and widely adopted approach is to proactively blacklist all the broadband mail servers even if most of them are "good guys". AOL was one of the first to champion this policy. I spent many hours arguing with them on the phone a few years ago when they were blocking outbound email from my hosted customers. I got nowhere with them; they were firm on their policy. Worse yet, many others have now adopted that same policy. I have a mental note of many ISPs which will no longer accept my email, which is a pain because if I have to email someone at that ISP, I have to forward the email through my work email address. The alternative here is to co-locate your mail server in a reputable data center, but the cost for that is significant and you lose the convenience of performing scheduled maintenance on a box in your basement.

    3. This ties into #2. Your mail server's FQDN in the header doesn't match the reverse lookup record currently maintained in DNS. I.e. my mail server's FQDN is c3po.boche.mcse; however, the reverse lookup record (or PTR record) for my server's IP address as seen on the internet is c3po.boche.mcse <> and therefore is another reason for blacklisting.
    VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+ - VMware Virtualization Evangelist
    My advice has no warranties. Follow at your own risk.
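Points 1 and 3 above are both things you can check yourself rather than waiting for a blacklist to tell you. The following script is an added example written for this thread (it is not the poster's code and not taken from any relay-test site): it implements a forward-confirmed reverse DNS check (the PTR for the server's public IP must equal the name the server announces, and that name must resolve back to the same IP) and an open-relay probe that does what the public relay testers do, namely ask the server to accept mail from one outside domain to another and watch the reply code to RCPT TO. The IP addresses and host names in it are placeholders; the resolver and SMTP session are injectable so the logic can be exercised without network access.

```python
"""FCrDNS check and open-relay probe for a mail server (added example).

Both checks default to the real resolver / a real SMTP connection, but accept
stub callables so they can be unit-tested offline.
"""
import smtplib
import socket
import sys


def fcrdns_check(ip, helo_name, ptr_lookup=None, a_lookup=None):
    """Return (ok, detail).

    ok is True only when the PTR record for `ip` equals `helo_name`
    (case-insensitive, trailing dot ignored) and that name resolves back to
    `ip`.  A mismatch is what point 3 above describes; a missing PTR is worse.
    """
    ptr_lookup = ptr_lookup or (lambda addr: socket.gethostbyaddr(addr)[0])
    a_lookup = a_lookup or (lambda name: socket.gethostbyname(name))
    try:
        ptr = ptr_lookup(ip)
    except OSError as exc:          # socket.herror / gaierror are OSError
        return False, "no PTR for %s (%s)" % (ip, exc)
    if ptr.rstrip(".").lower() != helo_name.rstrip(".").lower():
        return False, "PTR %s does not match HELO name %s" % (ptr, helo_name)
    try:
        back = a_lookup(ptr)
    except OSError as exc:
        return False, "PTR name %s does not resolve (%s)" % (ptr, exc)
    if back != ip:
        return False, "%s resolves to %s, not %s" % (ptr, back, ip)
    return True, "FCrDNS ok: %s <-> %s" % (ip, ptr)


def probe_open_relay(host, port=25, sender="probe@example.net",
                     recipient="relaytest@example.org", session_factory=None):
    """Ask `host` to relay from one outside domain to another.

    Returns (is_open_relay, rcpt_code, rcpt_message).  A 250 to RCPT TO for a
    recipient the server is not responsible for means it relays for anyone.
    DATA is never sent, so no message is actually delivered.
    """
    factory = session_factory or (lambda: smtplib.SMTP(host, port, timeout=15))
    smtp = factory()
    try:
        smtp.ehlo()
        code, msg = smtp.mail(sender)
        if code != 250:
            return False, code, msg
        code, msg = smtp.rcpt(recipient)
        return code == 250, code, msg
    finally:
        try:
            smtp.quit()
        except smtplib.SMTPException:
            pass


if __name__ == "__main__":
    # usage: python relaycheck.py <public-ip> <server-fqdn>
    public_ip, fqdn = sys.argv[1], sys.argv[2]
    print(fcrdns_check(public_ip, fqdn)[1])
    is_open, code, msg = probe_open_relay(fqdn)
    print("OPEN RELAY" if is_open else "relay refused", code, msg)
```

Run the relay probe from a machine outside your own network; from inside, an Exchange 2003 SMTP virtual server that grants relay to the local subnet will say 250 and you will think you have an open relay when you do not.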


    • #3
      Re: Blacklisting


      I just checked the SMTP virtual circuit and anonymous authentication was allowed along with basic and integrated authentication on the Access tab. I have now removed this setting.

      Should I contact the ISP hosting my domain name and ask them to update my records, or is there a way to do it in my server's DNS? When I do an nslookup on the domain I get two different responses for and; could this contribute to the blacklist? Would the mail servers be resolving the mail record or just the domain record?

      Thanks for your help.




      • #4
        Re: Blacklisting


        The server passed all third-party tests I ran on it for relaying mail. I have the email running through a smarthost, but the IP address of the server is still getting blacklisted.

        When you do an nslookup on the mail DNS record for the domain it still shows the IP address which is blacklisted; I imagine this is the reason why we are still experiencing mail issues when we aren't sending from this IP address.

        Presently the server is not firewalling the traffic; all client computers contact the router / gateway directly and get onto the internet. Do you think that if I installed a second network card in the server and ran the Windows 2003 firewall I might be able to block any virus / malware traffic on the network?

        Also can you recommend an easy to use network sniffer that might help me to identify which pc is causing the problem on the network.

        Thanks heaps for all your help, I am very grateful.


        • #5
          Re: Blacklisting

          Running anti-virus software on all the machines on your network will usually rat out the infected server. However, if you would like to take the sniffer approach, I like using Microsoft Network Monitor (SMS version). Ethereal is also a decent sniffer that is more intuitive. You may be able to talk to your ISP on the phone and they may identify an infected computer for you. You may not have an infected computer. Some ISPs will shut off your service if you have a rogue computer that is infected with a virus. It takes a phone call from you to get the service turned back on and you will need to ensure that you have taken care of the infected computer or your service will get shut off again.
          VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+ - VMware Virtualization Evangelist
          My advice has no warranties. Follow at your own risk.


          • #6
            Re: Blacklisting

            Personally I would get my hands on a real firewall - something like a small Netscreen or a PIX 501. Then set up the rules so that the only machine that can send email out is the Exchange server, and the only address it can send to is the smart host.

            Then turn up logging and wait. The compromised machine will show up very quickly.

            In fact those rules could be left in place. There are very few reasons why users should be sending smtp email, if anyone tries you can see immediately and go and have a quiet word.

            As already pointed out - your ISP will very soon block your access. You have been lucky to get away with it so far. I have known ISPs to block access because of a single report and you have to prove to them that you are clean before the service will be reinstated. Fine in a small company - but get over 80 or 90 machines and it becomes a problem.

            Simon Butler
            Exchange MVP

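The "turn up logging and wait" step in the post above, and the question in #4 about finding which PC is the culprit, come down to one policy: outbound TCP/25 is allowed only from the Exchange server to the smart host, and everything else is logged. The following is an added example, not code from any poster or firewall vendor: it reads firewall log lines and reports every internal host that tried to open a port-25 connection outside that one permitted pair, ranked by attempts. The log format is a constructed generic "ACTION TCP src:port -> dst:port" form rather than real Netscreen or PIX syslog output, and the internal Exchange and smart-host addresses are assumed placeholders; adapt the regex to your own firewall's format. It counts ALLOW lines as well as DENY lines, so run on logs from before the rule was tightened it still shows who was sending direct.

```python
"""Rank internal hosts talking SMTP to anyone other than the smart host
(added example; log format and addresses are constructed placeholders)."""
import re
from collections import defaultdict

EXCHANGE_IP = "192.168.1.10"      # assumed: the Exchange 2003 server
SMARTHOST_IP = "198.51.100.25"    # assumed: the ISP smart host

# Constructed sample log.  Only one legitimate path exists: Exchange -> smarthost.
SAMPLE_LOG = """\
Jun 20 02:41:03 fw kernel: ALLOW TCP 192.168.1.10:4021 -> 198.51.100.25:25
Jun 20 02:41:09 fw kernel: DENY TCP 192.168.1.57:1043 -> 203.0.113.5:25
Jun 20 02:41:09 fw kernel: DENY TCP 192.168.1.57:1044 -> 203.0.113.77:25
Jun 20 02:41:10 fw kernel: DENY TCP 192.168.1.57:1045 -> 198.51.100.9:25
Jun 20 02:41:12 fw kernel: ALLOW TCP 192.168.1.23:2201 -> 203.0.113.80:80
Jun 20 02:41:15 fw kernel: DENY TCP 192.168.1.10:4022 -> 203.0.113.5:25
Jun 20 02:41:20 fw kernel: DENY TCP 192.168.1.57:1046 -> 203.0.113.5:25
"""

LINE_RE = re.compile(
    r"(?P<action>ALLOW|DENY) TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return (action, src, dst, dport) or None for lines we do not understand."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["action"], m["src"], m["dst"], int(m["dport"])


def smtp_offenders(log_text, exchange_ip=EXCHANGE_IP, smarthost_ip=SMARTHOST_IP):
    """Map src IP -> {"attempts": n, "destinations": [..]} for every TCP/25
    connection that is not Exchange -> smart host.  Exchange itself shows up
    here if it tries to deliver directly instead of via the smart host."""
    hits = defaultdict(lambda: {"attempts": 0, "destinations": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _action, src, dst, dport = rec
        if dport != 25:
            continue
        if src == exchange_ip and dst == smarthost_ip:
            continue                      # the one permitted path
        hits[src]["attempts"] += 1
        hits[src]["destinations"].add(dst)
    return {
        src: {"attempts": v["attempts"], "destinations": sorted(v["destinations"])}
        for src, v in hits.items()
    }


def ranked(offenders):
    """[(src, attempts), ...] most active first; the top entry is the
    machine to pull off the network and scan."""
    return sorted(((s, v["attempts"]) for s, v in offenders.items()),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    found = smtp_offenders(SAMPLE_LOG)
    for src, attempts in ranked(found):
        print("%-16s %3d attempts -> %s"
              % (src, attempts, ", ".join(found[src]["destinations"])))
```

In the constructed sample, 192.168.1.57 fans out to three different mail servers in eleven seconds, which is the signature of a spam bot doing its own MX delivery; the single direct attempt from the Exchange server is worth a look too, since with a smart host configured it should never be talking to anything but the smart host on port 25.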