Error transferring to foo.bar; SMTP Protocol Returned a Permanent Error 554 Service unavailable; Client host [127.0.0.1.mycompany.com] blocked by zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=127.0.0.1
Another could be something similar to this:
Error transferring to mail.yourdomain.COM; SMTP Protocol Returned a Permanent Error 550 5.7.1 127.0.0.1 has been blocked by Spamhaus
I think that if you work in messaging, the picture is becoming clear. Something is wrong with the IP Address of your outgoing SMTP server.
To make sure that there is really something amiss in messaging land, a little research is needed. There are several sites to assist you; I will outline my favorites. Whichever sites you choose, the outcomes will be similar.
The first stop is TrustedSource. Entering your outbound SMTP server's IP Address, or the IP Address associated with your MX record, in the site's search box, you may be presented with a screen similar to this:

This graphic really shows you that there may be a problem. Your eyes should be drawn to the last few days of outgoing mail originating from your server's IP Address. While this is alarming, we should still take the analysis a little further.
Heading over to MXToolbox, you enter your domain name in the search box:

and click the MX Lookup button. The results may look similar to this:

Noticing that there is a link for "Blacklist Check," you click it. The results:

Where your IP Address is shown to be on a blacklist, MXToolbox provides a link for more details. In this example, we click on the link for CBL:

The nice thing about the "Details" links is that when you click them, you are usually taken to the page that will help you get your IP Address off of the selected blacklist. While this will reduce your time searching for answers, it does not reduce the time required to have your IP Address actually removed from the blacklist. Expect, in most cases, 24-48 hours until it is removed. Not pleasant, I know.
In this particular case, the work is still not done. Somewhere on the network is a workstation that, in my opinion, has been hijacked by a "bot," and will require a thorough cleaning before it will be permitted to plug back into the network. However, the Messaging Administrator now has the tools to get mail flowing out to the internet, without bouncing back to the sender because the organization is on a blacklist.
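What a blacklist check does underneath, as an added example that is not part of the original post: pull the SMTP code and IP address out of a bounce line like the two at the top, build the DNSBL query name, and interpret the answer. The function names are hypothetical; the return codes are the ones Spamhaus publishes for the ZEN zone, and the lookup is stubbed with a constructed answer so the script runs offline.

```python
import ipaddress
import re
import socket

# Return codes Spamhaus publishes for the ZEN zone; other lists use their own.
ZEN = {2: "SBL", 3: "SBL CSS", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
       10: "PBL", 11: "PBL"}

def parse_bounce(line):
    """Return (smtp_code, ip) from a non-delivery line like the two above."""
    m = re.search(r"Permanent Error (\d{3})", line)
    code = m.group(1) if m else None
    for cand in re.findall(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}", line):
        try:
            return code, str(ipaddress.IPv4Address(cand))
        except ValueError:
            continue  # four dotted numbers that are not a valid address
    return code, None

def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """DNSBL convention: the IP's octets reversed, then the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def _resolve(name):
    return socket.gethostbyname_ex(name)[2]  # all A records for the name

def check(ip, zone="zen.spamhaus.org", resolve=_resolve):
    """Sub-lists the IP is on, [] if not listed, None if the answer is unusable."""
    try:
        answers = resolve(dnsbl_name(ip, zone))
    except OSError:
        # NXDOMAIN means "not listed". A dead resolver looks the same here,
        # so confirm DNS works before trusting a clean result.
        return []
    hits = set()
    for a in answers:
        if a.startswith("127.255.255."):
            return None  # Spamhaus error code (e.g. query via a public resolver)
        hits.add(ZEN.get(int(a.rsplit(".", 1)[1]), a))
    return sorted(hits)

if __name__ == "__main__":
    # Constructed bounce line and answer; 192.0.2.25 is a documentation address.
    code, ip = parse_bounce("SMTP Protocol Returned a Permanent Error 554 "
                            "Client host [192.0.2.25] blocked by zen.spamhaus.org")
    fake = lambda name: ["127.0.0.4", "127.0.0.11"]
    print(code, ip, dnsbl_name(ip), check(ip, resolve=fake))
```

Drop the `resolve=` argument to query the list for real, from a resolver that is allowed to query it.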
Comment posted by Albert Buendia 06/03/2010 03:13:11 AM
Superb Gregg post!
Comment posted by Charles Robinson 06/03/2010 08:45:33 AM
Homepage: http://www.cubert.net
That's some good information on how to track down the problem. I'm not pointing fingers, but client machines shouldn't be able to route mail out on port 25. You can restrict that on the router, firewall and in Domino.
Comment posted by Maria Helm 06/03/2010 09:14:45 AM
Homepage: http://www.mariahelm.com
Nice walkthrough.
The problem might not be a client machine. The Domino server might be an open relay, receiving and forwarding on spam/malware from another source.
To prevent relaying:
In the server config, Router/SMTP > Restrictions and Controls > SMTP Inbound Controls... set the following Inbound Relay Controls fields:
"Deny messages to be sent to the following external internet domains: *"
"Deny messages from the following internet hosts to be sent to external internet domains:*"
(* means all)
Comment posted by Karl-Henry Martinsson 06/03/2010 10:49:24 AM
Homepage: http://www.texasswede.com
Just a bit of caution: do not try to get removed from the blocklists until the issue has been fixed. Many of them frown on that, and if more spam is sent out (or rather received by their spamtraps), you will be listed again, sometimes with a longer time before you are eligible to be removed. I know one site used to delist after 24 hrs the first time, but if more spam was received after that, the IP was blocked for a full month...
You can also go to the newsgroup news.admin.net-abuse.blocklisting, a moderated group discussing blocklisting.
Comment posted by MxToolBox 06/04/2010 11:31:04 AM
Homepage: http://mxtoolbox.com
We agree, this is a great walk through and a good beginning to resolving problems with Blacklists. As Karl-Henry mentioned, we do not recommend requesting removal until you are sure the issue is fixed. If you continually request removal the Blacklists may make it harder to get removed.
Also as mentioned above, the Details link once you have completed a Blacklist lookup is information right from the Blacklist. Usually the list will give you a general idea of why they listed you and if it was your specific IP or just your range. If it is your specific IP, then we'd recommend closing outbound traffic on port 25 to all machines except for your mail server. Then of course make sure that your mail server is fully patched and scanned for any type of malicious code, viruses, malware, spyware, etc. Lastly, if you have a managed switch or router with the ability to monitor your traffic, you can do some snooping around there to see who might be the troublemaker.
Let us know if we can help with anything else.
@MxToolBox
Comment posted by Gregg Eldred 06/08/2010 02:53:53 PM
Homepage: http://www.ns-tech.com/blog/geldred.nsf
Thank you, all, for your comments. I am hoping to update this post once I get a hold of the firewall logs. Taking all of the workstations off of the network and scanning them for malware led me to one bad apple. It seems that this issue has been resolved. But we have to wait for a couple of the blacklist sites to rescan the IP Address.
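Added example, not part of the original post or its comments: one way to use firewall logs to find the machine the comments describe, by ranking internal hosts other than the mail server that open connections to port 25 on the internet. The log layout, the addresses and the function name are constructed assumptions; adapt the parsing to your firewall's format.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed firewall log; the key=value layout is an assumption, adapt the
# regex to your device. 10.0.0.10 plays the Domino/SMTP server.
SAMPLE_LOG = """\
2010-06-03T02:14:01 action=allow proto=tcp src=10.0.0.10 dst=198.51.100.20 dport=25
2010-06-03T02:14:03 action=allow proto=tcp src=10.0.0.57 dst=203.0.113.5 dport=25
2010-06-03T02:14:03 action=allow proto=tcp src=10.0.0.57 dst=203.0.113.77 dport=25
2010-06-03T02:14:04 action=allow proto=tcp src=10.0.0.33 dst=198.51.100.80 dport=443
2010-06-03T02:14:04 action=allow proto=tcp src=10.0.0.57 dst=198.51.100.9 dport=25
2010-06-03T02:14:05 action=allow proto=tcp src=10.0.0.57 dst=10.0.0.10 dport=25
2010-06-03T02:14:06 action=allow proto=tcp src=10.0.0.57 dst=198.51.100.200 dport=25
2010-06-03T02:14:09 action=allow proto=tcp src=10.0.0.81 dst=203.0.113.5 dport=25
2010-06-03T02:14:10 truncated line without fields
"""

KV = re.compile(r"(\w+)=(\S+)")

def rogue_smtp_senders(log_text, mail_servers, internal="10.0.0.0/8"):
    """Rank internal hosts, other than mail_servers, that reach tcp/25 outside.

    Returns (source, connections, distinct destinations), widest fan-out first.
    """
    lan = ipaddress.ip_network(internal)
    conns = defaultdict(int)
    dsts = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(KV.findall(line))
        if f.get("proto") != "tcp" or f.get("dport") != "25":
            continue
        try:
            src = ipaddress.ip_address(f["src"])
            dst = ipaddress.ip_address(f["dst"])
        except (KeyError, ValueError):
            continue  # malformed record
        # Skip the approved relay, and internal-to-internal mail submission.
        if src not in lan or dst in lan or str(src) in mail_servers:
            continue
        conns[str(src)] += 1
        dsts[str(src)].add(str(dst))
    return sorted(((s, conns[s], len(dsts[s])) for s in conns),
                  key=lambda r: (-r[2], -r[1], r[0]))

if __name__ == "__main__":
    for row in rogue_smtp_senders(SAMPLE_LOG, {"10.0.0.10"}):
        print("%-12s connections=%d destinations=%d" % row)
```

A workstation that contacts many different mail hosts directly is the pattern to look for; once outbound port 25 is closed to everything except the mail server, the same report run over denied connections shows which hosts are still trying.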