Blacklisted out of the blue
Ok so we are having trouble emailing some of our customers so I do a quick check to find out why. Seems http://njabl.org/ is saying we are an open relay which I had thought I had closed up years ago. So I go thru Google searching on how to find and close this, I followed MS's idea, some other random ideas, and I am not seeing the issue. I run some tests on the web and it says I am fine. I have run the test on abuse.net and it says I'm ok but may or may not be an open relay. I am getting towards my wits' end, can anyone help.

Chris Drobny
Network/System Administrator
LMS Intellibound, Inc.
office 770.724.0562 cell 404.797.9710
cdro...@lmsintellibound.com
Re: Blacklisted out of the blue
http://www.mxtoolbox.com/SuperTool.aspx?action=blacklist%3a

then try this

http://www.mxtoolbox.com/BlacklistSuggestions.aspx

David Nowak
Informations Security & Forensics
Robinson Home Products
RE: Blacklisted out of the blue
Go to the source and ask the horse: http://njabl.org/method.html

"If you would like your server tested, use telnet to connect to port 2500 on rt.njabl.org from the server you want tested. Your server will be tested and you will see the results of the test as it is run.

Note: If you are not sure how your system was used as an open relay, you can telnet as instructed above and the SMTP conversation will display in real time as your system is (re)tested, demonstrating the combination of to/from addresses which result in your system acting as an open relay."
RE: Blacklisted out of the blue
I had this happen about 2 years ago, I signed up with MessageLabs, never had a problem since.

Thank You
~Doug Rooney
Sonoma Tilemakers
IT Manager
7750 Bell Rd. Windsor Ca, 95492
(707) 837-8177 X211
(707) 837-9472 FAX
i...@sonomatilemakers.com
RE: Blacklisted out of the blue
> Ok so we are having trouble emailing some of our customers so I do a
> quick check to find out why. Seems http://njabl.org/ is saying we are an
> open relay which I had thought I had closed up years ago.

Looks like you should go through those barracuda settings again because spammers are likely abusing your public service. If you need to have mobile users relay mail from the field, you need to enable and require some kind of LDAP/AD authentication for all senders. If the barracuda doesn't support authenticated relaying via AD you will have to turn off all relaying except from your exchange server. In this case, the remote users will have to use a vpn of some sort in order to send mail as though they were in the office.

220 barracuda.mail.lmsintellibound.com ESMTP Service ready
helo lmsintellibound.com
250 Requested mail action okay, completed
mail from: administra...@lmsintellibound.com
250 Requested mail action okay, completed
rcpt to: x...@gmail.com
250 Requested mail action okay, completed
data
354 Start mail input; end with .
To: x...@gmail.com
From: administra...@lmsintellibound.com
Subject: Sent from an open relay

Testing out the body
cheers
.
250 Requested mail action okay, completed
quit

Found in a mailbox moments later...woops

Delivered-To: x...@gmail.com
Received: by 10.231.16.65 with SMTP id n1cs224076iba;
        Wed, 30 Sep 2009 07:22:15 -0700 (PDT)
Received: by 10.224.8.136 with SMTP id h8mr5707464qah.25.1254320534533;
        Wed, 30 Sep 2009 07:22:14 -0700 (PDT)
Return-Path:
Received: from barracuda.mail.lmsintellibound.com (mail.lmsintellibound.com [66.64.158.244])
        by mx.google.com with ESMTP id 27si8524489ywh.104.2009.09.30.07.22.14;
        Wed, 30 Sep 2009 07:22:14 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of administra...@lmsintellibound.com designates 66.64.158.244 as permitted sender) client-ip=66.64.158.244;
Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of administra...@lmsintellibound.com designates 66.64.158.244 as permitted sender) smtp.mail=administra...@lmsintellibound.com
To: x...@gmail.com
From: administra...@lmsintellibound.com
Subject: Sent from an open relay
Message-Id: <20090930142153.4f3d923b...@barracuda.mail.lmsintellibound.com>
Date: Wed, 30 Sep 2009 10:21:53 -0400 (EDT)

Testing out the body
cheers

What's really bad here is that all the spam comes from your IP and the sender is also spoofed as you since you have locked down relaying from senders with a domain other than yours. Some chickenboner has probably discovered your service lately...

~JasonG
RE: Blacklisted out of the blue
Currently my people using email do have to VPN in so that isn't a problem. The barracuda is just for filtering spam coming in I don't think I have it relaying mail out. But maybe I am confused. Again nothing has changed in 3 years and I am just getting these open relay messages now. I fought this when I first put the box up and thought I had closed everything off.

Chris Drobny
Network/System Administrator
LMS Intellibound, Inc.
office 770.724.0562 cell 404.797.9710
cdro...@lmsintellibound.com
RE: Blacklisted out of the blue
> Currently my people using email do have to VPN in so that isn't a
> problem.

That's great, all you have to do is disable anonymous relaying.

> The barracuda is just for filtering spam coming in I don't
> think I have it relaying mail out.

Maybe you don't use it for relaying, but it clearly does support it (with the only stipulation being that the envelope from must include @lmsintellibound.com). How else could I have just sent a mail through your server to an arbitrary recipient? There's clearly no check on the sender's IP address or any lookup beyond the domain to see if a sender is authorized to relay. Show the below to your barracuda support channel and they should be able to tell you how to prevent that.

While you're at it make sure your barracuda is not configured to backscatter (this was default in older models). From another mailing list:

On the Barracuda Spam Firewall, the option to turn spam bouncing off can be found in the Basic Tab under Spam Scoring. Near the bottom there is a check box for "Send Bounce." This is checked by default and should be unchecked.

> 220 barracuda.mail.lmsintellibound.com ESMTP Service ready
> helo lmsintellibound.com
> 250 Requested mail action okay, completed
> mail from: administra...@lmsintellibound.com
> 250 Requested mail action okay, completed
> rcpt to: x...@gmail.com
> 250 Requested mail action okay, completed
> data
> 354 Start mail input; end with .
> To: x...@gmail.com
> From: administra...@lmsintellibound.com
> Subject: Sent from an open relay
>
> Testing out the body
> cheers
> .
> 250 Requested mail action okay, completed
> quit
>
> Found in a mailbox moments later...woops
>
> Delivered-To: x...@gmail.com
> Received: by 10.231.16.65 with SMTP id n1cs224076iba;
>         Wed, 30 Sep 2009 07:22:15 -0700 (PDT)
> Received: by 10.224.8.136 with SMTP id h8mr5707464qah.25.1254320534533;
>         Wed, 30 Sep 2009 07:22:14 -0700 (PDT)
> Return-Path:
> Received: from barracuda.mail.lmsintellibound.com
>         (mail.lmsintellibound.com [66.64.158.244])
>         by mx.google.com with ESMTP id
>         27si8524489ywh.104.2009.09.30.07.22.14;
>         Wed, 30 Sep 2009 07:22:14 -0700 (PDT)
> Received-SPF: pass (google.com: best guess record for domain of
>         administra...@lmsintellibound.com designates 66.64.158.244 as permitted
>         sender) client-ip=66.64.158.244;
> Authentication-Results: mx.google.com; spf=pass (google.com: best guess
>         record for domain of administra...@lmsintellibound.com designates
>         66.64.158.244 as permitted sender)
>         smtp.mail=administra...@lmsintellibound.com
> To: x...@gmail.com
> From: administra...@lmsintellibound.com
> Subject: Sent from an open relay
> Message-Id:
>         <20090930142153.4f3d923b...@barracuda.mail.lmsintellibound.com>
> Date: Wed, 30 Sep 2009 10:21:53 -0400 (EDT)
>
> Testing out the body
> cheers

~JasonG
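
Added example, not part of the thread and not Barracuda's own logic: a small Python model of the relay decision discussed above, putting the rule the test exposed (accept when the envelope sender claims the local domain) beside a rule that relays only for trusted client IPs or authenticated sessions. The domain, addresses and function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (documentation IP ranges, example domains);
# none of them come from the thread.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_RELAY_NETS = [ipaddress.ip_network("192.0.2.10/32")]  # internal mail server


@dataclass(frozen=True)
class Envelope:
    client_ip: str       # address of the connecting SMTP client
    authenticated: bool  # True if the client completed SMTP AUTH
    mail_from: str       # envelope sender (MAIL FROM)
    rcpt_to: str         # envelope recipient (RCPT TO)


def domain_of(address: str) -> str:
    """Lower-cased domain part; empty for the null sender <>."""
    address = address.strip().strip("<>")
    return address.rsplit("@", 1)[1].lower().rstrip(".") if "@" in address else ""


def weak_policy(env: Envelope) -> bool:
    """Accept when either side of the envelope names a local domain.
    MAIL FROM is client-supplied, so anyone can satisfy the second clause."""
    return (domain_of(env.rcpt_to) in LOCAL_DOMAINS
            or domain_of(env.mail_from) in LOCAL_DOMAINS)


def hardened_policy(env: Envelope) -> bool:
    """Always accept inbound mail for local recipients; relay to other
    domains only for trusted client IPs or authenticated sessions."""
    if domain_of(env.rcpt_to) in LOCAL_DOMAINS:
        return True
    ip = ipaddress.ip_address(env.client_ip)
    return env.authenticated or any(ip in net for net in TRUSTED_RELAY_NETS)


def relay_exposure(envelopes):
    """Envelopes the weak rule relays but the hardened rule refuses."""
    return [e for e in envelopes if weak_policy(e) and not hardened_policy(e)]


SESSIONS = [
    # Unauthenticated Internet host claiming a local sender (the thread's case).
    Envelope("203.0.113.50", False, "administrator@example.com", "someone@example.net"),
    # Ordinary inbound mail from the Internet to a local mailbox.
    Envelope("203.0.113.50", False, "stranger@example.org", "user@example.com"),
    # Internal mail server sending outbound.
    Envelope("192.0.2.10", False, "user@example.com", "partner@example.net"),
    # Remote user who authenticated before sending.
    Envelope("198.51.100.7", True, "user@example.com", "partner@example.net"),
    # Third-party relay attempt with no local domain anywhere.
    Envelope("203.0.113.50", False, "stranger@example.org", "other@example.net"),
]

if __name__ == "__main__":
    for env in SESSIONS:
        print(f"{env.client_ip:<14} {env.mail_from:<26} -> {env.rcpt_to:<20} "
              f"weak={weak_policy(env)} hardened={hardened_policy(env)}")
    print("exposed:", relay_exposure(SESSIONS))
```

Only the first session differs between the two rules: inbound delivery, the internal server and the authenticated user keep working once the sender-domain clause is removed.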
Re: Blacklisted out of the blue
Could it be a bot? We were recently blacklisted. After doing some digging I found that one of our machines had a spambot on it that was causing the problem.

BJ

No trees were killed in the sending of this message, but a large number of electrons were terribly inconvenienced.
RE: Blacklisted out of the blue
Thank you guys for all your help. I shoulda called Barracuda first. Had one setting that was a "little" unsecure and that's why the bastards were flagging me. I think it is beer thirty even though it is 1:00

Chris Drobny
Network/System Administrator
LMS Intellibound, Inc.
office 770.724.0562 cell 404.797.9710
cdro...@lmsintellibound.com
Re: Blacklisted out of the blue
On Wed, Sep 30, 2009 at 12:52 PM, Chris Drobny wrote:
> Had one setting that was a “little” unsecure ...

Is that like being a "little bit pregnant"?

-- Ben
Re: Blacklisted out of the blue
LOL

-- ME2
RE: Blacklisted out of the blue
Approximately.