A while ago I wrote about UCEProtect and how they were blocking a mail server due to an IP on a nearby segment being classed as a spam sender.

Well today, I’ve hit another problem with UCEProtect – and this time it’s worse!

It started when the client started getting bounce messages on emails sent to AT&T’s network:

#5.3.0 smtp;553 5.3.0 flpd124 – o2N8qxwF027519, DNSBL:ATTRBL 521< *.*.*.* > _is_blocked.__For_information_see_http://att.net/blocks

Following the link to AT&T, there’s a form to request a de-listing, however no mention of why you’re getting blocked?

Now I’ve seen similar to this before, so knew to check out the following site which searches all the popular blacklists for listings:

http://www.mxtoolbox.com/blacklists.aspx

All came back clear, apart from one – backscatterer.org which was a new one to me?     So here’s the background on backscatterer.org.

Non-Delivery Reports and Backscatter

When you send an email to an organization, but spell the persons name wrongly, you get a bounce message.   This bounce message is generated in one of two ways.

1) The recipient server receives the email and then attempts to route it to the destination mailbox.   When it finds the mailbox doesn’t exist – it generates the bounce message.

2) The recipient server looks up the recipient name when the sending server starts the conversation.   When it finds the mailbox doesn’t exist – it terminates the connection, leaving the sending server to generate the NDR (non-delivery report)

If your server is configured using method (1) above (which is a valid method and withing the guidelines of the SMTP protocol) then backscatterer.org will blacklist you!!!

Now there are valid reasons for this – spammers are using the NDRs as a way to get your mail server to send spam NDRs by using fake email addresses.

However form them to then charge you 50 Euros to be removed from the list is a joke!   If you don’t pay to be removed – they’ll blacklist you for 4 weeks!

50 Euros to be delisted because your mail server is working correctly…   Hmmm…

Anyway, first here’s how to test your mailserver to see if it it vulnerable:

Telnet to your server on port 25, so : “telnet <serverip> 25″

You should receive a response similar to :

220 MAILSERVER.MYDOMAIN.COM Microsoft ESMTP MAIL Service, Version 6.0.3790.3959 ready at Tue, 23 Mar 2010 11:33:16 +0000

Type : “Helo sample.domain.com”Response : “MAILSERVER.MYDOMAIN.COM Hello”

Type : “mail from: fake@fakedomain.com”
Response : “250 2.1.0 fake@fakedomain.com….Sender”fake@fakedomain.com….Sender Ok”

Type : “RCPT TO:  wrongname@mydomain.com”

At this point you should receive “555 User unknown”

If you receive “250 .2.1.5 wrongname@mydomain.com” – then you have a problem.

The Fix (for Exchange 2003)

1) In System Manager, go to Global Settings, right click Message Delivery and select properties

2) Check the box “Filter recipients who are not in the directory”

3) Go To Administrative Group, Servers, Protocols, SMTP, right click and select properties. 

4) Under Advanced, select Edit and Check the box that says “Apply Recipient Filter”.

5) Restart the SMTP Service for the change to take effect.

If I were you I’d check my mailserver and apply the above fix before you get blacklisted and have to pay the 50 euros…

Oh – and if you’re blacklisted by AT&T – here’s the form to request delisting : http://worldnet.att.net/general-info/block_admin.html

I’ve seen a number of emails recently which appear to be from Microsoft with advice about a critical patch you need to install.  

The latest one was titled “Install Critical Update for Microsoft Outlook” regarding patch “officexp-KB910721-FullFile-ENU.exe“

Delete these emails – they’re not legit!   MS would never email you with advice like this as you should be using automatic updates to receive any patches from them.

TIP:

If you hover your mouse over the link in the email – you’ll see that it doesn’t actually link back to Microsoft – instead it links back to a random address that “looks” like Microsoft.  In my example it was linking to a site along the lines of update.microsoft.com.1lfx.mx.com.   If you don’t pay attention – it’s easy to miss the “1lfx.mx.com” and think that this is linking to MS.

Had a client with a blocked SMTP server this week.   After taking a look at a few bounce messages it became evident that the connection had just been terminated by the remote host.

Verifying the problem is possible, using telnet to the remote host on port 25 from your local mail server:

telnet <remote mail server> 25

If you get disconnected immediately – you’re probably getting blocked as a spam sender.   Here’s a useful site to check the status of your mail server with a variety of filters:

http://www.mxtoolbox.com/blacklists.aspx

After clearing an erroneous block, mail started flowing again (albeit after a few hours).

I’ll be keeping an eye on the above site for any further warnings on this mail server….