Server Getting Listing In Spam DB? Not Open Relay
Posted: Fri May 12, 2006 3:08 am
Hello Everyone:
I have been running Scalix 10 for about 2 months now on our corporate domain, and it seems that our external IP has somehow been flagged as a spam sender.
Before I made the system live, I did all kinds of open relay testing -- and it all showed that my server was not an open relay; however now I am getting such messages in my postmaster inbox:
Code:
Date: Fri, 12 May 2006 09:05:57 +0300
From: Mail Delivery Subsystem <MAILER-DAEMON@avalon.am-ul.com>
To: postmaster@avalon.am-ul.com
Subject: Postmaster notify: see transcript for details
Auto-Submitted: auto-generated (postmaster-notification)
[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.5K --]
The original message was received at Fri, 12 May 2006 09:05:55 +0300
from localhost
with id k4C65qxb000684
----- The following addresses had permanent fatal errors -----
<ASFI.Notify@redstone.army.mil>
(reason: 550 5.7.1 Rejected: 62.215.232.26 listed at sbl-xbl.spamhaus.org)
----- Transcript of session follows -----
... while talking to pcgw1.redstone.army.mil.:
>>> MAIL From:<>
<<< 550 5.7.1 Rejected: 62.215.232.26 listed at sbl-xbl.spamhaus.org
554 5.0.0 Service unavailable
[-- Attachment #2 --]
[-- Type: message/delivery-status, Encoding: 7bit, Size: 0.3K --]
Reporting-MTA: dns; avalon.am-ul.com
Arrival-Date: Fri, 12 May 2006 09:05:55 +0300
Final-Recipient: RFC822; ASFI.Notify@redstone.army.mil
Action: failed
Status: 5.7.1
Diagnostic-Code: SMTP; 550 5.7.1 Rejected: 62.215.232.26 listed at sbl-xbl.spamhaus.org
Last-Attempt-Date: Fri, 12 May 2006 09:05:57 +0300
[-- Attachment #3 --]
[-- Type: message/rfc822, Encoding: 7bit, Size: 7.5K --]
Date: Fri, 12 May 2006 09:05:55 +0300
From: Mail Delivery Subsystem <MAILER-DAEMON>
To: <ASFI.Notify@redstone.army.mil>
Subject: Warning: could not send message for past 4 hours
Auto-Submitted: auto-generated (warning-timeout)
[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.5K --]
**********************************************
** THIS IS A WARNING MESSAGE ONLY **
** YOU DO NOT NEED TO RESEND YOUR MESSAGE **
**********************************************
The original message was received at Fri, 12 May 2006 04:18:12 +0300
from localhost.localdomain [127.0.0.1]
----- Transcript of session follows -----
<kenblalock@am-ul.com>... Deferred: Connection refused by am-ul.com.
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old
[-- Attachment #2 --]
[-- Type: message/delivery-status, Encoding: 7bit, Size: 0.3K --]
Original-Envelope-Id: 30402131.1147396586221.JavaMail.www@ams5
Reporting-MTA: dns; avalon.am-ul.com
Arrival-Date: Fri, 12 May 2006 04:18:12 +0300
Final-Recipient: RFC822; kenblalock@am-ul.com
Action: delayed
Status: 4.4.1
Remote-MTA: DNS; am-ul.com
Last-Attempt-Date: Fri, 12 May 2006 09:05:55 +0300
Will-Retry-Until: Wed, 17 May 2006 04:18:12 +0300
[-- Attachment #3 --]
[-- Type: message/rfc822, Encoding: 7bit, Size: 5.8K --]
Date: Thu, 11 May 2006 20:16:26 -0500
From: ASFI.Notify@redstone.army.mil
To: kenblalock@am-ul.com
Subject: New Solicitations Have Been Posted at ASFI
x-scalix-Hops: 1
X-Mailer: ColdFusion MX Application Server
X-Spam-Status: No, score=-2.4 required=5.0 tests=BAYES_00,HTML_20_30,
HTML_MESSAGE,NO_REAL_NAME autolearn=no version=3.0.4
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on avalon.am-ul.com
[ ... email follows ...]
As you can see, it seems our IP is listed at spamhaus.org. Before I go and get our IP delisted, I have a few questions:
1. I would like to know if there is a way for Scalix/Sendmail to NOT send back these rejection notices for emails that are sent to non-existent mailboxes, just route them to /dev/null. I believe this may be the reason why our server is getting listed.
2. Is there a way to track, using the message ID, which local IP address is sending the messages? I have tons of messages where it says 'received from 127.0.0.1' or 'received from localhost.localdomain' -- I would like to know how to track this message using its message ID. I am getting a lot of suspect messages in postmaster, and I think that one of the client machines may be infected with some trojan/virus that is responsible for these messages. An example message:
Code:
Date: Thu, 11 May 2006 09:09:10 +0300
From: Mail Delivery Subsystem <MAILER-DAEMON@avalon.am-ul.com>
To: postmaster@avalon.am-ul.com
Subject: Postmaster notify: see transcript for details
Auto-Submitted: auto-generated (postmaster-notification)
[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.4K --]
The original message was received at Thu, 11 May 2006 09:09:02 +0300
from localhost
with id k4B65pX6016891
----- The following addresses had permanent fatal errors -----
<hhd@0731fdc.com>
(reason: 553 Requested action not taken: address blocked)
----- Transcript of session follows -----
... while talking to mail-g2.xinnetdns.com.:
>>> MAIL From:<> SIZE=3845
<<< 553 Requested action not taken: address blocked
501 5.6.0 Data format error
[-- Attachment #2 --]
[-- Type: message/delivery-status, Encoding: 7bit, Size: 0.3K --]
Reporting-MTA: dns; avalon.am-ul.com
Arrival-Date: Thu, 11 May 2006 09:09:02 +0300
Final-Recipient: RFC822; hhd@0731fdc.com
Action: failed
Status: 5.1.3
Diagnostic-Code: SMTP; 553 Requested action not taken: address blocked
Last-Attempt-Date: Thu, 11 May 2006 09:09:10 +0300
[-- Attachment #3 --]
[-- Type: message/rfc822, Encoding: 7bit, Size: 4.5K --]
Date: Thu, 11 May 2006 09:09:02 +0300
From: Mail Delivery Subsystem <MAILER-DAEMON>
To: <hhd@0731fdc.com>
Subject: Warning: could not send message for past 4 hours
Auto-Submitted: auto-generated (warning-timeout)
Is there anything else I should be looking at? What can I do to troubleshoot this problem?
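Added example (Python), not code from the post, from Scalix or from sendmail itself: the second question above is answered by correlating queue IDs in sendmail's syslog output rather than by the message ID. Each message is logged as `queueid: from=..., relay=host [ip]` when it is accepted and `queueid: to=..., dsn=..., stat=...` for each delivery attempt, and a bounce the MTA generates itself is tied to the message it is about by a `bounceid: origid: DSN: reason` line. The script below parses that layout, walks a bounce back to the original submission and its inbound relay, and counts accepted submissions per submitting host so that one LAN address producing most of the failed mail stands out. The sample log lines are constructed for this example; only the queue id k4C65qxb000684, the mail addresses and the remote host names come from the post, and every other queue id and all IP addresses (192.0.2.x, 192.168.1.x) are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sendmail syslog lines (not taken from the original post).
# k4C65qxb000684 and the host/address names appear in the post; the other queue ids
# and all IP addresses (192.0.2.x example range, 192.168.1.23 LAN client) are invented.
SAMPLE_MAILLOG = """\
May 12 04:18:12 avalon sendmail[402]: k4C1IC3a000402: from=<ASFI.Notify@redstone.army.mil>, size=5800, class=0, nrcpts=1, msgid=<cf-123@redstone.army.mil>, proto=ESMTP, daemon=MTA, relay=pcgw1.redstone.army.mil. [192.0.2.10]
May 12 04:18:13 avalon sendmail[405]: k4C1IC3a000402: to=<kenblalock@am-ul.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=35800, relay=am-ul.com., dsn=4.4.1, stat=Deferred: Connection refused by am-ul.com.
May 12 09:05:55 avalon sendmail[684]: k4C65qxb000684: k4C1IC3a000402: DSN: Warning: could not send message for past 4 hours
May 12 09:05:55 avalon sendmail[684]: k4C65qxb000684: from=<>, size=3845, class=0, nrcpts=1, msgid=<200605120605.k4C65qxb000684@avalon.am-ul.com>, relay=localhost [127.0.0.1]
May 12 09:05:57 avalon sendmail[689]: k4C65qxb000684: to=<ASFI.Notify@redstone.army.mil>, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=33845, relay=pcgw1.redstone.army.mil. [192.0.2.10], dsn=5.7.1, stat=Service unavailable
May 12 09:10:01 avalon sendmail[701]: k4C6A1ab000701: from=<user1@am-ul.com>, size=2200, class=0, nrcpts=1, msgid=<a1@am-ul.com>, proto=SMTP, daemon=MTA, relay=[192.168.1.23]
May 12 09:10:02 avalon sendmail[703]: k4C6A1ab000701: to=<hhd@0731fdc.com>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=32200, relay=mail-g2.xinnetdns.com. [192.0.2.20], dsn=5.1.3, stat=User unknown
May 12 09:10:30 avalon sendmail[710]: k4C6AUcd000710: from=<user2@am-ul.com>, size=1800, class=0, nrcpts=1, msgid=<a2@am-ul.com>, proto=SMTP, daemon=MTA, relay=[192.168.1.23]
May 12 09:10:31 avalon sendmail[712]: k4C6AUcd000710: to=<partner@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31800, relay=mx.example.net. [192.0.2.30], dsn=2.0.0, stat=Sent (ok)
"""

# "sendmail[pid]: queueid: rest-of-line"
LINE_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$")
# a generated bounce is linked to the message it reports on as "bounceid: origid: DSN: reason"
DSN_RE = re.compile(r"^(?P<orig>[A-Za-z0-9]+): DSN: (?P<reason>.*)$")
# key=value pairs; a value is <addr>, a "quoted string", or text up to the next comma
KV_RE = re.compile(r'(\w+)=(<[^>]*>|"[^"]*"|[^,]+)')


def parse_maillog(text):
    """Group sendmail log lines by queue id into {qid: record} dictionaries."""
    queues = defaultdict(lambda: {"from": None, "relay_in": None,
                                  "deliveries": [], "bounce_of": None})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("qid") == "NOQUEUE":   # NOQUEUE lines carry no queue record
            continue
        qid, rest = m.group("qid"), m.group("rest")
        dsn = DSN_RE.match(rest)
        if dsn:
            queues[qid]["bounce_of"] = dsn.group("orig")
            continue
        fields = {k: v.strip() for k, v in KV_RE.findall(rest)}
        if "from" in fields:                        # acceptance line: who handed it to us
            queues[qid]["from"] = fields["from"]
            queues[qid]["relay_in"] = fields.get("relay")
        elif "to" in fields:                        # one delivery attempt
            queues[qid]["deliveries"].append(
                {"to": fields["to"], "relay": fields.get("relay"),
                 "dsn": fields.get("dsn", ""), "stat": fields.get("stat", "")})
    return dict(queues)


def origin_of(queues, qid):
    """Follow bounce_of links back to the message that first entered the system.
    Returns (orig_qid, envelope_sender, inbound_relay) or None if qid is unknown."""
    seen = set()
    while qid in queues and queues[qid]["bounce_of"] and qid not in seen:
        seen.add(qid)
        qid = queues[qid]["bounce_of"]
    rec = queues.get(qid)
    if rec is None:
        return None
    return qid, rec["from"], rec["relay_in"]


def submissions_by_relay(queues):
    """Count accepted messages per submitting host/IP, excluding bounces the MTA generated."""
    return Counter(rec["relay_in"] for rec in queues.values()
                   if rec["from"] is not None and rec["bounce_of"] is None)


def permanent_failures(queues):
    """(qid, recipient, stat, submitting_relay) for every attempt that ended with a 5.x.x DSN,
    each traced back to the host that originally submitted the message."""
    out = []
    for qid, rec in queues.items():
        for d in rec["deliveries"]:
            if d["dsn"].startswith("5."):
                origin = origin_of(queues, qid)
                out.append((qid, d["to"], d["stat"], origin[2] if origin else None))
    return out


if __name__ == "__main__":
    q = parse_maillog(SAMPLE_MAILLOG)
    print("bounce k4C65qxb000684 traces to:", origin_of(q, "k4C65qxb000684"))
    print("submissions per relay:", submissions_by_relay(q).most_common())
    for row in permanent_failures(q):
        print("permanent failure:", row)
```

Two things the output makes visible. First, the bounce with id k4C65qxb000684 traces back to a message that arrived from the remote host, was accepted, and could not be passed on to am-ul.com; the warning DSN the server then sent is mail it originated with an empty sender, which is exactly the traffic a receiving site scores as backscatter. The lasting fix is to reject unknown or undeliverable recipients during the SMTP dialogue instead of accepting the message and bouncing it later. Second, when `relay_in` is `localhost [127.0.0.1]`, sendmail only saw a local process (on a Scalix host, Scalix itself) hand it the message, so the client that submitted it has to be found in Scalix's own logs or in the message's `Received:` headers; sendmail can never show more than the last hop it accepted from.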