How to set Exchange 2007 to be unlisted from backscatter.org!?
Hi All!

Due to a database management problem with my ISP, my static I.P was forcibly changed and I'm doing my best to get it back! For the moment I've had to change my DNS stuff to have my servers back on the Net! Unfortunately, I soon found out that my current allocated IP address is not only blacklisted by Spamcannibal that doesn't allow delisting but also by the controversial Backscatter.org! My problem is there, since I'm listed for 1 month and I can't unlist unless I pay for it, what I obviously don't want to do! I don't really know how many black listing mechanisms rely on its database, but what I do know is that I want to be removed from their list ASAP!

Here's the kind of message you get when you find out that you're listed:

Testresult for 81.56.xx.xx:

This IP IS CURRENTLY LISTED in our Database.

Please note that this listing does not mean you are a spammer, it means your mailsystem is either poorly configured or it is using abusive techniques. If you don't know what BACKSCATTER or Sender Callouts are, click the links above to get clue how to stop that kind of abuse.

To track down what happened investigate your smtplogs near 09.09.2009 13:40 CEST +/-10 minutes. You will either find that your system tried to send bounces or autoresponders to claimed but in reality faked senders, or your system tried sender verify callouts against our members near that time. So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM and which got rejected at remote systems. Read the rejection texts carefully and it shouldn't be a big deal to figure out what caused or renewed your listing.

Obviously, I'm not a spammer, but I probably didn't set properly my brand new Exchange 2007 Server! What are the recommended settings to avoid the mentioned "backscatter" or "Sender callouts" and where can I find the logs to investigate the event mentioned in this analysis? At the moment, my server is set with default settings, and I use GFI Mail Security v14.0 to fight spam for my part.

Any help or clues would be highly appreciated to avoid being relisted permanently by this private org and any other blacklisting system!

Thx in advance,
PhiL.
September 18th, 2009 7:23pm
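
Added example, not part of the original thread: one way to search an Exchange send protocol log for what the listing notice describes, outgoing transactions with a null or postmaster envelope sender that the remote system rejected. The function name, sample lines, addresses and rejection text are constructed; it assumes protocol logging is enabled on the send connector (`ProtocolLoggingLevel Verbose`) and that the log uses the standard nine-field CSV layout.

```powershell
function Find-RejectedBounce {
    param(
        [string[]]$LogLine,              # raw lines from one or more send protocol logs
        [datetimeoffset]$Around,         # time from the listing notice, with its UTC offset
        [int]$WindowMinutes = 10
    )
    $fields = 'date-time','connector-id','session-id','sequence-number',
              'local-endpoint','remote-endpoint','event','data','context'
    $rows = $LogLine | Where-Object { $_ -and $_ -notmatch '^#' } |
            ConvertFrom-Csv -Header $fields
    $open = @{}                          # session-id -> pending bounce transaction
    foreach ($row in $rows) {
        $sid = $row.'session-id'
        if ($row.event -eq '>' -and $row.data -match '^MAIL FROM:') {
            # Track only transactions whose envelope sender is <> or postmaster@...
            if ($row.data -match '^MAIL FROM:<(postmaster@[^>]*)?>') {
                $open[$sid] = @{ MailFrom = $row.data; Rcpt = $null }
            } else { $open.Remove($sid) }
        }
        elseif ($row.event -eq '>' -and $row.data -match '^RCPT TO:<([^>]*)>' -and $open[$sid]) {
            $open[$sid].Rcpt = $Matches[1]
        }
        elseif ($row.event -eq '<' -and $row.data -match '^5\d\d' -and $open[$sid]) {
            # A 5xx reply from the remote server inside a tracked transaction.
            $when  = [datetimeoffset]$row.'date-time'
            $delta = ($when.UtcDateTime - $Around.UtcDateTime).TotalMinutes
            if ([math]::Abs($delta) -le $WindowMinutes) {
                [pscustomobject]@{
                    TimeUtc   = $when.UtcDateTime; Remote = $row.'remote-endpoint'
                    MailFrom  = $open[$sid].MailFrom
                    Recipient = $open[$sid].Rcpt;  Rejection = $row.data
                }
            }
        }
    }
}

# Constructed sample lines in the send protocol log's CSV layout (log timestamps are UTC).
$sample = @'
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2009-09-09T11:38:02.100Z,Internet,08CBFF01,3,192.0.2.10:2301,198.51.100.25:25,>,MAIL FROM:<> SIZE=3921,
2009-09-09T11:38:02.310Z,Internet,08CBFF01,5,192.0.2.10:2301,198.51.100.25:25,>,RCPT TO:<forged@example.net>,
2009-09-09T11:38:02.500Z,Internet,08CBFF01,6,192.0.2.10:2301,198.51.100.25:25,<,550 5.7.1 rejected (constructed text),
2009-09-09T11:39:10.000Z,Internet,08CBFF02,3,192.0.2.10:2302,203.0.113.7:25,>,MAIL FROM:<phil@example.org>,
2009-09-09T11:39:10.400Z,Internet,08CBFF02,4,192.0.2.10:2302,203.0.113.7:25,<,250 2.1.0 Sender OK,
'@ -split "`r?`n"
# 13:40 CEST (+02:00) is 11:40 UTC, which is how the log records it.
Find-RejectedBounce -LogLine $sample -Around '2009-09-09T13:40:00+02:00'
```

For real data, pass `Get-Content` output from the folder shown by `Get-TransportServer | Format-List SendProtocolLogPath`. Only the first session in the sample is reported; the second has a normal sender and no rejection.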

Lists like backscatter are one of the reasons the RBLs get a bad rap. I use the Spamhaus lists and am very pleased with my results. I have never heard of someone mistakenly being listed on the Spamhaus lists. However, others are another story. Frequently, these lists include known DHCP and dial-up ranges in their lists so they can be more effective. However, ISPs are not always very good at managing which IP ranges are static and assigned to customers versus IP addresses that are part of their DHCP ranges. Time Warner is not only notorious for blocking DHCP-based IP addresses, but also giving their static IP customers IPs from DHCP ranges.

Anyway, if this is due to your ISP, you need to go back to them right now and DEMAND that they get your original, functional IP address back. Or, they need to provide you an SMTP relay through which you can send outbound mail until they can get this resolved. Getting off of some of these RBLs can be time consuming or almost impossible.

One thing I did note was that the date/time in the backscatter message was 9/9/2009. Did you have this IP address during this timeframe?

Jim McBee - Blog - http://mostlyexchange.blogspot.com
September 19th, 2009 3:50am

On Fri, 18-Sep-09 16:23:57 GMT, Fazer 49 wrote:

>Hi All! Due to a database management problem with my ISP, my static I.P was forcibly changed and I'm doing my best to get it back! For the moment I've had to change my DNS stuff to have my servers back on the Net! Unfortunately, I soon found out that my current allocated IP address is not only blacklisted by Spamcannibal that doesn't allow delisting but also by the controversial Backscatter.org! My problem is there, since I'm listed for 1 month and I can't unlist unless I pay for it, what I obviously don't want to do! I don't really know how many black listing mechanisms rely on its database, but what I do know is that I want to be removed from their list ASAP

You can check a pretty good number of DNSBLs all at once from http://www.mstoolbox.com

>Here's the kind of message you get when you find out that you're listed:
>
>Testresult for 81.56.xx.xx: This IP IS CURRENTLY LISTED in our Database. Please note that this listing does not mean you are a spammer, it means your mailsystem is either poorly configured or it is using abusive techniques. If you don't know what BACKSCATTER or Sender Callouts are, click the links above to get clue how to stop that kind of abuse. To track down what happened investigate your smtplogs near 09.09.2009 13:40 CEST +/-10 minutes. You will either find that your system tried to send bounces or autoresponders to claimed but in reality faked senders, or your system tried sender verify callouts against our members near that time. So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM and which got rejected at remote systems. Read the rejection texts carefully and it shouldn't be a big deal to figure out what caused or renewed your listing.
>
>Obviously, I'm not a spammer, but I probably didn't set properly my brand new Exchange 2007 Server! What are the recommended settings to avoid the mentioned "backscatter" or "Sender callouts" and where can I find the logs to investigate the event mentioned in this analysis?
>
>At the moment, my server is set with default settings, and I use GFI Mail Security v14.0 to fight spam for my part. Any help or clues would be highly appreciated to avoid being relisted permanently by this private org and any other blacklisting system!
>
>Thx in advance, PhiL.

Have you installed the anti-spam agents on your hub transport server? If you use your HT to receive email from the Internet (i.e. you don't and GFI isn't rejecting email sent to addresses that don't exist in your AD, then you should. You'll find a PowerShell script in the "Scripts" directory (probably "C:\Program Files\Microsoft\Exchange Server\Scripts") named "install-AntispamAgents.ps1". Run it.

When it's done, use the EMC and navigate to the "Server Configuration | Hub Transport" container and select your HT server. Select the "Anti-Spam" tab and enable "Recipient Filtering". Then look at the properties page of that item. Select the "Blocked Recipients" tab and check the box labeled "Block messages sent to recipients . . .".

Now your server won't accept a message it can't deliver. If you don't accept a message you don't have to send a NDR -- that's now the job of the transmitting server.

---
Rich Matheisen
MCSE+I, Exchange MVP
September 19th, 2009 6:40am
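
Added example, not part of Rich's post: the Exchange Management Shell equivalent of the steps he describes, followed by a check that the server now refuses an unknown recipient at RCPT TO instead of accepting the message and sending an NDR later. `Test-RecipientRejection`, the host name and the addresses are hypothetical, and the probe is meant for your own server only.

```powershell
# --- Exchange Management Shell, on the Hub Transport server ---
# Scripts path as quoted in the thread ("probably"); adjust to the local install.
Set-Location 'C:\Program Files\Microsoft\Exchange Server\Scripts'
.\install-AntispamAgents.ps1
Restart-Service MSExchangeTransport     # agents load when the transport service restarts

# Shell equivalent of enabling "Recipient Filtering" and checking the
# "Block messages sent to recipients . . ." box on the "Blocked Recipients" tab.
Set-RecipientFilterConfig -Enabled $true -RecipientValidationEnabled $true
Get-RecipientFilterConfig | Format-List Enabled, RecipientValidationEnabled

# --- Verification, from any host allowed to reach port 25 on that server ---
function Test-RecipientRejection {
    param(
        [string]$Server,                       # your own HT server (assumed reachable on tcp/25)
        [string]$Recipient,                    # an address that does NOT exist in an accepted domain
        [string]$Sender = 'probe@example.org'  # constructed envelope sender
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, 25)
    try {
        $stream = $client.GetStream()
        $stream.ReadTimeout = 30000            # rejections may be delayed by a few seconds
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true
        # Read one SMTP reply, skipping continuation lines such as "250-SIZE".
        $readReply = {
            do { $line = $reader.ReadLine() } while ($line -match '^\d{3}-')
            $line
        }
        $null = & $readReply                   # 220 banner
        foreach ($cmd in "EHLO $env:COMPUTERNAME", "MAIL FROM:<$Sender>") {
            $writer.WriteLine($cmd)
            $null = & $readReply
        }
        $writer.WriteLine("RCPT TO:<$Recipient>")
        $reply = & $readReply                  # the answer that matters
        $writer.WriteLine('QUIT')
        $reply
    }
    finally { $client.Close() }
}

# Hypothetical call; a reply starting with 5 (typically 550 5.1.1) means the
# message is refused during the SMTP session and no NDR is generated.
# Test-RecipientRejection -Server mail.example.org -Recipient no-such-user@example.org
```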

Hi Jim, Hi Rich

First of all, thanks very much for your answer!

--> Jim:

>Anyway, if this is due to your ISP, you need to go back to them right now and DEMAND that they get your original, functional IP address back. Or, they need to provide you an SMTP relay through which you can send outbound mail until they can get this resolved. Getting off of some of these RBLs can be time consuming or almost impossible.

I agree with you, but the problem is that over there in France many I.S.P are being bought by bigger ones and now a few of them are left... I was certainly a victim as many other "small" professional this "black day", and even though you keep calling the hotline, they are dependent on the new structure that doesn't necessarily prioritize small customers... Their answer: either you accept this fact or you leave! Anyway, your suggestion, to ask for a host relay could be a good idea since for the moment "only" two domains bounce my emails!

>One thing I did note was that the date/time in the backscatter message was 9/9/2009. Did you have this IP address during this timeframe?

No, my I.P was "slammed" a couple of weeks ago, but this black listing occurred with this new I.P address! I checked out on MXtoolbox (yes Rich, I'm using this site as well as some others for a couple of years and that's how I found out that I was blacklisted as soon as the first email was rejected) and any other useful site and I can see that my previous I.P address is still "clean"!

--> Rich:

>Have you installed the anti-spam agents on your hub transport server?

You mean Microsoft ones?

>If you use your HT to receive email from the Internet (i.e. you don't and GFI isn't rejecting email sent to addresses that don't exist in your AD, then you should.

Ok, if you're talking about Microsoft Exchange Server built-in anti-spam solution, I didn't know for sure if I had to set it since I was using GFI solution, as I thought it could interfere and be of no use! But reading your comments, I should have done it...

Yes, indeed, I'm using my HT to receive emails from Internet. I'm managing our own domain name emails as well as some I.S.P accounts for some users! That's how I can bypass this problem at the moment!

>You'll find a PowerShell script in the "Scripts" directory (probably "C:\Program Files\Microsoft\Exchange Server\Scripts") named "install-AntispamAgents.ps1". Run it.

I will run it ASAP! ;-)

>When it's done, use the EMC and navigate to the "Server Configuration | Hub Transport" container and select your HT server. Select the "Anti-Spam" tab and enable "Recipient Filtering". Then look at the properties page of that item. Select the "Blocked Recipients" tab and check the box labeled "Block messages sent to recipients . . .".

Ok, I'll get back to the manual and try to set it properly! Any suggestion on these specific settings as to whose emails should be blocked or allowed?

>Now your server won't accept a message it can't deliver. If you don't accept a message you don't have to send a NDR -- that's now the job of the transmitting server.

Ok, so, for this specific setting that I was considering when I first posted this question, should I untick all or part of the options to:

- Allow automatic answers replies
- Allow automatic forwards
- Allow delivery reports
- Allow non-delivery reports

Thanks again for your help!

PhiL.
September 19th, 2009 11:10am

On Sat, 19-Sep-09 08:10:32 GMT, Fazer 49 wrote:

[ snip ]

>Rich:
>>Have you installed the anti-spam agents on your hub transport server?
>
>You mean Microsoft ones?

Yes, I do.

>>If you use your HT to receive email from the Internet (i.e. you don't and GFI isn't rejecting email sent to addresses that don't exist in your AD, then you should.
>
>Ok, if you're talking about Microsoft Exchange Server built-in anti-spam solution, I didn't know for sure if I had to set it since I was using GFI solution, as I thought it could interfere and be of no use! But reading your comments, I should have done it...

If GFI is doing content filtering there's no need to use what MS supplies. I was suggesting that if GFI is not rejecting email for addresses that don't exist in your domain that you should use the "Recipient Filtering" agent on Exchange. That's not installed by default -- you have to install it.

>Yes, indeed, I'm using my HT to receive emails from Internet. I'm managing our own domain name emails as well as some I.S.P accounts for some users! That's how I can bypass this problem at the moment!
>
>>You'll find a PowerShell script in the "Scripts" directory (probably "C:\Program Files\Microsoft\Exchange Server\Scripts") named "install-AntispamAgents.ps1". Run it.
>
>I will run it ASAP! ;-)
>
>>When it's done, use the EMC and navigate to the "Server Configuration | Hub Transport" container and select your HT server. Select the "Anti-Spam" tab and enable "Recipient Filtering". Then look at the properties page of that item. Select the "Blocked Recipients" tab and check the box labeled "Block messages sent to recipients . . .".
>
>Ok, I'll get back to the manual and try to set it properly! Any suggestion on these specific settings as to whose emails should be blocked or allowed?

I'm not suggesting that you block or allow anything except mail sent to domains in your "accepted domains" that don't have an email address in those domains.

There's very little to set up. Either you accept all the email sent to your "accepted domains" and then send NDRs for the addresses that don't exist, or you refuse to accept addresses you can't deliver email to. It's a "yes/no" binary choice.

>>Now your server won't accept a message it can't deliver. If you don't accept a message you don't have to send a NDR -- that's now the job of the transmitting server.
>
>Ok, so, for this specific setting that I was considering when I first posted this question, should I untick all or part of the options to:
>- Allow automatic answers replies
>- Allow automatic forwards
>- Allow delivery reports
>- Allow non-delivery reports

Well, those are all policy choices you can make...

Allow automatic replies: I'd disable that...

Allow automatic forward: A decision that should be made in concert with your legal counsel and management team. Will the "unconscious disclosure" of information present a problem for them?

I don't see a problem with allowing DSNs, but that's also a policy decision you get to make. :-)

>Thanks again for your help! PhiL.

---
Rich Matheisen
MCSE+I, Exchange MVP
September 19th, 2009 9:11pm

This topic is archived. No further replies will be accepted.
