
Customer called saying their e-mail was bouncing from particular vendors. Investigated it and identified they were listed on more than one RBL/CBL. Restricted firewall to only allow traffic on port 25 from mail server. Then requested removals from RBLs/CBLs.

My question is two-fold:

1) I cannot determine the original culprit for tripping the blacklisting. I am looking for tool recommendations or process recommendations to identify the root issue for resolution.

2) What steps do you use to prevent black listing?

Lucille

3 Answers

To prevent being blacklisted in the future, allow only authorized SMTP servers on the Customer's network to send email (which, I believe, you've already done with the "Restricted firewall..." bit), be sure you're not an open relay, and encourage the Customer not to send unsolicited commercial emails that could be considered spam.

I'm guessing that the Customer got malicious software on a computer that was sending email, and since their computers all could source SMTP to the Internet the malware was able to deliver the emails it was generating.

I'd sniff traffic behind the firewall, bound for the firewall, looking for outbound SYN requests to the Internet on TCP port 25. That might find your culprit machine(s), assuming the malware hasn't figured out what you've done and "gone silent". Wireshark or other sniffer software will do what you need there.

This isn't really an email blacklisting problem, I'm guessing. It's a "users are running as 'Administrator' and allowing malicious third parties to use their computers" problem, I would guess, at the root.

Evan Anderson

I am looking for tool recommendations or process recommendations to identify root issue for resolution

A nasty, horrible, ugly interface but it works quite OK. It was written by Michael Renner (former co-worker) and another friend of mine.

As for finding the ultimate reason: I couldn't come up with anything better than to check the logs. A central logserver is very helpful since you at least have a central place to check what happened.

What steps do you use to prevent black listing?

Be sure to have a working double-opt-in/out readily available. Also, lots of providers have spamtraps where some people will use this address to subscribe to your site, and if your application doesn't have proper double-opt-in and you start sending them more than 1 or 2 emails you will be blacklisted.

Standard stuff like only allowing senders through SMTP+TLS with username and password, proper DNS (reverse DNS) and such should of course be configured.

Also there are a couple of "Whitelist Providers" which will randomly audit you. Of course I forgot the links; we don't really use them since we decided the cost is too high for the service they provide.

Martin M.

To identify the root issue, check the customer's network IP block and be sure that there is an easily discovered abuse handle, registered by ARIN or regional network IP manager. If you are the ISP, be certain that their network block leads to your abuse desk as the abuse contact and that the abuse mailbox is monitored for rapid response.

The end result is that a spam infestation will eventually send spam to a spam-trap or someone such as SpamCop who reports to the abuse contact. Based on this report, you have an IP address to be able to locate the infected machine. This will be a 2-step process if the machine is behind a firewall.

A second common case is where the machine sending spam is a legitimate email server. An email account is compromised by guessing a poor password (such as 'test', 'password', etc), or a keylogger on a computer used to retrieve the email. For this case the spam may be stopped by changing the email account password. It may be necessary for the end user to clean up all machines to prevent the new email password from being leaked by a keylogger. For that case, the owner of the legitimate email server may need to inspect logs for more clues and to make sure that there are not more problems.

Having an active abuse contact address will usually prevent blacklisting since you know about the problem when it starts.

Mike
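The three answers above converge on the same root-cause workflow: log or sniff outbound connections to TCP/25 (Evan), keep those logs somewhere central (Martin), and when an abuse report or RBL listing arrives, use its timestamp to walk back from the firewall's public IP to the LAN host behind the NAT (Mike's "2-step process"). The script below is an added example, not code from any of the answerers: it parses constructed iptables-style LOG lines from a perimeter firewall that records new outbound TCP/25 connections before NAT, counts which LAN hosts are initiating SMTP other than the authorized mail server, and correlates an abuse report's timestamp with that log. The log lines, the LOG prefix `[OUT-SMTP]`, and the MTA address `192.168.1.10` are all assumptions for the example.

```python
"""Find the LAN host behind an RBL listing from firewall logs.

Added example. The log text below is constructed in the style of an
iptables LOG rule on the FORWARD chain (logged before SNAT, so SRC is the
LAN address); the addresses and times are made up.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: every new outbound TCP connection logged with its flags.
FIREWALL_LOG = """\
2024-03-14T10:02:11 fw kernel: [OUT-SMTP] IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.25 PROTO=TCP SPT=51234 DPT=25 SYN
2024-03-14T10:02:13 fw kernel: [OUT-SMTP] IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=25 SYN
2024-03-14T10:02:13 fw kernel: [OUT-SMTP] IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.8 PROTO=TCP SPT=40002 DPT=25 SYN
2024-03-14T10:02:14 fw kernel: [OUT-SMTP] IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.9 PROTO=TCP SPT=40003 DPT=25 SYN
2024-03-14T10:02:20 fw kernel: [OUT-HTTP] IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.9 PROTO=TCP SPT=40004 DPT=80 SYN
2024-03-14T10:05:02 fw kernel: [OUT-SMTP] IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.40 PROTO=TCP SPT=51240 DPT=25 SYN
2024-03-14T11:40:00 fw kernel: [OUT-SMTP] IN=eth1 OUT=eth0 SRC=192.168.1.88 DST=192.0.2.5 PROTO=TCP SPT=33000 DPT=25 SYN
"""

# Assumed address of the one MTA that is allowed to talk SMTP to the Internet.
AUTHORIZED_MAIL_SERVERS = {"192.168.1.10"}

# Tolerant of the extra LEN=/TOS=/WINDOW= fields a real iptables LOG line carries.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: \[(?P<rule>[^\]]+)\] .*?"
    r"SRC=(?P<src>\S+).*?DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?"
    r"DPT=(?P<dpt>\d+)(?P<flags>.*)$"
)


def parse_line(line):
    """Return the fields of one LOG line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.fromisoformat(m.group("ts")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dport": int(m.group("dpt")),
        # A SYN without ACK is a new connection; the LOG line only prints SYN for those.
        "syn": "SYN" in m.group("flags").split(),
    }


def _is_new_smtp(rec, authorized):
    return (rec is not None and rec["proto"] == "TCP" and rec["dport"] == 25
            and rec["syn"] and rec["src"] not in authorized)


def outbound_smtp_syns(log_text, authorized=AUTHORIZED_MAIL_SERVERS):
    """Count new outbound TCP/25 connections per LAN host, ignoring the real MTA.

    Any host that shows up here is sending mail directly to the Internet,
    which is what Evan suggests sniffing for.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if _is_new_smtp(rec, authorized):
            counts[rec["src"]] += 1
    return counts


def correlate_abuse_report(log_text, reported_at, window=timedelta(minutes=5),
                           authorized=AUTHORIZED_MAIL_SERVERS):
    """Step two of the abuse-report process: the report names the firewall's
    public IP and a time; return (time, src, dst) for non-MTA hosts that opened
    SMTP connections within +/- window of that time."""
    if isinstance(reported_at, str):
        reported_at = datetime.fromisoformat(reported_at)
    lo, hi = reported_at - window, reported_at + window
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if _is_new_smtp(rec, authorized) and lo <= rec["time"] <= hi:
            hits.append((rec["time"].isoformat(), rec["src"], rec["dst"]))
    return hits


if __name__ == "__main__":
    print("LAN hosts opening SMTP connections other than the MTA:")
    for src, n in outbound_smtp_syns(FIREWALL_LOG).most_common():
        print(f"  {src}: {n} new connections")
    print("Hosts active around a constructed abuse-report time of 10:03:")
    for hit in correlate_abuse_report(FIREWALL_LOG, "2024-03-14T10:03:00"):
        print("  ", *hit)
```

With the constructed log, `192.168.1.57` stands out with three SMTP connections in two seconds to three different mail hosts, and the `[OUT-HTTP]` line shows why the filter keys on the destination port rather than the LOG prefix. If you do not have such a LOG rule yet, the equivalent live capture for Evan's suggestion is a Wireshark display filter of `tcp.flags.syn == 1 && tcp.flags.ack == 0 && tcp.dstport == 25` on the LAN side of the firewall; adding the LOG rule afterwards gives you the history that Martin's central logserver and Mike's abuse-report correlation both depend on.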