-2

The static IP address my MTA (running Exchange 2013) is running on has been blacklisted by SPAMHAUS PBL.

This IP address range has been identified by Spamhaus as not meeting our policy for IP addresses permitted to deliver unauthenticated 'direct-to-mx' email to PBL users.

As I understand it, that means that Spamhaus has detected MSAs connecting to my Exchange server via SMTP port 25 instead of port 587. Is that correct?

Being that all the MSAs are either Outlook 2013 or Outlook for iOS, I don't see how any of those would be connecting over port 25.

Any help would be much appreciated.

Thanks

simonlehmann

2 Answers

2

This usually means that the IP address that your server is using is listed as dynamic in the Spamhaus database. Just request an exclusion directly from them.

grondie
1

It's not possible for a 3rd party to detect how many connections users make to your environment unless the 3rd party has access to your environment (or is part of the connection flow).

So the correct answer here is that your Exchange server is listed in the Spamhaus database for the reasons written in the Spamhaus FAQ:

Due to the vast volumes of compromised PCs spewing spam "direct-to-mx" from dynamic domestic Internet connections, most major mail systems choose not to accept unauthenticated SMTP mail from servers on dynamic IPs.

Unless you use Authenticated SMTP, there is no way for a machine to differentiate between legitimate email sent by your server from a dynamic IP and spam mail sent by a virus on a dynamic IP next door to yours. So, most networks make it their policy not to accept unauthenticated SMTP email sent "direct-to-mx" from dynamic IP pools. The Spamhaus PBL enables networks to enforce this policy.

If you're on a dynamic IP address and you absolutely need to run your own mail server, then use your ISP's outgoing mail relay as a 'smarthost'. If your ISP does not provide an outgoing mail relay, find a commercial smarthost provider. Such smarthosting arrangements are very common and inexpensive; contact your ISP or a hosting company for information. You can still accept inbound mail directly onto your server, PBL does not affect that.

Industry best practice is to block outgoing port 25 of dynamic pools; see M3AAWG documents (formerly MAAWG).

As you outlined, you aren't using a dynamic IP address, so it might be a false positive, as also mentioned by Symantec here. So you might wish to get in contact with Spamhaus directly, explain the issue, and have them remove your system from the blacklist (via the Spamhaus Blocklist Removal Center), as explained here:

A feature of the PBL is the elimination of 'false positives' with a server-identifying and automatic removal mechanism for single IP addresses. This allows end users with static IP addresses within a larger dynamic pool, and legitimate mail server operators, to assert that in their opinion their IP addresses are a trustworthy source of email and to automatically remove (suppress) their IP addresses from the PBL database. Safeguards are built in to prevent abuse of this facility by spammers (and particularly by automated bots).

BastianW
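To confirm that an address is on the PBL (a policy listing) and not also on a reputation list before requesting removal, here is a DNSBL lookup, added as an example and not part of either answer. The `zen.spamhaus.org` zone and the return codes are taken from Spamhaus's public documentation, not from this page; the function names are hypothetical and `192.0.2.25` is a constructed documentation address.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"  # assumption: combined Spamhaus zone, not named on the page

# A-record return codes published by Spamhaus for the ZEN zone.
LISTS = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS", "127.0.0.9": "SBL DROP",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
}

def query_name(ip, zone=ZONE):
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify(answers):
    """Map returned A records to list names; 127.255.255.x means the query failed."""
    errors = [a for a in answers if a.startswith("127.255.255.")]
    if errors:
        # e.g. 127.255.255.254: query arrived via a public/open resolver
        raise RuntimeError("DNSBL query refused, result is not a listing: %s" % errors)
    return sorted({LISTS.get(a, "unknown code " + a) for a in answers})

def check(ip, resolver=socket.gethostbyname_ex):
    """Return the lists an IP appears on; an empty list means NXDOMAIN (not listed)."""
    try:
        _, _, answers = resolver(query_name(ip))
    except socket.gaierror as exc:
        if exc.args[0] in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return []
        raise  # timeouts and other resolver failures are not "clean" results
    return classify(answers)

def policy_only(listings):
    """True when every listing is PBL: a policy entry, not evidence of sent spam."""
    return bool(listings) and all(name.startswith("PBL") for name in listings)

if __name__ == "__main__":
    found = check("192.0.2.25")  # constructed address; replace with the MTA's public IP
    print(found, "policy-only" if policy_only(found) else "")
```

Run it through your own recursive resolver; if `policy_only` is false, the other listings need to be resolved before a PBL removal will restore delivery.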