A while ago I wrote about UCEProtect and how they were blocking a mail server due to an IP on a nearby segment being classed as a spam sender.
Well today, I’ve hit another problem with UCEProtect – and this time it’s worse!
It started when the client started getting bounce messages on emails sent to AT&T’s network:
#5.3.0 smtp;553 5.3.0 flpd124 – o2N8qxwF027519, DNSBL:ATTRBL 521< *.*.*.* > _is_blocked.__For_information_see_http://att.net/blocks
Following the link to AT&T, there’s a form to request a de-listing, but no mention of why you’re getting blocked.
Now I’ve seen similar to this before, so knew to check out the following site which searches all the popular blacklists for listings:
http://www.mxtoolbox.com/blacklists.aspx
All came back clear, apart from one – backscatterer.org which was a new one to me? So here’s the background on backscatterer.org.
Non-Delivery Reports and Backscatter
When you send an email to an organization, but spell the person’s name wrongly, you get a bounce message. This bounce message is generated in one of two ways.
1) The recipient server receives the email and then attempts to route it to the destination mailbox. When it finds the mailbox doesn’t exist – it generates the bounce message.
2) The recipient server looks up the recipient name when the sending server starts the conversation. When it finds the mailbox doesn’t exist – it terminates the connection, leaving the sending server to generate the NDR (non-delivery report)
If your server is configured using method (1) above (which is a valid method and within the guidelines of the SMTP protocol) then backscatterer.org will blacklist you!!!
Now there are valid reasons for this – spammers send mail to nonexistent mailboxes with a forged sender address, so your mail server ends up delivering the NDR to that forged address.
However, for them to then charge you 50 Euros to be removed from the list is a joke! If you don’t pay to be removed – they’ll blacklist you for 4 weeks!
50 Euros to be delisted because your mail server is working correctly… Hmmm…
Anyway, first here’s how to test your mailserver to see if it is vulnerable:
Telnet to your server on port 25, so : “telnet <serverip> 25”
You should receive a response similar to :
220 MAILSERVER.MYDOMAIN.COM Microsoft ESMTP MAIL Service, Version 6.0.3790.3959 ready at Tue, 23 Mar 2010 11:33:16 +0000
Type : “Helo sample.domain.com”
Response : “MAILSERVER.MYDOMAIN.COM Hello”
Type : “mail from: [email protected]”
Response : “250 2.1.0 [email protected]….Sender Ok”
Type : “RCPT TO: [email protected]”
At this point you should receive “555 User unknown”
If you receive “250 .2.1.5 [email protected]” – then you have a problem.
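The telnet check above as a script, using Python's smtplib (an added example, not part of the original post; the probe sender address and the function names are placeholders chosen here). It stops after RCPT TO, so no message is ever sent.

```python
import smtplib
import uuid


def classify_rcpt_reply(code):
    """Verdict for the RCPT TO reply given to a mailbox that does not exist."""
    if 200 <= code < 300:
        return "accepts-unknown"   # mail is taken now and bounced later (method 1)
    if 500 <= code < 600:
        return "rejects-unknown"   # refused during the conversation (method 2)
    return "inconclusive"          # 4xx: temporary failure, e.g. greylisting


def probe(host, domain, port=25, helo="sample.domain.com",
          sender="probe@sample.domain.com", timeout=15):
    """Repeat the telnet test once; no DATA is sent, so nothing is delivered.

    Returns (verdict, reply_code, reply_text).
    """
    # Random local part, so the mailbox cannot exist unless the domain is catch-all.
    rcpt = "no-such-user-%s@%s" % (uuid.uuid4().hex[:12], domain)
    with smtplib.SMTP(host, port, local_hostname=helo, timeout=timeout) as smtp:
        smtp.helo(helo)
        mail_code, mail_text = smtp.mail(sender)
        if mail_code != 250:
            # Sender refused: the RCPT answer would not tell us anything.
            return "inconclusive", mail_code, mail_text.decode("ascii", "replace")
        code, text = smtp.rcpt(rcpt)
        smtp.rset()  # abandon the transaction before QUIT
    return classify_rcpt_reply(code), code, text.decode("ascii", "replace")


if __name__ == "__main__":
    import sys
    # usage: python probe.py <serverip> <maildomain>
    print(probe(sys.argv[1], sys.argv[2]))
```

A catch-all mailbox also answers 250 here, so check for one before treating "accepts-unknown" as a misconfiguration.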
The Fix (for Exchange 2003)
1) In System Manager, go to Global Settings, right click Message Delivery and select properties
2) Check the box “Filter recipients who are not in the directory”
3) Go To Administrative Group, Servers, Protocols, SMTP, right click and select properties.
4) Under Advanced, select Edit and Check the box that says “Apply Recipient Filter”.
5) Restart the SMTP Service for the change to take effect.
If I were you I’d check my mailserver and apply the above fix before you get blacklisted and have to pay the 50 euros…
Oh – and if you’re blacklisted by AT&T – here’s the form to request delisting : http://worldnet.att.net/general-info/block_admin.html
Isn’t what UCEProtect define as ‘backscatter’ actually a fundamental part of the basic SMTP mail protocol?
They are trying to make a change to how ALL email works just because they feel like it.
If I send an email to a contact, and it is not delivered, I want to know. I can then phone and get their new email address, correct my typo or whatever. Blocking all NDRs will break the usefulness of email, or force all senders to use delivery confirmation (which many servers block anyway).
Poor idea, brought to you by the same company that charges money to get your NON spamming IP removed from their blocklists – which they add just because someone on a similar IP was sending spam or had a poorly configured server. I’d suggest any mail server owner avoids using them as a blacklist provider.
Now they charge 72 EUR for immediate delisting!!
Incredible…. I am trying to receive emails from a company I work a lot with, but I simply cannot because they are listed with this company. None of the other spamlists have them listed, just this one.
Who are they to decide if a domain should be listed or not, leave that up to me and nobody else….
How can we stop these idiots?