A while ago I wrote about UCEProtect and how they were blocking a mail server due to an IP on a nearby segment being classed as a spam sender.

Well today, I’ve hit another problem with UCEProtect – and this time it’s worse!

It started when the client started getting bounce messages on emails sent to AT&T’s network:

#5.3.0 smtp;553 5.3.0 flpd124 – o2N8qxwF027519, DNSBL:ATTRBL 521< *.*.*.* > _is_blocked.__For_information_see_http://att.net/blocks

Following the link to AT&T, there’s a form to request a de-listing, but no mention of why you’re getting blocked.

Now I’ve seen similar to this before, so knew to check out the following site which searches all the popular blacklists for listings:

http://www.mxtoolbox.com/blacklists.aspx

All came back clear, apart from one – backscatterer.org, which was a new one to me. So here’s the background on backscatterer.org.

 

Non-Delivery Reports and Backscatter

When you send an email to an organization but misspell the person’s name, you get a bounce message. This bounce message is generated in one of two ways.

1) The recipient server accepts the email and then attempts to route it to the destination mailbox. When it finds the mailbox doesn’t exist, it generates the bounce message itself.

2) The recipient server looks up the recipient name when the sending server starts the conversation. When it finds the mailbox doesn’t exist, it terminates the connection, leaving the sending server to generate the NDR (non-delivery report).

If your server is configured using method (1) above (which is a valid method and within the guidelines of the SMTP protocol) then backscatterer.org will blacklist you!!!

Now there are valid reasons for this – spammers forge the sender address on mail sent to non-existent mailboxes, so your mail server ends up delivering the NDR (and the spam it carries) to whoever owns the forged address.

However, for them to then charge you 50 Euros to be removed from the list is a joke! If you don’t pay to be removed – they’ll blacklist you for 4 weeks!

50 Euros to be delisted because your mail server is working correctly…   Hmmm…

Anyway, first here’s how to test your mailserver to see if it is vulnerable:

Telnet to your server on port 25, so : “telnet <serverip> 25”

You should receive a response similar to :

220 MAILSERVER.MYDOMAIN.COM Microsoft ESMTP MAIL Service, Version 6.0.3790.3959 ready at Tue, 23 Mar 2010 11:33:16 +0000

Type : “Helo sample.domain.com”
Response : “MAILSERVER.MYDOMAIN.COM Hello”

Type : “mail from: [email protected]”
Response : “250 2.1.0 [email protected]….Sender Ok”

Type : “RCPT TO: [email protected]” (use a mailbox that does not exist on your server)

At this point you should receive “555 User unknown”

If you receive “250 2.1.5 [email protected]” – then you have a problem.
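The same check can be scripted against your own server. The following is an added example, not part of the original post: `probe_rcpt` and `start_fake_server` are hypothetical helper names, the addresses are constructed, and the fake server is a stand-in so the script runs offline. Any 5xx reply to RCPT TO is treated as a rejection.

```python
import smtplib
import socket
import threading

def probe_rcpt(host, port, bogus_rcpt, sender="postmaster@example.com"):
    """Offer a recipient that does not exist and classify the server's answer."""
    with smtplib.SMTP(host, port, local_hostname="sample.domain.com",
                      timeout=10) as smtp:
        smtp.helo()
        smtp.mail(sender)
        code, _ = smtp.rcpt(bogus_rcpt)
        smtp.rset()  # abandon the transaction: no DATA, so nothing is sent
    if 500 <= code < 600:   # permanent failure during the SMTP conversation
        return code, "rejects unknown recipients at RCPT TO"
    if 200 <= code < 300:   # accepted now, so an NDR would be generated later
        return code, "accepts unknown recipients: backscatter source"
    return code, "inconclusive (temporary failure)"

def start_fake_server(filter_recipients):
    """Constructed one-connection SMTP stand-in so the example runs offline."""
    srv = socket.create_server(("127.0.0.1", 0))

    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"220 fake.example ESMTP\r\n")
            for line in lines:
                verb = line.decode().strip().upper()
                if verb.startswith("RCPT") and filter_recipients:
                    reply = b"550 5.1.1 User unknown\r\n"
                elif verb.startswith("QUIT"):
                    reply = b"221 bye\r\n"
                else:
                    reply = b"250 OK\r\n"
                conn.sendall(reply)
                if verb.startswith("QUIT"):
                    break
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for filtering in (True, False):  # with and without recipient filtering
        port = start_fake_server(filtering)
        print(filtering, probe_rcpt("127.0.0.1", port, "no-such-user@example.com"))
```

To check a real server, call `probe_rcpt` with your own server's address, port 25 and a mailbox you know does not exist.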

 

The Fix (for Exchange 2003)

1) In System Manager, go to Global Settings, right click Message Delivery and select properties

2) Check the box “Filter recipients who are not in the directory”

3) Go To Administrative Group, Servers, Protocols, SMTP, right click and select properties. 

4) Under Advanced, select Edit and Check the box that says “Apply Recipient Filter”.

5) Restart the SMTP Service for the change to take effect.

If I were you I’d check my mailserver and apply the above fix before you get blacklisted and have to pay the 50 euros…

Oh – and if you’re blacklisted by AT&T – here’s the form to request delisting : http://worldnet.att.net/general-info/block_admin.html