I think that is exactly what is going on here. I can't see any other traffic out of the network besides the NDRs... Mark, what did you end up doing in the end?

On Thu, Apr 10, 2014 at 8:09 AM, Reimer, Mark <[email protected]> wrote:

> Blue host caught me too. I was getting spammed (to non-existent accounts), and my server was sending NDRs. Of course, the NDRs were going to people who didn’t exist, and they blocked our email. And as in Steve’s case, we weren’t listed on mxtoolbox.
>
> My two cents.
>
> Mark
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Steve Ens
> *Sent:* Wednesday, April 09, 2014 3:06 PM
> *To:* [email protected]
> *Subject:* Re: [Exchange] Relaying
>
> It was a site called bluehost. If I went to mxtoolbox, we weren't listed anywhere.
>
> On Wed, Apr 9, 2014 at 4:04 PM, J- P <[email protected]> wrote:
>
> When you were blacklisted, did you see what RBL you were listed on, or why you were listed?
> I had a site where there was a lone workstation in the far end of the warehouse used only for checking schedules; sure enough, that was the affected/infected PC that was part of a bot-net causing the blacklisting.
>
> Jean-Paul Natola
>
> ------------------------------
>
> Date: Wed, 9 Apr 2014 11:54:11 -0500
> Subject: Re: [Exchange] Relaying
> From: [email protected]
> To: [email protected]
>
> I've also put a firewall rule into the default domain policy to block all port 25 traffic between clients. I'll see if that helps.
>
> On Wed, Apr 9, 2014 at 11:49 AM, J- P <[email protected]> wrote:
>
> You can get blacklisted without SMTP traffic, simply by machines trying to access certain websites known as sinkhole servers
> http://www.spamhaus.org/faq/section/Spamhaus%20XBL
>
> ------------------------------
>
> Date: Tue, 8 Apr 2014 21:55:27 -0500
> Subject: Re: [Exchange] Relaying
> From: [email protected]
> To: [email protected]
>
> I think Don has not been in this conversation yet, and I do use Vipre for backscatter and spam protection. I don't think having 600 messages undelivered in the queue is reasonable. We have been blacklisted a couple of times and been delisted so far. I also have all traffic on port 25 blocked out of the firewall except for the Exchange box. I'm looking at the SMTP logs and can't see anything off yet.
>
> On Tue, Apr 8, 2014 at 7:07 PM, Richard Stovall <[email protected]> wrote:
>
> I think this answer is correct in some circumstances, but not universally by any means. Don, do you have any backscatter protection enabled? This would eliminate these as NDRs resulting from spam from spoofed addresses you own. If you don't have backscatter protection, my guess is that spam which does spoof existing addresses would be far more problematic than that which does not.
>
> On Tue, Apr 8, 2014 at 7:13 PM, Mike Tavares <[email protected]> wrote:
>
> The sender <> is normal Exchange NDRs being delivered. Since your Exchange server is authoritative for your domain, any messages addressed to non-existent email addresses will cause these; since a lot of spam has bogus addresses, you tend to see them sitting in your queues for a while. They will eventually time out and go away on their own.
>
> Nothing to worry about.
>
> *From:* Steve Ens <[email protected]>
> *Sent:* Tuesday, April 08, 2014 4:30 PM
> *To:* [email protected]
> *Subject:* [Exchange] Relaying
>
> I'm running Exchange 2010 here with all the service packs. I think that I must have misconfigured one of my receive connectors. I know I am not an open relay from the outside, but I think I have a machine inside my network that is compromised and using Exchange to send out, since I have many messages sitting in my queue that are undeliverable. Any suggestions as to how I'd determine from which IP these messages are originating? The sender always looks like <>. I've opened up the message tracking logs, but can't find any incriminating evidence there.
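
The following is an added example, not code from any poster in this thread: one way to answer the original question of which IP the queued `<>` messages trace back to, by linking each DSN event in a message tracking log to the RECEIVE event of the message that caused it. It assumes the log's `#Fields:` header uses the column names shown, that a DSN event's `reference` column holds the original message's `message-id`, and that the LAN is 10.0.0.0/8; the log lines are constructed sample data.

```python
import csv
import ipaddress
from collections import Counter

# Assumption: hosts on the LAN live in this range; adjust to the site.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines using a subset of the tracking-log columns.
SAMPLE_LOG = """\
#Fields: date-time,client-ip,source,event-id,message-id,reference,recipient-address
2014-04-08T21:01:10Z,203.0.113.45,SMTP,RECEIVE,<a1@spam.example>,,nobody1@corp.example
2014-04-08T21:01:11Z,,DSN,DSN,<ndr1@corp.example>,<a1@spam.example>,forged1@victim.example
2014-04-08T21:02:10Z,203.0.113.45,SMTP,RECEIVE,<a2@spam.example>,,nobody2@corp.example
2014-04-08T21:02:11Z,,DSN,DSN,<ndr2@corp.example>,<a2@spam.example>,forged2@victim.example
2014-04-08T21:03:10Z,10.0.4.17,SMTP,RECEIVE,<b1@pc17.corp.example>,,typo@partner.example
2014-04-08T21:03:12Z,,DSN,DSN,<ndr3@corp.example>,<b1@pc17.corp.example>,user@corp.example
2014-04-08T21:04:00Z,,DSN,DSN,<ndr4@corp.example>,<gone@old.example>,forged3@victim.example
"""

def read_events(log_text):
    """Return one dict per event, using the '#Fields:' header for column names."""
    fields, rows = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split(",")
        elif line and not line.startswith("#"):
            rows.append(line)
    if fields is None:
        raise ValueError("no #Fields header found")
    return list(csv.DictReader(rows, fieldnames=fields))

def ndr_sources(log_text, internal_nets=INTERNAL_NETS):
    """Count NDRs per submitting IP of the message that caused each one."""
    events = read_events(log_text)
    received_from = {e["message-id"]: e["client-ip"]
                     for e in events if e["event-id"] == "RECEIVE"}
    counts = Counter()
    for e in (x for x in events if x["event-id"] == "DSN"):
        ip = received_from.get(e["reference"])
        if not ip:  # original message rolled out of the log window
            counts[("unknown", "original not in this log")] += 1
            continue
        inside = any(ipaddress.ip_address(ip) in n for n in internal_nets)
        counts[(ip, "internal" if inside else "external")] += 1
    return counts

if __name__ == "__main__":
    for (ip, where), n in ndr_sources(SAMPLE_LOG).most_common():
        print(f"{n:4d} NDR(s) caused by mail from {ip} ({where})")
```

A tally dominated by external IPs matches the backscatter explanation given in the thread, while a large count against one internal address points at a LAN host submitting mail through the server.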
