Xwall accepts the email. The error comes when it communicates with my Exchange 
server. I get the 550 error in the conversation between XWall and my Exchange 
server.

Mark

From: [email protected] [mailto:[email protected]] On 
Behalf Of Kennedy, Jim
Sent: Thursday, April 10, 2014 11:14 AM
To: '[email protected]'
Subject: RE: [Exchange] Relaying

You verify that the XWall does this in realtime...while the sending server is 
still sending the email to you? If you snoop the SMTP conversation it would look 
like this:


220 mail.elyriaschools.org
HELO my.fake.domain.com
250 spamkiller.elyriaschools.org Hello w8desktopjdk.edunet.local [10.55.235.1],
pleased to meet you
mail from: [email protected]
250 Sender <[email protected]> OK
rcpt to: [email protected]
550 No such user ([email protected])
Quit

You can do this manually yourself, telnet to your Xwall on port 25 and just 
type the commands.

http://www.yuki-onna.co.uk/email/smtp.html


The question is, does your XWall do it as my example above….or does it accept 
the email then generate an outgoing email…an NDR.  Because what is happening 
above isn’t called an NDR, it’s a 550 fatal error during the conversation.  So 
no backscatter from you, the sending server takes responsibility at that point 
for the NDR.
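To make the distinction in Jim's two messages concrete (rejecting at RCPT TO during the SMTP phase versus accepting the message and generating an NDR afterwards), here is an added simulation that is not XWall, Exchange or any code from this thread. It models both sides of the conversation against a toy inbound server with a constructed mailbox directory (hypothetical domain example.org, users alice and bob) and runs the same forged-sender spam session with recipient filtering on and off: with filtering on, the server answers 550 at RCPT TO and the sending MTA owns any bounce; with it off, the message is accepted and the server queues an NDR to the forged return-path, which is the backscatter. A null return-path (MAIL FROM:<>) never gets an NDR in either mode.

```python
import re
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.org"       # constructed, hypothetical local domain
VALID_USERS = {"alice", "bob"}     # constructed mailbox directory


def _addr(arg: str) -> str:
    """Pull the address out of 'FROM:<x>', 'TO:<x>' or the bare 'to: x' form."""
    m = re.search(r"<([^>]*)>", arg)
    return (m.group(1) if m else arg.split(":", 1)[-1]).strip().lower()


def _local_user_exists(addr: str) -> bool:
    user, _, domain = addr.partition("@")
    return domain == LOCAL_DOMAIN and user in VALID_USERS


@dataclass
class MailServer:
    """Toy inbound MTA: just enough SMTP state to show the two behaviours."""
    recipient_filtering: bool
    hostname: str = "mx.example.org"                # constructed name
    ndr_queue: list = field(default_factory=list)   # NDRs we would send out
    delivered: list = field(default_factory=list)   # (sender, recipient) pairs
    _sender: str = ""
    _rcpts: list = field(default_factory=list)
    _in_data: bool = False

    def greeting(self) -> str:
        return f"220 {self.hostname}"

    def handle(self, line: str) -> str:
        """Process one client line; return the reply ('' while inside DATA)."""
        if self._in_data:
            if line == ".":
                self._in_data = False
                return self._end_of_message()
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname} Hello {arg}"
        if verb == "MAIL":
            self._sender, self._rcpts = _addr(arg), []
            return f"250 Sender <{self._sender}> OK"
        if verb == "RCPT":
            rcpt = _addr(arg)
            if self.recipient_filtering and not _local_user_exists(rcpt):
                # Rejected inside the SMTP phase: the sending MTA owns any NDR.
                return f"550 No such user ({rcpt})"
            self._rcpts.append(rcpt)
            return f"250 Recipient <{rcpt}> OK"
        if verb == "DATA":
            if not self._rcpts:
                return "503 No valid recipients"
            self._in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognized command"

    def _end_of_message(self) -> str:
        for rcpt in self._rcpts:
            if _local_user_exists(rcpt):
                self.delivered.append((self._sender, rcpt))
            elif self._sender:   # never bounce to a null return-path (<>)
                # Accepted, then found invalid: this NDR is backscatter and
                # goes to whatever (probably forged) address was in MAIL FROM.
                self.ndr_queue.append({"to": self._sender, "about": rcpt})
        return "250 Message accepted for delivery"


def run_session(server: MailServer, client_lines: list) -> list:
    """Drive one session; the client gives up (QUIT) on the first 5xx reply."""
    transcript = [f"S: {server.greeting()}"]
    for line in client_lines:
        reply = server.handle(line)
        transcript.append(f"C: {line}")
        if reply:
            transcript.append(f"S: {reply}")
        if reply.startswith("5"):
            transcript += ["C: QUIT", f"S: {server.handle('QUIT')}"]
            break
    return transcript


# Constructed spam session: forged sender, one non-existent local mailbox.
SPAM_SESSION = [
    "HELO my.fake.domain.com",
    "MAIL FROM:<victim@forged.example>",
    "RCPT TO:<nobody@example.org>",
    "DATA",
    "Subject: constructed spam",
    ".",
    "QUIT",
]


def compare() -> dict:
    """Run the same spam session against both server configurations."""
    filtering = MailServer(recipient_filtering=True)
    accept_then_ndr = MailServer(recipient_filtering=False)
    t_filter = run_session(filtering, SPAM_SESSION)
    t_accept = run_session(accept_then_ndr, SPAM_SESSION)
    return {
        "filtering_transcript": t_filter,
        "filtering_ndrs": filtering.ndr_queue,       # expected: empty
        "accept_transcript": t_accept,
        "accept_ndrs": accept_then_ndr.ndr_queue,    # expected: one NDR
    }


if __name__ == "__main__":
    result = compare()
    print("\n".join(result["filtering_transcript"]), "\n")
    print("backscatter without recipient filtering:", result["accept_ndrs"])
```

Running it prints the filtering-on transcript, which matches the shape of Jim's snooped conversation (550 at RCPT TO, then QUIT), and shows that only the accept-then-NDR server ends up with a queued bounce. The same is what you would observe by hand with the telnet-to-port-25 check Jim describes: a 550 at RCPT TO means the filter is rejecting in realtime; a 250 followed later by an NDR means you are generating backscatter.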


From: [email protected] [mailto:[email protected]] On Behalf Of Reimer, Mark
Sent: Thursday, April 10, 2014 1:03 PM
To: '[email protected]'
Subject: RE: [Exchange] Relaying

I did turn on recipient filtering. I have a mail filter (XWall) in front of the 
Exchange server. From what I can see/understand in the logs, XWALL opens up a 
connection to the exchange server. The exchange server says there is no 
recipient, and XWall sends the NDR, not Exchange.

The emails have a consistent subject line, so I’ve been watching it, and 
filtering the email out by subject line.

Mark

From: [email protected] [mailto:[email protected]] On Behalf Of Steve Ens
Sent: Thursday, April 10, 2014 10:27 AM
To: [email protected]
Subject: Re: [Exchange] Relaying

Thanks Jim, I set that up on Tuesday.

On Thu, Apr 10, 2014 at 9:13 AM, Kennedy, Jim <[email protected]> wrote:
If these are because of non-existent accounts, which is usually the cause, turn 
on recipient filtering. That way your server rejects them during the SMTP 
phase. What you are probably doing now is accepting then realizing they are 
invalid addresses...and generating the NDR.

http://www.gn.apc.org/support/minimising-backscatter-your-office-server


From: [email protected] [mailto:[email protected]] On Behalf Of Steve Ens
Sent: Thursday, April 10, 2014 10:07 AM
To: [email protected]
Subject: Re: [Exchange] Relaying

I think that is exactly what is going on here. I can't see any other traffic 
out of the network besides the NDRs....
Mark, what did you end up doing in the end?

On Thu, Apr 10, 2014 at 8:09 AM, Reimer, Mark <[email protected]> wrote:
Bluehost caught me too. I was getting spammed (to non-existent accounts), and 
my server was sending NDRs. Of course, the NDRs were going to people who 
didn't exist, and they blocked our email. And as in Steve's case, we weren't 
listed on mxtoolbox.

My two cents.

Mark

From: [email protected] [mailto:[email protected]] On Behalf Of Steve Ens
Sent: Wednesday, April 09, 2014 3:06 PM
To: [email protected]
Subject: Re: [Exchange] Relaying

It was a site called Bluehost. If I went to mxtoolbox, we weren't listed 
anywhere.

On Wed, Apr 9, 2014 at 4:04 PM, J- P <[email protected]> wrote:
When you were blacklisted, did you see what RBL you were listed on, or why you 
were listed?
I had a site where there was a lone workstation in the far end of the warehouse 
used only for checking schedules; sure enough, that was the affected/infected PC 
that was part of a botnet causing the blacklisting.


Jean-Paul Natola

________________________________
Date: Wed, 9 Apr 2014 11:54:11 -0500
Subject: Re: [Exchange] Relaying
From: [email protected]
To: [email protected]
I've also put a firewall rule into the default domain policy to block all port 
25 traffic between clients. I'll see if that helps.

On Wed, Apr 9, 2014 at 11:49 AM, J- P <[email protected]> wrote:
You can get blacklisted without SMTP traffic, simply by machines trying to 
access certain websites known as sinkhole servers.
http://www.spamhaus.org/faq/section/Spamhaus%20XBL




________________________________
Date: Tue, 8 Apr 2014 21:55:27 -0500
Subject: Re: [Exchange] Relaying
From: [email protected]
To: [email protected]

I think Don has not been in this conversation yet, and I do use Vipre for 
backscatter and spam protection. I don't think having 600 messages undelivered 
in the queue is reasonable. We have been blacklisted a couple of times and 
been delisted so far. I also have all traffic on port 25 blocked out of the 
firewall except for the Exchange box. I'm looking at the SMTP logs and can't 
see anything off yet.

On Tue, Apr 8, 2014 at 7:07 PM, Richard Stovall <[email protected]> wrote:
I think this answer is correct in some circumstances, but not universally by 
any means. Don, do you have any backscatter protection enabled? This would 
eliminate these as NDRs resulting from spam from spoofed addresses you own. If 
you don't have backscatter protection, my guess is that spam which does spoof 
existing addresses would be far more problematic than that which does not.

On Tue, Apr 8, 2014 at 7:13 PM, Mike Tavares <[email protected]> wrote:
The sender <> is normal Exchange NDRs being delivered. Since your Exchange 
server is authoritative for your domain, any messages addressed to non-existent 
email addresses will cause these; since a lot of spam has bogus addresses, you tend 
to see them sitting in your queues for a while. They will eventually time out 
and go away on their own.

Nothing to worry about.


From: Steve Ens [mailto:[email protected]]
Sent: Tuesday, April 08, 2014 4:30 PM
To: [email protected]
Subject: [Exchange] Relaying

I'm running Exchange 2010 here with all the service packs. I think that I must 
have misconfigured one of my receive connectors. I know I am not an open relay 
from the outside, but I think I have a machine inside my network that is 
compromised and using Exchange to send out, since I have many messages sitting 
in my queue that are undeliverable. Any suggestions as to how I'd determine 
from which IP these messages are originating? The sender always looks like <>. 
I've opened up the message tracking logs, but can't find any incriminating 
evidence there.
