SORBS-DUHL LISTED Detail Return codes were: 127.0.0.10 blacklist

EQ Admin

EQ Forum Admin
Staff member
Any way to fix this? I'm trying to get this customer off the blacklist but have no luck.
Yes. Find the source of the problem and stop the spam. Once the spam is stopped and the problem that causes it has been corrected, create an account at SORBS (Spam and Open-Relay Blocking System). Open a support ticket and let them know both what the problem was, how it was corrected, why it won't happen again, and don't forget to include the IP address in the ticket. As long as you appear to have been a good sender with a one time problem SORBS should delist you.

I removed the IP address to protect your client's privacy (since it's me creating a thread from an email), but it's worth noting it's a good thing that their reverse DNS TTL is 1D (more than 14400 seconds). The SORBS minimum TTL for getting delisted is 14400 seconds.
 

EQ Admin

EQ Forum Admin
Staff member
This SORBS blacklist is a pain in my {butt}. I followed your blog info and I'm not any further than I was prior to reading the blog.

Did you fix the source of the spam problem?

How far did you get with the delisting process?

Do you have a SORBS account?

Did you submit the delisting?

Did you get an auto response back?

Did you get any communication after the auto response?
 

EQ Admin

EQ Forum Admin
Staff member
Took two days to finally get an account. Still blacklisted.
What was the source of the problem and the fix?

That info is required for delisting.

Still not sure why they got blacklisted. Timewarner told me to adjust the TTL to 12 hours.
Yes, having matching custom forward and reverse DNS TTLs that are at least 14400 seconds is one of the requirements for getting delisted at SORBS.

Not knowing what caused you to get listed is a problem.

If you get delisted and the problem repeats you'll get hit for being a repeat offender.

Likely causes of listings are spam and/or backscatter going to SORBS spamtrap accounts.

Make sure that the mail servers are only accepting email for addresses that can be delivered to, and that they 5xx reject emails that won't be delivered before they are accepted.

Also check to make sure none of the computers the mail server will relay mail for are infected and sending spam.

Do you see any unusual activity in your mail logs?
 

blenheimfire

Valued Member
Just to add a little note.... Is port 25 locked down only to mail server? If not, it should be; this will cut down on the possibility of workstations sending spam. I would also look at the network with tools such as Wireshark, Fireplotter etc. This will give you an in-depth look at where the SMTP traffic is coming from. If you have a half decent firewall (ciscoasa5505) you can capture the information needed to correct the issue if it's spam related.

If you need help nailing down the problem I will be around today until 3:00 maybe we can setup a remote session and I can help you?

Just an idea.

I love problems like this~!
Is your mail server open relay? AKA Honey Pot...AKA OH NO.

Pop: how come you're entering in 2 parts to the conversation?
 

blenheimfire

Valued Member
Ok I just realized I made every other firewall look like crap...FACT is a lot of firewalls have logging which you must turn on. This will also let you see connections for SMTP which should help you locate your top spammer. I just prefer Cisco ASA 5505.

Sorry for the bias
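
An added example, not part of any post in this thread: one way to pick the "top spammer" out of firewall connection logs, as suggested above. It counts outbound port 25 connections per inside host and skips the mail server; the log layout (modelled on the Cisco ASA 302013 message), the addresses and the `MAIL_SERVER` value are constructed assumptions.

```python
import re
from collections import Counter

# Assumption: the mail server's inside address. Any other inside host that
# opens connections to port 25 is a candidate spam source.
MAIL_SERVER = "192.168.1.10"

# Assumption: lines follow the Cisco ASA "302013 Built outbound TCP connection"
# syslog layout; adjust the pattern for another firewall's log format.
BUILT = re.compile(
    r"%ASA-6-302013: Built outbound TCP connection \d+ for "
    r"[\w-]+:(?P<dst>[\d.]+)/(?P<dport>\d+) \([^)]*\) to "
    r"[\w-]+:(?P<src>[\d.]+)/\d+ \([^)]*\)"
)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Mar 04 10:00:01 fw %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.25/25 (203.0.113.25/25) to inside:192.168.1.10/40112 (198.51.100.7/40112)
Mar 04 10:00:02 fw %ASA-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.40/25 (203.0.113.40/25) to inside:192.168.1.57/50311 (198.51.100.7/50311)
Mar 04 10:00:02 fw %ASA-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.41/25 (203.0.113.41/25) to inside:192.168.1.57/50312 (198.51.100.7/50312)
Mar 04 10:00:03 fw %ASA-6-302013: Built outbound TCP connection 1004 for outside:203.0.113.80/443 (203.0.113.80/443) to inside:192.168.1.23/49200 (198.51.100.7/49200)
Mar 04 10:00:03 fw %ASA-6-302013: Built outbound TCP connection 1005 for outside:203.0.113.42/25 (203.0.113.42/25) to inside:192.168.1.57/50313 (198.51.100.7/50313)
Mar 04 10:00:04 fw %ASA-6-302013: Built inbound TCP connection 1006 for outside:203.0.113.99/51000 (203.0.113.99/51000) to inside:192.168.1.10/25 (198.51.100.7/25)
Mar 04 10:00:05 fw %ASA-6-302013: Built outbound TCP connection 1007 for outside:203.0.113.43/25 (203.0.113.43/25) to inside:192.168.1.80/61022 (198.51.100.7/61022)
"""

def smtp_sources(log_text, mail_server=MAIL_SERVER):
    """Count outbound TCP/25 connections per inside host, excluding the mail server."""
    counts = Counter()
    for line in log_text.splitlines():
        m = BUILT.search(line)
        if m and m.group("dport") == "25" and m.group("src") != mail_server:
            counts[m.group("src")] += 1
    return counts.most_common()  # busiest host first

if __name__ == "__main__":
    for host, n in smtp_sources(SAMPLE_LOG):
        print(f"{host}\t{n} direct SMTP connections")
```

Any host this reports is sending mail around the mail server and is the first machine to check for infection; an empty result points back at the mail server itself (relay settings, backscatter, autoresponders).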
 

EQ Admin

EQ Forum Admin
Staff member
Would be nice to figure out the source of the problem. Nothing changed on the customer's end. They have had the server in place for three years and all of a sudden they're blacklisted.

What about the other suggestions that were contributed after me?

Do they have a mail filter or other device/computer that's spamming?

Does someone have an auto responder that is being used to redirect spam?

From: Innocent 3rd party
To: legit-user-with-autoresponder
Body: Spammy content
Auto response -> Spammy content to innocent 3rd party?

One way or another you'll need to figure out the source of the problem or the blacklistings will continue.
 