From: Jake on 4 Jun 2010 01:22

"Rich Matheisen [MVP]" <richnews(a)rmcons.com.NOSPAM.COM> wrote in message news:buhg06tk51iu5phbl41lrrqhd6mm450k8q(a)4ax.com...

>>----------------------------------------------------------------------------------------------
>>> Could the manual connectivity test (telnet on port 25)
>>> trigger a false detection and get us blacklisted?
>>
>>Yes, it is possible.
>
> This just has to be asked: are you using a static IP address?

Yes, static (public) IP.

> You'd have to do an awful lot of typing to be detected as the source
> of spam.

No, just the usual SMTP commands: EHLO, MAIL FROM, RCPT TO, DATA and a period to end it.

> There is, of course, always the possibility of coincidence. You may
> have an infected client on your network that's using your server as a
> SMTP relay,

I highly doubt it. If that were the case there should be a spike in outbound SMTP traffic in my firewall logs. I don't see anything unusual (150 outbound connections in 18 hours doesn't sound like spam traffic at all). In addition, I requested CBL to remove my IP from their list on the same day (Friday, May 28). It's been 5 days and my IP hasn't got back on their list. If there were a spambot in my network, my IP would get back on the list almost immediately.

> or you haven't blocked clients from sending e-mail
> directly to the Internet and they're using a common NATed address
> shared by your server.

There is only 1 SMTP outbound rule on my firewall, that is from the Exchange box (with a private IP) directly to the internet. I've tested it by telnet on port 25 from a WinXP (client) machine to the internet. It appears to hang (which is normal) and times out after a while. During that time I see dropped packets in my firewall log. The firewall is doing its job blocking outbound SMTP packets from sources other than my Exchange private IP.
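The check Jake describes above (outbound TCP/25 allowed only from the Exchange private IP, drops for everyone else, no volume spike), written out as a small log audit. This is an added example, not code from the thread; it assumes a constructed key=value firewall log format and an assumed Exchange address of 192.168.1.10, so a real firewall export will need its own line pattern.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines in an assumed key=value format (not any real firewall's output).
SAMPLE_LOG = """\
2010-05-28T08:00:01 action=allow proto=tcp src=192.168.1.10 dst=203.0.113.25 dport=25
2010-05-28T08:01:00 action=allow proto=tcp src=192.168.1.57 dst=203.0.113.9 dport=443
2010-05-28T08:05:12 action=allow proto=tcp src=192.168.1.10 dst=198.51.100.7 dport=25
2010-05-28T08:07:44 action=drop proto=tcp src=192.168.1.57 dst=198.51.100.7 dport=25
2010-05-28T08:07:47 action=drop proto=tcp src=192.168.1.57 dst=198.51.100.7 dport=25
2010-05-28T09:15:00 action=allow proto=tcp src=192.168.1.10 dst=192.0.2.14 dport=25
2010-05-28T09:16:03 action=allow proto=tcp src=192.168.1.99 dst=192.0.2.14 dport=25
"""

# Only outbound TCP/25 events matter here; lines for other ports are ignored.
SMTP_LINE = re.compile(r"^(?P<ts>\S+) action=(?P<action>allow|drop) proto=tcp src=(?P<src>\S+) dst=\S+ dport=25$")

EXCHANGE_IP = "192.168.1.10"  # assumed private IP of the only host permitted to send SMTP out

def parse_smtp_events(log_text):
    """Yield (timestamp, action, source_ip) for each outbound TCP/25 line."""
    for line in log_text.splitlines():
        m = SMTP_LINE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["action"], m["src"]

def audit_outbound_smtp(log_text, exchange_ip=EXCHANGE_IP, max_per_hour=100):
    """Summarise who sends SMTP outbound and whether the volume looks like a spambot."""
    events = list(parse_smtp_events(log_text))
    allowed = Counter(src for _, act, src in events if act == "allow")
    dropped = Counter(src for _, act, src in events if act == "drop")
    # Any host other than the mail server that got an allow is a policy gap
    # (a second rule, a NAT mistake, or a client sharing the server's address).
    violations = sorted(src for src in allowed if src != exchange_ip)
    # Hourly volume from the legitimate sender; a sudden spike is the sign of an
    # infected client relaying through it (or of the server itself being abused).
    per_hour = Counter(ts.replace(minute=0, second=0, microsecond=0)
                       for ts, act, src in events
                       if act == "allow" and src == exchange_ip)
    peak = max(per_hour.values(), default=0)
    return {
        "allowed_by_src": dict(allowed),
        "dropped_by_src": dict(dropped),
        "policy_violations": violations,
        "peak_hour_count": peak,
        "spike": peak > max_per_hour,
    }
```

On the constructed sample the audit flags 192.168.1.99 as a host that reached port 25 past the firewall, shows the drops for 192.168.1.57 that Jake's telnet test produced, and reports no spike from the Exchange server.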
From: Rich Matheisen [MVP] on 4 Jun 2010 17:44

On Thu, 3 Jun 2010 22:22:29 -0700, "Jake" <someone> wrote:

>"Rich Matheisen [MVP]" <richnews(a)rmcons.com.NOSPAM.COM> wrote in message
>news:buhg06tk51iu5phbl41lrrqhd6mm450k8q(a)4ax.com...
>>>----------------------------------------------------------------------------------------------
>>>> Could the manual connectivity test (telnet on port 25)
>>>> trigger a false detection and get us blacklisted?
>>>
>>>Yes, it is possible.
>>
>> This just has to be asked: are you using a static IP address?
>
>Yes, static (public) IP.

That's good. If it were dynamic you could have switched to an IP that was listed before you used it.

>> You'd have to do an awful lot of typing to be detected as the source
>> of spam.
>
>No, just the usual SMTP commands: EHLO, MAIL FROM, RCPT TO, DATA and a
>period to end it.

Well, I'd find out from the place you were connecting to what they do w/r/t spam reporting. Unless they reported you (or they gave you the IP address of a honeypot) there's no way that a single connection (or even several) justifies adding an IP address to a public DNSBL.

AFAIC, this is just another reason to hate DNSBLs and the way they're commonly used. Let's pay no attention to the content of the message, let's just not accept the connection.

---
Rich Matheisen
MCSE+I, Exchange MVP
From: Jake on 4 Jun 2010 20:59

"Rich Matheisen [MVP]" <richnews(a)rmcons.com.NOSPAM.COM> wrote in message news:0jsi06dv0566jdr9u24qg9tomsif5l59h0(a)4ax.com...

> Well, I'd find out from the place you were connecting to what they do
> w/r/t spam reporting. Unless they reported you (or they gave you the
> IP address of a honeypot) there's no way that a single connection (or
> even several) justifies adding an IP address to a public DNSBL.

That's what I thought. Someone (or something like spam detection software) must have reported my IP to the DNSBL when I did the telnet session to one of their public MX records. I'll just make a note of it to never deal with this domain in the future.

> AFAIC, this is just another reason to hate DNSBLs and the way they're
> commonly used. Let's pay no attention to the content of the message,
> let's just not accept the connection.

Yeah, it is scary to know that anyone can submit a report to a DNSBL provider to blacklist us without checking its validity.