Backscatter.org-any experience with this service/site?

Started by Matthew Udovich, May 03, 2010, 12:18:17 PM



Matthew Udovich

Anyone ever have experience with this site? I'll try to explain what's happening to us.

About 2 weeks ago people here started having trouble sending new emails to certain domains, replies were going through, albeit slowly.
Fast forward to last Friday: they tell me that for two weeks they haven't been getting any emails to go through.

I checked mxtoolbox.com with our email server IP address to see if we were blacklisted, no hits there, so I called our ISP (who happens to be Charter and one of the domains we cannot send mail to). Judy goes to MXToolbox and does a blacklist check, but she uses our domain name instead and gets a hit that we are listed on backscatter.org as the bane of the internet. But the IP address is that of our web site, which is hosted by a different company.

I called that company and they are 'looking' into it, however now their helpdesk won't answer the phone so I have no idea where we are at, other than we still cannot send email to Charter or Comcast domains.

WTF  :'( I say, anybody have any ideas how I can get this worked out?

Bloody Jack Kidd

what is happening is that some of your intended recipients have filters setup that use data from backscatter.org

Backscatter is Internet noise mostly created by poorly configured MTAs (mail servers) that send out NDRs (non-delivery reports) when an email arrives that is destined for a non-existent person - i.e. joeblowbigtoe@yourdomain.com

The problem with backscatter is that if a spam engine sends out tons of bogus-addressed email to your domain with a spoofed, but legit, return address, guess what happens?  Some innocent bystander gets spam bombed with all these delivery failures.  That's backscatter and it is bad.

A properly configured MTA will give a 500 error and leave it up to the sending server to notify the sender of the problem.

chavez rickc # telnet mail.parallel42.ca 25
Trying 216.8.139.228...
Connected to mail.parallel42.ca.
Escape character is '^]'.
220 ********************************
helo rkc.cyphersystems.com
250 mail.parallel42.ca
mail from: mickeymouse@disney.com
250 2.1.0 Ok
rcpt to: bogusdude@parallel42.ca
550 5.1.1 <bogusdude@parallel42.ca>: Recipient address rejected: User unknown in local recipient table


Your first step should be to see how you got on the backscatter RBL and see if you can apply to have the domain removed.  At the same time make sure your mail servers are not misconfigured.
Sysadmin - Parallel42

Che Guevara

I had this happen last year when we were listed as a spammer.  Actually what happened was someone reported a range of IP addresses that were known to be sending a lot of spam and our IP was in that range.  This blacklisting got replicated globally so our emails were going into spam everywhere we sent to that had decent spam software.
My ISP tracked down the source of this and this was corrected within one week for the most part.

Very frustrating

Matthew Udovich

I have contacted our web host (it's their IP that is listed, not our mail server's), but I have not heard back from them. I called and was sent through to voicemail, I left a message, no call back yet.  I think I understand what the backscatter is and I believe I have our server set up correctly.

I sent an email from my Yahoo account to a bogus address here at work and the NDR I received back was from Yahoo, not from our Exchange server, so I take that to mean that our server simply rejected the message, rather than accepting and then sending an NDR. Is this correct??

Bloody Jack Kidd

Sounds like your server is fine... from what I understand, your web host likely runs a mail server on the same IP address that your site is hosted at and it's misconfigured.

I tested your server, it gave the correct 550 response, was a bit slow though.

You should also configure your MTA so that VRFY is disabled.  It's a much-abused feature that has little usefulness other than to spammers these days.

Quote from: Matthew Udovich on May 03, 2010, 01:59:11 PM
I have contacted our web host (it's their IP that is listed, not our mail server's), but I have not heard back from them. I called and was sent through to voicemail, I left a message, no call back yet.  I think I understand what the backscatter is and I believe I have our server set up correctly.

I sent an email from my Yahoo account to a bogus address here at work and the NDR I received back was from Yahoo, not from our Exchange server, so I take that to mean that our server simply rejected the message, rather than accepting and then sending an NDR. Is this correct??
Sysadmin - Parallel42
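The telnet session and the VRFY advice in the two replies above, as an added example that is not code from the original posts: a scripted probe that does the same HELO/VRFY/MAIL/RCPT exchange and reports whether an unknown recipient is refused at RCPT TO (so this host never has to generate an NDR) and what VRFY gives away. Host names and addresses are assumptions; FakeSMTP and AcceptAllSMTP are constructed offline stand-ins for a well-behaved and a misconfigured server, and the default `connect` is the stdlib client for use against a server you administer.

```python
"""Probe an MTA for reject-at-RCPT and VRFY behaviour (added example)."""
import smtplib


def classify_rcpt(code):
    """Verdict for the RCPT TO reply code to a non-existent local user."""
    if 200 <= code < 300:
        return "accepted"    # unknown user accepted now; any NDR sent later is backscatter
    if 400 <= code < 500:
        return "tempfail"    # greylisting or similar; inconclusive, retry later
    if 500 <= code < 600:
        return "rejected"    # refused at SMTP time; the *sending* MTA owns the bounce
    return "unknown"


def classify_vrfy(code):
    """Verdict for a VRFY reply on a non-existent local user."""
    if code == 252:
        return "noncommittal"  # "cannot VRFY user, but will accept message": reveals nothing
    if code == 502:
        return "disabled"      # command not implemented
    if code in (250, 550, 551, 553):
        return "leaks"         # a yes/no answer lets a spammer enumerate addresses
    return "unknown"


def probe(host, bogus_rcpt, sender="probe@example.net", helo="probe.example.net",
          port=25, timeout=20, connect=smtplib.SMTP):
    """Run EHLO/VRFY/MAIL/RCPT against host and return both verdicts.

    `connect` is the SMTP client factory (smtplib.SMTP by default); pass a
    fake to run offline. Only probe hosts you are responsible for.
    """
    conn = connect(host, port, timeout=timeout)
    result = {}
    try:
        code, _ = conn.ehlo(helo)
        if code != 250:
            conn.helo(helo)
        code, msg = conn.verify(bogus_rcpt)
        result["vrfy"] = (code, classify_vrfy(code))
        code, msg = conn.mail(sender)
        if code != 250:
            raise RuntimeError(f"MAIL FROM refused: {code} {msg!r}")
        code, msg = conn.rcpt(bogus_rcpt)
        result["rcpt"] = (code, classify_rcpt(code), msg.decode("ascii", "replace"))
    finally:
        try:
            conn.quit()
        except (smtplib.SMTPException, OSError):
            pass
    return result


class FakeSMTP:
    """Constructed stand-in mimicking the well-configured server in the thread."""
    def __init__(self, host, port=25, timeout=None):
        self.host = host

    def ehlo(self, name=""):
        return 250, b"mail.example.com"

    def helo(self, name=""):
        return 250, b"mail.example.com"

    def verify(self, address):
        return 252, b"2.0.0 Send some mail, I'll try my best"

    def mail(self, sender, options=()):
        return 250, b"2.1.0 Ok"

    def rcpt(self, recip, options=()):
        return 550, (b"5.1.1 <" + recip.encode() +
                     b">: Recipient address rejected: User unknown in local recipient table")

    def quit(self):
        return 221, b"2.0.0 Bye"


class AcceptAllSMTP(FakeSMTP):
    """Constructed stand-in for a misconfigured host: VRFY answers, RCPT accepts anything."""
    def verify(self, address):
        return 550, b"5.1.1 User unknown"

    def rcpt(self, recip, options=()):
        return 250, b"2.1.5 Ok"


if __name__ == "__main__":
    for factory in (FakeSMTP, AcceptAllSMTP):
        print(factory.__name__,
              probe("mail.example.com", "bogusdude@example.com", connect=factory))
```

An "accepted" RCPT verdict is not proof of backscatter on its own (a deliberate catch-all mailbox accepts too); it only means the host has taken on responsibility for a message it may later bounce, so the next check is what it does with that message.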

Matthew Udovich

Thanks for the affirmation Rick, I checked, VRFY is/was disabled. When you say it was slow, what do you mean?? Any ideas why? We don't see it slow as far as sending/receiving emails, but if I can tweak/fix something, I'm all for it :-)

Bloody Jack Kidd

It seemed to pause before providing the 550 error, other than that, it was fine, and if you are not having issues on the client end - let sleeping dogs lie.

Odd, when VRFY is disabled I'm used to seeing another 500 error, but I think I was getting a 252 from yours.  That said, I was not getting a response that would be useful if I was a spammer.

Do you know how your email server announces itself when it connects to another server to pass mail?  Does it call itself mail.[yourdomain].com?  It's just a bit weird that even if www and * both resolve to your web host IP, your mail server doesn't. 

Now I'm also wondering if the webserver itself could be sending out potentially bad emails... just one needs to find its way into a backscatter honeypot and bang! - you're listed.
Sysadmin - Parallel42

Matthew Udovich

Quote from: Rick Chisholm on May 03, 2010, 04:30:12 PM
Do you know how your email server announces itself when it connects to another server to pass mail?  Does it call itself mail.[yourdomain].com?  It's just a bit weird that even if www and * both resolve to your web host IP, your mail server doesn't. 
Sorry, I'm a rather green Exchange admin, so I don't quite understand. Our website is hosted by KDV, our ISP is Charter and the mail server is sitting right behind me. Mail goes out on a Charter IP, website traffic is directed to the KDV IP (the one on the backscatter list). The way I understand it, it shouldn't matter that our website is blacklisted, as it is not the same IP that our mail server uses. At least that is what KDV is selling.

Bloody Jack Kidd

I think you are correct that it *should* work that way, but what I fear is that since *.yourdomain.com points to the IP of your webserver, the backscatter service that some are using may be confused by this.

e.g.: email from you goes to a Comcast address, the Comcast filter sees @yourdomain.com and does an A record lookup which returns the website IP, which is the problem.  Now since your mail server likely announces itself with its FQDN - mail.yourdomain.com - the filters *should* be using that for reference, but that does not appear to be happening.

The thing is - these types of DNSRBL issues are not uncommon when you don't have control over your hosting environment... and shared hosting esp. 
Sysadmin - Parallel42
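The lookup path described in the reply above, as an added example that is not code from the original posts: a small model of a recipient-side filter that keys on the sender *domain* and checks the domain's bare A record (the shared web host) as well as its MX hosts against a DNS-based blocklist. The DNSBL convention modelled here is the usual one (reversed IPv4 octets under the list zone, an A answer such as 127.0.0.2 meaning "listed"). The domain, IPs and the zone `dnsbl.example.net` are constructed; the real list operator's zone name is not given on this page, and the stdlib `socket_resolve_a` is only used if you pass it in for a live lookup.

```python
"""Model which IPs a sender-domain-keyed filter would check against a DNSBL (added example)."""
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed IPv4 octets under the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def socket_resolve_a(name):
    """Real A lookup via the stdlib; NXDOMAIN / no answer -> []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def candidate_ips(domain, resolve_a, resolve_mx):
    """IPs a filter might tie to a sender domain: the bare A record and each MX host."""
    cands = {}
    for ip in resolve_a(domain):
        cands[f"A {domain}"] = ip
    for mxhost in resolve_mx(domain):
        for ip in resolve_a(mxhost):
            cands[f"MX {mxhost}"] = ip
    return cands


def check_listing(domain, zone, resolve_a, resolve_mx):
    """Return {label: (ip, listing answer or None)} for each candidate IP."""
    out = {}
    for label, ip in candidate_ips(domain, resolve_a, resolve_mx).items():
        answers = resolve_a(dnsbl_query_name(ip, zone))
        out[label] = (ip, answers[0] if answers else None)
    return out


# Constructed zone data (assumption, not real DNS): the bare A record points at the
# shared web host, the MX at the on-site mail server, and only the web host is listed.
FAKE_A = {
    "example.com": ["203.0.113.10"],                   # shared web host
    "mail.example.com": ["198.51.100.5"],              # the real outbound MTA
    "10.113.0.203.dnsbl.example.net": ["127.0.0.2"],   # web host IP is listed
}
FAKE_MX = {"example.com": ["mail.example.com"]}


def fake_resolve_a(name):
    return FAKE_A.get(name, [])


def fake_resolve_mx(domain):
    return FAKE_MX.get(domain, [])


if __name__ == "__main__":
    hits = check_listing("example.com", "dnsbl.example.net", fake_resolve_a, fake_resolve_mx)
    for label, (ip, hit) in hits.items():
        print(f"{label:22} {ip:15} {'LISTED ' + hit if hit else 'clean'}")
```

With that data the bare-domain entry comes back listed and the MX entry clean, which is exactly the mismatch in the thread: a check by domain name lands on the web host's IP while the mail server's own IP is clean. For a live run pass `socket_resolve_a` as `resolve_a`; the stdlib has no MX lookup, so `resolve_mx` needs a resolver library (dnspython's `dns.resolver` can supply one). A filter that checks the connecting IP seen in the SMTP session, rather than the sender domain's A record, would not be fooled this way.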