  #1 (permalink)  
01-28-2009, 04:35 AM
Loyal Member
Posts: 96
Help. I've been blacklisted.

I'm not sure how this has happened and I'm more looking for answers as to how I can avoid it going forward. Any help would be appreciated.
  #2 (permalink)  
01-28-2009, 04:46 AM
Moderator
Posts: 7,928

Which RBL have you been listed on? Have you contacted them and asked why you have been listed?
  #3 (permalink)  
01-28-2009, 04:51 AM
Loyal Member
Posts: 98

Quote:
Originally Posted by reckless2k2
I'm not sure how this has happened and I'm more looking for answers as to how I can avoid it going forward. Any help would be appreciated.

Do you mean your server's IP/network address is appearing in a Spam database?

Some of these blacklists are over the top and will blacklist entire ISPs because of a few black sheep. Where have you been blacklisted? Usually there's a mechanism whereby you as the mail server admin of the blacklisted host have a way to at least see their "evidence" against you.

Does this Zimbra server only handle mail for your organization's users or do you resell / host domains for other people as well?

In general, try implementing SPF records as this will make it harder for a spammer to pretend to be you.

This is done via your domain's DNS zone, no zimbra modification is needed.

SPF: Project Overview
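How a receiving mail server applies a published SPF record, as an added example that is not part of any post in this thread. The record, addresses and function name are constructed for illustration, and only the `ip4`, `ip6` and `all` mechanisms are handled; mechanisms that need DNS lookups (`a`, `mx`, `include`) are rejected.

```python
import ipaddress

# Result for each SPF qualifier prefix (RFC 7208); "+" is the default.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate an SPF record against the IP address of the connecting client."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no usable SPF policy published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                  # matches every client
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            raise ValueError(f"mechanism {name!r} needs DNS; not handled here")
        net = ipaddress.ip_network(arg, strict=False)
        if net.version != int(name[2]):
            raise ValueError(f"{arg!r} is not a valid {name} network")
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no "all" term

# Constructed sample data (documentation address ranges, not from the thread).
RECORD = "v=spf1 ip4:203.0.113.10 -all"   # only the real mail server may send
OWN_SERVER = "203.0.113.10"
SPOOFER = "198.51.100.23"

if __name__ == "__main__":
    for label, ip in (("own server", OWN_SERVER), ("spoofer", SPOOFER)):
        print(f"{label:11} {ip:15} -> {check_spf(RECORD, ip)}")
```

A receiver that honours the `fail` result rejects mail claiming the domain when it arrives from an address the record does not list.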
  #4 (permalink)  
01-28-2009, 05:01 AM
Loyal Member
Posts: 96

I was just at 10 and in a matter of minutes it has gone to 13. I can't paste the image in but I'll put them down below:

FIVETENSRC
FIVETENTCPA
FIVETENWEBFORM
SORBS-BLOCK
SORBS-DUHL
SORBS-HTTP
SORBS-MISC
SORBS-SMTP
SORBS-SOCKS
SORBS-SOAM
SORBS-WEB
WORBS-ZOMBIE
Spamhaus-ZEN

My ISP informed me that they blocked my port 25 because of complaints. I have everything pointing to Google Apps and forward to Zimbra on home-based server as backup. I don't even send anything from the Zimbra server but I have recently noticed spam coming into my Google App box from my address. Bad news and caught too late since my ISP has shut me down.

I'm just trying to figure out how this happened. I don't even know who or how to contact. Any help would be appreciated.
  #5 (permalink)  
01-28-2009, 05:27 AM
Moderator
Posts: 7,928

Your domain may have been spoofed or your Zimbra account has been hacked. Are you using complex passwords? Check /var/log/zimbra.log and /opt/zimbra/log/audit.log for any erroneous activity.
  #6 (permalink)  
01-28-2009, 06:20 AM
Loyal Member
Posts: 96

I'm leaning on spoof but I could be wrong. How would I tell if I were spoofed?
  #7 (permalink)  
01-28-2009, 07:55 AM
Outstanding Member
Posts: 684
Admin logs

Do you check your Admin logs daily? They tell you who has sent how many messages.

Do you have a static public IP for your server or are you behind a NAT router? If you have a static public IP, Zimbra will add the entire subnet to the trusted IPs. For instance, my ISP uses a subnet mask of 255.255.255.0. Zimbra used the same and this opened up all of the IPs on that subnet. I went in and changed the trusted IPs appendix to /32 to allow only that IP.

Last edited by Bill Brock; 01-28-2009 at 07:59 AM..
  #8 (permalink)  
01-28-2009, 01:39 PM
Loyal Member
Posts: 96

There is definitely some type of compromise but I don't think that someone hacked my accounts. I only had 2 (admin and my own). That's why I asked what's involved with spoofing. I have been running for a few years without issue. I just reinstalled on my server and nothing has been right since. It's ironic that suddenly now I'm showing up on a blacklist. Obviously, I missed something on the reinstall that caused this.

So how does spoofing happen?
  #9 (permalink)  
01-29-2009, 02:22 PM
Junior Member
Posts: 5

At the risk of sounding obvious, you've ensured that you aren't acting as an open relay, yes?
  #10 (permalink)  
01-30-2009, 09:08 AM
Loyal Member
Posts: 96

I'm not sure how I make sure that I'm not acting as an open relay. I know everything seemed to be working for months and then not long after a reinstall I was blocked. It could have been a problem for months now and not known.

How would I tell if I was spoofed?

How would I tell if I was an open relay?

Thanks.
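The subnet-mask point from post #7 and the open-relay question in post #10, as an added example that is not from any poster and is not Zimbra's code: a simplified model of how a Postfix-style MTA (Zimbra's MTA is Postfix) decides whether to relay a message. All addresses, domains and function names are constructed for illustration.

```python
import ipaddress

def parse_networks(spec):
    """Parse a space- or comma-separated trusted-network list."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in spec.replace(",", " ").split()]

def in_trusted(client_ip, trusted):
    ip = ipaddress.ip_address(client_ip)
    return any(net.version == ip.version and ip in net for net in trusted)

def relay_decision(client_ip, rcpt_domain, trusted, local_domains, authenticated=False):
    """Return (accepted, reason) for one RCPT TO, in the order a typical
    Postfix policy checks: trusted network, authentication, destination."""
    if in_trusted(client_ip, trusted):
        return True, "client is in the trusted networks"
    if authenticated:
        return True, "client authenticated"
    if rcpt_domain.lower() in local_domains:
        return True, "recipient is a local domain"
    return False, "relay access denied"

def neighbours_trusted(trusted, own_ips):
    """Count non-loopback trusted addresses that are not the server itself."""
    own = [ipaddress.ip_address(a) for a in own_ips]
    total = 0
    for net in trusted:
        if net.is_loopback:
            continue
        total += net.num_addresses - sum(
            1 for a in own if a.version == net.version and a in net)
    return total

# Constructed sample values (documentation ranges and example domains).
SERVER_IP = "203.0.113.10"
LOCAL_DOMAINS = {"example.org"}
WIDE = parse_networks("127.0.0.0/8 203.0.113.0/24")    # mask 255.255.255.0
TIGHT = parse_networks("127.0.0.0/8 203.0.113.10/32")  # only the server itself

if __name__ == "__main__":
    for name, nets in (("wide /24", WIDE), ("tight /32", TIGHT)):
        print(name, "extra trusted hosts:", neighbours_trusted(nets, [SERVER_IP]))
        # A neighbour on the ISP subnet sends to an outside domain.
        print("  neighbour:", relay_decision("203.0.113.77", "example.net", nets, LOCAL_DOMAINS))
        # An unrelated Internet host does the same (accepted only by an open relay).
        print("  stranger: ", relay_decision("198.51.100.5", "example.net", nets, LOCAL_DOMAINS))
```

With the /24 list every other address on the ISP subnet can relay through the server without authenticating; with /32 only the server itself can. A server is an open relay when the stranger case is accepted for a non-local recipient.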