
RBL's blocking Microsoft internal and Office365 servers

I'm finding that my critical contacts can't communicate with me via email due to flagging by RBLs. After further investigation, it includes those who are using Microsoft email infrastructure: both internal employees and corporate members who have outsourced their email services to Microsoft through Live@edu or other offerings. It's not only these folks, but blocking these people impacts me the most.


/var/log/smtp/2013/12/smtp-2013-12-18.log.gz:2013:12:18-13:53:08 ravenna exim-in[23455]: 2013-12-18 13:53:08 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="74.63.194.68" from="bounces+273298-313f-[private information]sendgrid.info" to="doug@[private information].com" size="-1" reason="rbl" extra="cbl.abuseat.org"
/var/log/smtp/2014/01/smtp-2014-01-03.log.gz:2014:01:03-16:10:34 ravenna exim-in[14501]: 2014-01-03 16:10:34 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="204.13.248.72" from="" to="prvs=008145706c=[private information]" size="13915" reason="rbl" extra="cbl.abuseat.org"
/var/log/smtp/2014/01/smtp-2014-01-06.log.gz:2014:01:06-10:18:04 ravenna exim-in[8293]: 2014-01-06 10:18:04 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="207.46.163.209" from="susan.[private information]" to="doug@[private information]" size="16611" reason="rbl" extra="combined.rbl.msrbl.net"
/var/log/smtp/2014/01/smtp-2014-01-06.log.gz:2014:01:06-10:18:04 ravenna exim-in[8293]: 2014-01-06 10:18:04 H=mail-bl2lp0209.outbound.protection.outlook.com (na01-bl2-obe.outbound.protection.outlook.com) [207.46.163.209]:5037 F= rejected RCPT : 207.46.163.209 blacklisted at combined.rbl.msrbl.net
/var/log/smtp/2014/01/smtp-2014-01-08.log.gz:2014:01:08-13:31:43 ravenna exim-in[6075]: 2014-01-08 13:31:43 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="207.46.163.206" from="[private information].com" to="doug@[private information]" size="20075" reason="rbl" extra="combined.rbl.msrbl.net"
/var/log/smtp/2014/01/smtp-2014-01-08.log.gz:2014:01:08-13:31:43 ravenna exim-in[6075]: 2014-01-08 13:31:43 H=mail-bl2lp0206.outbound.protection.outlook.com (na01-bl2-obe.outbound.protection.outlook.com) [207.46.163.206]:42226 F= rejected RCPT : 207.46.163.206 blacklisted at combined.rbl.msrbl.net
/var/log/smtp/2014/01/smtp-2014-01-08.log.gz:2014:01:08-13:34:08 ravenna exim-in[6301]: 2014-01-08 13:34:08 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="207.46.163.149" from="[private information].com" to="doug@[private information].com" size="18356" reason="rbl" extra="cbl.abuseat.org"
/var/log/smtp/2014/01/smtp-2014-01-08.log.gz:2014:01:08-13:37:22 ravenna exim-in[6617]: 2014-01-08 13:37:22 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="207.46.163.242" from="[private information].com" to="doug@[private information].com" size="20007" reason="rbl" extra="cbl.abuseat.org"
/var/log/smtp/2014/01/smtp-2014-01-09.log.gz:2014:01:09-14:09:53 ravenna exim-in[14288]: 2014-01-09 14:09:53 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="204.13.248.72" from="" to="prvs=0086cc3a24=doug@[private information].com" size="9911" reason="rbl" extra="combined.rbl.msrbl.net"
/var/log/smtp/2014/01/smtp-2014-01-09.log.gz:2014:01:09-14:09:53 ravenna exim-in[14288]: 2014-01-09 14:09:53 H=mho-02-ewr.mailhop.org [204.13.248.72]:28519 F=<> rejected RCPT : 204.13.248.72 blacklisted at combined.rbl.msrbl.net
/var/log/smtp/2014/01/smtp-2014-01-10.log.gz:2014:01:10-12:43:14 ravenna exim-in[4950]: 2014-01-10 12:43:14 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="207.46.163.185" from="[private information].com" to="doug@[private information].com" size="10951" reason="rbl" extra="combined.rbl.msrbl.net"
/var/log/smtp/2014/01/smtp-2014-01-10.log.gz:2014:01:10-12:43:14 ravenna exim-in[4950]: 2014-01-10 12:43:14 H=mail-bn1blp0185.outbound.protection.outlook.com (na01-bn1-obe.outbound.protection.outlook.com) [207.46.163.185]:13940 F= rejected RCPT : 207.46.163.185 blacklisted at combined.rbl.msrbl.net
/var/log/smtp/2014/01/smtp-2014-01-10.log.gz:2014:01:10-23:51:44 ravenna exim-in[32238]: 2014-01-10 23:51:44 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="204.13.248.72" from="" to="prvs=0088fe969f=doug[private information].com" size="4677" reason="rbl" extra="bl.spamcop.net"
/var/log/smtp/2014/01/smtp-2014-01-14.log.gz:2014:01:14-07:51:08 ravenna exim-in[14631]: 2014-01-14 07:51:08 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="207.46.163.154" from="[private information]com" to="doug@[private information].com" size="26180" reason="rbl" extra="cbl.abuseat.org"
/var/log/smtp/2014/01/smtp-2014-01-15.log.gz:2014:01:15-21:20:11 ravenna exim-in[10406]: 2014-01-15 21:20:11 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="157.55.133.100" from="" to="doug[private information]com" size="10082" reason="rbl" extra="bl.spamcop.net"
/var/log/smtp/2014/01/smtp-2014-01-16.log.gz:2014:01:16-12:49:00 ravenna exim-in[10423]: 2014-01-16 12:49:00 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="209.85.214.201" from="3ukXYUhIJAEMqfgwfitwnzxmzrfszxlrfnq.htr@calendar-server.bounces.google.com" to="doug@[private information].com" size="-1" reason="rbl" extra="cbl.abuseat.org"
/var/log/smtp/2014/01/smtp-2014-01-16.log.gz:2014:01:16-12:49:18 ravenna exim-in[10446]: 2014-01-16 12:49:18 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="74.125.82.48" from="[private information].com" to="doug@[private information].com" size="-1" reason="rbl" extra="zen.spamhaus.org"
/var/log/smtp/2014/01/smtp-2014-01-16.log.gz:2014:01:16-13:00:13 ravenna exim-in[11676]: 2014-01-16 13:00:13 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="209.85.128.73" from="3W0jYUhIJAOgVKLbKNYbSecReWKXecQWKSV.MYW@calendar-server.bounces.google.com" to="doug@[private information].com" size="-1" reason="rbl" extra="bl.spamcop.net"
/var/log/smtp/2014/01/smtp-2014-01-16.log.gz:2014:01:16-13:06:19 ravenna exim-in[12739]: 2014-01-16 13:06:19 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="209.85.213.73" from="3W0jYUhIJAOgVKLbKNYbSecReWKXecQWKSV.MYW@calendar-server.bounces.google.com" to="doug@[private information].com" size="-1" reason="rbl" extra="b.barracudacentral.org"
/var/log/smtp.log:2014:01:17-12:11:36 ravenna exim-in[8201]: 2014-01-17 12:11:36 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="207.46.163.150" from="[private information].com" to="doug@[private information].com" size="32305" reason="rbl" extra="psbl.surriel.com"
/var/log/smtp.log:2014:01:17-12:14:28 ravenna exim-in[8411]: 2014-01-17 12:14:28 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="207.46.163.189" from="[private information]com" to="doug@[private information].com" size="32438" reason="rbl" extra="cbl.abuseat.org"
Does anyone have any thoughts on best practices for RBLs, or on what to tell a CEO when he suggests one's email server [Sophos Gateway] is misconfigured?

Thanks,

~Doug
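To see which of the configured RBL zones is actually rejecting the Microsoft-hosted senders, the UTM rejection records quoted above can be tallied per zone and per source IP. The following is an added example, not code from the post or from Sophos; the log records inside it are constructed in the same format, using documentation-range addresses rather than the real ones.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records in the Sophos UTM exim-in format quoted in the post (placeholder senders).
SAMPLE_LOG = """\
2014-01-06 10:18:04 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="203.0.113.10" from="alice@example.org" to="doug@example.com" size="16611" reason="rbl" extra="combined.rbl.msrbl.net"
2014-01-08 13:34:08 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="203.0.113.11" from="bob@example.org" to="doug@example.com" size="18356" reason="rbl" extra="cbl.abuseat.org"
2014-01-09 14:09:53 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="198.51.100.7" from="" to="prvs=0086cc3a24=doug@example.com" size="9911" reason="rbl" extra="combined.rbl.msrbl.net"
2014-01-10 12:43:14 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="203.0.113.10" from="alice@example.org" to="doug@example.com" size="10951" reason="rbl" extra="combined.rbl.msrbl.net"
2014-01-10 23:51:44 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="198.51.100.7" from="" to="doug@example.com" size="4677" reason="rbl" extra="bl.spamcop.net"
2014-01-11 09:00:00 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.0.2.5" from="" to="doug@example.com" size="100" reason="spam" extra="score"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')  # matches each key="value" field

def parse_line(line):
    """Return the key="value" fields of one UTM SMTP log line as a dict."""
    return dict(KV_RE.findall(line))

def rbl_rejections(log_text):
    """Yield only the records rejected because of an RBL hit (reason="rbl")."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("name") == "email rejected" and rec.get("reason") == "rbl":
            yield rec

def summarize(log_text):
    """Count rejections per RBL zone and collect the source IPs each zone hit.
    Comparing those IPs with a sender's published outbound ranges (e.g. its SPF
    record) shows which zone is producing the false positives."""
    per_zone, ips_per_zone = Counter(), defaultdict(set)
    for rec in rbl_rejections(log_text):
        per_zone[rec["extra"]] += 1
        ips_per_zone[rec["extra"]].add(rec["srcip"])
    return per_zone, {z: sorted(v) for z, v in ips_per_zone.items()}

def dnsbl_query_name(ip, zone):
    """Build the reversed-octet name a DNSBL lookup resolves, so a listing
    can be re-checked by hand (e.g. with dig) before trusting the zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone

if __name__ == "__main__":
    counts, ips = summarize(SAMPLE_LOG)
    for zone, n in counts.most_common():
        names = [dnsbl_query_name(ip, zone) for ip in ips[zone]]
        print(f"{zone}: {n} rejections; re-check with dig +short {' '.join(names)}")
```

Run it against `zcat` output of the real smtp logs instead of `SAMPLE_LOG`; a zone whose hits are almost all inside a large provider's outbound ranges is the one to drop or exempt.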


This thread was automatically locked due to age.
  • It seems they have added a ton of blocklists to their UTM. Some of them are dubious at best. I think they either need to build an extensive whitelist OR they need to tone down their anti-spam settings a bit.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • With regard to best practices, what do you think should be included in the RBL lists?
  • The default is pretty good. I've added xbl.spamhaus.com and the brbl by Barracuda in cases of really bad spam runs.


  • It seems that most of the RBL-blocked emails are from Microsoft Online.

    I've opened a ticket with Microsoft Tech Support and have spent quite a bit of time educating them on what an RBL is and why they need to manage them better.

    Sigh...
  • It seems that most of the RBL-blocked emails are from Microsoft Online.

    I've opened a ticket with Microsoft Tech Support and have spent quite a bit of time educating them on what an RBL is and why they need to manage them better.

    Sigh...


    What I am reading in the logs is that abuseat.org has got Microsoft servers listed in their database. This is not a Microsoft issue. I think that whoever is using abuseat needs to stop it; if it's Sophos, then you need to find a way to stop Sophos from using it. abuseat and spamcop are two of the most dubious of the RBLs out there.


  • It seems that most of the RBL-blocked emails are from Microsoft Online.

    I've opened a ticket with Microsoft Tech Support and have spent quite a bit of time educating them on what an RBL is and why they need to manage them better.

    Sigh...


    Also, msrbl.net hasn't had updates on their blog in years. It appears to be the UTM doing this. I would contact support on this one. What I had to do once was uncheck "use recommended RBL" and then add the brbl (called barbell) by Barracuda (it is free to register for and free to use) as primary and the xbl.spamhaus as second.


  • I'm switching to Default +

    1 zen.spamhaus.org
    2 dnsbl.tornevall.org
    3 combined.abuse.ch

    Per... Choosing The Best RBL or DNSBL | Learn Success The Easy Way
  • It seems that Barracuda does not support dynamic IP addresses.
    Are you on static?
  • and then add the brbl (called barbell) by Barracuda (it is free to register for and free to use) as primary and the xbl.spamhaus as second.

    It seems that Barracuda does not support dynamic IPs.
    Do you have static addressing?


  • It seems that Barracuda does not support dynamic IPs.
    Do you have static addressing?

    No RBL accepts queries from dynamic addies. Are you running a mail server behind a UTM with a dynamic IP?
