EXIM mainlog blacklist (blocked by backscatterer.org) easy question for someone who knows mail logs
I have become aware that one of my servers is on the backscatterer list.
Our servers have all the standard reverse DNS etc pointers and are supposedly set up to be good email citizens.
The following "test results" from backscatterer advise me to look through my server mail logs for +/- 10 minutes of a specific incident time to find what it's complaining about.
I have captured about a half meg (a HUGE amount) of text log excerpt from exim_mainlog.
But, knowing barely anything about this, I don't know what to look for, and thus my question today: what should I specifically search for in the log to find out why backscatterer has blocked this server?
- - - - - - - - - - - -
what specifically to look for when it says:
So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM and which got rejected at remote systems.
for instance, is this a NULL SENDER?
2010-02-28 17:59:10 1Nls6Q-0004q9-KK <= <> R=1Nls6J-0004pF-G8 U=mailnull P=local S=5630
2010-02-28 17:59:10 1Nls6Q-0004q9-KK ** sexmachine.erectile@financier.com R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<sexmachine.erectile@financier.com>: host mailin-03.mx.aol.com [205.188.59.193]: 550 5.1.1 <sexmachine.erectile@financier.com>: Recipient address rejected: financier.com
2010-02-28 17:59:10 1Nls6Q-0004q9-KK Frozen (delivery error message)
-----------
OR
For instance, do I need to do this?
(from http://www.backscatterer.org/index.php?target=usage)
SAFE Mode with Exim:
If you don't already have one, you'll need to add a local ACL file for the RCPT ACL check.
On a split config, add something like the following to:
/etc/exim4/conf.d/00_local_config
CHECK_RCPT_LOCAL_ACL_FILE=/etc/exim4/local_acl_check_rcpt
Then edit /etc/exim4/local_acl_check_rcpt:
deny senders = :
dnslists = ips.backscatterer.org
log_message = $sender_host_address listed at $dnslist_domain
message = Backscatter: $dnslist_text
- - - - - - - - - - - -- - - -
TEST RESULTS FROM backscatterer.org:
This IP IS CURRENTLY LISTED in our Database.
Please note that this listing does not mean you are a spammer, it means your mailsystem is either poorly configured or it is using abusive techniques.
If you don't know what BACKSCATTER or Sender Callouts are, click the links above to get clue how to stop that kind of abuse.
To track down what happened investigate your smtplogs near 28.02.2010 18:00 CET +/-10 minutes.
You will either find that your system tried to send bounces or autoresponders to claimed but in reality faked senders, or your system tried sender verify callouts against our members near that time.
So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM and which got rejected at remote systems.
Read the rejection texts carefully and it shouldn't be a big deal to figure out what caused or renewed your listing.
History:
11.10.2007 12:10 CEST listed
08.11.2007 11:20 CET expired
09.02.2008 14:30 CET listed
13.03.2008 19:30 CET expired
21.03.2008 06:40 CET listed
19.04.2008 19:30 CEST expired
20.04.2008 19:00 CEST listed
01.06.2008 20:30 CEST expired
05.06.2008 17:20 CEST listed
24.07.2008 20:30 CEST expired
28.08.2008 15:20 CEST listed
13.12.2008 01:00 CET expired
29.01.2009 11:20 CET listed
A total of 496 Impacts were detected during this listing. Last was 28.02.2010 18:00 CET +/- 10 minutes.
Earliest date this IP can expire is 28.03.2010 19:00 CEST.
Solution: EXIM mainlog blacklist (blocked by backscatterer.org) easy question for someone who knows mail logs
Yeah, you're looking for outgoing mail with the sender set as "<>". You should check your local workstations for viruses/spyware that are probably sending the spam. Also check your firewall to make sure the ONLY IP that can get out on TCP/25 is your email server.
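The log search described in this thread, as an added example that is not part of the original posts: it pairs each null-sender or postmaster arrival line (`<= <>`) with a later failed remote delivery (`**`) for the same message ID inside the +/- 10 minute window. The function names and the sample log are constructed for illustration, and it assumes Exim's default mainlog timestamp format and an incident time already converted to the time zone the log is written in.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in Exim mainlog format (addresses and hosts are placeholders).
SAMPLE_LOG = """\
2010-02-28 17:58:40 1Nls5A-0004aa-AA <= user@example.org H=(client) [192.0.2.10] P=esmtp S=1200
2010-02-28 17:58:41 1Nls5A-0004aa-AA => friend@example.net R=lookuphost T=remote_smtp H=mx.example.net [198.51.100.5]
2010-02-28 17:58:41 1Nls5A-0004aa-AA Completed
2010-02-28 17:59:10 1Nls6Q-0004q9-KK <= <> R=1Nls6J-0004pF-G8 U=mailnull P=local S=5630
2010-02-28 17:59:10 1Nls6Q-0004q9-KK ** forged@example.com R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<forged@example.com>: host mx.example.com [203.0.113.7]: 550 5.1.1 <forged@example.com>: Recipient address rejected
2010-02-28 17:59:10 1Nls6Q-0004q9-KK Frozen (delivery error message)
2010-02-28 19:30:00 1Nlt9Z-0005zz-ZZ <= <> R=1Nlt9Y-0005zy-YY U=mailnull P=local S=4100
2010-02-28 19:30:01 1Nlt9Z-0005zz-ZZ ** other@example.com R=lookuphost T=remote_smtp: SMTP error from remote mail server after RCPT TO:<other@example.com>: host mx.example.com [203.0.113.7]: 550 no such user
"""

# timestamp, message id, flag (<= arrival, ** failed delivery), address, remainder
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (<=|\*\*) (\S+)(.*)$")

def is_bounce_sender(addr):
    """Null sender (<>) or postmaster@..., the two cases the listing text names."""
    return addr == "<>" or addr.lower().startswith("postmaster@")

def find_backscatter(log_text, incident, minutes=10):
    """Return failed remote deliveries of bounce-type messages near `incident`."""
    window = timedelta(minutes=minutes)
    bounces = {}  # bounce message id -> id of the message that triggered it (R=...)
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, msgid, flag, addr, rest = m.groups()
        if flag == "<=":
            if is_bounce_sender(addr):
                ref = re.search(r"\bR=(\S+)", rest)
                bounces[msgid] = ref.group(1) if ref else None
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if (msgid in bounces and abs(when - incident) <= window
                and "SMTP error from remote mail server" in rest):
            hits.append({"time": ts, "bounce_id": msgid, "caused_by": bounces[msgid],
                         "recipient": addr, "remote_reply": rest.split(": host ", 1)[-1]})
    return hits

if __name__ == "__main__":
    for hit in find_backscatter(SAMPLE_LOG, datetime(2010, 2, 28, 18, 0)):
        print(hit)
```

The `caused_by` ID is the message whose failure generated the bounce; searching the log for that ID shows where the original mail with the forged sender came in.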