One of my two outgoing mail servers was listed.
<tulsmtp02.willbros.com #5.0.0 X-Postfix; host sv1.westfallcomputing.com[22.214.171.124] said: 554 5.7.1 Service unavailable; Client host [126.96.36.199] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?188.8.131.52 (in reply to RCPT TO command)>
It appears to have just delisted, but a couple of hours ago returned:
184.108.40.206 listed in bl.spamcop.net (127.0.0.2)
If there are no reports of ongoing objectionable email from this system it will be delisted automatically in a short time.
Causes of listing
* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
* SpamCop users have reported system as a source of spam less than 10 times in the past week
I thought I was locked down pretty tight, but I guess I'm 0 for 2. I've done a little digging around, tightened a couple of things and I would appreciate any suggestions on where else to look.
Our incoming mail goes through Vamsoft's ORF, then Trend's IMSS before being passed to Exchange 2003. Outgoing is sent from the IMSS box. Both NAT to 220.127.116.11. They sit in the DMZ and they're not doing AD lookups, so they're not checking for valid addresses. Exchange is handling the bounces for any mail that gets through.
I don't allow OoO responses to Internet recipients, but I do send NDRs. The business wants them, and since almost all incoming spam gets dropped by ORF or quarantined with no response by IMSS, I felt most NDRs that went out from Exchange would be legit, so it hasn't been a hill I'm willing to die for. Should it be?
If these are indeed the culprit then I guess allowing ORF to do AD lookups would be a better solution for NDRs, but I anticipate a fight with the network security guys.
I did get a bunch of reports of the "greeting card" spam being caught by our anti-virus, so some may have slipped through. Workstations all run McAfee VirusScan 8.0, with port 25 blocked. The policy is enforced through ePO, but we've had VirusScan defeated before and there are sometimes non-company machines on guest networks that would get NAT'd to the same IP.
I don't see anything abnormal in the running firewall logs, but don't have a lot of history to look at. I'm now dumping to a syslog server. I've (just now) started blocking port 25 from the users and guests VLAN to the Internet, which will hopefully take care of any more reports.
Should I have received copies of these reports in my Postmaster account? I didn't see any, but it gets a lot of crud and my delete finger is sometimes a bit too quick.
Thanks for any help or advice you can offer.
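
Added example, not part of the original post: one way to use the firewall syslog feed mentioned above to find which internal hosts, other than the mail gateways, are opening SMTP connections to the Internet through the shared NAT address. The log format, all addresses, and the names `AUTHORIZED_RELAYS` and `rogue_smtp_sources` are constructed for illustration; the regex must be adapted to the firewall's real output.

```python
import re
from collections import Counter

# Constructed sample lines in an iptables-like layout (not from the post).
SAMPLE_LOG = """\
Aug 14 09:01:12 fw01 ACCEPT IN=dmz OUT=wan SRC=10.0.5.10 DST=192.0.2.25 PROTO=TCP SPT=41022 DPT=25
Aug 14 09:01:40 fw01 ACCEPT IN=users OUT=wan SRC=10.0.20.37 DST=198.51.100.7 PROTO=TCP SPT=1391 DPT=25
Aug 14 09:01:41 fw01 ACCEPT IN=users OUT=wan SRC=10.0.20.37 DST=198.51.100.9 PROTO=TCP SPT=1392 DPT=25
Aug 14 09:02:05 fw01 DROP IN=guest OUT=wan SRC=10.0.30.8 DST=203.0.113.4 PROTO=TCP SPT=2210 DPT=25
Aug 14 09:02:30 fw01 ACCEPT IN=users OUT=wan SRC=10.0.20.37 DST=192.0.2.80 PROTO=TCP SPT=1400 DPT=443
Aug 14 09:03:02 fw01 ACCEPT IN=users OUT=dmz SRC=10.0.20.44 DST=10.0.5.10 PROTO=TCP SPT=3300 DPT=25
Aug 14 09:10:15 fw01 DROP IN=users OUT=wan SRC=10.0.20.37 DST=198.51.100.7 PROTO=TCP SPT=1450 DPT=25
"""

# Assumption: the only internal hosts permitted to send SMTP to the Internet.
AUTHORIZED_RELAYS = {"10.0.5.10", "10.0.5.11"}

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) IN=\S+ OUT=(?P<out>\S+) SRC=(?P<src>\S+) "
    r"DST=\S+ PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

def rogue_smtp_sources(log_text, authorized=AUTHORIZED_RELAYS, wan_iface="wan"):
    """Count tcp/25 attempts to the Internet per unauthorized source IP.

    ACCEPT counts are connections that left via the shared NAT address;
    DROP counts are hosts still trying after the port 25 block went in.
    """
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a connection record in the expected layout
        if m["out"] != wan_iface or m["proto"] != "TCP" or m["dpt"] != "25":
            continue  # internal relay traffic or non-SMTP traffic
        if m["src"] in authorized:
            continue  # the mail gateways are expected to send
        hits.setdefault(m["src"], Counter())[m["action"]] += 1
    return hits

if __name__ == "__main__":
    for src, counts in sorted(rogue_smtp_sources(SAMPLE_LOG).items()):
        print(f"{src}: accepted={counts['ACCEPT']} dropped={counts['DROP']}")
```

A source with repeated drops after the block is in place is a host worth pulling for a malware check, whether it is a company workstation or a guest machine.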