Email blocked by Barracuda Reputation 1

I've got one user on a PC using Outlook that gets undeliverable emails from her company gmail account when sending.
554 Service unavailable; Client host [mail-io0-f174.google.com] blocked using Barracuda Reputation;
CBL lookup says our IP address has a bad reputation and maybe a botnet
IP Address 70.XX.XX.XX is listed in the CBL. It shows signs of being infected with a spam
sending trojan, malicious link or some other form of botnet.
It was last detected at 2016-03-15 19:00 GMT (+/- 30 minutes), approximately 23 hours ago.
This IP is infected (or NATting for a computer that is infected) with the Conficker
botnet.

The weird thing is that another user on the computer (a different user profile) can send email. Not sure if they tried sending to the same email address though.
Is this an email problem (Outlook) or should I go searching for botnet-infected computers??

Attached is the blacklist report from MXToolbox for the static IP address at the office. It shows three blacklists.




"Living tomorrow is everyone's sorrow.
Modern man's daydreams have turned into nightmares.
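The CBL and Barracuda listings quoted above are ordinary DNS blocklist (DNSBL) lookups: the receiving server reverses the octets of the connecting IP, appends the list's zone, and treats any 127.0.0.x A record as "listed". The following is an added example (not part of the original post) that builds those query names and interprets the answers. The resolver is injected so the block runs offline against a constructed answer table; 192.0.2.10 is a documentation address standing in for the office's static IP, and the code-to-meaning table is an assumption taken from the list operators' published return codes and must be checked against their current documentation.

```python
"""DNSBL lookup as used by a receiving MTA (added example, not from the thread)."""
import ipaddress
import socket

# Real DNSBL zone names. The return-code meanings are an ASSUMPTION copied from
# the operators' published docs at the time of writing; only the codes used
# here are listed. Verify against the operators before relying on them.
DNSBL_ZONES = {
    "b.barracudacentral.org": {"127.0.0.2": "listed in Barracuda Reputation Block List"},
    "cbl.abuseat.org": {"127.0.0.2": "listed in CBL (botnet / spam-trojan detection)"},
    "zen.spamhaus.org": {
        "127.0.0.2": "SBL",
        "127.0.0.3": "SBL CSS",
        "127.0.0.4": "XBL/CBL",
        "127.0.0.9": "SBL DROP",
        "127.0.0.10": "PBL (ISP policy)",
        "127.0.0.11": "PBL (Spamhaus)",
    },
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Return the DNSBL query name: octets reversed, then the zone appended.

    Raises ValueError for anything that is not an IPv4 address, so junk from a
    log line cannot turn into a nonsense DNS query.
    """
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def live_resolver(name: str):
    """Real DNS lookup; None means NXDOMAIN, i.e. not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, resolver=live_resolver, zones=DNSBL_ZONES) -> dict:
    """Query every zone for one IP. Value is None (not listed), a human-readable
    verdict, or an 'ignore' note when the answer is not a 127.0.0.x code."""
    results = {}
    for zone, codes in zones.items():
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer is None:
            results[zone] = None
        elif answer.startswith("127."):
            results[zone] = codes.get(answer, f"listed (unrecognised code {answer})")
        else:
            # A public address as the answer usually means a wildcarding or
            # hijacked domain, or a resolver that rewrites NXDOMAIN; that is no
            # information about the IP, so it must not be treated as a listing.
            results[zone] = f"unexpected answer {answer}; ignore"
    return results


# Constructed answer table standing in for DNS so the example runs offline.
# 192.0.2.10 (RFC 5737 documentation range) plays the office's static IP.
FAKE_DNS = {
    "10.2.0.192.cbl.abuseat.org": "127.0.0.2",
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",
}


def fake_resolver(name: str):
    """Offline stand-in for live_resolver using the constructed table."""
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for zone, verdict in check_ip("192.0.2.10", resolver=fake_resolver).items():
        print(f"{zone:24} {verdict or 'not listed'}")
```

Run it with `resolver=live_resolver` (the default) to check a real address; note that public resolvers such as 8.8.8.8 are rate-limited or refused by some DNSBL operators, so use your own recursive resolver for anything beyond an occasional manual check.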
 
Maybe the "other user" is NOT sending directly from Outlook but is routing through an SMTP server with appropriate reverse DNS entries.
Sending email directly from an ISP-provided dynamic IP is always a risky business, as you never know when you will pick up a new IP that has been 'abused' by a previous DHCP lease holder.



Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
 
But................ It's a static Comcast IP address for the whole office. So, reputation score for IP address should be the same for all computers sharing the IP via router/NAT

"Living tomorrow is everyone's sorrow.
Modern man's daydreams have turned into nightmares.
 
reputation score for IP address should be the same for all computers sharing the IP via router/NAT

Only provided that every user profile IS sending directly from that IP, rather than via an external SMTP server.






Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
 
The SMTP server setting for Outlook on all computers at the office is the same: smtp.gmail.com

The blacklist lists the actual Comcast IP address, so that is not the IP address of smtp.gmail.com. Thus, it's likely there is an SMTP server running on one of the computers via a worm (conficker?) and sending email from the Comcast IP?!?!

"Living tomorrow is everyone's sorrow.
Modern man's daydreams have turned into nightmares.
 
Then the destination server is checking ALL the IPs of the relays in the "Received" headers and blocking on the first one rather than the last one. If it were an Exim or Postfix server I could tell you how to not include the initial connection, but I do not know if that can be done on gmail servers.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
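The distinction in the post above, between the host that actually connects to the destination server and the hosts recorded earlier in the chain, is visible in the Received headers. The following is an added example, not from the thread, that walks that chain for a message submitted from Outlook through Gmail. The headers are constructed: the hostnames follow the thread (a google.com outbound relay, an Outlook client behind a Comcast NAT), but all addresses are RFC 5737 documentation ranges and the ids are made up.

```python
"""Walk a message's Received chain to find every relay IP (added example)."""
import re
from email import message_from_string

# Constructed sample. Gmail records the submitting client's IP in the Received
# header it adds for the authenticated (ESMTPSA) submission; the receiving
# server then sees only the Google host as the connecting client.
SAMPLE_HEADERS = """\
Received: from mail-io0-f174.google.com (mail-io0-f174.google.com. [203.0.113.174])
\tby mx.example.net (Postfix) with ESMTPS id 3F2A1C0042
\tfor <bob@example.net>; Wed, 16 Mar 2016 10:00:01 -0700 (PDT)
Received: by mail-io0-f174.google.com with SMTP id q1so2mr3
\tfor <bob@example.net>; Wed, 16 Mar 2016 10:00:00 -0700 (PDT)
Received: from OFFICE-PC (c-192-0-2-10.hsd1.example.comcast.net. [192.0.2.10])
\tby smtp.gmail.com with ESMTPSA id k4sm5
\tfor <bob@example.net>
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
\tWed, 16 Mar 2016 09:59:59 -0700 (PDT)
From: alice@example.com
To: bob@example.net
Subject: test

body
"""

# "from <host> ... [<ip>] ... by <host>"; re.S because the value is folded
# across several lines. Headers without a bracketed IP (Gmail's internal
# "Received: by ..." hop) carry no client address and are skipped.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+)",
    re.S,
)


def received_hops(raw: str):
    """Return hops oldest-first as (from_host, ip, by_host)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append((m["from"], m["ip"], m["by"]))
    hops.reverse()  # each relay prepends its header, so the topmost is the newest
    return hops


def connecting_client(hops):
    """The host the destination MTA actually accepted the TCP connection from."""
    return hops[-1] if hops else None


def originating_client(hops):
    """The first hop recorded in the chain: here the Outlook PC behind the NAT."""
    return hops[0] if hops else None


def listed_hops(hops, blocklist):
    """Hops whose IP is in a (constructed) block list. A server that examines
    the whole chain rejects on any hit; one that checks only the connecting
    client rejects only when the last hop is listed."""
    return [hop for hop in hops if hop[1] in blocklist]


if __name__ == "__main__":
    hops = received_hops(SAMPLE_HEADERS)
    for h in hops:
        print(f"{h[0]:28} [{h[1]:15}] -> {h[2]}")
    print("connecting client :", connecting_client(hops))
    print("originating client:", originating_client(hops))
    print("listed in chain   :", listed_hops(hops, {"192.0.2.10"}))
```

Note that the Received trail only tells you which IP a strict receiver could have objected to; it does not tell you whether that IP is listed because of this client or because of some other machine behind the same NAT, which is the question the rest of the thread turns on.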
 
Well, I have to get the customer motivated enough to have me out to scan all the computers. Shall we say that their virus protection is spotty to non-existent on some computers. Thus a virus is not out of the question!!! XP computers too!!!!

"Living tomorrow is everyone's sorrow.
Modern man's daydreams have turned into nightmares.
 
So............... I believe the problem was simply that one of the Outlook computers was set to send out email via gmail smtp server on PORT 25 and not PORT 587. So, sending email on PORT 25 is apparently a suspicious thing in these times of spammers and bots. I fixed the port and asked them to remove us from the one spam blacklist and now things have cleared up and messages go through + no listings on any blacklist.

I can give "credit" to MYSELF for leaving the SMTP port at 25 when configuring Outlook unless somebody else came along and changed it.

"Living tomorrow is everyone's sorrow.
Modern man's daydreams have turned into nightmares.
 
So, sending email on PORT 25 is apparently a suspicious thing in these times of spammers and bots.

Only with some ISPs and if the port 25 traffic is not destined for their own SMTP relays. Port 25 at gmail accepts incoming connections and will relay if you have set the gmail account to "accept less secure MUAs". It may be just Outlook being 'helpful', after getting a "soft failure" at gmail, and using the local DNS resolver to route directly to the recipient's MX. 'Mail' on Apple Macs goes through a similar 'helpful process' where it will cycle through the 'known' SMTP servers should the one specified in the account fail for any reason, and the user has not bound one specific SMTP server to the account.
The result then being that ALL mail servers are flagged as 'off-line' because the account credentials were refused at the "foreign" mail server.

Note to all MUA developers:

Do NOT make your application 'helpful' ... ... Because it rarely is, just throw up an error and let a thinking being 'decide' what to do about it.
AND when you throw up an error dialogue DO NOT make the 'password box' to have focus in the dialogue as default, because if [we] happen to be typing something else and the modal alert dialogue 'steals' focus, 'Bingo!' [we] have just overwritten the saved password.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
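The two posts above describe three different things an internal host can be doing on port 25: submitting to the configured relay on the wrong port (the Outlook fix), a client quietly falling back to direct-to-MX delivery after a soft failure, and a spam bot fanning out to many MX hosts. Which one it is decides whether the answer is a port change or a malware scan. The following is an added example, not from the thread, that sorts the hosts behind a NAT into those cases from gateway connection logs. The key=value log format and the RELAY_IPS set (standing in for whatever smtp.gmail.com resolves to) are assumptions; resolve the relay yourself and adapt the regex to your gateway.

```python
"""Classify hosts behind a NAT by their outbound SMTP behaviour (added example)."""
import re
from collections import defaultdict

RELAY_IPS = {"203.0.113.5", "203.0.113.6"}  # ASSUMPTION: what smtp.gmail.com resolved to
SUBMISSION_PORTS = {587, 465}

# Constructed gateway log, documentation addresses only. .37 submits on 587
# (fine), .52 uses the relay but on port 25 (the thread's misconfigured
# Outlook), .60 touches one unrelated host on 25 (worth a look), .88 fans out
# to many unrelated hosts on 25 (what a spam bot doing direct-to-MX looks like).
LOG = """\
2016-03-15T18:40:02Z action=allow proto=tcp src=192.168.1.37 dst=203.0.113.5 dport=587
2016-03-15T18:41:10Z action=allow proto=tcp src=192.168.1.52 dst=203.0.113.5 dport=25
2016-03-15T18:41:44Z action=allow proto=tcp src=192.168.1.52 dst=203.0.113.6 dport=25
2016-03-15T18:41:50Z action=allow proto=tcp src=192.168.1.60 dst=198.51.100.7 dport=25
2016-03-15T18:42:01Z action=allow proto=tcp src=192.168.1.88 dst=198.51.100.10 dport=25
2016-03-15T18:42:02Z action=allow proto=tcp src=192.168.1.88 dst=198.51.100.11 dport=25
2016-03-15T18:42:02Z action=allow proto=tcp src=192.168.1.88 dst=198.51.100.12 dport=25
2016-03-15T18:42:03Z action=allow proto=tcp src=192.168.1.88 dst=198.51.100.13 dport=25
2016-03-15T18:42:05Z action=allow proto=tcp src=192.168.1.88 dst=203.0.113.5 dport=25
2016-03-15T18:43:00Z action=allow proto=tcp src=192.168.1.37 dst=198.51.100.80 dport=443
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")


def classify(log: str, relay_ips=RELAY_IPS, fanout_threshold=3) -> dict:
    """Map each internal source to one verdict:
    submission-ok      : only talks to the relay on 587/465
    relay-on-25        : reaches the relay, but on 25; move the MUA to 587
    port-25-to-unknown : a few port-25 hits elsewhere; check for MX fallback
    direct-to-mx       : port-25 fan-out to many hosts; isolate and scan
    """
    relay_25 = defaultdict(int)
    foreign_25 = defaultdict(set)
    submission = set()
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if dport in SUBMISSION_PORTS and dst in relay_ips:
            submission.add(src)
        elif dport == 25:
            if dst in relay_ips:
                relay_25[src] += 1
            else:
                foreign_25[src].add(dst)
    verdicts = {}
    for src in submission | set(relay_25) | set(foreign_25):
        if len(foreign_25.get(src, ())) >= fanout_threshold:
            verdicts[src] = "direct-to-mx"
        elif src in foreign_25:
            verdicts[src] = "port-25-to-unknown"
        elif src in relay_25:
            verdicts[src] = "relay-on-25"
        else:
            verdicts[src] = "submission-ok"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify(LOG).items()):
        print(f"{src:15} {verdict}")
```

The fan-out count, not the raw number of port-25 connections, is what separates a bot from a misconfigured client: a client bound to one relay hits one or two addresses, a bot hits one per recipient domain. Once the host is found, an egress rule on the gateway that allows outbound 25 only to the relay (or not at all, with everyone on 587) stops a repeat from quietly getting the shared IP listed again.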
 
Wow - that's some interesting background. Detecting a bit of bitterness however!

"Living tomorrow is everyone's sorrow.
Modern man's daydreams have turned into nightmares.
 
Ooh no, no bitterness, just the hope of getting the odd mid-week 'sleep-in' without somebody needing to reset their password :)

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
 