Problem solve Get help with specific problems with your technologies, process and projects.

Email returns: Am I on the blacklist?

In the last week I have been receiving numerous returned messages with my name (I am the Network Administrator). These messages are as follows:

From: Net admin
Date: August 29, 2001 3:34 PM
To: Net admin
Subject: Notification: Outbound Mail Failure - A protocol error occurred.

A mail message was not sent due to a protocol error.

553 Sorry, netadco@xxxx.com has been banned from this site. The message that caused this notification was:

TO: ycs@hotmail.com; ycs@joymail.com; ycs@mail.com...and so on and so forth.

I have contacted my ISP, but so far they have ignored my phone calls. I can delete these messages easily, but I would like to stop receiving them. I checked and I have relaying turned off on the email server. I am running NT 4.0 on the server (SP 6a with lastest patch from Microsoft applied), and Exchange 5.5 SP 3 on email server. Messages are sent in clusters of approximately 500 or more every couple days.

Is this something on my system or is this happening on the ISP's server? They did admit that they were having problems with a virus on their server, but would not specify or explain anything else. I searched on Microsoft Knowledge base and found nothing that would explain this. Any help would be appreciated.
You're probably familiar with UCE (unsolicited commercial email), also known as "spam." Spammers use a technique called mail relaying to disguise the true origin of their messages by "bouncing" them off of a mail server that has been improperly configured to allow relaying to occur.

In an effort to "self-police" the Internet, there are a few organizations (such as the Mail Abuse Prevention System, or MAPS - www.mail-abuse.org) that regularly test sites for open relays, notify those sites of the problem, and then list those sites on a "blacklist" until the problem is fixed. In an effort to reduce the amount of spam received, many networks/ISPs will block *all* mail from blacklisted sites. In other cases, receiving systems will tweak their mail configuration to simply reject messages that look suspicious (header information that may indicate spam or relayed mail).

It's difficult to tell without additional information (mail headers, etc.), but there are a couple of reasons you may be receiving those messages:

  1. Your site has an open mail relay and has been added to a blacklist. In this case, the error messages are being sent to you from the remote (receiving) system. You will need to check your Exchange server to make sure it is not relaying mail. You can check the MAPS site to see if you are on their list. MAPS or the MS Knowledge Base can give you information on how to test your server and block relaying. You will have to block relaying and then contact the organization that blacklisted you in order to be removed.
  2. Your ISP has been added to a blacklist. Same as above, only your ISP will have to resolve the problem.
  3. Your end users are attempting to send personal mail (i.e., mail NOT originating in your domain) through your (or your ISP's) mail server, to a receiving server that has been configured to reject relayed mail. This is becoming more common as users configure work computers to access personal mail (clever users can configure their mail client to point to a personal account; less clever ones can still use the web to access Hotmail and Yahoo accounts). In this case, your user tries to send a personal message (from user@my-pesonal-isp.net). But, they are on your corporate network, so the message is sent from your (or your ISP's, depending on your setup) mail server: in other words, from company.com. When the receiving system sees a username (@my-personal-isp.net) that doesn't match the sending domain (@company.com), it smells something fishy and rejects the message.

Good luck in resolving the issue!

This was last published in September 2001

Dig Deeper on Network Security Monitoring and Analysis

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.