Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC: Is "Reputation Backscatter" a Thing? - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Is "Reputation Backscatter" a Thing?

I recently migrated a client from a 10mbps internet uplink to a new 100mbps uplink with a wireless 10mbps backup.  As part of this, they of course got new IP addresses.

Like the thorough, some would say compulsive person I am, before we migrated I did all the right things:

  • Tested both uplinks to make sure they were working
  • Be sure that I had access to ISP support for both uplinks
  • shortened the DNS TTL to ensure that when we migrated our DNS changes would propogate quickly
  • Checked the IP addresses for SMTP Blacklisting (more on this later).

As expected, the migration went smoothly.  Until the next morning.   My client called me bright and early, with the news  "Our users can't send email to company XYZ".  After some wrangling and some time, I got the NDR (Non Delivery Report).  By then, we had identifed 3 other organizations that would not receive our emails.

The key line in the NDR was:
#< #5.7.1 smtp; 550 5.7.1 Service unavailable; Client host [x.x.x.x] blocked using Blocklist 1; To request removal from this list please forward this message to delist@messaging.microsoft.com> #SMTP#

How could this be?  These IP addresses hadn't been used in at least 6 months!

After a bit of digging (Google really does know all), we found that this is the blacklist service employed by Microsoft Office 365.  This service is unique amongst email blacklist services in that there is no way to check your status online, so me checking in advance with MXTOOLS, Solarwinds EE or any of the other usual tools had not done me a bit of good.

Anyway, we emailed the indicated address with our problem, and asked to be removed from the list.
It soon became apparant that this blacklist service was unique in another important way.  The users of the system of course thought that this email problem was our problem.   From our perspective, the solution to the problem had to be implemented by their mail provider.  The roadblock we had was that, as far as they blacklist was concerned, *they* were the Microosft customer, not us.  So as far as the blacklist admins were concerned, we were nobody.

So, like every other blacklist service under the sun, 6 hours went by, then 12, then 18, and still no word.  We ended up having to open a paid support ticket to get ourselves off a list we never should have been on in the first place.

What did I learn?  That cloud services aren't all sunshine and lolipops?  Umm, no, I already knew that.  That Murphy (as in Murphy's Law) is great at exploiting new features and services?  I thought I knew that too, I just though I had it covered (that'll teach me !! )

The important lesson I learned (aside from the "Murphy lesson") was to add one more check in any migrations that affect email - send a test note to anyone of Office 365.

Have you had similar experiences with email migrations?  Or other gotcha's you though you had 100% covered, but not so much?  Use our comment form to let us know what problems you ran into, and how you resolved them.

===============
Rob VandenBrink
Metafore

Rob VandenBrink

489 Posts
ISC Handler
Backscatter! Boo Hiss! I found myself a few years back in the same situation because of an open relay, during a 3rd party upgrade IPSWITCH (part of license TOS) a flag was set to on during a upgrade. Sadly, we too were held hostage, paid their fee to get it removed, then got hit again, 4X!!! Going back to an earlier version and testing.. HUH? We have never been an open relay or SPAM. To add insult to injury, once removed they even showed that our IP was REMOVED but was on the list before. This did not set well with me as many of these BL sit quietly in the background and you have to spend hours hunting. AOL is another fun one especially with the amount of SPAM AOL sends out, oh the logs. For those that want direct check, here, http://www.backscatterer.org/?target=test then if you want the whole ball of wax http://www.dnsbl.info/dnsbl-database-check.php Thanks Rob.. as I POUND my keys, I thought I was over it. Anyone I could vent my displeasure with I did, results, Negative Ghost Rider! Now, they are bookmarked and are #1 to be checked and others each day.

On the positive side, GREAT article Rob! Hope others do not get trapped into the same hostage payout. The cost is cheap, the amount of lost emails is 100X worse and there is no spooling, it is lost into the vacuum of digital space.
ICI2Eye

52 Posts
+1 for Boo! Hiss! It's quite common for one of my users to submit a helpdesk ticket, "So and so is trying to email me and the spam filter is blocking them. Fix it!" I investigate, and usually find that their IP address has been blocked by one of the black lists. Sometimes the person has been compromised and is blasting spam and sometimes they just had the the bad luck to pick up an IP from their ISP that had been blasting in the past. I try to explain this to my user, and sometimes the user is nice about it. Once in a while it's, "I don't care what your problem is, I need that email. Fix it!" Grrrr. It would be nice if I had time to clean the machine and black listings of every person who needs to email us, but I don't.
John

88 Posts
Well, after fighting with it for about a month I became rather adept with Backscattering and its functionality. The DNSBL I posted is a start, a quick log scan will show the machine. Yes it would be nice that we all could work off the "gold standard" but that is Utopian. What at one time was a reverse "HELO" is now considered as backscatter. So some companies do not want you to check "are you who you say you are or spoof"? So in some ways they continue the SPAM.. but then again, how else does one generate $$$!
ICI2Eye

52 Posts

Sign Up for Free or Log In to start participating in the conversation!