Kerio claims IP is black listed
  •  
BudDurland

Running Kerio 6.1.4 on Windows server 2003. A few times a day, I see entries similar to this in the debug log (trimmed for brevity):

Quote:

{smtps} Server session begin; client connected from 219.151.217.143:3525
{smtps} Delaying SMTP greeting to 219.151.217.143:3525 for 19 seconds
{smtps} Sent SMTP greeting to 219.151.217.143:3525
{smtps} Command HELO mail.mrpcap.com
{smtps} Sent reply to HELO: 250 mail.mrpcap.com
{smtps} Command MAIL FROM: <yyyyyy<_at_>hotmail.com>
{smtps} Sent reply to MAIL: 250 2.1.0 Sender <yyyyyyyy<_at_>hotmail.com> ok
{smtps} Command RCPT TO: <JohnDoe<_at_>mrpcap.com>
{smtps} Sent reply to RCPT: 550 5.7.0 Your IP address is in local blacklist
{smtps} SMTP server session end


I do have a local IP black list set up. It has about 130 entries. The IP address above (219.151.217.143) is not in the black list. Why did Kerio claim it is? Is there a limit to how many black list entries I can have?

Good is better than evil because it's nicer
--Mammy Yokum
  •  
Lyle M

Someone smarter than I may chime in on this one. In your situation I would try the following (assuming the debug log is being honest):

Locate the IP Group that you have designated as your local blacklist.

Uncheck all the entries in the group (optionally, you could just select a null IP group)

Have the sender at 219.151.217.143 send their email

IF the message is still blocked by the "local blacklist" I would suggest calling Kerio support.

IF the message is not blocked, turn back on half of your blacklist IP group and have the email sent again.

Obviously, this is the divide and conquer method and I'm sure you know how to proceed from here.

Once you find the errant IP group entry (if that's the problem) I'd be curious to know if there was a range that included the IP, or if the entry itself was corrupted.

Best of luck,
Lyle Millander
  •  
sedell

The IP address you mention is listed in a number of blacklists as it appears to be an open proxy and being abused by spammers. See http://www.dnsstuff.com/tools/ip4r.ch?ip=219.151.217.143.

Assuming you still want to accept mail from this server, check and make sure you don't have one of your blacklists on the blacklist tab named 'local'. That could cause one of the outside blacklists to look like the local blacklist in the logs.

Scott
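
Added example, not part of the thread and not Kerio code: an offline check for the two explanations offered above, namely a range or corrupted entry in the local IP group that covers the address, and an outside DNSBL answering for it. The entry syntaxes (single host, network/mask, a-b range), the sample blacklist and the zone name `dnsbl.example` are assumptions; the log lines are constructed in the format quoted in the first post.

```python
import ipaddress
import re

# Constructed sample: two log lines in the format quoted in the first post.
SAMPLE_LOG = """\
{smtps} Server session begin; client connected from 219.151.217.143:3525
{smtps} Sent reply to RCPT: 550 5.7.0 Your IP address is in local blacklist
"""

# Constructed blacklist entries; the three entry syntaxes are an assumption.
SAMPLE_BLACKLIST = [
    "203.0.113.7", "219.151.0.0/255.255.0.0",
    "198.51.100.10-198.51.100.90", "219.151.217.128/25", "not-an-ip",
]

def rejected_clients(log_text):
    """Return client IPs of sessions that ended in the 'local blacklist' 550."""
    hits, client = [], None
    for line in log_text.splitlines():
        m = re.search(r"client connected from (\d+\.\d+\.\d+\.\d+):\d+", line)
        if m:
            client = m.group(1)
        elif "550 5.7.0 Your IP address is in local blacklist" in line and client:
            hits.append(client)
    return hits

def covering_entries(ip, entries):
    """Return (matches, unparsable): entries containing ip, and corrupt ones."""
    addr, matches, bad = ipaddress.ip_address(ip), [], []
    for entry in entries:
        try:
            if "-" in entry:  # a-b range
                lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-"))
                covered = lo <= addr <= hi
            else:  # single host, CIDR, or network/netmask
                covered = addr in ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            bad.append(entry)
            continue
        if covered:
            matches.append(entry)
    return matches, bad

def dnsbl_query_name(ip, zone):
    """Name a DNSBL lookup resolves for ip: reversed octets, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone
```

Running `covering_entries` over an export of the real IP group replaces the enable-half-and-retest loop, and resolving `dnsbl_query_name` for each configured zone shows whether an outside list is the one answering.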
  •  
scottwilkins

I had a similar problem occur in my business. We have 6 locations, all with different IP addresses that access our server from those locations. One of my locations became blacklisted in a group listing (i.e. X.X.X.1 through X.X.X.255) from ORDB or SORBS, I forget which one. Nonetheless, I had to stop using those blacklists for that reason and others. I contacted them and they were very abusive and not helpful in the least. Instead of blacklisting a single IP address they prefer to blacklist an entire block of addresses, no matter who it harms. Currently I only use SpamCop and SpamHaus for blacklists and they work extremely well.
  •  
freakinvibe

I think it is SORBS, they list whole blocks of (what they believe) dynamic addresses and it is not easy to get delisted.

ORDB only list single IP addresses that are open relays. It is simple to get delisted once you have closed your relay.

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
  •  
scottwilkins

freakinvibe wrote on Fri, 14 July 2006 09:17

I think it is SORBS, they list whole blocks of (what they believe) dynamic addresses and it is not easy to get delisted.

ORDB only list single IP addresses that are open relays. It is simple to get delisted once you have closed your relay.


That's what upset me so much about their policy. Our IP addresses are static. The whole block that one of ours was in is static, commercial only addresses. The research I did found only 1 of the block that we are in actually was listed in any other blacklist, but they listed the whole block. Very poor service, just flat out lazy in fact, IMHO.

[Updated on: Fri, 14 July 2006 14:56]

  •  
BudDurland

I gave up and re-instated our ORF anti-spam server. I missed the grey listing automatic whitelist. I also created an in-house DNS black list. My in house list does block entire ranges, but usually after I determine that it's a range I should never get mail from to begin with. Plus, ORF's whitelisting lets me make exceptions.

Good is better than evil because it's nicer
--Mammy Yokum
  •  
scottwilkins

Bud, what did you do that turning off the ORBS black list in Kerio that isn't already done on Kerio? You can make your own blacklist in Kerio too. Plus you can control both blacklists and whitelists in Kerio. I'm not sure I understand what is different.

It sounds like you are still blaming Kerio for the blacklist when it was a 3rd party not Kerio that was the problem.
  •  
BudDurland

Answers, in no particular order:

I still don't know why Kerio was blacklisting the IP. All the log said was "Your IP address is in Local Blacklist". If this means Kerio thought it was in the local IP blacklist I maintain, I can assure that the IP in question was NOT in that list, so it's reasonable to fault Kerio for wrongly blacklisting. If the data came from a 3rd party (SORBS, or whoever), then the message should say ("... is in the SORBS DNSBL"). Again, a certain amount of responsibility can be directed at Kerio.

I was maintaining an IP black list in Kerio. It was up to approximately 200 entries. I am not confident that there wasn't a performance hit because of the list size. Maybe a Kerio employee could chime in and say what the practical limit (if any) is.

I set up my own DNSRBL because that way I can have both ORF and Kerio look to the same place, instead of maintaining two black lists.

At this point, ORF is blocking far more spam than Kerio does on its own. I attribute most of that to ORF's greylisting ability; I'm eagerly awaiting Kerio to get that ability. I also like being able to use regex expressions to filter spam. At $199 purchase, and $99 maintenance, it's a cheap solution.

Also, with ORF, whitelisting is automatic -- when I send an e-mail out, the destination address is automatically added to the inbound whitelist for a few days.


Good is better than evil because it's nicer
--Mammy Yokum
  •  
Kerio_ktrumbull

If you feel there is a technical issue with the product, please file a ticket if you have not already done so: http://support.kerio.com

We would be happy to take a look at your setup and troubleshoot the issue with you.

Kevin Trumbull
Kerio Technical Support Team Leader
http://support.kerio.com