I have a mx record monitor configured at mxtoolbox.com. It watches several of the blacklists to see if your mx record or server IP is listed. If it gets listed, you get an email notification.

Over the course of the last year it has been listed twice, and we were able to de-list it pretty easily.

Today, I got a notification that it was listed on backscatterer.org. I went to the URL and put it in my server's IP address and this is the text that is listed.


This IP IS CURRENTLY LISTED in our Database.
Please note that this listing does NOT mean you are a spammer, it means your mailsystem is either poorly configured or it is using abusive techniques.
This kind of abuse is known as BACKSCATTER (Misdirected Bounces or Misdirected Autoresponders or Sender Callouts). Click the links above to get clue how and why to stop that kind of abuse.

To track down what happened investigate your smtplogs near 11.04.2013 14:22 CEST +/-1 minute.

You will either find that your system tried to send misdirected bounces or misdirected autoresponders to claimed but in reality faked senders, or your system tried sender verify callouts against our members near that time.

So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM.

Reading your logs carefully it shouldn't be a big deal to figure out what caused or renewed your listing.

11.04.2013 14:22 CEST listed

A total of 1 Impacts were detected during this listing. Last was 11.04.2013 14:22 CEST +/- 1 minute.
Earliest date this IP can expire is 09.05.2013 14:22 CEST.

This IP is temporary listed.
The listing will expire automatically and free of charge 4 weeks after the last abuse is seen from that IP.
Expedited manual expressdelisting is available as an option, in case you do not want to wait for the automatic and free expiration.
You will be charged 113 USD using one of the following payment services.
WARNING: Before requesting expressdelisting make sure the problem which caused the listing is fixed, otherwise you are at risk to get listed again if new abuse becomes known.


I checked the mail.log.1 to find the date/time listed on the website and didn't see anything that looked too suspicious.

I tried to check zimbra.log, but it had already been rotated 5 times and the oldest zimbra.log.4.gz was never than the date listed on the website.

Does anybody have any ideas on how I can mitigat this?