sender mailserver found on blacklist server

I'm using Exchange Server 2003 + GFI MailEssentials 12 for spam filtering.

One of our business clients is trying to send us an email, which is filtered by GFI with "Sending mail server found on dnsbl.njabl.org". The problem is that when I do an MX query on the sender's domain I get a single IP, 195.X.X.X, which I checked against all the blacklist servers, and it's clean. But when I check the email headers I see another IP address, 81.X.X.X, which is listed on a lot of servers when I query the blacklists. The sender is not a spammer, and his emails get blocked by our GFI. I can also add him to the whitelist, but I want to know what the problem really is, as I have seen this with other clients as well.

[Header's keywords]

Our Exchange server domain is: mail.OurMailServer.org  (just for demonstration)  
sender's domain is: senderdomain.com
sender name is: senderusername
Sender's IP: 195.X.X.X
another IP in headers: 81.X.X.X (don't know where it came from, could it be the Outlook machine's IP?)

Kindly advise me on this situation, what is going on/wrong and what should I do to handle these problems in future.

Thanks a lot.


[Full Headers]

Microsoft Mail Internet Headers Version 2.0
Received: from blue11core.senderdomain.com ([195.X.X.X]) by mail.ourMailServer.org with Microsoft SMTPSVC(6.0.3790.3959);
       Thu, 30 Oct 2008 13:11:17 +0000
Received: from [81.X.X.X] (port=3138 helo=senderusername)
      by blue11core.senderdomain.com with esmtpa (Exim 4.69)
      (envelope-from <senderusername@senderdomain.com>)
      id 1KvVKZ-0006nB-RR; Thu, 30 Oct 2008 11:04:51 +0000
From: "Sender Full Name" <senderusername@senderdomain.com>
To: "''" <@ourMailServer.org>
Cc: <someone@else.com>
References: <5DD5BFD98AEF5B4FBA712AC4EA8ED8469D6499@myhost.ourMailServer.org>
Subject: RE: Receiver@ourMailServer.org - Sending mail server found on dnsbl.njabl.org - RE: Mortgage Offer
Date: Thu, 30 Oct 2008 13:10:14 -0000
Message-ID: <91C2A5BA7A4345258FED891BC307D322@senderusername>
MIME-Version: 1.0
Content-Type: multipart/mixed;
      boundary="----=_NextPart_000_0043_01C93A90.DBE17FA0"
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
Thread-Index: Ack1v+PT2kiCzQdaS5qneC953FN6lgAAFNEgANL9GqAAAHpeIABdTXAQAAAhgyAAADfG0AAC/oKw
In-Reply-To: <5DD5BFD98AEF5B4FBA712AC4EA8ED8469D6499@myhost.ourMailServer.org>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - another.senderdomain.com
X-AntiAbuse: Original Domain - ourMailServer.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - senderdomain.com
X-Source:
X-Source-Args:
X-Source-Dir:
Return-Path: senderusername@senderdomain.com
X-OriginalArrivalTime: 30 Oct 2008 13:11:17.0833 (UTC) FILETIME=[FE9F6390:01C93A90]

------=_NextPart_000_0043_01C93A90.DBE17FA0
Content-Type: multipart/related;
      boundary="----=_NextPart_001_0044_01C93A90.DBE17FA0"

------=_NextPart_001_0044_01C93A90.DBE17FA0
Content-Type: multipart/alternative;
      boundary="----=_NextPart_002_0045_01C93A90.DBE17FA0"

------=_NextPart_002_0045_01C93A90.DBE17FA0
Content-Type: text/plain;
      charset="us-ascii"
Content-Transfer-Encoding: 7bit

------=_NextPart_002_0045_01C93A90.DBE17FA0
Content-Type: text/html;
      charset="us-ascii"
Content-Transfer-Encoding: quoted-printable


------=_NextPart_002_0045_01C93A90.DBE17FA0--
------=_NextPart_001_0044_01C93A90.DBE17FA0
Content-Type: image/gif;
      name="image001.gif"
Content-Transfer-Encoding: base64
Content-ID: <image001.gif@01C93A90.D8683760>

------=_NextPart_001_0044_01C93A90.DBE17FA0
Content-Type: image/gif;
      name="image002.gif"
Content-Transfer-Encoding: base64
Content-ID: <image002.gif@01C93A90.D8683760>

------=_NextPart_001_0044_01C93A90.DBE17FA0
Content-Type: image/gif;
      name="image003.gif"
Content-Transfer-Encoding: base64
Content-ID: <image003.gif@01C93A90.D8683760>

------=_NextPart_001_0044_01C93A90.DBE17FA0
Content-Type: image/gif;
      name="image004.gif"
Content-Transfer-Encoding: base64
Content-ID: <image004.gif@01C93A90.D8683760>

------=_NextPart_001_0044_01C93A90.DBE17FA0
Content-Type: image/gif;
      name="image005.gif"
Content-Transfer-Encoding: base64
Content-ID: <image005.gif@01C93A90.D8683760>


------=_NextPart_001_0044_01C93A90.DBE17FA0--
------=_NextPart_000_0043_01C93A90.DBE17FA0
Content-Type: application/msword;
      name="abbey acs ref request - ltd co.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
      filename="abbey acs ref request - ltd co.doc"


------=_NextPart_000_0043_01C93A90.DBE17FA0--

Asked by: GuildOfDruids

simonpainter commented:
Seems they are relaying their mail via an ISP SMTP relay server; from the headers it looks like their IP is on the blacklist and their ISP isn't. Either way they need to apply to the block lists to be removed. It's worth doing a whois on the IP addresses to check who owns them before you whitelist anything.
0
 
Hugh Fraser (Consultant) commented:
The MX record points to the host used to receive mail. Outbound mail can (and in this case does) go through another host, and that's the one that mail recipients check against RBLs.
0
Question has a verified solution.
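
The hop structure discussed in this thread, as an added example that is not part of the original posts: it parses the Received chain from the question's headers, labels the connecting server versus the authenticated client, and builds the DNSBL query name for each IP. The sample uses constructed documentation-range addresses in place of the redacted 195.X.X.X and 81.X.X.X; the function names, the `resolve` parameter and the two filter policies are assumptions made for illustration, not GFI's documented behaviour.

```python
import re
import socket
from email import message_from_string

# Constructed sample: hop structure of the question's headers, with documentation-range
# IPs standing in for the redacted 195.X.X.X (relay) and 81.X.X.X (client).
SAMPLE = """\
Received: from blue11core.senderdomain.com ([192.0.2.10]) by mail.ourMailServer.org with Microsoft SMTPSVC(6.0.3790.3959);
       Thu, 30 Oct 2008 13:11:17 +0000
Received: from [198.51.100.23] (port=3138 helo=senderusername)
      by blue11core.senderdomain.com with esmtpa (Exim 4.69)
      id 1KvVKZ-0006nB-RR; Thu, 30 Oct 2008 11:04:51 +0000
From: "Sender Full Name" <senderusername@senderdomain.com>
"""

# Bracketed IPv4 of the sending peer, then the protocol keyword after "with".
HOP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+\S+\s+with\s+(\S+)", re.S)

def dnsbl_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, followed by the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """Listed if the query name resolves (DNSBLs answer inside 127.0.0.0/8)."""
    try:
        return resolve(dnsbl_name(ip, zone)).startswith("127.")
    except OSError:  # socket.gaierror (NXDOMAIN, i.e. not listed) subclasses OSError
        return False

def audit(raw, zone, resolve=socket.gethostbyname):
    """Return one dict per Received hop, newest (added by our own server) first."""
    hops = []
    for i, value in enumerate(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(value)
        if not m:
            continue
        ip, proto = m.groups()
        if i == 0:
            role = "connecting server"     # the only peer our server actually talked to
        elif proto.lower() in ("esmtpa", "esmtpsa"):
            role = "authenticated client"  # RFC 3848: trailing "A" means SMTP AUTH was used
        else:
            role = "intermediate relay"
        hops.append({"ip": ip, "role": role, "listed": is_listed(ip, zone, resolve)})
    return hops

def verdict(hops, check_all_hops):
    """Hypothetical filter policy: test only the connecting peer, or every Received IP."""
    return any(h["listed"] for h in (hops if check_all_hops else hops[:1]))
```

Calling `audit(raw_headers, "dnsbl.njabl.org")` with no `resolve` argument performs live DNS lookups against the named list; passing a stub resolver keeps the check offline.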