sender mailserver found on blacklist server

Posted on 2008-11-14
Medium Priority
Last Modified: 2012-05-05
I'm using exchange server 2003 + GFI mailessentials 12 for spam filtering.

One of our business clients is trying to send us an email which is filtered by GFI as "Sending mail server found on dnsbl.njabl.org". The problem is that when I do an MX query on the sender's domain I get a single IP, 195.X.X.X, which I checked against all the blacklist servers, and it is clean. But when I check the email header I see another IP address, 81.X.X.X, which, when I query it in the blacklist servers, is listed in a lot of them. The sender is not a spammer, and his emails get blocked by our GFI. I could also add him to the whitelist, but I want to know the reason: what really is the problem, as I have seen this with other clients as well.

[Header's keywords]

Our Exchange server domain is: mail.OurMailServer.org (just for demonstration)
Sender's domain is: senderdomain.com
Sender name is: senderusername
Sender's IP: 195.X.X.X
Another IP in headers: 81.X.X.X (don't know where it came from; could be the Outlook machine's IP?)

Kindly advise me on this situation, what is going on/wrong and what should I do to handle these problems in future.

Thanks a lot.

[Full Headers]

Microsoft Mail Internet Headers Version 2.0
Received: from blue11core.senderdomain.com ([195.X.X.X]) by mail.ourMailServer.org with Microsoft SMTPSVC(6.0.3790.3959);
       Thu, 30 Oct 2008 13:11:17 +0000
Received: from [81.X.X.X] (port=3138 helo=senderusername)
      by blue11core.senderdomain.com with esmtpa (Exim 4.69)
      (envelope-from <senderusername@senderdomain.com>)
      id 1KvVKZ-0006nB-RR; Thu, 30 Oct 2008 11:04:51 +0000
From: "Sender Full Name" <senderusername@senderdomain.com>
To: "''" <@ourMailServer.org>
Cc: <someone@else.com>
References: <5DD5BFD98AEF5B4FBA712AC4EA8ED8469D6499@myhost.ourMailServer.org>
Subject: RE: Receiver@ourMailServer.org - Sending mail server found on dnsbl.njabl.org - RE: Mortgage Offer
Date: Thu, 30 Oct 2008 13:10:14 -0000
Message-ID: <91C2A5BA7A4345258FED891BC307D322@senderusername>
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
Thread-Index: Ack1v+PT2kiCzQdaS5qneC953FN6lgAAFNEgANL9GqAAAHpeIABdTXAQAAAhgyAAADfG0AAC/oKw
In-Reply-To: <5DD5BFD98AEF5B4FBA712AC4EA8ED8469D6499@myhost.ourMailServer.org>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - another.senderdomain.com
X-AntiAbuse: Original Domain - ourMailServer.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - senderdomain.com
Return-Path: senderusername@senderdomain.com
X-OriginalArrivalTime: 30 Oct 2008 13:11:17.0833 (UTC) FILETIME=[FE9F6390:01C93A90]

Content-Type: multipart/related;

Content-Type: multipart/alternative;

Content-Type: text/plain;
Content-Transfer-Encoding: 7bit

Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

Content-Type: image/gif;
Content-Transfer-Encoding: base64
Content-ID: <image001.gif@01C93A90.D8683760>

Content-Type: image/gif;
Content-Transfer-Encoding: base64
Content-ID: <image002.gif@01C93A90.D8683760>

Content-Type: image/gif;
Content-Transfer-Encoding: base64
Content-ID: <image003.gif@01C93A90.D8683760>

Content-Type: image/gif;
Content-Transfer-Encoding: base64
Content-ID: <image004.gif@01C93A90.D8683760>

Content-Type: image/gif;
Content-Transfer-Encoding: base64
Content-ID: <image005.gif@01C93A90.D8683760>

Content-Type: application/msword;
      name="abbey acs ref request - ltd co.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
      filename="abbey acs ref request - ltd co.doc"


Question by:GuildOfDruids

Accepted Solution

simonpainter earned 2000 total points
ID: 22958403
Seems they are relaying their mail via an ISP SMTP relay server; from the headers it looks like their IP is on the blacklist and their ISP's isn't. Either way, they need to apply to the block lists to be removed. It's worth doing a whois on the IP addresses to check who owns them before you whitelist anything.

Expert Comment

by:Hugh Fraser
ID: 22958725
The MX record points to the host used to receive mail. Outbound mail can (and in this case does) go through another host, and that's the one that mail recipients check against RBLs.
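The two replies above describe the same mechanism: the MX record names the host that receives mail, while the Received chain in the posted headers shows the message actually entered the sender's system from 81.X.X.X over an authenticated session ("with esmtpa" is Exim's tag for ESMTP plus SMTP AUTH, so that hop is a mail client submitting through its provider's relay, not a mail server) before blue11core.senderdomain.com handed it to Exchange. A filter that only tests the connecting address would see 195.X.X.X; one that walks every Received line also tests 81.X.X.X, which is what GFI evidently did here. The script below is an added example, not code from the thread or from GFI or Exim: it unfolds the headers, pulls the IP and "by" host from each Received line, builds the reversed-octet DNSBL query name for each address, and reports which hop was the connecting MTA. The header text and addresses are constructed (RFC 5737 documentation ranges stand in for the redacted 195.X.X.X and 81.X.X.X), and the resolver is injectable so the offline demo uses a constructed lookup table; pass `socket.gethostbyname` to query a live zone. The zone name from the thread, dnsbl.njabl.org, is kept for the demo but that list has since been shut down, so for a real query substitute a maintained zone and respect its usage policy.

```python
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample modelled on the Received lines quoted in the question.
# The thread's real addresses were redacted, so documentation ranges are used:
# 192.0.2.10 stands in for 195.X.X.X and 198.51.100.77 for 81.X.X.X.
SAMPLE_HEADERS = """\
Received: from blue11core.senderdomain.com ([192.0.2.10]) by mail.ourMailServer.org with Microsoft SMTPSVC(6.0.3790.3959);
       Thu, 30 Oct 2008 13:11:17 +0000
Received: from [198.51.100.77] (port=3138 helo=senderusername)
      by blue11core.senderdomain.com with esmtpa (Exim 4.69)
      (envelope-from <senderusername@senderdomain.com>)
      id 1KvVKZ-0006nB-RR; Thu, 30 Oct 2008 11:04:51 +0000
From: "Sender Full Name" <senderusername@senderdomain.com>
"""

IPV4 = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")


def unfold(headers: str) -> List[str]:
    """Join RFC 5322 folded header lines so each header becomes one string."""
    lines: List[str] = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines


def received_hops(headers: str) -> List[Dict[str, object]]:
    """Return the Received chain, topmost (the hop nearest the recipient) first.

    Each hop records the address that connected, the host that accepted the
    message ('by'), and whether Exim tagged the session as authenticated
    ('with esmtpa'), which marks a mail client submitting via its provider.
    """
    hops: List[Dict[str, object]] = []
    for line in unfold(headers):
        if not line.lower().startswith("received:"):
            continue
        m_ip = IPV4.search(line)
        m_by = re.search(r"\bby\s+(\S+)", line)
        hops.append({
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None,
            "authenticated": " with esmtpa" in line.lower(),
        })
    return hops


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name for an IPv4 DNSBL: octets reversed, zone appended."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def dnsbl_listed(ip: str, zone: str,
                 resolve: Callable[[str], str] = socket.gethostbyname) -> Optional[str]:
    """Return the A record if the address is listed in the zone, else None.

    A DNSBL answers NXDOMAIN for unlisted addresses, which gethostbyname
    surfaces as socket.gaierror; any A record (typically 127.0.0.x) means listed.
    """
    try:
        return resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return None


def classify(headers: str, zone: str,
             resolve: Callable[[str], str] = socket.gethostbyname) -> Dict[str, Dict[str, object]]:
    """Per hop address: its role in the chain and its DNSBL result.

    Hop 0 is the MTA that connected to us and is what a filter testing only
    the connecting address sees; deeper hops are only hit by a filter that
    walks every Received line, which is how an authenticated client's own
    address (often a dynamic one) ends up being the address that is listed.
    """
    result: Dict[str, Dict[str, object]] = {}
    for i, hop in enumerate(received_hops(headers)):
        ip = hop["ip"]
        if not isinstance(ip, str):
            continue
        result[ip] = {
            "role": "connecting MTA" if i == 0 else "upstream hop",
            "by": hop["by"],
            "authenticated": hop["authenticated"],
            "listed": dnsbl_listed(ip, zone, resolve),
        }
    return result


def demo_resolver(name: str) -> str:
    """Constructed offline stand-in for DNS: lists only the client hop."""
    if name == "77.100.51.198.dnsbl.njabl.org":
        return "127.0.0.3"
    raise socket.gaierror(f"NXDOMAIN {name}")


if __name__ == "__main__":
    for ip, info in classify(SAMPLE_HEADERS, "dnsbl.njabl.org", demo_resolver).items():
        print(f"{ip:16} {info['role']:15} by={info['by']} "
              f"auth={info['authenticated']} listed={info['listed']}")
```

Run as-is it prints the offline verdict for both hops; to test a live list, call `classify(headers, "<zone>")` with the default resolver. Whether the listed address matters then depends on its role: a listed connecting MTA is the relay's problem to clear with the list operator, while a listed authenticated client address behind a clean relay is the situation the thread describes, and whitelisting the relay rather than the sender keeps the exception tied to the host you actually accept mail from.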
