Solved
Interpreting a blacklist error message

Posted on 2009-03-30
Last Modified: 2013-12-09
Hello,

I have 4 users who have received the same e-mail from a person at wellsfargo.com.  All four of these people have e-mail accounts on our server.  Two of the four get their e-mail forwarded to their Roadrunner account and the other two just keep their mail on our server.

The two that the wellsfargo person is mailing that are getting their mails forwarded to @carolina.rr.com accounts get the following bounceback.

  FWD, Agents Name on 3/28/2009 11:02 AM
            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.

            <DMAMAIL.dm.local #5.5.0 smtp;550 Sender Personatwellsfargo@wellsfargo.com is blacklisted>

I've been on the line with Roadrunner tech support and I pulled all the server IPs listed in an MX record nslookup and checked each with Spamhaus, as well as had the tech support check them.  They are all coming back as not blocked?

Am I reading this wrong?  Is something other than the Roadrunner mail server generating that blacklist message?   We don't use a blacklist service ourselves.

I should also mention we employ a spam filtering service called electricmail.com, and I've talked with them and they assure us that they do not have the wellsfargo person blacklisted, and that it's not their server doing it anyway, since it's a forward it's going directly to the RR servers.

Any help or advice please?
Question by:JamesBTaylor
12 Comments
 

Author Comment

by:JamesBTaylor
ID: 24019726
Ok, more data.

The roadrunner tech has interpreted the above message that our mail server is sending that blacklist message before the e-mail is even forwarded.  Meaning it's coming from our local exchange server.

I have no clue why this is?  We do not pay or subscribe to ANY blacklist services...so I really need some help figuring out where the heck this message could be coming from.
0
 
LVL 7

Expert Comment

by:C-Shadows
ID: 24019780
Instead of forwarding the mail, have you tried copying the contents and creating a new email... this will help you to narrow down whether the history in the header is the cause for the blacklist block....

And also please explain briefly how the mail is routed....

from where -> whom,

and who is forwarding it where ?
0
 
LVL 7

Expert Comment

by:C-Shadows
ID: 24019792
This might be the cause....

http://en.wikipedia.org/wiki/Open_mail_relay
0

Author Comment

by:JamesBTaylor
ID: 24019798
Sorry, more data, I should have lumped all this together.

On our Exchange server, under message delivery properties I have the following set.

Recipient Filtering:
There are no recipient filter rules, but "filter recipients who are not in directory" is checked

Sender ID Filtering:  Accept

Sender Filtering:
No Filters

Intelligent Message Filtering:
Threshold: 9
Block message with SCL greater than 8
When blocking messages:  No Action
Move messages with an SCL rating greater than 8

0
 
LVL 7

Expert Comment

by:C-Shadows
ID: 24019818
Better go for a better port scan which can identify if there is any vulnerable port which is open...

http://security.symantec.com

Run a security scan.... and then a virus scan...
0
 

Author Comment

by:JamesBTaylor
ID: 24019859
Our mail server is not an open relay.  I've firewalled it off and only accept inbound connections from the IP range of our spam filter service.  I don't even allow our guys to use POP3 with our server if they aren't inside the company or connected through a VPN.

Also, for the routing, it SHOULD take the following route if everything were working correctly.

Wellsfargo mails this person at my company.
The e-mail hits our spam filter service and either passes or is quarantined
If it passes, it is delivered to our exchange server.
This person has a forward set up for them in exchange and doesn't leave a copy on the server.
That mail then gets forwarded to her roadrunner account.
End of route.

I can verify that the e-mail is hitting our spam filter service and passing to our server, but that's about it.  I can't tell if it's my server giving the blacklist (which it's really looking like at this point) or if it's Roadrunner.  And the guy I talked to at Roadrunner seemed like one of the better techs, as he didn't blow me off and checked out around 20 different IPs I pulled from the wellsfargo MX records.
0
 

Author Comment

by:JamesBTaylor
ID: 24019898
When I set up our spam filter service with firewall rules, they check to verify that we are not a relay, otherwise they would flag us themselves and stop all our inbound mail until we resolved the relay issue.

I've also tried to hit the SMTP port from telnet at my home and it's blocked.  I'm fairly confident we aren't a relay.

Either way, it's not us who is getting blacklisted.  We can e-mail people just fine.  It's the lady from Wellsfargo.  Even if we were a relay, we would not be causing her to be blacklisted.   Our server or Roadrunner (again I'm thinking it's our server somehow) is the one saying that the wellsfargo lady is blacklisted.

As another data point, I had her test.   Wellsfargo can e-mail my client at Roadrunner just fine.  I also can e-mail my client at Roadrunner from my work account just fine.  However, when an e-mail is sent to her work account which then forwards it to her Roadrunner account, the blacklisting is coming into effect.
0
 
LVL 7

Expert Comment

by:C-Shadows
ID: 24020461
For me it seems that you cannot do anything about it; it seems the block status is applied between her work account and Roadrunner account.

Ask her to check her account details with Roadrunner (ISP) whether it is in a blacklist or not....
0
 

Author Comment

by:JamesBTaylor
ID: 24020487
I checked with Roadrunner; after a good hour conversation with them they checked every IP address on the list I gave him for the wellsfargo MX records and they all came back as not blacklisted.  Our e-mail server IP, incidentally, also came back as not blacklisted.

Roadrunner is saying that our server never even tried to communicate with any other server; they're saying that it is our Exchange server that is blacklisting the account.  I'm completely stumped.
0
 

Author Comment

by:JamesBTaylor
ID: 24020744
Another data point to consider:

I've verified that the Wellsfargo person can e-mail anyone in our company just fine without hitting the blacklist.

I've verified that the wellsfargo person can e-mail directly to the carolina.rr.com account without hitting the blacklist issue.

I've verified that our domain can e-mail directly to the carolina.rr.com account without hitting the blacklisting issue.

So the individual parts are working just fine; the only time the mail gets rejected as being blacklisted is when the e-mail is forwarded from her work account to her home account?  This makes no sense at all to me.
0
 
LVL 65

Accepted Solution

by: Mestha (earned 2000 total points)
ID: 24035359
Is that an automatic forward?
If so, then it is probably spoofing controls that are rejecting the message.
The message appears to be coming from your server, which is not authorised to send email for that remote domain.

The type of email forwarding that Exchange does, keeping the header intact, will not be possible soon as the number of anti spoofing measures increases.

-M
0
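The failure path Mestha describes, modelled as an added example; this is not code from the thread, from Exchange, or from any of the providers named above. It assumes the "spoofing controls" are an SPF-style check of the connecting IP against the envelope sender's domain (the thread never names the exact mechanism, so that is an assumption), uses constructed domains, IP addresses and SPF records, and also parses the bounce line quoted in the question to show which host is reporting the 550. The third scenario, rewriting the envelope sender to the forwarding domain, is the general mitigation for header-preserving forwards and is also not something the thread itself proposes.

```python
import ipaddress
import re
from typing import Dict, Optional, Tuple

# Constructed SPF records standing in for DNS TXT lookups (not real data).
# "bank.example" plays the original sender's domain, "corp.example" the
# domain of the forwarding Exchange server.
SPF_RECORDS: Dict[str, str] = {
    "bank.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "corp.example": "v=spf1 ip4:203.0.113.10 -all",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(mail_from_domain: str, connecting_ip: str, records: Dict[str, str]) -> str:
    """Evaluate a simplified SPF record: ip4/ip6/all mechanisms only.

    include:, a, mx and exists need live DNS and are rejected by this offline model.
    Returns one of: none, pass, fail, softfail, neutral.
    """
    record = records.get(mail_from_domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            matched = True
        elif term.lower().startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = ip.version == net.version and ip in net
        else:
            raise ValueError(f"mechanism not supported offline: {term}")
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # record exhausted without a match


def deliver(envelope_from: str, connecting_ip: str,
            records: Dict[str, str] = SPF_RECORDS) -> Tuple[str, str]:
    """Model the receiving MTA: hard SPF fail is rejected, everything else accepted."""
    domain = envelope_from.rsplit("@", 1)[1]
    result = check_spf(domain, connecting_ip, records)
    if result == "fail":
        return result, f"550 Sender {envelope_from} rejected: SPF fail from {connecting_ip}"
    return result, "250 accepted"


def forward_scenarios() -> Dict[str, Tuple[str, str]]:
    """Same message, three paths to the home mailbox.

    direct:            bank's own server -> home ISP          (passes)
    forward_unchanged: bank -> corp Exchange -> home ISP, envelope sender kept (fails)
    forward_rewritten: same hop, envelope sender rewritten to the forwarder's domain (passes)
    """
    original = "someone@bank.example"
    bank_ip, corp_ip = "198.51.100.25", "203.0.113.10"
    return {
        "direct": deliver(original, bank_ip),
        "forward_unchanged": deliver(original, corp_ip),
        "forward_rewritten": deliver("forwarder@corp.example", corp_ip),
    }


# The bounce text quoted in the question. The host before '#' is the MTA that
# generated the status, which is how you tell a local rejection from a remote one.
BOUNCE_LINE = ("<DMAMAIL.dm.local #5.5.0 smtp;550 Sender "
               "Personatwellsfargo@wellsfargo.com is blacklisted>")

DSN_RE = re.compile(
    r"<(?P<reporting_mta>[^\s#]+)\s+#(?P<enhanced>\d\.\d+\.\d+)\s+"
    r"smtp;(?P<code>\d{3})\s+(?P<text>[^>]*)>"
)


def parse_dsn(text: str) -> Optional[Dict[str, str]]:
    """Split an Exchange-style DSN fragment into reporting host, codes and reason."""
    m = DSN_RE.search(text)
    if m is None:
        return None
    fields = m.groupdict()
    # A reason starting with "Sender ..." is about the envelope sender, not the relay.
    fields["subject"] = "sender" if fields["text"].lower().startswith("sender ") else "other"
    return fields


if __name__ == "__main__":
    for name, (spf, reply) in forward_scenarios().items():
        print(f"{name:18} spf={spf:8} {reply}")
    print(parse_dsn(BOUNCE_LINE))
```

Running it shows the direct and rewritten paths accepted and the header-preserving forward rejected with a 550, which is the pattern the asker observed: each leg works on its own and only the forward fails. The parsed bounce puts the reporting host on the asker's own side, consistent with Roadrunner's reading that the status was generated before any remote delivery was attempted.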
 
LVL 1

Expert Comment

by:pressonj
ID: 24041533
I am sure you have done this but just in case,

Have you checked the Quarantine Central in Electric Mail to see if the recipients have Personatwellsfargo@wellsfargo.com blacklisted?

The syntax <DMAMAIL.dm.local #5.5.0 smtp;550 Sender Personatwellsfargo@wellsfargo.com is blacklisted> shows that it is not the server that was blacklisted but the sender.  There may be a blacklist in the Quarantine Central that blacklisted the domain wellsfargo or the email address Personatwellsfargo@wellsfargo.com.

0
