

Interpreting a blacklist error message

Posted on 2009-03-30
Medium Priority
Last Modified: 2013-12-09

I have 4 users who have received the same e-mail from a person at wellsfargo.com.  All four of these people have e-mail accounts on our server.  Two of the four get their e-mail forwarded to their roadrunner account and the other two just keep their mail on our server.

The two that the wellsfargo person is mailing that are getting their mails forwarded to @carolina.rr.com accounts get the following bounceback.

  FWD, Agents Name on 3/28/2009 11:02 AM
            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.

            <DMAMAIL.dm.local #5.5.0 smtp;550 Sender Personatwellsfargo@wellsfargo.com is blacklisted>

I've been on the line with Roadrunner tech support and I pulled all the server IPs listed in a MX record nslookup and checked each with Spamhaus as well as had the tech support check them.  They are all coming back as not blocked?

Am I reading this wrong?  Is something other than the Roadrunner mail server generating that blacklist message?   We don't use a blacklist service ourselves.

I should also mention we employ a spam filtering service called electricmail.com and I've talked with them and they assure us that they do not have the wellsfargo person blacklisted and that it's not their server doing it anyway since it's a forward it's going directly to the RR servers.

Any help or advice please?
Question by: JamesBTaylor

Author Comment

ID: 24019726
Ok, more data.

The roadrunner tech has interpreted the above message that our mail server is sending that blacklist message before the e-mail is even forwarded.  Meaning it's coming from our local exchange server.

I have no clue why this is?  We do not pay or subscribe to ANY blacklist services...so I really need some help figuring out where the heck this message could be coming from.

Expert Comment

ID: 24019780
Instead of forwarding the mail, have you tried copying the contents and creating a new email... this will help you to narrow down, whether the history in the header is the cause for the black list block....

And also please explain briefly how the mail is routed....

from where -> whom,

and who is forwarding it where ?

Expert Comment

ID: 24019792
This might be the cause....


Author Comment

ID: 24019798
Sorry, more data, I should have lumped all this together.

On our exchange server, under message delivery properties I have the following set.
Recipient Filtering:
There are no recipient filter rules, but the filter recipients who are not in directory is checked

Sender ID Filtering:  Accept

Sender Filtering:
No Filters

Intelligent Message Filtering:
Threshold: 9
Block message with SCL greater than 8
When blocking messages:  No Action
Move messages with an SCL rating greater than 8


Expert Comment

ID: 24019818
Better go for a better port scan which can identify if there is any vulnerable port which is open...


Run a security scan.... and then a virus scan...

Author Comment

ID: 24019859
Our mail server is not an open relay.  I've firewalled it off and only accepted inbound connections from the IP range of our spam filter service only.  I don't even allow our guys to use POP3 with our server if they aren't inside the company or connected through a VPN.

Also, for the routing it SHOULD take the following route if everything were working correctly.

Wellsfargo mails this person at my company.
The e-mail hits our spam filter service and either passes or is quarantined
If it passes, it is delivered to our exchange server.
This person has a forward set up for them in exchange and doesn't leave a copy on the server.
That mail then gets forwarded to her roadrunner account.
End of route.

I can verify that the e-mail is hitting our spam filter service and passing to our server, but that's about it.  I can't tell if it's my server giving the blacklist (which it's really looking like at this point) or if it's roadrunner.  And the guy I talked to at roadrunner seemed like one of the better techs as he didn't blow me off and checked out around 20 different IPs I pulled from the wellsfargo MX records.

Author Comment

ID: 24019898
When I set up our spam filter service with firewall rules, they check to verify that we are not a relay, otherwise they would flag us themselves and stop all our inbound mail until we resolved the relay issue.

I've also tried to hit the SMTP port from telnet at my home and it's blocked.  I'm fairly confident we aren't a relay.

Either way, it's not us who is getting blacklisted.  We can e-mail people just fine.  It's the lady from Wellsfargo.  Even if we are a relay, we would not cause her to be blacklisted.   Our server or roadrunner (again I'm thinking it's our server somehow) is the one saying that the wellsfargo lady is blacklisted.

As another data point, I had her test.   Wellsfargo can e-mail my client at roadrunner just fine.  I also can e-mail my client at roadrunner from my work account just fine.  However, when an e-mail is sent to her work account which then forwards it to her roadrunner account, the blacklisting is coming into effect.

Expert Comment

ID: 24020461
For me it seems that you cannot do anything about it, it seems the block status is applied between her work account and roadrunner account,

Ask her to check her account details with roadrunner(ISP) whether it is in blacklist or not....

Author Comment

ID: 24020487
I checked with roadrunner, after a good hour conversation with them they checked every IP address on the list I gave him for wellsfargo MX records and they all came back as not blacklisted.  Our e-mail server IP, incidentally, also came back as not blacklisted.

Roadrunner is saying that our server never even tried to communicate with any other server, they're saying that it is our Exchange server that is blacklisting the account.  I'm completely stumped.

Author Comment

ID: 24020744
Another data point to consider:

I've verified that the Wellsfargo person can e-mail anyone in our company just fine without hitting the blacklist.

I've verified that the wellsfargo person can e-mail directly to the carolina.rr.com account without hitting the blacklist issue.

I've verified that our domain can e-mail directly to the carolina.rr.com account without hitting the blacklisting issue.

So the individual parts are working just fine, the only time the mail gets rejected as being blacklisted is when the e-mail is forwarded from her work account to her home account?  This makes no sense at all to me.

Accepted Solution

Mestha earned 2000 total points
ID: 24035359
Is that an automatic forward?
If so then it is probably spoofing controls that are rejecting the message.
The message appears to be coming from your server, which is not authorised to send email for that remote domain.

The type of email forwarding that Exchange does, keeping the header intact, will not be possible soon as the number of anti spoofing measures increases.
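
SPF is one common anti-spoofing control of the kind this answer describes, and the sketch below shows why a forward that keeps the original envelope sender fails it while direct delivery passes. This is an added example, not code from the thread: the domains, IP addresses and SPF records are constructed placeholders, the evaluator handles only the `ip4` and `all` mechanisms, and `rewrite_sender` is a hypothetical, simplified stand-in for SRS-style sender rewriting.

```python
import ipaddress

# Constructed SPF policies (placeholder domains, documentation IP ranges).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "company.example": "v=spf1 ip4:198.51.100.25 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, mail_from):
    """Evaluate the envelope sender's policy (ip4 and all mechanisms only)."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"

def rewrite_sender(mail_from, forwarder_domain):
    """Hypothetical SRS-like rewrite (real SRS also adds a hash and timestamp)."""
    local, domain = mail_from.rsplit("@", 1)
    return f"SRS0={domain}={local}@{forwarder_domain}"

def scenarios():
    sender = "person@bank.example"          # constructed envelope sender
    bank_mta, forwarder_mta = "192.0.2.10", "198.51.100.25"
    return {
        # Sender's own server delivers straight to the recipient's ISP.
        "direct": check_spf(bank_mta, sender),
        # Forwarding server connects but keeps the original MAIL FROM.
        "forwarded_original_sender": check_spf(forwarder_mta, sender),
        # Forwarding server rewrites MAIL FROM into its own domain.
        "forwarded_rewritten_sender": check_spf(
            forwarder_mta, rewrite_sender(sender, "company.example")),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The middle case mirrors the pattern reported in the thread: each direct path works, and only the forwarded path is rejected.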


Expert Comment

ID: 24041533
I am sure you have done this but just in case,

Have you checked the Quarantine Central in the electric mail to see if the recipients have Personatwellsfargo@wellsfargo.com blacklisted?

The syntax <DMAMAIL.dm.local #5.5.0 smtp;550 Sender Personatwellsfargo@wellsfargo.com is blacklisted>  showed that it is not the server that was blacklisted but the sender.  There may be a blacklist in the Quarantine Central that blacklisted the domain wellsfargo or the email address Personatwellsfargo@wellsfargo.com.

