
Interpreting a blacklist error message


I have 4 users who have received the same e-mail from a person at wellsfargo.com.  All four of these people have e-mail accounts on our server.  Two of the four get their e-mail forwarded to their Roadrunner account and the other two just keep their mail on our server.

The two that the wellsfargo person is mailing that are getting their mails forwarded to @carolina.rr.com accounts get the following bounceback.

  FWD, Agents Name on 3/28/2009 11:02 AM
            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.

            <DMAMAIL.dm.local #5.5.0 smtp;550 Sender Personatwellsfargo@wellsfargo.com is blacklisted>

I've been on the line with Roadrunner tech support and I pulled all the server IPs listed in an MX record nslookup and checked each with Spamhaus, as well as had the tech support check them.  They are all coming back as not blocked?

Am I reading this wrong?  Is something other than the Roadrunner mail server generating that blacklist message?   We don't use a blacklist service ourselves.

I should also mention we employ a spam filtering service called electricmail.com. I've talked with them and they assure us that they do not have the wellsfargo person blacklisted, and that it's not their server doing it anyway: since it's a forward, it's going directly to the RR servers.

Any help or advice please?
JamesBTaylor (Author) commented:
Ok, more data.

The Roadrunner tech has interpreted the above message as meaning that our mail server is sending that blacklist message before the e-mail is even forwarded.  Meaning it's coming from our local Exchange server.

I have no clue why this is?  We do not pay or subscribe to ANY blacklist services...so I really need some help figuring out where the heck this message could be coming from.
C-Shadows (Engineer - Support) commented:
Instead of forwarding the mail, have you tried copying the contents and creating a new email... this will help you to narrow down, whether the history in the header is the cause for the black list block....

And also please explain briefly how the mail is routed....

from where -> whom,

and who is forwarding it where ?
C-Shadows (Engineer - Support) commented:
This might be the cause....

JamesBTaylor (Author) commented:
Sorry, more data, I should have lumped all this together.

On our Exchange server, under message delivery properties, I have the following set.
Recipient Filtering:
There are no recipient filter rules, but "Filter recipients who are not in the Directory" is checked

Sender ID Filtering:  Accept

Sender Filtering:
No Filters

Intelligent Message Filtering:
Threshold: 9
Block message with SCL greater than 8
When blocking messages:  No Action
Move messages with an SCL rating greater than 8

C-Shadows (Engineer - Support) commented:
Better go for a better port scan which can identify if there is any vulnerable port which is open...


Run a security scan.... and then a virus scan...
JamesBTaylor (Author) commented:
Our mail server is not an open relay.  I've firewalled it off and only accept inbound connections from the IP range of our spam filter service.  I don't even allow our guys to use POP3 with our server if they aren't inside the company or connected through a VPN.

Also, for the routing, it SHOULD take the following route if everything were working correctly.

Wellsfargo mails this person at my company.
The e-mail hits our spam filter service and either passes or is quarantined
If it passes, it is delivered to our exchange server.
This person has a forward set up for them in Exchange and doesn't leave a copy on the server.
That mail then gets forwarded to her roadrunner account.
End of route.

I can verify that the e-mail is hitting our spam filter service and passing to our server, but that's about it.  I can't tell if it's my server giving the blacklist (which it's really looking like at this point) or if it's Roadrunner.  And the guy I talked to at Roadrunner seemed like one of the better techs, as he didn't blow me off and checked out around 20 different IPs I pulled from the wellsfargo MX records.
JamesBTaylor (Author) commented:
When I set up our spam filter service with firewall rules, they check to verify that we are not a relay, otherwise they would flag us themselves and stop all our inbound mail until we resolved the relay issue.

I've also tried to hit the SMTP port from telnet at my home and it's blocked.  I'm fairly confident we aren't a relay.

Either way, it's not us who is getting blacklisted.  We can e-mail people just fine.  It's the lady from Wellsfargo.  Even if we are a relay, we would not cause her to be blacklisted.   Our server or Roadrunner (again I'm thinking it's our server somehow) is the one saying that the wellsfargo lady is blacklisted.

As another data point, I had her test.   Wellsfargo can e-mail my client at Roadrunner just fine.  I also can e-mail my client at Roadrunner from my work account just fine.  However, when an e-mail is sent to her work account, which then forwards it to her Roadrunner account, the blacklisting is coming into effect.
C-Shadows (Engineer - Support) commented:
For me it seems that you cannot do anything about it, it seems the block status is applied between her work account and Roadrunner account,

Ask her to check her account details with roadrunner(ISP) whether it is in blacklist or not....
JamesBTaylor (Author) commented:
I checked with roadrunner, after a good hour conversation with them they checked every IP address on the list I gave him for wellsfargo MX records and they all came back as not blacklisted.  Our e-mail server IP, incidentally, also came back as not blacklisted.

Roadrunner is saying that our server never even tried to communicate with any other server, they're saying that it is our Exchange server that is blacklisting the account.  I'm completely stumped.
JamesBTaylor (Author) commented:
Another data point to consider:

I've verified that the Wellsfargo person can e-mail anyone in our company just fine without hitting the blacklist.

I've verified that the wellsfargo person can e-mail directly to the carolina.rr.com account without hitting the blacklist issue.

I've verified that our domain can e-mail directly to the carolina.rr.com account without hitting the blacklisting issue.

So the individual parts are working just fine, the only time the mail gets rejected as being blacklisted is when the e-mail is forwarded from her work account to her home account?  This makes no sense at all to me.
Is that an automatic forward?
If so, then it is probably spoofing controls that are rejecting the message.
The message appears to be coming from your server, which is not authorised to send email for that remote domain.

The type of email forwarding that Exchange does, keeping the header intact, will not be possible soon as the number of anti-spoofing measures increases.

I am sure you have done this but just in case,

Have you checked the Quarantine Central in electricmail to see if the recipients have Personatwellsfargo@wellsfargo.com blacklisted?

The syntax <DMAMAIL.dm.local #5.5.0 smtp;550 Sender Personatwellsfargo@wellsfargo.com is blacklisted>  showed that it is not the server that was blacklisted but the sender.  There may be a blacklist in the Quarantine Central that blacklisted the domain wellsfargo or the email address Personatwellsfargo@wellsfargo.com.
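
The diagnostic line quoted in the question can be split into its parts to show the two things the thread argues over: which host produced the report, and whether the rejection names a sender address or an IP. This Python is an added example, not part of the original thread; the field layout `<reporting-host #enhanced-status protocol;reply>` and the names `parse_ndr`, `internal_host` and `block_target` are assumptions made here, and the second sample line is constructed.

```python
import re

# The diagnostic line as quoted in the question's bounce message.
NDR_LINE = ("<DMAMAIL.dm.local #5.5.0 smtp;550 Sender "
            "Personatwellsfargo@wellsfargo.com is blacklisted>")
# Constructed sample for contrast: a rejection that names an IP address.
IP_SAMPLE = "<mail.example.net #5.7.1 smtp;554 Client host 192.0.2.10 is listed>"

# Assumed layout: <reporting-host #enhanced-status protocol;reply-code reply-text>
NDR_RE = re.compile(
    r"<\s*(?P<host>\S+)\s+#(?P<enhanced>\d\.\d{1,3}\.\d{1,3})\s+"
    r"(?P<proto>[A-Za-z0-9-]+);\s*(?P<code>\d{3})[ -](?P<text>.*?)\s*>"
)
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
INTERNAL_SUFFIXES = (".local", ".lan", ".internal")


def parse_ndr(line):
    """Split an NDR diagnostic line into fields; return None if it does not match."""
    m = NDR_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    addresses = ADDR_RE.findall(fields["text"])
    ips = IPV4_RE.findall(fields["text"])
    if addresses:
        target = "sender-address"   # the reply names a mailbox, not a server
    elif ips:
        target = "ip-address"       # the reply names a connecting host
    else:
        target = "unspecified"
    fields.update(
        permanent=fields["code"].startswith("5"),   # 5xx = permanent failure
        # A non-routable name here points at a server inside the recipient's
        # own organisation as the host that wrote the report.
        internal_host=fields["host"].lower().endswith(INTERNAL_SUFFIXES),
        block_target=target,
        subjects=addresses or ips,
    )
    return fields


if __name__ == "__main__":
    for sample in (NDR_LINE, IP_SAMPLE):
        for key, value in parse_ndr(sample).items():
            print(f"{key:14} {value}")
        print()
```

For the thread's line this reports an internal reporting host and a rejection keyed on the sender address, which is why IP-based blocklist lookups of the Wells Fargo MX hosts came back clean.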
