Interpreting a blacklist error message

Posted on 2009-03-30
Last Modified: 2013-12-09
Hello,

I have 4 users who have received the same e-mail from a person at wellsfargo.com.  All four of these people have e-mail accounts on our server.  Two of the four get their e-mail forwarded to their Roadrunner account and the other two just keep their mail on our server.

The two that the wellsfargo person is mailing that are getting their mails forwarded to @carolina.rr.com accounts get the following bounceback.

  FWD, Agents Name on 3/28/2009 11:02 AM
            There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.

            <DMAMAIL.dm.local #5.5.0 smtp;550 Sender Personatwellsfargo@wellsfargo.com is blacklisted>

I've been on the line with Roadrunner tech support and I pulled all the server IPs listed in an MX record nslookup and checked each with Spamhaus, as well as had the tech support check them.  They are all coming back as not blocked?

Am I reading this wrong?  Is something other than the Roadrunner mail server generating that blacklist message?   We don't use a blacklist service ourselves.

I should also mention we employ a spam filtering service called electricmail.com and I've talked with them and they assure us that they do not have the wellsfargo person blacklisted and that it's not their server doing it anyway since it's a forward it's going directly to the RR servers.

Any help or advice please?
Question by:JamesBTaylor
12 Comments
 

Author Comment

by:JamesBTaylor
Ok, more data.

The roadrunner tech has interpreted the above message that our mail server is sending that blacklist message before the e-mail is even forwarded.  Meaning it's coming from our local exchange server.

I have no clue why this is?  We do not pay or subscribe to ANY blacklist services...so I really need some help figuring out where the heck this message could be coming from.

Expert Comment

by:C-Shadows
Instead of forwarding the mail, have you tried copying the contents and creating a new e-mail? This will help you to narrow down whether the history in the header is the cause of the blacklist block.

And also please explain briefly how the mail is routed....

from where -> whom,

and who is forwarding it where ?

Expert Comment

by:C-Shadows
This might be the cause....

http://en.wikipedia.org/wiki/Open_mail_relay

Author Comment

by:JamesBTaylor
Sorry, more data, I should have lumped all this together.

On our exchange server, under message delivery properties I have the following set.
Recipient Filtering:
There is no recipient filter rules, but the filter recipients who are not in directory is checked

Sender ID Filtering:  Accept

Sender Filtering:
No Filters

Intelligent Message Filtering:
Threshold: 9
Block message with SCL greater than 8
When blocking messages:  No Action
Move messages with an SCL rating greater than 8


Expert Comment

by:C-Shadows
Better go for a better port scan which can identify if there is any vulnerable port which is open...

http://security.symantec.com

Run a security scan.... and then a virus scan...

Author Comment

by:JamesBTaylor
Our mail server is not an open relay.  I've firewalled it off and only accept inbound connections from the IP range of our spam filter service.  I don't even allow our guys to use POP3 with our server if they aren't inside the company or connected through a VPN.

Also, for the routing, it SHOULD take the following route if everything were working correctly.

Wellsfargo mails this person at my company.
The e-mail hits our spam filter service and either passes or is quarantined
If it passes, it is delivered to our exchange server.
This person has a forward set up for them in exchange and doesn't leave a copy on the server.
That mail then gets forwarded to her roadrunner account.
End of route.

I can verify that the e-mail is hitting our spam filter service and passing to our server, but that's about it.  I can't tell if it's my server giving the blacklist (which it's really looking like at this point) or if it's Roadrunner.  And the guy I talked to at Roadrunner seemed like one of the better techs, as he didn't blow me off and checked out around 20 different IPs I pulled from the wellsfargo MX records.

Author Comment

by:JamesBTaylor
When I set up our spam filter service with firewall rules, they check to verify that we are not a relay, otherwise they would flag us themselves and stop all our inbound mail until we resolved the relay issue.

I've also tried to hit the SMTP port via telnet from my home and it's blocked.  I'm fairly confident we aren't a relay.

Either way, it's not us who is getting blacklisted.  We can e-mail people just fine.  It's the lady from Wellsfargo.  Even if we were a relay, we would not be causing her to be blacklisted.   Our server or Roadrunner (again, I'm thinking it's our server somehow) is the one saying that the wellsfargo lady is blacklisted.

As another data point, I had her test.   Wellsfargo can e-mail my client at Roadrunner just fine.  I also can e-mail my client at Roadrunner from my work account just fine.  However, when an e-mail is sent to her work account, which then forwards it to her Roadrunner account, the blacklisting comes into effect.

Expert Comment

by:C-Shadows
For me it seems that you cannot do anything about it; it seems the block status is applied between her work account and Roadrunner account.

Ask her to check her account details with roadrunner(ISP) whether it is in blacklist or not....

Author Comment

by:JamesBTaylor
I checked with Roadrunner; after a good hour's conversation with them, they checked every IP address on the list I gave him for the wellsfargo MX records and they all came back as not blacklisted.  Our e-mail server IP, incidentally, also came back as not blacklisted.

Roadrunner is saying that our server never even tried to communicate with any other server, they're saying that it is our Exchange server that is blacklisting the account.  I'm completely stumped.

Author Comment

by:JamesBTaylor
Another data point to consider:

I've verified that the Wellsfargo person can e-mail anyone in our company just fine without hitting the blacklist.

I've verified that the wellsfargo person can e-mail directly to the carolina.rr.com account without hitting the blacklist issue.

I've verified that our domain can e-mail directly to the carolina.rr.com account without hitting the blacklisting issue.

So the individual parts are working just fine, the only time the mail gets rejected as being blacklisted is when the e-mail is forwarded from her work account to her home account?  This makes no sense at all to me.

Accepted Solution

by:
Mestha earned 500 total points
Is that an automatic forward?
If so, then it is probably spoofing controls that are rejecting the message.
The message appears to be coming from your server, which is not authorised to send e-mail for that remote domain.

The type of email forwarding that Exchange does, keeping the header intact, will not be possible soon as the number of anti spoofing measures increases.

-M
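The mechanism Mestha describes above, shown as an added example (this is not code from the thread, from Exchange or from Roadrunner): the forwarding server re-sends the message from its own IP while keeping the original MAIL FROM, so the next hop's SPF check on the sender's domain fails; rewriting the envelope sender with a Sender Rewriting Scheme (SRS) address, the way later forwarders do, makes the same hop pass. Every domain, IP address, SPF record and the SRS key here are constructed for illustration, and the SPF evaluator and SRS encoding are deliberately simplified.

```python
"""Added example, not code from the thread or from Exchange or Roadrunner.
Simulates the second hop of the route in the thread (forwarder -> home ISP):
the forwarder keeps the original MAIL FROM, so the home ISP's SPF check fails;
an SRS-rewritten MAIL FROM passes. All domains, IPs, SPF records and the SRS
key are constructed for illustration."""
import hashlib
import hmac
import ipaddress

# Constructed stand-in for the DNS TXT lookups a receiving MTA would perform.
FAKE_DNS_TXT = {
    "sender.example": "v=spf1 ip4:198.51.100.0/24 -all",   # original sender's domain
    "forwarder.example": "v=spf1 ip4:203.0.113.10 -all",   # the forwarding Exchange host
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Assumed: the forwarder's secret SRS key and a fixed timestamp field.
SRS_SECRET = b"constructed-forwarder-secret"
SRS_TIMESTAMP = "TT"


def spf_check(mail_from, connecting_ip):
    """Minimal SPF evaluator: ip4 mechanisms plus a final 'all' (a small
    RFC 7208 subset). Evaluates the MAIL FROM domain against the IP that
    opened the SMTP connection."""
    domain = mail_from.rsplit("@", 1)[-1]
    record = FAKE_DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
        if term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def _srs_tag(timestamp, domain, local):
    """Truncated HMAC over the rewritten fields (real SRS base64-encodes it)."""
    msg = f"{timestamp}={domain}={local}".encode()
    return hmac.new(SRS_SECRET, msg, hashlib.sha1).hexdigest()[:4].upper()


def srs_forward(mail_from, forwarder_domain):
    """Rewrite MAIL FROM as SRS0=<tag>=<ts>=<orig-domain>=<orig-local>@forwarder,
    so the envelope sender is now a domain the forwarder's IP is allowed to use."""
    local, domain = mail_from.rsplit("@", 1)
    tag = _srs_tag(SRS_TIMESTAMP, domain, local)
    return f"SRS0={tag}={SRS_TIMESTAMP}={domain}={local}@{forwarder_domain}"


def srs_reverse(srs_address):
    """Recover the original sender so a bounce can be routed back, verifying the
    HMAC first so forged SRS addresses cannot turn the forwarder into a relay."""
    scheme, tag, ts, domain, local = srs_address.rsplit("@", 1)[0].split("=", 4)
    if scheme != "SRS0" or not hmac.compare_digest(tag, _srs_tag(ts, domain, local)):
        raise ValueError("invalid SRS address")
    return f"{local}@{domain}"


def forward_scenario(rewrite_sender):
    """Returns (MAIL FROM used on the forwarder -> home ISP hop,
    SPF result the home ISP computes for it)."""
    original_mail_from = "person@sender.example"
    forwarder_ip = "203.0.113.10"
    mail_from = srs_forward(original_mail_from, "forwarder.example") if rewrite_sender else original_mail_from
    return mail_from, spf_check(mail_from, forwarder_ip)


if __name__ == "__main__":
    print("direct send from sender's MTA:", spf_check("person@sender.example", "198.51.100.7"))
    print("forward, original MAIL FROM:  ", forward_scenario(False))
    print("forward, SRS-rewritten:       ", forward_scenario(True))
```

The three printed cases line up with the data points in the thread: the sender's domain mailing Roadrunner directly passes, the forwarder mailing on its own behalf passes, and only the forwarded copy, which carries the sender's domain from a different IP, fails. Exchange 2003, as used in the thread, forwards with the original envelope sender intact and has no SRS support, so the rewrite shown here is what a later forwarder would do.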

Expert Comment

by:pressonj
I am sure you have done this but just in case,

Have you checked the Quarantine Central in Electric Mail to see if the recipient has Personatwellsfargo@wellsfargo.com blacklisted?

The syntax <DMAMAIL.dm.local #5.5.0 smtp;550 Sender Personatwellsfargo@wellsfargo.com is blacklisted> shows that it is not the server that was blacklisted but the sender.  There may be a blacklist in the Quarantine Central that blacklisted the domain wellsfargo.com or the e-mail address Personatwellsfargo@wellsfargo.com.

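To make pressonj's reading of the NDR line concrete, here is an added parser for the Exchange-style diagnostic string quoted in the question (this is not code from the thread or from Exchange). It separates the server name that wrote the report from the RFC 3464 "smtp;" diagnostic code and the reply text, and pulls the address the reply names. The first sample line is the one quoted above; the second line and the field names are constructed for illustration.

```python
"""Added example, not code from the thread or from Exchange. Splits an
Exchange-style NDR diagnostic line of the form
  <reporting-server #enhanced-status diag-type;smtp-code text>
into its fields. NDR_LINE is copied from the question; RELAY_LINE is constructed."""
import re

NDR_LINE = "<DMAMAIL.dm.local #5.5.0 smtp;550 Sender Personatwellsfargo@wellsfargo.com is blacklisted>"
RELAY_LINE = "<MAIL01.corp.local #5.7.1 smtp;550 5.7.1 Unable to relay for someone@example.net>"  # constructed

NDR_RE = re.compile(
    r"<(?P<reporting_mta>\S+)\s+#(?P<enhanced_status>\d\.\d{1,3}\.\d{1,3})\s+"
    r"(?P<diag_type>[A-Za-z0-9-]+);(?P<smtp_code>\d{3})\s+(?P<smtp_text>[^>]*)>"
)
# The wording of this particular rejection; other servers phrase theirs differently.
SENDER_RE = re.compile(r"\bSender\s+(?P<addr>[^\s<>]+@[^\s<>]+)\s+is\s+blacklisted", re.IGNORECASE)


def parse_exchange_ndr(line):
    """Return a dict of the NDR fields, or raise ValueError if the line does not
    have the <server #x.y.z type;code text> shape."""
    m = NDR_RE.search(line)
    if not m:
        raise ValueError("not an Exchange NDR diagnostic line")
    d = m.groupdict()
    # reporting_mta is the host that wrote the report (here a dm.local name,
    # i.e. the asker's own Exchange server); smtp_text is the 550 reply it relays.
    d["reporting_mta_domain"] = d["reporting_mta"].split(".", 1)[-1]
    d["permanent"] = d["smtp_code"][0] == "5"   # 5xx = permanent failure
    s = SENDER_RE.search(d["smtp_text"])
    d["rejected_sender"] = s.group("addr") if s else None
    d["rejected_sender_domain"] = d["rejected_sender"].rsplit("@", 1)[-1] if s else None
    return d


if __name__ == "__main__":
    for line in (NDR_LINE, RELAY_LINE):
        for key, value in parse_exchange_ndr(line).items():
            print(f"{key:24s} {value}")
        print()
```

The point the parse makes visible is the one pressonj raises: the rejection text names a sender address, not an IP, so checking MX host IPs against Spamhaus cannot confirm or rule it out; the blacklist to look for is one keyed on the address or domain.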