suddendly can't send to hotmail addresses

hi,
Last week my customers could send to hotmail addresses.  this week they can't
  I have setup spf records per instructions on MS site, and vaildation tests come back okay. PTR records are correct and DNS tests come back good.  Still, can't send from my customer's email to hotmail addresses.  bounces back saying:

 Final-Recipient: rfc822;{removed email address}
Action: failed
Status: 5.0.0 (permanent failure)
Diagnostic-Code: smtp; 5.1.0 - Unknown address error 550-'OU-002 Mail rejected by Windows Live Hotmail for policy reasons. Reasons for rejection may be related to content with spam-like characteristics or IP/domain reputation problems. If you are not an email/network admin please contact your E-mail/Internet Service Provider for help. Email/network admins, please visit http://postmaster.live.com for email delivery information and support' (delivery attempts: 0)
Reporting-MTA: dns; ironportexternal.disecurityco.com

been searching and reading for over 3 & 1/2hrs.
What else could be wrong?  Thanks for help, I have a growing number of hacked off customers.

KellyOfColoradoAsked:
Who is Participating?
 
Jon BrelieConnect With a Mentor System ArchitectCommented:
FYI I don't think Hotmail relies solely on public blacklists.  Much like comcast, I believe they have their own lists that don't necessarily update from public servers in realtime.   Also, much like comcast, there is no way for you to tell if you are on their list or not.

I still say you check very carefully for holes and content and then ask to be delisted.
0
 
kennyhenaoCommented:
You are blacklisted.

http://windowslivehelp.com/community/t/26023.aspx?PageIndex=5

Go to the link and ask to have your domain removed.
0
 
tomjohansonCommented:
Go to mxtoolbox.com and check your MX records there to make sure you haven't been blacklisted anywhere.  Also, go to http://www.kitterman.com/spf/validate.html to check your SPF records.
0
Cloud Class® Course: Microsoft Azure 2017

Azure has a changed a lot since it was originally introduce by adding new services and features. Do you know everything you need to about Azure? This course will teach you about the Azure App Service, monitoring and application insights, DevOps, and Team Services.

 
Jon BrelieSystem ArchitectCommented:
Even though your SPF records might be correct, it's possible that someone complained about mail from your servers and you got blacklisted with hotmail.  If you're SURE you aren't sending spam, I would ask them to remove you.

Make sure you don't have any customers sending highly spammy message either.  Take a look at your queues and see what the content is like.

Worst case scenario:  If you are absolutely sure you don't have a problem, you can relay your mail for hotmail through another server while hotmail fixes the issue.  To do this, you need a trusting mailserver admin at another host to open up relaying for your site.  Then create an SMTP connecter to route mail destined for hotmail.com through the remote mailserver.

Be warned:  If you DO have a problem, you will end up blacklisting the site of your trusting admin too!
0
 
Jon BrelieSystem ArchitectCommented:
I cannot stress enough, the importance of making sure you don't have a problem before you ask to be delisted.

If they delist you and you get relisted, It's a lot harder to get delisted again.

more things to check
 - content of customer emails
 - volume of customer emails (sheer volume will sometimes trigger a listing.
 - outbound smtp: only your mailserver should be able to send traffic from your network on port25.  Otherwise a virus infected pc could be sending mail around your mail server.
 - relay security:  Make absolutely certain that you don't allow relaying without authentication.

There are more, but those are the big ones.
0
 
Alan HardistyCo-OwnerCommented:
Please amend you mail greeting as currently I get this back when running a domain report:
WARNING: One or more of your mailservers is claiming to be a host other than what it really is (the SMTP greeting should be a 3-digit code, followed by a space or a dash, then the host name). If your mailserver sends out E-mail using this domain in its EHLO or HELO, your E-mail might get blocked by anti-spam software. This is also a technical violation of RFC821 4.3 (and RFC2821 4.3.1). Note that the hostname given in the SMTP greeting should have an A record pointing back to the same server. Note that this one test may use a cached DNS record.

spam.disecurityco.com claims to be invalid hostname 'Welcome': <br />   220 Welcome <br />
This will most likely fail the Hotmail checks.
'Welcome' is not a correctly setup mail server name!
0
 
KellyOfColoradoAuthor Commented:
Thanks alanhardisty.  i changed the SMTP greeting per instructions I found here: http://www.vladville.com/wiki/doku.php?id=change-exchange-smtp-greeting

but no fix

Thanks to Enphyniti, I have checked blacklists, and we are not listed (actually, started there this morning).  Anyway, still not listed.

thanks tomjohanson, i have validated our spf record; it is okay. On MXToolbox, it says our MX record failed reverse DNS, but I checked our DNS server and can't find where the error is.  PTR entries are there and correct as best i can see

can someone help me understand exactly what this means:

session transcript:
HELO please-read-policy.mxtoolbox.com
250 mailgates1.disecurityco.com Hello recover.mxtoolbox.com [64.20.227.133], pleased to meet you [16 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 Ok [78 ms]
RCPT TO: <test@example.com>
550 No such domain at this location (test@example.com) [94 ms]
QUIT
221 Bye [31 ms]

I tried to change the FQDN of the virtual SMTP server to mailgates1.disecurityco.com (from email1.emailarc.com), but the test says it's not a valid DNS name.  I have an A and PTR record for this name in our DNS servers.
0
 
Alan HardistyCo-OwnerCommented:
Can you send me a quick test email to alan @ it-eye.co.uk - I use Vamsoft ORF which will reject you if you are not configured properly and can tell you why very quickly!
0
 
KellyOfColoradoAuthor Commented:
Thanks alan,  I sent you a test message.

Also, since my last message, i have:

changed the virtual smtp serve fqdn to mailgates1.disecurityco.com
changed the dns entry for mailgates1.disecurityco.com to the outside address of our firewall - which is the address outbound mail will have; this address change allowed the dns test in the virtual smtp server to return a valid test on the name

Now, when I send to my hotmail test address, it doesn't bounce.  But, it doesn't arrive in the recipient inbox either.  Progress.

-
0
 
Alan HardistyCo-OwnerCommented:
Okay - so far I temporarily rejected you!  Won't be long to find out if it gets through.  Thanks for sending one.
0
 
KellyOfColoradoAuthor Commented:
thanks for the help!  (in the middle of your night?)
0
 
Alan HardistyCo-OwnerCommented:
Got it - no problems as far as my server checks are concerned - and it is very fussy!
Your sending IP has got a Reverse DNS of iron2.emailxyzabc.com which resolves back to the same IP Address.
That IP is not Blacklisted - but then we already know that.
Your MX record is mxyourdomain.yourdomain.com and your server responds as "Welcome" still.
Presumably you have some sort of Firewall / Anti-Spam appliance receiving your mail.  That is what may be causing the problem and needs changing.
It also is restricting the ESMTP command set - so it may have either SMTP fixup enabled or the equivalent.  What is your device / firewall?
If I telnet to your IP I get the initial Welcome as the host name and then if I issue ehlo mydomain.com I get:
250-mailgatexyzabc.disecurityxyzabc.com Hello mail.mydomain.com [My IP Address], pleased to meet you
250-PIPELINING
250-SIZE 20000000
250-8BITMIME
250 HELP
I should be seeing something more like:
250-mail.mydomain.com Hello [My IP Address]
250-TURN
250-SIZE 10485760
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
0
 
Alan HardistyCo-OwnerCommented:
It's nearly 11pm - still a few hours to go before I turn in ;-)
I tried to reply to your email and got this:
you@yourdomain.com
A problem occurred during the delivery of this message to this e-mail address. Try sending this message again. If the problem continues, please contact your helpdesk.
 
Diagnostic information for administrators:
 
Generating server: mailgatexyzabc.disecurityxyzabc.com (domain name disguised by me)
 
you@yourdomain.com
#< #5.0.0 X-Spam-&-Virus-Firewall; mail for [172.25.125.175]:25 loops back to myself> #SMTP#
What is going on at your end?
0
 
KellyOfColoradoAuthor Commented:
*eesh*  you work hours like i do.  (that'll make you old soon ;)

not sure what's happening here.  inbound mail goes through a Barracuda Spam filter, but we have no reports of problems on inbound mail.
 
the generating server you reference (thanks for the disguise) is what was in the diags from mxtoolbox and I recently changed the virtual smtp server's fqdn to this as well as setting the A and PTR records for this to match the firewall outside interface, which gets assigned to all outbound traffic.

thoughts?
0
 
KellyOfColoradoAuthor Commented:
please try again.  the changes i made ultimately broke evrything.  changed back to before i messed around
0
 
Alan HardistyCo-OwnerCommented:
I am at home - work is in the garden - but the commute is great!  Self-employed too and I love what I do - could I be any happier ;-)  Grey hairs already kicking in and that's just from the kids!
The mail for [172.25.125.175]:25 loops back to myself part is weird.  What is going on with the Barracuda and 172.25.125.175?  Are they one and the same?
Presumably you have Internet > Barracuda > Exchange / Mail Server?  Is this correct?
0
 
Alan HardistyCo-OwnerCommented:
2nd attempt on it's way - hopefully.
0
 
KellyOfColoradoAuthor Commented:
sounds like a good life.


you are correct.  Barracuda is between Internet and Exchange.

0
 
Alan HardistyCo-OwnerCommented:
FYI - this is the 2nd EE question about problems with Hotmail in 2 days - the other is happier now - but nothing exciting changed other than disabling authenticated relaying.
I am wondering if they screwed something up and are slowly fixing the problem.
0
 
Alan HardistyCo-OwnerCommented:
Did you click on the link in the rejection and follow it to :
http://postmaster.live.com/Troubleshooting.aspx 
Are you using Symantec Anti-Virus Corporate v9 ?
0
 
KellyOfColoradoAuthor Commented:
now there's a thought.  All was okay far as I was aware until this morning.  Got IM from one of our support techs (working from home today myself) that two customers had called in with trouble getting mail to the hotweenies.
I've been reasearching, adjusting and testing for nearly 6hrs now without any progress to speak of.

0
 
Alan HardistyCo-OwnerCommented:
Short-term you could setup a new SMTP connector using your ISP's smart host and just set the Address Space to hotmail.com.
What flavour of Exchange have you got?
0
 
KellyOfColoradoAuthor Commented:
not sure what host to use.  Our ISP is Qwest, but I don't have account info quickly available.

We're running Exchange 2003
0
 
Alan HardistyCo-OwnerCommented:
Are you able to call them?  You should be able to just add their mail server name and not need authentication as you are on their connection.
FYI - Create a connector in Exchange 2003: http://technet.microsoft.com/en-us/library/aa996625(EXCHG.65).aspx
0
 
Alan HardistyCo-OwnerCommented:
Any joy with the connector or calling Hotmail?
0
 
KellyOfColoradoAuthor Commented:
yes, thanks.  It was hotmail's blacklist all along.  they cleared us and all is well.

Gracias to all
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.