Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

suddendly can't send to hotmail addresses

Posted on 2009-12-22
26
Medium Priority
?
1,116 Views
Last Modified: 2013-12-17
hi,
Last week my customers could send to hotmail addresses.  this week they can't
  I have setup spf records per instructions on MS site, and vaildation tests come back okay. PTR records are correct and DNS tests come back good.  Still, can't send from my customer's email to hotmail addresses.  bounces back saying:

 Final-Recipient: rfc822;{removed email address}
Action: failed
Status: 5.0.0 (permanent failure)
Diagnostic-Code: smtp; 5.1.0 - Unknown address error 550-'OU-002 Mail rejected by Windows Live Hotmail for policy reasons. Reasons for rejection may be related to content with spam-like characteristics or IP/domain reputation problems. If you are not an email/network admin please contact your E-mail/Internet Service Provider for help. Email/network admins, please visit http://postmaster.live.com for email delivery information and support' (delivery attempts: 0)
Reporting-MTA: dns; ironportexternal.disecurityco.com

been searching and reading for over 3 & 1/2hrs.
What else could be wrong?  Thanks for help, I have a growing number of hacked off customers.

0
Comment
Question by:KellyOfColorado
  • 12
  • 9
  • 3
  • +2
26 Comments
 
LVL 6

Expert Comment

by:kennyhenao
ID: 26108158
You are blacklisted.

http://windowslivehelp.com/community/t/26023.aspx?PageIndex=5

Go to the link and ask to have your domain removed.
0
 
LVL 3

Expert Comment

by:tomjohanson
ID: 26108169
Go to mxtoolbox.com and check your MX records there to make sure you haven't been blacklisted anywhere.  Also, go to http://www.kitterman.com/spf/validate.html to check your SPF records.
0
 
LVL 16

Expert Comment

by:Jon Brelie
ID: 26108170
Even though your SPF records might be correct, it's possible that someone complained about mail from your servers and you got blacklisted with hotmail.  If you're SURE you aren't sending spam, I would ask them to remove you.

Make sure you don't have any customers sending highly spammy message either.  Take a look at your queues and see what the content is like.

Worst case scenario:  If you are absolutely sure you don't have a problem, you can relay your mail for hotmail through another server while hotmail fixes the issue.  To do this, you need a trusting mailserver admin at another host to open up relaying for your site.  Then create an SMTP connecter to route mail destined for hotmail.com through the remote mailserver.

Be warned:  If you DO have a problem, you will end up blacklisting the site of your trusting admin too!
0
NEW Veeam Backup for Microsoft Office 365 1.5

With Office 365, it’s your data and your responsibility to protect it. NEW Veeam Backup for Microsoft Office 365 eliminates the risk of losing access to your Office 365 data.

 
LVL 16

Expert Comment

by:Jon Brelie
ID: 26108201
I cannot stress enough, the importance of making sure you don't have a problem before you ask to be delisted.

If they delist you and you get relisted, It's a lot harder to get delisted again.

more things to check
 - content of customer emails
 - volume of customer emails (sheer volume will sometimes trigger a listing.
 - outbound smtp: only your mailserver should be able to send traffic from your network on port25.  Otherwise a virus infected pc could be sending mail around your mail server.
 - relay security:  Make absolutely certain that you don't allow relaying without authentication.

There are more, but those are the big ones.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26108413
Please amend you mail greeting as currently I get this back when running a domain report:
WARNING: One or more of your mailservers is claiming to be a host other than what it really is (the SMTP greeting should be a 3-digit code, followed by a space or a dash, then the host name). If your mailserver sends out E-mail using this domain in its EHLO or HELO, your E-mail might get blocked by anti-spam software. This is also a technical violation of RFC821 4.3 (and RFC2821 4.3.1). Note that the hostname given in the SMTP greeting should have an A record pointing back to the same server. Note that this one test may use a cached DNS record.

spam.disecurityco.com claims to be invalid hostname 'Welcome': <br />   220 Welcome <br />
This will most likely fail the Hotmail checks.
'Welcome' is not a correctly setup mail server name!
0
 

Author Comment

by:KellyOfColorado
ID: 26108707
Thanks alanhardisty.  i changed the SMTP greeting per instructions I found here: http://www.vladville.com/wiki/doku.php?id=change-exchange-smtp-greeting

but no fix

Thanks to Enphyniti, I have checked blacklists, and we are not listed (actually, started there this morning).  Anyway, still not listed.

thanks tomjohanson, i have validated our spf record; it is okay. On MXToolbox, it says our MX record failed reverse DNS, but I checked our DNS server and can't find where the error is.  PTR entries are there and correct as best i can see

can someone help me understand exactly what this means:

session transcript:
HELO please-read-policy.mxtoolbox.com
250 mailgates1.disecurityco.com Hello recover.mxtoolbox.com [64.20.227.133], pleased to meet you [16 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 Ok [78 ms]
RCPT TO: <test@example.com>
550 No such domain at this location (test@example.com) [94 ms]
QUIT
221 Bye [31 ms]

I tried to change the FQDN of the virtual SMTP server to mailgates1.disecurityco.com (from email1.emailarc.com), but the test says it's not a valid DNS name.  I have an A and PTR record for this name in our DNS servers.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26108740
Can you send me a quick test email to alan @ it-eye.co.uk - I use Vamsoft ORF which will reject you if you are not configured properly and can tell you why very quickly!
0
 

Author Comment

by:KellyOfColorado
ID: 26108770
Thanks alan,  I sent you a test message.

Also, since my last message, i have:

changed the virtual smtp serve fqdn to mailgates1.disecurityco.com
changed the dns entry for mailgates1.disecurityco.com to the outside address of our firewall - which is the address outbound mail will have; this address change allowed the dns test in the virtual smtp server to return a valid test on the name

Now, when I send to my hotmail test address, it doesn't bounce.  But, it doesn't arrive in the recipient inbox either.  Progress.

-
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26108779
Okay - so far I temporarily rejected you!  Won't be long to find out if it gets through.  Thanks for sending one.
0
 

Author Comment

by:KellyOfColorado
ID: 26108820
thanks for the help!  (in the middle of your night?)
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26108844
Got it - no problems as far as my server checks are concerned - and it is very fussy!
Your sending IP has got a Reverse DNS of iron2.emailxyzabc.com which resolves back to the same IP Address.
That IP is not Blacklisted - but then we already know that.
Your MX record is mxyourdomain.yourdomain.com and your server responds as "Welcome" still.
Presumably you have some sort of Firewall / Anti-Spam appliance receiving your mail.  That is what may be causing the problem and needs changing.
It also is restricting the ESMTP command set - so it may have either SMTP fixup enabled or the equivalent.  What is your device / firewall?
If I telnet to your IP I get the initial Welcome as the host name and then if I issue ehlo mydomain.com I get:
250-mailgatexyzabc.disecurityxyzabc.com Hello mail.mydomain.com [My IP Address], pleased to meet you
250-PIPELINING
250-SIZE 20000000
250-8BITMIME
250 HELP
I should be seeing something more like:
250-mail.mydomain.com Hello [My IP Address]
250-TURN
250-SIZE 10485760
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26108890
It's nearly 11pm - still a few hours to go before I turn in ;-)
I tried to reply to your email and got this:
you@yourdomain.com
A problem occurred during the delivery of this message to this e-mail address. Try sending this message again. If the problem continues, please contact your helpdesk.
 
Diagnostic information for administrators:
 
Generating server: mailgatexyzabc.disecurityxyzabc.com (domain name disguised by me)
 
you@yourdomain.com
#< #5.0.0 X-Spam-&-Virus-Firewall; mail for [172.25.125.175]:25 loops back to myself> #SMTP#
What is going on at your end?
0
 

Author Comment

by:KellyOfColorado
ID: 26108909
*eesh*  you work hours like i do.  (that'll make you old soon ;)

not sure what's happening here.  inbound mail goes through a Barracuda Spam filter, but we have no reports of problems on inbound mail.
 
the generating server you reference (thanks for the disguise) is what was in the diags from mxtoolbox and I recently changed the virtual smtp server's fqdn to this as well as setting the A and PTR records for this to match the firewall outside interface, which gets assigned to all outbound traffic.

thoughts?
0
 

Author Comment

by:KellyOfColorado
ID: 26108943
please try again.  the changes i made ultimately broke evrything.  changed back to before i messed around
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26108956
I am at home - work is in the garden - but the commute is great!  Self-employed too and I love what I do - could I be any happier ;-)  Grey hairs already kicking in and that's just from the kids!
The mail for [172.25.125.175]:25 loops back to myself part is weird.  What is going on with the Barracuda and 172.25.125.175?  Are they one and the same?
Presumably you have Internet > Barracuda > Exchange / Mail Server?  Is this correct?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26108959
2nd attempt on it's way - hopefully.
0
 

Author Comment

by:KellyOfColorado
ID: 26108982
sounds like a good life.


you are correct.  Barracuda is between Internet and Exchange.

0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26108993
FYI - this is the 2nd EE question about problems with Hotmail in 2 days - the other is happier now - but nothing exciting changed other than disabling authenticated relaying.
I am wondering if they screwed something up and are slowly fixing the problem.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26108999
Did you click on the link in the rejection and follow it to :
http://postmaster.live.com/Troubleshooting.aspx 
Are you using Symantec Anti-Virus Corporate v9 ?
0
 

Author Comment

by:KellyOfColorado
ID: 26109001
now there's a thought.  All was okay far as I was aware until this morning.  Got IM from one of our support techs (working from home today myself) that two customers had called in with trouble getting mail to the hotweenies.
I've been reasearching, adjusting and testing for nearly 6hrs now without any progress to speak of.

0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26109030
Short-term you could setup a new SMTP connector using your ISP's smart host and just set the Address Space to hotmail.com.
What flavour of Exchange have you got?
0
 

Author Comment

by:KellyOfColorado
ID: 26109100
not sure what host to use.  Our ISP is Qwest, but I don't have account info quickly available.

We're running Exchange 2003
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26109121
Are you able to call them?  You should be able to just add their mail server name and not need authentication as you are on their connection.
FYI - Create a connector in Exchange 2003: http://technet.microsoft.com/en-us/library/aa996625(EXCHG.65).aspx
0
 
LVL 16

Accepted Solution

by:
Jon Brelie earned 2000 total points
ID: 26109952
FYI I don't think Hotmail relies solely on public blacklists.  Much like comcast, I believe they have their own lists that don't necessarily update from public servers in realtime.   Also, much like comcast, there is no way for you to tell if you are on their list or not.

I still say you check very carefully for holes and content and then ask to be delisted.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 26110807
Any joy with the connector or calling Hotmail?
0
 

Author Closing Comment

by:KellyOfColorado
ID: 31669179
yes, thanks.  It was hotmail's blacklist all along.  they cleared us and all is well.

Gracias to all
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Want to know how to use Exchange Server Eseutil command? Go through this article as it gives you the know-how.
Steps to fix “Unable to mount database. (hr=0x80004005, ec=1108)”.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Suggested Courses

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question