  • Status: Solved
  • Priority: Medium
  • Security: Public

PDFs blocked as spam in Exchange 2010

Some external users, but not all, have problems sending emails with PDF attachments to our Exchange server. I have tried to recreate the error by sending PDF files with my Hotmail and Gmail accounts but I never have any trouble. This is the error the other external users get sometimes.

Delivery to the following recipient failed permanently:

    name@ourdomain.com

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 5.7.1 Message rejected as spam by Content Filtering. (state 18).

Is there a way to see exactly the reason why this message was rejected? Is there a summary somewhere in Exchange that lets me see which part of the mail gets spam points or which part of the mail is the offending part?
ishtari
1 Solution
 
Coast-IT Commented:
Have you had a look at get-agentlog?

http://technet.microsoft.com/en-us/library/aa996044.aspx

ishtari (Author) Commented:
When I type Get-AgentLog -StartDate "08/09/2010 3:20:00 PM" I get an insane amount of posts, but when I type in C:\Windows\system32>Get-AgentLog -StartDate "08/09/2010 3:20:00 PM" -EndDate "08/09/2010 4:00:00 PM" I get the following error:

[PS] C:\Windows\system32>Get-AgentLog -StartDate "08/09/2010 3:20:00 PM" -EndDate "08/09/2010 4:00:00 PM"
The location "C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\AgentLog\" doesn't contain any logs fo
r the specified time range.
Parameter name: Location
    + CategoryInfo          : InvalidArgument: (:) [Get-AgentLog], ArgumentException
    + FullyQualifiedErrorId : 7984EE63,Microsoft.Exchange.Management.AgentLog.GetAgentLog

I have tried a few different end times like "08/09/2010 3:35:00 PM" or "08/09/2010 6:00:00 PM" but I never get any results when I use the endtime parameter. I am on Central European Time with a 24h clock and the email was sent as follows:

Received: by xx.xx.xx.xx with HTTP; Wed, 8 Sep 2010 06:23:52 -0700 (PDT)
X-Originating-IP: [xx.xx.xx.xx]
From: Name <namel@domain.com>
Date: Wed, 8 Sep 2010 15:23:52 +0200

I guess I am wrong about the times or something? Could you help me with what I should write to get info about the above email?

Thanks in advance!

ishtari (Author) Commented:
Since I'm a European I mixed up the month/day part of the Get-AgentLog parameter. I found the message in question:

RunspaceId      : 65075907-bfc1-4c54-a958-5ab480332265
Timestamp       : 2010-09-08 15:24:28
SessionId       : 08CD06728FCB4F8F
IPAddress       : <ip adress>
MessageId       : <AANLkTing8Z34ffZ-WzvDEbqKfYabP_A+qS4u7DypP6Xq@mail.gmail.com>
P1FromAddress   : name@externaldomain.com
P2FromAddresses : {name@externaldomain.com}
Recipients      : {name@internaldomain.se}
Agent           : Content Filter Agent
Event           : OnEndOfData
Action          : RejectMessage
SmtpResponse    : 550 5.7.1 Message rejected as spam by Content Filtering.
Reason          : SclAtOrAboveRejectThreshold
ReasonData      : 7
Diagnostics     : DV:3.3.5705.600;SID:SenderIDStatus None

So the mail got 7 spam points and our anti-spam filter is set to reject all messages with or above the default value of 7. That is good to know, but since the first error message said that it was blocked as spam that's not so much new info to go on. Am I missing something here, or is it possible to see why/which part of the message gave it such high spam points?
 
ishtari (Author) Commented:
I tried to add the user's mail domain to our IP allow list in the Exchange 2010 anti-spam but the user's email still gets labeled as spam when he sends PDF files. If he sends mail with other attachments they get through without problems. How do I whitelist the sender's domain or how do I allow PDF files through?

Alan Hardisty (Co-Owner) Commented:
In my experience, Exchange does a bad job of filtering spam.  There are too many blacklists and not enough whitelists.

I went from Vamsoft ORF to Exchange 2010 / Forefront TMG anti-spam and all I got was people complaining mail was being rejected.

In the end, I reverted back to Vamsoft ORF and now my phones are silent.

If you want to try an alternative product, please visit www.vamsoft.com and download the trial - you won't be disappointed, nor shocked at the price of $239 per server.

ishtari (Author) Commented:
While that could be an amazing product I was looking for help with the product I got first and foremost.

Alan Hardisty (Co-Owner) Commented:
No problems - just thought I would share the info.

What do you have your SCL settings set to?

ishtari (Author) Commented:
Greater or equal to 7, the default setting

Alan Hardisty (Co-Owner) Commented:
Okay - as the attachment blocking is not a blanket block, it rules out file level attachment filtering, so it may be that the message is seen as spam.

Can the senders who are having problems send a test email through to you in exactly the same way as before (same email), just without the attachment.  Does this message arrive?

ishtari (Author) Commented:
Yes, they can even attach a Word document without problem. It's just when there is a PDF that it gets blocked. As I understood the anti-spam "IP allow list" the domains I added there wouldn't get blocked at all by the anti-spam, but they still do and the sender gets a "message blocked as spam" in return.

Alan Hardisty (Co-Owner) Commented:
Is the PDF file encrypted or password protected at all?

Can the sender send the same email with a different PDF unencrypted / password protected and does that pass through happily?

ishtari (Author) Commented:
None of the PDFs that they have tried blocked have encryption or any passwords.

Alan Hardisty (Co-Owner) Commented:
Okay - thanks.

Do any of their PDF's make it through happily?

ishtari (Author) Commented:
Some external users can always send us PDFs, some external users can never send PDFs, seems to be either or.

The only correlation I have been able to find is that if the sender uses some kind of automated system to send us PDFs (like a booking system) their PDFs are more likely to get blocked, but this is not always the case even though it seems to be more common than not.

Alan Hardisty (Co-Owner) Commented:
Okay - I was trying to see if the sender is blocked or the PDF document.

As you can receive PDF's from others, that rules out a blanket PDF block.

As you can receive PDF's from the sender this rules out the sender being blocked.

If the emails that are getting blocked are coming from an automated system - that system may be Blacklisted.  Do you know the sending IP Address from that Automated System?

If you do - please check it out on http://www.mxtoolbox.com/blacklists.aspx and check.   If not - are you able to ask them and find out.

Alternatively, please can you ask them to email me a PDF from their automated system to alan @ it-eye.co.uk and I will check for you.

Thanks

Alan

ishtari (Author) Commented:
I will ask one sender to email you, didn't seem to be in any blacklist according to mxtoolbox

Alan Hardisty (Co-Owner) Commented:
Thanks - please let me know when the email has been sent so I can check my Anti-Spam logs.

Alan

ishtari (Author) Commented:
It should have been sent around 2010-11-30 13:26 CET, but could be a minute or so earlier perhaps

Alan Hardisty (Co-Owner) Commented:
Thanks - looking for it now.

Alan

Alan Hardisty (Co-Owner) Commented:
Okay - checked my logs and don't see anything there at all.  Either Forefront TMG didn't like it and rejected it or it didn't make it to me.

Do you know the IP Address that they are sending from?

If you can post the IP - I can hide it quickly afterwards.

Alan

ishtari (Author) Commented:
I sent you a pm here on experts-exchange

Alan Hardisty (Co-Owner) Commented:
I have replied.  Awaiting your response.

Alan

Alan Hardisty (Co-Owner) Commented:
Okay - sorry - I did get their email but thought it was spam!

Now recovered from my Deleted Items!

Some checks:

Blacklists: Clean
Reverse DNS on their Sending IP: xxx.xxx.89.118 PTR record: d0118.cust.networksab.com. [TTL 38400s] [A=xxx.xxx.89.118] - This is a problem - the Reverse DNS should match their FQDN which is mail.domain.se
NS Lookup on mail.domain.se: Returns IP Address xxx.xxx.91.3 - this is wrong - it should match xxx.xxx.89.118

So - they have configuration issues that they need to resolve before your mail server will not think that they are spammers.
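
The two DNS checks from the comment above (PTR of the sending IP against the mail server's FQDN, and the FQDN's A record against the sending IP), as an added Python example that is not part of the original thread. The addresses and host names are constructed placeholders, and the function names are hypothetical.

```python
import socket

# Constructed sample records (documentation address ranges and .example names),
# shaped like the mismatch described in the thread. Not real data.
SAMPLE_PTR = {"192.0.2.118": ["d0118.cust.isp.example."]}
SAMPLE_A = {"mail.sender.example": ["198.51.100.3"],
            "d0118.cust.isp.example": ["192.0.2.118"]}

def system_ptr(ip):
    """PTR names for ip from the system resolver (empty list if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [name] + aliases

def system_a(host):
    """IPv4 addresses for host from the system resolver (empty list if none)."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except OSError:
        return []
    return sorted({info[4][0] for info in infos})

def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def check_sender_dns(sending_ip, mail_fqdn, ptr=system_ptr, a=system_a):
    """Return a list of findings; an empty list means PTR and A records agree."""
    fqdn = norm(mail_fqdn)
    ptr_names = [norm(n) for n in ptr(sending_ip)]
    findings = []
    if not ptr_names:
        findings.append(f"no PTR record for {sending_ip}")
    else:
        if fqdn not in ptr_names:
            findings.append(f"PTR of {sending_ip} is {ptr_names}, expected {fqdn}")
        # Forward-confirm: at least one PTR name must resolve back to the IP.
        if not any(sending_ip in a(n) for n in ptr_names):
            findings.append(f"PTR names do not resolve back to {sending_ip}")
    fqdn_ips = a(fqdn)
    if sending_ip not in fqdn_ips:
        findings.append(f"{fqdn} resolves to {fqdn_ips}, expected {sending_ip}")
    return findings

if __name__ == "__main__":
    for line in check_sender_dns("192.0.2.118", "mail.sender.example",
                                 ptr=lambda ip: SAMPLE_PTR.get(ip, []),
                                 a=lambda h: SAMPLE_A.get(h, [])):
        print(line)
```

Called without the `ptr` and `a` arguments, `check_sender_dns` queries the system resolver, so it can be pointed at the real sending IP and host name taken from a rejected message's headers.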

ishtari (Author) Commented:
Alright, cheers!

ishtari (Author) Commented:
The expert's help went above and beyond what I had hoped for!

Alan Hardisty (Co-Owner) Commented:
Thanks for the points - have you managed to get them to sort out their problems and can you now receive the PDF's?

I hope so.

Alan

ishtari (Author) Commented:
The sender is a larger company so they will not implement any changes quickly, but now I know the reason and that helps me!

Alan Hardisty (Co-Owner) Commented:
Tell me about it - I rang a company the other day to tell them that their mail server was not configured properly and was told that I was being rude!

That's what you get for trying to be helpful!!

Good luck - hopefully they will take the changes on board and improve their mail-flow.