Solved

PDFs blocked as spam in Exchange 2010

Posted on 2010-09-08
29
2,470 Views
Last Modified: 2012-08-14
Some external users, but not all, have problems sending emails with pdf attacthments to our exchange server. I have tried to recreate the error by sending pdf-files with my hotmail and gmail accounts but i never have any trouble. This is the error the other external users get somteimes.

Delivery to the following recipient failed permanently:

    name@ourdomain.com

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 5.7.1 Message rejected as spam by Content Filtering. (state 18).

Is there a way to see exactly the reason why this message was rejected? Is there a summary somewhere in exchange that lets me see which part of the mail that gets spampoints or which part of the mail that is the offending part?
0
Comment
Question by:ishtari
  • 14
  • 13
29 Comments
 
LVL 11

Expert Comment

by:Coast-IT
ID: 33627354
Have you had a look at get-agentlog?

http://technet.microsoft.com/en-us/library/aa996044.aspx
0
 
LVL 1

Author Comment

by:ishtari
ID: 33627711
When I type Get-AgentLog -StartDate "08/09/2010 3:20:00 PM" I get an insane amount of posts, but when I tupe in C:\Windows\system32>Get-AgentLog -StartDate "08/09/2010 3:20:00 PM" -EndDate "08/09/2010 4:00:00 PM" i get the following error:

[PS] C:\Windows\system32>Get-AgentLog -StartDate "08/09/2010 3:20:00 PM" -EndDate "08/09/2010 4:00:00 PM"
The location "C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\AgentLog\" doesn't contain any logs fo
r the specified time range.
Parameter name: Location
    + CategoryInfo          : InvalidArgument: (:) [Get-AgentLog], ArgumentException
    + FullyQualifiedErrorId : 7984EE63,Microsoft.Exchange.Management.AgentLog.GetAgentLog

i have tried a few different end times like "08/09/2010 3:35:00 PM" or "08/09/2010 6:00:00 PM" but I never get any results when I use the endtime parameter. I am on Central European Time with a 24h clock and the email was sent as follows

Received: by xx.xx.xx.xx with HTTP; Wed, 8 Sep 2010 06:23:52 -0700 (PDT)
X-Originating-IP: [xx.xx.xx.xx]
From: Name <namel@domain.com>
Date: Wed, 8 Sep 2010 15:23:52 +0200

I guess I am wrong about the times or something? Could you help me with what I should write to get info about the above email?

Thanks in advance!
0
 
LVL 1

Author Comment

by:ishtari
ID: 33635677
Since I'm a European mixed up the month/day part of the get-agentlog paramterer. I found the message in question:

RunspaceId      : 65075907-bfc1-4c54-a958-5ab480332265
Timestamp       : 2010-09-08 15:24:28
SessionId       : 08CD06728FCB4F8F
IPAddress       : <ip adress>
MessageId       : <AANLkTing8Z34ffZ-WzvDEbqKfYabP_A+qS4u7DypP6Xq@mail.gmail.com>
P1FromAddress   : name@externaldomain.com
P2FromAddresses : {name@externaldomain.com}
Recipients      : {name@internaldomain.se}
Agent           : Content Filter Agent
Event           : OnEndOfData
Action          : RejectMessage
SmtpResponse    : 550 5.7.1 Message rejected as spam by Content Filtering.
Reason          : SclAtOrAboveRejectThreshold
ReasonData      : 7
Diagnostics     : DV:3.3.5705.600;SID:SenderIDStatus None

So the mail got 7 spam points and our anti-spam filter is set to reject all messages with or above  the default value of 7. That is good to know, but since the first error message said that it was blocked as spam that's not so much new info to go on. Am I missing something here, or is it possible to see why/which part of the message that gave it such high spam-points?
0
 
LVL 1

Author Comment

by:ishtari
ID: 34153579
I tired to add the users mail domain to our IP allow list in the Exchange 2010 anti-spam but the users email still get's labeld as spam when he sends pdf-files. if he sends mail with other attachments they get through without problems. How do I whitlist the senders domain or how do I allow pdf-files through?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34159254
In my experience, Exchange does a bad job of filtering spam.  There are too many blacklists and not enough whitelists.

I went from Vamsoft ORF to Exchange 2010 / Forefront TMG anti-spam and all I got was people complaining mail was being rejected.

In the end, I reverted back to Vamsoft ORF and now my phones are silent.

If you want to try an alternative product, please visit www.vamsoft.com and download the trial - you won't be disappointed, nor shocked at the price of $239 per server.
0
 
LVL 1

Author Comment

by:ishtari
ID: 34218160
While that could be an amazing product I was looking for help with the product I got first and foremost.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34218557
No problems - just thought I would share the info.

What do you have your SCL settings set to?
0
 
LVL 1

Author Comment

by:ishtari
ID: 34229035
Greater or equal to 7, the default setting
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34229176
Okay - as the attachment blocking is not a blanket block, it rules out file level attachment filtering, so it may be that the message is seen as spam.

Can the senders who are having problems send a test email through to you in exactly the same way as before (same email), just without the attachment.  Does this message arrive?
0
 
LVL 1

Author Comment

by:ishtari
ID: 34229472
Yes, they can even attach a word document without problem. It's just when there is a pdf that it gets blocked. As I understood the anti-spam "ip allow list" the domains I added there wouldn't get blocked at all by the anti-spam, but they still does and the sender get's a "message blocked as spam" in return.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34229830
Is the PDF file encrypted or password protected at all?

Can the sender send the same email with a different PDF unencrypted / password protected and does that pass through happily?
0
 
LVL 1

Author Comment

by:ishtari
ID: 34230100
Non of the PDFs that they hav tried blocked have encryption or any passwords
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34230109
Okay - thanks.

Do any of their PDF's make it through happily?
0
 
LVL 1

Author Comment

by:ishtari
ID: 34230898
Some external user can always send us pdfs some external users can never send pdfs, seems to be either or.

The only correlation I have been able to find is that if the sender uses some kind of automated system to send us pdfs (like a booking system) their pdfs are more likely to get blocked,  but this is not always the case even though it seems to be more common then not.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34230947
Okay - I was trying to see if the sender is blocked or the PDF document.

As you can receive PDF's from others, that rules out a blanket PDF block.

As you can receive PDF's from the sender this rules out the sender being blocked.

If the emails that are getting blocked are coming from an automated system - that system may be Blacklisted.  Do you know the sending IP Address from that Automated System?

If you do - please check it out on http://www.mxtoolbox.com/blacklists.aspx and check.   If not - are you able to ask them and find out.

Alternatively, please can you ask them to email me a PDF from their automated system to alan @ it-eye.co.uk and I will check for you.

Thanks

Alan
0
 
LVL 1

Author Comment

by:ishtari
ID: 34238079
I will ask one sender to email you, didn't seem to be in any blacklist according to mxtoolbox
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34238129
Thanks - please let me know when the email has been sent so I can check my Anti-Spam logs.

Alan
0
 
LVL 1

Author Comment

by:ishtari
ID: 34239788
It should have been sent around 2010-11-30 13:26 CET, but could be a minute or so earlier perhaps
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34240014
Thanks - looking for it now.

Alan
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34240061
Okay - checked my logs and don't see anything there at all.  Either Forefront TMG didn't like it and rejected it or it didn't make it to me.

Do you know the IP Address that they are sending from?

If you can post the IP - I can hide it quickly afterwards.

Alan
0
 
LVL 1

Author Comment

by:ishtari
ID: 34246591
I sent you a pm here on experts-exchange
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34246760
I have replied.  Awaiting your response.

Alan
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 34246974
Okay - sorry - I did get their email but though it was spam!

Now recovered from my Deleted Items!

Some checks:

Blacklists: Clean
Reverse DNS on their Sending IP: xxx.xxx.89.118 PTR record: d0118.cust.networksab.com. [TTL 38400s] [A=xxx.xxx.89.118] - This is a problem - the Reverse DNS should match their FQDN which is mail.domain.se
NS Lookup on mail.domain.se: Returns IP Address xxx.xxx.91.3 - this is wrong - it should match xxx.xxx.89.118

So - they have configuration issues that they need to resolve before your mail server will not think that they are spammers.
0
 
LVL 1

Author Comment

by:ishtari
ID: 34256207
Alrgiht, cheers!
0
 
LVL 1

Author Closing Comment

by:ishtari
ID: 34256213
The experts help went above and beyond what I had hoped for!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34256351
Thanks for the points - have you managed to get them to sort out their problems and can you now receive the PDF's?

I hope so.

Alan
0
 
LVL 1

Author Comment

by:ishtari
ID: 34257712
The sender is a larger company so they will not implement any changes quickly, but now the reason and that helps me!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34257814
Tell me about it - I rang a company the other day to tell them that their mail server was not configured properly and was told that I was being rude!

That's what you get for trying to be helpful!!

Good luck - hopefully they will take the changes on board and improve their mail-flow.
0

Featured Post

The problems with reply email signatures

Do you wish that you could place an email signature under a reply? Well, unfortunately, you can't. That great Exchange/Office 365 signature you've created will just appear at the bottom of an email chain. What a pain! Is there really no way to solve this? Well, there might be...

Join & Write a Comment

Easy CSR creation in Exchange 2007,2010 and 2013
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
This video discusses moving either the default database or any database to a new volume.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now