Solved

Email not going to certain domains - new firewall - blacklist - dns record?

Posted on 2012-03-20
468 Views
Last Modified: 2012-08-13
We installed a new firewall a couple days ago.  The next day we started getting reports of some emails not being delivered.  Most mail goes through, but to certain domains it doesn't.  Those emails are piling up in Exchange 2007 as delayed.  We tried telnetting to the servers of these other domains and they say our domain's reputation isn't good enough or something like that.

To me it sounded like a blacklist issue.  We are only on one.  Could be the problem, might not be.  Trying to get that figured out.

Other things I'm looking at - is there some kind of dns record that bigger companies are requiring to send them email?  I forget what it's called.  Soap record or something.  It is to prove that your mail server really belongs to you, and isn't being spoofed.  Could that cause this?  What is it called and how do I implement it?

The new firewall is another possibility, but I don't see how.  Anti-virus and all security settings are turned off.  And we can email most domains fine.  

Any advice would be helpful.  The one blacklist we were on said we were on it because we emailed a spamtrap.  Exchange server shows no signs it is being used to spam.  The blacklist also wanted us to pay like $150 for an express whitelist.  Sounds kind of sketchy.  

thanks for any help.
Question by:readymade
5 Comments
 
LVL 18

Accepted Solution

by:
Netflo earned 350 total points
ID: 37745426
Step 1: Temporarily disable TCP SYN checking on your firewall; this can cause problems with mail flow and internet surfing appearing to be delayed.

Step 2: Create a rule on your firewall to block port 25 traffic from trusted to untrusted except for your Exchange server IP. Enable logging to identify machines which have been infected - disinfect and monitor again.

Step 3: Ensure your 'PTR record' matches your 'A record', for example owa.domainname.com; you will need to contact your ISP to get that record set.

Step 4: Grab a tea or coffee and wait for your record to be removed from the spam list or pay the express fee.

This is the normal procedure if your network is not bolted down and you're dealing with the 'cure', rather than 'prevention'.

Best of luck!
 

Author Comment

by:readymade
ID: 37745444
Ok we've already done some of those things.  What about an SPF record?  Could not having this cause some domains to reject our mail?
 
LVL 21

Assisted Solution

by:Papertrip
Papertrip earned 150 total points
ID: 37745653
To me it sounded like a blacklist issue.  We are only on one.  Could be the problem, might not be.
Depending on the list this may be a huge problem or a tiny problem... all depends on which lists receivers check against.

Other things I'm looking at - is there some kind of dns record that bigger companies are requiring to send them email?
Yep that would be an SPF record, and yes that could cause some receiving servers to reject you flat out.

For most sending domains the SPF record is very simple and doesn't need all the bells and whistles you may find from certain online SPF generation tools.

E.g., assuming the sending IPs for your domain are 1.2.3.4 and 1.2.3.5
"v=spf1 ip4:1.2.3.4 ip4:1.2.3.5 -all"


That would be added into DNS for the domain used in your envelope-from (MAIL FROM) as a TXT record.  If your envelope-from is bobsdomain.com then that is where this record needs to be.

The one blacklist we were on said we were on it because we emailed a spamtrap.
This sounds a bit phishy, pun intended.  Most spamtraps are fake addresses set up as honeypots; most big receivers will actually recycle old real email addresses that shouldn't be getting new mail for that exact purpose.

The blacklist also wanted us to pay like $150 for an express whitelist.  Sounds kind of sketchy.  
Usually only the wanna-be / small time RBLs will charge you like that.  Honestly, depending on which list it is and how many of your emails are being affected, I may not even worry about it.

Get your SPF record in check first and then see how your deliverability is.  Also take heed of Netflo's answers, specifically 2 and 3.
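Added example (not part of either answer above): a minimal evaluator for the kind of simple SPF record Papertrip suggests (ip4/ip6 mechanisms plus an `all` term), alongside the forward-confirmed reverse DNS check from Netflo's Step 3. It uses constructed, in-memory DNS tables instead of live lookups; the domain names and IPs are made up.

```python
import ipaddress

# Constructed sample data, not real DNS: the SPF TXT record suggested in the
# answer above, plus fake PTR and A tables for the PTR-matches-A check.
SPF_TXT = {"bobsdomain.com": "v=spf1 ip4:1.2.3.4 ip4:1.2.3.5 -all"}
PTR = {"1.2.3.4": "owa.bobsdomain.com", "1.2.3.6": "mail.otherdomain.com"}
A = {"owa.bobsdomain.com": "1.2.3.4", "mail.otherdomain.com": "1.2.3.7"}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, sender_ip, txt=SPF_TXT):
    """Evaluate the SPF record published for the envelope-from domain against
    the connecting IP. Handles ip4, ip6 and all; mechanisms that need live DNS
    (include, a, mx, ...) are skipped here. Returns pass, fail, softfail,
    neutral, permerror, or none (no record published, so receivers can't check)."""
    record = txt.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # an unprefixed mechanism means '+'
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # A bare address is treated as a /32 or /128 network.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"           # malformed record, e.g. 'ip4:' with no address
        else:
            continue
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                         # nothing matched and no 'all' term


def fcrdns_ok(sender_ip, ptr=PTR, a=A):
    """Step 3 check: the PTR name for the sending IP must resolve back to that IP."""
    host = ptr.get(sender_ip)
    return host is not None and a.get(host) == sender_ip
```

With the sample tables, 1.2.3.4 passes both checks, 1.2.3.6 gets an SPF fail and a PTR that does not round-trip, and a domain with no TXT record returns none rather than fail.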
 

Author Closing Comment

by:readymade
ID: 37747908
We created the firewall policy so only email servers can send.  It also looks like all of the domains that were blocking us were using Cisco IronPort, which uses senderbase.org as their spam reporter.  I believe we have been taken off senderbase so we are now able to send to many if not all of the domains again.  We will look into the SPF record.  

We think maybe a machine was sending out spam.  Unless we find it, we'll never know.  Have to wait and see.  Thanks for the help!
 
LVL 18

Expert Comment

by:Netflo
ID: 37747926
Enable logging for your port 25 rule, you'll find the machine report immediately.

Yes, I would strongly recommend an SPF record too, as mentioned by Papertrip.

Best of luck!