Solved

how do I determine the reason for 554 denied bounce backs?

Posted on 2013-06-05
Last Modified: 2013-06-11
Received a call informing me of 554 bounce backs. See below:

This is a delivery status notification, automatically generated by MTA domain1.com on Wed, 05 Jun 2013 09:21:05 -0400 Regarding recipient(s) : user1@domain2.com Delivery status : Failed. Message could not be delivered to domain <domain2.com> .554; Denied
[p02c11m066.mxlogic.net] (Mode: normal) MTA Response :554

Called out to the email admin that was reporting the bounce backs and we both completed a Telnet to Port 25 to Test SMTP Communication to each other's email server with success, but they are still getting '554 denied'.
Question by:ID10Tz
29 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39222913
You are basically being rejected by the Recipient Server as they have taken a dislike to you presumably because you are considered a spammer.

Have you checked your IP Address on the following sites:

http://www.blacklistalert.org / http://mxtoolbox.com/blacklists.aspx

Have a read of my article too:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/A_2427-Problems-sending-mail-to-one-or-more-external-domains.html

Alan
0
 
LVL 1

Author Comment

by:ID10Tz
ID: 39222943
So my server is rejecting the 'offensive email server'.

1.) Checked both; my server is NOT listed.
2.) I am the only admin for our email server and I haven't changed a thing.
3.) On a daily basis we (well, at least were) communicate w/the other server w/out issue.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39222956
Sorry - who is sending the emails that are getting rejected?

Are you on the sending end or the receiving end?
0
 
LVL 1

Author Comment

by:ID10Tz
ID: 39223017
the other email server is being denied
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39223058
Okay - so do you have Anti-Spam software on your server?

Are you using the built-in tools in Exchange (Blacklists etc) to reject emails?

See my other article for details of how this might be done:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2527-How-to-prevent-Spoofed-Emails-in-Exchange-2003.html

Alan
0
 
LVL 1

Author Comment

by:ID10Tz
ID: 39223068
No anti-spam & yes, using the built-in tools (Sender/recipient/sender ID filtering), which haven't been modified.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39223086
Are you logging your SMTP Communications?

http://www.msexchange.org/articles-tutorials/exchange-server-2000/monitoring-operations/Logging_the_SMTP_Service.html

You can use telnet to manually test communications between yourselves, but generally the info is entered correctly when done manually and you don't send a full message and so it usually works.

If you have been logging, then check the logs around the time of the failed delivery.  If not, please enable logging, ask the sender to retry the same message and then examine the logs afterwards for reasons.

Alan
0
 
LVL 1

Author Comment

by:ID10Tz
ID: 39223126
Went to enable logging and it's enabled, but nothing was selected from the advanced tab so I selected all & now copying the log file to import into Excel. I found the following IP listed in my default SMTP virtual server properties, but it's not mine: 169.254.176.136
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39223199
Is that repeated on each line?

What is the IP Listed in your Default SMTP Virtual Server?

Alan
0
 
LVL 1

Author Comment

by:ID10Tz
ID: 39223269
No, this is actually on the server itself, like where it says IP Address (All unassigned): click the drop-down box and I see my local IP for the server and then I see the alien IP. I have the local IP listed, not the All unassigned or the foreign IP. Still copying the log file. It was 300MB
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39223287
Okay - no worries.

See what the log file has to say and post a section (edited to remove identifying details) if you need help deciphering it.

Alan
0
 
LVL 1

Author Comment

by:ID10Tz
ID: 39223599
I'm scared now. There are 1048576 lines (my email address and from my iPad) of the following:

6/5/2013      0:00:01      W3SVC1      EXCHANGE      192.0.0.1      PROPFIND      /exchange-oma/myemail@domain.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/iPad/ApplDLXG3CP0DJHG      -      80      -      192.0.0.1      Microsoft-Server-ActiveSync/6.5.7638.1      401      1      0
6/5/2013      0:00:01      W3SVC1      EXCHANGE      192.0.0.1      PROPFIND      /exchange-oma/myemail@domain.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/iPad/ApplDLXG3CP0DJHG      -      80      domain.com\myemail      192.0.0.1      Microsoft-Server-ActiveSync/6.5.7638.1      207      0      0
6/5/2013      0:00:01      W3SVC1      EXCHANGE      192.0.0.1      GET      /exchange-oma/myemail@domain.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/iPad/ApplDLXG3CP0DJHG/5f96240d4001cf4d86ee41d15b1ac229-1488      -      80      domain.com\myemail      192.0.0.1      Microsoft-Server-ActiveSync/6.5.7638.1      200      0      0
6/5/2013      0:00:01      W3SVC1      EXCHANGE      192.0.0.1      SEARCH      /exchange-oma/myemail@domain.com/      -      80      -      192.0.0.1      Microsoft-Server-ActiveSync/6.5.7638.1      401      1      0
6/5/2013      0:00:01      W3SVC1      EXCHANGE      192.0.0.1      SEARCH      /exchange-oma/myemail@domain.com/      -      80      domain.com\myemail      192.0.0.1      Microsoft-Server-ActiveSync/6.5.7638.1      207      0      0
6/5/2013      0:00:01      W3SVC1      EXCHANGE      192.0.0.1      POST      /Microsoft-Server-ActiveSync      User=myemail&DeviceId=ApplDLXG3CP0DJHG&DeviceType=iPad&Cmd=Sync&Log=V4TEmSSC:0A0C0D0FS:0A0C0D0SP:1C3I7423S683482R0S0L0H0P      443      domain.com.com\myemail      174.224.139.228      Apple-iPad2C3/1002.329      200      0      0
6/5/2013      0:00:01      W3SVC1      EXCHANGE      192.0.0.1      GET      /exchange/      -      443      hostmaster@domain.com.com      10.30.50.179      Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X;+en-US;+rv:1.8.1.13)+Gecko/20080311+Firefox/2.0.0.13      200      0      0
6/5/2013      0:00:03      W3SVC1      EXCHANGE      192.0.0.1      GET      /exchange/hostmaster/      Cmd=contents&ShowFolders=1      443      hostmaster@domain.com.com      10.30.50.179      Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X;+en-US;+rv:1.8.1.13)+Gecko/20080311+Firefox/2.0.0.13      200      0      0
6/5/2013      0:00:03      W3SVC1      EXCHANGE      192.0.0.1      SEARCH      /exchange/hostmaster/Inbox/      -      443      hostmaster@domain.com.com      10.30.50.179      Mozilla/5.0+(Macintosh;+U;+Intel+Mac+OS+X;+en-US;+rv:1.8.1.13)+Gecko/20080311+Firefox/2.0.0.13      207      0      0
6/5/2013      0:00:04      W3SVC1      EXCHANGE      192.0.0.1      PROPFIND      /exchange-oma/myemail@domain.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/iPad/ApplDLXG3CP0DJHG      -      80      -      192.0.0.1      Microsoft-Server-ActiveSync/6.5.7638.1      401      1      0
6/5/2013      0:00:04      W3SVC1      EXCHANGE      192.0.0.1      PROPFIND      /exchange-oma/myemail@domain.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/iPad/ApplDLXG3CP0DJHG      -      80      domain.com\myemail      192.0.0.1      Microsoft-Server-ActiveSync/6.5.7638.1      207      0      0
6/5/2013      0:00:04      W3SVC1      EXCHANGE      192.0.0.1      GET      /exchange-oma/myemail@domain.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/iPad/ApplDLXG3CP0DJHG      -      80      domain.com\myemail      192.0.0.1      Microsoft-Server-ActiveSync/6.5.7638.1      302      0      0
6/5/2013      0:00:04      W3SVC1      EXCHANGE      192.0.0.1      GET      /exchange-oma/myemail@domain.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/iPad/ApplDLXG3CP0DJHG/AutdState.xml      -      80      domain.com\myemail      192.0.0.1      Microsoft-Server-ActiveSync/6.5.7638.1      200      0      0
6/5/2013      0:00:04      W3SVC1      EXCHANGE      192.0.0.1      GET      /exchange-oma/myemail@domain.com/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/iPad/ApplDLXG3CP0DJHG/FolderSyncFile      -      80      domain.com\myemail      192.0.0.1      Microsoft-Server-ActiveSync/6.5.7638.1      200      0      0
6/5/2013      0:00:04      W3SVC1      EXCHANGE      192.0.0.1      SUBSCRIBE      /exchange-oma/myemail@domain.com/Deleted%20Items/GH/      -      80      domain.com\myemail      192.0.0.1      Microsoft-Server-ActiveSync/6.5.7638.1      200      0      0
6/5/2013      0:00:04      W3SVC1      EXCHANGE      192.0.0.1      SUBSCRIBE      /exchange-oma/myemail@domain.com/Inbox/      -      80      domain.com\myemail      192.0.0.1      Microsoft-Server-ActiveSync/6.5.7638.1      200      0      0
6/5/2013      0:00:04      W3SVC1      EXCHANGE      192.0.0.1      SUBSCRIBE      /exchange-oma/myemail@domain.com/Inbox/VMware/      -      80      domain.com\myemail      192.0.0.1      Microsoft-Server-ActiveSync/6.5.7638.1      200      0      0
6/5/2013      0:00:04      W3SVC1      EXCHANGE      192.0.0.1      SUBSCRIBE      /exchange-oma/myemail@domain.com/Inbox/RR/      -      80      domain.com\myemail      192.0.0.1      Microsoft-Server-ActiveSync/6.5.7638.1      200      0      0
6/5/2013      0:00:04      W3SVC1      EXCHANGE      192.0.0.1      SUBSCRIBE      /exchange-oma/myemail@domain.com/Inbox/BW/      -      80      domain.com\myemail      192.0.0.1      Microsoft-Server-ActiveSync/6.5.7638.1      200      0      0
6/5/2013      0:00:04      W3SVC1      EXCHANGE      192.0.0.1      SUBSCRIBE      /exchange-oma/myemail@domain.com/Inbox/CS/      -      80      domain.com\myemail      192.0.0.1      Microsoft-Server-ActiveSync/6.5.7638.1      200      0      0
6/5/2013      0:00:04      W3SVC1      EXCHANGE      192.0.0.1      SUBSCRIBE      /exchange-oma/myemail@domain.com/Inbox/Dell/      -      80      domain.com\myemail      192.0.0.1      Microsoft-Server-ActiveSync/6.5.7638.1      200      0      0
0
 
LVL 1

Author Comment

by:ID10Tz
ID: 39223692
Not sure why it's like that (log file) but I copied it before adding the advanced elements.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39223734
That seems to be your default website log, not the SMTP log.
0
 
LVL 1

Author Comment

by:ID10Tz
ID: 39228776
I copied it directly from the w3svc1 directory.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39228973
Yes - but that won't show SMTP traffic - only HTTP / HTTPS web traffic from your default website.

We need to examine the SMTP logs to find out why.
0
 
LVL 1

Author Comment

by:ID10Tz
ID: 39228990
where do I find them?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39229004
Usually c:\windows\system32\logfiles\smtpsvc1 ..................
0
 
LVL 1

Author Comment

by:ID10Tz
ID: 39229195
OK, found it and imported to Excel. How much of an example and what should I be looking for to copy and paste?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39229220
Ideally look for the message (email address) from the sender that got rejected and then follow the flow of IP Addresses that they connect from and see what the result is.

How big are the files?
0
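Added example, not part of the thread and not code from either poster: a Python sketch of the check described in the comment above, which finds the client IPs that issued MAIL FROM for the rejected sender's domain in a W3C-format SMTP log and follows each command and reply code from those IPs. The log lines, host names and addresses are constructed, and the column layout is an assumption taken from the log's own #Fields header; the script also refuses a log whose s-sitename is not SMTPSVC*, which is how a W3SVC1 web log pasted by mistake shows up.

```python
from collections import defaultdict

# Constructed sample in W3C extended format; hosts, addresses and the 554 are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-sitename cs-method cs-uri-query sc-status
2013-06-05 13:20:58 198.51.100.9 mail.other.example SMTPSVC1 EHLO +mail.other.example 250
2013-06-05 13:20:58 198.51.100.9 mail.other.example SMTPSVC1 MAIL +FROM:<bob@other.example> 250
2013-06-05 13:20:59 198.51.100.9 mail.other.example SMTPSVC1 RCPT +TO:<me@domain1.example> 250
2013-06-05 13:21:04 203.0.113.7 mx.domain2.example SMTPSVC1 EHLO +mx.domain2.example 250
2013-06-05 13:21:05 203.0.113.7 mx.domain2.example SMTPSVC1 MAIL +FROM:<user1@domain2.example> 250
2013-06-05 13:21:05 203.0.113.7 mx.domain2.example SMTPSVC1 RCPT +TO:<me@domain1.example> 554
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def trace_sender(text, sender_domain):
    """Return {client_ip: [(time, verb, argument, status), ...]} for every
    client that issued MAIL FROM with an address in sender_domain."""
    rows = list(parse_w3c(text))
    services = {r.get("s-sitename", "") for r in rows}
    if not any(s.upper().startswith("SMTPSVC") for s in services):
        raise ValueError(f"not an SMTP service log: {sorted(services)}")
    by_ip = defaultdict(list)
    for r in rows:
        by_ip[r["c-ip"]].append(r)
    needle = "@" + sender_domain.lower() + ">"
    flows = {}
    for ip, session in by_ip.items():
        if any(r["cs-method"].upper() == "MAIL"
               and needle in r["cs-uri-query"].lower() for r in session):
            flows[ip] = [(r["time"], r["cs-method"], r["cs-uri-query"],
                          int(r["sc-status"]) if r["sc-status"].isdigit() else 0)
                         for r in session]
    return flows

def rejections(flows):
    """Keep only the permanent failures (5xx replies) from each flow."""
    return {ip: [s for s in steps if 500 <= s[3] <= 599]
            for ip, steps in flows.items()}
```
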
 
LVL 1

Author Comment

by:ID10Tz
ID: 39229337
328 KB
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39229389
Okay - that's not huge.  Does it contain the relevant data?

Is the file recent?
0
 
LVL 1

Author Comment

by:ID10Tz
ID: 39229454
Attached are a couple of lines from the log, but because I enabled the advanced logging after the issue occurred it looks as if the logging didn't start until 4 pm PST & I have not heard from the end user who was suffering from this originally.
4-EE.xlsx
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39229535
Okay - can you ask them to try again and then once they have confirmed the message got rejected and as long as you are logging, we should be able to see what is happening.

Thanks

Alan
0
 
LVL 1

Author Comment

by:ID10Tz
ID: 39229559
Asked them to try and send another so now I'm playing the waiting game.
0
 
LVL 1

Author Comment

by:ID10Tz
ID: 39238032
This error ended up being on the other admin's side.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39238065
What was the problem in the end?

Alan
0
 
LVL 1

Author Comment

by:ID10Tz
ID: 39238232
Not sure. It just stopped.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 39238249
Ah - then it shall forever remain a mystery!!
0
