MrWhy

Mail senders from one specific host will not go through to our Exchange 2010

Customers of one big email hosting company do not get through to our server. The hosting company has many servers, but the common denominator of all the people having trouble sending us mail is that they are sending through one of their servers. As we are not customers of this hosting company, I don't get through to their technical staff, so I have to figure this out from my end.
What the SMTP-log tells me is that the sending server sends an EHLO, a Mail From:, and then QUIT. Mail sent from any other servers works perfectly to my knowledge.

My system is an ISA 2004 server in front hosting a Microsoft SMTP service on a 2003 server, forwarding to a Norman Email Protection Server as a smart host, in turn coupled to an Exchange 2010 server.

Excerpt from the SMTP-log:

2014-05-08 00:10:16 212.18.128.233 SendersSmtpserver.com SMTPSVC1 MyIsaServer 12.12.12.12 0 EHLO - +SendersSmtpserver.com 250 0 242 19 0 SMTP - - - -
2014-05-08 00:10:16 212.18.128.233 SendersSmtpserver.com SMTPSVC1 MyIsaServer 12.12.12.12 0 MAIL - +FROM:<sender@sendersdomain.com> 250 0 78 45 16 SMTP - - - -
2014-05-08 00:10:16 212.18.128.233 SendersSmtpserver.com SMTPSVC1 MyIsaServer 12.12.12.12 0 QUIT - SendersSmtpserver.com 240 32 78 45 16 SMTP - - - -
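
The pattern in this excerpt (EHLO and MAIL FROM accepted, then QUIT with no RCPT TO) can be searched for across a whole log. This is an added example, not part of the original post: the field positions are inferred from the three lines above, sessions are grouped by client IP on the assumption that one IP does not interleave sessions, and the header line and the 192.0.2.10 session are constructed for contrast.

```python
from collections import Counter

# Token positions inferred from the excerpt (assumption: same field layout in every line).
CLIENT_IP, CLIENT_NAME, VERB, ARG, STATUS = 2, 3, 8, 10, 11

# The 212.18.128.233 lines are the excerpt from the post; the rest is constructed.
SAMPLE_LOG = """\
#Fields: constructed header line, skipped by the parser
2014-05-08 00:10:16 212.18.128.233 SendersSmtpserver.com SMTPSVC1 MyIsaServer 12.12.12.12 0 EHLO - +SendersSmtpserver.com 250 0 242 19 0 SMTP - - - -
2014-05-08 00:10:16 212.18.128.233 SendersSmtpserver.com SMTPSVC1 MyIsaServer 12.12.12.12 0 MAIL - +FROM:<sender@sendersdomain.com> 250 0 78 45 16 SMTP - - - -
2014-05-08 00:10:16 212.18.128.233 SendersSmtpserver.com SMTPSVC1 MyIsaServer 12.12.12.12 0 QUIT - SendersSmtpserver.com 240 32 78 45 16 SMTP - - - -
2014-05-08 00:11:02 192.0.2.10 mail.example.org SMTPSVC1 MyIsaServer 12.12.12.12 0 EHLO - +mail.example.org 250 0 242 20 0 SMTP - - - -
2014-05-08 00:11:02 192.0.2.10 mail.example.org SMTPSVC1 MyIsaServer 12.12.12.12 0 MAIL - +FROM:<alice@example.org> 250 0 60 30 0 SMTP - - - -
2014-05-08 00:11:02 192.0.2.10 mail.example.org SMTPSVC1 MyIsaServer 12.12.12.12 0 RCPT - +TO:<bob@example.net> 250 0 40 28 0 SMTP - - - -
2014-05-08 00:11:03 192.0.2.10 mail.example.org SMTPSVC1 MyIsaServer 12.12.12.12 0 DATA - <constructed-id@mail.example.org> 250 0 120 900 150 SMTP - - - -
2014-05-08 00:11:03 192.0.2.10 mail.example.org SMTPSVC1 MyIsaServer 12.12.12.12 0 QUIT - mail.example.org 240 150 78 4 0 SMTP - - - -
"""

def parse_line(line):
    """Return the fields this check needs, or None for headers and short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) <= STATUS:
        return None
    return {"when": parts[0] + " " + parts[1], "ip": parts[CLIENT_IP],
            "name": parts[CLIENT_NAME], "verb": parts[VERB].upper(),
            "arg": parts[ARG].lstrip("+"), "status": parts[STATUS]}

def abandoned_sessions(log_text):
    """Sessions where MAIL FROM was accepted (250) but QUIT came before any RCPT."""
    open_sessions, findings = {}, []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["verb"] in ("EHLO", "HELO"):  # a greeting starts a new session for this IP
            open_sessions[rec["ip"]] = {"ip": rec["ip"], "name": rec["name"],
                                        "start": rec["when"], "verbs": [], "mail_from": None}
        sess = open_sessions.get(rec["ip"])
        if sess is None:
            continue  # command without a logged greeting; ignore it
        sess["verbs"].append(rec["verb"])
        if rec["verb"] == "MAIL" and rec["status"] == "250":
            sess["mail_from"] = rec["arg"].partition(":")[2].strip("<>")
        elif rec["verb"] == "QUIT":
            del open_sessions[rec["ip"]]
            if sess["mail_from"] and "RCPT" not in sess["verbs"]:
                findings.append(sess)
    return findings

def by_sending_host(findings):
    """Count abandoned sessions per client name to expose a common sending host."""
    return Counter(s["name"] for s in findings)
```

Running `by_sending_host(abandoned_sessions(text))` over a full day's log shows whether the abandoned sessions really cluster on one provider's relays or are spread across many senders.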
Kash

What happens when the mail doesn't go through? Do your customers get a bounce back? What does the bounce back say?
Assuming you have a firewall or other filtering service, have you checked to see if the sending site is on any RBL lists?

You can use this site to do that...

http://mxtoolbox.com/blacklists.aspx
MrWhy

ASKER

Customers get a bounceback like this:

Emne: Avisannonse 2mod 248x110
 
Denne meldingen er ikke levert enda. Det blir fortsatt gjort forsøk på å sende den.
*******************************************************************

Translated to English:
Subject: Newspaper ad .....

This message has not been delivered yet. Delivery is still being attempted.
********************************************************************

Later they get one stating that delivery was unsuccessful.
Is it possible to post the sender's domain on here?

ASKER

It seems their servers are listed in the SORBS database, but to my knowledge no SORBS lookup is activated on my Exchange. Could be if it's enabled by default. If so, where?
Do you have a firewall or mail filtering device or service in front of the Exchange Server? For example, might your mail first go to Trend or some other reputation service, and then be forwarded to you if clean.

Do an nslookup on your MX records to see where they point.
The RBL lookup would definitely help, but then they would be getting bounce backs from anywhere and everywhere, not just from your mail server.
Check www.mxtoolbox.com on both your URL and your server's IP. You may in fact be blacklisted.

ASKER

Senders' domains are for example aurskog-sparebank.no, sparebanken-hedmark.no, em1.no.

They all use EVRY as mail-host and SMTP. Servers are for instance mail17.edb.com, mail35.edb.com and mail36.edb.com

mail36.edb.com is not represented in the SORBS database, but still doesn't get through.
I have not used Norman EPS, but in reviewing the info for this it seems that your block is likely coming from there. There is a good chance that it would check SORBS and other services. If there is logging on that device, I would look there for more info.

I assume you were at one time able to receive email from this site, but can't any longer. This is symptomatic of a SPAM sender or reputation problem.
One other observation. It appears that edb.com, aurskog-sparebank.no, sparebanken-hedmark.no, em1.no do not have a valid SPF record. This could also be part of the issue if NEPS is checking for that.

ASKER

Nothing in the NEP logs indicates that these senders are blocked. Besides, RBL lookup is disabled on the Norman EPS in order to diagnose this.
OK, but what about NEPS checking for SPAM senders, reputation, or SPF records?

When did this last work?

ASKER

I turned off RBL-checking, Sender reputation, Greylisting, SPF support, Scan attack blocking, Malformed address rejecting, Sender address validating, BATV, DKIM Verification and signing.
I virtually disabled the NEP server except for antivirus and spam-blocking per message. Still these senders don't get through.

Also, the logs do not indicate any blocking. They do for other sites, and these are spammers and should be blocked, but the EVRY customers do not appear.

It worked four weeks ago.

ASKER

I circumvented the problem by eliminating the front SMTP service and forwarding the packets directly to the NEP server. I still have no idea what caused the problem at the SMTP service, but I suspect the real problem lay at the sender's end, and still lies there. They probably have the same problem with other recipients out there, but now it's someone else's problem. Thank you for your input.