Solved

E-mail Messages bounce back

Posted on 2014-10-22
Last Modified: 2014-10-27
I have a client who occasionally (not always; there is no pattern, no specific time and date or e-mail attachment) just gets them every now and then, only when sending to a specific domain.

Again, some e-mails go through, some do not.

The client does not have this problem with anybody else.

This is the message header.

From: Mail Delivery System [mailto:mailer-daemon@kundenserver.de]
Sent: 22 October 2014 14:33
To: firstname.lastname@domain.com
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address
failed:

"user@domain.com":
SMTP error from remote server after RCPT command:
host: mail.domainname.com
5.7.1 Recipient not authorized, your IP has been found on a block list
"firstname.lastname@domain.com":
SMTP error from remote server after RCPT command:
host: mail.domain.com
5.7.1 Recipient not authorized, your IP has been found on a block list
--- The header of the original message is following. ---

Received: from Name (mail.domain.com [x.x.x.x])
        by mrelayeu.kundenserver.de (node=mreue102) with ESMTP (Nemesis)
        id 0LzJrN-1YBKsC1hYH-014XEM; Wed, 22 Oct 2014 15:32:26 +0200
From: "First/Last name" <firstname.lastname@domain.com>
To: "'First/Last name'" <firstname.lastname@domain.com>,
        "first/last name" <username@domainname>
Cc: "first/last name" <firstname.lastname@Domain.com>,
        "First/Last name" <user@domain.com>
Subject: XXXXXXXX
Date: Wed, 22 Oct 2014 14:32:23 +0100
Message-ID: <003e01cfedfc$9d5be2e0$d813a8a0$@atdconsulting.com>
MIME-Version: 1.0
Content-Type: multipart/related;
        boundary="----=_NextPart_000_003F_01CFEE04.FF274FC0"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: Ac/t/JxjUBKA4PlyREyE6o+GpPtrCw==
Content-Language: en-gb
X-UI-Out-Filterresults: notjunk:1;


Any help will be greatly appreciated.

Thanks
Question by:M SOS

Expert Comment

by:tshearon
ID: 40397754
Have you checked your mail domain for blacklists?

Check here:

http://mxtoolbox.com/blacklists.aspx

Expert Comment

by:Gareth Gudger
ID: 40397769
Is the mail server sending directly to the internet? Or is it going through some other outbound hygiene service?

It could be that mail is not always sent out from the same IP. And one of those IPs is blacklisted while others are not.

Author Comment

by:M SOS
ID: 40397787
My client's e-mail address or IP is not blacklisted anywhere I have checked.

Important detail here: I look after the company that rejects the e-mail, not the sender who is experiencing this issue.

So the company I look after is asking me to look at the issue for one of their clients.

How could I know if the user is using a hygiene service?

Thanks very much

Expert Comment

by:Gareth Gudger
ID: 40397795
You might be able to tell from their MX records. But even if it appears they have a hygiene service for inbound there is no guarantee they are leveraging outbound filtering.

NSLOOKUP
SET TYPE=MX
senderdomain.com

Another possibility is to examine the message tracking logs. See if any of the SMTP hops in the message header are hygiene service.

Or, ask the sender.

Author Comment

by:M SOS
ID: 40397806
Using nslookup

The following comes up

domainname.com       MX preference = 10, mail exchanger = mx01.1and1.co.uk
atdconsulting.com       MX preference = 10, mail exchanger = mx00.1and1.co.uk

mx00.1and1.co.uk        internet address = 212.227.17.175
mx00.1and1.co.uk        internet address = 212.227.17.175
mx01.1and1.co.uk        internet address = 212.227.15.150
mx01.1and1.co.uk        internet address = 212.227.15.150

Is that of any significance?

Author Comment

by:M SOS
ID: 40397810
The above nslookup result is the sender's (the one with the issue) config.

Author Comment

by:M SOS
ID: 40397818
Again, the issue is not with the company I look after; they receive e-mails fine.

The issue is with one of their clients who has the issue and they are concerned about.

Expert Comment

by:Gareth Gudger
ID: 40397826
Hmm. Well, it's a hosting provider in the UK. Not sure if that is their filtering service, or, maybe their mail is hosted in the cloud at 1and1.

I would take note of the IP that was blocked (verify it is 1and1's IP) and call 1and1 and let them know that IP is appearing on block lists.

Author Comment

by:M SOS
ID: 40397859
So are you suggesting that one of the above IP addresses is blocked on the internet?

If that is the case, why is this sender having this issue with my client only and not with others?

Expert Comment

by:Gareth Gudger
ID: 40397885
I am assuming you have your own anti-spam or message hygiene service or appliance. Perhaps one of the block lists it subscribes to has one of their IPs on its lists.

Author Comment

by:M SOS
ID: 40397905
I have seen this IP address (I think it is an ISP address) from the header of the original message...

Received: from Name (mail.domain .com [217.206.227.46])
        by mrelayeu.kundenserver.de (node=mreue102) with ESMTP (Nemesis)

Does it mean anything?

Author Comment

by:M SOS
ID: 40397936
I have seen this IP address (I think it is an ISP address) from the header of the original message...

Received: from Name (mail.domain .com [217.206.227.46])
        by mrelayeu.kundenserver.de (node=mreue102) with ESMTP (Nemesis)

The IP address above, 217.206.227.46, is the IP address of the firewall of the client that rejects the e-mail (the client I look after).

The firewall is FortiWiFi

Does that help?

Expert Comment

by:Gareth Gudger
ID: 40397972
Right. We need the IP of the sender's mail server. That should be in the header as well.

Author Comment

by:M SOS
ID: 40397982
Isn't that the one that appeared in the NSLOOKUP search?

212.227.17.175
212.227.15.134
212.227.15.150
212.227.17.191

I wonder if adding these IP addresses, or the FQDN of the domain sending the e-mails, to the firewall whitelist will sort out the problem?

Expert Comment

by:Gareth Gudger
ID: 40397990
It's possible. But it is not a given that the receiving servers (above) also are the sending servers. But you could try whitelisting those. The message header will give you the definitive answer of what IP sent the original message that failed.

Author Comment

by:M SOS
ID: 40397995
Is there any way I can post you the whole header and you hide the details?

Do you have that kind of right?

Thanks

Expert Comment

by:Gareth Gudger
ID: 40398009
Probably the best way would be to click my name and then do a Message Me from within Experts Exchange. I will only see it.

Author Comment

by:M SOS
ID: 40398016
Got it?

Expert Comment

by:Gareth Gudger
ID: 40398046
Hmm, that header is not helping much. Looks like the server that sends out can be any number of potential IP addresses from 1and1.

Because it works sometimes we know that some of the IPs that 1and1 sends out from are ok. But obviously 1 or more it uses is seen as bad by either the Fortinet (assuming you are doing message hygiene with Fortinet) or the Exchange box. My guess is the anti-spam feature on the Fortinet firewall is enabled?

So, you are going to have to check the message tracking logs on either the Fortinet firewall, or, the Exchange server (I'd check the Fortinet first) and see what IP it rejected from 1and1. Check around the time of the rejection notice which was 22 October 2014 14:33.

Another alternative is to call 1and1, ask them for the IPs of the servers they send out on and whitelist all those IPs.

Author Comment

by:M SOS
ID: 40398062
My client (the one rejecting the mail) uses Exchange 2010

Could it be the Spam setting on the Exchange (although it is empty now) but I can allow this domain that has the problem?

Is there any way we can alter the NDR msg to include the IP block list?

Expert Comment

by:Gareth Gudger
ID: 40398067
Could it be the Spam setting on the Exchange (although it is empty now) but I can allow this domain that has the problem?

Not sure what you mean by "although it is empty now". Whitelisting the domain will not help. The IP is part of a block list. It is the IP being blocked, not the sender's domain. So the IP needs to either be removed from the block list, or, possibly whitelisted. If your Fortinet is the first hop and it's doing any form of message hygiene, then you need to check there first.
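
The thread's advice to read the relay IPs from the Received headers, together with the point above that the block applies to an IP and not to a domain, can be checked with a short script; this is an added example, not part of the original thread. The sample headers, the documentation-range addresses and the zone name `dnsbl.example.org` are constructed placeholders: feed it the headers of a message from the same sender that was delivered, and the block lists your own filter subscribes to.

```python
import email
import ipaddress
import re
import socket

# Constructed sample header block, modelled on the bounce quoted in the thread.
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges, not real relays.
SAMPLE = """\
Received: from mout.example.net (mout.example.net [198.51.100.25])
        by mail.recipient.example with ESMTP id ABC123; Wed, 22 Oct 2014 15:32:40 +0200
Received: from Name (mail.sender.example [192.0.2.46])
        by mrelay.example.net with ESMTP id XYZ789; Wed, 22 Oct 2014 15:32:26 +0200
From: "Sender" <sender@sender.example>
Subject: test

body
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ips(raw_message):
    """Return bracketed IPv4 addresses from Received headers, newest hop first."""
    msg = email.message_from_string(raw_message)
    ips = []
    for hop in msg.get_all("Received", []):
        for candidate in IP_IN_BRACKETS.findall(hop):
            try:
                ips.append(str(ipaddress.IPv4Address(candidate)))
            except ipaddress.AddressValueError:
                pass  # not a valid IPv4 address, e.g. [999.1.1.1]
    return ips

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed octets followed by the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, zone):
    """True if the zone answers with an address in 127.0.0.0/8 (needs live DNS)."""
    try:
        answer = socket.gethostbyname(dnsbl_name(ip, zone))
    except socket.gaierror:
        return False  # no A record (or lookup failed): treat as not listed
    return answer.startswith("127.")

if __name__ == "__main__":
    for ip in relay_ips(SAMPLE):
        print(ip, "->", dnsbl_name(ip, "dnsbl.example.org"))
```

The topmost Received line is the hop that connected to the receiving server, so that is the address a block list check on the receiving side evaluates. A message rejected at RCPT never gets that line stamped, which is why the receiving server's own logs are the other place to look.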

Author Comment

by:M SOS
ID: 40398081
I meant going to the Hub transport / Anti - Spam and then IP Allow list Providers and then add the domain that gets rejected?

One thing for sure though... we know from the header that either the Exchange at my client site or the firewall is blocking this, right? Not anywhere else on the internet? Correct? Cause the rejected e-mail was sent from a network with the firewall IP address on it.

Expert Comment

by:Gareth Gudger
ID: 40398518
Well the IP Allow List Providers is just a list of IP Block Lists you subscribe to.

Right. We know that it is reaching your client's network because the mail.x.x server in your network is generating the NDR.

Author Comment

by:M SOS
ID: 40400353
The solution actually was none of the above.

My client was using free spam filter providers, and they are the ones who are blocking some IP addresses.

Author Comment

by:M SOS
ID: 40400379
I've requested that this question be closed as follows:

Accepted answer: 0 points for Mustafa Osman's comment #a40400353

for the following reason:

The only correct answer

Expert Comment

by:Gareth Gudger
ID: 40400380
I have to object to the closure. It was asked if your client had any message hygiene in place that blocked IP addresses.

Author Comment

by:M SOS
ID: 40402899
In fairness, you did ask if there was any hygiene in place, but I did ask the question very clearly

(How could I know if the user is using a hygiene service?). Read further up a little

Which you ignored.

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 40403081
I did respond with multiple methods on how to find that out.

"You might be able to tell from their MX records. But even if it appears they have a hygiene service for inbound there is no guarantee they are leveraging outbound filtering.

 NSLOOKUP
 SET TYPE=MX
 senderdomain.com

 Another possibility is to examine the message tracking logs. See if any of the SMTP hops in the message header are hygiene service.

 Or, ask the sender. "

Author Comment

by:M SOS
ID: 40403241
Now I am with you, but your answer was way too complicated.

The spam filtering was happening on the Exchange server itself; it was not software running on the server. They were configured on the Hub Transport.

I came here to find help in a simplified way and get things done not to watch people flex their muscle who talk in riddles.

Expert Comment

by:Gareth Gudger
ID: 40403366
My apologies if I didn't gauge the correct conversational level.

I am always willing to further clarify or explain any point made with detailed steps or references to articles.

Please close the question in any way you see fit. I will not object to its closing. Please accept your own answer if that best served the end result to your situation.

I appreciate your feedback.