Solved

421 errors sending to domains after being blacklisted

Posted on 2014-12-08
19
191 Views
Last Modified: 2014-12-11
We unfortunately appeared on a couple blacklists a couple weeks ago which was rapidly resolved in a couple hours.  Since that time, we are having an issue sending email to a couple external domains, but all other email is flowing correctly.  

The outgoing email messages to those domains are stuck in the queue with an error of "451 4.4.0 Primary target IP address responded with: "421 4.2.1 Unable to connect."   We have an Exchange 2010 server in-house.  The email admin of the external domain says that they use Symantec's Anti-Spam and Virus protection and that he has whitelisted our domain and sending IP.  I have tried sending an email to them via Telnet, but that ends up being stuck in the queue also.  

Any suggestions?
0
Comment
Question by:Pittsford
  • 13
  • 5
19 Comments
 
LVL 1

Accepted Solution

by:
crcsupport earned 500 total points
ID: 40487292
Some spam filters maintain their ow blacklist and there are sync interval. I suggest to contact the recipient domain administrator and find what spam filters they use and put your domain to whitelist manually.

Try  'nslookup domainname' on your email server first to see if dns name is resolved correctly. If it's ok, I guess mostly the recipient mail sever's spam filtering.

If it's turned out as dns resolution, configure a forwarder in your dns server to a well known dns root server
0
 

Author Comment

by:Pittsford
ID: 40487301
Thanks, but in my original post I wrote that the email admin of the external domain says that they use Symantec's Anti-Spam and Virus protection and that he has whitelisted our domain and sending IP.   But we still cannot send to them successfully.
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40487309
https://tools.email-checker.com/
http://verify-email.org/

go to there and type recipeint email address and see what the result is.
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40487313
How about dns resolution to the recipient email server?

nslookup
q=mx

Does it return dns name and ip address of their email server?
0
 
LVL 1

Assisted Solution

by:crcsupport
crcsupport earned 500 total points
ID: 40487327
I also suggest to find the recipeint's ISP and call them to check if your email server is listed on their blacklist as well.
0
 

Author Comment

by:Pittsford
ID: 40487381
His email address is correct and we sent email to him successfully prior to us being on those blacklists.  I did try your 2 links to verify his email address and both were successful.

I believe the person I have been talking to about this is with their ISP, but I just emailed him to verify that.  

I attached the email test results from DNSStuff for the email address that I am trying to send to.  I tried the nslookup command with "q=ogdenny.com" and it did not return these IP addresses that are listed in this attachment, but rather 2 IP addresses in the 198... range.
0
 
LVL 1

Assisted Solution

by:crcsupport
crcsupport earned 500 total points
ID: 40487429
1. First, you have to make sure your email sever can resolve the recipient's email server. Do this on your mail server;

c:>nslookup
>set q=mx
>ogdenny.com

This should return two mx records for ogdenny.com

cluster9a.us.messagelabs.com      20
cluster9.us.messagelabs.com      10

Then, ping each of them, and see if both tests return ip address. If then, DNS resolution is not the problem of this.
c:> ping cluster9a.us.messagelabs.com      
c:>ping cluster9.us.messagelabs.com (this is the primary email serveR)

2. If it's not DNS problem, mostly it's their spam filter unless you set outgoing spam filter. Their spam filter is still looking at DNS blacklist. I don't know how you made sure your email server is not on the DNSBL list, but there are a bunch of them, anyone can use any DNSBL. Go to there and see if your email server is not listed on any of them. For example, my email server returns all 'OK;

http://mxtoolbox.com/blacklists.aspx

3. If your email server is not listed on DNSBL list, then it's either the email server or their ISP blocking your outgoing emails through spam filter or their own spam filter. I see ogdenny.com uses Symantec cloud spam filter, contact Symantec cloud and have them to see if they block your email server for some reasons. http://www.symantec.com/products-solutions/families/?fid=symantec-cloud

4. Find their ISP and contact them to check the same as well.

It requires work to find the reason if only some of recipient servers reject your emails. In my experience, it's mostly their spam filters.

Turn on SMTP log:
You can turn on Exchange log and see what their response was in SMTP protocol. It will include the reason more than 421 STMP code such as 'Symantec spam blocked your email for ....'

Open Exchange System Manager,
Right-click on SMTP virtual server, go to properties/General, Enable logging.
Then try to send a couple of emails again to ogdenny.com, and check responses
0
 
LVL 1

Assisted Solution

by:crcsupport
crcsupport earned 500 total points
ID: 40487433
In my cases, all of my similar problems were resolved following the steps. And mostly it was their or their ISP's filtering. Rare case, my email server couldn't find IP of their email server (only once until I found the problem for the first time).
0
 
LVL 12

Expert Comment

by:Md. Mojahid
ID: 40488154
0
Do email signature updates give you a headache?

Do you feel like you are constantly making changes to email signatures? Are the images not formatting how you want them to? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today.

 
LVL 1

Expert Comment

by:crcsupport
ID: 40488190
come on, you're not using dynamic ip address for exchange server..
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40488209
I think it could be a good test, configuring a smart host to your ISP mail server as the last link suggestes, then see if the email goes through. After testing, remove the smart host.  But only during off business hours. Otherwise, other outgoing emails might result to be filtered as spams on other recipient email servers.
0
 

Author Comment

by:Pittsford
ID: 40488917
Ok, so I called MessageLabs tech support this morning and they verified that they are still blocking our external IP address although we are not appearing on any blacklists.  They said that one of their customers would have to call MessageLabs directly and request that we be unblocked.  That will solve it for all of the entities that we send to that are using MessageLabs.  I emailed one of those entities this morning to see if they would be willing to do that so I will leave this question open until I hear back and our email starts flowing again to them....
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40489049
I had the exactly same situation. It's not only symantec, some spam filter vendors maintain their own DNSBL, so you must go each point of traffic if the problem happens only to a certain group. It's pain.
Always regularly   check DNSBL list on the above link to not get blocked again.
0
 

Author Comment

by:Pittsford
ID: 40489076
We hadn't been blacklisted in about 10 years, then we had a PC get an infection that caused it to shoot out a ton of email causing us to get on the lists as a spammer.  Unfortunately that PC was in a group on our firewall that had been given the ability to send SMTP traffic directly for another purpose...what's the chance??  So it was cleaned up and the rules tightened up and hopefully I can go another 10 years without being blacklisted!
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40489082
if your exchange server uses a separate static ip address, then you probably have relay settings are not secured. Give only the internal developers or any computers which are supposed to use your exchange server as relay server. It's in the properties of your exchange server.
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40489088
If you use a single IP address with port forwarding, then, set firewall rules on your router or firewall so that only your exchange server can use SMTP outgoing traffic.
0
 

Author Closing Comment

by:Pittsford
ID: 40494785
In summary, turns out MessageLabs had blocked us and needed their own customer to call them to get us unblocked.
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40495094
Good luck. I actually had to follow the steps again yesterday. They blocked our emails with Greylisting with minecast cloud spam filtering. I have no idea how cloud spam filtering works, but it seems that there's some inefficiency between on-premise administrator and the cloud spam filtering.

Anyway, It's really a pain on a$$, especially the recipient's administrator is not really into the problem because he's the one should contact their cloud spam filtering vendor and resolve it. Providing the evidence as much as you can on your side is the only option you have to help him/her. In order to do that, I always leave my SMTP log enabled for detailed SMTP protocol communication. With that showing their spam filter blocked it, if any BS he/she talks and cuts communication, it's not your fault.
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40495124
If you wonder how SMTP log looks alike for the trouble I had yesterday, here it is. Notice, SMTP error code 451 and mimecast blocked my email.

2014-12-08 13:31:51 222.222.222.222 OutboundConnectionResponse SMTPSVC1 EXCHANG_SERV - 25 - - 220+us-smtp-1.mimecast.com<http://us-smtp-1.mimecast.com><http://us-smtp-1.mimecast.com>+ESMTP+;+Mon,+08+Dec+2014+08:31:52+-0500 0 0 66 0 31 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionCommand SMTPSVC1 EXCHANG_SERV - 25 EHLO - mail.mydomain.com<http://mail.mydomain.com><http://mail.mydomain.com> 0 0 4 0 31 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionResponse SMTPSVC1 EXCHANG_SERV - 25 - - 250-us-smtp-1.mimecast.com<http://250-us-smtp-1.mimecast.com><http://250-us-smtp-1.mimecast.com>+Hello+[mail.mydomain.com<http://mail.mydomain.com><http://mail.mydomain.com>+(111.111.111.111)] 0 0 74 0 62 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionCommand SMTPSVC1 EXCHANG_SERV - 25 MAIL - FROM:<do-not-reply@mydomain.com<mailto:do-not-reply@mydomain.com><mailto:do-not-reply@mydomain.com<mailto:do-not-reply@mydomain.com>>> 0 0 4 0 125 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionResponse SMTPSVC1 EXCHANG_SERV - 25 - - 250+Sender+OK 0 0 13 0 140 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionCommand SMTPSVC1 EXCHANG_SERV - 25 RCPT - TO:<recipientusername@hisdomain.com<mailto:recipientusername@hisdomain.com><mailto:recipientusername@hisdomain.com<mailto:recipientusername@hisdomain.com>>> 0 0 4 0 140 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionResponse SMTPSVC1 EXCHANG_SERV - 25 - - 451+Internal+resource+temporarily+unavailable+-+http://kb.mimecast.com/Mimecast_Knowledge_Base/Administration_Console/Monitoring/Mimecast_SMTP_Error_Codes#451 0 0 158 0 218 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionCommand SMTPSVC1 EXCHANG_SERV - 25 RSET - - 0 0 4 0 218 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionResponse SMTPSVC1 EXCHANG_SERV - 25 - - 250+Transaction+Reset+OK 0 0 24 0 297 SMTP - - - -

Open in new window

0

Featured Post

Integrate social media with email signatures

Is your company active on social media? Do you also use email signatures? Including social media icons in your email signature is a great way to get fans for free. Let all your email users know you’re on social media quickly and easily, in a single click.

Join & Write a Comment

Suggested Solutions

Resolve DNS query failed errors for Exchange
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now