421 errors sending to domains after being blacklisted

We unfortunately appeared on a couple blacklists a couple weeks ago which was rapidly resolved in a couple hours.  Since that time, we are having an issue sending email to a couple external domains, but all other email is flowing correctly.  

The outgoing email messages to those domains are stuck in the queue with an error of "451 4.4.0 Primary target IP address responded with: "421 4.2.1 Unable to connect."" We have an Exchange 2010 server in-house. The email admin of the external domain says that they use Symantec's Anti-Spam and Virus protection and that he has whitelisted our domain and sending IP. I have tried sending an email to them via Telnet, but that ends up being stuck in the queue also.

Any suggestions?
Pittsford Asked:

crcsupport Commented:
Some spam filters maintain their own blacklist and there is a sync interval. I suggest contacting the recipient domain administrator to find out what spam filters they use and put your domain on the whitelist manually.

Try 'nslookup domainname' on your email server first to see if the DNS name is resolved correctly. If it's OK, I guess it's mostly the recipient mail server's spam filtering.

If it turns out to be DNS resolution, configure a forwarder in your DNS server to a well known DNS root server
0

Pittsford Author Commented:
Thanks, but in my original post I wrote that the email admin of the external domain says that they use Symantec's Anti-Spam and Virus protection and that he has whitelisted our domain and sending IP.   But we still cannot send to them successfully.
0
crcsupport Commented:
https://tools.email-checker.com/
http://verify-email.org/

Go there and type the recipient email address and see what the result is.
0

crcsupport Commented:
How about DNS resolution to the recipient email server?

nslookup
set q=mx

Does it return dns name and ip address of their email server?
0
crcsupport Commented:
I also suggest finding the recipient's ISP and calling them to check if your email server is listed on their blacklist as well.
0
Pittsford Author Commented:
His email address is correct and we sent email to him successfully prior to us being on those blacklists.  I did try your 2 links to verify his email address and both were successful.

I believe the person I have been talking to about this is with their ISP, but I just emailed him to verify that.  

I attached the email test results from DNSStuff for the email address that I am trying to send to.  I tried the nslookup command with "q=ogdenny.com" and it did not return these IP addresses that are listed in this attachment, but rather 2 IP addresses in the 198... range.
0
crcsupport Commented:
1. First, you have to make sure your email server can resolve the recipient's email server. Do this on your mail server:

c:>nslookup
>set q=mx
>ogdenny.com

This should return two mx records for ogdenny.com

cluster9a.us.messagelabs.com      20
cluster9.us.messagelabs.com      10

Then, ping each of them, and see if both tests return an IP address. If so, DNS resolution is not the problem here.
c:> ping cluster9a.us.messagelabs.com
c:> ping cluster9.us.messagelabs.com (this is the primary email server)

2. If it's not a DNS problem, mostly it's their spam filter unless you set an outgoing spam filter. Their spam filter is still looking at a DNS blacklist. I don't know how you made sure your email server is not on the DNSBL list, but there are a bunch of them, and anyone can use any DNSBL. Go there and see if your email server is not listed on any of them. For example, my email server returns all 'OK':

http://mxtoolbox.com/blacklists.aspx

3. If your email server is not listed on a DNSBL list, then it's either the email server or their ISP blocking your outgoing emails through a spam filter or their own spam filter. I see ogdenny.com uses the Symantec cloud spam filter; contact Symantec cloud and have them see if they block your email server for some reason. http://www.symantec.com/products-solutions/families/?fid=symantec-cloud

4. Find their ISP and contact them to check the same as well.

It requires work to find the reason if only some of recipient servers reject your emails. In my experience, it's mostly their spam filters.

Turn on SMTP log:
You can turn on the Exchange log and see what their response was in the SMTP protocol. It will include more of the reason than the 421 SMTP code, such as 'Symantec spam blocked your email for ....'

Open Exchange System Manager,
Right-click on SMTP virtual server, go to properties/General, Enable logging.
Then try to send a couple of emails again to ogdenny.com, and check responses
0
crcsupport Commented:
In my cases, all of my similar problems were resolved following the steps. And mostly it was their or their ISP's filtering. Rare case, my email server couldn't find IP of their email server (only once until I found the problem for the first time).
0
Md. Mojahid Commented:
0
crcsupport Commented:
Come on, you're not using a dynamic IP address for the Exchange server...
0
crcsupport Commented:
I think it could be a good test, configuring a smart host to your ISP mail server as the last link suggests, then see if the email goes through. After testing, remove the smart host. But only during off business hours. Otherwise, other outgoing emails might end up being filtered as spam on other recipient email servers.
0
Pittsford Author Commented:
Ok, so I called MessageLabs tech support this morning and they verified that they are still blocking our external IP address although we are not appearing on any blacklists.  They said that one of their customers would have to call MessageLabs directly and request that we be unblocked.  That will solve it for all of the entities that we send to that are using MessageLabs.  I emailed one of those entities this morning to see if they would be willing to do that so I will leave this question open until I hear back and our email starts flowing again to them....
0
crcsupport Commented:
I had the exact same situation. It's not only Symantec, some spam filter vendors maintain their own DNSBL, so you must go to each point of traffic if the problem happens only to a certain group. It's a pain.
Always regularly check the DNSBL list on the above link to not get blocked again.
0
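One way to script the regular DNSBL check suggested above, as an added example that is not part of the original thread: a DNSBL is queried by reversing the IPv4 octets and looking up an A record under the list's zone. The zone names, the IP address and the `fake_resolve` table are constructed placeholders; a check like this only sees DNS-queryable lists, not a vendor's internal block list such as the one MessageLabs applied here.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed IPv4 octets + zone (RFC 5782)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError if not IPv4
    return ".".join(reversed(octets)) + "." + zone

def verdict(answer):
    """Interpret the A record returned by a DNSBL zone."""
    if answer is None:
        return "not listed"        # NXDOMAIN: the address is not on this list
    if not answer.startswith("127."):
        return "invalid answer"    # e.g. a resolver rewriting NXDOMAIN
    if answer.startswith("127.255.255."):
        return "lookup error"      # some lists (Spamhaus, for one) signal query errors here
    return "listed"

def check_ip(ip, zones, resolve=socket.gethostbyname):
    """Return {zone: verdict}. `resolve` is injectable so the check runs offline."""
    no_record = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
    results = {}
    for zone in zones:
        try:
            results[zone] = verdict(resolve(dnsbl_query_name(ip, zone)))
        except socket.gaierror as exc:
            # A timeout or SERVFAIL must not be reported as "not listed".
            results[zone] = verdict(None) if exc.errno in no_record else "lookup error"
    return results

# Constructed stand-in for DNS: placeholder zones, documentation-range IP.
FAKE_DNS = {"10.2.0.192.bl-a.example.org": "127.0.0.2",
            "10.2.0.192.bl-c.example.org": "127.255.255.254"}

def fake_resolve(name):
    if name in FAKE_DNS:
        return FAKE_DNS[name]
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")

if __name__ == "__main__":
    zones = ["bl-a.example.org", "bl-b.example.org", "bl-c.example.org"]
    for zone, result in check_ip("192.0.2.10", zones, resolve=fake_resolve).items():
        print(f"{zone}: {result}")
```

To run it against real lists, drop the `resolve=fake_resolve` argument and replace the placeholder zones with the lists you care about.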
Pittsford Author Commented:
We hadn't been blacklisted in about 10 years, then we had a PC get an infection that caused it to shoot out a ton of email causing us to get on the lists as a spammer.  Unfortunately that PC was in a group on our firewall that had been given the ability to send SMTP traffic directly for another purpose...what's the chance??  So it was cleaned up and the rules tightened up and hopefully I can go another 10 years without being blacklisted!
0
crcsupport Commented:
If your Exchange server uses a separate static IP address, then your relay settings are probably not secured. Give relay access only to the internal developers or any computers which are supposed to use your Exchange server as a relay server. It's in the properties of your Exchange server.
0
crcsupport Commented:
If you use a single IP address with port forwarding, then set firewall rules on your router or firewall so that only your Exchange server can send outgoing SMTP traffic.
0
Pittsford Author Commented:
In summary, turns out MessageLabs had blocked us and needed their own customer to call them to get us unblocked.
0
crcsupport Commented:
Good luck. I actually had to follow the steps again yesterday. They blocked our emails with greylisting with Mimecast cloud spam filtering. I have no idea how cloud spam filtering works, but it seems that there's some inefficiency between the on-premise administrator and the cloud spam filtering.

Anyway, it's really a pain in the a$$, especially when the recipient's administrator is not really into the problem, because he's the one who should contact their cloud spam filtering vendor and resolve it. Providing as much evidence as you can on your side is the only option you have to help him/her. In order to do that, I always leave my SMTP log enabled for detailed SMTP protocol communication. With that showing their spam filter blocked it, if he/she talks any BS and cuts communication, it's not your fault.
0
crcsupport Commented:
If you wonder what the SMTP log looks like for the trouble I had yesterday, here it is. Notice the SMTP error code 451 and that Mimecast blocked my email.

2014-12-08 13:31:51 222.222.222.222 OutboundConnectionResponse SMTPSVC1 EXCHANG_SERV - 25 - - 220+us-smtp-1.mimecast.com+ESMTP+;+Mon,+08+Dec+2014+08:31:52+-0500 0 0 66 0 31 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionCommand SMTPSVC1 EXCHANG_SERV - 25 EHLO - mail.mydomain.com 0 0 4 0 31 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionResponse SMTPSVC1 EXCHANG_SERV - 25 - - 250-us-smtp-1.mimecast.com+Hello+[mail.mydomain.com+(111.111.111.111)] 0 0 74 0 62 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionCommand SMTPSVC1 EXCHANG_SERV - 25 MAIL - FROM:<do-not-reply@mydomain.com> 0 0 4 0 125 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionResponse SMTPSVC1 EXCHANG_SERV - 25 - - 250+Sender+OK 0 0 13 0 140 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionCommand SMTPSVC1 EXCHANG_SERV - 25 RCPT - TO:<recipientusername@hisdomain.com> 0 0 4 0 140 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionResponse SMTPSVC1 EXCHANG_SERV - 25 - - 451+Internal+resource+temporarily+unavailable+-+http://kb.mimecast.com/Mimecast_Knowledge_Base/Administration_Console/Monitoring/Mimecast_SMTP_Error_Codes#451 0 0 158 0 218 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionCommand SMTPSVC1 EXCHANG_SERV - 25 RSET - - 0 0 4 0 218 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionResponse SMTPSVC1 EXCHANG_SERV - 25 - - 250+Transaction+Reset+OK 0 0 24 0 297 SMTP - - - -


0
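As an added example (not part of the original thread and not crcsupport's own code): a short Python script that scans SMTP protocol log lines in the layout posted above and reports every 4xx/5xx reply together with the command that triggered it, which is the evidence to hand to the recipient's administrator or filtering vendor. The field positions are assumed from the posted lines, and the sample log is constructed from them.

```python
import re

# Constructed sample in the layout of the log lines posted above
# (auto-link residue removed, reply text shortened).
SAMPLE_LOG = """\
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionResponse SMTPSVC1 EXCHANG_SERV - 25 - - 220+us-smtp-1.mimecast.com+ESMTP 0 0 66 0 31 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionCommand SMTPSVC1 EXCHANG_SERV - 25 EHLO - mail.mydomain.com 0 0 4 0 31 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionResponse SMTPSVC1 EXCHANG_SERV - 25 - - 250-us-smtp-1.mimecast.com+Hello 0 0 74 0 62 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionCommand SMTPSVC1 EXCHANG_SERV - 25 RCPT - TO:<recipientusername@hisdomain.com> 0 0 4 0 140 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionResponse SMTPSVC1 EXCHANG_SERV - 25 - - 451+Internal+resource+temporarily+unavailable 0 0 158 0 218 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionCommand SMTPSVC1 EXCHANG_SERV - 25 RSET - - 0 0 4 0 218 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionResponse SMTPSVC1 EXCHANG_SERV - 25 - - 250+Transaction+Reset+OK 0 0 24 0 297 SMTP - - - -
"""

REPLY = re.compile(r"(\d{3})[ -]?(.*)")  # SMTP reply: 3-digit code, then text

def parse_line(line):
    """Split one log line; field positions are assumed from the posted sample."""
    f = line.split()
    if len(f) < 11 or not f[3].startswith("OutboundConnection"):
        return None  # header, blank or unrelated line
    text = "" if f[10] == "-" else f[10].replace("+", " ")  # '+' encodes spaces
    return {"time": f"{f[0]} {f[1]}", "remote": f[2],
            "kind": f[3][len("OutboundConnection"):], "verb": f[8], "text": text}

def find_rejections(lines):
    """Return every 4xx/5xx reply with the command that triggered it."""
    last_cmd, hits = {}, []  # last command seen per remote IP
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "Command":
            last_cmd[rec["remote"]] = f'{rec["verb"]} {rec["text"]}'.strip()
            continue
        m = REPLY.match(rec["text"])
        if m and m.group(1)[0] in "45":
            hits.append({"time": rec["time"], "remote": rec["remote"],
                         "code": int(m.group(1)),
                         "kind": "temporary" if m.group(1)[0] == "4" else "permanent",
                         "after": last_cmd.get(rec["remote"], "(connect)"),
                         "reply": rec["text"]})
    return hits

if __name__ == "__main__":
    for h in find_rejections(SAMPLE_LOG.splitlines()):
        print(f'{h["time"]} {h["remote"]} {h["code"]} ({h["kind"]}) '
              f'after "{h["after"]}": {h["reply"]}')
```

Commands are matched to replies per remote IP, so concurrent sessions to the same host can interleave; for those, check the surrounding lines by hand.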