Solved

421 errors sending to domains after being blacklisted

Posted on 2014-12-08
19
202 Views
Last Modified: 2014-12-11
We unfortunately appeared on a couple blacklists a couple weeks ago which was rapidly resolved in a couple hours.  Since that time, we are having an issue sending email to a couple external domains, but all other email is flowing correctly.  

The outgoing email messages to those domains are stuck in the queue with an error of "451 4.4.0 Primary target IP address responded with: "421 4.2.1 Unable to connect."   We have an Exchange 2010 server in-house.  The email admin of the external domain says that they use Symantec's Anti-Spam and Virus protection and that he has whitelisted our domain and sending IP.  I have tried sending an email to them via Telnet, but that ends up being stuck in the queue also.  

Any suggestions?
0
Comment
Question by:Pittsford
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 13
  • 5
19 Comments
 
LVL 1

Accepted Solution

by:
crcsupport earned 500 total points
ID: 40487292
Some spam filters maintain their ow blacklist and there are sync interval. I suggest to contact the recipient domain administrator and find what spam filters they use and put your domain to whitelist manually.

Try  'nslookup domainname' on your email server first to see if dns name is resolved correctly. If it's ok, I guess mostly the recipient mail sever's spam filtering.

If it's turned out as dns resolution, configure a forwarder in your dns server to a well known dns root server
0
 

Author Comment

by:Pittsford
ID: 40487301
Thanks, but in my original post I wrote that the email admin of the external domain says that they use Symantec's Anti-Spam and Virus protection and that he has whitelisted our domain and sending IP.   But we still cannot send to them successfully.
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40487309
https://tools.email-checker.com/
http://verify-email.org/

go to there and type recipeint email address and see what the result is.
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 1

Expert Comment

by:crcsupport
ID: 40487313
How about dns resolution to the recipient email server?

nslookup
q=mx

Does it return dns name and ip address of their email server?
0
 
LVL 1

Assisted Solution

by:crcsupport
crcsupport earned 500 total points
ID: 40487327
I also suggest to find the recipeint's ISP and call them to check if your email server is listed on their blacklist as well.
0
 

Author Comment

by:Pittsford
ID: 40487381
His email address is correct and we sent email to him successfully prior to us being on those blacklists.  I did try your 2 links to verify his email address and both were successful.

I believe the person I have been talking to about this is with their ISP, but I just emailed him to verify that.  

I attached the email test results from DNSStuff for the email address that I am trying to send to.  I tried the nslookup command with "q=ogdenny.com" and it did not return these IP addresses that are listed in this attachment, but rather 2 IP addresses in the 198... range.
0
 
LVL 1

Assisted Solution

by:crcsupport
crcsupport earned 500 total points
ID: 40487429
1. First, you have to make sure your email sever can resolve the recipient's email server. Do this on your mail server;

c:>nslookup
>set q=mx
>ogdenny.com

This should return two mx records for ogdenny.com

cluster9a.us.messagelabs.com      20
cluster9.us.messagelabs.com      10

Then, ping each of them, and see if both tests return ip address. If then, DNS resolution is not the problem of this.
c:> ping cluster9a.us.messagelabs.com      
c:>ping cluster9.us.messagelabs.com (this is the primary email serveR)

2. If it's not DNS problem, mostly it's their spam filter unless you set outgoing spam filter. Their spam filter is still looking at DNS blacklist. I don't know how you made sure your email server is not on the DNSBL list, but there are a bunch of them, anyone can use any DNSBL. Go to there and see if your email server is not listed on any of them. For example, my email server returns all 'OK;

http://mxtoolbox.com/blacklists.aspx

3. If your email server is not listed on DNSBL list, then it's either the email server or their ISP blocking your outgoing emails through spam filter or their own spam filter. I see ogdenny.com uses Symantec cloud spam filter, contact Symantec cloud and have them to see if they block your email server for some reasons. http://www.symantec.com/products-solutions/families/?fid=symantec-cloud

4. Find their ISP and contact them to check the same as well.

It requires work to find the reason if only some of recipient servers reject your emails. In my experience, it's mostly their spam filters.

Turn on SMTP log:
You can turn on Exchange log and see what their response was in SMTP protocol. It will include the reason more than 421 STMP code such as 'Symantec spam blocked your email for ....'

Open Exchange System Manager,
Right-click on SMTP virtual server, go to properties/General, Enable logging.
Then try to send a couple of emails again to ogdenny.com, and check responses
0
 
LVL 1

Assisted Solution

by:crcsupport
crcsupport earned 500 total points
ID: 40487433
In my cases, all of my similar problems were resolved following the steps. And mostly it was their or their ISP's filtering. Rare case, my email server couldn't find IP of their email server (only once until I found the problem for the first time).
0
 
LVL 12

Expert Comment

by:Md. Mojahid
ID: 40488154
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40488190
come on, you're not using dynamic ip address for exchange server..
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40488209
I think it could be a good test, configuring a smart host to your ISP mail server as the last link suggestes, then see if the email goes through. After testing, remove the smart host.  But only during off business hours. Otherwise, other outgoing emails might result to be filtered as spams on other recipient email servers.
0
 

Author Comment

by:Pittsford
ID: 40488917
Ok, so I called MessageLabs tech support this morning and they verified that they are still blocking our external IP address although we are not appearing on any blacklists.  They said that one of their customers would have to call MessageLabs directly and request that we be unblocked.  That will solve it for all of the entities that we send to that are using MessageLabs.  I emailed one of those entities this morning to see if they would be willing to do that so I will leave this question open until I hear back and our email starts flowing again to them....
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40489049
I had the exactly same situation. It's not only symantec, some spam filter vendors maintain their own DNSBL, so you must go each point of traffic if the problem happens only to a certain group. It's pain.
Always regularly   check DNSBL list on the above link to not get blocked again.
0
 

Author Comment

by:Pittsford
ID: 40489076
We hadn't been blacklisted in about 10 years, then we had a PC get an infection that caused it to shoot out a ton of email causing us to get on the lists as a spammer.  Unfortunately that PC was in a group on our firewall that had been given the ability to send SMTP traffic directly for another purpose...what's the chance??  So it was cleaned up and the rules tightened up and hopefully I can go another 10 years without being blacklisted!
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40489082
if your exchange server uses a separate static ip address, then you probably have relay settings are not secured. Give only the internal developers or any computers which are supposed to use your exchange server as relay server. It's in the properties of your exchange server.
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40489088
If you use a single IP address with port forwarding, then, set firewall rules on your router or firewall so that only your exchange server can use SMTP outgoing traffic.
0
 

Author Closing Comment

by:Pittsford
ID: 40494785
In summary, turns out MessageLabs had blocked us and needed their own customer to call them to get us unblocked.
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40495094
Good luck. I actually had to follow the steps again yesterday. They blocked our emails with Greylisting with minecast cloud spam filtering. I have no idea how cloud spam filtering works, but it seems that there's some inefficiency between on-premise administrator and the cloud spam filtering.

Anyway, It's really a pain on a$$, especially the recipient's administrator is not really into the problem because he's the one should contact their cloud spam filtering vendor and resolve it. Providing the evidence as much as you can on your side is the only option you have to help him/her. In order to do that, I always leave my SMTP log enabled for detailed SMTP protocol communication. With that showing their spam filter blocked it, if any BS he/she talks and cuts communication, it's not your fault.
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40495124
If you wonder how SMTP log looks alike for the trouble I had yesterday, here it is. Notice, SMTP error code 451 and mimecast blocked my email.

2014-12-08 13:31:51 222.222.222.222 OutboundConnectionResponse SMTPSVC1 EXCHANG_SERV - 25 - - 220+us-smtp-1.mimecast.com<http://us-smtp-1.mimecast.com><http://us-smtp-1.mimecast.com>+ESMTP+;+Mon,+08+Dec+2014+08:31:52+-0500 0 0 66 0 31 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionCommand SMTPSVC1 EXCHANG_SERV - 25 EHLO - mail.mydomain.com<http://mail.mydomain.com><http://mail.mydomain.com> 0 0 4 0 31 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionResponse SMTPSVC1 EXCHANG_SERV - 25 - - 250-us-smtp-1.mimecast.com<http://250-us-smtp-1.mimecast.com><http://250-us-smtp-1.mimecast.com>+Hello+[mail.mydomain.com<http://mail.mydomain.com><http://mail.mydomain.com>+(111.111.111.111)] 0 0 74 0 62 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionCommand SMTPSVC1 EXCHANG_SERV - 25 MAIL - FROM:<do-not-reply@mydomain.com<mailto:do-not-reply@mydomain.com><mailto:do-not-reply@mydomain.com<mailto:do-not-reply@mydomain.com>>> 0 0 4 0 125 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionResponse SMTPSVC1 EXCHANG_SERV - 25 - - 250+Sender+OK 0 0 13 0 140 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionCommand SMTPSVC1 EXCHANG_SERV - 25 RCPT - TO:<recipientusername@hisdomain.com<mailto:recipientusername@hisdomain.com><mailto:recipientusername@hisdomain.com<mailto:recipientusername@hisdomain.com>>> 0 0 4 0 140 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionResponse SMTPSVC1 EXCHANG_SERV - 25 - - 451+Internal+resource+temporarily+unavailable+-+http://kb.mimecast.com/Mimecast_Knowledge_Base/Administration_Console/Monitoring/Mimecast_SMTP_Error_Codes#451 0 0 158 0 218 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionCommand SMTPSVC1 EXCHANG_SERV - 25 RSET - - 0 0 4 0 218 SMTP - - - -
2014-12-08 13:31:51 222.222.222.222 OutboundConnectionResponse SMTPSVC1 EXCHANG_SERV - 25 - - 250+Transaction+Reset+OK 0 0 24 0 297 SMTP - - - -

Open in new window

0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Find out what you should include to make the best professional email signature for your organization.
A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
how to add IIS SMTP to handle application/Scanner relays into office 365.

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question