Solved

tiny plain-text string in body causes email to bounce back from some servers

Posted on 2015-02-07
Last Modified: 2015-04-03
A company with Comcast Small Business router and Godaddy package for email finds that SOME of their emails to SOME people bounce back with "return codes" (usually 554 or 550). The "return code 550" bouncebacks happen even when the addressees are people who have been emailed hundreds of times successfully.  Problem happens with webmail as well as mail clients (Outlook, Mac Mail with recommended server/port settings).  Recipients have checked their spam folders.

When they send to my yahoo acct, it always goes through.  When they send to my gmail acct, it bounces back to them SOMEtimes. Usually it's when other emails are forwarded/attached.  

After great trial and error I found that, in ONE case, if they send me a NEW email msg that contains nothing but the plain text string "believeadjust.us" in the body, it will go to my yahoo but bounce back from my gmail. (If they delete the first "b" it doesn't bounce back.)  The bounceback messages say:

---------------------
Reporting-MTA: dns; p3plwbeout18-05.prod.phx3.secureserver.net [173.201.193.190]
Received-From-MTA: dns; localhost [173.201.193.243]
Arrival-Date: Sat, 07 Feb 2015 00:56:29 -0700


Final-recipient: rfc822; losersaysdoh@gmail.com
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp;  550 5.7.1 more information. e10si13050465pds.193 - gsmtp
Last-attempt-Date: Sat, 07 Feb 2015 00:56:29 -0700
---------------------

I also have full message headers from yahoo I can upload if nec.

Any ideas?
0
Comment
Question by:dgrrr
12 Comments
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40595375
"believeadjust.us" is probably being considered a malicious web site address.  If that's the case, then all you can do is don't put that in your email.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40595471
"believeadjust.us" is listed in the DBL (Domain Block List) on Spamhaus http://www.spamhaus.org/query/domain/believeadjust.us  That's why the emails are bouncing when you include that text.
0
 

Author Comment

by:dgrrr
ID: 40595522
Does that explain what's happening here? Are you saying that if I refer by name to a blocklisted site in an email, the email can get rejected? I've never heard of that.

Also, is there a way to search a document or email for such text?
0
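One way to search a message for such text before sending, as an added example that is not part of the original thread: it pulls domain-like tokens out of a body and looks each one up in the Spamhaus DBL zone (dbl.spamhaus.org) over DNS. The sample body, the canned resolver answers and the function names are constructed for illustration; the canned "listed" answer only mirrors what the thread reported in 2015.

```python
import re
import socket

DBL_ZONE = "dbl.spamhaus.org"
# Domain-like tokens: dot-separated labels ending in an alphabetic TLD.
DOMAIN_RE = re.compile(
    r"\b((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24})\b", re.I)

# Constructed sample body (not a real message).
SAMPLE_BODY = "Please see believeadjust.us and example.org for details."
# Constructed resolver answers so the demo runs offline.
FAKE_ANSWERS = {"believeadjust.us." + DBL_ZONE: "127.0.1.2"}

def extract_domains(text):
    """Return unique lower-cased domain-like tokens in order of appearance."""
    found = []
    for match in DOMAIN_RE.finditer(text):
        domain = match.group(1).lower()
        if domain not in found:
            found.append(domain)
    return found

def dns_a_lookup(name):
    """Resolve name to an IPv4 string, or None when there is no answer."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def check_dbl(domain, resolve=dns_a_lookup):
    """Classify one domain as 'listed', 'not-listed' or 'error'."""
    answer = resolve(f"{domain}.{DBL_ZONE}")
    if answer is None:
        return "not-listed"            # NXDOMAIN: the domain is not in the DBL
    if answer.startswith("127.0.1."):
        return "listed"                # DBL listing codes live in 127.0.1.x
    # 127.255.255.x means the query itself was refused (for example when it
    # went through a public resolver); that is not a listing.
    return "error"

def scan_text(text, resolve=dns_a_lookup):
    """Map every domain-like token in text to its DBL classification."""
    return {d: check_dbl(d, resolve) for d in extract_domains(text)}

if __name__ == "__main__":
    # Offline demo with the constructed answers; drop the second argument
    # to query the real zone through the local resolver.
    print(scan_text(SAMPLE_BODY, FAKE_ANSWERS.get))
```

Treat an "error" result as unknown rather than clean, since a refused query says nothing about the domain.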
 

Author Comment

by:dgrrr
ID: 40595523
And would a few email servers react like that to a phrase in such a way, and the rest not? Seems like GMAIL wouldn't be that vulnerable to that kind of thing. You could use this to sabotage documents, so they'd never get forwarded.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40595536
Yes.  Frankly, email is a mess.  Different servers do different things.  And it's not a matter of being 'vulnerable', it's a matter of the rules they use to scan email for problems.  You should realize that 80% or more of email is spam that never gets passed on by the mail servers.  If 'you' break their rules, your email gets rejected or just plain dumped.
0
 

Author Comment

by:dgrrr
ID: 40602512
At the end of a 4-hour chat with GoDaddy, the tech said that MXToolbox was unable to connect to some of the recipient email addresses (ones that are valid and in constant use), and that I needed to get all of these random email addresses and servers off of blacklists (that are intermittent).

But on further testing, that tool doesn't connect to ANY GMAIL ADDRESSES!

(1) Am I using that tool right? I.e., going to mxtoolbox.com/diagnostic.apx and pasting in the whole email address? It doesn't say anywhere it's for email addresses, it just says servers. And it says a bunch of valid emails are bad. WTF?

(2) Is it a waste of time? Can a blacklist only apply some of the time? Every other email from person a to person b?

(3) I've made a list of all the mail servers listed in the NDRs, and all the sender and recipient email addresses involved. What do I do now? Contact all the domains, ask for whitelisting of all the email addresses?
0

 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40602552
1.  Yes, it is just for servers.

2.  Technically it is a Block List as in your email is blocked.  On large email servers, the email filter software doesn't always have the same lists on all the machines.  And each different server has its own block list.  There really isn't any 'master' block list.

3.  As far as I know (and Gmail says this explicitly), you can not whitelist your email addresses on someone else's server.  Every email's content is scanned separately even when it comes from the same email address.

Your original post above says that you are being blocked for 'content', specifically the words "believeadjust.us".  You can't whitelist your content.  At all.  Anywhere.  My anti-virus will block content that is in its block lists.
0
 

Author Comment

by:dgrrr
ID: 40602642
Thanks DB. I've confused things a bit on this page by discussing two diff probs, the specific "believeadjust.us" phenom, and the larger issue of my client not being able to send mails (sometimes) to about 15 industry colleagues.

But I finally was able to sit at her desk and use Mac Mail to display the headers, in full, of the "believeadjust.us" mails:
_____
ORIGINAL MESSAGE FULL HEADER


      From:       Firstname Lastname <******.*****.com>
      Subject:       contains phrase
      Date:       February 11, 2015 12:31:55 AM PST
      To:       <*****@yahoo.com>
      Cc:       <******@gmail.com>
      X-Spam-Cmae:       v=2.1 cv=ZeGTN6lA c=1 sm=1 tr=0 p=cID9LFI6AAAA:8 a=naB2BCbaJ9Eq8U3whXKdZw==:117 a=naB2BCbaJ9Eq8U3whXKdZw==:17 a=TZb1taSUAAAA:8 a=E1P78B39AAAA:8 a=FET0fiAFXxfquXtmqXMA:9 a=8ACy7X37OUdJvLyn:21 a=ZnpFFi6dliDsguFF:21 a=CjuIK1q_8ugA:10 a=MDelWGONZl8A:10 a=pKq1ibsGsj0A:10 a=l4Fz4kFV6kMA:10 a=8JMbB6Wc3gMA:10 a=EtMeagz1OWEA:10 a=X1WmsetFAAAA:20 a=mlkOrGLNAgnqMg1pHs8A:9 a=Wnlcm3z8AF2qtV-J:21 a=RQaohEBp8KolmS8x:21 a=ATGJaemb7jEZhHaC:21 a=_W_S_7VecoQA:10
      X-Spam-Account:       *****.*****.com
      X-Spam-Domain:       *****.com
      Content-Type:       multipart/alternative; boundary="Apple-Mail=_85F9FA4C-0D85-41A7-9134-9994878A9FC6"
      Message-Id:       <A46D3456-E8E0-4BA7-A99E-C78A6CCAFF64@***************.com>
      Mime-Version:       1.0 (Apple Message framework v1283)
      X-Mailer:       Apple Mail (2.1283)
_______

SUBSEQUENT NDR FULL  HEADERS

From: Mail Delivery System
Subject: Delivery Status Notification
Date: February 11, 2015 12:31:58 AM PST
To: ********@*************.com
Received: (qmail 3209 invoked by uid 30297); 11 Feb 2015 08:31:58 -0000
Received: from unknown (HELO p3plibsmtp03-06.prod.phx3.secureserver.net) ([68.178.213.105]) (envelope-sender <>) by p3plsmtp18-05.prod.phx3.secureserver.net (qmail-1.03) with SMTP for <******@******.com>; 11 Feb 2015 08:31:58 -0000
Received: from p3plsmtpa07-08.prod.phx3.secureserver.net ([173.201.192.237]) by p3plibsmtp03-06.prod.phx3.secureserver.net with bizsmtp id qwXg1p00s57mpet01wXyi3; Wed, 11 Feb 2015 01:31:58 -0700
Mime-Version: 1.0
Content-Type: multipart/report; boundary="------------I305M09060309060P_989014236435180"
X-Nonspam: None


[Return Code 550] sid: qwXw1p00E3DgBUa01 :: 5.7.1 more information. ru7si1240641igb.56 - gsmtp
0
 
LVL 82

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 40602703
"believeadjust.us" is a content problem and you can not 'whitelist' it away.  If that phrase is on a Block List or anti-virus list, it will simply be blocked.  There is nothing you can do about that unless that is your domain and you can submit a request to have it removed.  Even so, it is impossible to tell how long that would take.

As for the other problems, you will have to get the NDRs and see why they are being bounced.  Only then can you figure out what to do.
0
 

Author Comment

by:dgrrr
ID: 40604986
I see, so the "believeadjust.us" bounces are not really relevant to the issue of the other emails being blocked for unknown reasons.... I thought they might be related.

They still might be -- Most of the returned mails are forwards of forwards of forwards.  But you're suggesting I may need to deal with each separate NDR, yes?
0
 

Author Comment

by:dgrrr
ID: 40604988
But I'm still looking for a confirmation that the "believeadjust.us" emails are being returned because it's blacklisted content. I'm just ASSUMING that.  The codes could suggest it's some other issue that IS related to the others (even tho it's TRIGGERED  by the phrase.)
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40605119
The fact that the emails bounce when they contain "believeadjust.us" and don't bounce if you change even one letter would be more than enough proof for me.

It is not unusual for "forwards of forwards of forwards" to set off spam filters.  You will have to look at the NDRs to see what the reasons are.  It is possible that they have a common problem... but you won't know until you look at them.
0
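A way to read each NDR for its actual rejection reason, as an added example that is not part of the original thread: it parses the per-recipient block of a delivery status notification and compares the Status field written by the reporting server with the enhanced code inside the remote server's reply in Diagnostic-Code. The sample is the block quoted in the question, where Status says 5.1.1 but the gsmtp reply carries 5.7.1; the function name and the two-entry meaning table (wording from RFC 3463) are chosen here for illustration.

```python
import re
from email.parser import HeaderParser

# Per-recipient block copied from the NDR quoted in the question.
SAMPLE_DSN = """\
Final-recipient: rfc822; losersaysdoh@gmail.com
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp;  550 5.7.1 more information. e10si13050465pds.193 - gsmtp
Last-attempt-Date: Sat, 07 Feb 2015 00:56:29 -0700
"""

# Subset of RFC 3463 enhanced status codes that appear in this thread.
MEANINGS = {
    "5.1.1": "bad destination mailbox address",
    "5.7.1": "delivery not authorized, message refused",
}
# class.subject.detail, e.g. 5.7.1 (the bare 550 reply code does not match).
ENHANCED_RE = re.compile(r"\b([245]\.\d{1,3}\.\d{1,3})\b")

def analyze_dsn(block):
    """Summarize one per-recipient DSN block (RFC 3464 header-style fields)."""
    fields = HeaderParser().parsestr(block)
    reported = (fields.get("Status") or "").strip()
    # Diagnostic-Code is "<type>; <text of the remote server's reply>".
    _, _, diag_text = (fields.get("Diagnostic-Code") or "").partition(";")
    match = ENHANCED_RE.search(diag_text)
    remote = match.group(1) if match else None
    # Prefer the code the remote server actually sent over the summary.
    effective = remote or reported
    recipient = (fields.get("Final-Recipient") or "").partition(";")[2].strip()
    return {
        "recipient": recipient,
        "reported_status": reported,
        "remote_status": remote,
        "mismatch": bool(remote and remote != reported),
        "meaning": MEANINGS.get(effective, "see RFC 3463"),
    }

if __name__ == "__main__":
    for key, value in analyze_dsn(SAMPLE_DSN).items():
        print(f"{key}: {value}")
```

Running the same function over every collected NDR and grouping by remote_status shows whether the bounces share one cause.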
