Solved

Delayed Email Delivery

Posted on 2016-08-31
10
30 Views
Last Modified: 2016-09-26
Greetings,

I have an issue where from select domains, occasional emails are being delivered several hours after being sent to us.  We have an Exchange 2010 server with its anti-spam in place, Trend Micro's ScanMail 12 installed on the Exchange server, and a SonicWALL firewall.  We have no cloud solutions in place.  When I look at the message header info, all it shows is a time difference between when the sender sent it and Exchange received it.  In most cases, the senders are not getting any type of delay message sent to them.  As it is so sporadic, it is very hard to troubleshoot (as I can't automatically replicate the issue).  I don't have any deep inspection/quarantine zones in place, at least not ones that would automatically release the email after some time.  The header info usually shows that the SCL is 2 or less.

I'm hoping that someone can give me a suggestion or two as to where I need to look.

Any help will be greatly appreciated.

Thank you,

Jeremy
0
Question by:Jer
10 Comments
 
LVL 3

Assisted Solution

by:François Peroux
François Peroux earned 100 total points
ID: 41778599
Hello,

Any chance of getting more details from the ScanMail 12 logs? Maybe those emails are analyzed before being delivered, and that could cause this time lapse?

Since when have you had this issue? Any change to your configuration?
0
 
LVL 3

Author Comment

by:Jer
ID: 41778661
Been looking at the logs, but they have not suggested anything.  Users didn't initially communicate this, so it is hard to know when it started.  However, I do not believe that there have been any changes to our environment.  If it was our AV, I'd expect a flat quarantine/rejection.  Same with Exchange and our firewall.  Basically, it should be all or nothing.  One of our IPs was showing up on 3 Blacklists for a period, so that could have come into play, but I'd expect that to be an all or nothing issue, too.  The fact that we're receiving the emails expected, but just delayed, is the issue.  And it is just a handful of users/domains.  I've run message header analyzers, but they have not provided any indications of the issue.  They basically just show a long delay for the last hop (external email server -> our internal email server IP).  We don't have an SPF record, currently.  Not sure if that would come into play, as I'd again expect it to be an all or nothing situation.

Thanks,

Jeremy
0
 
LVL 7

Expert Comment

by:J Spoor
ID: 41778684
I would look at the email's headers to find if the emails that get delayed take a similar path.
Sounds like some remote servers have issues sending the email the first time.
This could be due to grey listing or other mechanisms to block spoofers on your antispam solutions.

if this is the case, most likely these senders do not have proper SPF records or similar, triggering your antispam solution to not accept the email first time.

0
 
LVL 7

Expert Comment

by:J Spoor
ID: 41778691
Also make sure your own SPF records are setup properly.
How did you get blacklisted?
It's easy to get on, but hard to get off, and yes that has tons of impact in receiving emails...

If you have multiple public IP addresses, it's best to One-to-One NAT your exchange inbound and outbound to a unique IP address, make sure this matches your SPF records and vice versa.
1
 
LVL 3

Author Comment

by:Jer
ID: 41778729
We got on a blacklist because one of our users' profiles was compromised by the Gozi Trojan.  Once I got that cleaned up, I monitored for 10 days and then de-listed us.  We have been fine since.  We do have unique IPs for outgoing and incoming IPs, so damage was minimal.  The issue was that the attack doesn't use port 25, so it was going out our firewall's IP.  Anyhow, I do plan to make an SPF, but as I haven't done it before and have to take into consideration our secure email product (Zix Corp), I've just been collecting info on it.  These email issues are escalating it, though.  I'll look through the links and see what applies.  My general position has been that it's the sender and not us, but I do want to make sure that I'm not sitting on a misconfiguration.
0
 
LVL 7

Expert Comment

by:J Spoor
ID: 41778743
Here's a good tool http://www.spfwizard.net/ to create the spf record.

What normally happens during an email communication, e.g. I send an email from mydomain.com to yourdomain.com:

My email server will do an MX lookup for yourdomain.com, then establish a direct SMTP connection.
If this fails, my server will put it in the queue and will retry later.

What is your MX record pointing to?
If it's pointing to your own network directly, it sounds like the remote servers are not able to deliver the email at first touch.

From the email header, you can see which paths it took. See if there's a pattern in there and if there's an in-between MTA agent which is causing the grief.
0
 
LVL 7

Assisted Solution

by:J Spoor
J Spoor earned 400 total points
ID: 41778748
Also check if your antispam solution has an outbound anti-zombie protection mechanism to prevent such issues.

Good practice is to have your LAN users and your email server go out of different public IPs, and only allow outbound SMTP from the email server. This is so that an infected end user will not put you on a blacklist :)
0
 
LVL 3

Author Comment

by:Jer
ID: 41798540
Not abandoned.  People go on PTO and work on other items.  That said, I've checked through all of our AV, firewall, and Exchange products/services.  There is absolutely nothing that would hold an email for 1-6 hours.  Everything is either allowed after initial inspection or rejected after initial inspection.  Out of a handful of impacted senders, I'm seeing that half are using Google servers, so there is something there.  I'm implementing an SPF record today.
0
 
LVL 3

Accepted Solution

by:Jer
Jer earned 0 total points
ID: 41809080
Greetings.

It appears that the issue is likely due to the senders.  As I've been collecting info, I'm finding that most of the sending servers are on at least one blacklist.  I didn't find this to be the case initially, as many of the emails that I was researching were a week old or older.  It is possible that the server was being delisted.  As previously mentioned, I'm finding that over half of the delayed emails are from a Google email server, so I can't just allow the IP(s).  Anyhow, I do think that it is weird that the emails are delayed, but not rejected.  However, as the last 5 different delayed senders have all been blacklisted, I don't think it is coincidence.  None of our AV products would hold an email for further inspection, but our network router/firewall does use RBLs, so that may be coming into play. Using https://testconnectivity.microsoft.com/ (Message Header Analyzer) and MxToolbox has been very helpful.  Anyhow, thanks for the input and assistance.
0
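The observation that runs through this thread, both in J Spoor's advice to look at the path the delayed emails took and in the accepted answer's use of a message header analyzer, is that the whole delay sits on the single hop from the sender's server into the recipient's MX. The following Python example is added here and is not code from the thread or from any of the products it mentions: it walks the Received: headers oldest-first and reports how long each hop took, measuring the first hop against the message's own Date: header (the sender's clock). The sample message, host names and addresses are constructed for the example. A multi-hour gap on the hop into your own MX, with no intermediate relay, is consistent with the sending server having been deferred (greylisting, a temporary RBL reject) and retrying from its queue later; the earlier attempts never completed, so they leave no trace in your headers except that gap.

```python
"""Per-hop delay analysis of Received: headers (added example, not from the thread)."""
from __future__ import annotations

import email
import email.utils
import re
from datetime import datetime

# Constructed sample message. Host names and IP addresses are fictitious
# (documentation ranges), not taken from the original question.
SAMPLE_MESSAGE = """\
Received: from mail.example-internal.test (10.0.0.5) by exch01.example-internal.test
 (10.0.0.5) with Microsoft SMTP Server; Wed, 31 Aug 2016 14:05:12 -0500
Received: from mail-sender.example-sender.test (203.0.113.20) by
 mail.example-internal.test (198.51.100.7) with ESMTP; Wed, 31 Aug 2016 14:05:10 -0500
Received: from [192.0.2.33] (client.example-sender.test [192.0.2.33])
 by mail-sender.example-sender.test with ESMTPSA; Wed, 31 Aug 2016 10:02:41 -0500
From: someone@example-sender.test
To: jeremy@example-internal.test
Subject: constructed test message
Date: Wed, 31 Aug 2016 10:02:40 -0500

(body omitted)
"""


def _parse_received(value: str) -> dict:
    """Pull the 'from' host, 'by' host and timestamp out of one Received: header."""
    flat = " ".join(value.split())           # unfold continuation lines
    frm = re.search(r"\bfrom\s+(\S+)", flat)
    by = re.search(r"\bby\s+(\S+)", flat)
    stamp = flat.rsplit(";", 1)[-1].strip()  # RFC 5321: the date-time follows the last ';'
    return {
        "from": frm.group(1) if frm else "?",
        "by": by.group(1) if by else "?",
        "time": email.utils.parsedate_to_datetime(stamp),
    }


def hop_delays(raw_message: str) -> list[dict]:
    """Return one entry per hop, oldest first, with the seconds spent reaching that hop.

    The first entry is measured against the message's Date: header (the sender's
    clock), every later entry against the previous Received: header. Clocks on
    different servers are not synchronised, so small or slightly negative values
    are noise; only deltas of minutes or more are worth chasing.
    """
    msg = email.message_from_string(raw_message)
    # Received: headers are prepended by each relay, so the bottom one is the oldest.
    hops = [_parse_received(v) for v in reversed(msg.get_all("Received", []))]
    previous: datetime | None = None
    if msg["Date"]:
        previous = email.utils.parsedate_to_datetime(msg["Date"])
    delays = []
    for hop in hops:
        delay = (hop["time"] - previous).total_seconds() if previous else 0.0
        delays.append({"from": hop["from"], "by": hop["by"], "delay_s": delay})
        previous = hop["time"]
    return delays


def slow_hops(delays: list[dict], threshold_s: float = 3600.0) -> list[dict]:
    """Hops whose delay exceeds the threshold; that is where to start asking questions."""
    return [d for d in delays if d["delay_s"] > threshold_s]


if __name__ == "__main__":
    delays = hop_delays(SAMPLE_MESSAGE)
    for hop in delays:
        print(f"{hop['from']:>40} -> {hop['by']:<32} {hop['delay_s'] / 3600:6.2f} h")
    for hop in slow_hops(delays):
        print(f"slow hop: accepted by {hop['by']} from {hop['from']}")
```

Run it over a saved .eml of a delayed message in place of the constructed sample; if the slow hop is consistently the one whose "by" host is your own MX and the "from" host is the sender's outbound server, the time was spent in the sender's queue, not in anything you operate, which is the conclusion the thread reached. If the slow hop instead has your own relay or scanner as both ends, the delay is internal and the product logs for that host are the place to look.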
 
LVL 3

Author Closing Comment

by:Jer
ID: 41815713
Not really resolved, but the evidence suggests that it is out of our control.
0