Solved

Delayed Email Delivery

Posted on 2016-08-31
Last Modified: 2016-09-26
Greetings,

I have an issue where from select domains, occasional emails are being delivered several hours after being sent to us.  We have an Exchange 2010 server with its anti-spam in place, Trend Micro's ScanMail 12 installed on the Exchange server, and a SonicWALL firewall.  We have no cloud solutions in place.  When I look at the message header info, all it shows is a time difference between when the sender sent it and Exchange received it.  In most cases, the senders are not getting any type of delay message sent to them.  As it is so sporadic, it is very hard to troubleshoot (as I can't automatically replicate the issue).  I don't have any deep inspection/quarantine zones in place, at least not ones that would automatically release the email after some time.  The header info usually shows that the SCL is 2 or less.

I'm hoping that someone can give me a suggestion or two as to where I need to look.

Any help will be greatly appreciated.

Thank you,

Jeremy
Question by:Jer

LVL 3

Assisted Solution

by:François Peroux
François Peroux earned 100 total points
Hello,

Any chance with ScanMail 12 to have more details from the logs? Maybe those emails are analyzed before being delivered, and that could cause this time lapse?

Since when have you had this issue? Any change to your configuration?
 
LVL 3

Author Comment

by:Jer
Been looking at the logs, but they have not suggested anything.  Users didn't initially communicate this, so it is hard to know when it started.  However, I do not believe that there have been any changes to our environment.  If it was our AV, I'd expect a flat quarantine/rejection.  Same with Exchange and our firewall.  Basically, it should be all or nothing.  One of our IPs was showing up on 3 Blacklists for a period, so that could have come into play, but I'd expect that to be an all or nothing issue, too.  The fact that we're receiving the emails expected, but just delayed, is the issue.  And it is just a handful of users/domains.  I've run message header analyzers, but they have not provided any indications of the issue.  They basically just show a long delay for the last hop (external email server -> our internal email server IP).  We don't have an SPF record, currently.  Not sure if that would come into play, as I'd again expect it to be an all or nothing situation.

Thanks,

Jeremy
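Jeremy's comment above says the header analyzers show the delay concentrated in the last hop, and JSpoor's reply suggests looking for a common path. The script below is an added example (not from the thread, and not code from any of the products named in it) that does the same per-hop arithmetic offline: it parses the Received: headers of a message, orders them oldest-first, and reports how many seconds each hop added. The message is a constructed sample with invented timestamps, documentation-range addresses and placeholder hostnames.

```python
"""Per-hop delay report from Received: headers (added example, not from the thread).

Each MTA prepends its own Received: header, so the top header is the newest hop.
Reading the headers bottom-up gives the path the message took and the time at
which each hop accepted it; the difference between consecutive timestamps is
the delay that hop contributed.
"""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message. Timestamps are invented so that the hop from the
# sender's MTA into the receiving edge server takes about three hours, the
# pattern described in the thread. Hosts and addresses are placeholders.
SAMPLE_MESSAGE = """\
Received: from edge.example.com (edge.example.com [203.0.113.5])
\tby mail.example.com with ESMTP; Wed, 31 Aug 2016 14:05:10 -0500
Received: from smtp.sender-example.org (smtp.sender-example.org [198.51.100.7])
\tby edge.example.com with ESMTPS; Wed, 31 Aug 2016 14:05:08 -0500
Received: by smtp.sender-example.org with SMTP id abc123;
\tWed, 31 Aug 2016 09:03:41 -0700 (PDT)
Date: Wed, 31 Aug 2016 09:03:40 -0700
From: someone@sender-example.org
To: jeremy@example.com
Subject: test

body
"""


def hop_times(raw_message):
    """Return [(route, datetime)] oldest-first, one entry per Received: header."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())                   # unfold continuation lines
        route, _, stamp = value.rpartition(";")           # the timestamp follows the last ';'
        stamp = re.sub(r"\([^)]*\)", "", stamp).strip()   # drop comments such as "(PDT)"
        hops.append((route.strip(), parsedate_to_datetime(stamp)))
    hops.reverse()                                        # newest header is first in the message
    return hops


def hop_delays(raw_message):
    """Return [(route, seconds)] for every hop after the first, oldest-first."""
    hops = hop_times(raw_message)
    return [(route, int((t - prev_t).total_seconds()))
            for (_, prev_t), (route, t) in zip(hops, hops[1:])]


def slowest_hop(raw_message):
    """The (route, seconds) pair that contributed the most delay."""
    return max(hop_delays(raw_message), key=lambda hop: hop[1])


def report(raw_message):
    for route, seconds in hop_delays(raw_message):
        print(f"{seconds:>7d}s  {route}")
    route, seconds = slowest_hop(raw_message)
    print(f"slowest hop: {seconds / 3600:.2f} h at: {route}")


if __name__ == "__main__":
    report(SAMPLE_MESSAGE)
```

Run it over a batch of delayed messages saved as .eml files and compare the slowest-hop routes: if the long gap sits consistently between the sender's own server and your edge (as in the sample), the sender's MTA queued the message and retried, which is what greylisting or an RBL-based tempfail at the perimeter produces. Note that the timestamps come from different clocks, so small negative or positive offsets of a few seconds are normal.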
 
LVL 5

Expert Comment

by:JSpoor
I would look at the email's headers to find if the emails that get delayed take a similar path.
Sounds like some remote servers have issues sending the email the first time.
This could be due to grey listing or other mechanisms to block spoofers on your antispam solutions.

If this is the case, most likely these senders do not have proper SPF records or similar, triggering your antispam solution to not accept the email the first time.


View example configurations and the SonicWALL webui and features on http://livedemo.sonicwall.com or http://ngfw-demo.com

Multiply the effectiveness of your APT Sandbox, stop unknown and zero-day attacks at the gateway. See a demo on http://apt-demo.com or http://atp.demo.com

You can also view the Next-Generation Firewalls via
http://next-generation-firewall.com or http://next-generation-firewall-demo.com
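JSpoor's point above is that greylisting turns a first-attempt refusal into a delay whose length depends entirely on the sender's retry schedule, and that the sender sees no bounce because the retry eventually succeeds. The simulation below is an added example (not the thread's code and not how any SonicWALL or Trend Micro product implements it) showing a minimal receiving-side policy next to a simulated sending MTA. The minimum delay and retry window are assumed values; the IPs and addresses are constructed.

```python
"""Greylisting simulation (added example; not the thread's or any vendor's code).

A greylisting receiver answers the first delivery attempt for an unknown
(client network, sender, recipient) triplet with a 4xx temporary failure. A
real MTA queues the message and retries later, so the mail arrives delayed by
however long the sender's retry schedule is, with no bounce to the sender.
Spam engines that never retry simply never deliver, which is the point.
"""

TEMPFAIL = "451 4.7.1 Greylisted, try again later"
ACCEPT = "250 2.0.0 OK"


def client_key(client_ip):
    # Key on the /24 so a sender that retries from a different host in the
    # same outbound pool (common for large providers) is still recognised.
    return ".".join(client_ip.split(".")[:3])


class Greylist:
    def __init__(self, min_delay=300, retry_window=4 * 3600, allowlist=()):
        self.min_delay = min_delay          # seconds a retry must wait before it is accepted (assumed)
        self.retry_window = retry_window    # seconds after which a pending triplet is forgotten (assumed)
        self.allowlist = set(allowlist)     # trusted client IPs that bypass greylisting
        self.pending = {}                   # triplet -> time of first attempt
        self.passed = set()                 # triplets that have completed a retry

    def decide(self, client_ip, mail_from, rcpt_to, now):
        """SMTP reply for one delivery attempt at time `now` (seconds)."""
        if client_ip in self.allowlist:
            return ACCEPT
        key = (client_key(client_ip), mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            return ACCEPT
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now         # new (or stale) triplet: ask the sender to retry
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL                 # retried too quickly, typical of spam engines
        self.passed.add(key)
        return ACCEPT


def delivery_delay(greylist, client_ip, mail_from, rcpt_to, retry_offsets):
    """Simulate a sending MTA: try at t=0, then at each offset in retry_offsets.
    Return the delay (seconds) at which the message was accepted, or None if never."""
    for t in [0, *retry_offsets]:
        if greylist.decide(client_ip, mail_from, rcpt_to, t) == ACCEPT:
            return t
    return None


if __name__ == "__main__":
    # Constructed scenarios with documentation-range addresses.
    fast = delivery_delay(Greylist(), "198.51.100.10", "a@sender.example", "jeremy@example.com", [300, 900])
    slow = delivery_delay(Greylist(), "198.51.100.20", "b@sender.example", "jeremy@example.com", [3600, 4 * 3600])
    never = delivery_delay(Greylist(), "198.51.100.30", "c@sender.example", "jeremy@example.com", [])
    print(f"MTA retrying every 5 min: delivered after {fast} s")
    print(f"MTA retrying hourly: delivered after {slow} s")
    print(f"engine that never retries: delivered={never}")
```

The "slow" scenario is the one that matches the symptom in the thread: a legitimate sender whose first retry comes an hour later delivers an hour late, with nothing in the sender's mailbox to show for it. If the receiving side's retry window is shorter than the sender's retry interval, the second attempt is treated as a new triplet and tempfailed again, which is why an overly aggressive window can stretch a delay from hours to days.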
 
LVL 5

Expert Comment

by:JSpoor
Also make sure your own SPF records are setup properly.
How did you get blacklisted?
It's easy to get on, but hard to get off, and yes that has tons of impact in receiving emails...

If you have multiple public IP addresses, it's best to One-to-One NAT your exchange inbound and outbound to a unique IP address, make sure this matches your SPF records and vice versa.
 
LVL 3

Author Comment

by:Jer
We got on a blacklist because one of our users' profiles was compromised by the Gozi Trojan.  Once I got that cleaned up, I monitored for 10 days and then de-listed us.  We have been fine since.  We do have unique IPs for outgoing and incoming IPs, so damage was minimal.  The issue was that the attack doesn't use port 25, so it was going out our firewall's IP.  Anyhow, I do plan to make an SPF, but as I haven't done it before and have to take into consideration our secure email product (Zix Corp), I've just been collecting info on it.  These email issues are escalating it, though.  I'll look through the links and see what applies.  My general position has been that it's the sender and not us, but I do want to make sure that I'm not sitting on a misconfiguration.
 
LVL 5

Expert Comment

by:JSpoor
Here's a good tool http://www.spfwizard.net/ to create the spf record.

What normally happens during an email communication, e.g. I send an email from mydomain.com to yourdomain.com:

My email server will do an MX lookup for yourdomain.com, then establish a direct SMTP connection.
If this fails, my server will put it in the queue and will retry later.

What is your MX record pointing to?
If it's pointing to your own network directly, it sounds like the remote servers are not able to deliver the email at first touch.

From the email header, you can see which paths it took. See if there's a pattern in there and if there's an in-between MTA agent which is causing the grief.
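JSpoor's posts recommend publishing an SPF record and making sure the mail server's one-to-one NAT address is the one the record authorizes. The checker below is an added example (not from the thread and not spfwizard.net's code) that evaluates the ip4/ip6/all mechanisms of a record against a connecting IP, reports DNS-dependent mechanisms instead of resolving them so it runs offline, and counts the lookups that RFC 7208 caps at 10. The record, the two IPs and the include hostname are constructed; the include is a placeholder standing in for whatever a hosted secure-mail provider actually publishes.

```python
"""Minimal offline SPF checker (added example; not from the thread or spfwizard.net).

Evaluates ip4/ip6/all mechanisms of an SPF record against a connecting IP and
reports DNS-dependent mechanisms (include, a, mx, ptr, exists, redirect=)
instead of resolving them, so the record logic can be inspected without DNS.
"""
import ipaddress

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed record for the scenario in the thread: one NAT'd outbound IP for
# the mail server, plus an include for a hosted secure-mail service. The
# include hostname is a placeholder, not any real provider's record.
EXAMPLE_RECORD = "v=spf1 ip4:203.0.113.10 include:_spf.secure-mail-provider.example -all"


def parse_spf(record):
    """Return [(qualifier, mechanism, argument)] for the record's mechanisms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = []
    for term in terms[1:]:
        if "=" in term:                      # modifier (redirect=, exp=); not a mechanism
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()    # "a/24" -> "a"
        mechanisms.append((qualifier, name, arg))
    return mechanisms


def check_host(record, client_ip):
    """Return (result, unresolved): result is pass/fail/softfail/neutral, and
    unresolved lists DNS-dependent mechanisms skipped before the first match."""
    ip = ipaddress.ip_address(client_ip)
    unresolved = []
    for qualifier, name, arg in parse_spf(record):
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if net.version == ip.version and ip in net:
                return RESULT_BY_QUALIFIER[qualifier], unresolved
        elif name == "all":
            return RESULT_BY_QUALIFIER[qualifier], unresolved
        elif name in DNS_MECHANISMS:
            unresolved.append(f"{name}:{arg}" if arg else name)
    return "neutral", unresolved             # no 'all' term: RFC 7208 default result


def dns_lookup_count(record):
    """Count terms that cost a DNS query; RFC 7208 limits these to 10 per evaluation."""
    count = 0
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            count += 1
            continue
        body = term.lstrip("+-~?").split(":")[0].split("/")[0].lower()
        if body in DNS_MECHANISMS:
            count += 1
    return count


if __name__ == "__main__":
    # Mail server NAT IP versus the firewall's LAN NAT IP (both constructed).
    for ip in ("203.0.113.10", "203.0.113.1"):
        print(ip, check_host(EXAMPLE_RECORD, ip))
    print("DNS lookups:", dns_lookup_count(EXAMPLE_RECORD))
```

The second IP in the run is the point of the one-to-one NAT advice: traffic from the LAN side leaves on the firewall's address, which the record does not list, so a compromised workstation sending direct-to-MX mail fails SPF at the recipient instead of borrowing the mail server's reputation. Before publishing, keep the lookup count well under 10; every include that a hosted provider adds brings its own nested lookups with it.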
 
LVL 5

Assisted Solution

by:JSpoor
JSpoor earned 400 total points
Also check if your antispam solution has an outbound anti-zombie protection mechanism to prevent such issues.

Good practice is to have your LAN users and your email server go out of different public IPs, and only allow outbound SMTP from the email server. This is so that an infected end user will not put you on a blacklist :)
 
LVL 3

Author Comment

by:Jer
Not abandoned.  People go on PTO and work on other items.  That said, I've checked through all of our AV, firewall, and Exchange products/services.  There is absolutely nothing that would hold an email for 1-6 hours.  Everything is either allowed after initial inspection or rejected after initial inspection.  Out of a handful of impacted senders, I'm seeing that half are using Google servers, so there is something there.  I'm implementing an SPF record today.
 
LVL 3

Accepted Solution

by:Jer
Jer earned 0 total points
Greetings.

It appears that the issue is likely due to the senders.  As I've been collecting info, I'm finding that most of the sending servers are on at least one blacklist.  I didn't find this to be the case initially, as many of the emails that I was researching were a week old or older.  It is possible that the server was being delisted.  As previously mentioned, I'm finding that over half of the delayed emails are from a Google email server, so I can't just allow the IP(s).  Anyhow, I do think that it is weird that the emails are delayed, but not rejected.  However, as the last 5 different delayed senders have all been blacklisted, I don't think it is a coincidence.  None of our AV products would hold an email for further inspection, but our network router/firewall does use RBLs, so that may be coming into play.  Using https://testconnectivity.microsoft.com/ (Message Header Analyzer) and MxToolbox has been very helpful.  Anyhow, thanks for the input and assistance.
 
LVL 3

Author Closing Comment

by:Jer
Not really resolved, but the evidence suggests that it is out of our control.