Solved

How do I change the 'Message ID' and 'Received From' in Exchange 2013 from being the local Domain

Posted on 2016-09-15
Last Modified: 2016-09-19
As with many people (according to searches) my client is having email bounced by Microsoft because their recently introduced spam checking system is looking further down the email message Header Block and doing a reverse IP lookup on the internal name of the exchange server. This cannot be an FQDN because when the site was taken over we had to accept what had already been set up.

The scenario is (the names have been changed) that www.fulldomainname.com is their registered domain and all email goes out on to the internet as xyz@fulldomainname.com. This has been the case for several years, but in August 2016 hotmail.co.uk /.com and outlook.com addresses started to bounce. No other email bounces.

The name for the internal domain is 'shortdomainname.com' and there are 2 servers, the domain controller called DCDP and the Exchange Server called EXDP. Unfortunately 'shortdomainname.com' is registered and held by someone else, suddenly trying to sell it!

When emails go out, the Message ID and Received From always have 'DCPDEXDP.shortdomainname.com' and what Microsoft's new system appears to be doing is looking up the IP for 'shortdomainname.com' and the IP is of course not the same as where the email came from, and in addition the IP from the 'shortdomainnamesite' is blacklisted. I have an SPF record that includes 'DCDPEXDP.shortdomainname.com', but on this occasion that is of no use because Microsoft are looking up the IP of 'shortdomainname.com'.

I have blamed Microsoft's new system, but that may not be the case. It may be that some organisation has 'sniffed out' this problem and realized that they could capitalize on my dilemma.  

I have looked up whether something can be done via a Shell cmdlet as there are TransportRuleActions for SetHeader and RemoveHeader, but I cannot truly establish whether it is safe to use these - equally I cannot locate anything that gives me the command structure.

I have found some software (that is $200) called Header-Writer, but I don't want to buy that if it only changes one element such as the Message ID - because Microsoft's system may be using the 'Received: from' for their checking.

Any assistance is greatly appreciated.
Question by:davesheppard
17 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 41800140
Can you share the exact bounce message ?
 

Author Comment

by:davesheppard
ID: 41800212
As this now includes some actual IP address, email addresses and Domain Names, please treat with respect. I trust Experts Exchange implicitly.

I am remote from the client and so the bounce message was forwarded, but it is below. I have changed the name of the servers to match the question, but where I was using 'shortdomainname' before, in the below you will see it as MPDP.COM, whereas (again in the below) my client is 'marketplacedentalpractice.com'

SNT004-MC4F44.hotmail.com rejected your message to the following email addresses:
resisttheglamour@hotmail.co.uk (resisttheglamour@hotmail.co.uk)
A problem occurred while delivering this message to this email address. Try sending this message again. If the problem continues, please contact your helpdesk.
SNT004-MC4F44.hotmail.com gave this error:
SC-001 (SNT004-MC4F44) Unfortunately, messages from 92.27.228.230 weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors.


Diagnostic information for administrators:
Generating server: CDPEXDP.MPDP.com
resisttheglamour@hotmail.co.uk
SNT004-MC4F44.hotmail.com
Remote Server returned '550 SC-001 (SNT004-MC4F44) Unfortunately, messages from 92.27.228.230 weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors.'
Original message headers:
Received: from CDPEXDP.MPDP.com (192.168.16.2) by CDPEXDP.MPDP.com
 (192.168.16.2) with Microsoft SMTP Server (TLS) id 15.0.1156.6; Mon, 5 Sep
 2016 09:00:29 +0100
Received: from CDPEXDP.MPDP.com ([fe80::2922:7cf5:5d7d:4c5f]) by
 CDPEXDP.MPDP.com ([fe80::2922:7cf5:5d7d:4c5f%12]) with mapi id
 15.00.1156.000; Mon, 5 Sep 2016 09:00:29 +0100
From: Reception <Reception@marketplacedentalpractice.com>
To: "resisttheglamour@hotmail.co.uk" <resisttheglamour@hotmail.co.uk>
Subject: Appointment Reminder
Thread-Topic: Appointment Reminder
Thread-Index: AdIHS4q+KR1Vdss+Q4iOH32fO1DVBQ==
Date: Mon, 5 Sep 2016 08:00:27 +0000
Message-ID: <ee5a2ee9f3404994aa10f757343d7a69@CMPDPEXCH1.MPDP.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.168.16.202]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
 
LVL 49

Expert Comment

by:Akhater
ID: 41800302
I totally understand your concern, I have now copied the NDR if you wish to remove it

thanks
 
LVL 49

Expert Comment

by:Akhater
ID: 41800322
I really doubt your issue is from the Message ID and Received From, which you can both remove with a transport rule, but I wouldn't advise doing so.

your rejection message is SC-001 which means
# 550 SC-001 Mail rejected by Microsoft  for policy reasons. Reasons for rejection may be related to content with spam-like characteristics or IP/domain reputation. If you are not an e-mail/network admin please contact your E-mail/Internet Service Provider for help.


For me, so far, it looks like a reverse DNS issue more than anything else.

Is the public IP xx.27.228.xxx you send from fixed? I know it has a PTR record but it looks pretty generic to me.
 
LVL 49

Expert Comment

by:Akhater
ID: 41800329
Reading your NDR more carefully it clearly states "Please contact your Internet service provider since part of their network is on our block list", so even if your IP is not on any blocklist it seems that hotmail blocked the whole range of IPs...

you could contact MS and/or your ISP provider
 

Author Comment

by:davesheppard
ID: 41800337
Hi Akhater

It is a fixed IP and the client's only public IP.

Apologies if I did not make it clear initially, sometimes it is impossible to explain in a single go.
What happens is that Microsoft are reading down the header and picking out CDPEXDP.MPDP.COM.  They are then doing a reverse look up on the domain MPDP.COM and using the returned IP address from that lookup to check against blacklists.  So they look it up and get an address of 72.52.4.91 and that is on a blacklist. I checked this with MX tools.

I just need to ensure that all of the information in the header relates to marketplacedentalpractice.com and not mpdp.com.

I do not know how to withdraw specific information from my earlier response so I will just have to take the risk.
 
LVL 49

Expert Comment

by:Akhater
ID: 41800345
Hello Dave

Your initial post is very clear; however, I am not convinced that this is the issue. The IP rejected is 92.27.228.230 and not 72.52.4.91.

Anyhow, you have another issue with your SPF record, which has a syntax problem, and the IP you're sending from is not listed in it....

Can I know where you got the info that it is looking in the headers? Split DNS (different names inside and outside) is a very common practice; Microsoft would know better.
 

Author Comment

by:davesheppard
ID: 41800356
My client's ISP provided the information and when I checked my client's IP is not on any blacklist, but 72.52.4.91 is. I will check the SPF in the morning as I am out tonight and it is time to go.

Thanks so far.
 
LVL 49

Accepted Solution

by:Akhater (earned 250 total points)
ID: 41800362
I agree that your IP is not on the blacklist, but Microsoft is blocking the whole range it seems. I do not agree with your ISP's assessment, but I might be wrong (wouldn't be the first time :) )
 

Author Comment

by:davesheppard
ID: 41800644
How do you establish that?
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee) (earned 250 total points)
ID: 41800657
Microsoft don't use public blacklists - they operate their own.
Therefore it is possible to be blacklisted by Microsoft and no one else. They also don't provide tools to check their blacklists.

I would have to agree with the above that checking further down the headers is a pointless exercise and Microsoft's filtering doesn't do that. There are simply too many sites out there using domains they don't own or non-resolving domains.

I expect that if you were to route email via another host (such as your ISP's SMTP server) the emails will go straight through. Although if you are using SPF then you should ensure the server is listed in the SPF record before changing. I would also encourage you to set up a DMARC record as well.
 

Author Comment

by:davesheppard
ID: 41800888
So two questions from these exchanges:

1. If you are both correct and my Client's IP is on a Microsoft Blacklist, how do I appeal to get it removed; and

2. What is the syntax error on my SPF record: v=spf1 a mx ip4:5.10.105.38 ip4:92.27.228.230 ptr include:cmpdpexch1.mpdp.com inlcude:relay.webhost-mail.com -all

Remember that in an effort to protect confidentiality, I was amending the names of the Servers. The actual name of the exchange server is EXCH1, the actual name of the Domain Controller is CMPDP, and the name of the internal Domain is mpdp.com.

As mentioned earlier in the question, if you do a web search you will find a lot of people suggesting that organisations are using the internal DNS name in the header as another spam check. Of course they could all be wrong, as I was just checking what my client's ISP had said, and the number of instances found from searching made me believe them.
 

Author Comment

by:davesheppard
ID: 41800962
Thank you Akhater and Simon for your inputs so far.

 Just a further update.

Whilst question 2 from the above still applies (SPF Syntax), I managed to find a form to complete for Microsoft to request mitigation of the IP.  Unfortunately the form only gave the USA options (.com), but hopefully they will replicate across all of their servers.

I have received an automatic email back from Microsoft stating that 92.27.228.230/32 qualifies for conditional mitigation and that replication could take between 24-48 hours. I will retest on Monday and let you know if this had any effect.
 
LVL 49

Expert Comment

by:Akhater
ID: 41800994
Your SPF record contains inlcude:relay.xxxxx instead of include; it is a typo.
 

Author Comment

by:davesheppard
ID: 41800999
So should it be

1) v=spf1 a mx ip4:5.10.105.38 ip4:92.27.228.230 ptr include:relay.cmpdpexch1.mpdp.com inlcude:relay.webhost-mail.com -all

or 2) v=spf1 a mx ip4:5.10.105.38 ip4:92.27.228.230 ptr include:cmpdpexch1.mpdp.com inlcude:webhost-mail.com -all
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 41801469
With SPF records you want to limit the number of DNS lookups.
Therefore you need to get it optimised as much as possible.

Take a look online for SPF optimisation and validation checkers - there are a lot of them about. Have you used something to build the SPF record for you?
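Both of the SPF points raised in this thread (Akhater's spotting of the misspelt `inlcude` term, and Simon's advice to keep the number of DNS lookups down) can be checked offline before a record is published. The script below is an added example, not code from the original posts or from any Exchange or Microsoft tool; it parses the record exactly as posted above, flags terms that are not SPF mechanisms or modifiers, counts the lookup-incurring terms against the RFC 7208 limit of 10, and tests whether the sending IP is covered by an `ip4:` term. It performs no DNS queries, so `include:`, `a`, `mx` and `ptr` targets are only counted, not expanded.

```python
"""Offline SPF record checker (added example; not from the original post)."""
import ipaddress
import re

# Mechanisms and modifiers defined by RFC 7208. Each term in LOOKUP_TERMS
# costs a DNS query when a receiver evaluates the record (limit: 10).
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

# The record as posted in the thread, including its misspelt 'inlcude' term.
RECORD = ("v=spf1 a mx ip4:5.10.105.38 ip4:92.27.228.230 ptr "
          "include:cmpdpexch1.mpdp.com inlcude:relay.webhost-mail.com -all")

TERM_RE = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=](.*))?", re.I)


def analyse_spf(record: str) -> dict:
    """Tokenise an SPF TXT record; report unknown terms and DNS lookup cost."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    unknown, lookups, parsed = [], 0, []
    for term in terms[1:]:
        match = TERM_RE.fullmatch(term)
        name = match.group(2).lower() if match else None
        if name not in MECHANISMS | MODIFIERS:   # catches typos such as 'inlcude'
            unknown.append(term)
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        parsed.append((match.group(1) or "+", name, match.group(3)))
    return {"unknown": unknown, "lookups": lookups,
            "over_limit": lookups > LOOKUP_LIMIT, "terms": parsed}


def ip4_listed(record: str, sender_ip: str) -> bool:
    """True if sender_ip falls inside any ip4: term (CIDR suffix optional)."""
    ip = ipaddress.ip_address(sender_ip)
    for _, name, arg in analyse_spf(record)["terms"]:
        if name == "ip4" and arg and ip in ipaddress.ip_network(arg, strict=False):
            return True
    return False


if __name__ == "__main__":
    result = analyse_spf(RECORD)
    print("unknown terms:", result["unknown"])      # ['inlcude:relay.webhost-mail.com']
    print("DNS lookups  :", result["lookups"])      # 4 (a, mx, ptr, include)
    print("92.27.228.230 covered by ip4:", ip4_listed(RECORD, "92.27.228.230"))
```

A receiver that hits an unknown term returns PermError for the whole record, so the misspelt mechanism does more damage than a missing include would.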
 

Author Closing Comment

by:davesheppard
ID: 41805357
Thank you both very much, I did not know that MS maintained their own blacklists and therefore only checked the known blacklists. With your help and assistance, I managed to find the relevant form on the MS site and completed this last Friday. As they said it could take up to 48 hours to replicate, I could not really answer until today, when we tested it and all looks fine. We now have a conditional mitigation on my client's single IP. The splitting of the points was done automatically by the EE site; I did not have a choice to allocate.

Just in case anyone else finds this question and sees this closure, the website for the form is https://support.live.com/eform.aspx?productKey=edfsmsbl3&ct=eformts

Once again many thanks to you both.