davesheppard (United Kingdom) asked:
How do I change the 'Message ID' and 'Received From' in Exchange 2013 from being the local Domain

As with many people (according to searches) my client is having email bounced by Microsoft because their recently introduced spam checking system is looking further down the email message Header Block and doing a reverse IP lookup on the internal name of the exchange server. This cannot be an FQDN because when the site was taken over we had to accept what had already been set up.

The scenario is (the names have been changed) that www.fulldomainname.com is their registered domain and all email goes out on to the internet as xyz@fulldomainname.com. This has been the case for several years, but in August 2016 hotmail.co.uk/.com and outlook.com addresses started to bounce. No other email bounces.

The name for the internal domain is 'shortdomainname.com' and there are 2 servers, the domain controller called DCDP and the Exchange Server called EXDP. Unfortunately 'shortdomainname.com' is registered and held by someone else, suddenly trying to sell it!

When emails go out, the Message ID and Received From always have 'DCDPEXDP.shortdomainname.com' and what Microsoft's new system appears to be doing is looking up the IP for 'shortdomainname.com' and the IP is of course not the same as where the email came from, and in addition the IP from the 'shortdomainname' site is blacklisted. I have an SPF record that includes 'DCDPEXDP.shortdomainname.com', but on this occasion that is of no use because Microsoft are looking up the IP of 'shortdomainname.com'.

I have blamed Microsoft's new system, but that may not be the case. It may be that some organisation has 'sniffed out' this problem and realized that they could capitalize on my dilemma.

I have looked up whether something can be done via a Shell cmdlet as there are TransportRuleActions for SetHeader and RemoveHeader, but I cannot truly establish whether it is safe to use these - equally I cannot locate anything that gives me the command structure.

I have found some software (that is $200) called Header-Writer, but I don't want to buy that if it only changes one element such as the Message ID - because Microsoft's system may be using the 'Received: from' for their checking.

Any assistance is greatly appreciated.
Akhater (Lebanon):

Can you share the exact bounce message ?
davesheppard (asker):
As this now includes some actual IP address, email addresses and Domain Names, please treat with respect. I trust Experts Exchange implicitly.

I am remote from the client and so the bounce message was forwarded, but it is below. I have changed the names of the servers to match the question, but where I was using 'shortdomainname' before, in the below you will see it as MPDP.COM, whereas (again in the below) my client is 'marketplacedentalpractice.com'.

SNT004-MC4F44.hotmail.com rejected your message to the following email addresses:
resisttheglamour@hotmail.co.uk (resisttheglamour@hotmail.co.uk)
A problem occurred while delivering this message to this email address. Try sending this message again. If the problem continues, please contact your helpdesk.
SNT004-MC4F44.hotmail.com gave this error:
SC-001 (SNT004-MC4F44) Unfortunately, messages from 92.27.228.230 weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors.


Diagnostic information for administrators:
Generating server: CDPEXDP.MPDP.com
resisttheglamour@hotmail.co.uk
SNT004-MC4F44.hotmail.com
Remote Server returned '550 SC-001 (SNT004-MC4F44) Unfortunately, messages from 92.27.228.230 weren't sent. Please contact your Internet service provider since part of their network is on our block list. You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors.'
Original message headers:
Received: from CDPEXDP.MPDP.com (192.168.16.2) by CDPEXDP.MPDP.com
 (192.168.16.2) with Microsoft SMTP Server (TLS) id 15.0.1156.6; Mon, 5 Sep
 2016 09:00:29 +0100
Received: from CDPEXDP.MPDP.com ([fe80::2922:7cf5:5d7d:4c5f]) by
 CDPEXDP.MPDP.com ([fe80::2922:7cf5:5d7d:4c5f%12]) with mapi id
 15.00.1156.000; Mon, 5 Sep 2016 09:00:29 +0100
From: Reception <Reception@marketplacedentalpractice.com>
To: "resisttheglamour@hotmail.co.uk" <resisttheglamour@hotmail.co.uk>
Subject: Appointment Reminder
Thread-Topic: Appointment Reminder
Thread-Index: AdIHS4q+KR1Vdss+Q4iOH32fO1DVBQ==
Date: Mon, 5 Sep 2016 08:00:27 +0000
Message-ID: <ee5a2ee9f3404994aa10f757343d7a69@CMPDPEXCH1.MPDP.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.168.16.202]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
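As an added example (not part of the original post), the script below pulls every host name and address out of the trace headers quoted above and classifies each address, so the exact set of internal names a recipient can see is listed rather than guessed at. The sample headers are a constructed copy of the ones in the NDR; the sending-domain argument is whatever domain appears in the From: address.

```python
"""Audit the trace headers of an outbound message: list every host name and
address a recipient can see in the Received: hops and the Message-ID, and
classify each address so it is obvious which ones are internal.

Added example, not code from the original question; the sample headers are
a constructed copy of the ones quoted in the NDR above.
"""
import ipaddress
import re

# Constructed sample: the headers quoted in the NDR above, folded lines intact.
SAMPLE_HEADERS = """\
Received: from CDPEXDP.MPDP.com (192.168.16.2) by CDPEXDP.MPDP.com
 (192.168.16.2) with Microsoft SMTP Server (TLS) id 15.0.1156.6; Mon, 5 Sep
 2016 09:00:29 +0100
Received: from CDPEXDP.MPDP.com ([fe80::2922:7cf5:5d7d:4c5f]) by
 CDPEXDP.MPDP.com ([fe80::2922:7cf5:5d7d:4c5f%12]) with mapi id
 15.00.1156.000; Mon, 5 Sep 2016 09:00:29 +0100
From: Reception <Reception@marketplacedentalpractice.com>
Message-ID: <ee5a2ee9f3404994aa10f757343d7a69@CMPDPEXCH1.MPDP.com>
"""

# Matches "Received: from <host> (<ip>) by <host>" and the bracketed IPv6 form
# "from <host> ([<ip6>]) by <host>"; an IPv6 scope id such as %12 is dropped.
HOP_RE = re.compile(
    r"^Received:\s+from\s+(?P<from>\S+)\s+\(\[?(?P<ip>[^\s\]\)%]+)(?:%\d+)?\]?\)\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def unfold_headers(raw):
    """RFC 5322 unfolding: a line beginning with whitespace continues the previous header."""
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        elif line:
            out.append(line)
    return out


def classify_ip(text):
    """Classify an address string as loopback, link-local, private, public or unparseable."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "unparseable"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:  # tested before is_private, which is also True for fe80::/10
        return "link-local"
    if ip.is_private:
        return "private"
    return "public"


def in_domain(host, domain):
    """True if host equals domain or is a subdomain of it (case-insensitive)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def audit_headers(raw, sending_domain):
    """Return one dict per Received hop plus one for the Message-ID domain.
    'internal' is True when the host name is not under sending_domain."""
    findings = []
    for header in unfold_headers(raw):
        m = HOP_RE.match(header)
        if m:
            findings.append({
                "header": "Received",
                "host": m.group("from"),
                "by": m.group("by"),
                "ip": m.group("ip"),
                "ip_class": classify_ip(m.group("ip")),
                "internal": not in_domain(m.group("from"), sending_domain),
            })
        elif header.lower().startswith("message-id:"):
            domain = header.split("@", 1)[1].strip().rstrip(">")
            findings.append({
                "header": "Message-ID",
                "host": domain,
                "by": None,
                "ip": None,
                "ip_class": None,
                "internal": not in_domain(domain, sending_domain),
            })
    return findings


if __name__ == "__main__":
    for f in audit_headers(SAMPLE_HEADERS, "marketplacedentalpractice.com"):
        flag = "INTERNAL" if f["internal"] else "ok"
        print(f"{f['header']:<10} {f['host']:<24} {f['ip'] or '-':<28} {f['ip_class'] or '-':<11} {flag}")
```

Run against the quoted headers, every row comes back INTERNAL: both Received hops name the Exchange server under MPDP.com with a private address (192.168.16.2) and a link-local one (fe80::...), and the Message-ID domain is CMPDPEXCH1.MPDP.com. Neither of those addresses is routable, so a receiving MTA cannot reverse-resolve them to anything outside the sender's LAN; the only public address it has to judge is the one the connection arrives from, which is the 92.27.228.230 the 550 SC-001 text names.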

I totally understand your concern; I have now copied the NDR if you wish to remove it.

Thanks

I really doubt your issue is from the Message ID and Received From, which you can both remove with a transport rule, but I wouldn't advise doing so.

Your rejection message is SC-001, which means:
# 550 SC-001 Mail rejected by Microsoft  for policy reasons. Reasons for rejection may be related to content with spam-like characteristics or IP/domain reputation. If you are not an e-mail/network admin please contact your E-mail/Internet Service Provider for help.


For me, so far, it looks like a reverse DNS issue more than anything else.

Is the public IP xx.27.228.xxx you send from fixed? I know it has a PTR record, but it looks pretty generic to me.

Reading your NDR more carefully, it clearly states "Please contact your Internet service provider since part of their network is on our block list", so even if your IP is not on any blocklist it seems that Hotmail blocked the whole range of IPs...

You could contact MS and/or your ISP.

Hi Akhater

It is a fixed IP and the client's only public IP.

Apologies if I did not make it clear initially, sometimes it is impossible to explain in a single go.
What happens is that Microsoft are reading down the header and picking out CDPEXDP.MPDP.COM.  They are then doing a reverse look up on the domain MPDP.COM and using the returned IP address from that lookup to check against blacklists.  So they look it up and get an address of 72.52.4.91 and that is on a blacklist. I checked this with MX tools.

I just need to ensure that all of the information in the header relates to marketplacedentalpractice.com and not mpdp.com.

I do not know how to withdraw specific information from my earlier response so I will just have to take the risk.

Hello Dave

Your initial post is very clear; however, I am not convinced that this is the issue. The IP rejected is 92.27.228.230 and not 72.52.4.91.

Anyhow, you have another issue: your SPF record has a syntax problem, and the IP you're sending from is not listed in it...

Can I ask where you got the info that it is looking in the headers? Split DNS (different names inside and outside) is a very common practice; Microsoft would know better.

My client's ISP provided the information, and when I checked, my client's IP is not on any blacklist, but 72.52.4.91 is. I will check the SPF in the morning as I am out tonight and it is time to go.

Thanks so far.

ASKER CERTIFIED SOLUTION by Akhater (Lebanon): solution text only available to members.
How do you establish that?

SOLUTION: solution text only available to members.

So, two questions from these exchanges:

1. If you are both correct and my Client's IP is on a Microsoft Blacklist, how do I appeal to get it removed; and

2. What is the syntax error on my SPF record: v=spf1 a mx ip4:5.10.105.38 ip4:92.27.228.230 ptr include:cmpdpexch1.mpdp.com inlcude:relay.webhost-mail.com -all

Remember that in an effort to protect confidentiality, I was amending the names of the Servers. The actual name of the exchange server is EXCH1, the actual name of the Domain Controller is CMPDP, and the name of the internal Domain is mpdp.com.

As mentioned earlier in the question, if you do a web search you will find a lot of people suggesting that organisations are using the internal DNS name in the header as another spam check. Of course they could all be wrong, as I was just checking what my client's ISP had said, and the number of instances found from searching made me believe them.

Thank you Akhater and Simon for your inputs so far.

 Just a further update.

Whilst question 2 from the above still applies (SPF Syntax), I managed to find a form to complete for Microsoft to request mitigation of the IP.  Unfortunately the form only gave the USA options (.com), but hopefully they will replicate across all of their servers.

I have received an automatic email back from Microsoft stating that 92.27.228.230/32 qualifies for conditional mitigation and that replication could take between 24-48 hours. I will retest on Monday and let you know if this had any effect.

Your SPF record contains 'inlcude:relay.xxxxx' instead of 'include'; it is a typo.

So should it be

1) v=spf1 a mx ip4:5.10.105.38 ip4:92.27.228.230 ptr include:relay.cmpdpexch1.mpdp.com inlcude:relay.webhost-mail.com -all

or 2) v=spf1 a mx ip4:5.10.105.38 ip4:92.27.228.230 ptr include:cmpdpexch1.mpdp.com inlcude:webhost-mail.com -all

With SPF records you want to limit the number of DNS lookups.
Therefore you need to get it optimised as much as possible.

Take a look online for SPF optimisation and validation checkers - there are a lot of them about. Have you used something to build the SPF record for you?
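The two SPF points raised above, the misspelt include term and the need to keep the DNS-lookup count down, can both be checked mechanically before the record is published. The linter below is an added example (not code from this thread); it uses the record quoted in the question as constructed sample input, strips the zero-width characters that copy-and-paste from a web form tends to insert, flags any term that is not an SPF mechanism or modifier, counts the terms that cost a DNS lookup against the limit of 10 from RFC 7208, and reports whether a given sending IP is named explicitly by an ip4/ip6 term. It performs no DNS queries, so it runs offline and says nothing about whether an include: target actually publishes a record.

```python
"""SPF record linter: tokenise a record, flag unknown terms (such as a
misspelt 'include'), count the terms that cost a DNS lookup against the
RFC 7208 limit of 10, and check whether a sending IP is explicitly covered
by an ip4/ip6 term. No DNS resolution is done, so it runs offline.

Added example, not code from the original thread.
"""
import ipaddress
import re

# Terms that cost a DNS lookup (RFC 7208 section 4.6.4); at most 10 per check.
LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}
KNOWN_MECHANISMS = {"all", "a", "mx", "ptr", "ip4", "ip6", "include", "exists"}
KNOWN_MODIFIERS = {"redirect", "exp"}
MAX_LOOKUPS = 10

# The record quoted in the question (constructed copy; the 'inlcude' typo is the original's).
PAGE_RECORD = ("v=spf1 a mx ip4:5.10.105.38 ip4:92.27.228.230 ptr "
               "include:cmpdpexch1.mpdp.com inlcude:relay.webhost-mail.com -all")


def parse_spf(record):
    """Split a record into (qualifier, name, argument, kind) terms, where kind is
    'mechanism' or 'modifier'. Zero-width characters are stripped first."""
    record = re.sub(r"[\u200b\u200c\u200d\ufeff]", "", record)
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("record does not start with v=spf1")
    terms = []
    for raw in parts[1:]:
        qualifier = "+"
        if raw[0] in "+-~?":
            qualifier, raw = raw[0], raw[1:]
        if "=" in raw.split(":", 1)[0]:       # modifier: redirect=... / exp=...
            name, arg = raw.split("=", 1)
            kind = "modifier"
        else:                                 # mechanism: include:... / ip4:... / a / mx/24
            name, _, arg = raw.partition(":")
            name = name.split("/", 1)[0]      # a CIDR suffix on a/mx does not change the lookup count
            kind = "mechanism"
        terms.append((qualifier, name.lower(), arg, kind))
    return terms


def lint_spf(record, sender_ip=None):
    """Return a list of findings (strings); an empty list means nothing was found."""
    findings = []
    terms = parse_spf(record)
    lookups = 0
    covered = False
    ip = ipaddress.ip_address(sender_ip) if sender_ip else None
    for qualifier, name, arg, kind in terms:
        if kind == "mechanism" and name not in KNOWN_MECHANISMS:
            findings.append(f"unknown mechanism '{name}' (typo?) in '{name}:{arg}'; receivers return permerror")
            continue
        if kind == "modifier" and name not in KNOWN_MODIFIERS:
            findings.append(f"unknown modifier '{name}=' (ignored by receivers)")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("'ptr' is deprecated by RFC 7208 and should be dropped")
        if name in ("ip4", "ip6") and ip is not None:
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                findings.append(f"invalid address in '{name}:{arg}'")
                continue
            if qualifier == "+" and ip in net:   # version mismatch simply yields False
                covered = True
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}; receivers return permerror")
    if ip is not None and not covered:
        findings.append(f"sender {ip} is not named by any ip4/ip6 term; it must match via a, mx or include")
    if not terms or terms[-1][1] not in ("all", "redirect"):
        findings.append("record should end with an 'all' mechanism (or a redirect= modifier)")
    return findings


if __name__ == "__main__":
    for line in lint_spf(PAGE_RECORD, "92.27.228.230") or ["no findings"]:
        print(line)
```

Against the record from the question the linter reports the unknown mechanism 'inlcude' and the deprecated ptr term, and confirms that 92.27.228.230 is named explicitly; both candidate records in the reply above still spell the second term inlcude, so both would fail the same way. One caveat the linter cannot check offline: an include: target must itself publish an SPF record, and RFC 7208 turns an include of a name with no SPF record into a permerror, so including a server host name such as cmpdpexch1.mpdp.com only works if that exact name has its own TXT record.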

Thank you both very much. I did not know that MS maintained their own blacklists and therefore only checked the known blacklists. With your help and assistance, I managed to find the relevant form on the MS site and completed this last Friday. As they said it could take up to 48 hours to replicate, I could not really answer until today, when we tested it and all looks fine. We now have a conditional mitigation on my client's single IP. The splitting of the points was done automatically by the EE site; I did not have a choice to allocate.

Just in case anyone else finds this question and sees this closure, the website for the form is https://support.live.com/eform.aspx?productKey=edfsmsbl3&ct=eformts

Once again many thanks to you both.