Random mail delivery from GMail

Barry Fields
We have experienced random mail delivery from some Gmail-hosted domains. In all cases, up to now, the offending Gmail server was on some internet blacklist, therefore we refused the connection. I had a client who was experiencing this issue send me the message header of the failed message, and below was what I received. Any ideas?


From: xxxxxxx@xxxxxxxx.com>

References: <07c49beac47344959fcf3b7347f7be5c@xxxxxxxx.com> <b865e3dd-f7e9-4e98-95aa-01c954bda1cc@11223344.xxxxxxxxxs.com> <a5a2eb16346242219e8c8a940d726e48@mail.gmail.com> <1c0e6dc2-9e3c-4c08-b1c4-fd7cc6a8c1ed@mail2k16.wienerrealtors.com> <d3f26f7edd48d7862a6af5d0d3cfeb5b@mail.gmail.com> <34424a3df8374615978232cba177d859@pinnacleny.com> <b3cb993d08df1d90ca9d19fc7bd4d966@mail.gmail.com> <fc1e9e69c5074c3db13eadf6f3f59ca2@xxxxxxxxx.com> <34bee67c8029863e1a5d86396cd35682@mail.gmail.com> <5db8cc4c.1c69fb81.3b48f.8f0e.GMR@mx.google.com> <220b3e61872a195c78492927ce6af48c@mail.gmail.com>

In-Reply-To: <220b3e61872a195c78492927ce6af48c@mail.gmail.com>

MIME-Version: 1.0

X-Mailer: Microsoft Outlook 16.0

Thread-Index: AQJbLLEysfzQpKdVhMsJl/5xMKJlsgEu6u3IAmIXYVoCTomckgHU4umYAXge2K4CjJGDJQLnjqjkARP2BWsAwb7RywIWOtr2pf+m0yA=
Brian B, EE Topic Advisor, Independent Technology Professional

Commented:
There should be more information in the NDR as to why. Also, check their IP against a Blackhole list like network-tools.com.

Meanwhile, you should be able to whitelist them in your email filter so their mail gets through to you.
Barry Fields, IT manager

Author

Commented:
Problem is there is no IP info in the "header". I have analyzed some of the Gmail servers in the past and they were on an internet blacklist; I am not going to whitelist. I don't have an IP address to whitelist anyway.
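
The fields posted in the question (References, In-Reply-To, Thread-Index and so on) are threading fields; relay IPs are recorded in `Received` trace fields and the receiving server's SPF/DKIM/DMARC verdicts in `Authentication-Results`. As an added example (not part of the original thread), this Python code pulls both out of a full header block; every host, IP and ID in the two sample inputs is constructed.

```python
import re
from email import message_from_string

# Constructed full header block (all hosts, IPs and IDs are made up).
FULL = """\
Received: from mail-out.example.net (mail-out.example.net [198.51.100.23])
\tby mx.example.org with ESMTPS id abc123; Tue, 29 Oct 2019 10:15:02 -0400
Received: from [10.0.0.5] (unknown [203.0.113.7])
\tby mail-out.example.net with ESMTPSA; Tue, 29 Oct 2019 10:15:00 -0400
Authentication-Results: mx.example.org; spf=softfail smtp.mailfrom=example.com;
\tdkim=none; dmarc=fail header.from=example.com
From: sender@example.com
Message-ID: <constructed-id-2@mail.example.com>
In-Reply-To: <constructed-id-1@mail.example.com>

"""
# Constructed excerpt holding only the kinds of fields shown in the question.
EXCERPT = """\
References: <constructed-id-0@example.com> <constructed-id-1@mail.example.com>
In-Reply-To: <constructed-id-1@mail.example.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 16.0

"""
HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9A-Fa-f:.]+)\]\)")
VERDICT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def _unfold(value):
    """Collapse folded header lines into one space-separated string."""
    return " ".join(str(value).split())


def triage(raw_headers):
    """Return relay hops (newest first), auth verdicts and Message-ID domains."""
    msg = message_from_string(raw_headers)
    hops = [m.groups() for v in msg.get_all("Received", [])
            for m in [HOP.search(_unfold(v))] if m]
    results = " ".join(msg.get_all("Authentication-Results", []))
    # The right-hand side of a Message-ID is chosen by the software that
    # generated the message; the connecting host is recorded in Received.
    ids = " ".join(msg.get_all("Message-ID", []) + msg.get_all("References", []))
    return {"hops": hops, "auth": dict(VERDICT.findall(_unfold(results))),
            "id_domains": sorted(set(re.findall(r"@([^>\s]+)>", ids)))}


if __name__ == "__main__":
    print(triage(FULL))
    print(triage(EXCERPT))
```

Run against an excerpt like the one in the question, `hops` and `auth` come back empty, which is why the full headers from the receiving mailbox or the filter's own connection log are needed before an IP can be checked against a blacklist.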
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Any mail from mail.gmail.com is bogus, as a DNS lookup on this host returns NXDOMAIN (no IP).

Said another way, mail.gmail.com - there is no mail host name related to the gmail.com domain name.
Barry Fields, IT manager

Author

Commented:
Yeah, I saw the same thing but the sender is a legit sender so there is something else going on here. Even the message "header" that was sent to me appears to be bogus.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
The sender is not legit, because they're forging an email to appear to be from a gmail.com host which is nonexistent.

Forged Mail == Bogus/Nonlegit Mail.

Super easy to block this type of Forgery. Just run SPF analysis at your MTA + immediately bounce or blackhole (drop with no response) Forgeries.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Tip: The way I handled Forgeries + SPAM is simple.

In my incoming filtering, I sense both conditions, then return a 550: User not found response.

After a 550 is returned a few times, mail from this sender (whoever the sender might be) will stop, because they're wasting resources sending to what appears to be a non-existent user.
Brian B, EE Topic Advisor, Independent Technology Professional

Commented:
To be honest, there may not be a lot you can do. If they aren't using properly formed headers that comply with RFC1822, then your company probably isn't the only one who is rejecting their email. To be blunt, you shouldn't be expected to compromise your email security to accommodate someone who doesn't follow the rules.
Barry Fields, IT manager

Author

Commented:
Agreed
Barry Fields, IT manager

Author

Commented:
I am also having a mail delivery issue from smtp.gmail.com; an nslookup returns an IPv6 as well as an IPv4 address. This is the first time I have encountered this. My SPAM filter is rejecting the connection but I don't see anything in the logs. When I check the TXT records for the hosted domain I get the following:
Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\bfields>nslookup
Default Server:  UnKnown
Address:  192.168.101.217

> server 4.2.2.2
Default Server:  b.resolvers.level3.net
Address:  4.2.2.2

> set type=txt
> compass.com
Server:  b.resolvers.level3.net
Address:  4.2.2.2

Non-authoritative answer:
compass.com     text =

        "MS=ms64829634"
compass.com     text =

        "adobe-idp-site-verification=54008c3c-af25-4f80-9730-49ae3e1cd6d2"
compass.com     text =

        "docusign=2c9c554e-4930-4ba3-a878-682a34c8eda9"
compass.com     text =

        "docusign=5fe9d34d-a96e-4ad1-8edc-d67ce4e4543b"
compass.com     text =

        "facebook-domain-verification=smzi54npour6196nzgjhnmsap8l0y7"
compass.com     text =

        "google-site-verification=3C-S081T9gRRdoRFltMBhUaOJX722peEUrLKlqq05OM"
compass.com     text =

        "google-site-verification=HrOiZEDlh12IeA-17RI4XgSorGnzWEtvC7pRS2TjTEI"
compass.com     text =

        "google-site-verification=pJwvcYwAL54K1ta6dA0tCUA8ZpR68XlwvQlAB7l-LmM"
compass.com     text =

        "northpass-domain-verification=e94680713396c2445f35c491059c7444"
compass.com     text =

        "segment-site-verification=UoY8Sw0ubYDFEtxrEqvM3wba9jG51JRB"
compass.com     text =

        "v=spf1 include:compass.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:servers.mcsv.net include:sendgrid.net include:zcsend.net ~all"

Does anyone know how to decipher this?
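
The `v=spf1` record at the end of the output above uses SPF macros (RFC 7208, section 7): `%{i}` is the connecting IP, `%{h}` the HELO/EHLO name and `%{d}` the domain being checked. As an added example (not part of the original thread), this Python code splits that record into terms and expands the macros for a constructed connection; the IP, HELO name and sender address are made up.

```python
import ipaddress
import re

# SPF TXT record copied from the nslookup output in the post above.
RECORD = ("v=spf1 include:compass.com._nspf.vali.email "
          "include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email "
          "include:servers.mcsv.net include:sendgrid.net include:zcsend.net ~all")
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Lowercase macro letters only; uppercase (URL-escaped) forms are left untouched.
MACRO = re.compile(r"%\{([slodihv])(\d*)(r?)([.\-+,/_=]*)\}|%([%_\-])")

def expand(spec, ip, helo, sender, domain):
    """Expand RFC 7208 section 7 macros in one domain-spec."""
    addr = ipaddress.ip_address(ip)
    local, _, sender_domain = sender.rpartition("@")
    # %{i}: dotted quad for IPv4, dot-separated hex nibbles for IPv6
    i_val = ip if addr.version == 4 else ".".join(addr.exploded.replace(":", ""))
    values = {"s": sender, "l": local or "postmaster", "o": sender_domain, "d": domain,
              "i": i_val, "h": helo, "v": "in-addr" if addr.version == 4 else "ip6"}

    def sub(m):
        if m.group(5):  # escapes: %% -> "%", %_ -> space, %- -> "%20"
            return {"%": "%", "_": " ", "-": "%20"}[m.group(5)]
        letter, keep, rev, delims = m.groups()[:4]
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter])
        if rev:
            parts.reverse()
        if keep and int(keep):
            parts = parts[-int(keep):]  # keep only the right-most N labels
        return ".".join(parts)
    return MACRO.sub(sub, spec)

def decipher(record, ip, helo, sender, domain):
    """Return (result if matched, mechanism, expanded argument) for each term."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    out = []
    for term in terms[1:]:
        result = QUALIFIERS.get(term[0])
        body = term[1:] if result else term
        mech, _, arg = body.partition(":")
        out.append((result or "pass", mech, expand(arg, ip, helo, sender, domain)))
    return out

if __name__ == "__main__":
    # Constructed connection: documentation IP, made-up HELO name and sender.
    for row in decipher(RECORD, "192.0.2.10", "mx.example.net", "agent@compass.com", "compass.com"):
        print(row)
```

The second `include` therefore becomes a DNS name that is different for every connecting IP and HELO name, so the receiver's SPF check queries the vali.email zone once per connection; the trailing `~all` means any sender that matches none of the includes gets a softfail rather than a hard fail.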
Brian B, EE Topic Advisor, Independent Technology Professional

Commented:
Since this is an old question and that's not related to the original question, you might be better off asking it as a separate question.
IT manager
Commented:
The main problem cleared on its own
Brian B, EE Topic Advisor, Independent Technology Professional
Commented:
Like I said, it most likely was the sender's problem. Sounds like they fixed it. Thanks for the update.