Barry Fields


Random mail delivery from GMail

We have experienced random mail delivery from some Gmail-hosted domains. In all cases, up to now, the offending Gmail server was on some internet blacklist, therefore we refused the connection. I had a client who was experiencing this issue send me the message header of the failed message, and below is what I received. Any ideas?


From: xxxxxxx@xxxxxxxx.com>
References: <07c49beac47344959fcf3b7347f7be5c@xxxxxxxx.com> <b865e3dd-f7e9-4e98-95aa-01c954bda1cc@11223344.xxxxxxxxxs.com> <a5a2eb16346242219e8c8a940d726e48@mail.gmail.com> <1c0e6dc2-9e3c-4c08-b1c4-fd7cc6a8c1ed@mail2k16.wienerrealtors.com> <d3f26f7edd48d7862a6af5d0d3cfeb5b@mail.gmail.com> <34424a3df8374615978232cba177d859@pinnacleny.com> <b3cb993d08df1d90ca9d19fc7bd4d966@mail.gmail.com> <fc1e9e69c5074c3db13eadf6f3f59ca2@xxxxxxxxx.com> <34bee67c8029863e1a5d86396cd35682@mail.gmail.com> <5db8cc4c.1c69fb81.3b48f.8f0e.GMR@mx.google.com> <220b3e61872a195c78492927ce6af48c@mail.gmail.com>
In-Reply-To: <220b3e61872a195c78492927ce6af48c@mail.gmail.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJbLLEysfzQpKdVhMsJl/5xMKJlsgEu6u3IAmIXYVoCTomckgHU4umYAXge2K4CjJGDJQLnjqjkARP2BWsAwb7RywIWOtr2pf+m0yA=
Brian B

There should be more information in the NDR as to why. Also, check their IP against a Blackhole list like network-tools.com.

Meanwhile, you should be able to whitelist them in your email filter so their mail gets through to you.
Barry Fields (ASKER)

Problem is there is no IP info in the "header". I have analyzed some of the Gmail servers in the past and they were on an internet blacklist; I am not going to whitelist. I don't have an IP address to whitelist anyway.
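The asker's point above, that the pasted "header" carries no IP, can be checked mechanically. The following is an added example (not code from the thread or from any participant): a Python script that triages a pasted header block. It embeds the question's headers as a constructed sample (same redactions, References shortened to two of its message-ids) and a second constructed sample showing what the receiving MTA's own copy of such a message looks like, using names and addresses from the RFC 2606/5737 example ranges. It reports which receiver-side fields are absent, lists the domains on the right-hand side of the Message-ID/In-Reply-To/References fields, and pulls the connecting IP from the topmost Received header when there is one.

```python
"""Triage a pasted mail header block: which receiver-side fields are missing,
and where the connecting IP can be read from when a full header is present."""
import ipaddress
import re

# Constructed sample 1: the headers pasted in the question, same redactions,
# References shortened to two of its message-ids.
QUESTION_HEADERS = """\
From: xxxxxxx@xxxxxxxx.com>
References: <07c49beac47344959fcf3b7347f7be5c@xxxxxxxx.com>
 <220b3e61872a195c78492927ce6af48c@mail.gmail.com>
In-Reply-To: <220b3e61872a195c78492927ce6af48c@mail.gmail.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJbLLEysfzQpKdVhMsJl/5xMKJlsgEu6u3IAmIXYVoCTomckgHU4umY
"""

# Constructed sample 2: the receiving MTA's copy of a similar message
# (names and addresses from the RFC 2606/5737 example ranges).
RECEIVED_HEADERS = """\
Return-Path: <sender@example.com>
Received: from mail-a.example.net (mail-a.example.net [192.0.2.10])
 by mx.example.org with ESMTPS id abc123 for <user@example.org>;
 Tue, 5 Nov 2019 10:00:00 -0500
Received: by mail-a.example.net with SMTP id xyz789;
 Tue, 5 Nov 2019 09:59:58 -0500
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com
Message-ID: <d3f26f7edd48d7862a6af5d0d3cfeb5b@mail.gmail.com>
From: Sender <sender@example.com>
X-Mailer: Microsoft Outlook 16.0
"""

# Added by the receiving side; a sender's "sent items" copy never has them.
DIAGNOSTIC_FIELDS = ("received", "return-path", "authentication-results",
                     "message-id", "date")
# 'from HOST (rdns [IP])' as written by Postfix/Sendmail-style MTAs
_RECEIVED_FROM = re.compile(r"from\s+\S+\s+\([^)]*?\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]", re.I)

def parse_headers(text):
    """Unfold RFC 5322 header lines into (name, value) pairs, names lowercased."""
    fields = []
    for line in text.splitlines():
        if not line.strip():
            break  # blank line ends the header section
        if line[0] in " \t" and fields:  # folded continuation of the previous field
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields

def get_all(fields, name):
    return [value for field, value in fields if field == name]

def missing_diagnostics(fields):
    present = {field for field, _ in fields}
    return [f for f in DIAGNOSTIC_FIELDS if f not in present]

def message_id_domains(fields):
    """Right-hand sides of Message-ID, In-Reply-To and References. They name the
    generating software's identifier namespace; RFC 5322 does not require them to resolve."""
    ids = " ".join(get_all(fields, "message-id") + get_all(fields, "in-reply-to")
                   + get_all(fields, "references"))
    return sorted(set(re.findall(r"<[^<>@]+@([^<>]+)>", ids)))

def connecting_ip(fields):
    """Address of the host that handed the message to our MTA: the bracketed IP in
    the topmost Received header, which our own server wrote. None if absent."""
    received = get_all(fields, "received")
    match = _RECEIVED_FROM.search(received[0]) if received else None
    return str(ipaddress.ip_address(match.group(1))) if match else None

def triage(text):
    """Everything a blocklist check or an SPF lookup needs, or why it cannot be done."""
    fields = parse_headers(text)
    return {"connecting_ip": connecting_ip(fields),
            "missing": missing_diagnostics(fields),
            "message_id_domains": message_id_domains(fields)}

if __name__ == "__main__":
    for label, sample in (("question", QUESTION_HEADERS), ("receiver", RECEIVED_HEADERS)):
        print(label, triage(sample))
```

On the question's sample the script finds no Received, Return-Path or Authentication-Results field and no connecting IP: it is the sender's Outlook copy, not a delivered message. The address to check against a blocklist is in the first Received header of the copy your own MTA wrote (or in that MTA's connection log). The right-hand side of a Message-ID is an identifier namespace chosen by the generating software; RFC 5322 does not require it to resolve in DNS, so NXDOMAIN on it does not by itself say anything about the delivery path.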
Any mail from mail.gmail.com is bogus, as a DNS lookup on this host returns NXDOMAIN (no IP).

Said another way, mail.gmail.com - there is no mail host name related to the gmail.com domain name.
Yeah, I saw the same thing, but the sender is a legit sender, so there is something else going on here. Even the message "header" that was sent to me appears to be bogus.
The sender is not legit, because they're forging an email to appear to be from a gmail.com host which is nonexistent.

Forged Mail == Bogus/Nonlegit Mail.

Super easy to block this type of Forgery. Just run SPF analysis at your MTA + immediately bounce or blackhole (drop with no response) Forgeries.
Tip: The way I handled Forgeries + SPAM is simple.

In my incoming filtering, I sense both conditions, then return a 550: User not found response.

After a 550 is returned a few times, mail from this sender (whoever the sender might be) will stop, because they're wasting resources sending to what appears to be a non-existent user.
To be honest, there may not be a lot you can do. If they aren't using properly formed headers that comply with RFC1822, then your company probably isn't the only one who is rejecting their email. To be blunt, you shouldn't be expected to compromise your email security to accommodate someone who doesn't follow the rules.
Agreed
I am also having a mail delivery issue from smtp.gmail.com; an nslookup returns an IPv6 as well as an IPv4 address. This is the first time I have encountered this. My SPAM filter is rejecting the connection, but I don't see anything in the logs. When I check the TXT records for the hosted domain I get the following:
Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\bfields>nslookup
Default Server:  UnKnown
Address:  192.168.101.217

> server 4.2.2.2
Default Server:  b.resolvers.level3.net
Address:  4.2.2.2

> set type=txt
> compass.com
Server:  b.resolvers.level3.net
Address:  4.2.2.2

Non-authoritative answer:
compass.com     text =

        "MS=ms64829634"
compass.com     text =

        "adobe-idp-site-verification=54008c3c-af25-4f80-9730-49ae3e1cd6d2"
compass.com     text =

        "docusign=2c9c554e-4930-4ba3-a878-682a34c8eda9"
compass.com     text =

        "docusign=5fe9d34d-a96e-4ad1-8edc-d67ce4e4543b"
compass.com     text =

        "facebook-domain-verification=smzi54npour6196nzgjhnmsap8l0y7"
compass.com     text =

        "google-site-verification=3C-S081T9gRRdoRFltMBhUaOJX722peEUrLKlqq05OM"
compass.com     text =

        "google-site-verification=HrOiZEDlh12IeA-17RI4XgSorGnzWEtvC7pRS2TjTEI"
compass.com     text =

        "google-site-verification=pJwvcYwAL54K1ta6dA0tCUA8ZpR68XlwvQlAB7l-LmM"
compass.com     text =

        "northpass-domain-verification=e94680713396c2445f35c491059c7444"
compass.com     text =

        "segment-site-verification=UoY8Sw0ubYDFEtxrEqvM3wba9jG51JRB"
compass.com     text =

        "v=spf1 include:compass.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:servers.mcsv.net include:sendgrid.net include:zcsend.net ~all"

Does anyone know how to decipher this?
Since this is an old question and that is not related to the original question, you might be better off asking it as a separate question.
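The SPF record in the nslookup output above can be read term by term, and the "SPF analysis at your MTA" recommended earlier in the thread is exactly this evaluation. What follows is an added example, not code from the thread or from any participant: a Python script that expands the record's macros (RFC 7208 section 7) for one SMTP connection, so the include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email term becomes a concrete lookup name built from the connecting IP, HELO name and domain; evaluates ip4, ip6, include and all against an in-memory DNS stand-in; and maps the result onto the 550 reply policy described earlier in the thread. The included records in the stand-in are constructed from RFC 5737/3849 documentation ranges and are not the real records of those domains; the "*._spf.vali.email" entry is an assumption standing in for the service answering every other per-connection name with a non-matching record; a, mx, ptr and exists need live DNS and are treated as non-matching.

```python
"""Decode an SPF record, expand its macros for one SMTP connection and evaluate
it against an in-memory DNS stand-in (no network lookups)."""
import ipaddress
import re

# The TXT record printed by nslookup in the thread.
COMPASS_SPF = ("v=spf1 include:compass.com._nspf.vali.email "
               "include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email "
               "include:servers.mcsv.net include:sendgrid.net include:zcsend.net ~all")
# Constructed DNS stand-in: NOT the real records of these domains (RFC 5737/3849 ranges).
# The '*.' entry is an assumption: vali.email answers other per-connection names with -all.
FAKE_DNS = {
    ("compass.com", "TXT"): [COMPASS_SPF],
    ("compass.com._nspf.vali.email", "TXT"): ["v=spf1 ip4:192.0.2.128/25 -all"],
    ("192.0.2.10._ip.mail.example.net._ehlo.compass.com._spf.vali.email", "TXT"):
        ["v=spf1 ip4:192.0.2.10 -all"],   # name built from IP, HELO and domain
    ("*._spf.vali.email", "TXT"): ["v=spf1 -all"],
    ("servers.mcsv.net", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ?all"],
    ("sendgrid.net", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
    ("zcsend.net", "TXT"): ["v=spf1 ip6:2001:db8::/32 -all"],
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MACRO_RE = re.compile(r"%(?:([%_-])|\{([slodiphv])(\d*)(r?)([.\-+,/_=]*)\})", re.I)

def txt_lookup(dns, name):
    if (name, "TXT") in dns:
        return dns[(name, "TXT")]
    return next((recs for (key, _), recs in dns.items()  # '*.suffix' = wildcard answer
                 if key.startswith("*.") and name.endswith(key[1:])), [])

def expand_macros(text, ip, helo, domain, sender):
    """RFC 7208 section 7 macros: %{i} connecting IP, %{h} HELO, %{d} current domain,
    %{s}/%{l}/%{o} MAIL FROM; a digit keeps that many rightmost labels, 'r' reverses."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        ip_text, version = str(addr), "in-addr"
    else:  # IPv6 is written as 32 dotted nibbles
        ip_text, version = ".".join(addr.exploded.replace(":", "")), "ip6"
    local, _, sender_domain = sender.rpartition("@")
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain,
              "i": ip_text, "p": "unknown", "h": helo, "v": version}

    def substitute(m):
        literal, letter, digits, reverse, delims = m.groups()
        if literal:
            return {"%": "%", "_": " ", "-": "%20"}[literal]
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter.lower()])
        if reverse:
            parts.reverse()
        return ".".join(parts[-int(digits):] if digits else parts)

    return MACRO_RE.sub(substitute, text)

def check_host(ip, domain, helo, sender, dns=FAKE_DNS, depth=0):
    """Minimal RFC 7208 check_host: ip4/ip6/include/all; a, mx, ptr, exists never match."""
    if depth > 10:
        return "permerror"  # include loop or too many lookups
    records = [r for r in txt_lookup(dns, domain) if re.match(r"v=spf1(\s|$)", r, re.I)]
    if len(records) != 1:
        return "none" if not records else "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        if "=" in term:  # redirect=/exp= modifiers are not handled in this example
            continue
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        matched = name == "all"
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_host(ip, expand_macros(arg, ip, helo, domain, sender),
                               helo, sender, dns, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # RFC 7208 section 5.2
            matched = inner == "pass"
        if matched:
            return QUAL[qualifier]
    return "neutral"  # no mechanism matched

def describe(record, ip, helo, domain, sender):
    """Plain-language reading of each term, macros expanded for this connection."""
    lines = []
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        arg = expand_macros(arg, ip, helo, domain, sender)
        what = {"all": "any other sender", "ip4": f"IPv4 senders in {arg}",
                "ip6": f"IPv6 senders in {arg}",
                "include": f"senders that pass the SPF record of {arg}",
                }.get(name.lower(), f"{name} {arg}".strip())
        lines.append(f"{QUAL[qualifier]}: {what}")
    return lines

def smtp_reply(spf_result, rcpt):
    """Reply policy from the thread: an SPF fail is treated as a forgery and answered
    550 'user not found' so the sender gives up; anything else is accepted."""
    return f"550 5.1.1 <{rcpt}>: User not found" if spf_result == "fail" else "250 OK"

if __name__ == "__main__":
    conn = dict(ip="192.0.2.10", helo="mail.example.net", domain="compass.com", sender="a@compass.com")
    print("\n".join(describe(COMPASS_SPF, **conn)), check_host(**conn))
```

Read this way, the record says: accept senders that pass compass.com's record at vali.email; accept senders for whom vali.email answers a matching record at a name that encodes this very connection (that include is how the service can give a different answer per IP and HELO); accept Mailchimp, SendGrid and Zoho Campaigns relay ranges via their own records; soft-fail everything else (~all), which is why a strict MTA policy should treat a softfail as a spam signal rather than a hard reject.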