Barry Fields
asked on
Random mail delivery from GMail
We have experienced random mail delivery from some gmail hosted domains. In all cases, up to now, the offending gmail server was on some internet blacklist, therefore we refused the connection. I had a client who was experiencing this issue send me the message header of the failed message and below was what i received. Any ideas?
From: xxxxxxx@xxxxxxxx.com>
References: <07c49beac47344959fcf3b7347f7be5c@xxxxxxxx.com> <b865e3dd-f7e9-4e98-95aa-01c954bda1cc@11223344.xxxxxxxxxs.com> <a5a2eb16346242219e8c8a940d726e48@mail.gmail.com> <1c0e6dc2-9e3c-4c08-b1c4-fd7cc6a8c1ed@mail2k16.wienerrealtors.com> <d3f26f7edd48d7862a6af5d0d3cfeb5b@mail.gmail.com> <34424a3df8374615978232cba177d859@pinnacleny.com> <b3cb993d08df1d90ca9d19fc7bd4d966@mail.gmail.com> <fc1e9e69c5074c3db13eadf6f3f59ca2@xxxxxxxxx.com> <34bee67c8029863e1a5d86396cd35682@mail.gmail.com> <5db8cc4c.1c69fb81.3b48f.8f0e.GMR@mx.google.com> <220b3e61872a195c78492927ce6af48c@mail.gmail.com>
In-Reply-To: <220b3e61872a195c78492927ce6af48c@mail.gmail.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJbLLEysfzQpKdVhMsJl/5xMKJlsgEu6u3IAmIXYVoCTomckgHU4umYAXge2K4CjJGDJQLnjqjkARP2BWsAwb7RywIWOtr2pf+m0yA=
ASKER
Problem is there is no IP info in the "header". I have analyzed some of the gmail servers in the past and they were on an internet blacklist; I am not going to whitelist. I don't have an IP address to whitelist anyway.
Any mail from mail.gmail.com is bogus, as a DNS lookup on this host returns NXDOMAIN (no IP).
Said another way, mail.gmail.com - there is no mail host name related to the gmail.com domain name.
ASKER
Yeah, I saw the same thing but the sender is a legit sender so there is something else going on here. Even the message "header" that was sent to me appears to be bogus.
The sender is not legit, because they're forging an email to appear to be from a gmail.com host which is nonexistent.
Forged Mail == Bogus/Nonlegit Mail.
Super easy to block this type of Forgery. Just run SPF analysis at your MTA + immediately bounce or blackhole (drop with no response) Forgeries.
Tip: The way I handled Forgeries + SPAM is simple.
In my incoming filtering, I sense both conditions, then return a 550: User not found response.
After a 550 is returned a few times, mail from this sender (whoever the sender might be) will stop, because they're wasting resources sending to what appears to be a non-existent user.
To be honest, there may not be a lot you can do. If they aren't using properly formed headers that comply with RFC1822, then your company probably isn't the only one who is rejecting their email. To be blunt, you shouldn't be expected to compromise your email security to accommodate someone who doesn't follow the rules.
ASKER
Agreed
ASKER
I am also having a mail delivery issue from smtp.gmail.com; an nslookup returns an IPv6 as well as an IPv4 address. This is the first time I have encountered this. My SPAM filter is rejecting the connection but I don't see anything in the logs. When I check the TXT records for the hosted domain I get the following:
Microsoft Windows [Version 10.0.17763.864]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\bfields>nslookup
Default Server: UnKnown
Address: 192.168.101.217
> server 4.2.2.2
Default Server: b.resolvers.level3.net
Address: 4.2.2.2
> set type=txt
> compass.com
Server: b.resolvers.level3.net
Address: 4.2.2.2
Non-authoritative answer:
compass.com text =
"MS=ms64829634"
compass.com text =
"adobe-idp-site-verification=54008c3c-af25-4f80-9730-49ae3e1cd6d2"
compass.com text =
"docusign=2c9c554e-4930-4ba3-a878-682a34c8eda9"
compass.com text =
"docusign=5fe9d34d-a96e-4ad1-8edc-d67ce4e4543b"
compass.com text =
"facebook-domain-verification=smzi54npour6196nzgjhnmsap8l0y7"
compass.com text =
"google-site-verification=3C-S081T9gRRdoRFltMBhUaOJX722peEUrLKlqq05OM"
compass.com text =
"google-site-verification=HrOiZEDlh12IeA-17RI4XgSorGnzWEtvC7pRS2TjTEI"
compass.com text =
"google-site-verification=pJwvcYwAL54K1ta6dA0tCUA8ZpR68XlwvQlAB7l-LmM"
compass.com text =
"northpass-domain-verification=e94680713396c2445f35c491059c7444"
compass.com text =
"segment-site-verification=UoY8Sw0ubYDFEtxrEqvM3wba9jG51JRB"
compass.com text =
"v=spf1 include:compass.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:servers.mcsv.net include:sendgrid.net include:zcsend.net ~all"
Does anyone know how to decipher this?
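The record above is hard to read because its second include: term contains SPF macros (%{i}, %{h}, %{d}), so the name the receiving MTA looks up is built at evaluation time from the connecting IP, the HELO name and the domain being checked. The following Python script is an added example for this thread, not code posted by anyone in it; it tokenises the compass.com record exactly as quoted in the question and expands the macros per RFC 7208 section 7, so you can see which include: targets an SPF check at your MTA would actually query. The sender address, connecting IP and HELO name in it are constructed sample values, and it performs no DNS lookups; it only computes the names. It also handles the transformer forms (%{ir}, %{d2}, IPv6 nibble expansion) that the record itself does not use, so it works on other domains' records too.

```python
"""Decipher an SPF record: split it into terms and expand RFC 7208 macros.

Added example for this thread, not code posted by anyone in it. It works on
the compass.com record quoted in the question as a plain string; the sender
address, connecting IP and HELO name used below are constructed sample
values, and no DNS queries are made (include: targets are computed, not
resolved).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# The SPF TXT record from the nslookup output in the question.
COMPASS_SPF = (
    "v=spf1 include:compass.com._nspf.vali.email "
    "include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email "
    "include:servers.mcsv.net include:sendgrid.net include:zcsend.net ~all"
)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# RFC 7208 section 7.2: %{<letter><digits><r><delimiters>} plus the literal
# escapes %% (percent sign), %_ (space) and %- (URL-encoded space).
MACRO_RE = re.compile(r"%\{([slodiphcrtv])(\d*)(r?)([.\-+,/_=]*)\}|%([%_-])")


@dataclass
class Term:
    qualifier: str   # one of + - ~ ?
    mechanism: str   # "include", "ip4", "all", ... or "redirect=" for modifiers
    argument: str    # raw argument with macros still unexpanded ("" if none)


def parse_spf(record: str) -> List[Term]:
    """Tokenise an SPF v1 record into qualified terms without resolving anything."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for tok in tokens[1:]:
        qualifier = "+"                      # default qualifier is "+" (pass)
        if tok[0] in QUALIFIERS:
            qualifier, tok = tok[0], tok[1:]
        if ":" in tok:                       # mechanism with a domain/IP argument
            mech, arg = tok.split(":", 1)
        elif "=" in tok:                     # modifier such as redirect= or exp=
            name, arg = tok.split("=", 1)
            mech = name + "="
        elif "/" in tok:                     # bare a/24 or mx/24 dual-CIDR form
            mech, cidr = tok.split("/", 1)
            arg = "/" + cidr
        else:                                # bare a, mx, all
            mech, arg = tok, ""
        terms.append(Term(qualifier, mech.lower(), arg))
    return terms


def expand_macros(text: str, sender: str, ip: str, helo: str, domain: str) -> str:
    """Fill in SPF macros for one connection; %{p} stays 'unknown' because it needs DNS."""
    local_part, _, sender_domain = sender.rpartition("@")
    addr = ipaddress.ip_address(ip)
    values = {
        "s": sender, "l": local_part, "o": sender_domain, "d": domain,
        "h": helo, "p": "unknown",
        # IPv4 %{i} is the dotted quad; IPv6 is all 32 nibbles joined with dots (section 7.3)
        "i": ip if addr.version == 4 else ".".join(addr.exploded.replace(":", "")),
        "v": "in-addr" if addr.version == 4 else "ip6",
    }

    def substitute(m: "re.Match") -> str:
        if m.group(5):                       # %%, %_ or %- literal escape
            return {"%": "%", "_": " ", "-": "%20"}[m.group(5)]
        letter, digits, reverse, delimiters = m.group(1, 2, 3, 4)
        labels = re.split("[" + re.escape(delimiters or ".") + "]", values[letter])
        if reverse:                          # "r" transformer reverses the labels
            labels.reverse()
        if digits:                           # numeric transformer keeps the rightmost N labels
            labels = labels[-int(digits):]
        return ".".join(labels)

    return MACRO_RE.sub(substitute, text)


def decipher(record: str, sender: str, ip: str, helo: str, domain: str) -> List[Tuple[str, str, str]]:
    """Return (result if matched, mechanism, expanded argument) for each term in order."""
    return [
        (QUALIFIERS[t.qualifier], t.mechanism, expand_macros(t.argument, sender, ip, helo, domain))
        for t in parse_spf(record)
    ]


if __name__ == "__main__":
    # Constructed connection context for the demo, not values taken from the thread.
    rows = decipher(COMPASS_SPF, "someone@compass.com", "192.0.2.10", "mail.example.org", "compass.com")
    for row in rows:
        print("%-8s %-9s %s" % row)
```

With the constructed context the second term expands to include:192.0.2.10._ip.mail.example.org._ehlo.compass.com._spf.vali.email, which is why the static TXT record alone does not tell you whether a given Google sending host is authorised: the answer lives in a per-IP name under vali.email that only an SPF check for that specific connection resolves. If your filter logs nothing at all, the connection is being refused before SPF is even evaluated, so the SPF record is not the place to look first.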
Since this is an old question and that's not related to the original question, you might be better off asking it as a separate question.
Meanwhile, you should be able to whitelist them in your email filter so their mail gets through to you.