I have run into a problem with the first ever report from one of our users
that our spam filter settings had deleted an email when it was
received. Our "Connection" filter settings are set to delete after two
matches. The server that is being affected is not found on any of the four
Blacklists that we consult but it is failing on both the "Verify MAIL FROM
address" test and the "Verify HELO/EHLO domain" test resulting in two
failures and deletion. The odd thing is that "sometimes" mail from this
person does not fail the "Verify MAIL FROM address" but always fails the
"Verify HELO/EHLO domain".
It looks like a configuration issue on the sending server's side but they
are telling me that their IT staff says:
"I have checked with our IT department, showed them the email
Dave sent and have been told there is nothing we can change on our end.
They have run several tests and everything checks out OK. I have not had
this problem with any other emails I have sent. The suggestion made by our
IT guys is that my email address is added to a "white list" to let it get
through."
Any ideas as to what to tell them they need to fix because I would prefer
not to whitelist their server - especially if they do have config issues -
and I don't want to modify our settings that we have been happy with
especially if the "problem" is on their end.
Here is the email I sent to our user and the person whose mail was being
affected that has all the detail that the experts on this list should need
to pinpoint the problem.
----------------
"Did some checking and it looks like a problem with the mail server on
Mark's end is not validating itself nor his email account. That failure is
causing the spam filters on our end to reject his email. To resolve this I
can either turn off some of the anti-spam settings (this of course would
result in additional actual spam emails being able to get through to your
mailbox) or more correctly he can check with his hosting company to find
out why his mail server is not reporting itself correctly and has stopped
validating his email account. If I "fix" it on my end to address a
configuration problem on his end the problem still exists and I am sure
that there will be other mail systems that will reject his email too.
I have copied this note back to Mark's account so that he can forward this
note to his hosting company.
Here is the "spam" log that was generated for the email that you
forwarded to me showing the message clearing the filters and being
delivered to you on the 17th. Even with this message his domain fails
validation (something that his hosting company can fix) but at least his
mail server validates his email account and thereby managed to clear our
filters.
Below this entry I have copied the log entry showing his mail (from the
19th) now failing to clear our filters.
Mark, if you try to reply to me directly your mail will probably not come
through either for the same validation failure reasons.
In addition to your mail server no longer validating that the account
"[EMAIL PROTECTED]" actually exists on your mail server it is also
reporting the name of your mail server as being "ewlnm01.ewing1.com" and
originating from the IP address of 12.9.131.198. There are no DNS records
for a mail server having the name of "ewlnm01.ewing1.com". The name that
your mail server "should" be reporting for that IP address is "mail.ewing1.com"
------------------
08:17 16:24 SMTPD(c722005801d6e3ff) [00003080] <potenzacpa.com> BLACKLIST:
connecting to service (spamhaus:*:sbl-xbl.spamhaus.org)
08:17 16:24 SMTPD(c722005801d6e3ff) [00003080] <potenzacpa.com> BLACKLIST:
12.9.131.198 was not found on list (spamhaus:*:sbl-xbl.spamhaus.org)
08:17 16:24 SMTPD(c722005801d6e3ff) [00003080] <potenzacpa.com> BLACKLIST:
connecting to service (SpamCop:*:bl.spamcop.net)
08:17 16:24 SMTPD(c722005801d6e3ff) [00003080] <potenzacpa.com> BLACKLIST:
12.9.131.198 was not found on list (SpamCop:*:bl.spamcop.net)
08:17 16:24 SMTPD(c722005801d6e3ff) [00003080] <potenzacpa.com> BLACKLIST:
connecting to service (List:*:list.dsbl.org)
08:17 16:24 SMTPD(c722005801d6e3ff) [00003080] <potenzacpa.com> BLACKLIST:
12.9.131.198 was not found on list (List:*:list.dsbl.org)
08:17 16:24 SMTPD(c722005801d6e3ff) [00003080] <potenzacpa.com> BLACKLIST:
connecting to service (ahbl:*:dnsbl.ahbl.org)
08:17 16:24 SMTPD(c722005801d6e3ff) [00003080] <potenzacpa.com> BLACKLIST:
12.9.131.198 was not found on list (ahbl:*:dnsbl.ahbl.org)
08:17 16:24 SMTPD(c722005801d6e3ff) [00003080] <potenzacpa.com> VALIDATION:
(HELO) potenzacpa.com performing DNS lookup for HELO domain ewlnm01.ewing1.com
08:17 16:24 SMTPD(c722005801d6e3ff) [00003080] <potenzacpa.com> VALIDATION:
(HELO) potenzacpa.com received reply from DNS server for HELO domain
ewlnm01.ewing1.com
08:17 16:24 SMTPD(c722005801d6e3ff) [00003080] <potenzacpa.com> VALIDATION:
(HELO) ewlnm01.ewing1.com domain failed active validation
08:17 16:24 SMTPD(c722005801d6e3ff) [00003080] <potenzacpa.com> VALIDATION:
(MAIL FROM) potenzacpa.com validating MAIL FROM address [EMAIL PROTECTED]
08:17 16:24 SMTPD(c722005801d6e3ff) [00003080] <potenzacpa.com> VALIDATION:
(MAIL FROM) potenzacpa.com SUCCEEDED for user [EMAIL PROTECTED]
08:17 16:24 SMTP(c722005801d6e3ff) Got Content Filter for potenzacpa.com
08:17 16:24 SMTP(c722005801d6e3ff) scanning the subject for phrases
08:17 16:24 SMTP(c722005801d6e3ff) scanning the body for phrases
08:17 16:24 SMTP(c722005801d6e3ff) performing statistical analysis
08:17 16:24 SMTP(c722005801d6e3ff) The following words were used to compute
the probability email is spam
08:17 16:24 SMTP(c722005801d6e3ff) word = file, probability = 0.026277
08:17 16:24 SMTP(c722005801d6e3ff) word = controller, probability = 0.027243
08:17 16:24 SMTP(c722005801d6e3ff) word = attached, probability = 0.047569
08:17 16:24 SMTP(c722005801d6e3ff) word = jana, probability = 0.052656
08:17 16:24 SMTP(c722005801d6e3ff) word = mark, probability = 0.073782
08:17 16:24 SMTP(c722005801d6e3ff) word = schedules, probability = 0.084372
08:17 16:24 SMTP(c722005801d6e3ff) word = fax, probability = 0.090525
08:17 16:24 SMTP(c722005801d6e3ff) word = irrigation, probability = 0.119791
08:17 16:24 SMTP(c722005801d6e3ff) word = info, probability = 0.126556
08:17 16:24 SMTP(c722005801d6e3ff) word = fixed, probability = 0.149604
08:17 16:24 SMTP(c722005801d6e3ff) word = started, probability = 0.180383
08:17 16:24 SMTP(c722005801d6e3ff) word = few, probability = 0.193153
08:17 16:24 SMTP(c722005801d6e3ff) word = phone, probability = 0.216942
08:17 16:24 SMTP(c722005801d6e3ff) word = asset, probability = 0.281811
08:17 16:24 SMTP(c722005801d6e3ff) word = tax, probability = 0.340278
08:17 16:24 SMTP(c722005801d6e3ff) probability email is spam 0.000000:
email is good
----------------------
Here is a log entry from the last time he tried to send you email back on
the 19th (there have been no other attempted connections from his server to
ours since this entry at 4:28pm on 8/19/05). This entry shows that Mark's
mail server is failing validation for itself and his email account
address. This is very "spam-like" activity since a "zombie" computer
spewing spam is also not a valid server and would not have valid addresses
to send from. Therefore our mail server is treating it as such.
----------------------
08:19 16:28 SMTPD(6b2605730212f592) [00000396] <potenzacpa.com> BLACKLIST:
connecting to service (spamhaus:*:sbl-xbl.spamhaus.org)
08:19 16:28 SMTPD(6b2605730212f592) [00000396] <potenzacpa.com> BLACKLIST:
12.9.131.198 was not found on list (spamhaus:*:sbl-xbl.spamhaus.org)
08:19 16:28 SMTPD(6b2605730212f592) [00000396] <potenzacpa.com> BLACKLIST:
connecting to service (SpamCop:*:bl.spamcop.net)
08:19 16:28 SMTPD(6b2605730212f592) [00000396] <potenzacpa.com> BLACKLIST:
12.9.131.198 was not found on list (SpamCop:*:bl.spamcop.net)
08:19 16:28 SMTPD(6b2605730212f592) [00000396] <potenzacpa.com> BLACKLIST:
connecting to service (List:*:list.dsbl.org)
08:19 16:28 SMTPD(6b2605730212f592) [00000396] <potenzacpa.com> BLACKLIST:
12.9.131.198 was not found on list (List:*:list.dsbl.org)
08:19 16:28 SMTPD(6b2605730212f592) [00000396] <potenzacpa.com> BLACKLIST:
connecting to service (ahbl:*:dnsbl.ahbl.org)
08:19 16:28 SMTPD(6b2605730212f592) [00000396] <potenzacpa.com> BLACKLIST:
12.9.131.198 was not found on list (ahbl:*:dnsbl.ahbl.org)
08:19 16:28 SMTPD(6b2605730212f592) [00000396] <potenzacpa.com> VALIDATION:
(HELO) potenzacpa.com performing DNS lookup for HELO domain ewlnm01.ewing1.com
08:19 16:28 SMTPD(6b2605730212f592) [00000396] <potenzacpa.com> VALIDATION:
(HELO) potenzacpa.com received reply from DNS server for HELO domain
ewlnm01.ewing1.com
08:19 16:28 SMTPD(6b2605730212f592) [00000396] <potenzacpa.com> VALIDATION:
(HELO) ewlnm01.ewing1.com domain failed active validation
08:19 16:28 SMTPD(6b2605730212f592) [00000396] <potenzacpa.com> VALIDATION:
(MAIL FROM) potenzacpa.com validating MAIL FROM address [EMAIL PROTECTED]
08:19 16:28 SMTPD(6b2605730212f592) [00000396] <potenzacpa.com> VALIDATION:
(MAIL FROM) potenzacpa.com FAILED SMTP server error: 554 Mail from
[EMAIL PROTECTED] rejected for policy reasons.
08:19 16:28 SMTPD(6b2605730212f592) [00000396] <potenzacpa.com> VALIDATION:
(MAIL FROM) <[EMAIL PROTECTED]> user does not exist on remote system
08:19 16:28 SMTPD(6b2605730212f592) [00000396] <potenzacpa.com> message
failed 2 of 6 checks, deleting"
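
Added example, not part of the original post: a small Python parser for the connection-filter lines in the two log excerpts above, which summarizes each session and reports which check results changed between the 17th and the 19th. The field names and the `summarize` and `changed` helpers are assumptions made for this illustration; the sample lines are copied from the post with wrapped lines rejoined.

```python
import re

# Lines copied from the two sessions in the post, with wrapped lines rejoined.
SAMPLE_LOG = """\
08:17 16:24 SMTPD(c722005801d6e3ff) [00003080] <potenzacpa.com> VALIDATION: (HELO) ewlnm01.ewing1.com domain failed active validation
08:17 16:24 SMTPD(c722005801d6e3ff) [00003080] <potenzacpa.com> VALIDATION: (MAIL FROM) potenzacpa.com SUCCEEDED for user [EMAIL PROTECTED]
08:19 16:28 SMTPD(6b2605730212f592) [00000396] <potenzacpa.com> VALIDATION: (HELO) ewlnm01.ewing1.com domain failed active validation
08:19 16:28 SMTPD(6b2605730212f592) [00000396] <potenzacpa.com> VALIDATION: (MAIL FROM) potenzacpa.com FAILED SMTP server error: 554 Mail from [EMAIL PROTECTED] rejected for policy reasons.
08:19 16:28 SMTPD(6b2605730212f592) [00000396] <potenzacpa.com> VALIDATION: (MAIL FROM) <[EMAIL PROTECTED]> user does not exist on remote system
08:19 16:28 SMTPD(6b2605730212f592) [00000396] <potenzacpa.com> message failed 2 of 6 checks, deleting
"""

LINE = re.compile(r"^(\d\d:\d\d \d\d:\d\d) SMTPD\((\w+)\) \[\w+\] <[^>]+> (.*)$")
HELO_FAIL = re.compile(r"VALIDATION: \(HELO\) (\S+) domain failed active validation")
FROM_OK = re.compile(r"VALIDATION: \(MAIL FROM\) \S+ SUCCEEDED")
FROM_FAIL = re.compile(r"VALIDATION: \(MAIL FROM\) \S+ FAILED SMTP server error: (\d{3})")
VERDICT = re.compile(r"message failed (\d+) of (\d+) checks, (\w+)")

def summarize(log_text):
    """Group connection-filter lines by session id and record each check's outcome."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not an SMTPD connection-filter line
        stamp, sid, msg = m.groups()
        s = sessions.setdefault(sid, {"when": stamp, "helo": None, "helo_ok": None,
                                      "mail_from_ok": None, "smtp_code": None, "verdict": None})
        if (h := HELO_FAIL.search(msg)):
            s["helo"], s["helo_ok"] = h.group(1), False
        elif FROM_OK.search(msg):
            s["mail_from_ok"] = True
        elif (f := FROM_FAIL.search(msg)):
            # Keep the remote reply code: it records what the sender's server answered.
            s["mail_from_ok"], s["smtp_code"] = False, int(f.group(1))
        elif (v := VERDICT.search(msg)):
            s["verdict"] = (int(v.group(1)), int(v.group(2)), v.group(3))
    return sessions

def changed(a, b):
    """Return {field: (old, new)} for every check result that differs between two sessions."""
    return {k: (a[k], b[k]) for k in a if k != "when" and a[k] != b[k]}

if __name__ == "__main__":
    first, second = summarize(SAMPLE_LOG).values()
    for field, (old, new) in changed(first, second).items():
        print(f"{field}: {old} -> {new}")
```

On these lines the HELO failure for `ewlnm01.ewing1.com` appears in both sessions; the only differences on the 19th are the MAIL FROM result, the 554 reply recorded with it, and the resulting "2 of 6" deletion.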