[SOLVED] Email Delivery Problem

ViperCS

Can anyone help me understand this and what needs to be done to fix the delivery problem? It looks to me like the sender's email or IP address is part of a block list?

-----Original Message-----
From: System Administrator [mailto:System Administrator]
Sent: Tuesday, October 31, 2017 9:00 AM
To: ****@************.org
Subject: Delivery Failure


Could not deliver message to the following recipient(s):

Failed Recipient: **********@msn.com
Reason: Remote host said: 550 5.7.1 Unfortunately, messages from [**.***.***.***] weren't sent. Please contact your Internet service provider since part of their network is on our block list (AS3150). You can also refer your provider to http://mail.live.com/mail/troubleshooting.aspx#errors. [BY2NAM01FT016.eop-nam01.prod.protection.outlook.com]


-- The header and top 20 lines of the message follows --

Received: from **************** (**-**-***-***-static.hfc.comcastbusiness.net [**.**.***.***]) by mail.*****.com with SMTP;
Tue, 31 Oct 2017 08:59:21 -0400
From: "***" <****@************.org>
To: "***** *******" <**********@msn.com>
Subject: ******* *************
Date: Tue, 31 Oct 2017 08:59:42 -0400
Message-ID: <003d01d35248$23e46550$6bad2ff0$@************.org>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_003E_01D35226.9CD2C550"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AdNSR/GV0u2SV4B4SuGoawnlWhljrg==
Content-Language: en-us

This is a multipart message in MIME format.

------=_NextPart_000_003E_01D35226.9CD2C550
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
 
Let me guess, running their own email server on their Comcast Business connection, hopefully with a static IP.

Go to https://mxtoolbox.com/blacklists.aspx and check the IP to see which blacklists they might be on. There's a fair chance that the issue is because they're on a list of broadband carrier allocated blocks (aka, they're a Comcast customer) but if it's a static IP you may be able to request removal.

If they're on any lists that indicate that they've been sending spam, find out what's been going on there and make sure you're not an open relay. For running an in-house mail server there's a good chance you're also going to need to look into making sure there's an appropriate reverse DNS entry, and you'll probably need to set up SPF records that indicate that that IP address is authorized to send email for that domain. The reverse DNS will require talking to Comcast, the SPF will require that you have access to update the DNS server for whatever.org.
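The SPF check described above, as an added example that is not part of the original post: a minimal evaluator that decides whether a connecting IP is authorized by a domain's SPF record. The records, the domain names and the IPs are constructed for the example, not taken from the thread.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (not real data).
# 203.0.113.10 plays the role of the office's static IP.
FAKE_SPF_RECORDS = {
    "example.org": "v=spf1 ip4:203.0.113.10 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, records=FAKE_SPF_RECORDS, depth=0):
    """Evaluate an SPF record for a connecting IP claiming to send for domain.

    Supports the ip4, ip6, include and all mechanisms, which is enough for
    a static-IP sender; a/mx/ptr/exists need live DNS and return permerror.
    Result strings follow RFC 7208: pass, fail, softfail, neutral, none,
    permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10 per check
        return "permerror"
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:  # modifiers (redirect=, exp=) are not modelled
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            matched = check_spf(ip, arg, records, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit all
```

Swap the constructed dictionary for a real TXT lookup and the same logic tells you whether the IP in the bounce would pass SPF for the sending domain.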
 
Yup FencePost nailed it!
Thoroughly check that on-prem e-mail server...make sure she's clamped down in all proper areas.
Check their network at the firewall for any mass-out-going SMTP traffic...could be a bot or hijacked device on their network, in addition to the mail server.
MXToolbox...great little quick reference..run the tests..address anything not checked green. SPF is a big one many people never do. These days, DKIM is taking over.
 
SPF is a big one many people never do. These days, DKIM is taking over.

It's not a matter of DKIM taking over. In order to properly set up email you should have SPF, DKIM, and DMARC.

Some types of email 'forwarding' simply will never pass a DKIM alignment check, so you need SPF so that it can pass SPF and SPF alignment and thus get a passing grade from DMARC.
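How the SPF, DKIM and DMARC pieces fit together, as an added example that is not part of the original post: a DMARC evaluator that applies identifier alignment to the SPF and DKIM results and falls back to the p= policy when neither aligns. The policy record and domains are constructed, and the organizational-domain shortcut is an assumption (real DMARC uses the Public Suffix List).

```python
# Constructed DMARC policy for the sending domain (not real DNS data).
FAKE_DMARC_TXT = "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc@example.org"


def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    return dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)


def org_domain(domain):
    """Organizational domain, approximated as the last two labels.
    Real DMARC uses the Public Suffix List; this shortcut is an assumption."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_evaluate(from_domain, spf, dkim, policy_txt=FAKE_DMARC_TXT):
    """Combine SPF and DKIM results with alignment checks.

    spf  = (result, MAIL FROM domain); dkim = (result, d= domain or None).
    Returns 'pass' if either authenticated identifier aligns with the
    From: header domain, otherwise the action named by the p= tag.
    """
    tags = parse_dmarc(policy_txt)
    spf_result, spf_domain = spf
    dkim_result, dkim_domain = dkim
    spf_ok = (spf_result == "pass" and bool(spf_domain)
              and aligned(spf_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass" and bool(dkim_domain)
               and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")
```

The second assertion below is the forwarding case from the post: DKIM fails, but an aligned SPF pass still yields a DMARC pass.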
 
Ah, I missed locking down the firewall so outbound SMTP could only originate from the email server (or possibly from other non-DHCP clients if you have devices going out direct without local addresses).

I've never actually set up DKIM, but we don't have many folks with internal mail servers at this point and I'd dearly love to get all of them on O365 and eliminate all in-house email servers. We don't do enough volume on them for me to feel like I'm staying fully up-to-speed on them, and I'd rather offload it with a bit of margin than expand it.
 
I remember many years ago, we got a referral to a law firm. A law firm that specialized in sex cases.
They had "Gateway computers" come set up their network. Yup..remember Gateway 2000? They had an onsite setup team. Some old Small Business Server 2000 box, behind a Linksys BEFSR41 router. Well..let me rephrase that. Not technically "behind"...because, they made the horrific mistake of sticking the LAN IP of the SBS box in the DMZ of the Linksys. On residential grade routers, sticking a LAN IP in the DMZ simply means all 65,000+ ports are exposed..wiiiide open. Not even behind NAT.

So the funny part..the Exchange server was hijacked and spewing out porn mail! (remember..this was a law firm that specialized in sex cases!)

Ayy yie yie!
 
In addition to the above you really need to get a handle on what is going on. New setup or existing? What email server is being used? On premise or hosted? If hosted are they using virtual servers sharing an IP or a dedicated IP. If it's on premise do they have a fixed IP address? What volume of emails? Server not compromised? Have you processed the header to make sure that it's not from a spam bot from somewhere else? https://mxtoolbox.com/EmailHeaders.aspx

I get blocked emails on occasion because someone forged the headers on a spam bot.
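Processing the bounced message's Received chain, as an added example that is not part of the original post: unfold the headers, pull each hop's connecting IP, and check whether the earliest hop is a host you recognise. The sample header block is constructed to mirror the shape of the bounce quoted above, with documentation IPs in place of the redacted ones.

```python
import re

# Constructed header block (not the poster's); continuation lines are
# indented as RFC 5322 folding requires.
SAMPLE_HEADERS = """\
Received: from mx.msn.example (mx.msn.example [192.0.2.20]) by inbound.example.net with ESMTP;
    Tue, 31 Oct 2017 09:00:01 -0400
Received: from DESKTOP-PC (203-0-113-10-static.hfc.comcastbusiness.net [203.0.113.10]) by mail.example.com with SMTP;
    Tue, 31 Oct 2017 08:59:21 -0400
From: "Someone" <someone@example.org>
To: "Recipient" <recipient@msn.com>
Subject: Test

body starts here and is ignored
"""


def unfold_headers(raw):
    """Return (name, value) pairs, joining folded continuation lines."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header section
        if line[0] in " \t" and fields:
            fields[-1][1] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            fields.append([name.strip(), value.strip()])
    return [(n, v) for n, v in fields]


def received_hops(raw):
    """Received chain oldest-first as (from_host, ip, by_host) tuples."""
    hops = []
    for name, value in unfold_headers(raw):
        if name.lower() != "received":
            continue
        m = re.search(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\].*?\bby\s+(\S+)", value)
        if m:
            hops.append((m.group(1), m.group(2), m.group(3)))
    # Each relay prepends its own header, so the last one is the first hop.
    return list(reversed(hops))


def originated_from(raw, trusted_ips):
    """True if the earliest hop's IP is one of our own known sending hosts.

    A chain that starts somewhere else suggests the bounce is for mail
    that was forged or sent by a bot, not by the server being blamed.
    """
    hops = received_hops(raw)
    return bool(hops) and hops[0][1] in trusted_ips
```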
 