Email Security.cloud


Our IP has a negative reputation due to snow shoe spamming techniques

  • 1.  Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Jan 25, 2017 10:10 AM

    Hi:

    We have a server which is hosting several domains. Using this server we cannot send any email to any domain that is behind the email security product.

    According to our logs, emails are correctly delivered:

    maillog:Jan 25 10:15:26 XXXXXXXX postfix/smtp[10062]: EBC616620183: to=<XXXXXX@XXXXXX>, relay=cluster8.eu.messagelabs.com[XX.XX.XX.XX]:25, delay=1.6, delays=0.9/0/0.26/0.46, dsn=2.0.0, status=sent (250 ok 1485335726 qp 29326 server-13.tower-178.messagelabs.com!1485335726!82147396!1)

     

    However, they are never delivered to the user inbox. Some users of the Email Security have told us that they got a warning that spam was being sent and could whitelist one of our domains. Normally, what happens is that emails are not delivered, recipients get no warning at all and we get no error message in our server's logs so the message is simply lost without anyone noticing it.

    I checked the Symantec IP Reputation tool and this was the result:

    The IP address XX.XX.XX.XX was found to have a negative reputation. Reasons for this assessment include:

    • The host has been observed sending spam in a format that is similar to snow shoe spamming techniques.

    We have checked several DNS black lists and the IP is not listed there. We have checked the outgoing email and we are not observing any abnormal email deliveries. Does anybody know why our reputation is negative? I tried to remove the IP using the reputation tool and it worked, but after a few hours it got a negative reputation again.

    Hope anyone can help. Thanks in advance,

    Alfonso

     



  • 2.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Jan 26, 2017 05:24 AM

    Also, we have checked the SPF and DKIM of the domains that are sending from our server using this tool http://dkimvalidator.com/ and they are Ok.



  • 3.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Jan 31, 2017 05:59 AM

    Hi Luis,

    Using the message ref from above, I was able to pull the log and can't see any failure on our side, I also can confirm that the sending IP is not listed on our blocklist and I have also reset the reputation as high across our network. Therefore if you are having problems still sending to that customer, I would suggest contacting them as their internal systems may be blocking your emails.

    Please do let me know if you have any further information or questions, or please resolve this thread if no further info is required from our side.

    Kind regards

    Kevin Brosnan

    Tier 2 Senior technical Support Engineer.



  • 4.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Feb 02, 2017 11:17 AM

    Hi Luis,

    Just following up on this issue and wondered if you require any further assistance from our side. If so, please do let me know. Or, if the issue is no longer happening, please set the thread as resolved to prevent other people making comments on this.

    Kind regards

    Kevin Brosnan



  • 5.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Feb 02, 2017 01:40 PM

    Hi Kevin:

    I'm checking again that emails are correctly delivered to that domain. I expect to have confirmation tomorrow.

    In the meantime, I have checked the IP reputation tool and I still get the same message. I don't know if getting this message is OK. Can you confirm that the reputation has not been degraded?

    I will contact you as soon as I can confirm that the emails are delivered.

    Thanks.



  • 6.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Feb 03, 2017 04:41 AM

    Hi Luis,

    Your sending IP is not listed on our internal blacklist and your reputation is high on the .cloud infrastructure, we will not reject your email connections from the sending IP.

    Kind regards

    Kevin Brosnan



  • 7.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Feb 09, 2017 12:04 PM

    Hi Kevin:

    I'm sorry but the problem is still there. I'm having the same problem when sending from the domain aceitunasjope.com hosted in our server to bancopopular.es

    Feb  8 10:18:23 1.XXXXXXX postfix/smtp[32691]: DB7AE6620181: to=<XXXXXXXXX@bancopopular.es>, relay=cluster4.eu.messagelabs.com[193.109.254.147]:25, delay=42, delays=41/0/0.2/1.4, dsn=2.0.0, status=sent (250 ok 1486545503 qp 471 server-16.tower-27.messagelabs.com!1486545502!85635080!1)

    Again, we get a 250 OK but messages are not delivered.

    We migrated all our domains to a new server in November. We have had this problem since then. Before the migration, none of our hosted domains ever complained about this. Is there any way you could confirm that you did not block the email? Could we have something not properly configured on our side that could cause the problem?

    At the moment, emails are properly delivered from our server to almost any domain, including Hotmail and Gmail. Sometimes we are being blocked but when that happens, we are normally notified about it by email. Unfortunately, emails that are delivered through messagelabs.com are consistently not delivered.

    Hope we could solve this issue. Thanks in advance for your help,

    Alfonso.



  • 8.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Feb 14, 2017 02:27 AM

    Hello Alfonso

    That particular sample was stopped as spam. In order for us to investigate this issue could I ask you to please follow the process set out in the link below.

    https://support.symantec.com/en_US/article.TECH233678.html

    Once a sample has been submitted as per this process, please can you reply with the address it was sent from and what time so I can get this checked.

    Thank you.

     

    Kevin Brosnan



  • 9.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Feb 14, 2017 08:07 AM

     

    I just had another customer complaining with the same issue with two different domains:

    - The sending domain is hervaspiel.com and the receiving domain is bancopopular.es. 

    maillog.processed:Feb 13 16:48:08 XXXXXX postfix/smtp[7217]: AC13F66200B8: to=<XXXXXX@bancopopular.es>, relay=cluster4.eu.messagelabs.com[85.158.143.35]:25, delay=20, delays=19/0/0.2/1, dsn=2.0.0, status=sent (250 ok 1487000888 qp 11361 server-15.tower-21.messagelabs.com!1487000887!57383606!1)

     

    - The sending domain is hervaspiel.com and the receiving domain is lacaixa.es. 

    maillog.processed:Feb 13 16:47:00 XXXXXXX postfix/smtp[7217]: AED4E66200B8: to=<XXXXXXX@lacaixa.es>, relay=cluster4.eu.messagelabs.com[85.158.137.68]:25, delay=19, delays=17/0.01/0.22/1.3, dsn=2.0.0, status=sent (250 ok 1487000820 qp 47218 server-12.tower-31.messagelabs.com!1487000819!68558660!1)

    The customer refused to send those emails to the address found in the link you sent me (CLOUDfeedback@feedback-87.brightmail.com). They contain attachments with confidential information. Is there anything you could tell me about these two emails?

    I'm trying to get a sample as indicated in the support document you told me.

    We need a solution for this, it's becoming a real problem.



  • 10.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Feb 14, 2017 08:50 AM

    Hi

    We would need the sample to clarify and amend detection if safe to do so. As you can imagine we cannot do so without confirmation it's not spam first as our customer would then receive spam mails. You may wish to contact our customer (the recipient) and see if they consider it serious enough to raise a support ticket with us, we can then investigate further on their request. Also they can whitelist the sending email address/domain should they wish which will bypass our spam scanners.

    Only they can make such changes I'm afraid.

    Without a sample currently I am unable to assist.

    Kind regards

    Kevin Brosnan



  • 11.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Mar 06, 2017 03:34 AM

    Hi Luis,

    If you're happy that this is now fixed, please can you set this thread as resolved to prevent other people adding to it.

    Kind regards

    Kevin Brosnan

    Tier 2 Senior Technical Support Engineer



  • 12.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Mar 10, 2017 04:07 AM

    Hi Luis,

    Please can you set this thread as resolved to prevent other people adding to it. Or if you do need additional help please let me know.

    Kind regards

    Kevin Brosnan

    Tier 2 Senior Technical Support Engineer



  • 13.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Mar 16, 2017 06:46 AM

    Hi Luis,

    Please can you set this thread as resolved to prevent other people adding to it. Or if you do need additional help please let me know.

    Kind regards

    Kevin Brosnan

    Tier 2 Senior Technical Support Engineer



  • 14.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Apr 05, 2017 08:03 AM

    Hi Kevin:

    Unfortunately the problem persists. The domain novartis.com has the same problem: emails are not delivered but we get no error message:

    Mar 31 14:03:57 XXXXXXXX postfix/smtp[24059]: 3499E66200A2: to=<XXXXXX@novartis.com>, relay=cluster8.eu.messagelabs.com[85.158.139.51]:25, delay=2.6, delays=1.7/0/0.52/0.42, dsn=2.0.0, status=sent (250 ok 1490961838 qp 6235 server-15.tower-180.messagelabs.com!1490961837!77843114!1)

    On the other hand, the domain ube.es is accepting our emails without any problem, we get an OK and the recipient gets the email correctly:

    Mar 30 10:54:27 XXXXXX postfix/smtp[21996]: 3362D6620183: to=<XXXXXX@ube.es>, relay=cluster3.eu.messagelabs.com[85.158.136.35]:25, delay=2.1, delays=1.6/0.01/0.48/0.08, dsn=2.0.0, status=sent (250 ok 1490864067 qp 4331 server-11.tower-125.messagelabs.com!1490864067!72450803!1)

    I tried to send you an email as an attachment with one of those false positives to CLOUDfeedback@feedback-87.brightmail.com but I never got a response back.

    Any time I check our IP address at http://ipremoval.sms.symantec.com/lookup/ I get the same message:

    • The host has been observed sending spam in a format that is similar to snow shoe spamming techniques.

    Don't know if it has to do with the problem somehow.
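
Added example, not part of any post in this thread: a small Python parser for Postfix lines like the ones quoted above. It lists every delivery that a messagelabs.com relay accepted with `status=sent`, grouped by recipient domain, with the queue ID and the receiver's `250 ok` reply string, so the exact entries can be quoted when asking the filtering side to trace a message. The sample lines are constructed, and reading the first number of the reply as a Unix timestamp is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# One Postfix smtp delivery line; grep may have prefixed it with "file:".
LINE_RE = re.compile(
    r'^(?:[\w.]+:)?(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ '
    r'postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, '
    r'relay=(?P<relay>[^\[,]+)\[(?P<ip>[^\]]+)\]:\d+, .*?'
    r'dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reply>.*)\)\s*$')
# Receiver's reply in the shape seen in the thread: "250 ok <n> qp <n> <ref>".
REPLY_RE = re.compile(r'250 ok (?P<epoch>\d+) qp \d+ (?P<ref>\S+)', re.I)

def accepted_via(lines, relay_domain="messagelabs.com"):
    """Group deliveries the relay accepted (status=sent, 2.x.x) by recipient domain."""
    out = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        relay = m["relay"].lower()
        if relay != relay_domain and not relay.endswith("." + relay_domain):
            continue  # delivered through some other relay
        if m["status"] != "sent" or not m["dsn"].startswith("2."):
            continue  # deferrals and bounces are already visible to the sender
        r = REPLY_RE.search(m["reply"])
        # Assumption: the first number in the reply is a Unix timestamp.
        accepted = (datetime.fromtimestamp(int(r["epoch"]), timezone.utc).isoformat()
                    if r else None)
        out[m["rcpt"].rpartition("@")[2].lower()].append({
            "logged": m["ts"], "queue_id": m["qid"], "rcpt": m["rcpt"],
            "relay": relay, "relay_ip": m["ip"], "accepted_utc": accepted,
            "remote_ref": r["ref"] if r else m["reply"],
        })
    return dict(out)

# Constructed sample lines (documentation addresses, not taken from the thread).
SAMPLE = [
    "maillog:Jul 14 04:40:00 mx1 postfix/smtp[1234]: ABC123DEF0: to=<user@example.com>, relay=cluster8.eu.messagelabs.com[192.0.2.10]:25, delay=1.6, delays=0.9/0/0.26/0.46, dsn=2.0.0, "
    "status=sent (250 ok 1500000000 qp 1111 server-1.tower-1.messagelabs.com!1500000000!12345678!1)",
    "Jul 14 04:41:00 mx1 postfix/smtp[1235]: ABC123DEF1: to=<other@example.org>, relay=cluster4.eu.messagelabs.com[192.0.2.11]:25, delay=2, delays=1/0/0.5/0.5, dsn=2.0.0, "
    "status=sent (250 ok 1500000060 qp 2222 server-2.tower-2.messagelabs.com!1500000060!12345679!1)",
    "Jul 14 04:42:00 mx1 postfix/smtp[1236]: ABC123DEF2: to=<user@example.com>, relay=cluster8.eu.messagelabs.com[192.0.2.10]:25, delay=3, delays=1/0/1/1, dsn=4.5.0, "
    "status=deferred (host cluster8.eu.messagelabs.com[192.0.2.10] said: 421 constructed temporary failure)",
    "Jul 14 04:43:00 mx1 postfix/smtp[1237]: ABC123DEF3: to=<third@example.net>, relay=mx.example.net[198.51.100.5]:25, delay=1, delays=0.5/0/0.2/0.3, dsn=2.0.0, "
    "status=sent (250 2.0.0 OK queued)",
]

if __name__ == "__main__":
    for domain, recs in sorted(accepted_via(SAMPLE).items()):
        for rec in recs:
            print(domain, rec["logged"], rec["queue_id"], rec["accepted_utc"], rec["remote_ref"])
```

A `status=sent` entry only records that the relay accepted the message; whether it then reached the inbox has to be confirmed by the recipient or the filtering provider.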



  • 15.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Apr 05, 2017 09:21 AM

    Hi Luiz,

    You will not get a reply back from the CLOUDfeedback@feedback-87.brightmail.com address. But if you provide me with the email address that you sent it from, I can chase that up internally. I have pulled the log and this confirms that the email was stopped as spam.

    So sending the sample to the above address is correct, but I need to know when and who it was sent by.

    Kind regards

    Kevin Brosnan



  • 16.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Apr 05, 2017 09:57 AM

    Hi Kevin:

    I sent the email to CLOUDfeedback@feedback-87.brightmail.com from prueba@sedinta.es on 2017-02-27. I forwarded it as an attachment as you requested.

    Can you find that email back? Or do you need me to send it back?



  • 17.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Jun 19, 2017 06:22 AM

    Hi David,


    I have checked the IP 45.114.116.198 against the .cloud Blacklist and can confirm that these are not listed with us and we would not be blocking your emails for this reason.


    We will not be blocking your connections when sending emails from any of those IPs to our .cloud customers.

    Should you still have issues sending to Symantec customers, it may be part of the Messaging Gateway products to which the .cloud team have no access. If you do have problems with them, you will need to raise this in their forum:

    https://www.symantec.com/connect/security/forums/messaging-gateway

    Please set this thread as resolved to ensure others do not add to it.

    Kind regards

    Kevin Brosnan

    Tier 2 Senior technical support engineer
    CompTIA Security+ Certified



  • 18.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Jun 19, 2017 07:32 PM

    I'm experiencing the exact same issue as the OP.

    Our mail server serves a number of domains, however after checking the logs there is a very low volume of mail being delivered via messagelabs filtering. (no more than several emails per day.)

    We have submitted the IP to be removed via the ipremoval portal http://ipremoval.sms.symantec.com/lookup/

    Each time it is removed promptly, but we only become aware when customers complain they are not receiving email from us. This has occurred 3 times in the last week and twice in the last 24hrs.

    Given that the logs show no issue and our mailserver has a good reputation and is not on any blacklists, I'm at a loss and am dealing with some increasingly frustrated customers.

    We have contacted the affected recipients to alert them to the fact messagelabs is blocking legitimate email so they can whitelist our server, however this is not a satisfactory solution in the long term.

    The mail server IP is 45.114.116.198

     

    Issue referred to relevant area.



  • 19.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Jun 22, 2017 09:56 AM

    Hi Luis,

    Just following up on this topic and wondered if you need any further assistance on this matter.

    If the issue has since been resolved, please can you set this thread as resolved to prevent others adding to it.

    Kind regards

    Kevin Brosnan
    Tier 2 Senior Technical Support Engineer

    CompTIA Security+ Certified



  • 20.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Jun 28, 2017 03:25 AM

    Hi Luis,

    Just following up on this topic and wondered if you need any further assistance on this matter.

    If the issue has since been resolved, please can you set this thread as resolved to prevent others adding to it.

    Kind regards

    Kevin Brosnan
    Tier 2 Senior Technical Support Engineer

    CompTIA Security+ Certified



  • 21.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Jul 12, 2017 05:17 AM

    I'm maintaining a personal (Zimbra based) mailserver that serves a couple of domains for me and some friends. The server is part of a VM infrastructure that has 4 IP addresses to share among some VMs. All of these IPs have been blacklisted by Symantec because of suspected snow shoeing spam, while only 2 of these IPs send out mails (the other is a Sympa based mailinglist server, rarely used). I've looked at the mail logs of both servers and can't for the life of me find any abnormal mails. I've checked RBL listing on mxtoolbox and none of my IPs are listed on any RBL. SPF records are all correct for these servers.

    I requested delisting once and was delisted (but only after having spent some time typing a personal message instead of just clicking the 2 checkboxes that I've done my homework). Now, I'm back on the list and me and my friends can't send mails to the mailservers of KPN (mailin.kpnmail.nl).

    host mailin.kpnmail.nl[213.75.3.30] refused to talk to me: 421 5.5.0 Your IP has been blacklisted. Please contact abuse@kpn.com for more information.
     

    Yesterday I started the delisting procedure again, but have yet to see the result. I'm completely at a loss what to do next? It's frustrating to maintain a simple (well maintained!) mailserver these days having to battle these false positives all the time.

    Involved ip range: 94.103.150.236-239



  • 22.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Broadcom Employee
    Posted Jul 14, 2017 03:35 AM

    Hi Martin

    I've had your IPs investigated and the listing that was causing your issues has now been removed. Please allow a short time for propagation and then can I ask you to check and confirm and, if everything is OK, mark this thread as resolved.

    Thank you

    Ian Tiller

    Tier 2 Senior Technical Support Engineer



  • 23.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Feb 20, 2024 04:49 PM

    Hello.

    We have the same issue.

    Transferred "Newsletters" to new mail servers:

    185.100.234.153

    185.100.234.153

    185.100.234.156

    We send email from these servers for our customers. On the servers we have antivirus and anti-spam. We close by maximum allowed ports for users connection.

    But we again and again appear in https://ipremoval.sms.symantec.com/lookup

    We carefully check the ratings of our IPs and domains.

    Thank you.




  • 24.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Broadcom Employee
    Posted Feb 21, 2024 05:10 AM

    Hello,

    Please post all questions relating to IP removal in the SMG forum (https://community.broadcom.com/symantecenterprise/communities/communityhomeblogs?CommunityKey=bba1e9dc-0c56-4fb5-9e3d-ef7f0d79b7ee).  The IP reputation list is part of the SMG product, and merely consumed by Email Security.cloud in the same way that it might consume any other number of DNSBLs etc. (and in the same way that other third parties can consume the SMG list).

    Paul




  • 25.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Jul 14, 2017 09:16 AM

    It seems to be ok for now, I just wonder for how long given that the earlier reputation hits were also bogus? Have you whitelisted my server now?



  • 26.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Jul 14, 2017 11:07 AM

    And by the way, I hijacked this thread, so I can't mark it resolved as far as I understand.



  • 27.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Sep 10, 2017 03:31 AM

    Dear Ian,

    94.103.150.236 has been marked sending snow shoe spam again (I'm sure it doesn't, so I'm curious what triggers this listing for you guys?) could you please do something about this?

     

    Best regards,

    Martin



  • 28.  RE: Our IP has a negative reputation due to snow shoe spamming techniques

    Posted Sep 10, 2017 03:36 AM

    Dear Ian,

    94.103.150.236 is listed as having sent snow shoeing spam again, although I'm sure it hasn't. Could you please remove my server from the list again?

    Best regards,

    Martin