Messaging Gateway

Need help,

I am managing a mail server.

And i sent mail using it.

The problem is all of my mail that sent from it is marked as spam by Norton.

it give [Norton AntiSpam] at my mails subject.

I already check my ip and domain http://ipremoval.sms.symantec.com/lookup/ 

and it said : "The IP address you submitted, ***.**.**.**, does not have a negative reputation and therefore cannot be submitted for investigation."

Please, tell me how to get rid of it.

I already calls Norton support and they are not helping at all

The worst answer is they tell me to register on all of computer in the world that installed norton.

Hi Andy,

Sorry, but i didnt get your question.

You are sending mail to the internet and all of them are marked as spam by norton or you are receiving mail from the internet and mails get marked by norton.

What is installed at your site, norton?

And how is Symantec Messaging Gateway involed here?

Thomas

Hi Thomas,

Thank you for replying.

The email that i send are marked as spam by Norton. That is the problem.

I know that because i have some computer that using norton internet security and all of it marked the mails that i send from my server as spam.

> And how is Symantec Messaging Gateway involed here?

I'm sorry if i post in wrong section. i thought i can post it here because, the problem is my mail server it seems to be listed by norton. And there is connection beetween symantec messaging gateway and their antispam list.

Andy

Andy,

Just zo clarify your situation, you are sending mails to someone on the internet.

If this recipient uses Nortons Antispam Solution all of your mails get marked as spam, right?

If thats the case you could check on usual events like RBL, Surbl, etc (lookup your ip eg at http://multirbl.valli.org/lookup/).

There are many helpful online tools out there to get your server and domain checked (reputation, mx, spf, a, ptr, etc) - eg http://mxtoolbox.com/

On the other side have you seen such a marked mail including the header?

I've seen so many mime-mismatches, localhost in received-header info, non rfc-compliant greylisting etc - its hard to say why your mails get marked.

What about the recipient marking your mails opening an incident at norton?

Thomas

Thank you for your sincerely respons.

Sorry for the late reply.

> if this recipient uses Nortons Antispam Solution all of your mails get marked as spam, right?

Yeap !

> If thats the case you could check on usual events like RBL, Surbl, etc (lookup your ip eg at http://multirbl.valli.org/lookup/).

> There are many helpful online tools out there to get your server and domain checked (reputation, mx, spf, a, ptr, etc) - eg http://mxtoolbox.com/

I already checked my domain and my ip there, but it seems that there is no clue at all, because i got the result clean and not listed.

> On the other side have you seen such a marked mail including the header?

> I've seen so many mime-mismatches, localhost in received-header info, non rfc-compliant greylisting etc - its hard to say why your mails get marked.

I already double-check the mail header and found no clue at all why it got marked as spam by norton.

I tried to sending mail using telnet, and the result is still the same (sending mail using the minimum header)

> What about the recipient marking your mails opening an incident at norton?

I already ask them, and call their support center and the result is they told me to register my mail address

in norton soft1ware whitelist on every computer that installed norton in this world.

That is why i posting my problem here, hope i can get any solutions for this.

Best regards,

Andy.

Hi Andi,

In that case only norton can tell you exactly why you get marked.

Sorry

Thomas

Hi Thomas,

I called norton Symantec maybe around 5 times, and they are not giving me a solution.

That's why, i hope i can get a solution if i post my problem here.

I saw another post that have simmiliar problem like this threat,

https://www-secure.symantec.com/connect/forums/how-clear-brightmail-blacklist

But that threat is already locked, so i can't ask there.

Please maybe anyone can help ?

Andi,

I hope you called nortons support, right?

In that case only they can tell you why they mark your mails.

Just to get a step further:

- do you get an error by submitting a message?

- if no, have you seen a complete header of a marked mail received at norton-protected site?

- There must be a support forum for norton customers. Have you tried there?

Thomas

Thomas,

Thank you for your sincerely reply.

I already called Norton 5 times, and no one can give me a solution.

Their only solution is to whitelist my mail address in all of computer in this world

that installed norton in their PC.

> - do you get an error by submitting a message?

I am using chat support and call support. there is no error about it.... (I am sorry if i don't get right about your question)

> - if no, have you seen a complete header of a marked mail received at norton-protected site?

I can see e-mail that is marked as spam by Norton, because i have 3 computers that installed Norton.

> - There must be a support forum for norton customers. Have you tried there?

I don't find another forum beside this forum. like i post in my last reply. That's why i posted it here.

Andy,

> - do you get an error by submitting a message?

If you send a mail to a norton protected site do you, as the sender receive any kind of error message, eg SMTP Error 554 etc?

> I can see e-mail that is marked as spam by Norton, because i have 3 computers that installed Norton

I can only assume that 3 client pcs have installed a norton anti spam product - which?

There should be a debug logging option in any product, did you take a look there for the spam-classification reason?

White-Listing can't be the solution, try to send the same mail from different mail accounts:

Use different sender-domains, use telnet to submit locally to avoid possibly eg 127.0.0.1 received-headers, etc

These are just a few hints, again only their support can tell you the reason - or the product forum

Thomas

Hi Thomas,

Sory for the late reply

> If you send a mail to a norton protected site do you, as the sender receive any kind of error message, eg SMTP Error 554 etc?

Nope, no error. it is only marked [Norton Antispam] at my subject.

> I can only assume that 3 client pcs have installed a norton anti spam product - which?

Those 3 using Norton Internet Security

> There should be a debug logging option in any product, did you take a look there for the spam-classification reason?

Already looking for it, there is no clue about it.

> White-Listing can't be the solution, try to send the same mail from different mail accounts:

> Use different sender-domains, use telnet to submit locally to avoid possibly eg 127.0.0.1 received-headers, etc

I already try using another mail server and it goes fine.

Tried using telnet to send email from my mail server with only minimal headers, it is marked as spam. that is why, i think the problem is on my server ip or domain.

But, like i mentioned earlier, i already try using dnsbl or some kind like that to search if my ip or domain is blacklisted, and it clean.

> These are just a few hints, again only their support can tell you the reason - or the product forum

Can't find any clue at all from it that is why i posted it here.

Thank you for your sincere reply.

Andy,

>Those 3 using Norton Internet Security

>> There should be a debug logging option in any product, did you take a look there for the spam-classification reason?

>Already looking for it, there is no clue about it.

So we're talking about a client product, right?

You should find something like: Right-click the nis icon in system tray, view recent history ...

There you should find the reason you/we are looking.

Just to be shure, when you send a mail internally from user a to b and open up outlook (i guess) for that mailbox this mail is marked as spam.

If you repeat sending a new mail and open up the mailbox via owa mail is not maked, right?

Thomas

Thomas,

> So we're talking about a client product, right?

> You should find something like: Right-click the nis icon in system tray, view recent history ...

> There you should find the reason you/we are looking.

Yes, a client product. And i find the history.

And what i found is somekind like "submitted to Symantec spam statistics". (i don't know the exact words, because my program is using Japanese. I translate it)

> Just to be shure, when you send a mail internally from user a to b and open up outlook (i guess) for that mailbox this mail is marked as spam.

I am using Japanese software named Becky! yes it is always marked as spam.

> If you repeat sending a new mail and open up the mailbox via owa mail is not maked, right?

I am sorry, I don't know what you mean by "owa mail".

Andy

Andy,

> submitted to Symantec spam statistics

Just means that your stats gets updated - has nothing to do with the root case

> using Japanese software named Becky

What about your backend? As i know becky (in the past) was only a mail client.

> owa

Outlook Web Access

Thomas

Thomas,

I sent my mails from my mail server that using centos and we are using our own MTA.

the MTA is no problem because i already check it by sending using that server but i use another host name and ip address.

The problem is when i send from that domain and ip address, it is marked as spam by Norton. Eventhough i only sent simple mail using telnet.

Andy,

I still have no clue how your site is set up, which client is connecting how, what protocols you are using to access etc

Just a few things you should think about:

Your client or the config of your client could cause the marking as spam. Besides that, using telnet (as you described "using minimal header") is a different case and causes these kind of mails beeing marked as spam, too. But the reason is different, eg missing date, routing info, message id ... who knows

> problem is when i send from that domain and ip address

What do you mean by that? Do you own multiple domains and if so changing sender domain using the same mail client and same backend the mail is not marked as spam?

Thomas

Thomas,

Yes, we have multiple domain.

And we have a server that work only for sending mails.

How it works is there is 2 server, 1 is for the http server and one is for sending mails.

We send mails using data from the http server.

That is why the return path domain will be the http server domain.

That is why in our mail header there is two Received:

(one received from my mail servers, and one is pointing to my http server)

What i mean by i checked using another domain is i use another http server and using same mail server and it is okay.

Andy.

Andy,

Sorry, but i still have no idea on how you send mail.

A mail client is creating a messaage, connecting to server using a specific protocol (mapi, rpc over https, imap, etc)

The mail server is sending the mail to the recipient domain.

If you forget about your http-server, just using your mail-server (were the mailboxes, mail-data is stored, server providing mail-client connectivity protocol) - are mails received at the 3 norton protected clients marked as spam?

Thomas

Thomas, 

> Sorry, but i still have no idea on how you send mail.

If i sent you header information, will you know it ?

If i sent directly from my mail server, my mail is not marked as spam.

If i sent from another server through the same mail server, my mail is not marked as spam as well

> Header

No

> sent directly from my mail server

If you compare this not marked mail and the ones "via https server" what is the difference?

Sender (at least domain) is equal?

Is a official ip address bound to your http server?

Thomas

>Sender (at least domain) is equal?

no.

The Different is :

Return-path is different. (if i sent it from my http server it will be my http server domain)

the Received: From will be only one (if i sent it from my http server,

it will be two. one contain my http server(domain and ip) and one is contain my mail server domain and ip)

> is a official ip address bound to your http server?

Yes.

Have you checked the reputation (RBL, etc) of your http-servers ip?

Same for return-path domain.

Is that domain completly registered at intern dns incl mx, a, ptr?

> Return-path is different

Is there any change in nortons spam-detection if you alter the return-path, eg change it to sender domain, use reply-to instead etc

Thomas

Hi Thomas,

Sorry for the late reply.

> Have you checked the reputation (RBL, etc) of your http-servers ip?

> Same for return-path domain.

Yeap, i already checked it on mx tools and dnsbl and some other lists, and it's result is clean.

> Is that domain completly registered at intern dns incl mx, a, ptr?

Yeap !

> Is there any change in nortons spam-detection if you alter the return-path, eg change it to sender domain, use reply-to instead etc

I don't know about that but, the differrent about the mail is marked as spam and not is only the HTTP server's IP and Domain only.

The other format is same.

Thats why i think, norton is blacklisting my ip or domain

Hi Andy,

> I don't know about that but, the differrent about the mail is marked as spam and not is only the HTTP server's IP and Domain only.

> The other format is same.

> Thats why i think, norton is blacklisting my ip or domain

Then you only can send exactly the http servers mails by using telnet.

First use telnet on the http server and produce a "spam" mail. Next, change host where you're using telnet and try&error which property causes the detection.

If that way does not work - still, only product support can help you - and every pc on the planet should install their anti-spam isnt a solution.

Thomas

Thank you for your reply Thomas,

> First use telnet on the http server and produce a "spam" mail. Next, change host where you're using telnet and try&error which property causes the detection.

This is something that i can't because it will effect my system that is running now.

> If that way does not work - still, only product support can help you - and every pc on the planet should install their anti-spam isnt a solution.

Anyway, my mail is not marked as spam on webmail like yahoo or gmail. 

it will go to junk mail on hotmail (i think outlook will come with same result)

And it will be marked as spam by norton if you use 3rd party mail software like becky!

Thank you.

I still hope norton can do something about this.

Andy,

> his is something that i can't

If you just can open up a telnet in an ssh, rdp, etc session you'll be fine. Use "Telnet your_mailserver 25" (command depending on OS) and use ehlo, mail from, rcpt to, data, from:, to:, date, subject, etc to bypass your application. You could also use tcpdump, netmon, wiresharc to get the commands your http server is sending towards your mailserver.

Just reverse engineer your app ;-)

With this command-set of a manually generated spam change sending ip (telnet from another server), change sending domain (alter mail from) etc

> it will go to junk mail on hotmail

All the providers have different spam tracking and antispam mechanisms in place and at least 2 of them are "marking" your mails.

I would try to get rid of that - there must be something about your http-servers sender domain, ip, rdns, route, reply to, etc.

Only you can figure out what.

Thomas