Email Security.cloud


Mails not arriving to MessageLabs/Symantec clients

  • 1.  Mails not arriving to MessageLabs/Symantec clients

    Posted Jun 27, 2017 06:20 AM

    Good morning,

    We have a huge problem with our IPs and your blacklist. We have a dedicated server with a lot of mail server IPs. We checked for any strange behaviour, but we didn’t detect anything. We have IPs like 137.74.107.26, 164.132.10.230, 137.74.185.217 or 137.74.107.25 blacklisted on your lists every day, and they are only on your lists (no Spamhaus or Barracuda listing, the only blacklist that lists our IPs is yours). Every day we have to delist our IPs with your online tool (http://ipremoval.sms.symantec.com/lookup/) but the next day, we find them in your blacklist again.

    Our server is an uncompromised mailserver, with a lot of clients, each with a particular IP. All of our clients use the mail in a normal mode (not commercial sending or bulk sending). And the Symantec list is the only one that lists our IPs. In some cases, our client cannot send emails to some banks here in Spain (some of them use a MessageLabs/Symantec spam filter) and we cannot find a definitive solution.

    How can we resolve this situation? Please, it is extremely urgent. We can give you our server information. We checked that the emails are being sent correctly (with the MXToolBox SMTP Test Tool https://mxtoolbox.com/diagnostic.aspx). We checked the whole server, searching for viruses. But all the tests were good. Even so, Symantec lists us on the blacklist. Please, we need a solution. Contact me with any doubt you have.


    Regards,



  • 2.  RE: Mails not arriving to MessageLabs/Symantec clients

    Posted Jun 28, 2017 03:05 AM

    Hi Nicolas,

    I have checked all 4 IPs against the .cloud (messagelabs) infrastructure and found these not to be listed on our blocklist and the reputation is also fine. Therefore we will not be blocking any connections from these IPs.

    For me to investigate further I would need specific examples of emails that have failed to our customers. Please could you provide the sender's and recipient's full email addresses and when they failed. I will look into this for you.

    Kind regards

    Kevin Brosnan
    Tier 2 Senior Technical Support Engineer

    CompTIA Security+ Certified
     



  • 3.  RE: Mails not arriving to MessageLabs/Symantec clients

    Posted Jun 28, 2017 04:53 AM

    Hi Kevin,

    I give you some examples and the server's logs:

    From administracions@finquesjoan.com => To marguelles@caixabank.com (Jun 27 18:48:36)

    Jun 27 18:48:36 ns3044071 postfix/qmgr[15387]: DCB7857E0291: from=<administracions@finquesjoan.com>, size=2283, nrcpt=2 (queue active)
    Jun 27 18:48:36 ns3044071 postfix/smtpd[21025]: disconnect from 170.red-83-61-34.dynamicip.rima-tde.net[83.61.34.170]
    Jun 27 18:48:36 ns3044071 postfix/smtp[21174]: DCB7857E0291: host cluster4.eu.messagelabs.com[85.158.143.35] refused to talk to me: 501 Connection rejected by policy [7.7] 2108, please visit www.messagelabs.com/support for more details about this error message.
    Jun 27 18:48:36 ns3044071 postfix/smtp[21174]: DCB7857E0291: host cluster4.eu.messagelabs.com[85.158.137.68] refused to talk to me: 501 Connection rejected by policy [7.7] 3112, please visit www.messagelabs.com/support for more details about this error message.
    Jun 27 18:48:36 ns3044071 postfix/smtp[21174]: DCB7857E0291: host cluster4.eu.messagelabs.com[193.109.254.147] refused to talk to me: 501 Connection rejected by policy [7.7] 2710, please visit www.messagelabs.com/support for more details about this error message.
    Jun 27 18:48:36 ns3044071 postfix/smtp[21174]: DCB7857E0291: host cluster4.eu.messagelabs.com[85.158.139.211] refused to talk to me: 501 Connection rejected by policy [7.7] 20615, please visit www.messagelabs.com/support for more details about this error message.
    Jun 27 18:48:37 ns3044071 postfix/smtp[21174]: DCB7857E0291: to=<marguelles@caixabank.com>, relay=cluster4a.eu.messagelabs.com[85.158.139.103]:25, delay=1.6, delays=0.67/0.01/0.76/0.12, dsn=4.0.0, status=deferred (host cluster4a.eu.messagelabs.com[85.158.139.103] said: 421 Service Temporarily Unavailable (in reply to RCPT TO command))

     

    From nico@techni-web.es => To rbarbara@oxfamintermon.org (Jun 27 10:56:14)

    Jun 27 10:56:14 ns3044071 postfix/smtp[11061]: 08B0157E0291: to=<rbarbara@OxfamIntermon.org>, relay=mail.OxfamIntermon.org[77.240.125.3]:25, delay=3.6, delays=0.7/0.01/2.8/0, dsn=4.7.1, status=deferred (host mail.OxfamIntermon.org[77.240.125.3] refused to talk to me: 554 5.7.1 You are not allowed to connect.)

     

    From administracio@pneumaticsperello.com => To cfarnos@caixabank.com (Jun 23 08:35:00) - Marked as sent but not received by the recipient.

    Jun 23 08:35:00 ns3044071 postfix/cleanup[6375]: 9B70257E04D9: message-id=<2D77B9A8-BED1-4C55-A6AF-3DABB796322A@pneumaticsperello.com>
    Jun 23 08:35:01 ns3044071 postfix/qmgr[412]: 9B70257E04D9: from=<administracio@pneumaticsperello.com>, size=903, nrcpt=1 (queue active)
    Jun 23 08:35:01 ns3044071 courier-pop3s: LOGOUT, user=administracio@pneumaticsperello.com, ip=[::ffff:83.46.122.62], port=[56850], top=0, retr=0, rcvd=18, sent=16245, time=151, stls=1
    Jun 23 08:35:01 ns3044071 postfix/smtp[6407]: 9B70257E04D9: to=<cfarnos@caixabank.com>, relay=cluster4.eu.messagelabs.com[85.158.139.211]:25, delay=0.93, delays=0.38/0/0.38/0.17, dsn=2.0.0, status=sent (250 ok 1498199699 qp 26752 server-2.tower-206.messagelabs.com!1498199699!84106152!1)

     

    From administracio@pneumaticsperello.com => To ejimenezm@bancopopular.es (Jun 23 12:16:21)

    Jun 23 12:16:19 ns3044071 postfix/qmgr[412]: BDDE457E0033: from=<administracio@pneumaticsperello.com>, size=6383204, nrcpt=1 (queue active)
    Jun 23 12:16:21 ns3044071 postfix/smtp[6641]: BDDE457E0033: to=<ejimenezm@bancopopular.es>, relay=cluster4.eu.messagelabs.com[85.158.139.211]:25, delay=21, delays=19/0.01/0.23/1.3, dsn=2.0.0, status=sent (250 ok 1498212979 qp 432 server-9.tower-206.messagelabs.com!1498212977!104870138!1)

     

    There are different problems, but we don't know how to resolve them. Sometimes the mail arrives, and sometimes not. If the mail is marked as "deferred" the mail doesn't arrive. But if it is marked as "sent", it could arrive, but not for sure. We don't know if it is something about our mailserver or what, or maybe we have to register in some Symantec whitelists (we searched but did not find them), but we need to fix this problem.

    Regards,
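
An added example, not part of the original thread: a Python triage of the `postfix/smtp` lines quoted in the post above, separating refusals at the greeting/HELO stage from replies given later in the SMTP dialogue and from messages the relay accepted. The sample lines are abridged from that post with mailbox names replaced by placeholders; `triage` and `verdict` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the Postfix lines in the post above, mailbox names are placeholders.
SAMPLE_LOG = """\
Jun 27 18:48:36 ns3044071 postfix/smtp[21174]: DCB7857E0291: host cluster4.eu.messagelabs.com[85.158.143.35] refused to talk to me: 501 Connection rejected by policy [7.7] 2108, please visit www.messagelabs.com/support
Jun 27 18:48:36 ns3044071 postfix/smtp[21174]: DCB7857E0291: host cluster4.eu.messagelabs.com[85.158.137.68] refused to talk to me: 501 Connection rejected by policy [7.7] 3112, please visit www.messagelabs.com/support
Jun 27 18:48:37 ns3044071 postfix/smtp[21174]: DCB7857E0291: to=<rcpt@bank.example>, relay=cluster4a.eu.messagelabs.com[85.158.139.103]:25, delay=1.6, dsn=4.0.0, status=deferred (host cluster4a.eu.messagelabs.com[85.158.139.103] said: 421 Service Temporarily Unavailable (in reply to RCPT TO command))
Jun 27 10:56:14 ns3044071 postfix/smtp[11061]: 08B0157E0291: to=<rcpt@ngo.example>, relay=mail.OxfamIntermon.org[77.240.125.3]:25, delay=3.6, dsn=4.7.1, status=deferred (host mail.OxfamIntermon.org[77.240.125.3] refused to talk to me: 554 5.7.1 You are not allowed to connect.)
Jun 23 08:35:01 ns3044071 postfix/smtp[6407]: 9B70257E04D9: to=<rcpt@bank.example>, relay=cluster4.eu.messagelabs.com[85.158.139.211]:25, delay=0.93, dsn=2.0.0, status=sent (250 ok 1498199699 qp 26752 server-2.tower-206.messagelabs.com!1498199699!84106152!1)
"""

LINE = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
REFUSED = re.compile(r"host \S+?\[(?P<ip>[\d.]+)\] refused to talk to me: (?P<code>\d{3})")
FINAL = re.compile(r"relay=(?P<relay>[^,]+), .*?status=(?P<status>\w+) \((?P<detail>.*)\)$")
STAGE = re.compile(r"in reply to (?P<stage>[A-Z ]+?) command")
CODE = re.compile(r"(?:said: |to me: |^)(\d{3})\b")

def triage(log_text):
    """Group postfix/smtp lines by queue ID; record refusals and the final status."""
    result = defaultdict(lambda: {"refusals": [], "status": None, "stage": None})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        entry, final = result[m["qid"]], FINAL.search(m["rest"])
        if final:  # per-recipient summary line: to=<...>, relay=..., status=...
            detail, stage = final["detail"], STAGE.search(final["detail"])
            code = CODE.search(detail)
            if stage:
                where = stage["stage"]
            elif "refused to talk to me" in detail:
                where = "greeting/HELO"
            else:
                where = "end of DATA" if final["status"] == "sent" else "unknown"
            entry.update(status=final["status"], relay=final["relay"], stage=where,
                         code=int(code[1]) if code else None)
        elif (r := REFUSED.search(m["rest"])):  # one MX host refused the session
            entry["refusals"].append((r["ip"], int(r["code"])))
    return dict(result)

def verdict(entry):
    """What the sender-side log proves for one queue ID."""
    if entry["status"] == "sent":
        return "accepted by relay; later filtering is not visible in sender logs"
    if entry["refusals"] or entry["stage"] == "greeting/HELO":
        return "refused before MAIL FROM; relay saw at most client IP and HELO name"
    return f"{entry['status']} at {entry['stage']} stage"
```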



  • 4.  RE: Mails not arriving to MessageLabs/Symantec clients

    Posted Jun 28, 2017 05:08 AM

    Hi Nicolas

    I have managed to find the log for that email and found that Symantec Email Security.cloud service detected the message as spam. If this is not spam, we can certainly review these messages and remove the incorrect signature that is blocking the email, but a sample is required.

    To analyze a false positive sample, Symantec must receive the original false positive email:
    • As a "message/rfc822" email attachment*
    • One email attachment per submission**

    Send the false positive sample as an email attachment to the following address:

    CLOUDfeedback@feedback-87.brightmail.com

    For more detailed information on how to submit, please take a moment to review the below article.

    https://support.symantec.com/en_US/article.TECH233678.html

    If you would like me to follow up on your submission, please let me know when a sample has been submitted and what email address it was sent from.

    Regards,

    Kevin Brosnan
    Tier 2 Senior Technical Support Engineer
    CompTIA Security+ Certified



  • 5.  RE: Mails not arriving to MessageLabs/Symantec clients

    Posted Jun 29, 2017 02:03 PM

    OK, Kevin, we already submitted to that email address the cases we gave you. But today, we have a problem sending mails from pneumaticsperello.com (137.74.185.217) to caixabank.com (217.148.69.93 and relay cluster4.eu.messagelabs.com[85.158.139.211]). We're not getting error messages, they are sent, but the recipient doesn't receive them. What could be the problem?



  • 6.  RE: Mails not arriving to MessageLabs/Symantec clients

    Posted Jun 30, 2017 02:59 AM

    Hi Nicolas,

    Those 2 IPs are also not listed and may be related to the same issue. When you sent the emails as attachments to CLOUDfeedback@feedback-87.brightmail.com, what was the sending email address they were sent from?

    I need this to find the emails and progress the investigation.

    Kind regards

    Kevin Brosnan



  • 7.  RE: Mails not arriving to MessageLabs/Symantec clients

    Posted Jun 30, 2017 05:42 AM

    Hi Kevin,

     

    The address that I used to send the emails to CLOUDfeedback@feedback-87.brightmail.com was nico@techni-web.es

     

    Regards,

     



  • 8.  RE: Mails not arriving to MessageLabs/Symantec clients

    Posted Jun 30, 2017 07:12 AM

    Hi Nicolas,

    Thanks for the sample, I have obtained the relevant logs and am getting our backline Anti-spam team to look at this - I will let you know once their investigation is complete.

    Kind regards

    Kevin Brosnan



  • 9.  RE: Mails not arriving to MessageLabs/Symantec clients

    Posted Jun 30, 2017 09:06 AM

    Hi Nicolas,

    We can see that the sending IP '137.74.185.217' was listed on our internal list, this was removed on the 27th June and the issue should now be resolved.

    Kind regards

    Kevin Brosnan



  • 10.  RE: Mails not arriving to MessageLabs/Symantec clients

    Posted Jul 03, 2017 02:27 AM

    Good morning,

     

    The problem persists. Today we tried to send an email from postmaster@pneumaticsperello.com to cfarnos@caixabank.com and the email didn't arrive. There are no error messages in our server logs. We sent the email reporting the false positive to CLOUDfeedback@feedback-87.brightmail.com from our account, nico@techni-web.es. What could be the problem?

    Regards,



  • 11.  RE: Mails not arriving to MessageLabs/Symantec clients

    Posted Jul 03, 2017 07:48 AM

    Update:

    I did a telnet test and the result is this:

    telnet cluster4.eu.messagelabs.com 25
    Trying 85.158.137.68...
    Connected to cluster4.eu.messagelabs.com.
    Escape character is '^]'.
    220 server-12.tower-31.messagelabs.com ESMTP
    HELO pneumaticsperello.com
    250 server-12.tower-31.messagelabs.com
    MAIL FROM:<postmaster@pneumaticsperello.com>
    250 OK
    RCPT TO:<cfarnos@caixabank.com>
    250 OK
    DATA
    354 go ahead
    Subject: Prova Pneumatics Perello
    Correu de prova, respon si ho reps.
    .
    553-SPF (Sender Policy Framework) domain authentication
    553-fail. Refer to the Troubleshooting page at
    553-http://www.symanteccloud.com/troubleshooting for more
    553 information. (#5.7.1)
    QUIT
    221 server-12.tower-31.messagelabs.com
    Connection closed by foreign host.

     

    We checked our SPF with online tools (MXToolbox) and it is correct. Could anything else be the problem?

     



  • 12.  RE: Mails not arriving to MessageLabs/Symantec clients

    Posted Jul 03, 2017 10:31 AM

    Update 2: I don't think the last comment would be the best practice to do a telnet test. We tried to do this, but nothing happened, the message didn't arrive.

    telnet mail.pneumaticsperello.com 25
    Trying 137.74.185.217...
    Connected to mail.pneumaticsperello.com.
    Escape character is '^]'.
    220 mail.pneumaticsperello.com ESMTP Postfix (Debian/GNU)
    EHLO pneumaticsperello.com
    250-mail.pneumaticsperello.com
    250-PIPELINING
    250-SIZE 20480000
    250-ETRN
    250-STARTTLS
    250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    AUTH LOGIN
    334 ***
    ***
    334 ***
    ***
    235 2.7.0 Authentication successful
    MAIL FROM:<postmaster@pneumaticsperello.com>
    250 2.1.0 Ok
    RCPT TO:<cfarnos@caixabank.com>
    250 2.1.5 Ok
    DATA
    354 End data with <CR><LF>.<CR><LF>
    Subject: Correu de prova
    Prova, respon si ho reps.
    .
    250 2.0.0 Ok: queued as 16F4D57E0407
    QUIT
    221 2.0.0 Bye
    Connection closed by foreign host.

    In summary, the message is sent, but it didn't arrive...

     



  • 13.  RE: Mails not arriving to MessageLabs/Symantec clients

    Posted Jul 03, 2017 01:21 PM

    Hi, our server IP address is also listed and isn't sending SPAM. We are not listed in any other list and the server IP is 162.255.137.55. Please help, Symantec clients are not getting the emails from our server.