Messaging Gateway

I have a strange situation with a user who has sent a message with an incorrectly formatted email address.

Perhaps a paste of the DSN the user received is the easiest way to explain it:

I think what you are looking for is covered in this KB:

http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2010052013293554

Cheers,

Kevin

As message is delayed in message queue,it gives a message that mail has been not delivered.Can we stop these messages from coming.

Hi Prashad,

In future if you've got a new question it's best to open a new thread and put in your product version and build number.  I'm assuming you are running the Brightmail Gateway V9.

The settings you are referring to are configurable by editing your Scanner(s) from the Administration -> Hosts -> Configuration page, click the SMTP Tab, then click the Advanced Settings button at the bottom of the page.  Click the Delivery Tab, then check out the SMTP Delivery Configuration Settings.  The Help gives some good details on these settings, if sounds like you are interested in 'Message delay time in queue before notification' setting.  I probably wouldn't turn it off, but you can set it to be a longer period of time.

Cheers,

Kevin

thanks for replying...


Can u please explain me in detail  what can be the reason why  these messages are generated?

whether its problem with the smtp settings or the mail id to be sent is not available or any ohter reason.We are getting many number of these mails and the customer is saying why these mails r coming in that huge number daily.
 

the first message you posted - the WARNING, message was to make sure your sender of the e-mail understood that Brightmail was trying to send the e-mail, but was having problems.  This ensures that the user does not assume the mail was delivered.

The second message "exceeded max time without delivery" is telling your sender that Brightmail has given up.  The e-mail was NOT delivered and the sender needs to know this.

This is normal for an e-mail system.  You should NOT try to prevent these messages. They are intended to inform senders that there is something wrong with the e-mail address they used for a recipient, or, if the address is correct, that the recipients e-mail system is broken in some way.

If your sender thinks the e-mail address is correct, you should test the domain by doing an MX lookup (admin / utilities / nslookup, provide domain name and select record type = MX.  This should return a list of host names or IP addresses.  If it doesn't, the e-mail address is, in fact incorrect.

If you get a list of host/IP's, then the domain is valid, but perhaps the recipient name is invalid.

Look at your Brightmail scanner Delivery queues - are there any messages queued for "wrong domain"? Are there any e-mail in your message audit logs to the "wrong" domain?  If not, then  the original e-mail may NOT be being sent from your users, but by a spammer, using your user's
e-mail address on the spam's From:/Reply To: line. 

If you see queued messages, or message audit logs outbound show activity for this domain, then your users are the source and need to fix who they are sending e-mails to.

I have checked with the things you have said ....

in the message audit logs i have this kind of mesage..

Message Data
	ID:	c0a80103-b7c4eae0000039d3-fc-4bfaa7c0dd0e
	Message-ID:
	Accepted From:	x.x.x.x
	Scanners:	Local Host
	Time accepted:	XXXXXX, May XX, 2010 09:52:24 PM IST
	Direction:	Outbound
	Sender:	(none)
	Authenticated username:	(none)
	Original recipients:	xxxxxxxxxxx@gmail.com
	Original Subject:	undelivered mail returned to sender
	Full attachment list:	None
	Suspect attachments:	None

	Verdict:	Verdict Filter Policy Policy Group Details None  default  default  None
	Tracker:	AAAAAA==
	Actions taken:	Deliver message normally

In the sender ,its showing none.. what does this mean.  Is it a spam?
 Please figure this out.

This looks like an outbound bounce - an e-mail was sent to a non-existent user inside your network, your internal mail server is saying the user is not here sending it back to the original sender.

Accepted from: x.x.x.x is probably your internal mail server, yes?

If you check your scanner logs you should see a message coming from xxxxxxxxxxx@gmail.com.  On that message log, will show who the message was orginally sent to.  Check if the IP address resolves to a server at Google?  If not, the original message was spam, and the "undelivered mail returned to sender" you show is simply the spam bounce.

Soory for the delay in replying....

As u said i have resolved the IP address at google.It is resolved to hostname.The x.x.x.x
is ip my internal mail server.As in my previous attachment it is showing none in the sender option.What does None relate?

Eventhough its spam brightmail should prevent it from entering.. is it right? 

if it s an outbound bounce is there anthing to do with brightmail?

Hi Prasad,

'None' relates to a null sender(<>) sending the message, the null sender address is used to send delivery notification failures etc.  I'm guessing you aren't doing any kind of recipient validation on the Brightmail Gateway and In this case it sounds like a mail came from gmail(it could be spam, the SBG is never going to catch them all) destined for an invalid recipient in your environment, it passes through the Brightmail Gateway into your Exchange server(or whatever the downstream mail server is), this server determines the recipient doesn't exist in the environment and sends a delivery failure to the SBG who in turn tries to deliver it back to gmail, which is where the original sender resides or at least it appears the original sender came from gmail(this could be spoofed).

If this is your problem you might want to look into integrating with LDAP to take advantage of the Recipient Validation functionality(which can be set up so the SBG will reject messages to all invalid recipients) and Directory Harvest Attack functionality.  This means the messages will never get to your downstream mail server, therefore the internal mail server won't be trying to bounce these messages back.  You can read about these features in the product manual.

Cheers,

Kevin

Thanks for your response..

As u said we r not performing any kind of recipient validation as we did not integrate with LDAP.
If that is the reason, we will take ur suggestion and integrate LDAP and also perform directory harvest attack functionality....