Problems to deliver mails to certain domains

victor.blanco_ironport · ‎03-04-2008

Hello all,

Currently we have problems to deliver mails to a few domains, like:

cesco.com
ceelectronics.com
foulgerpratt.com
t-online.de

E.g for fourgerpratt.com, we are able to receive mails from them; but if we reply an NDR is generated as follows:

"The following organization rejected your message: [207.32.75.2]."
An IronPort mail log shows:
"Bounced: DCID 1088007 MID 8598048 to RID 0 - 5.1.0 - Unknown address error ('550', ['Denied by policy.'])"

However, the address@foulgerpratt.com does exist because we are replying to it.

by doing an nslookup we found:
C:\>nslookup
Default Server: resolver.hp.net
Address: 16.110.135.52

> foulgerpratt.com
Server: resolver.hp.net
Address: 16.110.135.52

Non-authoritative answer:
Name: foulgerpratt.com
Address: 66.117.38.36

> 66.117.38.36
Server: resolver.hp.net
Address: 16.110.135.52

Name: adams.newtargethosting.com
Address: 66.117.38.36

or looking for MX records:
> set type=mx
> foulgerpratt.com
Server: resolver.hp.net
Address: 16.110.135.52

Non-authoritative answer:
foulgerpratt.com MX preference = 5, mail exchanger = mail.foulgerpratt.co
m

mail.foulgerpratt.com internet address = 207.32.75.2
> set type=ptr
> 207.32.75.2
Server: resolver.hp.net
Address: 16.110.135.52

Non-authoritative answer:
2.75.32.207.in-addr.arpa name = bids.foulgerpratt.com
2.75.32.207.in-addr.arpa name = mail.foulgerpratt.com
2.75.32.207.in-addr.arpa name = xmweb.foulgerpratt.com
2.75.32.207.in-addr.arpa name = ems.foulgerpratt.com

2.75.32.207.in-addr.arpa nameserver = auth1.dns.cogentco.com
2.75.32.207.in-addr.arpa nameserver = auth2.dns.cogentco.com
auth1.dns.cogentco.com internet address = 66.28.0.14
auth2.dns.cogentco.com internet address = 66.28.0.30

Look at the strange name which is the inverse of their IP.
Would this be the reason of why we can not send them emails?

On the other hand, our domain "customer.com" has 3 MX records, if you do an nslookup for each of them, you will have both A record as well as PTR record; however, if you do the nslookup directly for "customer.com", there is no A record associated, and neither a PTR, would this be also a problem to send mails out to certain domains?

Below are result of nslookup for other domains with problems to receive our mails:

CESCO.COM
C:\>nslookup
Default Server: resolver.hp.net
Address: 16.110.135.52

> cesco.com
Server: resolver.hp.net
Address: 16.110.135.52

Non-authoritative answer:
Name: cesco.com
Address: 12.21.127.2

> 12.21.127.2
Server: resolver.hp.net
Address: 16.110.135.52

Name: www.cesco.com
Address: 12.21.127.2

> set type=mx
> cesco.com
Server: resolver.hp.net
Address: 16.110.135.52

Non-authoritative answer:
cesco.com MX preference = 200, mail exchanger = smtp4.cesco.com
cesco.com MX preference = 100, mail exchanger = smtp1.cesco.com

cesco.com nameserver = dbru.br.ns.els-gms.att.net
cesco.com nameserver = dmtu.mt.ns.els-gms.att.net
smtp1.cesco.com internet address = 204.11.132.20
smtp4.cesco.com internet address = 12.21.127.17
dmtu.mt.ns.els-gms.att.net internet address = 12.127.16.70
dbru.br.ns.els-gms.att.net internet address = 199.191.128.106

> set type=ptr
> 204.11.132.20
Server: resolver.hp.net
Address: 16.110.135.52

Non-authoritative answer:
20.132.11.204.in-addr.arpa name = clearband_020.lightpoint.net

132.11.204.in-addr.arpa nameserver = ns.internetnoc.com
132.11.204.in-addr.arpa nameserver = ns2.internetnoc.com
ns2.internetnoc.com internet address = 208.148.240.66
ns.internetnoc.com internet address = 209.249.160.21
> 12.21.127.17
Server: resolver.hp.net
Address: 16.110.135.52

Non-authoritative answer:
17.127.21.12.in-addr.arpa name = smtp4.cesco.com

127.21.12.in-addr.arpa nameserver = cmtu.mt.ns.els-gms.att.net
127.21.12.in-addr.arpa nameserver = cbru.br.ns.els-gms.att.net
cbru.br.ns.els-gms.att.net internet address = 199.191.128.105
cmtu.mt.ns.els-gms.att.net internet address = 12.127.16.69

One time a user received this NDR:
> Te Non delivery notification received says:
> unable to deliver to wade.cornick@cesco.com
> Unable to deliver the message due to a communication failure
> The MTS-ID of the original message is........
> ironport.domain.com 5.0.0 smtp 5.4.7 - Delivery expired (message too
> old) 'timeout' (delivery attempts: 0).

and mail logs show:
Thu Feb 28 20:00:47 2008 Info: New SMTP ICID 38970663 interface Data 1 (10.32.2.35) address 82.57.160.119 reverse dns host unknown verified no

Thu Feb 28 20:00:47 2008 Info: Connection Error: DCID: 1021388 domain: cesco.com IP: 204.11.132.20 port: 25 details: timeout interface:
10.32.2.35

Currently the bounceconfig is not configured in our cluster. Which values would you recommend for maximum number of retries and the maximum number of seconds a message may stay in the queue before being hard bounced. At the GUI level, in Bounce Profile we have the following settings:

Initial Period to Wait Before Retrying an Unreachable Host: 60 (between 60 and 86400)
Maximum Interval Allowed Between Retries to an Unreachable Host: 3600 (between 60 and 86400)
Wait Before Timing out Reverse DNS Lookups: 20

What is you opinion about the current values?

--------------------------------------------------
CEELECTRONICS.COM
> set type=mx
> ceelectronics.com
Server: resolver.hp.net
Address: 16.110.135.52

Non-authoritative answer:
ceelectronics.com MX preference = 10, mail exchanger = mymail.bright.net

ceelectronics.com nameserver = secondary.dns.bright.net
ceelectronics.com nameserver = primary.dns.bright.net
primary.dns.bright.net internet address = 209.143.0.10
secondary.dns.bright.net internet address = 66.209.140.124
> set type=a
> mymail.bright.net
Server: resolver.hp.net
Address: 16.110.135.52

Non-authoritative answer:
Name: mymail.bright.net
Address: 209.143.0.180

> set type=ptr
> 209.143.0.180
Server: resolver.hp.net
Address: 16.110.135.52

Non-authoritative answer:
180.0.143.209.in-addr.arpa name = mymail.bright.net

0.143.209.in-addr.arpa nameserver = secondary.dns.bright.net
0.143.209.in-addr.arpa nameserver = primary.dns.bright.net
secondary.dns.bright.net internet address = 66.209.140.124

Thanks in advance for your kind advice.
Best regards

bfayne_ironport · ‎03-05-2008

Errors like "550 Denied by Policy" are usually an indicator that you have been blacklisted. This could either be a in-house list that the reciever maintains, or a third-party RBL.

The same goes for cesco.com. I can reach both of their MX hosts from my system without a problem. The fact that you are getting repeat timeouts could indicate either a routing problem, or they are not accepting your connections because of a blacklist.

I apologize in advance if any of this is redundant.

There are several sites that attempt to query several blacklists so you can check quickly. Here's one that I have had good luck with:

http://www.mxtoolbox.com/blacklists.aspx

Just enter the IP that your mail is delivered from.

I would start from there. If you don't find anything, then a check of whois may be in order. The first two domains appear to be registered with Network Solution's anonymizing registration, so you can try sending an email to what is listed in the whois entry and it will be forwarded to whatever the user has on record.

The last domain, CEELECTRONICS.COM, appears to have a couple of phone numbers that you could call.

Getting off of a blacklist can be a daunting task, but I find that letting the reciever know that you are serious about correcting any issues can go a long way.

Good luck