Category Archives: Bounce Backs

Has your email been Spoofed?

Email spoofing can harm your corporate brand, decrease open rates for your legitimate email, cause legitimate email to be blocked, compromise website security and even create financial complications.  No company is totally immune from malicious email spoofing using their domain, but there are ways to protect yourself.  Spoofing comes in a few different forms:

  • Simple Domain Spoofing – A spammer sends email that looks like it is from your domain but originates from a server that you do not control or that is not in your SPF record.
  • Hacked SPF Sender – A spammer hacks a legitimate sender, one listed in your SPF records, and sends email that appears to be from you.  
  • Hacked Internal Account – A hacker compromises an internal email box and sends email via legitimate sources.  
  • Similar Domain Spoofing – A spammer sets up a complete domain that has a similar name to yours.  For example, “example.com” versus “exarnple.com” or “exampIe.com”.

Recently some fraudsters were brazen enough to attempt to spoof email from MxToolbox.com.  This illustrates how our experts (and MxToolbox Delivery Center Product) protect us from fraud and phishing and how we can protect your company too.  

DNS Configuration

Good email delivery and protection from fraud and phishing attempts requires expert management of your DNS.  Four DNS protocols are particularly important:

  • SPF allows you to delegate outbound email to 3rd parties.
  • DKIM allows you to cryptographically sign email to take ownership of the email you send.
  • DMARC provides two very useful features:
    • Allows you to designate email addresses to receive feedback on your email delivery.
    • Allows you to set an email delivery policy for how inbox providers handle email that isn’t DMARC compliant with either SPF or DKIM.
  • BIMI allows you to provide an icon that inbox providers may display if your email passes DMARC with a strict DMARC policy.

Our spoofer used IP addresses outside of our SPF record, so the messages failed SPF checks and DMARC compliance. Additionally, our DMARC policy is set to reject, so inbox providers knew to discard these failed emails immediately. Our expertly configured DNS helped us reduce the impact of this attack on our email delivery, our customers and the non-customers targeted.

You might think that DNS configuration is all you need to protect your email delivery, but there is more.

Visibility

SPF, DKIM and DMARC Passing Rates

While DNS configuration is the most important first step in email deliverability, you need constant visibility into your email delivery status in order to protect your brand.  MxToolbox Delivery Center provides important insight into your email delivery posture with real-time statistics on SPF, DKIM and DMARC pass and fail rates across all your email senders, legitimate and fraudulent.  

In this case, MxToolbox Experts quickly noticed a spike in email from illegitimate sources. Delivery Center reported this spike by analyzing DMARC reports approximately 24-48 hours before we began to receive bounceback notices from targeted inbox providers. With strict ‘Reject’ DMARC policies in effect, our Expert team could rely on most inbox providers dumping these emails without delivery. However, we still needed to analyze the potential risk.
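The kind of DMARC aggregate-report analysis described above can be sketched as follows. This is an added example, not MxToolbox code; the report is constructed, using documentation IP ranges and example.com in place of a real domain.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed DMARC aggregate report (RFC 7489 layout, trimmed to the fields
# used here). IPs are documentation ranges; example.com stands in for your domain.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>480</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>198.51.100.23</source_ip><count>300</count>
      <policy_evaluated><disposition>reject</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>198.51.100.23</source_ip><count>150</count>
      <policy_evaluated><disposition>reject</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  </record>
</feedback>"""


def summarize(report_xml):
    """Return {source_ip: {"total", "dmarc_fail", "rejected"}} message counts."""
    # Reports come from third parties: in production, parse with a hardened
    # XML parser (for example defusedxml) rather than the stdlib default.
    root = ET.fromstring(report_xml)
    stats = defaultdict(lambda: {"total": 0, "dmarc_fail": 0, "rejected": 0})
    for row in root.iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", default="0"))
        evaluated = row.find("policy_evaluated")
        if ip is None or evaluated is None:
            continue  # malformed record; skip rather than guess
        # DMARC passes when either aligned check (DKIM or SPF) passes.
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = stats[ip]
        entry["total"] += count
        if not passed:
            entry["dmarc_fail"] += count
        if evaluated.findtext("disposition") == "reject":
            entry["rejected"] += count
    return dict(stats)


def flag_sources(stats, min_failures=50):
    """Sources whose DMARC-failing volume reaches min_failures, worst first."""
    flagged = [(ip, s["dmarc_fail"], s["total"])
               for ip, s in stats.items() if s["dmarc_fail"] >= min_failures]
    return sorted(flagged, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for ip, failed, total in flag_sources(summarize(SAMPLE_REPORT)):
        print(f"{ip}: {failed}/{total} messages failed DMARC")
```

The source that passes DKIM but fails SPF is not flagged, because DMARC needs only one aligned check to pass; only the source failing both is reported.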

Bounce Analysis

MxToolbox Delivery Center integrates a Bounceback analysis tool that allows us to analyze bounceback email messages from dozens of inbox providers to determine the reason an email failed to make it to the intended recipient.

[Screenshot: Bounceback analysis tool]

Bounceback messages can help you understand recent attacks and prevent new ones.  For example, a bounceback due to Reverse DNS failure, as above, is an indicator that your spammer was using a server outside of your network and not listed in your SPF as was our recent spammer.  Bounceback messages can also provide insight into other reasons for delivery failure, including blacklisting, malware/spam content and more.

Feedback Loops

The newest visibility feature of MxToolbox Delivery Center incorporates Feedback Loops.  Feedback Loops allow Inbox Providers to return information from inbox owners to the original senders, including much of the original message header.  Analyzing message content and headers returned via feedback loops gives you unique insight into how your email is being perceived by recipients.  Did the recipient report you as spam?  Was the email actually fraudulent?  Was the content yours but appeared spammy?  Feedback loops are very powerful and a necessary part of maintaining high quality email delivery.  

Get ahead with Delivery Center

To maintain the highest levels of email deliverability, businesses like yours need a proven Email Delivery management system like MxToolbox Delivery Center.  Delivery Center provides you with valuable insight into your email delivery posture and the on-going maintenance necessary to maintain peak performance:

  • Who is sending email purporting to be from your domain
  • What is the reputation of your senders’ IPs
  • Geolocation of your senders and what their blacklist reputations are
  • How your SPF, DKIM and DMARC setup is performing
  • What senders are failing DKIM
  • What senders are failing SPF verification
  • When to set up more restrictive policies for DMARC
  • What on-going maintenance you need to maintain and improve your email deliverability

 

The Death of a Blacklist

From time to time a Blacklist will go permanently offline. Unlike a failed website that often goes down with little or no noise, a blacklist tends to end with a bang. This was the case with the recent loss of Burnt-Tech. Blacklists typically have many anonymous subscribers using their lists, so there are only a few mechanisms that can be used to let subscribers know the end is near. Typically, the protocol is to Blacklist the entire Internet. This may sound extreme, but it is very successful at driving awareness.

For email admins the story is simple

If email admins get a positive blacklisting on their servers, they tend to go look at why the rejection rate for a particular blacklist has spiked.  Once they do visit the blacklist website, they’ll get the complete story and can remove the blacklist from mail filter algorithms pretty easily.  This typically happens within a day or so, but could be delayed over a weekend (as in the case of Burnt-Tech).

The difference is for legitimate emailers

Legitimate emailers subscribe to services like MxToolbox to know when they are at risk of mail rejection due to blacklisting.  When we see an IP on a blacklist, we immediately alert you.  When it happens for all our customers, we look into the blacklist and will suspend the blacklist and try to notify our customers of the change.  While email admins may still block your email while they are removing the failing blacklist from their filters, this is only temporary.  The good news:  you didn’t do anything to get on the blacklist.  It’s safe to ignore the blacklisting event, even though you may experience a few bounce-backs.  Everyone else in the world is experiencing the same bounce-backs as you, but at least you know why!
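A mail filter or monitor can detect a list that has started listing the entire Internet and stop trusting it automatically. The sketch below is an added example, not MxToolbox code; it relies on the RFC 5782 convention that 127.0.0.2 is always listed and 127.0.0.1 never is. The zone names and the fake_lookup resolver are constructed so it runs offline.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: reversed IPv4 octets plus the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_lookup(name):
    """True when the name resolves to an A record (needs network access)."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False


def list_state(zone, lookup=system_lookup):
    """Classify a list using the RFC 5782 test entries."""
    if lookup(dnsbl_query_name("127.0.0.1", zone)):
        return "lists-everything"   # 127.0.0.1 must never be listed
    if not lookup(dnsbl_query_name("127.0.0.2", zone)):
        return "not-answering"      # 127.0.0.2 must always be listed
    return "healthy"


def check_ip(ip, zones, lookup=system_lookup):
    """Return (zones that genuinely list ip, {zone: reason} for skipped lists)."""
    listed, skipped = [], {}
    for zone in zones:
        state = list_state(zone, lookup)
        if state != "healthy":
            skipped[zone] = state          # do not count this as a listing
        elif lookup(dnsbl_query_name(ip, zone)):
            listed.append(zone)
    return listed, skipped


# Constructed resolver standing in for DNS so the example runs offline.
# All three zones are hypothetical.
def fake_lookup(name):
    if name.endswith(".dead.dnsbl.example"):
        return True                        # retired list answering for everything
    if name.endswith(".gone.dnsbl.example"):
        return False                       # zone no longer answers at all
    return name in {"2.0.0.127.live.dnsbl.example",
                    "7.2.0.192.live.dnsbl.example"}


ZONES = ["live.dnsbl.example", "dead.dnsbl.example", "gone.dnsbl.example"]

if __name__ == "__main__":
    print(check_ip("192.0.2.7", ZONES, fake_lookup))
    print(check_ip("192.0.2.8", ZONES, fake_lookup))
```

Any A record is treated as a listing here; real lists often encode the listing reason in the returned 127.0.0.x value.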

 

Other Email Bounce Backs and Their Meanings

Bounce backs and error codes for email can be very mysterious and misleading. To help better understand them, we have started a new series on the blog dedicated to demystifying these occurrences. To read all of the blogs in this series please follow this link.

We’ve already covered a few of the different types of bounce backs but we haven’t really even scratched the surface! Email error messages can be broken down into three groups: User Error Messages, Domain Error Messages and Anti-Spam Error Messages.

User Error Messages
These are typically local issues with the user’s email account or email client. They include mailbox is full, message exceeds size limit (attachment size), and user unknown, mailbox unavailable or invalid recipients.

User Unknown
Probably the most common bounce back we see is the user unknown, mailbox unavailable or invalid recipients error. Simply put, the email address you are attempting to email doesn’t exist. Typically these are due to misspellings of the user name or domain.

<user@domain.com>: host domain.com said:
550 5.1.1 <user@domain.com> is not a valid mailbox

<user@domain.com>: Sorry, no mailbox here by that name. (#5.1.1)

<user@domain.com>: host domain.com said:
550 Invalid recipient

If you receive a similar bounce back, confirm the spelling of the entire email address and resend if necessary. If you have confirmed the spelling then you can try and contact the user via an alternate method. Sometimes users don’t know they are having an issue!

Mailbox is full
Most mail systems have a limit on how much email is allowed to remain on the server for each individual user. If that limit is reached the server will not allow them to accept any new mail.

<user@domain.com>: User is over the quota. You can try again later.

<user@domain.com>: host domain.com said:
552 <user@domain.com>… Mailbox is full

Since this is a local issue with the user’s mailbox, their system administrator will need to either make room for new mail or increase their storage allocation. Typically you can resend your message a bit later as this type of problem is easily resolved. Keep in mind that if you continue to receive the error, it may mean that the account is no longer being monitored.

Message Exceeds Size Limit
This error indicates that the size of the message, including email headers, message content and attachments, exceeds the domain's per-message size limit. Typically most mail servers only allow 5-10 MB per message as a default. Email was never meant to be a way to send large attachments; it is instead recommended to use a 3rd party sending service, FTP server or another alternate method.

<user@domain.com>: host domain.com said:
552 message size exceeds maximum message size

<user@domain.com>: host domain.com said:
552 Message size exceeds fixed maximum message size

Domain Error Messages
These types of errors usually have to do with a domain's registrar expiration or DNS issues. If these issues occur you may receive a bounce back indicating a Connection Timed Out or Domain Not Found.

Connection Timed Out
A “connection refused,” or “connection timed out” error usually indicates a message sending issue. This could be due to a high volume of messages, an external spam attack on the server or an internal setup problem. Typically these are resolved rather quickly by the server automatically so you can resend your message a bit later.

<user@domain.com>: connect to 1.2.3.4: Connection Timed Out

Domain Not Found
If you receive an error indicating that the domain could not be found or that no DNS record exists, this means that the domain doesn’t exist. This may be a temporary issue where the domain has expired or it could mean there is an MX Record issue with their DNS.

<user@domain.com>: Name service error for domain domain.com:
Host not found, try again

Anti-Spam Error Messages
Everyone hates to get spam and there are hundreds of ways to try and stop it. One way that administrators use is to issue bounce backs if they believe a message is spam.  Often times, these are custom created bounce-backs so the error codes can vary, but the message is all the same. Stop sending spam!

NOTE: We do not advise using bounce backs to combat spam. This form of anti-spam may actually allow your users to get MORE spam. Instead we would highly recommend that anyone running a Business Email Server invest in an advanced heuristic spam, virus and phishing protection service, with controls featured in modern anti-spam and anti-virus products and services such as our own Spam and Virus Business Email Protection. We also include these services in our Email Hosting services.

<user@domain.com>: connect to domain.com: 550 Connection refused – we hate spammers!

<user@domain.com>:host domain.com said: 554 Denied

<user@domain.com>:host domain.com said: 552 spam source blocked

If you are receiving these types of bounce backs, we would highly recommend checking if your mail-server IP Address is on a Blacklist. While your mail may be legitimate to you, others may not see it that way. If your company gets Blacklisted, it could cause major trouble for your business and slow down communication with your current customers or prospects and in general, the outside world.

There are many reasons an IP Address may end up on a Blacklist. More often than not it’s because the administrators controlling it have not taken appropriate steps to secure their email infrastructure or the network has workstations that have been compromised by spammers, hackers, or virus propagators.

Bounce messages are all very different and may contain different languages but diagnosing the error code can help you understand it.  A good rule of thumb is to ensure that your messages are clean, simple and desirable.  This will go a long way to making sure your message reaches the recipient.

Taking the time to ensure that your messages get delivered is incredibly important.  Take the extra step and get advanced, real-time monitoring of your server against blacklists, as well as availability and performance. Please visit our website to learn more – MxWatch Monitoring – Email | Website | Network.

Additional Resources
400/500 Email Bounce Back Errors Explained
How to Read Email Bounce Backs and Errors
What Blacklists Are & How MxToolBox Helps

Non-Delivery Report (NDR) Spam or Backscatter Spam

Bounce backs and error codes for email can be very mysterious and misleading. To help with that we have started a new series on the blog dedicated to demystifying these occurrences. To read all of the blogs in this series, go here.

In our continuing blog series about bounce backs and error codes we wanted to talk about NDR Spam or Backscatter Spam. As we all know, spammers are tricky devils and they spend the majority of their time learning to adapt and circumvent email defense systems. One example that demonstrates the type of adaptability that Email Security professionals have to deal with is Backscatter spam. As an operator of a legitimate email server, one of the things your server does to be helpful to other servers is generate email containing error messages when messages encounter problems. For example if somebody sends you an email to an address that doesn’t exist, it is helpful for your server to send the original sender a Non-Delivery Report (NDR) notification to let them know that their message wasn’t delivered.

Unfortunately spammers can exploit this feature by creating a message with a forged Sender (From: field) so that it will reach their intended target. They then send this message to an email address they know doesn’t exist on your server in your domain. Your server kindly sends back a notification to the person it thought sent the message. In fact, you have just delivered the spammer's message from your own server and IP address, which the target most likely trusts. This type of spam is difficult to detect and block because it is technically a legitimate notification.

The solution to eradicate this type of spam is to perform the test to see if the user exists during the SMTP conversation. By doing that, your server is never actually accepting the message from the sender and therefore need not generate a notification message. The sending server with a legitimate message for a non-existent address is then responsible for notifying its own user of the failure.
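The difference between accepting a message and bouncing it later, versus rejecting the unknown recipient during the SMTP conversation, is modelled below from the receiving server's side. This is an added example, not code from the original post; the addresses are constructed, the reply texts are illustrative, and it assumes the NDR is addressed to the envelope sender given in MAIL FROM.

```python
def receive(mail_from, rcpt_to, valid_recipients, validate_at_rcpt):
    """Simulate the receiving server for one message.

    Returns (transcript, ndrs): the SMTP dialogue as (side, line) pairs and
    the addresses that would be sent a Non-Delivery Report afterwards.
    """
    transcript = [("C", f"MAIL FROM:<{mail_from}>"), ("S", "250 2.1.0 Sender OK")]
    accepted = []
    for rcpt in rcpt_to:
        transcript.append(("C", f"RCPT TO:<{rcpt}>"))
        if validate_at_rcpt and rcpt not in valid_recipients:
            # Rejected inside the conversation: the sending server, not us,
            # has to tell its own user about the failure.
            transcript.append(("S", "550 5.1.1 User unknown"))
        else:
            transcript.append(("S", "250 2.1.5 Recipient OK"))
            accepted.append(rcpt)
    if not accepted:
        # Nothing was accepted, so there is no message to bounce later.
        transcript += [("C", "QUIT"), ("S", "221 2.0.0 Bye")]
        return transcript, []
    transcript += [("C", "DATA"), ("S", "354 End data with <CR><LF>.<CR><LF>"),
                   ("C", "."), ("S", "250 2.0.0 Queued")]
    # After acceptance the server owns the message: each undeliverable
    # recipient produces an NDR addressed to the (possibly forged) sender.
    # A message with an empty envelope sender is itself a bounce and is
    # never bounced again.
    ndrs = [mail_from for rcpt in accepted
            if rcpt not in valid_recipients and mail_from]
    return transcript, ndrs


# Constructed sample data.
VALID = {"alice@example.com"}
FORGED_SENDER = "bystander@example.net"

if __name__ == "__main__":
    for mode in (False, True):
        dialogue, ndrs = receive(FORGED_SENDER, ["nosuchuser@example.com"],
                                 VALID, validate_at_rcpt=mode)
        print(f"validate_at_rcpt={mode}: NDRs sent to {ndrs}")
        for side, line in dialogue:
            print(f"  {side}: {line}")
```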

How to Handle Non-Delivery Reports
With Exchange servers, non-delivery reports (NDRs) are enabled. You can disable them by using Exchange System Manager. You can also specify who can receive copies of NDRs.

To disable NDRs in Exchange 2003, follow these steps:

  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand the Global Settings container in the left pane, click Internet Message Formats, right-click the Default object, and then click Properties.
  3. Click the Advanced tab.
  4. Click to clear the Allow non-delivery reports check box, and then click OK.

To specify who can receive copies of NDRs, follow these steps:

  1. Under Administrative Groups, expand First Administrative Group, expand Servers, expand server name, expand Protocols, expand SMTP, and then open the Default SMTP Virtual Server properties.
  2. Click the Messages tab, and then add an address to the Send copy of non-delivery report to field.
  3. Stop, and then restart the MS Exchange Routing Engine and SMTP services.

“Lock Down”
Another method to ensure that your server is not helping create Backscatter spam is to have a perimeter Lock Down in place. This will protect your entire network and company by using a Perimeter Defense Email system that will prevent spam and viruses from ever reaching your network.

We highly recommend that anyone running a Business Email Server invest in an advanced heuristic spam, virus and phishing protection service, with controls featured in modern anti-spam and anti-virus products and services such as our own Spam and Virus Business Email Protection. We also include these services in our Email Hosting services. It will pay off a thousandfold in the long run. Most good anti-spam solutions do a reasonable job of limiting the impacts of NDR spam attacks. But almost all will still allow a sender to try quite a few bad recipients before shutting them down.

Additional Resources:
http://support.microsoft.com/kb/294757
How to Read Email Bounce Backs and Errors

Bounce Backs: Denied For Spam, Message Rejected, Spam Source Blocked, What Does it Mean?

Bounce backs and error codes for email can be very mysterious and misleading. To help better understand them, we have started a new series on the blog dedicated to demystifying these occurrences. To read all of the blogs in this series please follow this link.

Have you ever received a bounce back that refers to your message as being blocked because it was considered spam? While the actual language of the bounce back or error message may vary, a 500 error code does mean the message could not be delivered to the recipient (400/500 Email Bounce Back Errors Explained). In this particular case, we are referring to bounce backs that reference messages as being denied due to spam or IP reputation. The bounce back message itself will help identify why the message may have been denied (How to Read Email Bounce Backs and Errors): the content of the message, unsolicited commercial email, or a sending IP Address reputation problem at the Internet Service Provider (ISP) or email provider (Blacklist).

Example Bounces
551 Denied for Spam
554 Service unavailable; Client host [<hostname>] blocked using Barracuda Reputation
554 Your access to this mail system has been rejected due to the sending MTA’s poor reputation
554 Denied (Mode: normal)
550 5.7.1 Message rejected as spam by Content Filtering
571 spam source blocked – psmtp

Message Content
The subject line and content of an email message are incredibly important! These two components can often lead to a spam filter flagging a message as spam and either placing the message in the recipient’s Junk Folder or worse, sending the message into a black hole never to be seen. We highly recommend taking extra time to ensure that your message has valuable content that someone would want to read and doesn’t sound too “spammy” or “salesy.”  This may seem simple, but it is amazing how often this is overlooked.

Another critical element to consider when constructing your message is that most larger Email Service Providers are using human influence in their spam scoring. This human touch is important to consider as users finally have the power to influence spam filtering. When users mark a message as spam some providers use this data to flag similar emails as spam and may add your email address, domain, or IP to a Blocked List. Sometimes the message is in fact a legitimate mailing that was requested by the end user but in the end if the recipient does not want the message in their inbox, they will often mark it as spam (The Search for the Perfect Spam Filter – October Newsletter).

Email Signatures
We have been seeing more and more issues with email signatures causing messages to be blocked. Just like the content of your message, be sure to keep your signature simple and free of extraneous information. For instance, if you are recommending an outside company’s URL, make sure they are not Blacklisted and that they don’t have domain reputation problems. If certain messages are not getting through your recipient’s spam filter, make sure your signature is as clean as possible. You may also consider removing any images in your signature, as including images is a tactic that spammers will often use.

Explicit Blocked List
Another way that you could receive this bounce back message is if your email address or domain has been added to an explicit block list. This means that someone adjusted their spam filters to specifically block messages from your email address or domain. Unfortunately there is not much you can do in this case other than reach out to the recipient by other means to ask if they will consider removing the block. However, if they took the time to adjust the filters they usually have a reason for it.

Blacklist
If your company gets Blacklisted it could cause major trouble for your business and slow down your communication with current customers, prospects and in general, the outside world. A Blacklist, also known as a Real Time Blacklist (RBL), is a list of problematic IP Addresses compiled by organizations monitoring spam on the Internet. There are many such organizations ranging from one person tinkering in their free time to large multinational corporations. MxToolBox provides a Free Blacklist Lookup Tool that will check an IP Address against over 100 different blacklists. We do not control nor are we affiliated with any of the organizations running the lists; the tool simply performs a search against each list and aggregates the data into one result. Without such a tool in place, you would need to go to the website for each list and manually search for yourself. There are many reasons an IP Address may end up on a Blacklist. More often than not it’s because the administrators controlling it have not taken appropriate steps to secure their email infrastructure or the network has workstations that have been compromised by spammers, hackers, or virus propagators.

Bounce messages are all very different and may contain different language but if they contain wording like Denied, Spam, and the like, it means they were more than likely blocked due to one of the issues listed above. Ensuring that your messages are clean, simple and desirable to the recipient will go a long way to making sure your message reaches the recipient.

Taking the time to ensure that your messages get delivered is incredibly important. Take the extra step and get advanced, real-time monitoring of your server against blacklists, as well as availability and performance. Please visit our website to learn more – MxWatch Monitoring – Email | Website | Network.

Additional Resources
400/500 Email Bounce Back Errors Explained
How to Read Email Bounce Backs and Errors
What Blacklists Are & How MxToolBox Helps

400/500 Email Bounce Back Errors Explained

Bounce backs and error codes for email can be very mysterious and misleading. To help with that we have started a new series on the blog dedicated to demystifying these occurrences. To read all of the blogs in this series, go here.

Bounce backs and error codes might look like they need to be deciphered with a secret decoder ring. We are going to try here to shed some light on them so you can crack them open and extract the goodness within. So let’s work together to understand the two most common types of bounce backs. When a bounce back message is generated, the mail server that issued it is attempting to let you know there was a problem with sending the message and give you some information so you have an idea of what went wrong.

We are going to first break bounce backs into two main categories. Every bounce message will include a three digit number which is its “reply code”. This is different from the series of numbers, usually three, separated by periods. The reply code is defined by the SMTP protocol. These other error codes are defined by specific mail server software packages and configurations and can be unique to each vendor.

The three digit reply code will either start with a 4 or a 5. These are commonly referred to as 400’s and 500’s as a group.

Basically if the number starts with a 4 it means the message delivery is having a temporary issue and will be delayed – these are called deferrals. If the message starts with a 5 then the message failed and was not sent to the recipient – these are called fatal message errors.

Deferrals (400)
A 400 bounce back indicates that there has been a delay or issue in sending your message. When this type of bounce back is sent to you, it means that your mail server will attempt to retry to send the message. If the retries are unsuccessful, the mail server will eventually stop trying to send the message after a specified amount of time. This amount of time is dictated by your server administrator but the typical time frame is a few days. If you don’t receive another bounce back it usually indicates that your message was able to be sent after a few tries and/or the issue was resolved. If you receive a fatal bounce back (500 error), it does mean that the message failed.

Fatal Bounce Back (500)
If the issue could not be resolved or there is another type of problem you may receive a 500 error. If the bounce back includes a 500 number, this means that the message was not delivered due to an error. The errors can vary across the board but typically it is an issue with one of the following: the email itself (misspelling, mailbox is full, etc.), your rDNS is not configured correctly, your server may be Blacklisted, or the message was blocked by the recipient spam filters due to content, attachment or a virus.
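The reading rule above (find the three digit reply code, keep it apart from the dotted code, then decide between deferral and fatal) can be automated. This is an added example, not MxToolbox code: the sample lines are bounce strings quoted elsewhere on this page, and the keyword lists that sort a bounce into the user, domain and anti-spam groups are assumptions chosen to fit those samples.

```python
import re
from typing import NamedTuple, Optional

# Three digit SMTP reply code: starts with 4 or 5, followed by a space or hyphen.
REPLY_CODE = re.compile(r"(?<![\d.])([45]\d\d)(?=[ -])")
# Dotted status code such as 5.1.1 (but not part of an IP address like 1.2.3.4).
ENHANCED_CODE = re.compile(r"(?<![\d.])([45]\.\d{1,3}\.\d{1,3})(?![\d.])")

# Heuristic keyword rules (an assumption of this example); the first match wins,
# so "Connection refused - we hate spammers!" is treated as anti-spam.
RULES = [
    ("anti-spam", ("spam", "denied", "blocked", "reputation")),
    ("user", ("mailbox", "recipient", "quota", "no such user", "message size")),
    ("domain", ("timed out", "connection refused", "host not found",
                "name service error")),
]


class Bounce(NamedTuple):
    reply_code: Optional[str]
    enhanced_code: Optional[str]
    severity: str   # "deferral", "fatal" or "unknown"
    group: str      # "user", "domain", "anti-spam" or "other"


def classify(line):
    """Extract the codes from one bounce line and classify it."""
    reply = REPLY_CODE.search(line)
    enhanced = ENHANCED_CODE.search(line)
    reply_code = reply.group(1) if reply else None
    enhanced_code = enhanced.group(1) if enhanced else None
    # The leading digit decides: 4 is a deferral, 5 is a fatal error.
    first = (reply_code or enhanced_code or "?")[0]
    severity = {"4": "deferral", "5": "fatal"}.get(first, "unknown")
    text = line.lower()
    group = next((name for name, words in RULES
                  if any(word in text for word in words)), "other")
    return Bounce(reply_code, enhanced_code, severity, group)


# Bounce strings quoted on this page.
SAMPLES = [
    "550 5.1.1 <user@domain.com> is not a valid mailbox",
    "<user@domain.com>: User is over the quota. You can try again later.",
    "552 Message size exceeds fixed maximum message size",
    "<user@domain.com>: connect to 1.2.3.4: Connection Timed Out",
    "554 Denied (Mode: normal)",
    "550 5.7.1 Message rejected as spam by Content Filtering",
    "4.3.1 Insufficient system resources",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), "<-", sample)
```

Bounces with custom wording and no code at all come back as "unknown", which is the cue to read the full message and headers by hand.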

Remember that knowledge is power!  We at MxToolBox are constantly educating ourselves about all the different bounce backs that exist.  Also keep in mind that with some Vendors and ISPs you have the ability to create custom bounce back errors…so you always have to be on your toes!

If you are concerned about mail delays or other performance issues with your server we would highly recommend trying our Premium MailFlow Monitoring. This service sends a message through your server and back to our datacenter. This unique method allows us to provide complete mail flow visibility on your server. This can help uncover issues that might be creating delays as well as detecting both inbound or outbound mailflow failures.

In addition to alerts for failure, you can login to see daily, weekly and/or monthly historical statistics. This method allows you to get a true picture of the performance of your mail server.

Footnotes:
http://en.wikipedia.org/wiki/Non_delivery_report
http://tools.ietf.org/html/rfc821#page-35 – List of Reply Codes
http://tools.ietf.org/html/rfc821#page-48 – Theory of Reply Codes

550-”5.7.1 Message rejected as spam by Content Filtering.” – Intelligent Mail Filtering with Exchange

Bounce backs and error codes for email can be very mysterious and misleading. To help with that we have started a new series on the blog dedicated to demystifying these mysteries. To read all of the blogs in this series, go here.

This is an error that our customers run into pretty often here at MxToolBox so we thought we would help explain the cause and provide some solutions to remedy it. By default Microsoft either installs or recommends that the Intelligent Message Filtering (IMF) service be enabled on all installations of Exchange.

While the IMF can be somewhat helpful, it can be a detriment if you as the administrator don’t remember or even realize that it was installed on the server in the first place.  This can be especially troublesome when you have an additional 3rd party filtering service in place.  If you have IMF installed it essentially means you are double filtering your mail, once at the 3rd party spam filter and once at the Exchange Server. In cases that a 3rd Party Filtering is in place we typically recommend disabling the IMF feature. This is of course just a recommendation and you should do whatever you feel is best for your network environment.

How Does the IMF Identify Messages as Spam?
When a message reaches an Exchange Server with IMF installed, IMF will evaluate the textual content of the messages and then assign the message a Spam Confidence Level (SCL) rating from 1-9 based on the probability the message is Unsolicited Commercial Email (UCE).  This rating is then compared to the threshold set under Message Delivery Properties > Intelligent Message Filter in the Exchange System Manager.

How Do I Find Messages in the IMF?
Theoretically the IMF is supposed to place messages that it found as spam in your Outlook Junk Folder. Unfortunately, this doesn’t always tend to be the case. If you have reports that messages are “missing” on your server and you can’t find them, check the IMF! To check this service, you will need to make sure that you have the Archiving option enabled. You can view the *Archived folder location here: C:\program files\[YOUR SERVER]\mailroot\[SMTP VIRTUAL SERVER]\ucearchive.

*To view these archived messages you will need to download and install a 3rd-party tool.  If you have any recommendations regarding these tools, please leave them in the comments below.

Where is IMF installed?
When IMF is installed a new tab is added to the Exchange System Manager. For Exchange 2003, the tab is under Message Delivery > Properties under Global Settings.

There is also a new Intelligent Message Filtering node under Protocols > SMTP – This is where you enable IMF.

For Exchange 2007, it is under Exchange Management Console Server Configuration > Hub Transport > Anti – Spam.

As you may be aware, the native spam-filtering features in Exchange are typically too basic for most organizations.  While there is no question that IMF can improve Exchange’s ability to catch spam, you shouldn’t rely solely on this feature.  The IMF feature in Exchange simply cannot live up to the advanced heuristic spam, virus and phishing protection and controls featured in modern anti-spam and anti-virus products and services such as our own Spam and Virus Business Email Protection. We also include these services in our Email Hosting services.

Additional Sources:
http://technet.microsoft.com/en-us/library/bb266926(EXCHG.65).aspx
http://www.msexchange.org/tutorials/microsoft-exchange-intelligent-message-filter.html
http://support.microsoft.com/kb/867633

‘4.3.1 Insufficient system resources’ – Back Pressure Feature Exchange 2007

Bounce backs and error codes for email can be very mysterious and misleading. To help with that we have started a new series on the blog dedicated to demystifying these mysteries. To read all of the blogs in this series, go here.

We see this type of error pretty often here at MxToolbox and so we wanted to post about it here. Customers' Exchange servers can mistakenly react to normal mail flow and cause a disruption in service. The error returned is ‘4.3.1 Insufficient system resources’.

A feature called Back Pressure in Exchange 2007 can sometimes cause this error to be received when we try to deliver messages to the customer server. When Back Pressure detects overused resources the Exchange Server controls system resources to prevent them from being overwhelmed and it allows the delivery process for current messages to be worked out. All these processes are part of the Back Pressure feature which is responsible for monitoring certain Exchange Server 2007 resources.

The drive on which the Queue DB and logs are stored must have 4GB or more free space, otherwise the server will apply back pressure and start slowing the flow of messages! The main database file is called mail.que and by default can be found here:

C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue

Other helpful articles:
http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/understanding-back-pressure-feature-exchange-server-2007.html
http://exchangepedia.com/blog/2007/03/exchange-server-2007-transport-452-431.html

How to Read Email Bounce Backs and Errors

Bounce backs and error codes for email can be very mysterious and misleading. To help with that we have started a new series on the blog dedicated to demystifying these occurrences. To read all of the blogs in this series, go here.

To kick off our series on demystifying and understanding email bounce backs and errors, we thought it would benefit everyone to go over how to read a bounce back. Some bounce backs are very cryptic and full of codes and numbers. How are you supposed to figure it out? Let’s break down a typical bounce back:

  1. The top part of this message is the actual bounce back. This is the “meat” of what you need to identify.  Sometimes bounces include lots of numbers and codes; ignore all that and find the string that references the 400 or 500 number.  (What’s the difference between a 400 and a 500 error?).  In this case the error is ‘550 No such user’. Since this account doesn’t exist at mxtoolbox.com the message was bounced by the recipient server.
  2. The second half of the bounce is the email headers. Keep in mind that not all bounce backs include this information, however, most do. This information is really helpful as it contains the Sender, Recipient, Date, Time and Subject, as well as server hops. If you are unable to figure out the issue, make sure you send the complete bounce back including the email headers to your IT administrator.  All of this information is critical in understanding a bounce back. If you need help reading headers, try our free tool, the Header Analyzer. It makes the email header a bit easier to read.
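The two-part reading described above, as an added Python example that is not part of the original post: it pulls the 4xx/5xx reply out of the notice, labels it temporary or permanent, and summarizes the returned headers. The `SEPARATOR` line and both sample messages are constructed assumptions; the second sample is the ‘4.3.1 Insufficient system resources’ reply from the Back Pressure post.

```python
import re
from email import message_from_string

# SMTP reply code (4xx/5xx), optional enhanced status code (x.y.z), then text.
REPLY = re.compile(
    r"(?<![\d.])([45][0-5]\d)[ -](?:([45]\.\d{1,3}\.\d{1,3})\s+)?([^\r\n]+)")

# Assumed divider between the notice and the returned headers; the real
# wording differs between mail servers.
SEPARATOR = "--- Original message headers ---"

def read_bounce(raw):
    """Return the SMTP error and the returned-header summary of a bounce."""
    notice, _, returned = raw.partition(SEPARATOR)
    match = REPLY.search(notice)
    if match is None:
        return None
    code, enhanced, text = match.groups()
    headers = message_from_string(returned.lstrip())
    return {
        "code": code,
        "enhanced": enhanced,
        "text": text.strip(),
        # 4xx is a temporary failure (the sender retries); 5xx is permanent.
        "kind": "temporary" if code[0] == "4" else "permanent",
        "sender": headers.get("From"),
        "recipient": headers.get("To"),
        "subject": headers.get("Subject"),
        "hops": len(headers.get_all("Received", [])),  # one Received per hop
    }

# Constructed samples, not taken from a real bounce.
NO_SUCH_USER = """\
Delivery to the following recipient failed permanently:

    nobody@example.com

Technical details: 550 No such user

--- Original message headers ---
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by relay.example.net; Mon, 5 Jan 2009 10:00:02 -0600
Received: from desktop.example.org (desktop.example.org [192.0.2.44])
    by mail.example.org; Mon, 5 Jan 2009 10:00:00 -0600
From: sender@example.org
To: nobody@example.com
Subject: Quarterly report
"""
BACK_PRESSURE = "Remote server said: 452 4.3.1 Insufficient system resources\n"
```

Only the notice is searched for the reply code, so numbers in the returned headers (dates, IP addresses) are never mistaken for an SMTP error.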

Microsoft Exchange
As with all things Exchange, they have their own way of doing things. Exchange bounces include a top header section; however, we tend to ignore that section as it has very little helpful information.  Remember to focus on the “Technical details” or the “Diagnostic Information for administrators” section, as this is the “meat” of the data you need to analyze.   You may also notice that Exchange bounces include two conflicting “who rejected your message” statements. The second one, labeled “Generating Server”, is generally the server that issued the bounce.

Remember that knowledge is power!  We at MxToolbox are constantly educating ourselves about all the different bounce backs that exist.  Also keep in mind that with some vendors and ISPs you have the ability to create custom bounce back errors, so you always have to be on your toes!

If this is a bit overwhelming or you don’t want to mess with understanding bounce backs or error codes, don’t worry.  It can take years of experience to feel comfortable reading and deciphering this information. We understand that you just want your email to work!  Implementing one of our Managed Business Email Products such as Spam and Virus Filtering or Hosted Email can help alleviate these issues and put someone in your back pocket to help understand when these problems occur.

Blocking Non-Delivery Report (NDR) spam with HTML Attachments

We have posted a few helpful hints for users that are experiencing problems with Password Reset requests, UPS, Western Union, YouTube and other forms of spam. However, it looks like the spammers are altering the message to adapt to the changes that Postini and other vendors are making, so more updates to the filters are expected.

We recommend enabling a temporary custom attachment filter within Postini that blocks all messages with a .html attachment. NOTE: If this filter is applied, it will block any legitimate message with that type of attachment. See below for the steps to enable the filter and the recommended settings:

Attachment Manager Filter Steps
  1. Access the customer’s Postini User Org and enable the Inbound Attachment Manager.
  2. To build a custom filter for blocking .html attachments, select Filter and follow the image below:

  3. We highly recommend enabling ‘Scan inside compressed file types’ and ‘Enable binary scanning’ as this may also help with any future evolutions.
  4. Be sure to add ‘html’ under ‘2. Custom Filter Types’, and send matches either to User Quarantine (in case of false positives) or to Quarantine Redirect.
  5. Click Save and the filter is applied.
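To show what such a filter matches, here is an added Python sketch (not Postini's implementation and not code from the original post) that lists the attachments an ‘html’ filter would quarantine, including ones inside a zip archive as with ‘Scan inside compressed file types’. The function names, the sample message and the choice to quarantine unreadable archives are assumptions made for the example.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

def blocked_attachments(raw, blocked=(".html",)):
    """List attachment names an 'html' attachment filter would quarantine."""
    hits = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue  # body parts and containers carry no filename
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(blocked):
            hits.append(name)
        elif data[:4] == b"PK\x03\x04":  # zip archive, identified by content
            # Counterpart of 'Scan inside compressed file types'.
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    hits += [f"{name}/{m}" for m in zf.namelist()
                             if m.lower().endswith(blocked)]
            except zipfile.BadZipFile:
                hits.append(name)  # assumption: unreadable archives are held
    return hits

def build_sample():
    """Constructed NDR-style message (not from the page), three attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.html", "<html>constructed</html>")
    msg = EmailMessage()
    msg["From"] = "postmaster@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Delivery Status Notification (Failure)"
    msg.set_content("Your message could not be delivered.")
    msg.add_attachment("<html>constructed</html>", subtype="html",
                       filename="Notice.HTML")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="details.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()
```

The extension match is case-insensitive, and the PDF passes untouched, which is the same trade-off the NOTE above describes: every .html attachment is held, legitimate or not.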

MxToolbox has partnered with WebRoot to offer Web Filtering to protect your network from attacks through the web browser. For more details on the protection that this program can offer, go here.