1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Very odd email issue

Discussion in 'Networks' started by ffreeloader, Oct 31, 2007.

  1. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    My boss had an email he sent rejected yesterday because of a dnsbl.

    Here's what's really strange about this.

    1. His ISP is Comcast.
    2. The netblock his actual IP address is located in begins 74.93. It's a static IP and been in use for several years.
    3. His reported computer's host name is xxxxxx.comcast.net
    4. A dns lookup on his computer's host name returns an IP address starting with 204. That's using 6 different name servers belonging to as many different domains.
    5. A whois on the 204. IP address returns the network owner as AT&T WorldNet, not Comcast.

    Has anyone ever seen anything even remotely resembling this? I'm really stumped as to what is going on here. I've never seen anything like it. It looks like it might possibly be cache poisoning of name servers, but that would mean some major ISP's and some very well known dns servers have big problems with respect to dns. I have pointed my internal dns servers to several different name servers to use as forwarders for resolving url's outside my internal network, and all them return the same thing. The dns servers our business servers utilize, Comcast's, return the same thing mine do.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  2. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    A further puzzler on this issue is that his computer host name is reported as being different in the email headers when he sends email to me, than when he sent the email that bounced because of the dnsbl.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  3. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,190
    296
    319
    Have you tried using root hints DNS instead of forwarders? Also do you have a reverse DNS zone for your published domain?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  4. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,623
    115
    224
    For the email part - you need to see *full* email headers to get a handle on what happened.

    Important as well is how the email is sent - i.e. SMTP from his desktop/ via an exchange server/ via a web-mail client.

    The other problems sound like a DNS messup. Check 'whois' to see if anything has happened to the domain.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  5. r.h.lee

    r.h.lee Gigabyte Poster

    1,011
    52
    105
    ffreeloader,

    Which e-mail program is he using?
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  6. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    The dnsbl that blacklisted the IP address did it's own lookup on the host name. They came up with the exact same results as I do. That's how they work.

    Here's how the system works. The mail server receives an email message. It checks the headers, then sends a query to the dnsbl provider with the host url it finds in the email header. The dnsbl provider then uses dns to find the IP address, and checks that against their database of IP addresses to see if it's been blacklisted. If the IP address has been listed, the dnsbl provider sends a message back to the mail server saying that the IP address has been blacklisted. That causes the mail server to bounce(reject rcpt) the email.

    This really has nothing to do with my internal dns servers, or the dns servers our business uses. Our dns queries are nothing more than confirmation of what the dnsbl provider found during its dns lookup.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  7. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,623
    115
    224
    But you can largely put anything you like in the headers. Is this the envelope that is being looked up? (And those can be spoofed as well!).

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  8. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    His email is sent smtp to his isp. The route it took was from his desktop, to his isp's mail server, then it hit our mail server which bounced it due to it being blacklisted. That caused his ISP's email server to send it back to him. I got involved looking into why it was rejected.

    The boss just left to attend a conference so he's gone for the rest of the week and I can't get access to the full email headers until he returns.

    The dnsbl info, host url, and IP address information first came from the logs of our email server as we host a commercial domain for his brother, and that's who the email was sent to. We run an smtp service for the domains we host, and his brother has his business mail hosted in his domain name.

    My dns confirmation of the information on our mail server logs is completely separate from the business dns servers(we don't host our own dns at work), the dnsbl providers name servers, etc.... None of the name server queries made use anything of in common other than the root name servers for the internet.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  9. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    I know this isn't spoofed. It's an email my boss sent, and wants to know why it bounced back to him.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  10. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    He's using Outlook. I don't know why that's even relevant though.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  11. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,190
    296
    319
    Why is he using the ISPs SMTP server, can he not use SMTP on your mail server directly from his mail client? Can you give more detail on the setup?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  12. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    He just uses his ISP's mail server because that's how his email client has always been set up. He could use our smtp server to directly send mail to his brother, but, not use it as his main smtp server. We are set up to be very picky about what we will accept and what we will forward. If the email address isn't in the list of valid email addresses for each virtual domain on the mail server, it will bounce that mail.

    You can send mail to any domain from a local address on the machine, just not when the incoming message has to reach the mail server externally(the internet). It's locked down very tightly. His mail servers always got hammered with spam before and forwarded it by the ton. Since I took it over and moved it to Exim things have changed a lot. Now we bounce, or just black-hole, 99% of the spam without even using an external spam program. We justs use acl's, mail routers, and dnsbl's to do it. It took me a long time to get it right, but it was worth the effort to see all that spam that hits that server die.

    Edit

    We don't run a pop3 server either. So, he'd still have to rely on his ISP's mail service for incoming mail.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  13. r.h.lee

    r.h.lee Gigabyte Poster

    1,011
    52
    105
    ffreeloader,

    I think it is relevant because the application is the beginning of the encapsulation process. An interruption of the encapsulation process may lead to connectivity issues. The classic encapsulation and decapsulation process interruption is a disconnected network cable. However, you gotta start tracing the problem at the beginning of the encapsulation process.

    Next question, what SMTP server address is configured into Outlook?
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  14. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Freddie

    DNSBLs are a nightmare at the best of times. I've lost count of the number of mail admins I know who think they are dealing with a professional organisation when they subscribe to an RBL only to find out with horror that they are little more than an over-zealous NANAE-nut running from their mum's basement.

    If you PM me some of the mail headers I'll take a look - but it sounds like a DNS issue somewhere. Its not likely to be NS Cache Poisoning as there would be some big noise about it in newsgroups and I've seen nowt about it (I was on a couple earlier today trying to locate the source of a similar issue with one of the police force domains in the UK)

    Have you tried running the IP through Trusted Source? That's usually a pretty reliable indicator of any nefarious activity asscoiated with an address
     
    Certifications: A few
    WIP: None - f*** 'em
  15. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,190
    296
    319
    Is is just your bosses brothers email domain that is rejecting the email, is there any other domains that are rejecting the email?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  16. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    Nope. It's our smtp server. I can see it the logs. I can see where it enters the system, and I can see it rejected, and why. I just can't figure out where the information that causes it be rejected comes from. Like I said, this is a very strange issue.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  17. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    BTW, that I know of, none of his other email is bouncing this way. It's just this one email that I'm aware of.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  18. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,190
    296
    319
    So it looks like it may be a DNS issue (as Zeb has said) as email that is addressed *to* your bosses brothers domain is being rejected. Can you run any SMTP diags do get more info?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  19. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,623
    115
    224
    Er - that doesn't make any sense. If it goes from his machine to the ISP why would they send it back to you?

    And if *your* mail-server is bouncing it then it is down to *you* to fix it.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  20. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,623
    115
    224
    Very relevant. Apart from Outlook being a not very good mail client, the settings are important.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+

Share This Page

Loading...