Very odd email issue

Discussion in 'Networks' started by ffreeloader, Oct 31, 2007.

  1. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    My boss had an email he sent rejected yesterday because of a dnsbl.

    Here's what's really strange about this.

    1. His ISP is Comcast.
    2. The netblock his actual IP address is located in begins 74.93. It's a static IP and been in use for several years.
    3. His reported computer's host name is xxxxxx.comcast.net
    4. A dns lookup on his computer's host name returns an IP address starting with 204. That's using 6 different name servers belonging to as many different domains.
    5. A whois on the 204. IP address returns the network owner as AT&T WorldNet, not Comcast.

    Has anyone ever seen anything even remotely resembling this? I'm really stumped as to what is going on here. I've never seen anything like it. It looks like it might possibly be cache poisoning of name servers, but that would mean some major ISPs and some very well known dns servers have big problems with respect to dns. I have pointed my internal dns servers to several different name servers to use as forwarders for resolving URLs outside my internal network, and all of them return the same thing. The dns servers our business servers utilize, Comcast's, return the same thing mine do.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  2. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    A further puzzler on this issue is that his computer host name is reported as being different in the email headers when he sends email to me, than when he sent the email that bounced because of the dnsbl.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  3. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    Have you tried using root hints DNS instead of forwarders? Also do you have a reverse DNS zone for your published domain?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  4. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,624
    117
    224
    For the email part - you need to see *full* email headers to get a handle on what happened.

    Important as well is how the email is sent - i.e. SMTP from his desktop/ via an exchange server/ via a web-mail client.

    The other problems sound like a DNS messup. Check 'whois' to see if anything has happened to the domain.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  5. r.h.lee

    r.h.lee Gigabyte Poster

    1,011
    52
    105
    ffreeloader,

    Which e-mail program is he using?
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  6. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    The dnsbl that blacklisted the IP address did its own lookup on the host name. They came up with the exact same results as I do. That's how they work.

    Here's how the system works. The mail server receives an email message. It checks the headers, then sends a query to the dnsbl provider with the host url it finds in the email header. The dnsbl provider then uses dns to find the IP address, and checks that against their database of IP addresses to see if it's been blacklisted. If the IP address has been listed, the dnsbl provider sends a message back to the mail server saying that the IP address has been blacklisted. That causes the mail server to bounce (reject rcpt) the email.

    This really has nothing to do with my internal dns servers, or the dns servers our business uses. Our dns queries are nothing more than confirmation of what the dnsbl provider found during its dns lookup.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
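    The two lookups discussed in the post above, as an added example that is not part of the original thread and not Exim's own code: a DNSBL query name built from the reversed octets of an address, its 127.0.0.x answer decoded, and the host name a client announces forward-resolved and compared with the address it actually connected from. The stub resolver, the zone name dnsbl.example and every address below are constructed placeholders, chosen only to mirror the symptoms in the thread.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# A resolver maps a name to its A records; [] stands for NXDOMAIN/no answer.
Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, under the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the 127.0.0.x answer code when the address is listed, else None.

    Answers outside 127.0.0.0/8 are ignored: a wildcarded or hijacked list
    zone would otherwise make every address look blacklisted.
    """
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    for answer in resolve(dnsbl_query_name(ip, zone)):
        if ipaddress.IPv4Address(answer) in loopback:
            return answer
    return None


def assess(peer_ip: str, helo_name: str, zone: str, resolve: Resolver) -> Dict[str, object]:
    """Summarise what a receiving server learns about a connecting client."""
    helo_ips = resolve(helo_name)
    return {
        # Does the announced host name actually point back at the connecting address?
        "helo_forward_matches_peer": peer_ip in helo_ips,
        # Is the connecting address itself on the list?
        "peer_listed": dnsbl_listed(peer_ip, zone, resolve),
        # Are the addresses the announced name resolves to on the list?
        "helo_ips_listed": {ip: dnsbl_listed(ip, zone, resolve) for ip in helo_ips},
    }


# Constructed zone data (placeholder addresses, not real hosts or a real list).
CONSTRUCTED_ZONE = {
    "xxxxxx.comcast.net": ["204.0.113.10"],          # announced name resolves elsewhere
    "10.113.0.204.dnsbl.example": ["127.0.0.2"],     # ...and that address is listed
    "1.0.0.10.dnsbl.example": ["192.0.2.1"],         # bogus non-127 answer, must be ignored
}


def stub_resolve(name: str) -> List[str]:
    """Offline stand-in for a DNS resolver, backed by the constructed zone."""
    return CONSTRUCTED_ZONE.get(name, [])
```

    Calling assess("74.93.0.1", "xxxxxx.comcast.net", "dnsbl.example", stub_resolve) reports the connecting address as clean while the announced name resolves to a listed address, which is the mismatch the thread is chasing.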
  7. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,624
    117
    224
    But you can largely put anything you like in the headers. Is this the envelope that is being looked up? (And those can be spoofed as well!).

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  8. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    His email is sent smtp to his isp. The route it took was from his desktop, to his isp's mail server, then it hit our mail server which bounced it due to it being blacklisted. That caused his ISP's email server to send it back to him. I got involved looking into why it was rejected.

    The boss just left to attend a conference so he's gone for the rest of the week and I can't get access to the full email headers until he returns.

    The dnsbl info, host url, and IP address information first came from the logs of our email server as we host a commercial domain for his brother, and that's who the email was sent to. We run an smtp service for the domains we host, and his brother has his business mail hosted in his domain name.

    My dns confirmation of the information on our mail server logs is completely separate from the business dns servers (we don't host our own dns at work), the dnsbl provider's name servers, etc. None of the name server queries made use of anything in common other than the root name servers for the internet.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  9. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    I know this isn't spoofed. It's an email my boss sent, and wants to know why it bounced back to him.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  10. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    He's using Outlook. I don't know why that's even relevant though.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  11. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    Why is he using the ISP's SMTP server? Can he not use SMTP on your mail server directly from his mail client? Can you give more detail on the setup?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  12. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    He just uses his ISP's mail server because that's how his email client has always been set up. He could use our smtp server to directly send mail to his brother, but not use it as his main smtp server. We are set up to be very picky about what we will accept and what we will forward. If the email address isn't in the list of valid email addresses for each virtual domain on the mail server, it will bounce that mail.

    You can send mail to any domain from a local address on the machine, just not when the incoming message has to reach the mail server externally (the internet). It's locked down very tightly. His mail servers always got hammered with spam before and forwarded it by the ton. Since I took it over and moved it to Exim things have changed a lot. Now we bounce, or just black-hole, 99% of the spam without even using an external spam program. We just use ACLs, mail routers, and DNSBLs to do it. It took me a long time to get it right, but it was worth the effort to see all that spam that hits that server die.

    Edit

    We don't run a pop3 server either. So, he'd still have to rely on his ISP's mail service for incoming mail.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  13. r.h.lee

    r.h.lee Gigabyte Poster

    1,011
    52
    105
    ffreeloader,

    I think it is relevant because the application is the beginning of the encapsulation process. An interruption of the encapsulation process may lead to connectivity issues. The classic encapsulation and decapsulation process interruption is a disconnected network cable. However, you gotta start tracing the problem at the beginning of the encapsulation process.

    Next question, what SMTP server address is configured into Outlook?
     
    Certifications: MCSE, MCP+I, MCP, CCNA, A+
    WIP: CCDA
  14. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Freddie

    DNSBLs are a nightmare at the best of times. I've lost count of the number of mail admins I know who think they are dealing with a professional organisation when they subscribe to an RBL only to find out with horror that they are little more than an over-zealous NANAE-nut running from their mum's basement.

    If you PM me some of the mail headers I'll take a look - but it sounds like a DNS issue somewhere. It's not likely to be NS cache poisoning as there would be some big noise about it in newsgroups and I've seen nowt about it (I was on a couple earlier today trying to locate the source of a similar issue with one of the police force domains in the UK).

    Have you tried running the IP through Trusted Source? That's usually a pretty reliable indicator of any nefarious activity associated with an address.
     
    Certifications: A few
    WIP: None - f*** 'em
  15. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    Is it just your boss's brother's email domain that is rejecting the email, or are there any other domains that are rejecting the email?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  16. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    Nope. It's our smtp server. I can see it in the logs. I can see where it enters the system, and I can see it rejected, and why. I just can't figure out where the information that causes it to be rejected comes from. Like I said, this is a very strange issue.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  17. ffreeloader

    ffreeloader Terabyte Poster

    3,661
    106
    167
    BTW, that I know of, none of his other email is bouncing this way. It's just this one email that I'm aware of.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  18. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,718
    543
    364
    So it looks like it may be a DNS issue (as Zeb has said) as email that is addressed *to* your boss's brother's domain is being rejected. Can you run any SMTP diags to get more info?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  19. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,624
    117
    224
    Er - that doesn't make any sense. If it goes from his machine to the ISP why would they send it back to you?

    And if *your* mail-server is bouncing it then it is down to *you* to fix it.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  20. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,624
    117
    224
    Very relevant. Apart from Outlook being a not very good mail client, the settings are important.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
