Koozali.org: home of the SME Server

email failure notice interpretation

wjhobbs
« on: January 02, 2009, 04:24:41 PM »
My vast ignorance is showing. I received 2 'failure notice' messages from qmail-send (same time) and I do not know how to interpret what they are telling me. The messages are reproduced below (with the original message content removed). I would like to understand what has happened and what I should do in response.


Message 1
Hi. This is the qmail-send program at primary.chryxus.ca.
I tried to deliver a bounce message to this address, but the bounce bounced!

<wcorso@bankatlantic.com>:
216.254.136.210 does not like recipient.
Remote host said: 550 ip address 216.138.220.233 blacklisted due to high mail volume
Giving up on 216.254.136.210.

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 31645 invoked for bounce); 1 Jan 2009 20:37:45 -0000
Date: 1 Jan 2009 20:37:45 -0000
From: MAILER-DAEMON@primary.chryxus.ca
To: wcorso@bankatlantic.com
Subject: failure notice

Hi. This is the qmail-send program at primary.chryxus.ca.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<proberts@letter-perfect.ca>:
216.254.136.210 does not like recipient.
Remote host said: 550 ip address 216.138.220.233 blacklisted due to high mail volume
Giving up on 216.254.136.210.

--- Below this line is a copy of the message.

<content removed>


Message 2
Hi. This is the qmail-send program at primary.chryxus.ca.
I tried to deliver a bounce message to this address, but the bounce bounced!

<wcorso@bankatlantic.com>:
216.254.136.210 does not like recipient.
Remote host said: 550 ip address 216.138.220.233 blacklisted due to high mail volume
Giving up on 216.254.136.210.

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 31645 invoked for bounce); 1 Jan 2009 20:37:45 -0000
Date: 1 Jan 2009 20:37:45 -0000
From: MAILER-DAEMON@primary.chryxus.ca
To: wcorso@bankatlantic.com
Subject: failure notice

Hi. This is the qmail-send program at primary.chryxus.ca.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<proberts@letter-perfect.ca>:
216.254.136.210 does not like recipient.
Remote host said: 550 ip address 216.138.220.233 blacklisted due to high mail volume
Giving up on 216.254.136.210.

--- Below this line is a copy of the message.
<content removed>

Thank you for your help.

John

mmccarn
Re: email failure notice interpretation
« Reply #1 on: January 02, 2009, 06:11:06 PM »
There are two potential problems indicated here:

1) Remote host said: 550 ip address 216.138.220.233 blacklisted due to high mail volume
If 216.138.220.233 is your IP, this is saying that the mail server at 216.254.136.210 has blacklisted your IP.  You should do some research on your IP's blacklist status using http://www.robtex.com/ and http://www.mob.net/~ted/tools/rbl.php3 to see what's up.

2) I tried to deliver a bounce message to this address, but the bounce bounced!
This indicates a possible configuration "situation" with your SME server, or your MX configuration. In the optimal configuration, SME will never attempt to deliver any bounce messages, but will instead refuse to accept the message that would need bouncing - eliminating the need for a bounce message.

You should try to find out why your SME server is trying to send bounce messages. 

It is possible that the situation with bounce messages is generating the blacklisting - if your SME server delivers bounce messages then a spammer can use your server to bounce spam to others - just send a message to your SME server with a "From:" address for me, and your sme will attempt to "bounce" the message to me, even though I had nothing to do with it.

Things that might cause your SME server to deliver bounce messages:
1) It is running an older version of SME server and is configured to "bounce" email to non-existent users instead of to "reject" it.
2) You have an older version of SME server configured in front of an Internal mail server.  Prior to (about) SME 7.1, this configuration would cause the SME to accept all email, then generate bounce messages for email that was rejected by the internal mail server.  (This was fixed with the introduction of the check_smtp_forward plugin around v 7.1.1)
3) You have a "backup MX server" that accepts email to non-existent users, then attempts to deliver them to your SME - which either accepts them (because you have added your backup MX as a "local" network) and generates a bounce message, or rejects them, causing the backup MX to generate a bounce message.
4) You may have misconfigured your "local networks" settings - since the "check_smtp_forward" plugin is only applied to non-local connections, if you have added "0.0.0.0/0" to your "local" networks, your server will not use the "check_smtp_forward" plugin at all.
5) You may have an infected workstation on your network.


wjhobbs
Re: email failure notice interpretation
« Reply #2 on: January 02, 2009, 08:18:47 PM »
Thanks for the feedback.

Using the tools suggested I confirmed that neither IP address is on a blacklist.

With respect to your list of possible causes of bounce messages...
1) email to unknown users is set to "reject"
2) I am running SME 7.4
3) I had a backup MX server specified. Based on your comments, I have removed the backup MX.
4) "local" network settings are correct
5) after reviewing the log files I can find no evidence of spurious email messages coming from internal workstations.

However, the two failure notice messages involve a single user. The email for that user is forwarded to an external mail server.

Can you tell me if spam filtering and rbl processing occurs for messages to accounts that are forwarded externally? If not, any spam addressed to that user will just be sent on and it could result in significant volume. This could be the source of the problem.

Can anyone clarify this for me?

Thanks.

John


CharlieBrady
Re: email failure notice interpretation
« Reply #3 on: January 02, 2009, 09:50:48 PM »
Quote
Using the tools suggested I confirmed that neither IP address is on a blacklist.

No, it is on a blacklist (216.254.136.210 told you so), but it's not a blacklist which is known about by the tools mmccarn has mentioned. I would guess that it is a locally maintained blacklist (at 216.254.136.210) which indicated high mail volume sites.


Quote
5) after reviewing the log files I can find no evidence of spurious email messages coming from internal workstations.

You need to find a message from wcorso@bankatlantic.com and to proberts@letter-perfect.ca. Or you need to find all messages to proberts@letter-perfect.ca - are there "too many" of them (as defined by ?

CharlieBrady
Re: email failure notice interpretation
« Reply #4 on: January 02, 2009, 10:13:46 PM »
Quote
Can you tell me if spam filtering and rbl processing occurs for messages to accounts that are forwarded externally?

spam filtering and rbl processing occurs in incoming messages, and does not consider whether a message will be delivered locally or forwarded elsewhere.

In your case, your server accepted a message from wcorso@bankatlantic.com to one of your users, and then attempted to forward that message to proberts@letter-perfect.ca. Your server is configured to send all outgoing mail via your ISP's mail server (216.254.136.210). Your ISP's mail server refused to accept it, because it considered (perhaps temporarily) your site to be a high volume mail site. Your server then tried to send a bounce message to wcorso@bankatlantic.com, and 216.254.136.210 also refused that message.

My guess is that your ISP's mail server will be refusing all messages from your server, and your users will be getting bounce messages when they try to send off-site. Check your logs and contact your ISP.
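
Added example (not part of the original posts): the reading given in the reply above, done mechanically. This Python sketch splits a qmail-send failure notice at its "--- Below this line is" markers and reports, for each nested notice, which recipient failed and what the remote host said. The function name and the trimmed sample are constructed for illustration.

```python
import re

# Constructed sample: the notice quoted in this thread, headers trimmed.
NOTICE = """\
Hi. This is the qmail-send program at primary.chryxus.ca.
I tried to deliver a bounce message to this address, but the bounce bounced!

<wcorso@bankatlantic.com>:
216.254.136.210 does not like recipient.
Remote host said: 550 ip address 216.138.220.233 blacklisted due to high mail volume
Giving up on 216.254.136.210.

--- Below this line is the original bounce.

Return-Path: <>
Subject: failure notice

Hi. This is the qmail-send program at primary.chryxus.ca.
I'm afraid I wasn't able to deliver your message to the following addresses.

<proberts@letter-perfect.ca>:
216.254.136.210 does not like recipient.
Remote host said: 550 ip address 216.138.220.233 blacklisted due to high mail volume
Giving up on 216.254.136.210.

--- Below this line is a copy of the message.
"""

SPLIT = re.compile(r"^--- Below this line is .*$", re.M)
FAILURE = re.compile(r"^<([^>\n]+)>:\n((?:.+\n)+)", re.M)  # address + reason lines
REMOTE = re.compile(r"Remote host said: (\d{3}) (.*)")

def parse_notice(text):
    """Return one dict per failed delivery, outermost notice first."""
    failures = []
    for part in SPLIT.split(text):
        if "This is the qmail-send program" not in part:
            continue  # the original message, not a notice
        for rcpt, reason in FAILURE.findall(part):
            said = REMOTE.search(reason)
            failures.append({
                "recipient": rcpt,
                "bounce_of_bounce": "the bounce bounced" in part,
                "smtp_code": said.group(1) if said else None,
                "remote_text": said.group(2) if said else reason.strip(),
            })
    return failures
```

Read from the bottom up: the last entry is the delivery that failed first (the forward to proberts@letter-perfect.ca), the first entry is the bounce to the original sender that was refused in turn.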

wjhobbs
Re: email failure notice interpretation
« Reply #5 on: January 02, 2009, 11:57:14 PM »
Thank you, Charlie.

As always, you bring clarity to the table.

At your suggestion I did some further digging into the log files.

It turns out that my user proberts sent an email message with a recipient list containing 85 addresses. Looks like my ISP considered it a spam attempt and temporarily blocked mail processing. Subsequent messages have gone through OK.

I need to have a word with my user.

John
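
Added example (not part of the original posts): one way to find a message like the 85-recipient one in the qmail-send log before the upstream relay reacts to it. It counts remote deliveries per queued message and flags those at or above a threshold. The log lines are constructed, shown without the timestamp multilog normally prepends, and the function name and threshold are assumptions.

```python
import re
from collections import defaultdict

INFO = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)>")
START = re.compile(r"starting delivery \d+: msg (\d+) to remote (\S+)")
END = re.compile(r"end msg (\d+)")

def high_fanout(lines, threshold):
    """Return (msg id, envelope sender, remote recipient count) per flagged message."""
    sender, rcpts, flagged = {}, defaultdict(set), []

    def close(msg):
        n = len(rcpts.pop(msg, ()))
        if n >= threshold:
            flagged.append((msg, sender.get(msg, ""), n))
        sender.pop(msg, None)

    for line in lines:
        if m := INFO.search(line):
            sender[m.group(1)] = m.group(2)
        elif m := START.search(line):
            rcpts[m.group(1)].add(m.group(2).lower())
        elif m := END.search(line):
            # qmail reuses msg numbers, so counts are closed out at "end msg"
            close(m.group(1))
    for msg in list(rcpts):  # messages still in the queue when the log ends
        close(msg)
    return flagged

# Constructed sample: one message to five remote recipients, then the same
# msg number reused for a bounce (empty envelope sender) to one recipient.
SAMPLE = ["new msg 4711",
          "info msg 4711: bytes 9120 from <proberts@example.test> qp 301 uid 453"]
SAMPLE += [f"starting delivery {i}: msg 4711 to remote friend{i}@example.net"
           for i in range(1, 6)]
SAMPLE += ["end msg 4711", "new msg 4711",
           "info msg 4711: bytes 700 from <> qp 302 uid 453",
           "starting delivery 6: msg 4711 to remote someone@example.org",
           "end msg 4711"]

if __name__ == "__main__":
    for msg, frm, n in high_fanout(SAMPLE, threshold=4):
        print(f"msg {msg} from <{frm}> went to {n} remote recipients")
```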