Return-Path:
Received: from bigsky.scconsult.com ([66.73.230.187] verified)
  by mail.stalker.com (CommuniGate Pro SMTP 5.1.4)
  with ESMTP id 38381633 for SIMS@mail.stalker.com; Wed, 10 Jan 2007 20:52:20 -0800
Received-SPF: pass receiver=mail.stalker.com; client-ip=66.73.230.187; envelope-from=listbill@scconsult.com
Received: from bigsky.scconsult.com (localhost [127.0.0.1])
  by bigsky.scconsult.com (Postfix) with ESMTP id 253AA3B6481
  for ; Wed, 10 Jan 2007 23:50:20 -0500 (EST)
Mime-Version: 1.0
Message-Id:
In-Reply-To:
References:
X-Message-Flag: Use of Microsoft mail clients is the primary cause of cracked systems. Please switch!
Date: Wed, 10 Jan 2007 23:19:32 -0500
To: "SIMS Discussions"
From: Bill Cole
Subject: Re: DNS issues with sending server or what?
Content-Type: text/plain; charset="us-ascii" ; format="flowed"

At 12:59 PM -0800 1/10/07, Paul Didzerekis imposed structure on a stream of electrons, yielding:
>Can anyone here see what is causing the following problem and
>suggest a solution?
>
>The problem is that someone tries to send email from
>tricityregionalchamber.com to one of our client domains tcajob.com
>and our server instantly bounces back the message to the sending
>server with an error that the user is unknown. I think it is
>bouncing all messages they try to send to us at any of the domains
>we host. The server at tcajob.com (Web*V) performs spam content and
>RBL filtering and such and is set up to forward messages for that
>domain on to another server (SIMS) that handles the POP accounts for
>that domain. We don't have this problem with any other domains we
>host or emails coming from any other place.

There's a contradiction there. Is it all of your domains or just one?

>
>I suspect that the sending server/domain may have a DNS issue or
>something and that is confusing our receiving server and causing it
>to bounce the message back to them. Our server that is bouncing the
>messages does not show any kind of error in the log just that the
>message is received and then instantly returned.

That is very broken. A mail server that does not log what it does with every message should be dumped.

>Here is the info I got back when I asked the sending people to
>forward me the bounced message with header (sent to my .mac account).
>
>Thanks in advance,
>Paul Didzerekis
>
>Here is the header info
>Bounced notification
>And the original message is attached

The message looks wrong. Incomplete. Full Internet headers (not the Microsoftian reductions) for the bounce itself would help, and it looks like something has removed and 'simplified' the actual SMTP response. That's a known Exchange behavior. With that in mind, I will make a couple of notes:

>-----Original Message-----
>From: Mattson, Lori [mailto:Lori.Mattson@tricityregionalchamber.com]
>Sent: Monday, January 08, 2007 3:26 PM
>To: Stone, Renee K
>Subject: FW: Returned mail: Message Undeliverable
>
>Microsoft Mail Internet Headers Version 2.0
>Received: from mail.tri-city.net ([63.95.200.12]) by
>tricityregionalchamber.com with Microsoft SMTPSVC(6.0.3790.1830);
>  Mon, 8 Jan 2007 14:50:11 -0800
>Date: Mon, 08 Jan 2007 22:50:10 GMT
>From: Mail Delivery Subsystem
>Subject: Returned mail: Message Undeliverable
>To:
>MIME-Version: 1.0
>Content-Type: multipart/report; report-type=delivery-status;
>  boundary="Relay/45a2caa2-289a200-ca.bounce"
>Return-Path: <>
>Message-ID:
>X-OriginalArrivalTime: 08 Jan 2007 22:50:12.0045 (UTC)
>FILETIME=[5AC6C7D0:01C73377]
>
>--Relay/45a2caa2-289a200-ca.bounce
>Content-Type: text/plain; charset=iso-8859-1
>Content-Transfer-Encoding: 7bit
>
>--Relay/45a2caa2-289a200-ca.bounce
>Content-Type: message/rfc822
>Content-Transfer-Encoding: 7bit
>
>Received: from tricityregionalchamber.com
>(64-13-28-32.kwk.clearwire-dns.net [64.13.28.32]) BY mail.tri-city.net
>([63.95.200.12])
>  WITH ESMTP (4D WebSTAR V Mail (5.4.0)); Mon, 08 Jan 2007 14:50:10 -0800

A machine at IP address 64.13.28.32 claimed in its EHLO to be named "tricityregionalchamber.com" but in fact that name resolves to 65.61.117.202. That is not supposed to be grounds for rejecting mail, but some people ignore the admonition against that practice in RFC2821, because such a verification can be useful: many spammers use fake HELO/EHLO names.

The resolvable name for 64.13.28.32 is one that looks very generic, as if the owner of the IP address doesn't care what its name is except to assure that he can resolve it in his head without DNS. That also "looks spammy" to many spam control systems. Combine a fraudulent EHLO with a generic real name, and there are a lot of spam filters that won't even look any further.

However, this does indicate that mail.tri-city.net (the Web* server) accepted the message. Unfortunately, it looks like Web* is too stupid to create SMTP transaction ID's for Received headers and log tracking or Message-ID's for its bounces. It sure makes tracking hard...

>X-MimeOLE: Produced By Microsoft Exchange V6.5
>Content-class: urn:content-classes:message
>MIME-Version: 1.0
>Content-Type: multipart/alternative;
>  boundary="----_=_NextPart_001_01C73377.56B9CB10"
>Subject: test 100
>Date: Mon, 8 Jan 2007 14:50:05 -0800
>Message-ID:
>X-MS-Has-Attach:
>X-MS-TNEF-Correlator:
>Thread-Topic: test 100
>Thread-Index: Acczd1SIyFvR5YEZRjm2CQs1HSzijw==
>From: "Mattson, Lori"
>To: ,
>
>
>------_=_NextPart_001_01C73377.56B9CB10
>Content-Type: text/plain;
>  charset="us-ascii"
>Content-Transfer-Encoding: quoted-printable
>
>------_=_NextPart_001_01C73377.56B9CB10
>Content-Type: text/html;
>  charset="us-ascii"
>Content-Transfer-Encoding: quoted-printable
>
>
>------_=_NextPart_001_01C73377.56B9CB10--
>
>--Relay/45a2caa2-289a200-ca.bounce--

I'm not sure I'm getting this right. This is looking like the bounce of a bounce???

>
>-----Original Message-----
>From: Mail Delivery Subsystem [mailto:Mail Delivery Subsystem]
>Sent: Monday, January 08, 2007 2:50 PM
>To: Mattson, Lori
>Subject: Returned mail: Message Undeliverable
>
>This message could not be delivered to the following recipients:
>
>: Unable to reach destination or recipient is
>invalid.
>

That looks like the Exchange bounce re-writing stupidity. Somewhere there once was a set of real headers for that, a domain for the sender, and a clear specification of what was said last in the SMTP conversation by what machine and to what machine. Without those, diagnosis is impossible. As long as the bounces are going back in to a default-configured Exchange, you won't get them.

Based on what you DO have, I'd suggest two possibilities:

1. The spam filtering in Web* is causing the problem. If it is an asynchronous filtering system that accepts mail, filters it, then bounces what it dislikes, that's a possibility.

2. SIMS might be rejecting this for some reason.

Diagnosis is made immensely more difficult by the interaction of two junkware mail servers: WebStar and Exchange. If you can fix one or both to provide more information, you have a far better shot of figuring this out.

-- 
Bill Cole
bill@scconsult.com
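
Added example, not part of the message above and not code from its author: a Python sketch of the two checks the reply describes for the quoted WebSTAR Received line, namely whether the EHLO name resolves to the connecting IP and whether the reverse name merely encodes the IP. The function names, the finding labels and the in-memory DNS table are assumptions; the table is constructed from the single A record stated in the message so the example runs offline.

```python
import re

# The Received line quoted in the message above, with the folding removed.
RECEIVED = ("from tricityregionalchamber.com "
            "(64-13-28-32.kwk.clearwire-dns.net [64.13.28.32]) "
            "BY mail.tri-city.net ([63.95.200.12]) "
            "WITH ESMTP (4D WebSTAR V Mail (5.4.0)); "
            "Mon, 08 Jan 2007 14:50:10 -0800")

# Constructed stand-in for DNS: only the A record the message states.
FORWARD_DNS = {"tricityregionalchamber.com": {"65.61.117.202"}}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<ptr>\S+)\s+\[(?P<ip>[0-9.]+)\]\)", re.I)

def lookup(name):
    """Hypothetical resolver: returns the set of A records for a name."""
    return FORWARD_DNS.get(name.lower(), set())

def parse_received(line):
    """Extract (helo_name, ptr_name, client_ip) from 'from X (Y [ip])'."""
    m = RECEIVED_RE.search(line)
    if m is None:
        raise ValueError("no 'from HELO (PTR [IP])' clause found")
    return m.group("helo").lower(), m.group("ptr").lower(), m.group("ip")

def ptr_embeds_ip(ptr, ip):
    """True when the reverse name spells out the IP's octets in either order."""
    octets = ip.split(".")
    for order in (octets, octets[::-1]):
        pattern = r"(?<!\d)" + r"[-.]".join(order) + r"(?!\d)"
        if re.search(pattern, ptr):
            return True
    return False

def check_helo(line, resolve=lookup):
    """Return scoring signals only; per the message, a HELO mismatch alone
    is not supposed to be grounds for rejecting mail."""
    helo, ptr, ip = parse_received(line)
    findings = []
    if ip not in resolve(helo):
        findings.append("helo-mismatch")   # EHLO name does not map to client
    if ptr_embeds_ip(ptr, ip):
        findings.append("generic-ptr")     # rDNS is just the IP spelled out
    return {"helo": helo, "ptr": ptr, "ip": ip, "findings": findings}

if __name__ == "__main__":
    print(check_helo(RECEIVED))
```

Replacing `lookup` with a function that queries a real resolver turns this into a header triage helper; the findings are meant to be weighed together, as the reply describes spam filters doing.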