cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
95809
Views
0
Helpful
11
Replies

MTA's poor reputation

DISmekalin
Level 1
Level 1

In recent years, cases of receiving the report of non-delivery of letters.

Basically that's the error:

554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.

Our mail server is not involved in blacklists.

Can you tell me what should i do in this situation?

What settings in C360 can I check and configure?

Thanks in advance.

2 Accepted Solutions

Accepted Solutions

Mathew Huynh
Cisco Employee
Cisco Employee

Hello DISmekalin,

Generally it would be due to some reports of spam coming from your IP by other users so it gets caught by the senderbase sensors.

You can track your IP or domain for mail server reputation in senderbase.org

Essentially if good mail traffic exits from the servers, the reputation score could recover.

Else if you need to establish what may be the issue to begin to correct it, you can reach out to the senderbase team directly in senderbase.org or open a TAC case to reach out to the senderbase team for information for you.

A checklist would be to just audit your mail servers, make sure you can track the type of mails leaving exchange side see if there is any suspicious behaviour and stop it at the source.

Else ensure on your ESA antispam and antivirus scanning is enabled on outgoing mail as well to further protect your mailing environment.

Regards,

Matthew

View solution in original post

Hello DISmekalin,

Ah! So you have set your ESA to an open relay for the moment, this would really attribute into your reputation score getting lowered as being an open relay, spammers will exploit this.

Please change this RAT Default action to - Reject.

RAT Should only allow your internally hosted domains as accept.

If you need to create a setup for an external server to send emails outbound to other addresses that isn't your own.


If you are using 1 listener (which is what i'm suspecting).

Please go to GUI > Mail Policies > Mail Flow Policies


If you do not have a policy called "RELAYED" Please go ahead to create one.

Click Add Policy

Name: RELAYED

Connection Behavior : Choose "Relay"

Leave the rest as it is (default)

Scroll right down to the bottom and Submit.

After this is done.

Go to GUI > Mail Policies > HAT Overview 

If you do not have a RELAYLIST then please click on.

"Add new Sendergroup"

Here you will have an option to input a name

Name it: RELAYLIST

Order: 1

Comment : Leave it blank

Policy : Select RELAYED from your drop down menu

Leave everything else blank and click Submit and Add Sender.

Now add the Mail server IP or hostname to allow this server to relay through your ESA without a RAT check.

Once this is done, submit and commit changes and test.

(If you are confused on where to get the mail-server hostname/IP, you can obtain this with message tracking GUI > Monitor > Message Tracking and find an email sent by this sender before.

Click on Show Details and look under Sending Host Summary, this is what you add to the RELAYLIST sendergroup)

I hope this helps, please let me know.

Regards,

Matthew

View solution in original post

11 Replies 11

Mathew Huynh
Cisco Employee
Cisco Employee

Hello DISmekalin,

Generally it would be due to some reports of spam coming from your IP by other users so it gets caught by the senderbase sensors.

You can track your IP or domain for mail server reputation in senderbase.org

Essentially if good mail traffic exits from the servers, the reputation score could recover.

Else if you need to establish what may be the issue to begin to correct it, you can reach out to the senderbase team directly in senderbase.org or open a TAC case to reach out to the senderbase team for information for you.

A checklist would be to just audit your mail servers, make sure you can track the type of mails leaving exchange side see if there is any suspicious behaviour and stop it at the source.

Else ensure on your ESA antispam and antivirus scanning is enabled on outgoing mail as well to further protect your mailing environment.

Regards,

Matthew

Thank you for answer.

Tell me, please, is it possible to create a separate policy without the use of RAT (Recipient Access Table) ?

We have an external server that needs to send emails to different addresses, but they are rejected by RAT every time, until you have added the address in RAT with default action - allow.

Hello DISmekalin,

Ah! So you have set your ESA to an open relay for the moment, this would really attribute into your reputation score getting lowered as being an open relay, spammers will exploit this.

Please change this RAT Default action to - Reject.

RAT Should only allow your internally hosted domains as accept.

If you need to create a setup for an external server to send emails outbound to other addresses that isn't your own.


If you are using 1 listener (which is what i'm suspecting).

Please go to GUI > Mail Policies > Mail Flow Policies


If you do not have a policy called "RELAYED" Please go ahead to create one.

Click Add Policy

Name: RELAYED

Connection Behavior : Choose "Relay"

Leave the rest as it is (default)

Scroll right down to the bottom and Submit.

After this is done.

Go to GUI > Mail Policies > HAT Overview 

If you do not have a RELAYLIST then please click on.

"Add new Sendergroup"

Here you will have an option to input a name

Name it: RELAYLIST

Order: 1

Comment : Leave it blank

Policy : Select RELAYED from your drop down menu

Leave everything else blank and click Submit and Add Sender.

Now add the Mail server IP or hostname to allow this server to relay through your ESA without a RAT check.

Once this is done, submit and commit changes and test.

(If you are confused on where to get the mail-server hostname/IP, you can obtain this with message tracking GUI > Monitor > Message Tracking and find an email sent by this sender before.

Click on Show Details and look under Sending Host Summary, this is what you add to the RELAYLIST sendergroup)

I hope this helps, please let me know.

Regards,

Matthew

Thank you.

The problem is solved. But for some reason the emails come twice. The first session aborts, second session takes place.

08 Jun 2016 12:42:59 (GMT +03:00) Protocol SMTP interface Data 1 (IP x.x.x.x) on incoming connection (ICID 1104099503) from sender IP y.y.y.y. Reverse DNS host None verified no.
08 Jun 2016 12:42:59 (GMT +03:00) (ICID 1104099503) RELAY sender group RELAYLIST match y.y.y.y SBRS -1.9
08 Jun 2016 12:43:00 (GMT +03:00) (ICID 1104099503) Sender <sender@domain.zone>allowed. Envelope sender matched domain exception
08 Jun 2016 12:43:00 (GMT +03:00) Start message 47181187 on incoming connection (ICID 1104099503).
08 Jun 2016 12:43:00 (GMT +03:00) Message 47181187 enqueued on incoming connection (ICID 1104099503) from sender@domain.zone.
08 Jun 2016 12:43:00 (GMT +03:00) Message 47181187 on incoming connection (ICID 1104099503) added recipient (recipient@domain.zone).
08 Jun 2016 12:43:00 (GMT +03:00) Message 47181187 aborted: Receiving aborted by sender
08 Jun 2016 12:43:00 (GMT +03:00) (ICID 1104099503) Sender <sender@domain.zone>allowed. Envelope sender matched domain exception

Hey DISmekalin,

Receiving aborted is normally due to the sending side closing the connection prematurely for whatever reason.

For what I can see you've also deployed domain exception list envelope sender verification on this RELAY mail flow.

You can disable this at the bottom in GUI > Mail Policies > Mail Flow Policies > Click into RELAY

And see if that helps.


Regards,

Matthew

I disabled exception list envelope sender verification on this RELAY mail flow.

But emails still come twice :)

Hello,

 

We have the same problem - 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means. The IP address is 68.233.33.90, please assist.

You should be able to go to https://talosintelligence.com/ and request that the IP address be "unblocked".  Reputation at the top, then "Reputation support"

Hello,

I have made some requests from there, but no luck.

 

Thanks,

HostColor LLC