I've got a local user on my server that as of today cannot send email from any of their devices. Only Webmail (which doesn't touch any of their devices) works.
Here are the various email failures I'm receiving in the logs.
Dec-04-12 19:52:47 75966-05166 [SpoofedSender] 111.111.111.111 <[email protected]> to: [email protected] [scoring:20] -- No Spoofing Allowed -- [Test];
Dec-04-12 19:52:47 75966-05166 [Extreme] 111.111.111.111 <[email protected]> to: [email protected] [spam found] -- score for 111.111.111.111 is 1980, surpassing extreme level of 500 -- [Test] -> spam/Test__1.eml;
Dec-04-12 19:52:48 75968-05169 111.111.111.111 <[email protected]> to: [email protected] [scoring:10] -- IP in HELO does not match connection: '[192.168.0.10]' -- [Re Demo Feedbacks for End of November Sales];
Dec-04-12 19:52:48 75968-05169 [SpoofedSender] 111.111.111.111 <[email protected]> to: [email protected] [scoring:20] -- No Spoofing Allowed -- [Re Demo Feedbacks for End of November Sales];
Dec-04-12 19:52:48 75968-05169 [Extreme] 111.111.111.111 <[email protected]> to: [email protected] [spam found] -- score for 111.111.111.111 is 2020, surpassing extreme level of 500 -- [Re Demo Feedbacks for End of November Sales] ->spam/Re_Demo_Feedbacks_for_End_of_N__2.eml;
Dec-04-12 19:52:57 75977-05179 [SpoofedSender] 111.111.111.111 <[email protected]> to: [email protected] [scoring:20] -- No Spoofing Allowed -- [test];
Dec-04-12 19:52:57 75977-05179 [Extreme] 111.111.111.111 <[email protected]> to: [email protected] [spam found] -- score for 111.111.111.111 is 2040, surpassing extreme level of 500 -- [test] -> spam/test__3.eml;
…………….
Dec-04-12 19:55:35 76135-05338 [SpoofedSender] 111.111.111.111 <[email protected]> to: [email protected] [scoring:20] -- No Spoofing Allowed -- [test];
Dec-04-12 19:55:35 76135-05338 [MsgID] 111.111.111.111 <[email protected]> to: [email protected] [scoring] (Message-ID not valid: 'E8472A91545B44FBAE413F6D8760C7C3@bts');
Dec-04-12 19:55:35 76135-05338 [InvalidHELO] 111.111.111.111 <[email protected]> to: [email protected] [spam found] -- Invalid HELO: 'bts' -- [test] -> discarded/test__4.eml;
note: 111.111.111.111 is a replacement for the user's home IP address
Here are the headers of one of the messages
X-Assp-Score: 10 (HELO contains IP: '[192.168.0.10]')
X-Assp-Score: 10 (IP in HELO does not match connection: '[192.168.0.10]')
X-Assp-Score: 20 (No Spoofing Allowed)
X-Assp-Score: 10 (bombSubjectRe: 'sale')
X-Assp-Score: 20 (blacklisted HELO '[192.168.0.10]')
X-Assp-Score: 45 (DNSBLcache: failed, 111.111.111.111 listed in safe.dnsbl.sorbs.net)
X-Assp-DNSBLcache: failed, 174.0.35.31 listed in safe.dnsbl.sorbs.net
X-Assp-Received-SPF: fail (cache) ip=174.0.35.31 [email protected]
helo=[192.168.0.10]
X-Assp-Score: 10 (SPF fail)
X-Assp-Envelope-From: [email protected]
X-Assp-Intended-For: [email protected]
X-Assp-Version: 1.7.5.7(1.0.07) on ASSP.nospam
X-Assp-ID: ASSP.nospam (77953-07232)
X-Assp-Spam: YES
X-Assp-Original-Subject: Re: Demo Feedbacks for End of November Sales
X-Spam-Status:yes
X-Assp-Spam-Reason: MessageScore (125) over limit (50)
X-Assp-Message-Totalscore: 125
Received: from [192.168.0.10] ([111.111.111.111] helo=[192.168.0.10]) with
IPv4:25 by ASSP.nospam; 4 Dec 2012 20:25:52 -0700
Content-Type: multipart/alternative; boundary=Apple-Mail-40FE7453-4BE7-4AD6-B297-FB81DAA554EC
Content-Transfer-Encoding: 7bit
Subject: Re: Demo Feedbacks for End of November Sales
References: <003c01cdd22e$eafbc6f0$c0f354d0$@com>
From: Some User <[email protected]>
In-Reply-To: <003c01cdd22e$eafbc6f0$c0f354d0$@com>
Message-Id: <[email protected]>
Date: Tue, 4 Dec 2012 19:32:28 -0700
To: External User <[email protected]>
Mime-Version: 1.0 (1.0)
X-Mailer: iPhone Mail (10A523)
Why is it that a local sender has been banned on our local server, and how can I fix this?
Is it just me, or does the header not tell you exactly why this user is getting his mail rejected?
His message is scoring too high as spam. The specific reasons are also listed further up in the header...
+10 for the HELO containing an IP, +10 for the IP not matching the connection IP, +20 for no spoofing, +10 for the word 'sale' in the subject, +20 for a blacklisted HELO (with that IP again), +45 for the IP being on a blacklist (safe.dnsbl.sorbs.net) and +10 for an SPF fail. Adds up to 125, which is greater than your spam threshold of 50. Seems pretty clear to me. Did I miss something?
EDIT:
In response to your comment, I see two problems, the first of which being that your external IP is on the SORBS-DUHL blacklist, though it's giving me a weird return code, and seems to be the only blacklist you're on... so I'd contact them and politely ask what the hell's up. That's 45 of 125 spam score there. The second problem seems to be that your ASSP is configured to score as spam anything coming from a private IP (192.168.0.10), and as your user is at home when this happens (according to your comment), he is likely behind some SOHO router or switch that's assigning his PC a private IP (192.168.0.10). That's at least 40 of the 125 spam score, and possibly 60 or 70 - I can't say for sure why the SPF failure and the spoofing failure are occurring, but I suspect they're both related to the fact that this user is trying to send mail as from your domain, but with an IP address that's not valid for mail coming from your corporate network.
Either way, the only solutions to this I can see are either sorting out the user's home network so that his PC sees itself at his external, ISP-provided IP address or changing your spam filter's rules to accommodate this user. I recommend the option that doesn't involve having to support some user's home network. Or, come to think of it, telling the user that his home setup isn't compatible with your mail setup, and he'll have to either deal with it, fix it himself, or use webmail. Actually, that's what I'd do, on account of it being less work, and me generally not wanting to change the whole spam filtering scheme for one user.
So a mail that would normally score 10 (for containing 'sale' in the subject), is scoring over the threshold because of either issue. So it looks like you'll have to resolve both the blacklist and the IP issues we're seeing here to get mail flowing reliably from local senders.