Does anyone else also have massive problems sending emails?

ThK Cybersecurity Overlord ✭✭✭

A few of my customers report that they get NDRs: emails, especially to 1und1, also GMX and domains hosted on 1und1, came back with "mailbox not found".

Another NDR in the HES log shows:

451 4.4 0 dns query failed smtpsend dns nonexistentdomain

Also, another one: smtp 550 DMARC Sender invalid

I guess it's up to 1und1, but I'm not sure it is...

I did not see any problem on the servers or HES. But all customers have the same Exchange Server and HES. So I appreciate any information if you see something similar with your customers.

--Thomas

Category: Hosted Email Security

Answers

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @THK,

    I totally overlooked your post, having the same, sorry for the double post.

    --Michael@BWC

  • ThK Cybersecurity Overlord ✭✭✭

    @BWC glad to read your post ;-)

    On one customer's server the MSX send connector could not resolve domain.de.outbound.snwlhostedeu.com, so I added the 173.240.221.247 manually. Then sending out was possible for a while. But incoming emails are also inconsistent.

    --Thomas

  • ThK Cybersecurity Overlord ✭✭✭

    Got a bounce-back entry in the HES log when sending to gmx.de:


    smtp;550 Requested action not taken: mailbox unavailable invalid DNS MX or A/AAAA resource record


    Could it be that 1und1 has problems resolving the sending server, aka domain.de.snwlhostedeu.com?

    This confirms your post - something is wrong with DNS resolution

    --Thomas

  • BWC Cybersecurity Overlord ✭✭✭

    Hi @THK,

    Hard to tell; the inability of your MSX send connector to resolve the HES host is surely related to the DNS misconfiguration at SNWL.

    The 1&1 thingy I can't say for sure. GMX is also using the United Internet infrastructure, so it's related.

    It seems that the SNWL resolver used by HES is not able to get the job done correctly when resolving United Internet zones. Maybe the resolver is not just able to not handle EDNS, maybe it struggles in more areas <giggle>.

    --Michael@BWC

  • franz Newbie

    Hi @THK,

    same for me :(

    The issue started yesterday at 4 pm CEST for my customer, and his domain is hosted at 1und1.

    From external we got the error "550 5.4.350 Remote server returned invalid or missing DNS MX or A record for recipient domain -> 550 invalid DNS MX or A/AAAA resource record"

    We've tried to send a mail via 1und1 webmail and we got the issue with "mailbox not found".

    SNWL Case created.

    Regards,

    Daniel

  • David W SonicWall Employee

    Please check now guys,

    IT Ops made some corrections to the DNS and I believe it should all be working, but it may take a little time for some servers to propagate DNS.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • ThK Cybersecurity Overlord ✭✭✭

    @David W

    Arrived into gateway from: 1xx.1xx.139.74 on Thu Apr 15, 2021 at 14:55 CEST

    Direction: Outbound

    Arrival notes: Arrived on TLS

    Audit trail: erikaholzenthal@gmx.de

    Identified as: Good

    Message location: Bounced

    Accepted by: 212.227.15.9:25 on Thu Apr 15, 2021 at 14:55 CEST


    MTA response:5.0.0 (undefined status)

    smtp;550 Requested action not taken: mailbox unavailable invalid DNS MX or A/AAAA resource record

  • David W SonicWall Employee

    I've been watching and the DNS change just updated a couple minutes ago.

    Give it a little bit then test it again please.

    Thanks

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • David W SonicWall Employee

    I've been doing some investigation and this appears to be for the most part various DNS servers having issues.

    Example: I can query 8.8.8.8 and 1.1.1.1 and get proper PTR results every time.

    If I query 4.2.2.2 it comes up with different results every time I query and is missing many records.

    Right now this appears to mainly be outbound, as reported by sending to gmx.de.

    I've not been seeing anything for inbound for the last couple of hours.

    Are you still seeing issues either inbound or outbound and can you give me any specifics of the sender etc?

    Thanks

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • BWC Cybersecurity Overlord ✭✭✭
    edited April 2021

    Hi @David W

    I guess it was you answering to my ticket a minute ago.

    It's not just gmx.de having the issue, my customer sent a message to online.de (which is handled by United Domains) and the problem still persists (outgoing).

    =?iso-8859-1?Q?.2021?=
    Hostname is ams0vm-hesra06.colo.sonicwall.com
    Originator is abc@abc.de
    Recipient is xxxx@online.de
    Time queued is Thu, 15 Apr 2021 16:33:35 +0200
    Date was Thu, 15 Apr 2021 16:33:36 +0200
    Retry transient errors every 15 minutes and bounce after 4 days and 5 minutes.
    The reason for delivery failure: smtp;550 Requested action not taken: mailbox unavailable invalid DNS MX or A/AAAA resource record.

    But you fixed the NS records for snwlhostedeu.com ... next stop snwlhosted.com :)

    --Michael@BWC

  • franz Newbie

    Hi David,

    Many thanks for the fast response.

    We've had the issues in both directions.

    I've switched the mx records for my customer directly to hoster 1&1 and mailflow in and outbound is working fine again.

    At the moment I could not test, our customer is a patent lawyer and they are not amused, at the moment.

    Many thanks.


    Regards,

    Daniel

  • David W SonicWall Employee

    @BWC and @franz I'm still looking things over.

    I also personally use IONOS and am seeing if I can query one of their DNS servers, but I'm having a hard time finding one.

    @BWC Are these the only ones you are having issues sending to?

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • David W SonicWall Employee

    Looking at this the errors are the "Requested action not taken: mailbox unavailable invalid DNS MX or A/AAAA resource record."

    However when checking all the proper records are there for everything.

    The only thing I can think of is that their servers are not updating on their DNS and not seeing all of the Records such as the PTR.


    I just checked a domain and indeed they are not updated and not seeing the PTR record.

    It's an issue on the recipient side.


    Reverse MX A records (PTR)

    ERROR: No reverse DNS (PTR) entries. The problem MX records are:

    167.221.240.173.in-addr.arpa -> no reverse (PTR) detected

    You should contact your ISP and ask him to add a PTR record for your ips

    and here is the query to 8.8.8.8


    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • ThK Cybersecurity Overlord ✭✭✭

    @David W

    ----------1 st. -----------

    @dynamicmetalsltd.com

    Identified as: Good

    Message location: Bounced

    Accepted by: 91.220.42.201:25 on Thu Apr 15, 2021 at 15:54 CEST

    MTA response:5.0.0 (undefined status)

    smtp;550 DMARC Sender Invalid - envelope rejected - https://community.mimecast.com/docs/DOC-1369#550

    ---------2nd -------------

    @mwlange-cnc.de

    Identified as: Good

    Message location: Bounced

    Accepted by: 212.227.15.41:25 on Thu Apr 15, 2021 at 12:59 CEST


    MTA response:5.0.0 (undefined status)

    smtp;550 Requested action not taken: mailbox unavailable invalid DNS MX or A/AAAA resource record

    ----------3rd ---------------

    @pfaender-freiburg.de

    Identified as: Good

    Message location: Bounced

    Accepted by: 213.30.233.146:25 on Thu Apr 15, 2021 at 16:24 CEST

    MTA response:5.1.1 (bad destination mailbox address)

    smtp;550 5.1.1 <xxxx@pfaender-freiburg.de>: Recipient address rejected: User unknown in local recipient table

    -------4th-----------

    @movere.sha.de

    Identified as: Good

    Message location: Bounced

    Accepted by: None

    Accepted by: 62.216.170.43:25 on Fri Apr 9, 2021 at 11:21 CEST

    MTA response:5.1.2 (bad destination system: no such domain)


    -------5th-------

    energie@statstik.rlp.de

    Identified as: Good

    Message location: Bounced

    Accepted by: None


    MTA response:5.1.2 (bad destination system: no such domain)



    more to give :-)

    ---Thomas

  • David W SonicWall Employee

    statstik.rlp.de, movere.sha.de and pfaender-freiburg.de have no MX records.

    this one: smtp;550 Requested action not taken: mailbox unavailable invalid DNS MX or A/AAAA resource record.

    I identified as no PTR resolving on recipient side but it does exist and the other one appears to be an SPF issue.

    smtp;550 DMARC Sender Invalid - envelope rejected - https://community.mimecast.com/docs/DOC-1369#550

    I'll look into the SPF one a little deeper.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • David W SonicWall Employee

    @BWC The SPF one it looks like the recipient side cannot see the SPF record.

    I've checked and it's there and all good.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • BWC Cybersecurity Overlord ✭✭✭
    edited April 2021

    @David W

    I'm not sure if your SOA serial reflects the actual date of change, but it still says 2021030188 for snwlhostedeu.com, which can be OK or maybe is outdated. Pointing ns1 and ns2.snwlhostedeu.com to the same IP is bad design, IMHO. I guess you don't do any zone transfers then.

    UPDATE:

    About the PTR, 0.221.240.173.in-addr.arpa is driven by ns1.snwlhostedeu.com, which was troublesome because of the wrong NS records.

    I guess it'll work out over time.

    --Michael@BWC

  • David W SonicWall Employee
    edited April 2021

    @BWC All of that is the IT Ops side of the house.

    Not sure exactly how it's all set but it's all load balanced.

    I've asked them if they can force a full public refresh.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • ThK Cybersecurity Overlord ✭✭✭

    @David W these examples are existing business partners which are contacted often each day or week. I don't believe the bounce classification. It's so imprecise. I just looked at another customer who sent a monthly newsletter to many recipients today; I guess 50% are bounced back.

    --Thomas

  • David W SonicWall Employee

    @ThK The responses seen when you open up a message is what the recipient server responded with.

    I would post any relevant information to the case you have open so the tech can help look into it.

    At this time most of this appears to be DNS on recipient side however each one needs to be looked at independently.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • EF999 Newbie ✭

    We have a lot of customers that do not use the HES and have no issue. If their DNS servers wouldn't update, wouldn't they have the same issue? Why would they update all entries but the SonicWall ones? This doesn't make sense to me.

  • David W SonicWall Employee

    It looks like the recipient side for many of these that were an issue finally updated their DNS about an hour ago.

    I can see messages to gmx.de not being delivered since that time.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • BWC Cybersecurity Overlord ✭✭✭
    edited April 2021

    Hi guys,

    I have to wait until my customers are waking up, but if it was indeed a DNS related issue like I suspected yesterday you should give the DNS admin a clap on the back of his/her head. snwlhosted.com got fixed too, bravo.

    But it's just another batch of unbillable hours, who counts. 🤯

    UPDATE:
    A test mail to @web.de was sent successfully.
    

    --Michael@BWC

  • ThK Cybersecurity Overlord ✭✭✭
    edited April 2021

    Hi guys,

    Today it's starting with problems with recipients on OUTLOOK.COM.

    I have feedback from at least 2 customers that their contacts get no email. Both try to send to "outlook.com".

    Please urgently have a deeper look into it again...

    -- Thomas


    Die Nachricht wurde nicht zugestellt, da sie vom E-Mail-Anbieter des Empfängers zurückgewiesen wurde.

    Diagnoseinformationen für Administratoren:

    Generierender Server: MWHP114MB0061.NAMP114.PROD.OUTLOOK.COM

    IOBPO.DBAs@accenture.com

    Remote Server returned '554 5.7.0 < #5.7.133 smtp;550 5.7.133 RESOLVER.RST.SenderNotAuthenticatedForGroup; authentication required; Delivery restriction check failed because the sender was not authenticated when sending to this group>'

    Ursprüngliche Nachrichtenköpfe:

    Received: from CY4PR06CA0065.namprd06.prod.outlook.com (2603:10b6:903:13d::27)
     by MWHP114MB0061.NAMP114.PROD.OUTLOOK.COM (2603:10b6:320:33::24) with
     Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SH
    

    ----------------

    Generierender Server: AS8PR08MB6486.eurprd08.prod.outlook.com

    Rene.Henrici@uddeholm.de

    Remote Server returned '< #5.7.1 smtp;550 5.7.1 TRANSPORT.RULES.RejectMessage; the message was rejected by organization policy>'

    Ursprüngliche Nachrichtenköpfe:

    Received: from MR1P264CA0001.FRAP264.PROD.OUTLOOK.COM (2603:10a6:501:2e::6) by
     AS8PR08MB6486.eurprd08.prod.outlook.com (2603:10a6:20b:33c::20) with
     Microsoft SMTP S
    


  • ThK Cybersecurity Overlord ✭✭✭

    What the hell is going on now with this BACKSCATTERER???? Is the SonicWall sender IP now blacklisted by this anti-social criminal gang? PLEASE have a look at that, this would be the worst if yes!!!


    ........

    Arrived into gateway from: 193.158.101.42 on Fri Apr 16, 2021 at 10:30 CEST

    Direction: Outbound

    Arrival notes: Arrived on TLS

    Audit trail: espnotifications@husky.ca

    Identified as: Policy

    Message location: Rejected

    Accepted by: None

    Message Details

    Unique Message ID: 202104160830584355207
    Subject: Unzustellbar: Your eSP Alerts for Husky Injection Systems
    From: 'unknown' <postmaster@kaiser-wzb.de>
    To: espnotifications@husky.ca
    Date received: Fri Apr 16, 2021, 10:30:00 CEST
    Message size: 20 K
    Threat: Policy
    Category: backscatter to rejected DW 5-8-2020[Global]

    -------

    Unique Message ID: 202104160738173555685
    Subject: Unzustellbar: WG: 6541918
    From: 'unknown' <postmaster@kaiser-wzb.de>
    To: dennis.wagner@vt.atlascopco.com
    Date received: Fri Apr 16, 2021, 09:38:00 CEST
    Message size: 41 K
    Threat: Policy
    Category: backscatter to rejected DW 5-8-2020[Global]

  • BWC Cybersecurity Overlord ✭✭✭
    edited April 2021

    Hi @ThK

    I checked the whole network but it seems "only" one outbound server is blacklisted:

    IP 173.240.221.13 NAME outbound13.snwlhostedeu.com.
     13.221.240.173.ips.backscatterer.org.           127.0.0.2
    

    This is probably because of the stupid resetting DHA settings bug, which causes trouble for all HES customers. Shared pain is still painful though :)

    Update:
    Earliest date this IP can expire is 13.05.2021 13:45 CEST.
    
    This IP is temporary listed.
    The listing will expire automatically and free of charge 4 weeks after the last abuse is seen from that IP.
    Expedited manual expressdelisting is available as an option, in case you do not want to wait for the automatic and free expiration.
    You will be charged 89 CHF using the following payment service.
    WARNING: Before requesting expressdelisting make sure the problem which caused the listing is fixed, otherwise you are at risk to get listed again if new abuse becomes known.
    

    --Michael@BWC
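
The checks this thread keeps returning to (a PTR that exists and forward-confirms, plus a DNSBL lookup like the one quoted above), as an added Python example that is not part of the original posts. `DEMO` is a constructed resolver view built from values quoted in the thread, the A record for outbound13.snwlhostedeu.com is an assumption, and `SystemDNS` uses the OS resolver for live checks.

```python
import ipaddress
import socket

DNSBL_ZONE = "ips.backscatterer.org"  # list zone as it appears in the post above

def dnsbl_name(ip, zone=DNSBL_ZONE):
    """DNSBL query name: IPv4 octets reversed, then the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

class SystemDNS:
    """OS resolver; a failed lookup is reported as 'no record'."""
    def ptr(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
        except OSError:
            return None
    def a(self, name):
        try:
            return set(socket.gethostbyname_ex(name)[2])
        except OSError:
            return set()

class FakeDNS:
    """Constructed resolver view so the example runs offline."""
    def __init__(self, ptrs, addrs):
        self.ptrs, self.addrs = ptrs, addrs
    def ptr(self, ip):
        return self.ptrs.get(ip)
    def a(self, name):
        return set(self.addrs.get(name, ()))

def check_sender(ip, dns):
    """PTR, forward-confirmed reverse DNS and DNSBL status for one sending IP."""
    host = dns.ptr(ip)
    problems = []
    if host is None:
        problems.append("no PTR")
    elif ip not in dns.a(host):
        problems.append("PTR name does not resolve back to the IP")
    codes = sorted(c for c in dns.a(dnsbl_name(ip)) if c.startswith("127."))
    if codes:
        problems.append("listed: " + ",".join(codes))
    return {"ip": ip, "ptr": host, "problems": problems}

# Constructed data reusing values quoted in the thread; the A record is assumed.
DEMO = FakeDNS(
    {"173.240.221.13": "outbound13.snwlhostedeu.com"},
    {"outbound13.snwlhostedeu.com": ["173.240.221.13"],
     dnsbl_name("173.240.221.13"): ["127.0.0.2"]},
)

if __name__ == "__main__":
    for ip in ("173.240.221.13", "173.240.221.167"):
        print(check_sender(ip, DEMO))
```

Running the same checks with `SystemDNS()` from hosts that use different resolvers shows whether a missing PTR is a stale view at one resolver or a real gap in the zone.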

  • ThK Cybersecurity Overlord ✭✭✭

    @BWC have no words for this...

    Testresult for 173.240.221.13:

    This IP IS CURRENTLY LISTED in our Database.

    Please note that this listing does NOT mean you are a spammer, it means your mailsystem is either poorly configured or it is using abusive techniques.

    This kind of abuse is known as BACKSCATTER (Misdirected Bounces or Misdirected Autoresponders or Sender Callouts). Click the links above to get clue how and why to stop that kind of abuse.



    To track down what happened investigate your smtplogs near 15.04.2021 13:45 CEST +/-1 minute.


    You will either find that your system tried to send misdirected bounces or misdirected autoresponders to claimed but in reality faked senders, or your system tried sender verify callouts against our members near that time.

    So you should look for outgoing emails that have a NULL SENDER or POSTMASTER in MAIL FROM.

    Reading your logs carefully it shouldn't be a big deal to figure out what caused or renewed your listing.


    THIS HAPPENED YESTERDAY at 13:45 CEST

    --Thomas
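
An added example, not part of the original post or the listing notice: it applies the notice's advice by scanning outbound records within one minute of the listing time for a null sender or a postmaster sender. The log layout and the sample lines are constructed assumptions, not HES or Exchange output.

```python
import re
from datetime import datetime, timedelta, timezone

CEST = timezone(timedelta(hours=2))
# Assumed log layout: ISO timestamp, queue id, from=<envelope sender>, to=<recipient>.
LINE = re.compile(r"^(\S+) (\S+) from=<([^>]*)> to=<([^>]*)>")

def parse_listing_time(text):
    """Parse the notice's 'DD.MM.YYYY HH:MM CEST' stamp into an aware datetime."""
    stamp = text.replace("CEST", "").strip()
    return datetime.strptime(stamp, "%d.%m.%Y %H:%M").replace(tzinfo=CEST)

def is_bounce_sender(sender):
    """Null reverse-path (MAIL FROM:<>) or a postmaster mailbox."""
    return sender == "" or sender.lower().split("@", 1)[0] == "postmaster"

def backscatter_candidates(lines, listed_at, window=timedelta(minutes=1)):
    """Outbound messages with a bounce-style sender within +/- window of the listing."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not delivery records
        ts, qid, sender, rcpt = m.groups()
        when = datetime.fromisoformat(ts)
        if abs(when - listed_at) <= window and is_bounce_sender(sender):
            hits.append((qid, sender or "<>", rcpt))
    return hits

def by_recipient_domain(hits):
    """Count candidates per destination domain to see who is receiving the bounces."""
    counts = {}
    for _, _, rcpt in hits:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        counts[domain] = counts.get(domain, 0) + 1
    return counts

# Constructed sample log (not real HES or Exchange output).
SAMPLE_LOG = """\
2021-04-15T13:40:02+02:00 Q1 from=<> to=<old@example.com>
2021-04-15T13:44:40+02:00 Q2 from=<> to=<a@example.net>
2021-04-15T13:45:10+02:00 Q3 from=<sales@customer.example> to=<b@example.org>
2021-04-15T13:45:50+02:00 Q4 from=<postmaster@customer.example> to=<c@example.net>
-- log rotated --
""".splitlines()

if __name__ == "__main__":
    hits = backscatter_candidates(SAMPLE_LOG, parse_listing_time("15.04.2021 13:45 CEST"))
    print(hits, by_recipient_domain(hits))
```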

  • ThK Cybersecurity Overlord ✭✭✭
    edited April 2021

    @David W Please contact your guys in the back office to switch off the 173.240.221.13 for outgoing delivery for a while. We hope it then automatically clears from the blacklist after 13.5.2021,

    so this would help all the customers and partners to get their emails through.

    ---------

    A total of 20 Impacts were detected during this listing. Last was 15.04.2021 13:45 CEST +/- 1 minute.

    Earliest date this IP can expire is 13.05.2021 13:45 CEST.

    -------------

  • BWC Cybersecurity Overlord ✭✭✭

    Not sure if disabling 173.240.221.13 will be a lasting solution, if the root cause is not fixed all other outbound servers will be burnt real quick :)

    --Michael@BWC

  • ThK Cybersecurity Overlord ✭✭✭

    @BWC of course you're right. But we had this mess in 2019/20 for several weeks. I had a lot of work to do to keep the customers engaged with HES.
