what does it mean?


what does it mean?

Poliman - Serwis
I have the domain kamir-transport.pl deployed on the server, with a DNS zone where Google's MX servers are configured, like aspmx.l.google.com, alt1.aspmx.l.google.com (and a few more). Mailboxes are not on my server; all e-mail is deployed on Google. Yesterday I saw this message in the log:

9FBE713D05F 1564 Tue Nov 6 06:34:55 [hidden email]
(host alt2.aspmx.l.google.com[74.125.24.27] said: 421-4.7.0 [54.38.202.128 15] Our system has detected that this message is 421-4.7.0 suspicious due to the nature of the content and/or the links within. 421-4.7.0 To best protect our users from spam, the message has been blocked. 421-4.7.0 Please visit 421 4.7.0 https://support.google.com/mail/answer/188131 for more information. t1-v6si2536163pgv.349 - gsmtp (in reply to end of DATA command))

Honestly, I don't fully understand this log. It looks like Google's MX says that some message from [hidden email] belonging to IP 54.38.202.128 (what is the 15 after the IP address?) looks suspicious, although it is sent to another mailbox in this same domain. But both mailboxes are hosted on Google, so why does Google's MX mention something about an IP that is not theirs?

PS
The SPF record configured in the DNS zone looks like Google advises -> v=spf1 include:_spf.google.com ~all
--
Pozdrawiam / Best Regards
Piotr Bracha

Re: what does it mean?

Dominic Raferd
On Thu, 8 Nov 2018 at 07:35, Poliman - Serwis <[hidden email]> wrote:
> I have the domain kamir-transport.pl deployed on the server, with a DNS zone where Google's MX servers are configured, like aspmx.l.google.com, alt1.aspmx.l.google.com (and a few more). Mailboxes are not on my server; all e-mail is deployed on Google. Yesterday I saw this message in the log:
>
> 9FBE713D05F 1564 Tue Nov 6 06:34:55 [hidden email]
> (host alt2.aspmx.l.google.com[74.125.24.27] said: 421-4.7.0 [54.38.202.128 15] Our system has detected that this message is 421-4.7.0 suspicious due to the nature of the content and/or the links within. 421-4.7.0 To best protect our users from spam, the message has been blocked. 421-4.7.0 Please visit 421 4.7.0 https://support.google.com/mail/answer/188131 for more information. t1-v6si2536163pgv.349 - gsmtp (in reply to end of DATA command))
>
> Honestly, I don't fully understand this log. It looks like Google's MX says that some message from [hidden email] belonging to IP 54.38.202.128 (what is the 15 after the IP address?) looks suspicious, although it is sent to another mailbox in this same domain. But both mailboxes are hosted on Google, so why does Google's MX mention something about an IP that is not theirs?
>
> PS
> The SPF record configured in the DNS zone looks like Google advises -> v=spf1 include:_spf.google.com ~all

This is a response from gsmtp (Gmail) saying that the e-mail your server relayed to them looks suspicious (detailed reasons not given), and so it was temporarily blocked. I am not sure why gsmtp gives a temporary 4xx response; I rewrite them to permanent 5xx to prevent pointless retries. If you are relaying world-sourced mails into your users' Gmail mailboxes, then messages of this type are a perennial problem. You might reduce their frequency with improved anti-spam/anti-virus checks.
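An added example, not from the original post or from Dominic: a parser for the deferred-queue entry quoted above (the format is `mailq` / `postqueue -p` output) that pulls out the SMTP reply code, the RFC 3463 enhanced status code, the relay host that answered and the IP Gmail flagged, and then applies the 4xx-to-5xx rewrite Dominic describes. Postfix 3.0 and later can do that rewrite natively with `smtp_delivery_status_filter` and a pcre table; the function here mirrors such a rule in Python. The sender address is a placeholder, and the meaning of the `15` after the IP is not documented in the thread, so it is only captured, not interpreted.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: the mailq (postqueue -p) entry quoted in the thread, with
# the sender address replaced by a placeholder and the multi-line 421 reply
# joined the way Postfix prints it.
SAMPLE_QUEUE_ENTRY = (
    "9FBE713D05F 1564 Tue Nov 6 06:34:55 user@kamir-transport.pl\n"
    "(host alt2.aspmx.l.google.com[74.125.24.27] said: 421-4.7.0 [54.38.202.128 15] "
    "Our system has detected that this message is 421-4.7.0 suspicious due to the "
    "nature of the content and/or the links within. 421-4.7.0 To best protect our "
    "users from spam, the message has been blocked. 421-4.7.0 Please visit 421 4.7.0 "
    "https://support.google.com/mail/answer/188131 for more information. "
    "t1-v6si2536163pgv.349 - gsmtp (in reply to end of DATA command))"
)

# "<queue id>[*!] <size> <arrival time> <sender>"
QUEUE_LINE_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+)[*!]?\s+(?P<size>\d+)\s+"
    r"(?P<arrival>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<sender>\S+)"
)
# "(host <name>[<ip>] said: <reply> (in reply to <command>))"
REASON_RE = re.compile(
    r"\(host (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\] said: (?P<reply>.+?) "
    r"\(in reply to (?P<stage>[^)]+)\)\)",
    re.S,
)
# Gmail prefixes the flagged text with "[<ip> <n>]"; the thread does not say
# what the trailing number means, so it is captured but not interpreted.
FLAG_RE = re.compile(r"^\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<extra>\d+)\]")

# Reply texts that are really permanent even though Gmail sends them as 4xx.
# Same idea as a Postfix smtp_delivery_status_filter pcre rule.
PERMANENT_PATTERNS = (
    re.compile(r"Our system has detected that this message is.*suspicious", re.S),
)


@dataclass
class DeferredDelivery:
    queue_id: str
    size: int
    sender: str
    relay_host: str
    relay_ip: str
    smtp_code: int
    enhanced: str               # RFC 3463 enhanced status code, e.g. "4.7.0"
    text: str                   # reply text with the continuation prefixes removed
    stage: str                  # which SMTP command the reply answered
    flagged_ip: Optional[str]
    flagged_extra: Optional[str]


def parse_queue_entry(entry: str) -> DeferredDelivery:
    first, _, rest = entry.partition("\n")
    head = QUEUE_LINE_RE.match(first)
    reason = REASON_RE.search(rest)
    if not head or not reason:
        raise ValueError("not a Postfix deferred-queue entry with an SMTP reply")
    reply = reason.group("reply")
    status = re.match(r"(?P<code>\d{3})[- ](?P<enh>\d\.\d+\.\d+)", reply)
    if not status:
        raise ValueError("reply carries no SMTP code / enhanced status code")
    code, enh = status.group("code"), status.group("enh")
    # Every continuation line repeats "421-4.7.0"; the last one is "421 4.7.0".
    text = re.sub(r"\s*" + code + r"[- ]" + re.escape(enh) + r"\s*", " ", reply)
    text = " ".join(text.split())
    flag = FLAG_RE.match(text)
    return DeferredDelivery(
        queue_id=head.group("qid"),
        size=int(head.group("size")),
        sender=head.group("sender"),
        relay_host=reason.group("host"),
        relay_ip=reason.group("ip"),
        smtp_code=int(code),
        enhanced=enh,
        text=text,
        stage=reason.group("stage"),
        flagged_ip=flag.group("ip") if flag else None,
        flagged_extra=flag.group("extra") if flag else None,
    )


def rewrite_status(enhanced: str, text: str) -> Tuple[str, str]:
    """Turn a known-permanent Gmail 4.x.x reply into 5.x.x so the queue bounces
    the message at once instead of retrying it until maximal_queue_lifetime."""
    if enhanced.startswith("4.") and any(p.search(text) for p in PERMANENT_PATTERNS):
        return "5" + enhanced[1:], text + " (rewritten to permanent by local policy)"
    return enhanced, text


if __name__ == "__main__":
    d = parse_queue_entry(SAMPLE_QUEUE_ENTRY)
    print(f"{d.queue_id}: {d.smtp_code} {d.enhanced} from {d.relay_host}[{d.relay_ip}] "
          f"after {d.stage}; Gmail flagged {d.flagged_ip}")
    print("local policy:", rewrite_status(d.enhanced, d.text)[0])
```

Keep the rewrite confined to reply texts you know are permanent: a blanket 4.x.x-to-5.x.x rule would also bounce mail the remote side genuinely wants retried (a plain "try again later" 4.2.1 is left alone above).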

Re: what does it mean?

Poliman - Serwis


2018-11-08 8:49 GMT+01:00 Dominic Raferd <[hidden email]>:
> On Thu, 8 Nov 2018 at 07:35, Poliman - Serwis <[hidden email]> wrote:
> > I have the domain kamir-transport.pl deployed on the server, with a DNS zone where Google's MX servers are configured, like aspmx.l.google.com, alt1.aspmx.l.google.com (and a few more). Mailboxes are not on my server; all e-mail is deployed on Google. Yesterday I saw this message in the log:
> >
> > 9FBE713D05F 1564 Tue Nov 6 06:34:55 [hidden email]
> > (host alt2.aspmx.l.google.com[74.125.24.27] said: 421-4.7.0 [54.38.202.128 15] Our system has detected that this message is 421-4.7.0 suspicious due to the nature of the content and/or the links within. 421-4.7.0 To best protect our users from spam, the message has been blocked. 421-4.7.0 Please visit 421 4.7.0 https://support.google.com/mail/answer/188131 for more information. t1-v6si2536163pgv.349 - gsmtp (in reply to end of DATA command))
> >
> > Honestly, I don't fully understand this log. It looks like Google's MX says that some message from [hidden email] belonging to IP 54.38.202.128 (what is the 15 after the IP address?) looks suspicious, although it is sent to another mailbox in this same domain. But both mailboxes are hosted on Google, so why does Google's MX mention something about an IP that is not theirs?
> >
> > PS
> > The SPF record configured in the DNS zone looks like Google advises -> v=spf1 include:_spf.google.com ~all
>
> This is a response from gsmtp (Gmail) saying that the e-mail your server relayed to them looks suspicious (detailed reasons not given), and so it was temporarily blocked. I am not sure why gsmtp gives a temporary 4xx response; I rewrite them to permanent 5xx to prevent pointless retries. If you are relaying world-sourced mails into your users' Gmail mailboxes, then messages of this type are a perennial problem. You might reduce their frequency with improved anti-spam/anti-virus checks.

Hmm, I am relaying e-mails, in this example between mailboxes of a specific domain which has its MX on Google. I have on the server: amavisd, clamav, fail2ban, postgrey, [spf, dkim, dmarc - currently not for each domain which has my server as MX]. Could you advise me what exactly I should improve? I can provide some configs if needed. I am not sure what I can do better.

PS
What exactly does "If you are relaying world-sourced mails into your users' Gmail mailboxes" mean - does my server act as an open relay?

--
Pozdrawiam / Best Regards
Piotr Bracha

Re: what does it mean?

Dominic Raferd


On Thu, 8 Nov 2018 at 08:07, Poliman - Serwis <[hidden email]> wrote:
> 2018-11-08 8:49 GMT+01:00 Dominic Raferd <[hidden email]>:
> > On Thu, 8 Nov 2018 at 07:35, Poliman - Serwis <[hidden email]> wrote:
> > > I have the domain kamir-transport.pl deployed on the server, with a DNS zone where Google's MX servers are configured, like aspmx.l.google.com, alt1.aspmx.l.google.com (and a few more). Mailboxes are not on my server; all e-mail is deployed on Google. Yesterday I saw this message in the log:
> > >
> > > 9FBE713D05F 1564 Tue Nov 6 06:34:55 [hidden email]
> > > (host alt2.aspmx.l.google.com[74.125.24.27] said: 421-4.7.0 [54.38.202.128 15] Our system has detected that this message is 421-4.7.0 suspicious due to the nature of the content and/or the links within. 421-4.7.0 To best protect our users from spam, the message has been blocked. 421-4.7.0 Please visit 421 4.7.0 https://support.google.com/mail/answer/188131 for more information. t1-v6si2536163pgv.349 - gsmtp (in reply to end of DATA command))
> > >
> > > Honestly, I don't fully understand this log. It looks like Google's MX says that some message from [hidden email] belonging to IP 54.38.202.128 (what is the 15 after the IP address?) looks suspicious, although it is sent to another mailbox in this same domain. But both mailboxes are hosted on Google, so why does Google's MX mention something about an IP that is not theirs?
> > >
> > > PS
> > > The SPF record configured in the DNS zone looks like Google advises -> v=spf1 include:_spf.google.com ~all
> >
> > This is a response from gsmtp (Gmail) saying that the e-mail your server relayed to them looks suspicious (detailed reasons not given), and so it was temporarily blocked. I am not sure why gsmtp gives a temporary 4xx response; I rewrite them to permanent 5xx to prevent pointless retries. If you are relaying world-sourced mails into your users' Gmail mailboxes, then messages of this type are a perennial problem. You might reduce their frequency with improved anti-spam/anti-virus checks.
>
> Hmm, I am relaying e-mails, in this example between mailboxes of a specific domain which has its MX on Google. I have on the server: amavisd, clamav, fail2ban, postgrey, [spf, dkim, dmarc - currently not for each domain which has my server as MX]. Could you advise me what exactly I should improve? I can provide some configs if needed. I am not sure what I can do better.
>
> PS
> What exactly does "If you are relaying world-sourced mails into your users' Gmail mailboxes" mean - does my server act as an open relay?

I also relay incoming mail into our users' Gmail boxes. It sounds as if you have pretty good mail checking already, so there may be little more you can do in this direction. If you are not already blocking e-mails based on DMARC (e.g. using opendkim and opendmarc), then that is something to add to your armoury (but don't block on p=quarantine, only on p=reject).

Generally these messages from gsmtp indicate that the mail was bad, so you don't have to worry too much: your users haven't missed anything. But if your server relays a large number of such e-mails, it might be blacklisted by Gmail.

However, a few 'good' mails can be blocked by Gmail precisely because you are relaying: in particular, ones where the sender domain has a DMARC p=reject policy but legitimate e-mails from it are sent without a DKIM header (relying only on SPF for delivery), or, if there are many recipients, where the sender has a hotmail (or presumably other MS) address. You will have to find workarounds for these edge cases.
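An added example, not part of the thread or of Dominic's post, showing the decision logic behind the advice above: a small DMARC evaluator (RFC 7489 identifier alignment, with a simplified organizational-domain lookup), a relay policy that refuses mail only on p=reject and delivers p=quarantine mail tagged, and the forwarding edge case in which a p=reject domain's unsigned mail passes at the relay but fails once Gmail sees the relay's IP instead of the sender's. The DMARC record, the domain names and the authentication results are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed DMARC record for a hypothetical sender domain; not a real zone.
SENDER_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@sender.example"


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 section 6.3)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(name: str) -> str:
    # Simplification for the example: the last two labels. Real implementations
    # consult the Public Suffix List so that e.g. example.co.uk is handled correctly.
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    spf_domain: Optional[str]       # MAIL FROM (or HELO) domain SPF was checked for
    spf_pass: bool                  # SPF result for the *connecting* IP at this hop
    dkim: List[Tuple[str, bool]]    # (d= domain, signature verified) per signature


def dmarc_disposition(from_domain: str, record: str, auth: AuthResults) -> str:
    """Return 'pass', or the policy the record requests (none/quarantine/reject).
    pct= sampling is ignored here, i.e. treated as pct=100."""
    tags = parse_dmarc(record)
    aspf, adkim = tags.get("aspf", "r"), tags.get("adkim", "r")
    spf_ok = bool(auth.spf_pass and auth.spf_domain
                  and aligned(from_domain, auth.spf_domain, aspf))
    dkim_ok = any(ok and aligned(from_domain, d, adkim) for d, ok in auth.dkim)
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


def relay_action(disposition: str) -> str:
    """Local policy for an inbound relay, following the advice in the thread:
    refuse only on p=reject; deliver p=quarantine mail tagged, not dropped."""
    return {"reject": "reject", "quarantine": "deliver-tagged"}.get(disposition, "deliver")


def forwarding_scenario(signed: bool) -> Tuple[str, str]:
    """The edge case from the thread: mail from a p=reject domain passes SPF at
    our relay (the sender's own MTA connects to us), but once we forward it
    Gmail sees *our* IP, SPF no longer passes, and only an aligned DKIM
    signature can keep the DMARC check passing."""
    dkim = [("sender.example", True)] if signed else []
    at_relay = dmarc_disposition("sender.example", SENDER_DMARC,
                                 AuthResults("sender.example", True, dkim))
    after_forward = dmarc_disposition("sender.example", SENDER_DMARC,
                                      AuthResults("sender.example", False, dkim))
    return at_relay, after_forward


if __name__ == "__main__":
    for signed in (False, True):
        at_relay, after_forward = forwarding_scenario(signed)
        print(f"DKIM signed={signed}: at our relay {at_relay} "
              f"(local policy: {relay_action(at_relay)}); "
              f"as seen by Gmail after forwarding: {after_forward}")
```

The second result is the one that matters for the edge case: the relay itself never has a reason to refuse the unsigned message, yet Gmail, evaluating the same policy against the relay's connecting IP, arrives at reject.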

Re: what does it mean?

Bill Cole
In reply to this post by Poliman - Serwis
On 8 Nov 2018, at 2:34, Poliman - Serwis wrote:

> Honestly, I don't fully understand this log. It looks like Google's MX
> says that some message from [hidden email] belonging to IP
> 54.38.202.128 (what is the 15 after the IP address?) looks suspicious,
> although it is sent to another mailbox in this same domain. But both
> mailboxes are hosted on Google, so why does Google's MX mention
> something about an IP that is not theirs?

Perhaps because it is an OVH IP, and OVH is an open sewer of spam?

It's an unfortunate fact that if your hosting provider has a history of
accommodating spammers, others will treat you as a spammer by default.
OVH is such a hosting provider.

> PS
> SPF record configured in DNS zone looks like google advices -> v=spf1
> include:_spf.google.com ~all

That SPF record probably should be supplemented with any non-Google
addresses that send messages claiming to be from that domain.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
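An added example, not part of the thread or of Bill's post: an offline SPF evaluator (RFC 7208 `ip4`/`ip6`/`include`/`all` mechanisms and the 10-lookup limit) run against the record quoted above. It shows that the relay's IP 54.38.202.128, which in the thread handed Gmail a message from a kamir-transport.pl sender, gets only a softfail from `v=spf1 include:_spf.google.com ~all`, and passes once an `ip4:` term for it is added in front of `~all`. The contents of the Google include chain and the `loop.example` record are constructed stand-ins for DNS, not Google's real records; only the shape is realistic.

```python
import ipaddress
from typing import Dict, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed stand-in for DNS TXT lookups. The kamir-transport.pl record is
# the one from the thread; the Google include chain is made up for the example
# (the real _spf.google.com / _netblocks*.google.com records differ), and
# loop.example is a pathological record that includes itself.
TXT_RECORDS: Dict[str, str] = {
    "kamir-transport.pl": "v=spf1 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:74.125.0.0/16 ip6:2a00:1450:4000::/36 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10   # RFC 7208 section 4.6.4


def check_host(ip: Union[str, IPAddr], domain: str, txt: Dict[str, str],
               lookups: Optional[List[int]] = None) -> str:
    """Evaluate the SPF record of `domain` for connecting address `ip`.
    Handles ip4/ip6/include/all (enough for the record in the thread); any
    other mechanism yields permerror rather than a silently wrong answer."""
    addr = ipaddress.ip_address(ip) if isinstance(ip, str) else ip
    lookups = [0] if lookups is None else lookups       # shared across includes
    record = txt.get(domain.lower().rstrip("."))
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            sub = check_host(addr, arg, txt, lookups)
            if sub == "pass":
                matched = True
            elif sub in ("fail", "softfail", "neutral"):
                matched = False
            else:               # none / permerror / temperror propagate as an error
                return "permerror"
        else:
            return "permerror"  # a, mx, ptr, exists, redirect=, macros: not implemented here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"            # no mechanism matched and no 'all' term


def add_sender_ips(record: str, ips: List[str]) -> str:
    """Insert ip4:/ip6: mechanisms for additional legitimate senders in front of
    the terminal 'all' term; anything placed after 'all' is never evaluated."""
    terms = record.split()
    extra = [f"ip{ipaddress.ip_address(a).version}:{a}" for a in ips]
    if terms and terms[-1].lstrip("+-~?").lower() == "all":
        return " ".join(terms[:-1] + extra + terms[-1:])
    return " ".join(terms + extra)


def demo() -> Dict[str, str]:
    relay, google_mx = "54.38.202.128", "74.125.24.27"
    amended = dict(TXT_RECORDS)
    amended["kamir-transport.pl"] = add_sender_ips(TXT_RECORDS["kamir-transport.pl"], [relay])
    return {
        "relay_before": check_host(relay, "kamir-transport.pl", TXT_RECORDS),
        "relay_after": check_host(relay, "kamir-transport.pl", amended),
        "google_ip": check_host(google_mx, "kamir-transport.pl", TXT_RECORDS),
        "loop": check_host(relay, "loop.example", TXT_RECORDS),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Adding the relay to the record helps only mail that really originates from kamir-transport.pl addresses on that host; it does nothing for third-party mail the server merely forwards, whose SPF is evaluated against the third party's MAIL FROM domain, not yours.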

Re: what does it mean?

Poliman - Serwis


2018-11-08 14:52 GMT+01:00 Bill Cole <[hidden email]>:
> On 8 Nov 2018, at 2:34, Poliman - Serwis wrote:
> > Honestly, I don't fully understand this log. It looks like Google's MX says that some message from [hidden email] belonging to IP 54.38.202.128 (what is the 15 after the IP address?) looks suspicious, although it is sent to another mailbox in this same domain. But both mailboxes are hosted on Google, so why does Google's MX mention something about an IP that is not theirs?
>
> Perhaps because it is an OVH IP, and OVH is an open sewer of spam?
>
> It's an unfortunate fact that if your hosting provider has a history of accommodating spammers, others will treat you as a spammer by default. OVH is such a hosting provider.
>
> > PS
> > The SPF record configured in the DNS zone looks like Google advises -> v=spf1 include:_spf.google.com ~all
>
> That SPF record probably should be supplemented with any non-Google addresses that send messages claiming to be from that domain.
>
> --
> Bill Cole
> [hidden email] or [hidden email]
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Available For Hire: https://linkedin.com/in/billcole

Maybe you are right, but I have no idea how I could check it. Currently I have tested my IP: I am not blacklisted, I am also clear regarding sending spam, and my server is not an open relay.
Are you sure that I should supplement this record with some others? I configured it based on Google support -> https://support.google.com/a/answer/140034?visit_id=636772709321477569-627126811&rd=1.
--
Pozdrawiam / Best Regards
Piotr Bracha