List Generating 530 Mail Denied Access Error

bellaonline
Posts: 98
Joined: Tue Feb 28, 2006 7:15 am

List Generating 530 Mail Denied Access Error

Postby bellaonline » Tue Mar 21, 2017 3:47 am

Greetings again!

I am running MailEnable Professional edition 6.88.

I've been running MailEnable for years and years and really haven't touched the configuration in quite some time. I have a list on my LisaShea server that gets used a few times a day.

All of a sudden, members get errors when mailing to that list. Nothing should have changed to cause this.

Note that I *do* have MailEnable set, after 8 incorrect commands, to block an IP, but they're just sending regular messages to the list. I can't imagine all the different people are all having issues. And, also, related to that, while I was in trying to troubleshoot this I saw my SMTP log file from two days ago was HUGE. 40 times as large as normal. It turns out someone was hammering my mail server trying to log into one of my accounts by guessing password after password. Why didn't they trigger the block? That is what I was trying to block with the incorrect-blocks-you-out setting, not my list members :).

Any thoughts? I don't even know how to begin troubleshooting this. I tried looking through the SMTP logs for references to bostonwriters and didn't find any at all.

This is what a member just sent to me, to demonstrate the error.

-------------------------------

This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed:

bostonwriters@lisashea.com

Technical details of this delivery failure are below:

Message Ref ID: 1490062562.35777.cal1-mh1234

Error Message from Destination Mail Server:
530 mail.minervawebworks.com ESMTP MailEnable Service, Version:
6.88-6.88- denied access at 03/20/17 22:16:24

Reporting-MTA: dns; cal1-mh1234.smtproutes.com
Received-From-MTA: dns; 208.70.91.168
Arrival-Date: Tue, 21 Mar 2017 02:16:25 +0000

Final-Recipient: rfc; bostonwriters@lisashea.com
Original-Recipient: rfc; bostonwriters@lisashea.com
Action: failed
Status: 5.0.0
Diagnostic-Code: smtp; 530 mail.minervawebworks.com ESMTP MailEnable
Service, Version: 6.88-6.88- denied access at 03/20/17 22:16:24

...........................

Thanks!

MailEnable-Ian
Site Admin
Posts: 8557
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: List Generating 530 Mail Denied Access Error

Postby MailEnable-Ian » Tue Mar 21, 2017 4:12 am

Hi,

You will find the security option for "Connection blocking" has actually worked and banned the incoming IP address from connecting. This would explain why you see the following error in the bounce:

530 mail.minervawebworks.com ESMTP MailEnable Service, Version: 6.88-6.88- denied access

The error indicates that the incoming IP address is being denied access because it's present in the SMTP access control list under the deny list. You will need to inspect your SMTP activity log file and search for the same error. Once you find it you will see the connecting IP address that is being blocked. You will need to remove the IP address from the SMTP Access control list - http://www.mailenable.com/documentation/6.0/Professional/SMTP_props_-_Inbound.html

As to why that IP is blocked I can only assume you route all your incoming mail via a spam gateway. The harvest attacks are coming through via the gateway address and thus MailEnable blocks that IP (after total amount of invalid AUTH attempts) and prevents legitimate connections from being able to connect.
Regards,

Ian Margarone
MailEnable Support

bellaonline
Posts: 98
Joined: Tue Feb 28, 2006 7:15 am

Re: List Generating 530 Mail Denied Access Error

Postby bellaonline » Tue Mar 21, 2017 4:31 am

Dear Ian -

Good to hear from you!

In terms of spam, I use SolarWinds which is a spam filtering external-to-me system. They block 90% of incoming email as spam before it even gets to my server which saves my server a lot of wear and tear. On a side note, I sent them a message just a half hour ago about reducing their price or dropping them. I'm paying them $218/mo just to keep out the spam and that expense is just too much right now. For that cost, with the way server prices have dropped in the past decade, I could lease an entire server that did nothing but handle email again, like I used to do.

I imagine you have lots of people who just use MailEnable without any sort of pre-filter. Would you say the MailEnable anti-spam handling would be up to that task, of getting in the other 90% of the spam and sorting it out? Or is a lot of that new spam going to get passed through to my editors? If I have to go through another third party solution first I'll do that - I'm sure one exists that's cheaper than $218/mo now.

But in terms of this current issue, SolarWinds is just for incoming spam or not-spam email. They pass along the not-spam email and hold onto the spam email. That shouldn't have anything at all to do with the actual direct logon attempts on my server by the people trying to guess my passwords. Those people are doing direct connections to my mail server by IP address. So they aren't going anywhere near SolarWinds. I can see all the various IP addresses in my SMTP log of those hackers trying to make guesses and the IP addresses are all over the place. Like 203.156.135.21 from Bangkok. That's not SolarWinds :). Or 203.115.13.198 from Sri Lanka. I'm getting hammered by these IP addresses, far more than 8 times, with invalid logon attempts. That is what I wanted to block with that setting.

I'm not sure how SolarWinds just passing along a message they've vetted would trigger an error? I can't even find the SMTP log entry for when the bostonwriters@lisashea.com email comes in to see what happens to it. I'll keep looking. I just sent another message, myself, to that list from my house and I didn't get a bounceback, nothing's showing up on the SMTP logs, and nothing came through.

Lisa

bellaonline
Posts: 98
Joined: Tue Feb 28, 2006 7:15 am

Re: List Generating 530 Mail Denied Access Error

Postby bellaonline » Tue Mar 21, 2017 4:32 am

This is one page of yours I was reading:

https://www.mailenable.com/kb/content/article.asp?ID=ME020417

When it says:

"IP addresses can be added here if the IP has been automatically banned because of too many subsequent invalid commands."

Should that be *sequential* invalid commands? If subsequent is the right word, subsequent to what?

Lisa

bellaonline
Posts: 98
Joined: Tue Feb 28, 2006 7:15 am

Re: List Generating 530 Mail Denied Access Error

Postby bellaonline » Tue Mar 21, 2017 6:12 am

I logged into SolarWinds to see what their records said, and I found the record for Lynn's attempt to mail the list.

..............

03/20/2017 07:16 PM Lynn Lewis Ribeiro bostonwriters@lisashea.com Re: Reminder Meeting Tue 3/21 at Noon in Andover / Grassfields
BOUNCE (PERM FAIL)
IN 530 mail.minervawebworks.com ESMTP MailEnable Service, Version: 6.88-6.88- denied access at 03/20/17 22:16:24
..............

Looking at the SMTP activity log on the LisaShea server, at the time of Lynn's bounce I see this:


03/20/17 22:16:24 SMTP-IN AA51B07053E64460A68ADD1998F4698E.MAI 20 208.70.91.168 530 mail.minervawebworks.com ESMTP MailEnable Service, Version: 6.88-6.88- denied access at 03/20/17 22:16:24 0 0


So that 22:16 matches up with her bounce. And when I then search the SMTP log file for that IP address 208.70.91.168 I find it's being denied access a number of times - but *nowhere* do I see any sign that it's doing anything wrong. It just kept being denied. It never even had a chance to do anything wrong. I went through the whole day. If it was being temporarily tossed onto a list, surely I'd see what was causing it each time?

I can't find that IP address on any permanent "bad" list in the SMTP area. So it's not that it got permanently blocked somehow.

Should I put all the SolarWinds IP addresses into the whitelist area? Where else should I look?

Lisa

bellaonline
Posts: 98
Joined: Tue Feb 28, 2006 7:15 am

Re: List Generating 530 Mail Denied Access Error

Postby bellaonline » Tue Mar 21, 2017 6:20 am

OK I went digging through the Inbound / Access Control list, where specific IP addresses are denied access, and I'm finding all sorts of IP addresses in here associated with Solar Winds. That doesn't make sense. I can't imagine how they would even be added to this list. Would seeing a spam message come through (that Solar Winds missed, for example) then trigger the system to toss an IP address on this list - and then if the server crashed or something could it get stuck in here? I'm baffled how these addresses got into this listing.

This means it was blocking ALL sorts of mail I needed to get in.

I'm taking them out. I need to figure out how they got onto this list so it doesn't happen again. Will the whitelist do that?

Lisa

MailEnable-Ian
Site Admin
Posts: 8557
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: List Generating 530 Mail Denied Access Error

Postby MailEnable-Ian » Tue Mar 21, 2017 10:02 pm

Hi,

You really need to find out why the IPs are being banned. The SMTP log files will report why. As to what date/time this occurred you will need to iterate through each SMTP log file. Yes you can whitelist the IP addresses to avoid the Solar Winds IP address being banned by the connection dropping option.
Regards,

Ian Margarone
MailEnable Support

bellaonline
Posts: 98
Joined: Tue Feb 28, 2006 7:15 am

Re: List Generating 530 Mail Denied Access Error

Postby bellaonline » Wed Mar 22, 2017 3:12 am

OK it looks like this particular IP address got banned back on 3/2:

03/02/17 23:32:48 SMTP-IN 1F79DFC3A2C247D0B22CFD424D82EA7B.MAI 764 208.70.91.168 220 mail.minervawebworks.com ESMTP MailEnable Service, Version: 6.88-6.88- ready at 03/02/17 23:32:48 0 0
03/02/17 23:32:48 SMTP-IN 1F79DFC3A2C247D0B22CFD424D82EA7B.MAI 764 208.70.91.168 HELO HELO cal1-mh1234.smtproutes.com 250 Requested mail action okay, completed 43 33
03/02/17 23:32:48 SMTP-IN 1F79DFC3A2C247D0B22CFD424D82EA7B.MAI 764 208.70.91.168 MAIL MAIL FROM:<elis-t@aspisfun.com> 250 Requested mail action okay, completed 43 33
03/02/17 23:32:48 # ME-E0103: [764] Local Delivery: Failure - Domain for ([SMTP:elis-t@aspisfun.com]) is locally serviced, but recipient is not defined in address map.
03/02/17 23:32:48 SMTP-IN 1F79DFC3A2C247D0B22CFD424D82EA7B.MAI 764 208.70.91.168 RCPT RCPT TO:<elis-t@aspisfun.com> 550 Requested action not taken: mailbox unavailable or not local 66 31
03/02/17 23:32:54 SMTP-IN 1F79DFC3A2C247D0B22CFD424D82EA7B.MAI 764 208.70.91.168 RCPT RCPT TO:<elis-t@aspisfun.com> 550 Requested action not taken: mailbox unavailable or not local 66 31
03/02/17 23:33:02 SMTP-IN 1F79DFC3A2C247D0B22CFD424D82EA7B.MAI 764 208.70.91.168 RCPT RCPT TO:<elis-t@aspisfun.com> 550 Requested action not taken: mailbox unavailable or not local 66 31
03/02/17 23:33:11 SMTP-IN 1F79DFC3A2C247D0B22CFD424D82EA7B.MAI 764 208.70.91.168 RCPT RCPT TO:<elis-t@aspisfun.com> 550 Requested action not taken: mailbox unavailable or not local 66 31
03/02/17 23:33:20 SMTP-IN 1F79DFC3A2C247D0B22CFD424D82EA7B.MAI 764 208.70.91.168 RCPT RCPT TO:<elis-t@aspisfun.com> 550 Requested action not taken: mailbox unavailable or not local 66 31
03/02/17 23:33:29 SMTP-IN 1F79DFC3A2C247D0B22CFD424D82EA7B.MAI 764 208.70.91.168 RCPT RCPT TO:<elis-t@aspisfun.com> 550 Requested action not taken: mailbox unavailable or not local 66 31
03/02/17 23:33:38 SMTP-IN 1F79DFC3A2C247D0B22CFD424D82EA7B.MAI 764 208.70.91.168 RCPT RCPT TO:<elis-t@aspisfun.com> 550 Requested action not taken: mailbox unavailable or not local 66 31
03/02/17 23:33:46 SMTP-IN 1F79DFC3A2C247D0B22CFD424D82EA7B.MAI 764 208.70.91.168 RCPT RCPT TO:<elis-t@aspisfun.com> 550 Requested action not taken: mailbox unavailable or not local 66 31
03/02/17 23:33:55 SMTP-IN 1F79DFC3A2C247D0B22CFD424D82EA7B.MAI 764 208.70.91.168 RCPT RCPT TO:<elis-t@aspisfun.com> 550 Requested action not taken: mailbox unavailable or not local 66 31
03/02/17 23:33:55 # ME-I0073: IP Address 208.70.91.168 banned.
03/02/17 23:33:55 # ME-I0074: [764] (Debug) End of conversation

OK so why in the world would someone repeatedly send spam to the exact same email address over and over again within two minutes? Are they just trying to get the IP address banned to be a nuisance?

If this is the case, doesn't it mean if one person at AOL (just to choose a location) spams me 8 times they're now going to lock an entire AOL mail system IP address from being able to reach me? Is there a way to have it ban people who are trying logon attempts - which do concern me - but not people who are just spamming imaginary email addresses - which I don't care much about?

Lisa
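The log search worked through in the posts above, as an added example that is not part of the original thread or MailEnable's own tooling: for every ME-I0073 ban it tallies the failed replies that IP drew beforehand, so a ban caused by rejected recipients can be told apart from one caused by logon guessing. The field layout is assumed from the log lines quoted in the thread, and the AUTH lines in the sample are constructed.

```python
import re
from collections import Counter, defaultdict

# Layout assumed from the log lines quoted in the thread (whitespace-separated).
EVENT = re.compile(r"^(\S+ \S+)\s+SMTP-IN\s+\S+\s+\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(.*)$")
BAN = re.compile(r"^(\S+ \S+)\s+# ME-I0073: IP Address (\S+) banned\.")
CODE = re.compile(r"(?:^|\s)([2-5]\d\d)\s")

# Constructed sample: the first IP's lines are abridged from the thread's excerpt;
# the 203.0.113.9 AUTH lines are invented for contrast and their format is assumed.
SAMPLE = """\
03/02/17 23:32:48 SMTP-IN 1F79.MAI 764 208.70.91.168 MAIL MAIL FROM:<elis-t@aspisfun.com> 250 Requested mail action okay, completed 43 33
03/02/17 23:33:46 SMTP-IN 1F79.MAI 764 208.70.91.168 RCPT RCPT TO:<elis-t@aspisfun.com> 550 Requested action not taken: mailbox unavailable or not local 66 31
03/02/17 23:33:55 SMTP-IN 1F79.MAI 764 208.70.91.168 RCPT RCPT TO:<elis-t@aspisfun.com> 550 Requested action not taken: mailbox unavailable or not local 66 31
03/02/17 23:33:55 # ME-I0073: IP Address 208.70.91.168 banned.
03/02/17 23:40:01 SMTP-IN 2A00.MAI 801 203.0.113.9 AUTH AUTH LOGIN 535 Invalid Username or Password 34 12
03/02/17 23:40:03 SMTP-IN 2A00.MAI 801 203.0.113.9 AUTH AUTH LOGIN 535 Invalid Username or Password 34 12
03/02/17 23:40:03 # ME-I0073: IP Address 203.0.113.9 banned.
""".splitlines()

def explain_bans(lines):
    """For each ME-I0073 ban, tally the 4xx/5xx replies that IP drew beforehand."""
    failures = defaultdict(Counter)   # ip -> Counter of (command, reply code)
    bans = []
    for line in lines:
        ban = BAN.match(line)
        if ban:
            when, ip = ban.groups()
            tally = failures.pop(ip, Counter())
            cmds = {cmd for cmd, _ in tally}
            kind = "auth" if "AUTH" in cmds else "recipient" if "RCPT" in cmds else "other"
            bans.append({"ip": ip, "banned_at": when, "kind": kind, "failures": dict(tally)})
            continue
        event = EVENT.match(line)
        if not event:
            continue                   # debug lines such as ME-E0103 carry no IP field
        _, ip, rest = event.groups()
        parts = rest.split(None, 1)
        cmd = parts[0] if parts and parts[0].isalpha() else "-"  # greeting/denial: no command
        code = CODE.search(rest)
        if code and code.group(1)[0] in "45":
            failures[ip][(cmd, code.group(1))] += 1
    return bans

if __name__ == "__main__":
    for ban in explain_bans(SAMPLE):
        print(ban["banned_at"], ban["ip"], ban["kind"], ban["failures"])
```

Feeding it the lines of each daily SMTP activity log in date order shows which gateway addresses were banned for rejected RCPT commands and are therefore candidates for the whitelist.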

MailEnable-Ian
Site Admin
Posts: 8557
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: List Generating 530 Mail Denied Access Error

Postby MailEnable-Ian » Wed Mar 22, 2017 9:55 pm

Hi,

Normally this would only occur when spam bots try to perform dictionary attacks. Did the IP 208.70.91.168 route via the SolarWinds service? Is 208.70.91.168 the SolarWinds gateway?
Regards,

Ian Margarone
MailEnable Support
