
A couple of months ago some of our emails got hacked (they got hold of the passwords) and they sent out 1000+ spam emails from those specific accounts to random addresses. Now, months later, after having the hack problem fixed, the email accounts still face outgoing mail errors. Not with all emails: some get sent fine, others will be blocked.

For instance some of the errors we get are:

Error example 1

href="mailto:xxx@hotmail.com">xxx@hotmail.com host s01.spamexperts.axc.nl [185.182.56.9] SMTP error from remote mail server after end of data: 550 To contains invalid characters.

Error example 2

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

steven@jeni.be host s01.spamexperts.axc.nl [185.182.56.9] SMTP error from remote mail server after end of data: 550 To contains invalid characters.

Error Example 3

Reporting-MTA: dns; vserver87.axc.nl

Action: failed
Final-Recipient: rfc822;Txxx@xxx.com
Status: 5.0.0
Remote-MTA: dns; s01.spamexperts.axc.nl
Diagnostic-Code: smtp; 550 Maximum line length exceeded (see RFC 5322 2.1.1).

Error Example 4

Reporting-MTA: dns; vserver87.acx.nl

Action: failed
Final-Recipient: rfc882;xxxx@xxx.be
Status: 5.0.0
Remote-MTA: dns; s01.spamexpers.axc.nl
Diagnostic-Code: smtp; 550 Maximum line length exceeded (See RFC 5322 2.1.1)

We are getting kind of desperate here to get this problem fixed because we don't know what to do anymore.

If it matters, everything is hosted on Versio.nl.

Does anyone have any clue what is going on with the emails and/or an idea on how to fix the issues?

Kind regards

  • The error 550 is strange; did you look at the mail itself to see if something is not ok? – yagmoth555 Oct 13 '17 at 10:44
  • @yagmoth555 Yes, at first we thought the actual content or something was wrong, but it also happens with really basic emails. No special chars, no attachments, just plain text emails. – Filip Huysmans Oct 13 '17 at 10:47
  • If I were you, I'd create new mail servers with better security and refuse the old servers. You don't know about the hackers' impact on your servers and this is a problem – Egor Vasilyev Oct 13 '17 at 11:02
  • @EgorVasilyev Only the affected emails have the sending problem and it's on shared hosting. Let's say that 95% of the email addresses we have don't have any problem. – Filip Huysmans Oct 13 '17 at 11:19
  • @EgorVasilyev It's also on shared hosting so I'm not too keen on creating a new mail server. Would it however be a solution if we delete the email addresses and create them again? Or will the problems shift to the new emails as well? – Filip Huysmans Oct 13 '17 at 11:20
  • @Filip Huysmans, what MTA do you use? Try to set up detailed logging (or debug) for these emails. – Egor Vasilyev Oct 13 '17 at 11:21
  • Time for a new email address and/or domain. Unless you can get hold of every 3rd party and request they clear your bad reputation (most unlikely). – Jacob Evans Oct 13 '17 at 11:28
  • @EgorVasilyev I'm not at home in all the terminology; is the MTA something like an Outlook program, or really the mail server behind it? – Filip Huysmans Oct 13 '17 at 11:30
  • @JacobEvans Even in the case where 95% of the mails of a single email address are sent fine and 5% get the bounce errors? And by the third party you mean the receiving email address we sent the mail to? – Filip Huysmans Oct 13 '17 at 11:31
  • If the reputation issues are by email address and not source IP, and the 3rd party systems will not reset the reputation... Yup – Jacob Evans Oct 13 '17 at 11:47

2 Answers


These errors don't seem to indicate a reputation issue.

The first three indicate issues with the destination address being sent by your server. It appears the address entry has been mangled. This likely applies to the address in the RCPT TO data.

The last may be related, or a different issue. Again it points to mangling of the message.

Try running a program like tcpdump to capture the traffic to one or two of the destinations having problems. Examine the contents to see what is being mangled.

It is possible that some address rewrite rules were implemented on your server that are mangling the data. This may be expanding the addresses to excessive lengths and/or inserting invalid characters.

The bounce messages should include the original message or at least the headers of the message. These may help in understanding what is happening. The RFC describes the headers and their correct format.

Building a new mail server and replacing the existing server may be in order.

BillThor
  • Second that - the MTA (mail server) needs to be analyzed with detailed logging and any mess sorted out. Failing that, it'll need to be replaced. – Zac67 Oct 13 '17 at 20:37
  • With "mangled", are you pointing at the email address like 'xxx@hotmail.com' in the errors? Because that's where I changed the email address, just not to show it on the internet here – Filip Huysmans Oct 14 '17 at 13:11
  • @FilipHuysmans I meant mangling into invalid addresses. I've updated the post. – BillThor Oct 14 '17 at 22:50
  • I'm gonna try, I'll keep this topic posted! – Filip Huysmans Oct 16 '17 at 06:33
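The checks BillThor describes (pull the headers out of the bounce or a capture and compare them against the RFC) can be scripted. The following is an added example, not code from the answer or from the asker's hosting provider. It reads a raw message as bytes and reports exactly the two conditions the bounces name: recipient headers that contain characters outside a plain addr-spec ("To contains invalid characters") and physical lines longer than the 998-octet limit of RFC 5322 section 2.1.1 ("Maximum line length exceeded"). The sample message, the example.com/example.be addresses and the `X-Rewritten` header are constructed stand-ins; on a real case you would feed it the original message attached to the bounce or extracted from a tcpdump capture.

```python
"""Lint an outgoing message for the two conditions named in the bounces:
recipient headers with characters that are not valid in an address, and
physical lines longer than RFC 5322 section 2.1.1 allows."""
import email
import re

MAX_LINE = 998  # hard limit per RFC 5322 2.1.1, not counting the CRLF

# addr-spec built from dot-atom text only; anything outside this set
# (quotes, angle brackets, spaces, colons) counts as "invalid characters"
ADDR_SPEC = re.compile(r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9.-]+")

# Constructed sample message (assumption: stands in for a message the asker's
# server emitted). The To: line mimics HTML leaking into the header and the
# X-Rewritten: line is padded past the 998-octet limit.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b'To: href="mailto:xxx@hotmail.com">xxx@hotmail.com\r\n'
    b"Cc: Steven <steven@example.be>, ok.user@example.com\r\n"
    b"Subject: test\r\n"
    b"X-Rewritten: " + b"a" * 1100 + b"\r\n"
    b"\r\n"
    b"Hello\r\n"
)


def overlong_lines(raw: bytes) -> list:
    """Return (line number, length) for every physical line over MAX_LINE octets."""
    return [(n, len(line)) for n, line in enumerate(raw.splitlines(), 1)
            if len(line) > MAX_LINE]


def _addr_of(token: str) -> str:
    """Pull the addr-spec out of 'Name <addr>' or return the bare token."""
    token = token.strip()
    m = re.search(r"<([^>]*)>", token)
    return m.group(1).strip() if m else token


def invalid_recipients(raw: bytes) -> list:
    """Return (header, address) for recipient entries that are not a clean addr-spec.

    Splitting on commas is good enough for a diagnostic; a display name that
    itself contains a comma would be mis-split and show up as a false positive."""
    msg = email.message_from_bytes(raw)  # default compat32 policy: header values are plain strings
    bad = []
    for header in ("To", "Cc", "Bcc"):
        for value in msg.get_all(header, []):
            for token in value.split(","):
                addr = _addr_of(token)
                if not ADDR_SPEC.fullmatch(addr):
                    bad.append((header, addr))
    return bad


def lint(raw: bytes) -> dict:
    """Run both checks and return their findings keyed by check name."""
    return {"overlong_lines": overlong_lines(raw),
            "invalid_recipients": invalid_recipients(raw)}


if __name__ == "__main__":
    for check, findings in lint(SAMPLE).items():
        print(check, findings or "none")
```

Run against the constructed sample it flags the `To` entry and line 5 (the padded header); a clean message returns empty lists for both checks. The address regex is deliberately stricter than the full RFC 5322 grammar (no quoted local parts, no comments), so a hit is a reason to look at the raw header, not proof the receiving filter would reject it.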

I think you need to raise your sender reputation to have a delivery guarantee.

Several ways exist:

  1. Create an SPF record and list the servers which are allowed to send emails from your domains (you can use SPF generators);
  2. Deploy DKIM/DMARC technologies
Egor Vasilyev
  • The current SPF record is v=spf1 a mx ip4:185.182.59.59 a:spf.spamexperts.axc.nl -all. Compared it with a different one we use and it is the same, so this should already be good. I assume those technologies need to be installed on the server itself? – Filip Huysmans Oct 13 '17 at 12:26
  • Looks strange... Your server's name is `spf.spamexperts.axc.nl`? – Egor Vasilyev Oct 13 '17 at 12:38
  • Our provider uses the outgoing email filters of https://www.spamexperts.com/, I assume it is because of that – Filip Huysmans Oct 13 '17 at 12:53
  • `v=spf1 a mx ip4:185.182.59.59 a:spf.spamexperts.axc.nl -all` - this string literally means: allow receiving emails from servers which are listed in the `a` and `mx` records, including the server with IP `185.182.59.59` and all servers listed under the A record `spf.spamexperts.axc.nl`. `-all` - deny emails from other servers – Egor Vasilyev Oct 13 '17 at 13:36
  • should it be ~all instead? – Filip Huysmans Oct 13 '17 at 13:43
  • If you have only one server (185.182.59.59) to send emails, you can leave the SPF as is but without the `a:spf.spamexperts.axc.nl` record. – Egor Vasilyev Oct 13 '17 at 14:15
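The comments above walk through what each term of the SPF record means and whether `-all` or `~all` is the right catch-all. The evaluator below is an added example, not the answer's own code nor any SPF library: it parses the record quoted in the comments and checks a sending IP against it the way a receiving server would, but against a constructed DNS table so it runs offline. The domain `example.be`, its MX host and the 203.0.113.x/198.51.100.x addresses are assumptions (documentation ranges); only `185.182.59.59` and `spf.spamexperts.axc.nl` come from the thread. It implements just the `a`, `mx`, `ip4` and `all` mechanisms this record uses, not the full RFC 7208 set.

```python
"""Evaluate an SPF record for a sending IP against a constructed DNS table.
Only the a, mx, ip4 and all mechanisms are implemented (RFC 7208 defines more)."""
import ipaddress

# The record quoted in the thread.
RECORD = "v=spf1 a mx ip4:185.182.59.59 a:spf.spamexperts.axc.nl -all"

# Constructed DNS answers (assumption): example.be stands in for the asker's
# domain; the 203.0.113.x and 198.51.100.x addresses are documentation ranges.
DNS = {
    "a": {
        "example.be": ["185.182.59.59"],
        "mail.example.be": ["185.182.59.60"],
        "spf.spamexperts.axc.nl": ["203.0.113.10", "203.0.113.11"],
    },
    "mx": {"example.be": ["mail.example.be"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record: str) -> list:
    """Split 'v=spf1 ...' into (qualifier, mechanism, argument) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qual = "+"  # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def check_host(ip: str, domain: str, record: str, dns: dict) -> tuple:
    """Return (result, matching_term); result is pass, fail, softfail or neutral.

    Mechanisms are tried left to right and the first match decides, exactly
    as a receiving MTA does; 'all' at the end catches everything else."""
    sender = ipaddress.ip_address(ip)
    for qual, mech, arg in parse_record(record):
        target = arg or domain  # 'a' and 'mx' without an argument mean the checked domain
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(sender) in dns["a"].get(target, [])
        elif mech == "mx":
            matched = any(str(sender) in dns["a"].get(mx, [])
                          for mx in dns["mx"].get(target, []))
        else:
            raise NotImplementedError(f"mechanism {mech!r} is outside this example")
        if matched:
            return QUALIFIERS[qual], f"{qual}{mech}" + (f":{arg}" if arg else "")
    return "neutral", None  # nothing matched and there was no 'all' term


if __name__ == "__main__":
    for ip in ("185.182.59.59", "185.182.59.60", "203.0.113.11", "198.51.100.7"):
        print(ip, check_host(ip, "example.be", RECORD, DNS))
    # the '~all' variant asked about in the comments turns the unlisted sender into a softfail
    print("198.51.100.7 with ~all",
          check_host("198.51.100.7", "example.be", RECORD.replace("-all", "~all"), DNS))
```

The last call shows the practical difference the comments are circling: with `-all` an unlisted sender gets a hard `fail`, with `~all` only a `softfail`, which most receivers treat as a scoring hint rather than a rejection. Neither setting explains a 550 about invalid characters or line length, which is consistent with the other answer's point that these bounces are about message content, not reputation.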