Category Archives: Bounce Backs

Other Email Bounce Backs and Their Meanings

Bounce backs and error codes for email can be very mysterious and misleading. To help better understand them,we have started a new series on the blog dedicated to demystifying these occurrences. To read all of the blogs in this series please follow this link.

We’ve already covered a few of the different types of bounce backs but we haven’t really even scratched the surface! Email error messages can be broken down into three groups: User Error Messages, Domain Error Messages and Anti-Spam Error Messages.

User Error Messages
These are typically local issues with the user’s email account or email client. They include mailbox is full, message exceeds size limit (attachment size), and user unknown, mailbox unavailable or invalid recipients.

User Unknown
Probably the most common bounce back we see is the user unknown, mailbox unavailable and invalid recipients. Simply put the email address you are attempting to email, doesn’t exist. Typically these are due to misspellings of the user name or domain.

<user@domain.com>: host domain.com said:
550 5.1.1 <user@domain.com> is not a valid mailbox<user@domain.com>: Sorry, no mailbox here by that name. (#5.1.1)<user@domain.com>: host domain.com said:
550 Invalid recipient

If you receive a similar bounce back, confirm the spelling of the entire email address and resend if necessary. If you have confirmed the spelling then you can try and contact the user via an alternate method. Sometimes users don’t know they are having an issue!

Mailbox is full
Most mail systems have a limit on how much email is allowed to remain on the server for each individual user. If that limit is reached the server will not allow them to accept any new mail.

<user@domain.com>: User is over the quota. You can try again later.

<user@domain.com>: host domain.com said:
552 <user@domain.com>… Mailbox is full

Since this is a local issue with the user’s mailbox, their system administrator will need to either make room for new mail or increase their storage allocation. Typically you can resend your message a bit later as this type of problem is easily resolved. Keep in mind, that if you continue to receive the error that may mean that the account is no longer being monitored.

Message Exceeds Size Limit
This error indicates that the size of the message including email headers, message content and attachments exceed the domain per message size limit. Typically most mail servers only allow 5-10mb per message as a default. Email was never meant to be a way to send large attachments, it is instead recommended to use a 3rd party sending service, FTP server or another alternate method.

<user@domain.com>: host domain.com said:
552 message size exceeds maximum message size<user@domain.com>: host domain.com said:
552 Message size exceeds fixed maximum message size

Domain Error Messages
These type of errors usually have to do with a domains registrar expiration or DNS issues. If these issues occur you may receive a bounce back indicating a Connection Timed Out or Domain Not Found.

Connection Timed Out
A “connection refused,” or “connection timed out” error usually indicates a message sending issue. This could be due to a high volume of messages, an external spam attack on the server or an internal setup problem. Typically these are resolved rather quickly by the server automatically so you can resend your message a bit later.

<user@domain.com>: connect to 1.2.3.4: Connection Timed Out

Domain Not Found
If you receive an error indicating that domain could not be found or no DNS record exist, this means that the domain doesn’t exist. This may be a temporary issue where the domain has expired or it could mean there is an MX Record issue with their DNS.

<user@domain.com>: Name service error for domain domain.com:
Host not found, try again

Anti-Spam Error Messages
Everyone hates to get spam and there are hundreds of ways to try and stop it. One way that administrators use is to issue bounce backs if they believe a message is spam.  Often times, these are custom created bounce-backs so the error codes can vary, but the message is all the same. Stop sending spam!

NOTE: We do not advise using bounce backs to combat spam. This form of anti-spam may actually allow your users to get MORE spam. Instead we would highly recommend that anyone running a Business Email Server invest in an advanced heuristic spam, virus and phishing protection service, with controls featured in modern anti-spam and anti-virus products and services such as our own Spam and Virus Business Email Protection. We also include these services in our Email Hosting services.

<user@domain.com>: connect to domain.com: 550 Connection refused – we hate spammers!

<user@domain.com>:host domain.com said: 554 Denied

<user@domain.com>:host domain.com said: 552 spam source blocked

If you are receiving these types of bounce backs, we would highly recommend checking if your mail-serer IP Address is on a Blacklist. While your mail may be legitimate to you, others may not see it that way. If your company gets Blacklisted, it could cause major trouble for your business and slow down communication with your current customers or prospects and in general, the outside world.

There are many reasons an IP Address may end up on a Blacklist.  More often that not it’s because the administrators controlling it have not taken appropriate steps to secure their email infrastructure or the network has workstations that have been compromised by spammers, hackers, or virus propagators.

Bounce messages are all very different and may contain different languages but diagnosing the error code can help you understand it.  A good rule of thumb is to ensure that your messages are clean, simple and desirable.  This will go a long way to making sure your message reaches the recipient.

Taking the time to ensure that your messages get delivered is incredibly important.  Take the extra step and get advanced, real-time monitoring of your server against blacklists, as well as availability and performance. Please visit our website to learn more – MxWatch Monitoring – Email | Website | Network.

Additional Resources
400/500 Email Bounce Back Errors Explained
How to Read Email Bounce Backs and Errors
What Blackslists Are & How MxToolBox Helps

Non-Delivery Report (NDR) Spam or Backscatter Spam

Bounce backs and error codes for email can be very mysterious and misleading. To help with that we have started a new series on the blog dedicated to demystifying these occurrences. To read all of the blogs in this series, go here.

In our continuing blog series about bounce backs and error codes we wanted to talk about NDR Spam or Backscatter Spam. As we all know, spammers are tricky devils and they spend the majority of their time learning to adapt and circumvent email defense systems. One example that demonstrates the type of adaptability that Email Security professionals have to deal with is Backscatter spam. As an operator of a legitimate email server, one of the things your server does to be helpful to other servers is generate email containing error messages when messages encounter problems. For example if somebody sends you an email to an address that doesn’t exist, it is helpful for your server to send the original sender a Non-Delivery Report (NDR) notification to let them know that their message wasn’t delivered.

Unfortunately spammers can exploit this feature by creating a message with a forged Sender (From: field) so that it will reach their intended target. They then send this message to an email address they know doesn’t exist on your server in your domain. Your server kindly sends back a notification to the person it thought sent the message. In fact you just delivered the message for the spammer from your server and IP address which they most likely trust. This type of spam is difficult to detect and block because it is technically a legitimate notification.

The solution to eradicate this type of spam is to perform the test to see if the user exists during the SMTP conversation. By doing that, your server is never actually accepting the message from the sender and therefore need not generate a notification message. The sending server with a legitimate message for a non-existent address is then responsible for notifying it’s own user of the failure.

How to Handle Non-Delivery Reports
With Exchange servers, non-delivery reports (NDRs) are enabled. You can disable them by using Exchange System Manager. You can also specify who can receive copies of NDRs.

To disable NDRs in Exchange 2003, follow these steps:

  1. Click Start, point to Programs, point to Microsoft Exchange, and then click System Manager.
  2. Expand the Global Settings container in the left pane, click Internet Message Formats, right-click the Default object, and then click Properties.
  3. Click the Advanced tab.
  4. Click to clear the Allow non-delivery reports check box, and then click OK.

To specify who can receive copies of NDRs, follow these steps:

  1. Under Administrative Groups, expand First Administrative Group, expand Servers, expand server name, expand Protocols, expand SMTP, and then open the Default SMTP Virtual Server properties.
  2. Click the Messages tab, and then add an address to the Send copy of non-delivery report to field.
  3. Stop, and then restart the MS Exchange Routing Engine and SMTP services.

“Lock Down”
Another method to ensure that your server is not helping created Backscatter spam is to have a perimeter Lock Down in place. This will protect your entire network and company by using a Perimeter Defense Email system that will protect spam and viruses from ever reaching your network.

We highly recommend that anyone running a Business Email Server invest in an advanced heuristic spam, virus and phishing protection service, with controls featured in modern anti-spam and anti-virus products and services such as our own Spam and Virus Business Email Protection. We also include these services in our Email Hosting services.. It will pay off a thousand fold in the long run.  Most good anti-spam solutions do a reasonable job of limiting the impacts of NDR spam attacks.  But almost all still will allow a sender to try quite a few bad recipients before shutting them down.

Additional Resources:
http://support.microsoft.com/kb/294757
How to Read Email Bounces Backs and Errors

Bounce Backs: Denied For Spam, Message Rejected, Spam Source Blocked, What Does it Mean?

Bounce backs and error codes for email can be very mysterious and misleading. To help better understand them, we have started a new series on the blog dedicated to demystifying these occurrences. To read all of the blogs in this series please follow this link.

Have you ever received a bounce back that refers to your message as being blocked because it was considered spam? While the actual language of the bounce back or error message may vary if the error code is a 500 error, that does mean the message could not be delivered to the recipient (400/500 Email Bounce Back Errors Explained). In this particular case, we are referring to bounce backs that reference messages as being denied due to spam or IP reputation. The bounce back message itself will help identify why the message may have been denied (How to Read Email Bounce Backs and Errors); content of the message, unsolicited commercial email, or the Internet Service Provider (ISP) or email provider has a sending IP Address reputation problem (Blacklist).

Example Bounces
551 Denied for Spam
554 Service unavailable; Client host [<hostname>] blocked using Barracuda Reputation
554 Your access to this mail system has been rejected due to the sending MTA’s poor reputation
554 Denied (Mode: normal)
550 5.7.1 Message rejected as spam by Content Filtering
571 spam source blocked – psmtp

Message Content
The subject line and content of an email message are incredibly important! These two components can often lead to a spam filter flagging a message as spam and either placing the message in the recipient’s Junk Folder or worse, sending the message into a black hole never to be seen. We highly recommend taking extra time to ensure that your message has valuable content that someone would want to read and doesn’t sound too “spammy” or “salesy.”  This may seem simple, but it is amazing how often this is overlooked.

Another critical element to consider when constructing your message is that most larger Email Service Providers are using human influence in their spam scoring. This human touch is important to consider as users finally have the power to influence spam filtering. When users mark a message as spam some providers use this data to flag similar emails as spam and may add your email address, domain, or IP to a Blocked List. Sometimes the message is in fact a legitimate mailing that was requested by the end user but in the end if the recipient does not want the message in their inbox, they will often mark it as spam (The Search for the Perfect Spam Filter – October Newsletter).

Email Signatures
We have been seeing more and more issues with email signatures causing messages to be blocked. Just like the content of your message, be sure to keep your signature simple and free of extraneous information. For instance if you are recommending an outside company’s URL, make sure they are not Blacklisted and that they don’t have domain reputation problems. If certain messages are not getting through your recipient’s spam filter, make sure your signature is as clean as possible. You may also consider removing any images in your signature as well as that is a tactic that spammers will often use.

Explicit Blocked List
Another way that you could receive this bounce back message is if your email address or domain has been added to an explicit block list. This means that someone adjusted their spam filters to specifically block messages from your email address or domain. Unfortunately there is not much you can do in this case other than reach out to the recipient by other means to ask if they will consider removing the block. However, if they took the time to adjust the filters they usually have a reason for it.

Blacklist
If your company gets Blacklisted it could cause major trouble for your business and slow down your communication with current customers, prospects and in general, the outside world. A Blacklist, also known as a Real Time Blacklist (RBLs) is a list of problematic IP Addresses that are compiled by organizations monitoring spam on the Internet. There are many such organizations ranging from one person tinkering in their free time to large multinational corporations. MxToolBox provides a Free Blacklist Lookup Tool that will check an IP Address aggainst over 100 different blacklists. We do not control nor are we affiliated with any of the organizations running the lists; the tool simply performs a search against each list and aggregates the data into one result. Without such a tool in place, you would need to go to the website for each list and manually search for yourself. There are many reasons an IP Address may end up on a Blacklist.  More often that not it’s because the administrators controlling it have not taken appropriate steps to secure their email infrastructure or the network has workstations that have been compromised by spammers, hackers, or virus propagators.

Bounce messages are all very different and may contain different language but if they contain wording like Denied, Spam, and the like, it means they were more than likely blocked due to one of the issues listed above. Ensuring that your messages are clean, simple and desirable to the recipient will go a long way to making sure your message reaches the recipient.

Taking the time to ensure that your messages get delivered is incredibly important, take the extra step and get advanced, real-time monitoring of your server against blacklists, as well as availability and performance. Please visit our website to learn more – MxWatch Monitoring – Email | Website | Network.

Additional Resources
400/500 Email Bounce Back Errors Explained
How to Read Email Bounce Backs and Errors
What Blackslists Are & How MxToolBox Helps

400/500 Email Bounce Back Errors Explained

Bounce backs and error codes for email can be very mysterious and misleading. To help with that we have started a new series on the blog dedicated to demystifying these occurrences. To read all of the blogs in this series, go here.

Bounce backs and error codes might look like they need to be deciphered with a secret decoder ring. We are going to try here to shed some light on them so you can crack them open and extract the goodness within. So let’s work together to understand the the two most common types of bounce backs. When a bounce back message is generated, the mail server that issued it is attempting to let you know there was a problem with sending the message and give you some information so you have an idea of what went wrong.

We are going to first break bounce backs into two main categories. Every bounce message will include a three digit number which is it’s “reply code”. This is different from the series of numbers, usually three, separated by periods. The reply code is defined by the SMTP protocol.  These other error codes are defined by specific mail server software packages and configurations and can be unique to each vendor.

The three digit reply code will either start with a 4 or a 5. These are commonly referred to as 400’s and 500’s as a group.

Basically if the number starts with a 4 it means the message delivery is having a temporary issue and will be delayed – these are called deferrals. If the message starts with a 5 then the message failed and was not sent to the recipient – these are called fatal message errors.

Deferrals (400)
A 400 bounce back indicates that there has been a delay or issue in sending your message. When this type of bounce back is sent to you, it means that your mail server will attempt to retry to send the message. If the retries are unsuccessful, the mail server will eventually stop trying to send the message after a specified amount of time. This amount of time is dictated by your server administrator but the typical time frame is a few days. If you don’t receive another bounce back it usually indicates that your message was able to be sent after a few tries and/or the issue was resolved. If you receive a fatal bounce back (500 error), it does mean that the message failed.

Fatal Bounce Back (500)
If the issue could not be resolved or there is another type of problem you may receive a 500 error. If the bounce back includes a 500 number, this means that the message was not delivered due to an error. The errors can vary across the board but typically it is an issue with one of the following: the email itself (misspelling, mailbox is full, etc.), your rDNS is not configured correctly, your server may be Blacklisted, or the message was blocked by the recipient spam filters due to content, attachment or a virus.

Remember that knowledge is power!  We at MxToolBox are constantly educating ourselves about all the different bounce backs that exist.  Also keep in mind that with some Vendors and ISPs you have the ability to create custom bounce back errors…so you always have to be on your toes!

If you are concerned about mail delays or other performance issues with your server we would highly recommend trying our Premium MailFlow Monitoring. This service sends a message through your server and back to our datacenter. This unique method allows us to provide complete mail flow visibility on your server. This can help uncover issues that might be creating delays as well as detecting both inbound or outbound mailflow failures.

In addition to alerts for failure, you can login to see daily, weekly and/or monthly historical statistics. This method allows you to get a true picture of the performance of your mail server.

Footnotes:
http://en.wikipedia.org/wiki/Non_delivery_report
http://tools.ietf.org/html/rfc821#page-35 – List of Reply Codes
http://tools.ietf.org/html/rfc821#page-48 – Theory of Reply Codes

550-”5.7.1 Message rejected as spam by Content Filtering.” – Intelligent Mail Filtering with Exchange

Bounce backs and error codes for email can be very mysterious and misleading. To help with that we have started a new series on the blog dedicated to demystifying these mysteries. To read all of the blogs in this series, go here.

This is an error that our customers run into pretty often here are MxToolBox so we thought we would help explain the cause and provide some solutions to remedy it. By default Microsoft either installs/or recommends that the Intelligent Message Filtering (IMF) service be enabled on all installations of Exchange.

While the IMF can be somewhat helpful, it can be a detriment if you as the administrator don’t remember or even realize that it was installed on the server in the first place.  This can be especially troublesome when you have an additional 3rd party filtering service in place.  If you have IMF installed it essentially means you are double filtering your mail, once at the 3rd party spam filter and once at the Exchange Server. In cases that a 3rd Party Filtering is in place we typically recommend disabling the IMF feature. This is of course just a recommendation and you should do whatever you feel is best for your network environment.

How Does the IMF Identify Messages as Spam?
When a message reaches an Exchange Server with IMF installed, IMF will evaluate the textual content of the messages and then assign the message a Spam Confidence Level (SCL) rating from 1-9 based on the probability the message is Unsolicited Commercial Email (UCE).  This rating is then compared to the threshold set under Message Delivery Properties > Intelligent Message Filter in the Exchange System Manager.

How Do I Find Messages in the IMF?
Theoretically the IMF is supposed to place messages that it found as spam in your Outlook Junk Folder. Unfortunately, this doesn’t always tend to be the case.  If you have reports that messages are “missing” on your server and you can’t find them, check the IMF! To check this service, you will need to make sure that you have the Archiving option enabled. You can view the *Archived folder location here: C:program files[YOUR SERVER]mailroot[SMTP VIRTUAL SERVER]ucearchive.

*To view these archived messages you will need to download and install a 3rd-party tool.  If you have any recommendations regarding these tools, please leave them in the comments below.

Where is IMF installed?
When IMF is installed a new tab is added to the Exchange System Manager. For Exchange 2003, the tab is under Message Delivery > Properties under Global Settings.

There is also a new Intelligent Message Filtering node under Protocols > SMTP – This is where you enable IMF.

For Exchange 2007, it is under Exchange Management Console Server Configuration > Hub Transport > Anti – Spam.

As you may be aware, the native spam-filtering features in Exchange are typically too basic for most organizations.  While there is no question that IMF can improve Exchange’s ability to catch spam, you shouldn’t rely solely on this feature.  The IMF feature in Exchange simply cannot live up to the advanced heuristic spam, virus and phishing protection and controls featured in modern anti-spam and anti-virus products and services such as our own Spam and Virus Business Email Protection. We also include these services in our Email Hosting services.

Additional Sources:
http://technet.microsoft.com/en-us/library/bb266926(EXCHG.65).aspx
http://www.msexchange.org/tutorials/microsoft-exchange-intelligent-message-filter.html
http://support.microsoft.com/kb/867633

’4.3.1 Insufficient system resources’ – Back Pressure Feature Exchange 2007

Bounce backs and error codes for email can be very mysterious and misleading. To help with that we have started a new series on the blog dedicated to demystifying these mysteries. To read all of the blogs in this series, go here.

We see this type of error pretty often here at MxToolbox and so we wanted to post about it here. Customers Exchange servers can mistakenly react to normal mail flow and cause a disruption in service. The error that is posed is ’4.3.1 Insufficient system resources’.

A feature called Back Pressure in Exchange 2007 can sometimes cause this error to be received when we try to deliver messages to the customer server. When Back Pressure detects overused resources the Exchange Server controls system resources to prevent them from being overwhelmed and it allows the delivery process for current messages to be worked out. All these processes are part of the Back Pressure feature which is responsible for monitoring certain Exchange Server 2007 resources.

The drive on which the Queue DB and logs are stored must have 4GB or more free space otherwise the server will apply back pressure and start slowing the flow of messages! The main database file is called mail.que and by default can be found here:

C:Program FilesMicrosoftExchange ServerTransportRolesdataQueue

Other helpful articles:
http://www.msexchange.org/articles_tutorials/exchange-server-2007/management-administration/understanding-back-pressure-feature-exchange-server-2007.html
http://exchangepedia.com/blog/2007/03/exchange-server-2007-transport-452-431.html

How to Read Email Bounce Backs and Errors

Bounce backs and error codes for email can be very mysterious and misleading. To help with that we have started a new series on the blog dedicated to demystifying these occurrences. To read all of the blogs in this series, go here.

To kick off our series on demystifying and understanding email bounce backs and errors, we thought it would benefit everyone to go over how to read a bounce back. Some bounce backs are very cryptic and full of codes and numbers. How are you supposed to figure it out? Let’s break down a typical bounce back:

  1. The top part of this message is the actual bounce back. This is the “meat” of what you need to identify.  Sometimes bounces include lots of numbers and codes; ignore all that and find the string that references the 400 or 500 number.  (What’s the difference between a 400 and a 500 error?).  In this case the error is ‘550 No such user’. Since this account doesn’t exist at mxtoolbox.com the message was bounced by the recipient server.
  2. The second half of the bounce is the email headers. Keep in mind that not all bounce backs include this information, however, most do. This information is really helpful as it contains the Sender, Recipient, Date, Time and Subject, as well as server hops. If you are unable to figure out the issue, make sure you send the complete bounce back including the email headers to your IT administrator.  All of this information is critical in understanding a bounce back. If you need help reading headers, try our free tool, the Header Analyzer. It makes the email header a bit easier to read.

Microsoft Exchange
As with all things Exchange, they have their own way of doing things. Exchange bounces include a top header section; however, we tend to ignore that section as it has very little helpful information.  Remember to focus on the “Technical details” or the “Diagnostic Information for administrators;” as this is the “meat” of the data you need to analyze.   You may also notice that Exchange bounces include two conflicting “who rejected your message” statements. The second one labeled “Generating Server” is generally the server that issued the bounce.

Remember that knowledge is power!  We at MxToolBox are constantly educating ourselves about all the different bounce backs that exist.  Also keep in mind that with some Vendors and ISPs you have the ability to create custom bounce back errors…so you always have to be on your toes!

If this is a bit overwhelming or you don’t want to mess with understanding bounce backs or error codes, don’t worry.  It can take years of experience to feel comfortable reading and deciphering this information. We understand that you just want your email to work!  Implementing one of our Managed Business Email Products such as Spam and Virus Filtering or Hosted Email can help alleviate these issues and put someone in your back pocket to help understand when these problems occur.

Blocking Non-Delivery Report (NDR) spam with HTML Attachments

We have posted a few helpful hints for users that are experiencing problems with Password Reset requests, UPS, Western Union, Youtube and other forms of spam. However, it looks like the spammers are altering the message to adapt to the changes that Postini and other vendors are making, so more updates to the filters are expected.
We are recommending that a temporary custom attachment filter to block all messages with a .html attachment is enabled within Postini. NOTE: If this filter is applied, it will block any legitimate message with that type of attachment. See below for the steps to enable the filter and the recommended settings:

Attachment Manager Filter Steps
  1. Access the customer’s Postini User Org and enable the Inbound Attachment Manager.
  2. To build a custom filter for blocking .html attachments, select Filter and follow the image below:

  3. We highly recommend enabling ‘Scan inside compressed file types’ and ‘Enable binary scanning’ as this may also help with any future evolutions.
  4. Be sure to add ‘html’ under 2. Custom Filter Types to either User Quarantine (in case of false positives) or under Quarantine Redirect.
  5. Click Save and the filter is applied.

MxToolbox has partnered with WebRoot to offer Web Filtering to protect your network from attacks through the web browser. For more details on the protection that this program can offer, go here.

What does the Bounce Message – “Unable to Relay” Mean?

If your customers are receiving an error message like below, there are 2 settings that may need to be adjusted.

‘name@domain.com’ on 9/15/2006 11:11 AM
550 5.7.1 Unable to relay for name@domain.com

Configure your Exchange Server to accept mail anonymously for your domain

The directions below are for Exchange 2007, but most mail servers should have similar settings.
  1. Please confirm that your Send Connector has Anonymous Users allowed under Permission Groups.
  2. Open your Exchange Management Console and access Server Configuration > Hub Transport > Receive Connectors

  3. Right Click on the Default (or any other Receive Connector your company uses) and choose Properties.
  4. Select the Permission Groups tab and ensure that Anonymous Users is checked.

    NOTE: This does NOT allow anonymous users to send mail through your server, this would configure the server as an Open Relay; that would be bad. This allows anonymous users to  have access to the Receive Connector so they can send mail addressed to your domain(s).
Configure your Email Client to authenticate when it connects to your SMTP server
To resolve this issue please adjust their email client to require ‘My Outgoing Server SMTP Requires Authentication’. The directions below are for Outlook 2007, but most mail clients should have similar settings.
  1. Open Outlook
  2. Go to Tools > Email Account > Change
  3. Click More Settings > Select Outgoing Server tab and ensure that check box next to My Outgoing Server SMTP Requires authentication is enabled.
  4. Click Ok and Next and Finish.