[TriLUG] recent "Poor Reputation Sender" bounces

Matt Flyer via TriLUG trilug at trilug.org
Tue Jul 9 11:41:52 EDT 2019


On Tue, 2019-07-09 at 17:04 +0200, ac via TriLUG wrote:
> 
> this thread makes no sense.
> 
> 550 is a "hard bounce" - it is more commonly or generally used to
> indicate that there exists no such recipient....
> 
> And, 550 csi.mimecast.org Poor Reputation Sender. -
> https://community.mimecast.com/docs/DOC-1369#550
> 
> Has nothing to do with the pvt NAT ip but everything to do with the
> reputation of the public IP.
> 
> It also has nothing to do with no reverse of the public IP (That has
> its own "code")
> 
I gather that Joe's intended recipient uses Mimecast as their mail
receiver from the "au-smtp-inbound-2.mimecast.com".

According to Mimecast, the error code 550 is issued when "Anti-Spoofing 
policy - Inbound not allowed" and is triggered by their anti-spoofing
policy.  The error code 503 is used for non-existent user.

Consequently, it sounds like they flagged the sender as potentially
spoofed, which could explain Joe's intermittent results.  Looking over
one of the trilug messages, I see that my MX received the message from
pilot (Received: from pilot.trilug.org (2098.x.rootbsd.net
[208.79.82.66])) and that it has a valid SPF record. I do see that it
triggered an automatic reverse lookup which does show it being
rootbsd.net, not trilug.org - which is probably the reason it got
flagged.

As a side note, a quick RBL check on MxToolbox for pilot.trilug.org
shows no issues with a large number of RBL services checked, so the
spam reputation of Pilot should not be an issue.

Additionally, I noticed when attempting to SSH in from an IPv6-capable
host, that it wants to use the address: 2001:470:8:11ec::2 which also
shows clear on the RBL front.

You are correct that the NAT issue is immaterial in this regard as it
is the public IP that matters. 

In response to Joe's comment, I don't think vm-net is doing a many-to-
one NAT and using the public IP (208.79.82.66) for multiple hosts.  I
think it is dedicated to Pilot, for which nmap shows the typical ports
for an ssh, web, and email server.  A many-to-one works well for a large
number of outbound connections where the router can assign a random
port number for each connection and receives the corresponding return
traffic to that port.  It doesn't work so well for servers that receive
inbound connections at default ports, e.g. HTTP and SSH.  If they were
sharing the IP address with multiple hosts, how would it know which one
to send the inbound traffic to? Even if they're using SNI, it would not
be reliable or work for all services.

Therefore, they should be able to set the reverse lookup in the host
configuration, and if they can, it is probably wise as more and more
email recipients, such as Gmail, will bounce when the reverse DNS
doesn't match, even if you have a valid SPF record and DKIM signature.
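
Added example, not part of the original message: a forward-confirmed reverse DNS (FCrDNS) check of the kind discussed above, run against a constructed DNS snapshot so it works offline. Only 208.79.82.66, pilot.trilug.org and the PTR name 2098.x.rootbsd.net come from the message; the forward records, the 192.0.2.x rows, the result labels and the function names are assumptions.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check against a constructed DNS snapshot."""

# Constructed records for illustration. Only 208.79.82.66, pilot.trilug.org and
# the PTR name 2098.x.rootbsd.net come from the message; the forward (A) data
# and the 192.0.2.x rows are assumptions.
PTR = {
    "208.79.82.66": ["2098.x.rootbsd.net"],
    "192.0.2.10": ["mail.example.org"],
    "192.0.2.20": ["host.example.net"],
}
A = {
    "2098.x.rootbsd.net": ["208.79.82.66"],
    "pilot.trilug.org": ["208.79.82.66"],
    "mail.example.org": ["192.0.2.10"],
    "host.example.net": ["192.0.2.99"],  # forward record disagrees with PTR
}


def base_domain(name):
    """Last two labels; a simplification that ignores the Public Suffix List."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def check_rdns(ip, helo, ptr=PTR, a=A):
    """Classify a connecting IP the way a receiving MTA's rDNS test might."""
    names = ptr.get(ip, [])
    if not names:
        return "no_ptr"
    # Forward-confirm: keep PTR names whose A records include the client IP.
    confirmed = [n for n in names if ip in a.get(n.lower(), [])]
    if not confirmed:
        return "ptr_not_forward_confirmed"
    # Alignment: does any confirmed name share a base domain with HELO?
    if any(base_domain(n) == base_domain(helo) for n in confirmed):
        return "fcrdns_aligned"
    return "fcrdns_name_mismatch"


if __name__ == "__main__":
    for ip, helo in [("208.79.82.66", "pilot.trilug.org"),
                     ("192.0.2.10", "mail.example.org"),
                     ("192.0.2.20", "host.example.net"),
                     ("192.0.2.30", "nowhere.example.com")]:
        print(ip, helo, check_rdns(ip, helo))
```
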


