
Hi

I have a hybrid Exchange 2016 server. Mail from E2k16 is routed through M365. My mails from on-premises mailboxes are getting blocked and my IP is blacklisted. I have to whitelist in Spamhaus, and then mail starts delivering. But if I try to send a mail to helocheck@abuseat.org to check, it is being blocked, while mails are being delivered to other domains. It seems the HELO is resolving to something like the entries below, as returned by Spamhaus.

The MX record is set to M365 (mydomain.mail.protection.outlook.com), and SPF is protection.outlook.com.

193.227.165.206 2021-10-21 14:45:00 206-84-183-104.dsl.net.pk
193.227.165.206 2021-10-20 12:50:00 rain-197-185-113-188.rain.network
193.227.165.206 2021-10-19 20:55:00 static-ip-18156197237.cable.net.co

In the M365 trace, below is what I get:

Reason: [{LED=550 *** The HELO for IP address 40.107.1.127 was 'EUR02-HE1-obe.outbound.protection.outlook.com' (valid syntax) ***};{MSG=};{FQDN=mail.abuseat.org};{IP=54.93.50.35};{LRT=10/22/2021 7:33:40 AM}]. OutboundProxyTargetIP: 54.93.50.35. OutboundProxyTargetHostName: mail.abuseat.org

I'd appreciate it if anyone can assist me.

TIA

Mathew

6 Replies

· · ·
Troy Jollimore
Habanero
Best Answer

If you're routing through E365 servers, why would your external IP address be showing up at all? Unless outbound email goes direct from your E2016 server. Though I never saw anyone able to spoof the DNS lookup for HELO, it's definitely possible.

0
· · ·
Liby1968
Sonora

Hi Troy,

Thank you for your assistance. I am 100% sure that I am routing my external mail from on-premises to E365. I cannot telnet to my Exchange 2016 public IP from an external IP. I am also confused. Below is the redacted trace from E365; the masked address is my on-premises mail address.


0
· · ·
Liby1968
Sonora

Figured it out. It was a compromised PC.

1
· · ·
Ivan_Wang
Datil

I'm glad that you've found the culprit causing this mail flow issue. If there is any issue after that, feel free to post it. If everything works well, you could mark your solution as the best answer to finish this thread.

0
· · ·
Troy Jollimore
Habanero

Was that spamming PC sending direct? Or was it still routing through your Exchange/E365?

Used to love reading the warning banners at the blocklist providers, "Please make sure you check your network for compromised PCs BEFORE asking us to unblock your IP address for the umpteenth time!" ;)

0
· · ·
Liby1968
Sonora

It was through E365. I am still wondering how.

On second thought, what do I look for in the Exchange 2016 logs to find a compromised PC? My detection was a fluke, as it was based on the Spamhaus notification "193.227.165.206 2021-10-21 14:45:00 206-84-183-104.dsl.net.pk" in my first message. I removed the PCs in Pakistan for which relay was allowed, and the issue got resolved.

Thanks for the support to all.

0
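The last question in the thread, what to look for in the Exchange 2016 logs to spot a relaying PC, goes unanswered. The script below is an added example, not posted by anyone in the thread, showing one way a defender would rank internal SMTP clients by how much external mail they pushed through the on-premises server; it assumes an Exchange Management Shell on the Mailbox server, and the 24-hour window and the "external recipient" test against accepted domains are assumptions.

```powershell
# Added example: find internal hosts relaying external mail through Exchange 2016.
# Assumes Exchange Management Shell; window and thresholds are arbitrary choices.
$start = (Get-Date).AddHours(-24)
$end   = Get-Date

# Accepted domains count as "internal"; any other recipient domain is outbound relay.
# (Wildcard entries such as *.contoso.com are compared literally here.)
$internal = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

$stats = @{}
Get-MessageTrackingLog -Start $start -End $end -EventId RECEIVE -Source SMTP -ResultSize Unlimited |
  ForEach-Object {
    # OriginalClientIp survives front-end proxying; fall back to ClientIp if absent.
    $ip = if ($_.OriginalClientIp) { "$($_.OriginalClientIp)" } else { "$($_.ClientIp)" }
    if (-not $stats.ContainsKey($ip)) {
        $stats[$ip] = [pscustomobject]@{
            ClientIp      = $ip
            Hostname      = $_.ClientHostname
            Connector     = $_.ConnectorId
            Messages      = 0
            ExternalRcpts = 0
            Senders       = New-Object 'System.Collections.Generic.HashSet[string]'
        }
    }
    $s = $stats[$ip]
    $s.Messages++
    # Many distinct (often forged) sender addresses from one client is a spam indicator.
    [void]$s.Senders.Add("$($_.Sender)".ToLower())
    foreach ($rcpt in $_.Recipients) {
        $dom = ("$rcpt" -split '@')[-1].ToLower()
        if ($internal -notcontains $dom) { $s.ExternalRcpts++ }
    }
  }

# In a hybrid setup, M365/EOP IPs also appear as SMTP clients; they belong here,
# an end-user workstation or a Pakistan-based relay client does not.
$stats.Values |
  Where-Object { $_.ExternalRcpts -gt 0 } |
  Sort-Object ExternalRcpts -Descending |
  Select-Object ClientIp, Hostname, Connector, Messages, ExternalRcpts,
                @{ n = 'DistinctSenders'; e = { $_.Senders.Count } } |
  Format-Table -AutoSize
```

Cross-check the top entries against the receive connector's RemoteIPRanges (Get-ReceiveConnector) to confirm which connector granted the relay, and against the SMTP receive protocol logs for the exact sessions.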