[SOLVED!] Why Are MessageLabs Blocking My Emails?


Updated - see end of post!
I am not a happy bunny. Last year, while trying to buy a house, Symantec's MessageLabs decided to block my Estate Agent and my bank from receiving any emails from my personal domain. In the middle of a rather stressful house purchase, I had to swap my email addresses and convince the parties involved all to use the new one.

This year, they're blocking me from contacting media organisations, potential clients, and the Houses of Parliament. What on Earth is going on?

Rather than run my own mailservers, I use Google Apps for business. I'm grandfathered in to their old, free plan.

Most of the time, my email goes through. Every so often - usually when I want to email a large company - I get the following NDR:


Delivery to the following recipient failed permanently:

[email protected]

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the server for the
recipient domain example.com by cluster8.us.messagelabs.com. [216.82.249.147].

The error that the other server returned was:
553-Message filtered. Please see the FAQs section on spam
553-at http://www.messagelabs.com/support/ for more
553 information. (#5.7.1)

----- Original message -----

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
h=x-gm-message-state:mime-version:date:message-id:subject:from:to
:content-type;
bh=OZZofHmLsEO1Y7KJwhrn2ISGQjQ5QOi8uq3SZTEDPho=;
etc

(Some details obfuscated).

I've tried contacting Symantec - but they refuse to help because I'm not their customer. They're very polite, but as I don't pay for their services, I'm stuck.

Unfortunately I cannot seem to locate your account on our systems. Please could you provide us with your MessageLabs account number or your account name so that we can raise a support ticket for you and address your query? If not, we have only support available for clients here.

Support Centre Administrator
www.symanteccloud.com

I pointed out that I wasn't a customer but that my domain was being blocked by several companies which use their product.

Our best advice at this point would be to refer you back to example.com so that they may investigate and then liaise with Symantec.cloud where appropriate to log a case with us to have further investigation.

We apologize for any inconvenience caused and feel that this is the best route for resolution.

So, no luck there.

The URL that they give in their bounce message doesn't actually provide any help. I eventually found this FAQ about Symantec's blocking.

Here are their suggestions - none of which apply to me!

I. Check if your sending IP is on any spam lists, search for “spam database lookup”. You are looking for any 3rd party lists that may have received spam from your mail server. If your IP address is on any of these block lists, please make a removal request as soon as possible, once removed please retry sending your mail.

Well, Google manages the IP address - so I suspect I share it with millions of others. Symantec don't actually provide a way to make a removal request.

II. Ensure your mail server is not open relay, search for “Email Open Relay Tester” and choose from any number of testers.

Again, I don't manage the mail server - but all the tests I've run indicate it's fine.

III. If your internet line is provided by DSL or Cable that shares IP’s with residential users, please ensure your mail server sends to your ISP’s smart host instead of direct to the internet. This reduces the potential of your email being detected in error as coming from a Trojan infected home user machine.

A fair suggestion - but this happens whether I send from home, work, or mobile. All on different IPs from different ISPs.

IV. Ensure the email you are sending does not contain any spam content (i.e. forwarded spam or ‘spamvertised’ URL’s).

Nope. I've tried with attachments, without attachments, replying to the original mails I'd been sent, creating new emails, plain text, HTML, no links. Rejected every time.

V. Ensure your mail server is configured correctly.

Ha!

VI. Ensure you have no virus infected machines on your network that are being used to send spam through your mail server.

I run a pretty tight ship here 🙂

VII. Ensure you have no exploitable web scripts on your web servers that could be abused to send spam.

My domain - shkspr.mobi - doesn't appear to be infected with anything nasty.

VIII. Make sure any ‘opt-in’ newsletters contain an ‘opt-out’ link.

I'm not popular enough to send a newsletter 🙂

What Next

I've tried getting in contact with the IT departments where my mail is being blocked - but that's not always possible.
I'm trying to get hold of someone in Symantec to see if they can explain how or why my email address has ended up on their spam lists.

If any of you dear readers can shed any light on the matter - please let me know!

Update!

Ian from MessageLabs got in contact with me. I sent him some sample mails to see if they could shed any light on it.

As mentioned in the comments, I changed my SPF records for my domain name. That didn't resolve the issue.

I then added Google's DKIM information to my DNS. That did solve the problem. Now all my mail goes through correctly.

Remember, if you're using CloudFlare, you'll need to change the details with them - not your normal hosting provider!

In chatting with MessageLabs they've agreed that they need to make their rejection messages clearer so that users can understand why they've been blocked and how to resolve the issue.
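
Added example (not from the original post): it parses the signature header quoted in the NDR above to show which domain signed the message and where a verifier looks up the key, then applies the same checks to a constructed signature for shkspr.mobi and to an SPF value. The `google` selector, the second signature and the key record values are assumptions made for illustration.

```python
import re

# Header value as quoted in the NDR above (the post elides the rest).
NDR_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; "
           "h=x-gm-message-state:mime-version:date:message-id:subject:from:to "
           ":content-type; bh=OZZofHmLsEO1Y7KJwhrn2ISGQjQ5QOi8uq3SZTEDPho=;")
# Constructed: a signature made for the custom domain (selector is assumed).
OWN_SIG = "v=1; a=rsa-sha256; c=relaxed/relaxed; d=shkspr.mobi; s=google;"

def parse_tags(value):
    """Parse a DKIM tag=value list (RFC 6376 section 3.2) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, _, val = part.partition("=")  # base64 values may end in '='
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_key_name(sig):
    """DNS name where a verifier fetches the public key for this signature."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def signed_by_domain(sig, from_domain):
    """Simplified check: d= equals the From domain or is a parent of it."""
    d, f = sig["d"].lower(), from_domain.lower()
    return f == d or f.endswith("." + d)

def key_record_usable(txt):
    """A DKIM key record needs a non-empty p= tag; an empty p= means revoked."""
    tags = parse_tags(txt)
    return tags.get("v", "DKIM1") == "DKIM1" and bool(tags.get("p"))

def spf_authorises(txt, include):
    """True if the TXT value is an SPF record carrying the given include."""
    terms = txt.split()
    return (bool(terms) and terms[0].lower() == "v=spf1"
            and f"include:{include}" in terms)

if __name__ == "__main__":
    for label, raw in (("NDR header", NDR_SIG), ("own-domain", OWN_SIG)):
        sig = parse_tags(raw)
        print(label, dkim_key_name(sig), signed_by_domain(sig, "shkspr.mobi"))
```

The key name returned for the own-domain signature is the TXT record that has to exist at whichever provider actually serves the domain's DNS.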

28 thoughts on “[SOLVED!] Why Are MessageLabs Blocking My Emails?”

  1. My general advice is not to use Message Labs when possible. I know you have no option here, but I have had so much hassle when I was working with the home office I give it anyway. My problems revolved around them not following standards and their outgoing mail was often caught by other spam filters as a result. Okay, rant over.

  2. I am also using Google as Mail Provider with a custom domain. I never had the problem getting through SPAM filters. I see two possible differences:

    a) My SPF settings are different from yours: "v=spf1 include:_spf.google.com ~all"
    b) You are using a still rare top level domain.

    While b) is difficult to evaluate, a) should be easy.

    Yours, Martin

  3. MessageLabs don't have any block lists of their own, which is why they don't have a means to request being removed from it. They use other lists, such as SBL etc. Nor do they maintain lists of blocked email addresses or domains. Their individual customers can choose to block-list your domain or email address, so it's possible that is what is happening here - but unlikely?

    If the people you are trying to send to want to receive your mail, then clearly the best course of action is for them to contact MessageLabs as their customer and complain that your email to them is being blocked. If you are able to provide details of who the message was sent to, when, and what the subject was, MessageLabs should be able to identify very quickly what happened to it (as indeed should the recipient themselves). If the recipient is unwilling to do that then it suggests that they don't want your mail, in which case that's probably why it's being blocked!

    1. Hi Paul,

      That's not quite accurate - at least not from the discussions I've had with MessageLabs. My domain and addresses aren't on any blacklists that I can see.

      The problem I have is that I email a company, it rejects, then I have to contact them via another email address and then somehow convince the person I'm emailing to talk to their IT department, then I have to convince that IT department that my messages aren't problematic. It's time consuming and annoying. In some cases, the IT department (quite rightly) refuse to adjust their filters for me.

      MessageLabs now appear to be looking into this.

      Terence

      1. I am still getting NDR from clients using Symantec:-

        The message was rejected because of Sender Policy Framework violation -> 553 SPF (Sender Policy Framework) domain authentication;fail. Refer to the Troubleshooting page at;http://www.symanteccloud.com/troubleshooting for more;information. (#5.7.1)
        Remote-MTA: dns;server-11.tower-193.messagelabs.com

        Symantec is not talking to me

  4. In addition to my own two mail servers I've been testing out SendGrid and Mandrill as well. Mandrill has been awesome, but I'm finding that MessageLabs is blocking huge amounts of mail coming from SendGrid, leading me to believe that they've grey or black listed SendGrid's Class-C's since no mail from either my own server or via Mandrill is hitting MessageLabs blocks. Just a heads-up for any SendGrid users.

  5. Hi Terence,

    Thanks for posting this.
    I understand your frustration.

    I run several mail servers, none of which are blacklisted on any lists that I can find. I work very hard to keep my servers' reputation positive. I have succeeded at this for many years!

    I now have a client that received a bounce notification when attempting to email one of their own clients.

    "501 Connection rejected by policy [7.7] 3713, please visit
    http://www.messagelabs.com/support for more details about this error message."

    The message was not very helpful so I had to contact Symantec directly.
    They were hardly helpful at all. They acknowledged that my server should not be blocked but they refused to take any action based on contact from me because....... I'M NOT A CLIENT OF THEIRS! An absolutely ludicrous policy, if you ask me.

    So I have attempted to do what they suggested, which is to contact my client and ask them to ask their client if they can contact their IT department, and have them make the request to unblock my server (*takes a breath*). Of course, this has not gone down well with my client, and after several attempts at clarifying the issue with his client, they really don't want to know about it. Can't say I blame them.

    So now I am at the mercy of Symantec's silly policy and there is literally nothing I can do about it. My client is blaming me in part, and can't say I blame them! I'm likely to lose them as a client because of this one incident (the client they are trying to communicate with is very valuable to them).

    I have made several requests to Symantec, but each time I get the same response: "We must adhere to our policy".
    "Well, your policy makes no sense in the real world." They really don't seem to care, although I get the impression from their staff that they know this is insane (from their first response to me): "Unfortunately, according to our records you are not listed as a valid contact that can discuss an account with Symantec so the quickest way to have this issue resolved is to contact the intended recipient (perhaps using a different email address or phone where appropriate for you) and have them raise a case with our support team. *This may sound unhelpful and we really don’t want to be perceived as such however, we take the general security of our service and client data very seriously and need to prove that in this case*."

    It seems that Symantec would like to provide an inconvenience to their clients, rather than a service!

    It's insane, and it will kill small operators like me slowly but surely.

    Thanks for sharing...... glad I'm not the only frustrated admin. I hope you have fewer problems with this in future!

  6. I too have the problem with MessageLabs (Symantec) blocking my email to a customer because of the attachments - "unacceptable attachments" according to Symantec. The attachments are simple PDF files which have been transmitted without a problem each month for several months up to now.
    No satisfaction from Symantec of course and my customer IT dept is not interested.

    Really interesting is that the blocking only occurs when I send from my MAC, not when I send from my PC. Yet the attachments are the same.

    If we all complain to our customers about Symantec maybe they will see a problem and look at using a different company.

  7. I'm currently having this exact same issue, but I already have DKIM on, and have for at least a year. I went ahead and re-generated a new entry, but that hasn't seemed to help at all. I am completely without ideas at this point. I looked at the logs in our Admin console and it looks like not every email to a MessageLabs customer gets blocked, just most of them.

  8. Hello,

    I'm not using Google Apps so unfortunately, the solution doesn't apply to our issue.

    We have already been de-listed as we check at IP Reputation Investigation http://ipremoval.sms.symantec.com/lookup/.

    But we still have issues sending email to some domain emails.

    This concludes that even if Symantec de-lists your IP, it doesn't apply it to their clients' system.

    Do you agree?

    If so, I think the issue really is with Symantec to apply the updates onto their clients' system.

    Any comments on this?

    Thanks!

  9. Another SysAdmin here having the same problem, cannot send any email to addresses using MessageLabs/Symantec. Our server IP is completely clean and locked down, not on any blacklists, using DKIM signing and SPF. Very frustrating, what a horrible service Symantec is.

  10. Things we have seen with SYM, are domains using both DNS SPF TXT and the alternative SPF resources records, as the use of the alternative SPF rr is no longer used. RFC 7208 3.1. (superseding RFC 4408) now states that SPF be in DNS TXT only. Having domains drop the alternative SPF rr has helped. But the best solution we have seen helping, is sending in plain text and not in HTML and also dropping signatures in HTML formatting. Albeit not conclusive as it being the direct problem, it has helped many clients.

  11. "In chatting with MessageLabs they've agreed that they need to make their rejection messages clearer so that users can understand why they've been blocked and how to resolve the issue."

    Over a year on and they still haven't bothered fixing the messages.

  12. Hi,
    Same issue here.
    Error transferring to cluster2.eu.messagelabs.COM; SMTP Protocol Returned a Permanent Error 553 information. (#5.7.1)
    No idea why our emails are being blocked.
    BTW, the link to Symantec's FAQ is broken 🙁

    Symantec are as useful as a one armed trapeze artist with an itchy arse.

  13. Same issue here. I've already complained on the Symantec forum, along with a dozen of other (small outfit?) administrators. This is a nightmare and goes directly against what an open and transparent internet should be. Google at least is much more descriptive in their refusal messages. Symantec's servers don't respond at all, they just time out. This is, according to, yet another unhelpful Symantec employee, because the IP address of the sending mailserver has a bad reputation. Which obviously isn't the case, it isn't in their database. This server is being monitored for over a year for several different blacklists and hasn't been listed, ever. Like others in this comment-thread, I enforce very strict security for users on this server, and it's low-traffic anyway. Symantec is doing their clients a disservice, but OTOH: it's the clients themselves that choose Symantec. No, you're not getting a lot of spam, but unfortunately you're missing a lot of legit e-mail in the same run.
    I'm not sure how this messagelabs.com service works, but it might be cool if we could organize to have outgoing messages from messagelabs.com servers rejected at a large scale.

  14. Same issue #5.1.0 SMTP; 553-Message filtered. Problem goes away for few days after speaking to client and then it comes back

  15. I don't know why the photos I've forwarded several times to Insurers, keep being refused. Well, actually the size is mentioned.

    How can I overcome this, as the photos have to do with evidence proving a claim.

    Please can you explain 'very' simply what I have to do, to overcome this problem, short of t or trying ......

    With thanks,

    Betty Shane

    1. Hi Betty,
      You need to contact your insurance company - they're the only ones who can help you.
      Sorry.
      Terence

  16. We have a customer who is reporting the same issues stated in the initial post.
    I would love to get in touch with you, Terence, to discuss further actions.

    I'm with a German Mail Service and Security Provider and would like to share more information with you directly.
