OT: Outlook oddities

Steve Campbell campbell at cnpapers.com
Tue Mar 9 13:38:45 GMT 2010



Glenn Steen wrote:
> On 9 March 2010 13:47, Steve Campbell <campbell at cnpapers.com> wrote:
>   
>> Glenn Steen wrote:
>>     
>>> On 8 March 2010 18:10, Steve Campbell <campbell at cnpapers.com> wrote:
>>>
>>>       
>>>> Glenn Steen wrote:
>>>>
>>>>         
>>>>> On 8 March 2010 15:53, Steve Campbell <campbell at cnpapers.com> wrote:
>>>>>
>>>>>
>>>>>           
>>>>>> Just wondering if anyone ever experiences email sent by Outlook senders
>>>>>> that have no "From" in the envelope? The headers seem to have the proper
>>>>>> "From" entry. These get caught quite often by MS (actually SA) with a "no
>>>>>> watermark or sender address". They are sent from our users, which normally
>>>>>> get whitelisted by IP address. The problem doesn't always happen even from
>>>>>> the same sender.
>>>>>>
>>>>>> Thanks and sorry for the OT
>>>>>>
>>>>>> Steve Campbell
>>>>>>
>>>>>>
>>>>>>
>>>>>>             
>>>>> The empty sender (MAIL FROM:<>) is a valid sender reserved for the
>>>>> mail system itself. Typically used for delivery reports (or rather
>>>>> "non-delivery":-). Since all mail coming into your system having an
>>>>> empty sender need be in response to a mail sent from you, MailScanner
>>>>> (not SA) adds a watermark header... The "returning MTA" is supposed to
>>>>> preserve that in the reply/DSN/NDN, so MailScanner checks for that and
>>>>> stamps any mail lacking a watermark, or having a forged one, as spam.
>>>>>
>>>>> So you need look a bit harder on from where you get these, and in what
>>>>> situations;-). It's probably doing just the thing it should:-);-)
>>>>>
>>>>> Cheers
>>>>>
>>>>>
>>>>>           
>>>> Yep, I agree it looks like valid mail and all and that the headers and
>>>> envelope are probably valid for certain types of email. But...
>>>>
>>>> All of our users are NATted to one IP address from our internal network to
>>>> the outgoing mailserver. These emails show that they have arrived properly
>>>> from that internal network. These are real emails sent from our users. They
>>>> just don't have the "From" in them and, as you stated, they don't have the
>>>> proper Return-Path (it's blank). They show only one hop to the mailserver
>>>> and it's from the proper NATted IP.
>>>>
>>>> So I guess the question is: Why, if all email from our users takes the same
>>>> path, do only Outlook users exhibit this problem and only occasionally? It
>>>> never shows up from Thunderbird, OE, or any other mail client.
>>>>
>>>> I'll dig a little deeper, but was just hoping some of you had run across
>>>> this before.
>>>>
>>>> Thanks for the reply.
>>>>
>>>> steve
>>>>
>>>>
>>>>         
>>> It could be some "automatic" thing ... some of the software we use
>>> internally uses a "mapisend" utility to send mail via Outlook (The MAPI
>>> interface, of course)... And that software might be ... either through
>>> flawed programming/knowledge or perhaps some type of misconfig,
>>> abusing the "empty sender" feature of SMTP.
>>>
>>> But I'd look at capturing some of them and scrutinizing the actual
>>> content. It might be either "out of office" or "return receipts" you
>>> are seeing. Some MTAs (or MUAs for that matter) just plain don't
>>> preserve the watermark headers as they should.
>>> Capturing a few should be an easy config matter... perhaps you already
>>> have them?
>>>
>>> Cheers
>>>
>>>       
>> Glenn,
>>
>> I think I have them since MS quarantined them. Another strange thing about
>> all this is that I whitelist our senders by IP address, the email is sent
>> through that IP, and yet, MS has decided to block it anyway - sort of not
>> honoring the whitelisted IP. I'm guessing this is due to the watermark not
>> being inserted somewhere.
>>
>> Thanks for the help. If I find out any more, I'll post it.
>>
>> steve
>>
>>     
> Depends on how you whitelist, on what settings you apply the whitelist
> ruleset(s). You'd need apply one for the watermark setting (sorry, to
> too busy/lazy to look it up for you;-)
>
> Cheers
>   

OK, I'm not following you on this last one. Since there isn't a 
watermark, I don't think that would matter. I'll do the looking up 
since, after all, this is my problem. But I do whitelist the IP that the 
email came from, and that was not honored.

My thoughts were that a whitelist is a whitelist, and other than some 
"virus" problem, it would be whitelisted, and since it wasn't 
blacklisted for any reason, and no virus was detected, I'm failing to 
see why the From IP was not causing the email to be whitelisted.

I'm certainly not seeing something here. I'll look at what's available 
on the server, as most of this is based on what MailWatch is providing. 
Maybe there will be a clue from the df/qf files.

Again, thanks for the time and effort, Glenn

steve
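
Added example (not part of the thread and not MailScanner code): one way to script the suggestion above of capturing the empty-sender messages and scrutinizing their content. It assumes each captured message is available as RFC 5322 text with a Return-Path header and that the watermark header name ends in "-Watermark"; all sample messages are constructed.

```python
from collections import Counter
from email import message_from_string

REPORT_KINDS = {
    "disposition-notification": "read-receipt",  # MDN
    "delivery-status": "delivery-report",        # DSN / NDN
}

def classify(raw):
    """Return (kind, has_watermark) for an empty-sender message, else None."""
    msg = message_from_string(raw)
    # Return-Path is written at final delivery from the SMTP MAIL FROM value.
    if (msg.get("Return-Path") or "").strip() != "<>":
        return None
    # Assumption: the watermark header name ends in "-Watermark".
    marked = any(name.lower().endswith("-watermark") for name in msg.keys())
    if msg.get_content_type() == "multipart/report":
        rtype = str(msg.get_param("report-type", "")).lower()
        kind = REPORT_KINDS.get(rtype, "other-report")
    elif msg.get("Auto-Submitted", "no").strip().lower() != "no":
        kind = "auto-reply"   # e.g. out-of-office
    else:
        kind = "unexplained"  # ordinary-looking mail with MAIL FROM:<>
    return kind, marked

def summarize(raws):
    """Count empty-sender messages per (kind, has_watermark) pair."""
    return Counter(c for c in map(classify, raws) if c is not None)

def sample(*headers):
    # Constructed test input, not real captured mail.
    return "\n".join(headers) + "\n\n(body omitted)\n"

SAMPLES = [
    sample("Return-Path: <>", "From: alice@example.com", "Subject: Read: budget",
           'Content-Type: multipart/report; report-type=disposition-notification; boundary="b"'),
    sample("Return-Path: <>", "From: bob@example.com", "Subject: Out of office",
           "Auto-Submitted: auto-replied"),
    sample("Return-Path: <>", "From: MAILER-DAEMON@example.net", "Subject: Undeliverable",
           "X-Example-MailScanner-Watermark: 1268142000 constructedvalue",
           'Content-Type: multipart/report; report-type=delivery-status; boundary="b"'),
    sample("Return-Path: <>", "From: carol@example.com", "Subject: lunch?"),
    sample("Return-Path: <dave@example.com>", "From: dave@example.com", "Subject: hi"),
]

if __name__ == "__main__":
    for (kind, marked), n in sorted(summarize(SAMPLES).items()):
        print(f"{n:3d}  {kind:16s} watermark={'yes' if marked else 'no'}")
```

A large "unexplained" count from the internal IP points at a client or MAPI sender using the empty sender for ordinary mail; report and auto-reply counts point at receipts and out-of-office replies.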


