This seems to be a similar problem to one in another thread active recently, but that discusses multiple issues so I felt it better to start a new one.
An email I sent yesterday bounced back with a message that it had been blocked because "Messages from your IP have been determined to be suspicious as a device on your current network may have malware." Virgin Media help weren't that helpful and just wanted to change my email client (T'bird) configuration settings, but I don't think that's the problem as other messages have gone through without problems. Can anybody tell me what's going on and whether there's a real problem?
This is an automatically generated Delivery Status Notification.
Delivery to the following recipients failed permanently:
Reason: This is the mail system at host know-smtprelay-1-imp.
I am sorry to have to inform you that your message, "AC Marriott at The Banks, Cincinnati", could not be delivered to *.*@marriott.com.
Messages from your IP have been determined to be suspicious as a device on your current network may have malware. Please refer to the spamhaus listing below for further infomation;
Please be aware that if you are not sending mail from your own broadband connection that the listing may have been caused by a previous user.
The remote server returned the below error when attempting delivery:
554:554-hdqncvmmailin16.marriott.com 554 The IP address was identified as potential Spam Source. Please see http://senderbase.org for additional details.
Thanks for the reply: the messages were from my PC over a wired Ethernet connection, so no WiFi involved, and no VPN. I've since sent messages to other email addresses with no problems, although I haven't yet re-tried the ones that failed (it was getting very late): I'll do that and report back.
There's a whole lot of strange about the error message. Not least that Virgin Media appear to be making things harder on themselves than they need to be in terms of error reporting.
Let's look at a mail my mail server received that was sent via Virgin Media's relays. My own server runs Spamassassin checks on inbound mail. Here's part of it.
* -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at
* https://www.dnswl.org/, no trust
* [188.8.131.52 listed in list.dnswl.org]
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
* -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
* author's domain
* -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
Note that the IP address being checked actually belongs to one of Virgin Media's outbound mail relays. I actually created a setup that signs mail for my domain with DKIM and then passes it on to those relays (Set up just to demonstrate it's possible).
Now, were I sending to the Marriott, this is the IP address the Marriott should be checking (there are actually up to 32 IP addresses that the mail could go out on, so yours may have been different) and certainly that IP does not appear on any major blacklists.
So I personally am very confused as to where this line comes from:
Considering you say there's no VPN involved.
Digital Ocean are a hosting company who among other things host Virtual Private servers (they call them Droplets - no doubt a play on the company name). I use a similar thing myself albeit from a different company.
Looking at the actual mail headers in your case:
Received: from [10.102.39.42] ([184.108.40.206])
by cmsmtp with ESMTPA
id LtcOhCF40ixsKLtcPhWbRS; Wed, 01 May 2019 19:06:09 +0100
X-Authority: v=2.3 cv=XtvUx2N9 c=1 sm=1 tr=0 a=LmXD0kQIzC+1HxvJ9qEyzg==:117
a=LmXD0kQIzC+1HxvJ9qEyzg==:17 a=IkcTkHD0fZMA:10 a=kBeRHAJh8_rPCveJCjQA:9
a=ovha_tOfMh9y64Lr:21 a=LL5jCU2Mt3T7vafF:21 a=QEXdDO2ut3YA:10
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=virgin.net;
From: * * <*.*@virgin.net>
Subject: AC Marriott at The Banks, Cincinnati
Everything in blue is added by Virgin Media's server prior to sending it on to the Marriott. This tells me that the mail client sending the message was connected "directly" to that IP address. The mail client sees the RFC1918 address and announces itself using that, whereas Virgin Media's server sees the public IP address making the connection as well.
Received: from [10.102.39.42] ([220.127.116.11])
That's what made me think you are on a VPN: you confirmed that you sent this mail, and certainly the Superhubs all use RFC1918 IPs from the 192.168.0.x range.
Either way - while the public IP is definitely blacklisted - The Marriott wouldn't check that IP address itself when deciding whether or not to accept the mail.
Using blacklists on originating IP's is unwise IMHO anyway. I can see why Virgin Media might see it as a good idea, but the principle is that outbound relays SHOULD be protected by some form of authentication (usually email address and password) whereas inbound mail servers can't be. So they check the address they are talking to directly to see if it can be trusted.
As a Very Insightful Person, I'm here to share my knowledge. I don't work for Virgin Media.
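To make the point above concrete (which IP a receiving MX actually checks against a DNSBL, versus the customer's own public IP that only shows up deeper in the header chain), here is a small Python script I have added to the thread. It is not code from Virgin Media, Marriott or SpamAssassin. The Received headers in it are constructed to mirror the shape of the ones quoted above, but use RFC 5737 documentation addresses (203.0.113.x, 198.51.100.x) and example.net/example.com hostnames rather than any real relay; the DNSBL zone name is only used to build the lookup name, no DNS query is made.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample (not the thread's real headers): the lower Received line
# mimics what a submission relay adds when a NATed client connects with SMTP
# AUTH (ESMTPA); the upper one mimics what the recipient's MX adds when the
# relay hands the mail over. Hostnames and IPs are documentation placeholders.
SAMPLE_HEADERS = """\
Received: from know-smtprelay-1-imp.example.net ([203.0.113.10])
 by mx.example.com with ESMTP id abc123; Wed, 01 May 2019 18:06:11 +0000
Received: from [10.102.39.42] ([198.51.100.77])
 by cmsmtp with ESMTPA
 id LtcOhCF40ixsKLtcPhWbRS; Wed, 01 May 2019 19:06:09 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net;
Subject: AC Marriott at The Banks, Cincinnati
"""

# RFC 3848 "with" keywords that mean the client used SMTP AUTH.
AUTHENTICATED_PROTOCOLS = {"ESMTPA", "ESMTPSA", "UTF8SMTPA", "UTF8SMTPSA"}

# RFC 1918 private ranges (checked explicitly rather than via ipaddress.is_private,
# which also flags the documentation ranges used in the sample).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join RFC 5322 continuation lines and split each header at its first colon."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value: str) -> Optional[Dict[str, object]]:
    """Extract HELO name, the IP the server really saw, and the auth flag."""
    m = re.match(r"from\s+(\S+)(.*?)\s+by\s+(\S+)(.*)", value)
    if not m:
        return None
    helo, from_rest, by, tail = m.groups()
    # A HELO of "[10.x.x.x]" is only what the client claimed; the server appends
    # the address it actually saw, so take the last bracketed IP before "by".
    ips = IPV4_IN_BRACKETS.findall(helo + from_rest)
    proto = re.search(r"\bwith\s+(\S+)", tail)
    return {
        "helo": helo.strip("[]"),
        "ip": ips[-1] if ips else None,
        "by": by,
        "authenticated": bool(proto and proto.group(1).upper() in AUTHENTICATED_PROTOCOLS),
    }


def received_hops(raw: str) -> List[Dict[str, object]]:
    """Received headers in file order: index 0 is the most recent hop."""
    hops = []
    for name, value in unfold_headers(raw):
        if name.lower() == "received":
            hop = parse_received(value)
            if hop:
                hops.append(hop)
    return hops


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name a DNSBL-aware MX resolves: reversed octets under the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def ip_recipient_checks(raw: str) -> Optional[str]:
    """The address the recipient MX saw connecting (topmost Received header);
    this is the only IP its own DNSBL lookup applies to."""
    hops = received_hops(raw)
    return hops[0]["ip"] if hops else None


def originating_ip(raw: str) -> Optional[str]:
    """The customer-side public IP: the earliest hop that used SMTP AUTH."""
    for hop in reversed(received_hops(raw)):
        if hop["authenticated"]:
            return hop["ip"]
    return None


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_HEADERS):
        print(hop)
    print("recipient MX checks:", ip_recipient_checks(SAMPLE_HEADERS))
    print("customer public IP: ", originating_ip(SAMPLE_HEADERS))
    print("lookup name example:", dnsbl_query_name(originating_ip(SAMPLE_HEADERS), "zen.spamhaus.org"))
```

Run it and the two answers differ: the recipient-side check is on the relay's address from the top Received line, while the customer's public IP is only visible in the lower, authenticated (ESMTPA) hop where the HELO is an RFC1918 address and the relay recorded the real source in parentheses. That is exactly why a listing of the customer's own IP should not, by itself, cause a rejection at the far end, and why an inbound server that does want to reject on it would have to dig into headers after accepting the connection rather than at connection time.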
Thanks for the further exploration - it's interesting to get a further insight into how it should work.
I re-sent the message to one of the addresses, as I discovered that the other wasn't active anyway, and it clearly got through without a problem as there was no error message and I had a reply back yesterday. I don't see how including an invalid address could cause this - I'd just expect the standard 'could not deliver' message from their end. It's all a bit bizarre as I had sent two messages successfully within the 40 minutes prior to the one that failed, and several test messages the next morning that also got through without problems. As far as I can tell, no-one else would have been using the wifi (Hub 3.0) at that point.
I guess that it will just have to go down as 'one of those things', but thanks to those who took time to look into it for me.