Email spam troubleshooting

Hi,

We received an email feedback report from AOL; since yesterday we have been receiving a lot of these emails from AOL. It's indicating to us that we are either sending SPAM email from our Exchange servers to an AOL user, or we are being used as a mail relay (this won't be the case, since our mail relay is closed to all but known servers).

Here is the header of one example; if anybody can make any sense of this, it will be very helpful:

Return-Path: <hxinlet@chunghocomnet.com>
Received: from vm-bosta2k3edge.coganltd.priv (smtp.cogan.com [38.127.66.23])
 by mtaiw-aaf01.mx.aol.com (Internet Inbound) with ESMTP id C7ADF70925941 for
 <redacted>; Tue, 30 Jun 2015 13:01:31 -0400 (EDT)
Received: from BOSTA2013-CT-2.coganltd.priv (10.0.0.32) by
 vm-bosta2k3edge.coganltd.priv (10.0.4.6) with Microsoft SMTP Server (TLS) id
 15.0.847.32; Tue, 30 Jun 2015 12:54:55 -0400
Received: from Pickup by BOSTA2013-CT-2.coganltd.priv with Microsoft SMTP
 Server id 15.0.847.32; Tue, 30 Jun 2015 16:54:49 +0000
X-GFI-METKTSID: 39d8131e-45e7-471e-a39c-e00a5d207cca
X-GFI-METKTSIG: Yhsm6/GnBynbvswW3Gdl7t90542j6dps6GhSEp2m7EjtM6HqO11A0+zWJKufXjHuSi6HyMNHtXa2L+YKl8PyCCtTBAL73bJtkZFpploVc75O2aH4qXzEGG1UPNfBc/4hbgbg9UMS79Nep5zFdn9jnS23RxOtcoJ0IW91F4KQobY=
X-GFI-ALK: 28e1eb4d-c825-4dec-97ef-cb27812c0666
Received: from BOSTA2013-CT-2.coganltd.priv (10.0.0.32) by
 BOSTA2013-CT-2.coganltd.priv (10.0.0.32) with Microsoft SMTP Server (TLS) id
 15.0.847.32; Tue, 30 Jun 2015 12:54:47 -0400
Received: from vm-bosta2k3edge.coganltd.priv (10.0.4.6) by
 BOSTA2013-CT-2.coganltd.priv (10.0.0.32) with Microsoft SMTP Server (TLS) id
 15.0.847.32 via Frontend Transport; Tue, 30 Jun 2015 12:54:47 -0400
Received: from chunghocomnet.com (186.91.126.88) by
 vm-bosta2k3edge.coganltd.priv (10.0.4.6) with Microsoft SMTP Server id
 15.0.847.32; Tue, 30 Jun 2015 12:54:17 -0400
Received: from sOt.Uc.NVJVf933SE.com (sOt.Uc.NVJVf933SE.com [97.12.103.181])by
 redacted@ecogan.com
Received: from [12.111.137.160] by 7075334444.qZmEJC.com (via HTTP)
Subject: Alert from financial department
From: hxinlet <hxinlet@chunghocomnet.com>
To: <redacted@ecogan.com>
MIME-Version: 1.0
Message-ID: <8728b5cf-011e-45df-b57b-ba65a99f7c39@chunghocomnet.com>
Date: Tue, 30 Jun 2015 12:25:28 -0400
Content-Type: multipart/alternative;
 boundary="=_------------050905020505060503050808"
Received-SPF: Fail (vm-bosta2k3edge.coganltd.priv: domain of hxinlet@chunghocomnet.com does not
 designate 186.91.126.88 as permitted sender) receiver=vm-bosta2k3edge.coganltd.priv;
 client-ip=186.91.126.88; helo=chunghocomnet.com;
X-GFI-SMTP-Submission: 1
X-GFI-SMTP-Submission: 1
X-GFI-SMTP-HelloDomain: vm-bosta2k3edge.coganltd.priv
X-GFI-SMTP-RemoteIP: 10.0.4.6
X-GFIME-MASPAM: SPAM
X-GFI-MOVETOJUNK: 1
Old-Message-ID: <5592CA00.D015B94D@chunghocomnet.com>
x-aol-global-dis
Authentication-Results: mx.aol.com;
 spf=temperror (aol.com: while processing the SPF record for chunghocomnet.com we encountered a temporary error.) smtp.mailfrom=chunghocomnet.com;
x-aol-sid: 3039ac1a7f5b5592cb6a5945
X-AOL-IP: 38.127.66.23
X-AOL-SPF: domain : chunghocomnet.com SPF : tem

June 30th, 2015 2:24pm

I can see your domain does not have an SPF record.
Please contact your ISP and create an SPF record in order to keep a good reputation for your connecting IP.

Just check if you are able to see this IP in your receive connector logs:
12.111.137.160

Check the default receive connector permissions.
Make sure you don't have relay permission configured on your default receive connector.
June 30th, 2015 3:45pm

Hi,

I agree with Sathish. If SPF fails, it will be rejected by the Exchange server.

Because the SPF record is used by destination email systems: SPF records validate the origin of email messages by verifying the IP address of the sender against the alleged owner of the sending domain. We can use nslookup to ensure the SPF record for chunghocomnet.com contains the IP address "186.91.126.88".

June 30th, 2015 11:31pm

Hi,

Thank you for your response.

I added the SPF for our domain.

I am not sure where to check the logs for the receive connectors to find the IP 12.111.137.160.

Does the header I've pasted show a mail relay as open? I ran a test on the domain from mxtoolbox and it showed the mail relay as closed.
July 1st, 2015 4:11pm

Enable protocol logging on the receive connectors and check the IP.
July 2nd, 2015 1:30am

What I don't understand here is that the headers show the email was sent to redacted@ecogan.com (this user doesn't exist in our organization, so the email should be rejected, as we have rules in place for nonexistent users), but this email is instead received by PaulCaimano@cogan.com.

PaulCaimano@cogan.com is a group that has an external user from aol.com, so what I think is happening here is that we receive spam from outside to the group PaulCaimano@cogan.com, this email is then processed by Exchange and sent back from PaulCaimano@cogan.com to the external contact at AOL.com. The issue here is that it looks to AOL as if we are sending the SPAM from our servers, and this is right, since the forward is done from our server. Is there a way to prevent this? Is there a way to forward the email to an external contact while preserving the original headers, and not make it look like it's coming from us? Because right now, it looks like we are sending the spam from our servers.

Headers are pasted below. Thank you.

Return-Path: <PaulCaimano@cogan.com>
Received: from vm-bosta2k3edge.coganltd.priv (smtp.cogan.com [38.127.66.23])
 by mtaiw-aao07.mx.aol.com (Internet Inbound) with ESMTP id 9EC0F7000008E for
 <redacted>; Thu,  2 Jul 2015 04:37:26 -0400 (EDT)
Received: from BOSTA2013-CT-1.coganltd.priv (10.0.0.20) by
 vm-bosta2k3edge.coganltd.priv (10.0.4.6) with Microsoft SMTP Server (TLS) id
 15.0.847.32; Thu, 2 Jul 2015 04:36:48 -0400
Resent-From: <PaulCaimano@cogan.com>
Received: from Pickup by Bosta2013-CT-1.coganltd.priv with Microsoft SMTP
 Server id 15.0.847.32; Thu, 2 Jul 2015 08:36:37 +0000
X-GFI-METKTSID: bbc96bb5-4814-4583-b41c-3d063b8f0032
X-GFI-METKTSIG: CNlRO8n8Ctk2ktn9SQQW+vdrDwDeh27nxBkTwO6HJNnZU5Nl9/BlNFIYkQ6LFUQtZbUAGjdfcGVU+sx18gJe6UO5CNlgblCJDZUouLhflCC82JTjNMYCz0mePHi14fRqPPaErjCL6g1QpHp14c0nMFFzLG6DOt661NljQWV2odU=
X-GFI-ALK: 135cffea-82e8-4b92-b4d8-46c64b6158ea
Received: from BOSTA2013-CT-1.coganltd.priv (10.0.0.20) by
 Bosta2013-CT-1.coganltd.priv (10.0.0.20) with Microsoft SMTP Server (TLS) id
 15.0.847.32; Thu, 2 Jul 2015 04:36:34 -0400
Received: from vm-bosta2k3edge.coganltd.priv (10.0.4.6) by
 BOSTA2013-CT-1.coganltd.priv (10.0.0.20) with Microsoft SMTP Server (TLS) id
 15.0.847.32 via Frontend Transport; Thu, 2 Jul 2015 04:36:33 -0400
Received: from 38.127.66.23 (166.111.120.164) by vm-bosta2k3edge.coganltd.priv
 (10.0.4.6) with Microsoft SMTP Server id 15.0.847.32; Thu, 2 Jul 2015
 04:35:43 -0400
Message-ID: <8db3e714-d3ab-4951-8ef1-4e364ae6d936@cruisecafe.com>
Received: from 183.226.98.187 by law2-pa37.law2.cathaypacific.com with
 DAV;Thu, 02 Jul 2015 03:34:32 -0600
Reply-To: Katie Mcqueen <Dutton_Jennifer30@cruisecafe.com>
From: Katie Mcqueen <Dutton_Jennifer30@cruisecafe.com>
To: <redacted@ecogan.com>
Subject: [SPAM] - Discounts on Best FDA-made Viagra - Message was found to be spam: (37%)
 BODY: contains text similar to "online pharmacy",(35%) BODY: contains the word
 "softabs",(26%) Sender has spammy reputation,
Date: Thu, 2 Jul 2015 08:27:32 -0100
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--69798715603182528"
Received-SPF: Pass (vm-bosta2k3edge.coganltd.priv: domain of Dutton_Jennifer30@cruisecafe.com
 designates 166.111.120.164 as permitted sender) receiver=vm-bosta2k3edge.coganltd.priv;
 client-ip=166.111.120.164; helo=38.127.66.23;
X-GFI-SMTP-Submission: 1
X-GFI-SMTP-Submission: 1
X-GFI-SMTP-HelloDomain: vm-bosta2k3edge.coganltd.priv
X-GFI-SMTP-RemoteIP: 10.0.4.6
X-GFIME-MASPAM: SPAM
X-GFI-MOVETOJUNK: 1
Old-Message-ID: <26637433962999.086trx62406gi@cathaypacific.com>
X-Auto-Response-Suppress: DR, OOF, AutoReply
x-aol-global-dis
Authentication-Results: mx.aol.com;
 spf=pass (aol.com: the domain cogan.com reports 38.127.66.23 as a permitted sender.) smtp.mailfrom=cogan.com;
x-aol-sid: 3039ac1b15045594f84670b5
X-AOL-IP: 38.127.66.23
X-AOL-SPF: domain : cogan.com SPF : pass

July 2nd, 2015 9:48am
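An added example, not code from this thread: a small Python tracer that walks the Received chain of the two pasted headers from the top (the hops written by the organisation's own servers, the only ones it can trust) and stops at the first sending address outside its own networks, which is the client that actually connected to the edge server and the address the receive connector logs would record; every Received line below that point was supplied by the sender and may be forged. The own-network list is an assumption taken from the addresses visible in the headers, and the two samples are condensed, constructed versions of the first and second headers above.

```python
import re
from ipaddress import ip_address, ip_network

# Assumption (values taken from the thread): the internal range and the public edge IP the org owns.
OWN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("38.127.66.23/32")]
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def trace(raw):
    fields = re.sub(r"\r?\n[ \t]+", " ", raw).strip().splitlines()  # unfold continuation lines
    first = {}                                   # first value seen for each header name
    for f in fields:
        name, _, value = f.partition(":")
        first.setdefault(name.lower(), value.strip())
    origin = None
    # Received headers are prepended, so the top one is the newest hop. Walk down through the
    # hops written by our own servers; the first "from" address that is not ours is the client
    # that connected to the edge. Received lines below that point came from the sender.
    for hop in (f for f in fields if f.lower().startswith("received:")):
        m = re.match(r"received:\s*from\s+(.*?)\s*\bby\b", hop, re.I)
        ips = IP_RE.findall(m.group(1)) if m else []
        if not ips:
            continue                             # e.g. "from Pickup by ..." (local submission)
        ip = ips[-1]                             # the MTA appends the IP it observed after the HELO name
        if not any(ip_address(ip) in net for net in OWN_NETWORKS):
            origin = ip
            break
    spf = first.get("received-spf", "")
    client = re.search(r"client-ip=([\d.]+)", spf)
    return {"origin_ip": origin, "spf_result": spf.split(" ", 1)[0],
            "spf_client_ip": client.group(1) if client else None,
            "return_path": first.get("return-path", "").strip("<>"),
            "from": first.get("from", "")}

# Constructed samples, condensed from the two headers pasted in the thread.
SPOOFED = """Return-Path: <hxinlet@chunghocomnet.com>
Received: from vm-bosta2k3edge.coganltd.priv (smtp.cogan.com [38.127.66.23])
 by mtaiw-aaf01.mx.aol.com (Internet Inbound) with ESMTP id C7ADF70925941
Received: from BOSTA2013-CT-2.coganltd.priv (10.0.0.32) by vm-bosta2k3edge.coganltd.priv (10.0.4.6)
Received: from chunghocomnet.com (186.91.126.88) by vm-bosta2k3edge.coganltd.priv (10.0.4.6)
Received: from [12.111.137.160] by 7075334444.qZmEJC.com (via HTTP)
From: hxinlet <hxinlet@chunghocomnet.com>
Received-SPF: Fail (domain of hxinlet@chunghocomnet.com does not designate 186.91.126.88 as permitted sender) client-ip=186.91.126.88; helo=chunghocomnet.com;"""
RELAYED = """Return-Path: <PaulCaimano@cogan.com>
Received: from vm-bosta2k3edge.coganltd.priv (smtp.cogan.com [38.127.66.23]) by mtaiw-aao07.mx.aol.com
Resent-From: <PaulCaimano@cogan.com>
Received: from 38.127.66.23 (166.111.120.164) by vm-bosta2k3edge.coganltd.priv (10.0.4.6)
Received: from 183.226.98.187 by law2-pa37.law2.cathaypacific.com with DAV
From: Katie Mcqueen <Dutton_Jennifer30@cruisecafe.com>
Received-SPF: Pass (domain of Dutton_Jennifer30@cruisecafe.com designates 166.111.120.164 as permitted sender) client-ip=166.111.120.164; helo=38.127.66.23;"""
```

On the second header the tracer reports 166.111.120.164 as the connecting client while the Return-Path is PaulCaimano@cogan.com, which is why AOL's own check (the Authentication-Results line) evaluates SPF for cogan.com and passes it.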

Hi,

From the header below, it indicates that this message was marked as SPAM by the content filter.

"Subject: [SPAM] - Discounts on Best FDA-made Viagra - Message was found to be spam: (37%) BODY: contains text similar to "online pharmacy",(35%) BODY: contains the word "softabs",(26%) Sender has spammy reputation,"

For your last question, please post relevant protocol log or message tracking log for further troubleshooting.


July 3rd, 2015 10:47pm
