Odd outgoing smtp issue during certain times of day

0

Ok, so this has me stumped. I have also spoken with our ISP (Comcast) and mail provider (GoDaddy); both are not only no help, but also stumped. Problem is only with outgoing email; incoming continues to work.

Bullet points of issue:

- Outgoing will work up until about 10 am approximately, then will stop sending.
- Will then seem to start working again at 4:35 pm until the next day around 10 am.
- This has happened 3 days in a row.
- Happens only on network inside of our building on any connected device.
- Outgoing works when connected to cellular and for offsite employees.
- Happens across all email clients and computer type (Windows, Mac).

Bullet points of troubleshooting:

- Confirmed email settings in client email programs.
- Confirmed passwords and user names (remember: works, then stops, then works).
- GoDaddy webmail client works.
- Confirmed no ports blocked on router or through firewall.
- Pinged GoDaddy server via telnet:

    telnet smtpout.secureserver.net 465
    Trying 173.201.192.229...
    Connected to smtpout.secureserver.net.
    Escape character is '^]'.
    Connection closed by foreign host.

We had a hacking issue recently which got into the email server at GoDaddy, however it appears that most of the infiltration was external. That being said, not sure how they got onto the GoDaddy server to begin with. Have run virus scans on computers and appear to be clean...

Router is set up properly with no ports blocked, Comcast confirmed. Comcast confirmed they are not blocking us through their security department. Port 25 not blocked. HOWEVER, during the process not our Static IP, but the IP of the gateway, which randomly gets a new lease from Comcast, did show up on 2 blacklist sites...

Initially, I assumed this was the problem and am in the process of trying to resolve, however when getting details, it shows up as the blacklist site stating they can't fix it and it is an ISP level issue. Though Comcast says they don't have a block. In addition, it seems to be only during certain times of the day, which makes no sense whatsoever.

Any ideas? I fear I am beginning to run in circles, which is closing off my thinking of possible resolutions. Also important to note: I know some networking stuff via necessity, so speak slowly. Thank you for any assistance!

adhoc it guy

Posted 2019-01-07T22:49:55.830

Reputation: 1

You have a device in / on your network which is doing time-of-day filtering. How big is the business, and who set up the connection? – davidgo – 2019-01-07T22:57:42.450

That's what I had thought, but the business is not big, and I set up the network along with one of my other guys. We didn't include any time of day filtering. This also started happening all of a sudden with no changes to the network. Also, just to clarify, I am obviously suspicious of the time of day issue, but not entirely sure if that has anything to do with it, or if it is just intermittent and happens to be morning'ish and afternoon'ish – adhoc it guy – 2019-01-07T23:00:46.603

My next step would be to use tcpdump or Wireshark to watch a failed connection, and see how far it gets/how it fails. If it's working at the TCP/IP level, and you have a Mac client using Apple's Mail app, use its Connection Doctor (Window menu > Connection Doctor > click Show Detail and then Check Again). BTW, your telnet test suggests you're using SMTPS on port 465; what happens if you switch to submission on port 587? – Gordon Davisson – 2019-01-08T01:58:58.873

I will check the tcpdump as well as run the connection doctor. The outgoing email is currently working at 8:30 am and yesterday began working again around 4 pm. I just ran the telnet string with 587 and it is timing out. However, I should note that the GoDaddy server doesn't include 587 as one of their mail client ports. – adhoc it guy – 2019-01-08T16:27:51.520

It is currently after 11:30 am and outgoing email is still working, which is good but frustrating because a few of the things to test I can't really test until it stops working, and I haven't done anything to cause it to work. I would rather know what is going on than it just magically work! – adhoc it guy – 2019-01-08T19:41:06.380

OK, we are back offline again, this time we went down around 1:30 pm. I downloaded and am attempting to run Wireshark, but I have no idea what I am doing or what I should be looking for. Here is where my networking knowledge buffers... – adhoc it guy – 2019-01-08T22:22:33.547

I just saw this pop up highlighted in yellow on Wireshark. Ethernet II, Src: Spanning-tree-(for-bridges)_01 (01:80:c2:00:00:01), Dst: Broadcast (ff:ff:ff:ff:ff:ff) [Expert Info (Warning/Protocol): Source MAC must not be a group address: IEEE 802.3-2002, Section 3.2.3(b)] [Severity level: Warning] [Group: Protocol] – adhoc it guy – 2019-01-08T22:49:13.497

Here is something I found in the connection doctor- CONNECTED Jan 08 14:43:31.718 [kCFStreamSocketSecurityLevelTLSv1_2] -- host:smtpout.secureserver.net -- port:465 -- socket:0x600002492400 -- thread:0x600001717f00

READ Jan 08 14:43:31.728 [kCFStreamSocketSecurityLevelTLSv1_2] -- host:smtpout.secureserver.net -- port:465 -- socket:0x600002492400 -- thread:0x600001717f00 421 p3plsmtpa08-06.prod.phx3.secureserver.net :SMTPAUTH: IP xx.xxx.xx.xx rejected for too many failed logins. Please check any clients or devices that may be misconfigured, and try again later. – adhoc it guy – 2019-01-09T00:26:20.450

Also, if I run a port scan from whatsmyip all of my ports time out – adhoc it guy – 2019-01-09T00:32:20.913

Started working again at 4:06.... – adhoc it guy – 2019-01-09T00:41:55.900

Off again today around 12 pm... still can't find any culprit. I think I am beginning to lose my mind – adhoc it guy – 2019-01-10T22:54:45.500

That message in the connection doctor trace -- "SMTPAUTH: IP xx.xxx.xx.xx rejected for too many failed logins. Please check any clients or devices that may be misconfigured, and try again later." -- seems to indicate that something's trying to authenticate to your mail account with the wrong password, and getting the account locked out. Could it be whoever hacked your account is trying to get back in (or blindly retrying an old password) and that's locking it out? You might have to contact GoDaddy support and try to trace the source of the lockout. – Gordon Davisson – 2019-01-12T19:16:43.837

Thanks for replying. I have tried GoDaddy, but they are literally no help. Just wanted to have me change passwords and sell me a new service. However, my comment was, clearly the password is working, and we have already done that. – adhoc it guy – 2019-01-18T22:12:44.767

Got a new static IP and Gateway, but that didn't work either. But did find a firewall log that showed some IPv6 issues, though no information to figure out how to resolve it. – adhoc it guy – 2019-01-18T22:19:55.387

I ended up putting the gateway in pass-through mode and bought a new router. We have been up since and now have further clarity on the firewall issues. There are several things going on, including IP spoofing and login issues. Good news, those are being blocked and we are still staying operational. The Comcast router was just swinging a big stick and shutting everything down. Now that we are operational and I have more information on my symptoms, I need to try to hunt down and resolve whatever issues I can that are hitting the network. – adhoc it guy – 2019-01-18T22:20:04.103

No answers
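
Added example, not part of the original thread: a plain telnet session to port 465 never sees SMTP replies, because the server expects a TLS handshake first. This probe completes the handshake, classifies the first reply line (including the 421 lockout text from the Connection Doctor trace), and groups repeated samples into outage windows. The status labels, function names and sample timeline are assumptions constructed for illustration.

```python
import socket
import ssl

def classify_reply(line):
    """Map the first SMTP reply line seen after the TLS handshake to a diagnosis."""
    line = line.strip()
    if not line:
        return "closed-without-banner"
    if line.startswith("220"):
        return "ok"
    if line.startswith("421"):
        # Wording taken from the Connection Doctor trace quoted in the thread.
        if "too many failed logins" in line.lower():
            return "ip-locked-out"
        return "temporarily-refused"
    return "unexpected"

def probe(host, port=465, timeout=10.0):
    """Open an implicit-TLS SMTP session, read one reply line, classify it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify_reply(tls.recv(1024).decode("ascii", "replace"))
    except socket.timeout:
        return "timeout"
    except ssl.SSLError:
        return "tls-failure"
    except OSError:
        return "network-error"

def outage_windows(samples):
    """Collapse (timestamp, status) samples into [start, end, status] runs that are not 'ok'."""
    windows, prev = [], "ok"
    for stamp, status in samples:
        if status != "ok":
            if status == prev:
                windows[-1][1] = stamp  # same failure continues: extend the run
            else:
                windows.append([stamp, stamp, status])
        prev = status
    return windows

# Constructed sample timeline, shaped like the outage described in the question.
SAMPLES = [("09:45", "ok"), ("10:00", "ip-locked-out"), ("10:15", "ip-locked-out"),
           ("16:30", "ip-locked-out"), ("16:45", "ok")]

if __name__ == "__main__":
    print(probe("smtpout.secureserver.net"))  # host name from the question
    print(outage_windows(SAMPLES))
```

Run from a scheduler on a machine inside the affected network, the probe records whether each outage is a server-side lockout or a local connectivity failure.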