Hi All,
Got a read odd one here that I just can't get my head around and hoping someone here can.
I have an email here which has originally been sent to 'Samantha' and 'AllStaff distribution group' - the email goes through fine and the DL includes some external contacts such as gmail/yahoo accounts, these also receive the email fine.
Someone (marked as user1 in the headers below) has hit reply to all, which has sent it back to Samantha and AllStaff DL - now the AllStaff DL has sent it to everyone in it which has included a yahoo account. This Yahoo account has rejected the message and sent an NDR back to the AllStaff group, which means everyone gets the NDR! This is what I need to figure out.
Can anyone understand or explain to me why this NDR has been sent to the AllStaff group and not the original sender?
My theories are is that it has something to do with the return-path and resent-from header fields, but I can't figure out why it's happening or where the actual fault/issue is.
The NDR is actually because of a SPF record issue which I can fix but for reasons I can't really go into prevents me from doing this for a while, but for other reasons I really need to understand why it's sending the NDR to allstaff!
Original headers of the NDR are below minus the body plus for security I've had to change a few things:
Internal exchange server name (MAIL-SERVER.DOMAIN.LOCAL)
Exchange external IP (1.1.1.1)
Exchange domain (exchangedomain.com)
Other companies domain (externaldomain.com)
The yahoo persons email address (user1@yahoo.com)
Smtproutes is our external mail filtering.
Other technical info - exchange 2013, cu1 - not sure what else you need. I can install SP1 but again I can't do that for a while.
Can anyone assist or explain why this is happening?
Cheers
Ian
----------------------------------------------
------ This is a copy of the message, including all the headers. ------
------ The body of the message is 9173 characters long; only the first
------ 8192 or so are included here.
Return-path: <AllStaff@exchangedomain.com>
Received: from [94.186.192.132] (helo=gmy2-mh803.smtproutes.com)
by mail.externaldomain.com with esmtp (Exim 4.63)
(envelope-from <AllStaff@exchangedomain.com>)
id 1WwYUL-00014A-Nc; Mon, 16 Jun 2014 18:06:26 +0300
X-Katharion-ID: 1402933338.60197.gmy2-mh803 (unfiltered-unk)
Received: from mail.exchangedomain.com ([1.1.1.1]) by
gmy2-mh803.smtproutes.com [(94.186.192.132)] with ESMTP via TCP
(TLSv1/SSL_RSA_WITH_RC4_128_SHA); 16 Jun 2014 15:42:18 +0000
Resent-From: <AllStaff@exchangedomain.com>
Received: from MAIL-SERVER.DOMAIN.LOCAL (192.168.16.6) by MAIL-SERVER.DOMAIN.LOCAL
(192.168.16.6) with Microsoft SMTP Server (TLS) id 15.0.620.29; Mon, 16 Jun
2014 16:41:53 +0100
Received: from ams1-mh584.smtproutes.com (5.10.67.98) by MAIL-SERVER.DOMAIN.LOCAL
(192.168.16.6) with Microsoft SMTP Server id 15.0.620.29 via Frontend Transport; Mon, 16 Jun 2014 16:41:53 +0100
X-Katharion-ID: 1402933261.28796.ams1-mh584 (unfiltered-unk) (unfiltered-unk)
Received: from nm44.bullet.mail.ne1.yahoo.com ([98.138.120.51]) by
ams1-mh584.smtproutes.com [(5.10.67.98)] with ESMTP via TCP
(TLSv1/TLS_DHE_RSA_WITH_AES_256_CBC_SHA); 16 Jun 2014 15:41:01 +0000
Received: from [127.0.0.1] by nm44.bullet.mail.ne1.yahoo.com with NNFMP; 16 Jun 2014 15:41:00 -0000
Received: from [98.138.101.129] by nm44.bullet.mail.ne1.yahoo.com with NNFMP;
16 Jun 2014 15:38:04 -0000
Received: from [98.138.87.4] by tm17.bullet.mail.ne1.yahoo.com with NNFMP; 16 Jun 2014 15:38:04 -0000
Received: from [127.0.0.1] by omp1004.mail.ne1.yahoo.com with NNFMP; 16 Jun
2014 15:38:04 -0000
X-Yahoo-Newman-Property: ymail-4
X-Yahoo-Newman-Id: 72495.37688.bm@omp1004.mail.ne1.yahoo.com
Received: (qmail 39556 invoked by uid 60001); 16 Jun 2014 15:38:04 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1402933084; bh=seApv1nZpPFggpI4RjLhGufcfbLeGZvKjh9QCVUe7u0=; h=References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=2Yj/POrJQU5ObU3oizxhH0vuk+rWKrtfVm/5mR7UmnXa+zXLR/CHtg358uoZ+ju5KMH3vSOY0LHpS9wZ/vW+9iN6rZzL5yTCE0sAxTa51rKz1x9816sCnMZiCAQ8i9ezQUmf61DLiH7kHEq7jZXJLg5wgHCiEIfZJRDBR0H7N/A=
X-YMail-OSG: d1kF4qsVM1nYfUa0APPqu6qqPnBoXnzkc24HvquNDamMNLD
dzgbsgolsY9r6rDFr463zIvNqc9l6p6YH4HV1vj90qxFl5MFE0Shdx6UU44b
y8P48z6BVq_HbIxKsImca81Cco3zuQKPTBUXc8TWTpLoPMdn68rYrv4_anqT
73qEGFveIt8djt9kisltcDSMv7d2yrFfG12O04IFLoQ0TS4Vk5ZJ.EgcWWhl
Mh2SQN5cNJ2rFxRrd1diMxxfZ25ivzrGLlpuV9pJqVurXACaUz.7KiFXeFUX
zKYqM_Lt7EmN2bH0EzXcvqu69GDJzRzXA4U8sofXb0ZBk.sicpVzCsgLqmFN
2I.ZjpcH7D9NQm8_fQRmwQFdECEMjUZgVTBzpgTS_8RbA0v79q5ycN_2Cv75
VOi0uH_HvRHBO2VNWcuIShzD7QJsXK_KFfugIihlhoEbf9PWzpLHgim.fJfs
f8ir_jO0FH574QV5bXPNpi41cB5MnzxjK4IMuShdJkYCu4FznQhbuF_jMOZW
8mRn.klx6aZ5_veAi_5jOSNjGPCwn0.ErWAj3TEbDwpCT9KVws9arLjaxA2Y
BUvkZrn.Dw5043ji7piZkwBpM0QYw.ppB15Lc6EH64v9by_h4uxZD0Mm_.Fx
J4Wwk9lgN1BNQe8eWfHGn1OwTAXQDuTzw4fVvj3eKmh5Og47bqOso9ghtaui
dnd8.6_goDcuYkcHM6Du2oHvU9uyh8xJKMNuFzuibvViNH8REbV7HlsrWj6n
txJPibx1sOKJX9YW4jgxpokvB66tsqHvYJxs1i9b4c_RwJwkdB.gLH7Ad3ZE
LsWILdeTKUfxXHeEw1gbUTkWSw4KsL.O6BLTSCRNEVgkhFU5dC6l4RQ--
Received: from [41.191.231.206] by web120102.mail.ne1.yahoo.com via HTTP; Mon,
16 Jun 2014 08:38:03 PDT
X-Rocket-MIMEInfo: 002.001,VGhpcyBpcyBncmVhdCBhcyBpdCBicmluZ3Mgb3V0IHRoZSB0aGVtZSBvZiB0b2RheWBzIGNlbGVicmF0aW9uIHdoaWNoIHdhcyBgYEEgY2hpbGQgZnJpZW5kbHkgcXVhbGl0eSBmcmVlIGFuZCBjb21wdWxzb3J5IGVkdWNhdGlvbiBmb3IgYWxsIGNoaWxkcmVuIGluIEFmcmljYScnLiBJbmZvcm1hdGlvbiBpcyBpbmRlZWQgcG93ZXIgYW5kIGV2ZXJ5b25lIG9mIHVzIGhhcyBhIHJvbGUgdG8gcGxheSB0byBoYXZlIGFsbCBjaGlsZHJlbiBlbmpveSBhbmQgYWNjZXNzIGVkdWNhdGlvbiBhdCBhbGwgbGV2ZWxzIG8BMAEBAQE-
X-Mailer: YahooMailWebService/0.8.190.668
References: <783482227b244985a3b12245ec49b22d@DBXPR07MB461.eurprd07.prod.outlook.com>
Message-ID: <1402933083.67256.YahooMailNeo@web120102.mail.ne1.yahoo.com>
Date: Mon, 16 Jun 2014 08:38:03 -0700
From: USER 1 <user1@yahoo.com>
Reply-To: USER 1 <user1@yahoo.com>
Subject: Re: SUBJECT LINE GOES HERE
To: Samantha <Samantha@exchangedomain.com>, AllStaff
<AllStaff@exchangedomain.com>
In-Reply-To: <783482227b244985a3b12245ec49b22d@DBXPR07MB461.eurprd07.prod.outlook.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="-1658718958-168695060-1402933083=:67256"
X-Auto-Response-Suppress: DR, OOF, AutoReply