We use Exchange 2007 Enterprise edition. I have a user that receives this message: "This message has been blocked because it contains a banned word". She has been able to email this user in the past, and it occurs even when there is no subject, and no message in the email body. It looks as though it is happening on our server. I cannot see where it leaves our server.
Issue description: User got NDR when attempting to send message to external recipient
1. Please describe the Exchange topology
2. Does the issue only happen to single user? Will other users encounter the same symptom when attempting to send message to that external recipient?
3. Does the issue only happen when user tries to send message to that specific external recipient? Does the issue reoccur when attempting to send messages to any other external recipients?
1. Please disable all the 3rd-party software on your Exchange server, including the anti-virus software, and see if the issue can be reproduced
2. Please try to telnet to the external recipient's domain and send a test message, and see if there's any related error info
3. Please use Mail Flow Troubleshooter to check the mail flow
4. Please run ExBPA against the Exchange server for a health check
Is there a FortiGate firewall device in the network between your user and that external recipient? This is a document from FortiGate, if you open it and look for the error message we get it has the following section in it:
Banned word "This message has been blocked because it contains a banned word."
FortiShield URL block
The user only has the issue when sending to a particular domain. She was able to send to this domain until last week, when this message began to appear. If she logs into a different computer she has no issues. My question is: where is the message generated? Is it an Exchange message, antivirus message, etc.?
I did as you suggested and used the Microsoft Exchange Troubleshooting Assistant, and the Message Tracking Center. The results are:
SMTP: Non-Delivered Report (NDR) Generated - Message Tracking Center
5.7.1 smtp;554 5.7.1 - from the returned email.
Am I correct in assuming the issue is with the recipient's email server? I receive the error message so fast I'm questioning my assumption.
The receiving server is breaking the SMTP conversation with that 5.7.1 error and your server is reporting it back to the end user. That's why it happens so fast.
To confirm for sure, you can do a couple of things:
From your SMTP gateway, telnet on port 25 to theirs and send a test message as the sender and see what response you get, or enable SMTP Protocol logging on the send connector, send a test message from Outlook and then check the logs.
I would enable SMTP logging and then send a test message from that same client. Checking the SMTP logs will tell you which server is generating that message. If there is no information in the SMTP logs, then you'll know that either your server or the client is generating it.
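An added example, not part of the original thread: one way to read a send-connector protocol log and see which remote endpoint returned the rejection and after which command. The log excerpt is constructed (documentation addresses and made-up names), the function names are hypothetical, and column names are taken from the log's own `#Fields:` header rather than assumed.

```python
import csv
import re

# Constructed sample in the layout of an SMTP send protocol log.
SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2010-03-02T15:04:01Z,Internet,S1,1,192.0.2.10:4312,203.0.113.25:25,<,220 mail.example.net ESMTP,
2010-03-02T15:04:01Z,Internet,S1,2,192.0.2.10:4312,203.0.113.25:25,>,MAIL FROM:<user@example.com>,
2010-03-02T15:04:01Z,Internet,S1,3,192.0.2.10:4312,203.0.113.25:25,<,250 OK,
2010-03-02T15:04:01Z,Internet,S1,4,192.0.2.10:4312,203.0.113.25:25,>,RCPT TO:<contact@example.net>,
2010-03-02T15:04:01Z,Internet,S1,5,192.0.2.10:4312,203.0.113.25:25,<,250 OK,
2010-03-02T15:04:01Z,Internet,S1,6,192.0.2.10:4312,203.0.113.25:25,>,DATA,
2010-03-02T15:04:02Z,Internet,S1,7,192.0.2.10:4312,203.0.113.25:25,<,354 Start mail input,
2010-03-02T15:04:02Z,Internet,S1,8,192.0.2.10:4312,203.0.113.25:25,<,554 5.7.1 This message has been blocked because it contains a banned word.,
"""

# Transient (4xx) and permanent (5xx) SMTP replies.
REPLY = re.compile(r"^(?P<code>[45]\d\d)[ -](?P<text>.*)$")

def parse_protocol_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, next(csv.reader([line]))))

def find_rejections(text):
    """Return each 4xx/5xx reply received from a remote server, with the
    remote endpoint and the last command our server sent in that session."""
    last_sent, hits = {}, []
    for rec in parse_protocol_log(text):
        sid = rec["session-id"]
        if rec["event"] == ">":          # '>' = sent by the local server
            last_sent[sid] = rec["data"]
        elif rec["event"] == "<":        # '<' = received from the remote server
            m = REPLY.match(rec["data"])
            if m:
                hits.append({"remote": rec["remote-endpoint"], "code": m["code"],
                             "text": m["text"], "after": last_sent.get(sid)})
    return hits

if __name__ == "__main__":
    for hit in find_rejections(SAMPLE_LOG):
        print(f'{hit["remote"]} replied {hit["code"]} after {hit["after"]}: {hit["text"]}')
```

An empty result for the test message's session means no remote server returned the rejection, which points back at the local server or the client, as described above.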