April 18, 2014

Dataset rebuild frequency

We've noticed something unusual with the dataset. When querying the database for an IP address, the result sometimes shows a listing that was "set inactiv" a few days earlier. This suggests that the database has been edited to de-list certain IP addresses but that the edits have not yet been incorporated into the live dataset. In the past the edits were transparent: we never saw an edited record before, because any change to the dataset was either committed to live immediately or at least once per day. Now we can see several days' delay in the dataset rebuild. We have also noticed that the size of the database has increased a lot in recent months, which may have something to do with it. Until the rebuild catches up we can't be sure that the live dataset reflects the recent edits; probably it does not.

February 12, 2014

Whitelist included

Whilst checking the dataset of l2.APEWS.org (using the dnsbl editor) we found that there are now exclude records in the dataset, lots of them. When an email server uses a dnsbl it sends a lookup query for the connecting IP address; if that IP address exists as an exclude record, the lookup returns "unlisted" regardless of any listing that would otherwise cover it. It looks like thousands of IP addresses from whitelists have been included in this way, so the chance of errors is now greatly reduced. Certainly we've had none to report for a while, as you will have noticed. Spot-checking some of those whitelisted IP addresses, they are those of trusted senders.
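The lookup semantics described above, as an added example that is not part of this page or of the APEWS dataset: a small simulated zone with listed CIDR blocks and exclude records (the ranges and the excluded address are assumptions chosen for illustration), the reversed-octet query name an MTA resolves, and a parser for the MDaemon "Spam Blocker" log line that appears in the false positive entries on this page, so you can recover which IP was queried and what the zone answered.

```python
import ipaddress
import re

# Constructed sample zone for illustration; NOT the real l2.apews.org data.
# APEWS lists ranges, so listings are CIDR blocks. Both blocks below are
# assumptions: one around the FP #25 sender, one covering the FP #20 sender.
ZONE = "l2.apews.org"
LISTED_RESULT = "127.0.0.2"            # the A record MDaemon logs for a hit
LISTED_BLOCKS = [
    ipaddress.ip_network("217.23.48.0/22"),    # assumption
    ipaddress.ip_network("203.191.244.0/24"),  # assumption
]
# Exclude records: whitelisted senders carved back out of the listed ranges.
EXCLUDED = {ipaddress.ip_address("217.23.49.178")}  # assumption: FP #25 host


def query_name(ip: str, zone: str = ZONE) -> str:
    """Build the DNSBL name an MTA resolves: octets reversed, zone appended."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(ip.split("."))) + "." + zone


def lookup(ip: str):
    """Simulated zone answer: an exclude record wins over a listed range.

    Returns the A record text ("127.0.0.2") for a listed address, or None
    (the equivalent of NXDOMAIN, i.e. "unlisted") otherwise.
    """
    addr = ipaddress.ip_address(ip)
    if addr in EXCLUDED:
        return None
    if any(addr in net for net in LISTED_BLOCKS):
        return LISTED_RESULT
    return None


def verdict(ip: str) -> str:
    """The word an MTA such as MDaemon logs for the result."""
    return "LISTED" if lookup(ip) else "unlisted"


# MDaemon "Spam Blocker" line, e.g.
#   Spam Blocker D=178.49.23.217.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
BLOCKER_RE = re.compile(
    r"D=(?P<rev>\d+\.\d+\.\d+\.\d+)\.(?P<zone>\S+) TTL=\((?P<ttl>\d+)\) A=\[(?P<a>[\d.]+)\]"
)


def parse_blocker_line(line: str):
    """Recover the connecting IP, zone and answer from a Spam Blocker log line."""
    m = BLOCKER_RE.search(line)
    if not m:
        return None
    return {
        "ip": ".".join(reversed(m.group("rev").split("."))),
        "zone": m.group("zone"),
        "ttl": int(m.group("ttl")),
        "a": m.group("a"),
    }


def check_log_line(line: str, connecting_ip: str) -> bool:
    """True if the MTA queried the name for the IP it actually accepted."""
    parsed = parse_blocker_line(line)
    return parsed is not None and parsed["ip"] == connecting_ip


if __name__ == "__main__":
    # Constructed log line copied from the FP #25 entry on this page.
    sample = ("Tue 2013-11-12 08:40:08: [816:5036] Spam Blocker "
              "D=178.49.23.217.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]")
    print(query_name("217.23.49.178"))
    print(verdict("217.23.49.178"), verdict("217.23.49.179"))
    print(parse_blocker_line(sample))
    print(check_log_line(sample, "217.23.49.178"))
```

With the sample data, 217.23.49.178 sits inside a listed block but is carved out by an exclude record, so it comes back "unlisted" while its neighbour 217.23.49.179 is still "LISTED"; that is exactly the behaviour the whitelist inclusion gives the real zone.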

November 12, 2013

L2.APEWS.ORG False Positive #25

Here is another false positive. It definitely shouldn't be in the spam folder, as it is from a whitelist operator. The full email header follows;

Tue 2013-11-12 08:40:07: [816:5036] Accepting SMTP connection from [217.23.49.178]
Tue 2013-11-12 08:40:07: [816:5036] --> 220 xxx.xxx.xxx ESMTP MDaemon; Tue, 12 Nov 2013 08:40:07 -0500
Tue 2013-11-12 08:40:07: [816:5036] <-- EHLO webone.hostedserver.eu
Tue 2013-11-12 08:40:07: [816:5036] --> 250-xxx.xxx.xxx Hello webone.hostedserver.eu, pleased to meet you
Tue 2013-11-12 08:40:07: [816:5036] --> 250-ETRN
Tue 2013-11-12 08:40:07: [816:5036] --> 250-AUTH=LOGIN
Tue 2013-11-12 08:40:07: [816:5036] --> 250-AUTH LOGIN CRAM-MD5
Tue 2013-11-12 08:40:07: [816:5036] --> 250-8BITMIME
Tue 2013-11-12 08:40:07: [816:5036] --> 250 SIZE 0
Tue 2013-11-12 08:40:08: [816:5036] <-- MAIL FROM:<xxx @ xxx.xxx> SIZE=841
Tue 2013-11-12 08:40:08: [816:5036] Spam Blocker A-record resolution of [178.49.23.217.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Tue 2013-11-12 08:40:08: [816:5036] Spam Blocker D=178.49.23.217.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Tue 2013-11-12 08:40:08: [816:5036] L2.APEWS.ORG LISTED
Tue 2013-11-12 08:40:08: [816:5036] Message will be accepted and X-RBL-Warning: header will be inserted.
Tue 2013-11-12 08:40:08: [816:5036] --> 250 <root @ webone.hostedserver.eu>, Sender ok
Tue 2013-11-12 08:40:08: [816:5036] <-- RCPT TO:<xxx @ xxx.xxx>
Tue 2013-11-12 08:40:08: [816:5036] --> 250 <xxx @ xxx.xxx>, Recipient ok
Tue 2013-11-12 08:40:08: [816:5036] <-- DATA
Tue 2013-11-12 08:40:08: [816:5036] --> 354 Enter mail, end with <CRLF>.<CRLF>
Tue 2013-11-12 08:40:09: [816:5036] --> 250 Ok, message saved <Message-ID: 20131112133949.7115C1B35CB1 @ webone.hostedserver.eu>
Tue 2013-11-12 08:40:09: [816:5036] <-- QUIT
Tue 2013-11-12 08:40:09: [816:5036] --> 221 See ya in cyberspace
Tue 2013-11-12 08:40:09: [816:5036] SMTP session successful, 850 bytes transferred.
Tue 2013-11-12 08:40:09: [816:5036] Shuffling message(s) into proper queue(s)
Tue 2013-11-12 08:40:09: [816:5036] Message received from webone.hostedserver.eu [217.23.49.178] <xxx @ xxx.xxx> with SMTP for <xxx @ xxx.xxx> [Size 839] {k:\localq\0000369111.msg}

October 3, 2013

L2.APEWS.ORG False Positive #24

Another user reported a newsletter in the junk folder; however, on checking, the IP address appears to have already been delisted. Publishing this false positive for the record (full email header, munged where appropriate);

Wed 2013-10-02 18.13:20: [1768:723] Accepting SMTP connection from [159.220.9.56]
Wed 2013-10-02 18.13:20: [1768:723] Looking up PTR record for 159.220.9.56 (56.9.220.159.IN-ADDR.ARPA)
Wed 2013-10-02 18.13:21: [1768:723] D=56.9.220.159.IN-ADDR.ARPA TTL=(0) PTR=[mailout2-trm.thomsonreuters.com]
Wed 2013-10-02 18.13:21: [1768:723] Gathering A-records for PTR hosts
Wed 2013-10-02 18.13:21: [1768:723] D=mailout2-trm.thomsonreuters.com TTL=(60) A=[159.220.9.56]
Wed 2013-10-02 18.13:21: [1768:723] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Wed, 02 Oct 2013 18.13:21 -0500
Wed 2013-10-02 18.13:21: [1768:723] <-- EHLO mailout2-trm.thomsonreuters.com
Wed 2013-10-02 18.13:21: [1768:723] Performing reverse lookup on mailout2-trm.thomsonreuters.com (looking for 159.220.9.56)
Wed 2013-10-02 18.13:21: [1768:723] D=mailout2-trm.thomsonreuters.com TTL=(59) A=[159.220.9.56]
Wed 2013-10-02 18.13:21: [1768:723] --> 250-xxx.xxx.xxx Hello mailout2-trm.thomsonreuters.com, pleased to meet you
Wed 2013-10-02 18.13:21: [1768:723] --> 250-ETRN
Wed 2013-10-02 18.13:21: [1768:723] --> 250-AUTH=LOGIN
Wed 2013-10-02 18.13:21: [1768:723] --> 250-AUTH LOGIN CRAM-MD5
Wed 2013-10-02 18.13:21: [1768:723] --> 250-8BITMIME
Wed 2013-10-02 18.13:21: [1768:723] --> 250 SIZE 0
Wed 2013-10-02 18.13:21: [1768:723] <-- MAIL From:<x@ thomsonreuters.com> SIZE=45939
Wed 2013-10-02 18.13:21: [1768:723] Performing reverse lookup on thomsonreuters.com (looking for 159.220.9.56)
Wed 2013-10-02 18.13:22: [1768:723] D=thomsonreuters.com TTL=(0) A=[163.231.4.79]
Wed 2013-10-02 18.13:22: [1768:723] P=020 D=thomsonreuters.com TTL=(0) MX=[mailin2-tr.thomsonreuters.com] {59.144.10.241}
Wed 2013-10-02 18.13:22: [1768:723] P=020 D=thomsonreuters.com TTL=(0) MX=[mailin1-tr.thomsonreuters.com] {199.224.149.51}
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin7-tr.thomsonreuters.com]
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin6-tr.thomsonreuters.com] {159.220.48.8}
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin5-tr.thomsonreuters.com]
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin4-tr.thomsonreuters.com]
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin3-tr.thomsonreuters.com]
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin2-trp.thomsonreuters.com] {163.231.6.25}
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin2-trm.thomsonreuters.com] {159.220.9.53}
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin1-trp.thomsonreuters.com] {163.231.6.5}
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin1-trm.thomsonreuters.com] {159.220.28.53}
Wed 2013-10-02 18.13:22: [1768:723] D=mailin7-tr.thomsonreuters.com TTL=(0) A=[159.220.48.10]
Wed 2013-10-02 18.13:22: [1768:723] D=mailin5-tr.thomsonreuters.com TTL=(0) A=[159.220.38.28]
Wed 2013-10-02 18.13:22: [1768:723] D=mailin4-tr.thomsonreuters.com TTL=(0) A=[159.220.20.196]
Wed 2013-10-02 18.13:22: [1768:723] D=mailin3-tr.thomsonreuters.com TTL=(0) A=[159.220.16.156]
Wed 2013-10-02 18.13:22: [1768:723] Spam Blocker A-record resolution of [56.9.220.159.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Wed 2013-10-02 18.13:22: [1768:723] Spam Blocker D=56.9.220.159.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Wed 2013-10-02 18.13:22: [1768:723] L2.APEWS.ORG LISTED
Wed 2013-10-02 18.13:22: [1768:723] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2013-10-02 18.13:22: [1768:723] --> 250 <x@ thomsonreuters.com>, Sender ok
Wed 2013-10-02 18.13:23: [1768:723] <-- RCPT To:<xxx@ xxx.xxx>
Wed 2013-10-02 18.13:23: [1768:723] --> 250 <xxx@ xxx.xxx>, Recipient ok
Wed 2013-10-02 18.13:23: [1768:723] <-- DATA
Wed 2013-10-02 18.13:23: [1768:723] --> 354 Enter mail, end with <CRLF>.<CRLF>
Wed 2013-10-02 18.13:24: [1768:723] --> 250 Ok, message saved <Message-ID: 11D276E588427@ ERFMMBX12.ERF.thomson.com>
Wed 2013-10-02 18.13:26: [1768:723] <-- QUIT
Wed 2013-10-02 18.13:26: [1768:723] --> 221 See ya in cyberspace
Wed 2013-10-02 18.13:26: [1768:723] SMTP session successful, 46875 bytes transferred.
Wed 2013-10-02 18.13:26: [1768:723] Shuffling message(s) into proper queue(s)
Wed 2013-10-02 18.13:26: [1768:723] Message received from mailout2-trm.thomsonreuters.com [159.220.9.56] <x@ thomsonreuters.com> with SMTP for <xxx@ xxx.xxx> [Size 4859] {i:\localq\000351496.msg}

August 30, 2013

SPEWS Memorial Day

Every August 30th the APEWS.org website changes its home page to show the following;

 **************************************

Today our website and our mail-servers are not available, because it is 30 August - SPEWS MEMORIAL DAY

Our beloved SPEWS operator got hit by a truck and died 30 August 2006. One of his dreams was to make the world a spam free place.
As long as spam exists we therefore recommend all of you to shutdown all mail-servers at every 30. August for 24 hours.
Be creative to make today a black day for all spammers and spam supporters and a day without mail and spam.
It is just one day in the year so it will not hurt you nor your company, but it will set a widely visible sign if enough people do so.
Our blacklists are online, but we will not display reasons for listings nor do any removals by today.
We will be back by tomorrow. APEWS - Anonymous Postmasters Early Warning System.

 **************************************

The man behind the former blacklist known as SPEWS was visionary in that he recognized that playing with dynamic listings was not a solution, just prolonging the problem and in fact permitting both spammers and anti-spammers to continue to profit from the problem at the expense of the general public internet users.

Instead he designed a fixed listing system that prevented the internet service providers (ISP) from recycling their IP space for profit, listing them as having a bad reputation. The SPEWS blacklist database was known to be fairly aggressive with the ISPs that ignored the spam problem whilst making money from it.

From what we know, the founder of SPEWS was not only an experienced driver but had additional training, possibly as a driving instructor. He also liked to drive one of the safest cars manufactured yet. Despite this, whilst driving his usual cross-country route between home and office, a truck appeared and there was a crash that left the SPEWS founder dead. That was August 30th 2006. Was there foul play?

We think that if the SPEWS founder was still alive today, he would be pleased with the progress that APEWS.org has made using his ideology and advancing it further to cover all ISPs and IPv4 space.

August 28, 2013

L2.APEWS.ORG False Positive #23

Another reported false positive; few and far between, as you have seen. This is the full header, munged where appropriate;

Wed 2013-08-28 01:14:38: [6404:8081] Accepting SMTP connection from [98.130.1.134]
Wed 2013-08-28 01:14:38: [6404:8081] Looking up PTR record for 98.130.1.134 (134.1.130.98.IN-ADDR.ARPA)
Wed 2013-08-28 01:14:39: [6404:8081] D=134.1.130.98.IN-ADDR.ARPA TTL=(1440) PTR=[mail404.opentransfer.com]
Wed 2013-08-28 01:14:39: [6404:8081] Gathering A-records for PTR hosts
Wed 2013-08-28 01:14:39: [6404:8081] D=mail404.opentransfer.com TTL=(1440) A=[98.130.1.134]
Wed 2013-08-28 01:14:39: [6404:8081] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.8; Wed, 28 Aug 2013 01:14:39 -0400
Wed 2013-08-28 01:14:39: [6404:8081] <-- HELO mail404.opentransfer.com
Wed 2013-08-28 01:14:39: [6404:8081] Performing reverse lookup on mail404.opentransfer.com (looking for 98.130.1.134)
Wed 2013-08-28 01:14:39: [6404:8081] D=mail404.opentransfer.com TTL=(1439) A=[98.130.1.134]
Wed 2013-08-28 01:14:39: [6404:8081] --> 250 xxx.xxx.xxx Hello mail404.opentransfer.com, pleased to meet you
Wed 2013-08-28 01:14:39: [6404:8081] <-- MAIL FROM:<xxx@xxx.xxx>
Wed 2013-08-28 01:14:39: [6404:8081] Performing reverse lookup on xxx.xxx (looking for 98.130.1.134)
Wed 2013-08-28 01:14:40: [6404:8081] D=xxx.xxx TTL=(360) A=[98.130.139.194]
Wed 2013-08-28 01:14:40: [6404:8081] P=010 D=xxx.xxx TTL=(359) MX=[mail404.ixwebhosting.com] {76.162.254.110}
Wed 2013-08-28 01:14:40: [6404:8081] Spam Blocker A-record resolution of [134.1.130.98.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Wed 2013-08-28 01:14:40: [6404:8081] Spam Blocker D=134.1.130.98.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Wed 2013-08-28 01:14:40: [6404:8081] L2.APEWS.ORG LISTED
Wed 2013-08-28 01:14:40: [6404:8081] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2013-08-28 01:14:40: [6404:8081] --> 250 <xxx@xxx.xxx>, Sender ok
Wed 2013-08-28 01:14:40: [6404:8081] <-- RCPT TO:<xxx@xxx.xxx>
Wed 2013-08-28 01:14:40: [6404:8081] --> 250 <xxx@xxx.xxx>, Recipient ok
Wed 2013-08-28 01:14:40: [6404:8081] <-- DATA
Wed 2013-08-28 01:14:40: [6404:8081] --> 354 Enter mail, end with <CRLF>.<CRLF>
Wed 2013-08-28 01:14:41: [6404:8081] --> 250 Ok, message saved <Message-ID: !&!AAzWLFEsxmkTAAA==@xxx.xxx>
Wed 2013-08-28 01:14:41: [6404:8081] <-- QUIT
Wed 2013-08-28 01:14:41: [6404:8081] --> 221 See ya in cyberspace
Wed 2013-08-28 01:14:41: [6404:8081] SMTP session successful, 1273 bytes transferred.
Wed 2013-08-28 01:14:41: [6404:8081] Shuffling message(s) into proper queue(s)
Wed 2013-08-28 01:14:41: [6404:8081] Message received from mail404.opentransfer.com [98.130.1.134] <xxx@xxx.xxx> with SMTP for <xxx@xxx.xxx> [Size 1260] {j:\localq\000330.msg}

July 22, 2013

L2.APEWS.ORG False Positive #22

This is another newsletter that a user reported as being in the spam folder when it had been properly subscribed to. Checking the IP address of the sending server, we find that it is no longer listed, so this is being published for information only;

Fri 2013-07-19 01:05:11: [9010:4232] Accepting SMTP connection from [72.232.93.13]
Fri 2013-07-19 01:05:11: [9010:4232] Looking up PTR record for 72.232.93.13 (13.93.232.72.IN-ADDR.ARPA)
Fri 2013-07-19 01:05:12: [9010:4232] D=13.93.232.72.IN-ADDR.ARPA TTL=(179) PTR=[nlserv14.123greetings.info]
Fri 2013-07-19 01:05:12: [9010:4232] Gathering A-records for PTR hosts
Fri 2013-07-19 01:05:13: [9010:4232] Name server reports domain name unknown.
Fri 2013-07-19 01:05:13: [9010:4232] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Fri, 19 Jul 2013 21:00:13 -0100
Fri 2013-07-19 01:05:13: [9010:4232] <-- EHLO 123greetings.info
Fri 2013-07-19 01:05:13: [9010:4232] Performing reverse lookup on 123greetings.info (looking for 72.232.93.13)
Fri 2013-07-19 01:05:13: [9010:4232] D=123greetings.info TTL=(60) A=[216.104.165.71]
Fri 2013-07-19 01:05:14: [9010:4232] P=010 D=123greetings.info TTL=(60) MX=[mx1.emailsrvr.com] {98.129.184.131}
Fri 2013-07-19 01:05:14: [9010:4232] --> 250-xxx.xxx.xxx Hello nlserv14.123greetings.info (may be forged), pleased to meet you
Fri 2013-07-19 01:05:14: [9010:4232] --> 250-ETRN
Fri 2013-07-19 01:05:14: [9010:4232] --> 250-AUTH=LOGIN
Fri 2013-07-19 01:05:14: [9010:4232] --> 250-AUTH LOGIN CRAM-MD5
Fri 2013-07-19 01:05:14: [9010:4232] --> 250-8BITMIME
Fri 2013-07-19 01:05:14: [9010:4232] --> 250 SIZE 0
Fri 2013-07-19 01:05:14: [9010:4232] <-- MAIL FROM:<newsletter @ 123greetings.info> BODY=8BITMIME
Fri 2013-07-19 01:05:14: [9010:4232] Performing reverse lookup on 123greetings.info (looking for 72.232.93.13)
Fri 2013-07-19 01:05:14: [9010:4232] D=123greetings.info TTL=(59) A=[216.104.165.71]
Fri 2013-07-19 01:05:14: [9010:4232] P=010 D=123greetings.info TTL=(59) MX=[mx1.emailsrvr.com] {98.129.184.131}
Fri 2013-07-19 01:05:14: [9010:4232] Spam Blocker A-record resolution of [13.93.232.72.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Fri 2013-07-19 01:05:14: [9010:4232] Spam Blocker D=13.93.232.72.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Fri 2013-07-19 01:05:14: [9010:4232] L2.APEWS.ORG LISTED
Fri 2013-07-19 01:05:14: [9010:4232] Message will be accepted and X-RBL-Warning: header will be inserted.
Fri 2013-07-19 01:05:14: [9010:4232] --> 250 <newsletter @ 123greetings.info>, Sender ok
Fri 2013-07-19 01:05:14: [9010:4232] <-- RCPT TO:<xxx @ xxx.xxx>
Fri 2013-07-19 01:05:14: [9010:4232] --> 250 <xxx @ xxx.xxx>, Recipient ok
Fri 2013-07-19 01:05:14: [9010:4232] <-- DATA
Fri 2013-07-19 01:05:14: [9010:4232] --> 354 Enter mail, end with <CRLF>.<CRLF>
Fri 2013-07-19 01:05:15: [9010:4232] --> 250 Ok, message saved <Message-ID: 2013.newsletter @ 123greetings.info>
Fri 2013-07-19 01:05:15: [9010:4232] <-- QUIT
Fri 2013-07-19 01:05:15: [9010:4232] --> 221 See ya in cyberspace
Fri 2013-07-19 01:05:15: [9001:4232] SMTP session successful, 14619 bytes transferred.
Fri 2013-07-19 01:05:15: [9010:4232] Shuffling message(s) into proper queue(s)
Fri 2013-07-19 01:05:15: [9010:4232] Message received from 123greetings.info [72.232.93.13] <newsletter @ 123greetings.info> with SMTP for <xxx @ xxx.xxx> [Size 0] {j:\localq\0003197.msg}

July 18, 2013

L2.APEWS.ORG False Positive #21

We're publishing this one for the record: the newsletter was found in the junk folder by the user but had in fact been subscribed to. The IP address has already been de-listed, so this is just for information;

Tue 2013-07-16 05:49:33: [6716:1620] Accepting SMTP connection from [63.121.28.41]
Tue 2013-07-16 05:49:33: [6716:1620] Looking up PTR record for 63.121.28.41 (41.28.121.63.IN-ADDR.ARPA)
Tue 2013-07-16 05:49:34: [6716:1620] D=41.28.121.63.IN-ADDR.ARPA TTL=(59) PTR=[unicamailman301-q1.sb.monster.com]
Tue 2013-07-16 05:49:34: [6716:1620] Gathering A-records for PTR hosts
Tue 2013-07-16 05:49:34: [6716:1620] D=unicamailman301-q1.sb.monster.com TTL=(60) A=[63.121.28.41]
Tue 2013-07-16 05:49:34: [6716:1620] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Tue, 16 Jul 2013 05:49:34 -0500
Tue 2013-07-16 05:49:34: [6716:1620] <-- HELO unicamailman301-q1.sb.monster.com
Tue 2013-07-16 05:49:34: [6716:1620] Performing reverse lookup on unicamailman301-q1.sb.monster.com (looking for 63.121.28.41)
Tue 2013-07-16 05:49:34: [6716:1620] D=unicamailman301-q1.sb.monster.com TTL=(60) A=[63.121.28.41]
Tue 2013-07-16 05:49:34: [6716:1620] --> 250 xxx.xxx.xxx Hello unicamailman301-q1.sb.monster.com, pleased to meet you
Tue 2013-07-16 05:49:34: [6716:1620] <-- MAIL FROM:<smas.30-230433_448550_3@e0.monster.com>
Tue 2013-07-16 05:49:34: [6716:1620] Performing reverse lookup on e0.monster.com (looking for 63.121.28.41)
Tue 2013-07-16 05:49:34: [6716:1620] D=e0.monster.com TTL=(10) A=[63.112.169.1]
Tue 2013-07-16 05:49:35: [6716:1620] P=020 D=e0.monster.com TTL=(10) MX=[mailsorter.sb.monster.com] {63.121.30.235}
Tue 2013-07-16 05:49:35: [6716:1620] P=020 D=e0.monster.com TTL=(10) MX=[mailsorter.be.tmpw.net] {208.71.195.235}
Tue 2013-07-16 05:49:35: [6716:1620] Spam Blocker A-record resolution of [41.28.121.63.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Tue 2013-07-16 05:49:35: [6716:1620] Spam Blocker D=41.28.121.63.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Tue 2013-07-16 05:49:35: [6716:1620] L2.APEWS.ORG LISTED
Tue 2013-07-16 05:49:35: [6716:1620] Message will be accepted and X-RBL-Warning: header will be inserted.
Tue 2013-07-16 05:49:35: [6716:1620] --> 250 <smas.30-230433_4 @ .monster.com>, Sender ok
Tue 2013-07-16 05:49:35: [6716:1620] <-- RCPT TO:<xxx@xxx.xxx>
Tue 2013-07-16 05:49:35: [6716:1620] --> 250 <xxx@xxx.xxx>, Recipient ok
Tue 2013-07-16 05:49:35: [6716:1620] <-- DATA
Tue 2013-07-16 05:49:35: [6716:1620] --> 354 Enter mail, end with <CRLF>.<CRLF>
Tue 2013-07-16 05:49:36: [6716:1620] --> 250 Ok, message saved <Message-ID: emsg.826.7140f20 @ unica7emsg201.be.monster.com>
Tue 2013-07-16 05:49:36: [6716:1620] <-- QUIT
Tue 2013-07-16 05:49:36: [6716:1620] --> 221 See ya in cyberspace
Tue 2013-07-16 05:49:36: [6716:1620] SMTP session successful, 13598 bytes transferred.
Tue 2013-07-16 05:49:36: [6716:1620] Shuffling message(s) into proper queue(s)
Tue 2013-07-16 05:49:36: [6716:1620] Message received from unicamailman301-q1.sb.monster.com [63.121.28.41] <smas.30-230433_448550_3 @ .monster.com> with SMTP for <xxx@xxx.xxx> [Size 0] {j:\localq\1150000318214.msg}

June 20, 2013

L2.APEWS.ORG False Positive #20

One of our users reported an email in the spam folder as an error, saying that it was a subscribed-to newsletter about Japan tourism. Full header here;

Wed 2013-06-19 04:27:06: [4181:459] Accepting SMTP connection from [203.191.244.137]
Wed 2013-06-19 04:27:06: [4181:459] Looking up PTR record for 203.191.244.137 (137.244.191.203.IN-ADDR.ARPA)
Wed 2013-06-19 04:27:06: [4181:459] D=137.128-26.244.191.203.IN-ADDR.ARPA TTL=(59) PTR=[mail3-5.webcas.net]
Wed 2013-06-19 04:27:06: [4181:459] Gathering A-records for PTR hosts
Wed 2013-06-19 04:27:06: [4181:459] D=mail3-5.webcas.net TTL=(60) A=[203.191.244.137]
Wed 2013-06-19 04:27:06: [4181:459] --> 220-ns7.methusalah.com ESMTP MDaemon 6.7.9; Wed, 19 Jun 2013 04:27:06 -0500
Wed 2013-06-19 04:27:06: [4181:459] -->
Wed 2013-06-19 04:27:07: [4181:459] <-- EHLO wcasp3-efmta2.webcas.net
Wed 2013-06-19 04:27:07: [4181:459] Performing reverse lookup on wcasp3-efmta2.webcas.net (looking for 203.191.244.137)
Wed 2013-06-19 04:27:07: [4181:459] Name server reports domain name unknown.
Wed 2013-06-19 04:27:07: [4181:459] --> 250-ns7.methusalah.com Hello mail3-5.webcas.net (may be forged), pleased to meet you
Wed 2013-06-19 04:27:07: [4181:459] --> 250-ETRN
Wed 2013-06-19 04:27:07: [4181:459] --> 250-AUTH=LOGIN
Wed 2013-06-19 04:27:07: [4181:459] --> 250-AUTH LOGIN CRAM-MD5
Wed 2013-06-19 04:27:07: [4181:459] --> 250-8BITMIME
Wed 2013-06-19 04:27:07: [4181:459] --> 250 SIZE 0
Wed 2013-06-19 04:27:07: [4181:459] <-- MAIL FROM:<errmailxxx @ mail3.webcas.net> SIZE=11707
Wed 2013-06-19 04:27:07: [4181:459] Performing reverse lookup on mail3.webcas.net (looking for 203.191.244.137)
Wed 2013-06-19 04:27:07: [4181:459] D=mail3.webcas.net TTL=(60) A=[203.191.244.132]
Wed 2013-06-19 04:27:08: [4181:459] P=010 D=mail3.webcas.net TTL=(60) MX=[mail3.webcas.net] {203.191.244.132}
Wed 2013-06-19 04:27:08: [4181:459] Spam Blocker A-record resolution of [137.244.191.203.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.3)...
Wed 2013-06-19 04:27:08: [4181:459] L2.APEWS.ORG LISTED
Wed 2013-06-19 04:27:08: [4181:459] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2013-06-19 04:27:08: [4181:459] --> 250 <errmailxxx @ mail3.webcas.net>, Sender ok
Wed 2013-06-19 04:27:08: [4181:459] <-- RCPT TO:<xxx@xxx.xxx>
Wed 2013-06-19 04:27:08: [4181:459] --> 250 <xxx@xxx.xxx>, Recipient ok
Wed 2013-06-19 04:27:08: [4181:459] <-- DATA
Wed 2013-06-19 04:27:08: [4181:459] --> 354 Enter mail, end with <CRLF>.<CRLF>
Wed 2013-06-19 04:27:09: [4181:459] --> 250 Ok, message saved <Message-ID: xxx.newsletter @ japantravelinfo.com>
Wed 2013-06-19 04:27:09: [4181:459] <-- QUIT
Wed 2013-06-19 04:27:09: [4181:459] --> 221 See ya in cyberspace
Wed 2013-06-19 04:27:09: [4181:459] SMTP session successful, 11682 bytes transferred.
Wed 2013-06-19 04:27:09: [4181:459] Shuffling message(s) into proper queue(s)
Wed 2013-06-19 04:27:09: [4181:459] Message received from wcasp3-efmta2.webcas.net [203.191.244.137] <errmail4-03@mail3.webcas.net> with SMTP for <xxx@xxx.xxx> [Size 11671] {j:\localq\7000002893.msg}

June 18, 2013

Apews listing only part of the problem, correctly listed IP

Hi APEWS Admins, please remove my IP address from your blacklist : 162.39.36.66

Thanks!


Full headers:

Received: from pusen02 (192.168.16.40) by connect.activedata.ca
(192.168.16.38) with Microsoft SMTP Server (TLS) id 14.2.247.3; Tue, 18 Jun
2013 07:59:31 -0400
Received: from pusen02 ([162.39.36.66] helo=pusen02) by ASSP.nospam with SMTP
(2.3.3); 18 Jun 2013 07:59:31 -0400
From: <***@***.com>
Subject: [SPAM]
To: J*** <***@***.com>
Date: Tue, 18 Jun 2013 07:49:24 -0400
Message-ID: <201306180749242N.DCSML-S000250000.000074FBD545@172.23.40.3>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_41dffd17-33c1-4156-825e-2450e53d5501_"
X-Assp-Version: 2.3.3(13137) on ASSP.nospam
X-Assp-ID: ASSP.nospam m1-56771-09551
X-Assp-Session: 7F329949E7B8 (mail 1)
X-Assp-Server-TLS: yes
X-Assp-Received-SPF: softfail ip=162.39.36.66 mailfrom=***@***.com
helo=pusen02
X-Original-Authentication-Results: ASSP.nospam; spf=softfail
X-Assp-Message-Score: 5 (SPF softfail)
X-Assp-IP-Score: 5 (SPF softfail)
X-Assp-Message-Score: 35 (DNSBLcache: neutral, 162.39.36.66 listed in
l2.apews.org{127.0.0.2})
X-Assp-IP-Score: 35 (DNSBLcache: neutral, 162.39.36.66 listed in
l2.apews.org{127.0.0.2})
X-Assp-DNSBLcache: neutral, 162.39.36.66 listed in l2.apews.org{127.0.0.2}
X-Assp-Message-Score: 10 (invalid HELO: 'pusen02')
X-Assp-IP-Score: 10 (invalid HELO: 'pusen02')
X-Assp-Bayes-Confidence: 0.00040
X-Assp-Tag: MessageLimit
X-Assp-Spam: YES
X-Spam-Status: yes
X-Assp-Spam-Reason: MessageScore passed low limit
X-Assp-Message-Totalscore: 50
X-Assp-Spam-Level: ***********
Return-Path: ***@***.com
X-MS-Exchange-Organization-AuthSource: ExchSrv.activedata.local
X-MS-Exchange-Organization-AuthAs: Anonymous

The delivering server is using an incorrect HELO/EHLO: "pusen02" is a bare host name, and it should be a FQDN (fully qualified domain name), which is set in your mail server's configuration. For that name to pass reverse DNS checks it also needs a matching PTR record, and for that you need to contact your ISP, Windstream, and tell them what FQDN you want them to write in their DNS server. Windstream are using generic PTR records, which are not satisfactory for email servers; yours is showing as:
h66.36.39.162.static.ip.windstream.net
That alone will cause your emails to fail the reverse DNS lookups that many email servers perform automatically in real time. Note also that the ASSP headers above score the message at 50, of which the APEWS listing contributed 35, the invalid HELO 10 and the SPF softfail 5; the listing was only part of the reason this was tagged as spam.
Using Windstream IP space probably isn't doing you any favors either. If they won't create that DNS entry for you, you'll have to change ISP or accept a poor delivery rate.
The person who set up your email server does not know enough to do the job; we suggest you contact a professional who knows about things like EHLO/HELO configuration and SMTP per the RFCs.
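The checks a receiving MTA makes against a sender like the one above, as an added example that is not code from this page or from ASSP: HELO must be a FQDN (or a bracketed address literal), the PTR should not be an ISP-generated generic name, and the PTR name should resolve back to the connecting address (forward-confirmed reverse DNS). DNS answers are a constructed in-memory table rather than live lookups, using the Windstream host from the report and, for comparison, the FP #25 sender from this page; the "generic PTR" heuristic is an assumption of this example, not a standard.

```python
import ipaddress
import re

# Constructed DNS view for offline use (not live lookups): the PTR and A
# records for the reporting host on this page and, for comparison, the
# FP #25 sender, which is set up the way a mail server should be.
PTR = {
    "162.39.36.66": "h66.36.39.162.static.ip.windstream.net",
    "217.23.49.178": "webone.hostedserver.eu",
}
A = {
    "h66.36.39.162.static.ip.windstream.net": "162.39.36.66",
    "webone.hostedserver.eu": "217.23.49.178",
}

LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(helo: str) -> bool:
    """RFC 5321 allows a FQDN or a bracketed address literal in HELO/EHLO.

    A bare host label such as "pusen02" is neither.
    """
    if helo.startswith("[") and helo.endswith("]"):
        try:
            ipaddress.ip_address(helo[1:-1])
            return True
        except ValueError:
            return False
    labels = helo.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def looks_generic(ptr: str, ip: str) -> bool:
    """Heuristic (an assumption of this example, not a standard): a PTR that
    embeds all four octets of the address, like
    h66.36.39.162.static.ip.windstream.net, is an ISP-generated generic name
    rather than a host name chosen by the mail server's operator.
    """
    numbers = re.findall(r"\d+", ptr)
    return all(octet in numbers for octet in ip.split("."))


def fcrdns(ip: str) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the IP."""
    ptr = PTR.get(ip)
    return ptr is not None and A.get(ptr) == ip


def assess(ip: str, helo: str) -> list:
    """Return the findings a receiving MTA would hold against this sender."""
    findings = []
    if not is_fqdn(helo):
        findings.append("invalid HELO: %r is not a FQDN" % helo)
    ptr = PTR.get(ip)
    if ptr is None:
        findings.append("no PTR record for %s" % ip)
        return findings
    if looks_generic(ptr, ip):
        findings.append("generic PTR: %s" % ptr)
    if not fcrdns(ip):
        findings.append("PTR %s does not resolve back to %s" % (ptr, ip))
    if is_fqdn(helo) and helo.lower().rstrip(".") != ptr.lower():
        findings.append("HELO %s does not match PTR %s" % (helo, ptr))
    return findings


if __name__ == "__main__":
    for ip, helo in (("162.39.36.66", "pusen02"),
                     ("217.23.49.178", "webone.hostedserver.eu")):
        print(ip, helo, assess(ip, helo) or "OK")
```

For the reporting host the result is two findings, the invalid HELO and the generic PTR, even though the PTR does forward-confirm; fixing the HELO is in the operator's hands, while a non-generic PTR needs the ISP.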

No evidence of Apews listing causing this email delivery failure

Herewith is the header of the bounced email. IP is not blacklisted in other anti-spam portals except with APEWS though it's still a July 07, 2007 record.

Thu 2013-01-31 17:19:22: * Connection established (192.168.0.115:3302 -> 198.80.42.2:25)

Thu 2013-01-31 17:19:22: Waiting for protocol to start...
Thu 2013-01-31 17:19:22: <-- 220 portal1.visa.com - Access is monitored. SMTP Proxy Server Ready

Thu 2013-01-31 17:19:22: --> EHLO mail.ticketworld.com.ph
Thu 2013-01-31 17:19:22: <-- 250-ESMTP Server Ready
Thu 2013-01-31 17:19:22: <-- 250-SIZE 20971520
Thu 2013-01-31 17:19:22: <-- 250-DSN
Thu 2013-01-31 17:19:22: <-- 250-STARTTLS
Thu 2013-01-31 17:19:22: <-- 250 TLS
Thu 2013-01-31 17:19:22: --> MAIL From: SIZE=51304
Thu 2013-01-31 17:19:23: <-- 250 +OK Sender OK
Thu 2013-01-31 17:19:23: --> RCPT To:
Thu 2013-01-31 17:19:23: <-- 250 +OK Recipient OK
Thu 2013-01-31 17:19:23: --> DATA
Thu 2013-01-31 17:19:23: <-- 354 Start mail input, end with '.'
Thu 2013-01-31 17:19:23: Sending to [198.80.42.2]
Thu 2013-01-31 17:19:24: Transfer Complete
Thu 2013-01-31 17:19:25: <-- 554 Transaction Failed Spam Message not queued.

This shows the remote server accepting your EHLO, sender and recipient and taking the whole message body (354, then "Transfer Complete"); only after the end of DATA did it reply 554 "Transaction Failed Spam Message not queued". That is a content or policy verdict reached during or after receipt of the message. A rejection driven purely by a DNSBL is usually issued before DATA, at connect or at MAIL FROM/RCPT TO, and usually names the list in the reply text; there is no mention of an Apews.org listing anywhere in this session. We suggest you contact the receiving server's administrator.
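The reading given above, as an added example that is not code from this page: a small parser for the outbound delivery transcript quoted in this entry that finds the first 4xx/5xx reply, records which SMTP stage the session had reached, and flags whether the reply text names a blocklist. The transcript is embedded as constructed input copied from the entry; the list of words taken to indicate a DNSBL reply is an assumption of this example.

```python
import re

# Constructed transcript: the client-side delivery log quoted above, where
# "-->" marks what our server sent and "<--" what the remote server replied.
# (MDaemon's inbound session logs elsewhere on this page use the arrows the
# other way round; this parser is for the outbound transcript format only.)
TRANSCRIPT = """\
Thu 2013-01-31 17:19:22: * Connection established (192.168.0.115:3302 -> 198.80.42.2:25)
Thu 2013-01-31 17:19:22: <-- 220 portal1.visa.com - Access is monitored. SMTP Proxy Server Ready
Thu 2013-01-31 17:19:22: --> EHLO mail.ticketworld.com.ph
Thu 2013-01-31 17:19:22: <-- 250-ESMTP Server Ready
Thu 2013-01-31 17:19:22: <-- 250-SIZE 20971520
Thu 2013-01-31 17:19:22: <-- 250-DSN
Thu 2013-01-31 17:19:22: <-- 250-STARTTLS
Thu 2013-01-31 17:19:22: <-- 250 TLS
Thu 2013-01-31 17:19:22: --> MAIL From: SIZE=51304
Thu 2013-01-31 17:19:23: <-- 250 +OK Sender OK
Thu 2013-01-31 17:19:23: --> RCPT To:
Thu 2013-01-31 17:19:23: <-- 250 +OK Recipient OK
Thu 2013-01-31 17:19:23: --> DATA
Thu 2013-01-31 17:19:23: <-- 354 Start mail input, end with '.'
Thu 2013-01-31 17:19:23: Sending to [198.80.42.2]
Thu 2013-01-31 17:19:24: Transfer Complete
Thu 2013-01-31 17:19:25: <-- 554 Transaction Failed Spam Message not queued.
"""

SENT_RE = re.compile(r"--> (?P<verb>[A-Za-z]+)")
REPLY_RE = re.compile(r"<-- (?P<code>\d{3})[ -](?P<text>.*)$")
STAGE_FOR_VERB = {"EHLO": "helo", "HELO": "helo", "MAIL": "mail_from",
                  "RCPT": "rcpt_to", "DATA": "data"}
# Words a DNSBL-driven rejection text normally carries (assumed list).
DNSBL_WORDS = ("apews", "dnsbl", "rbl", "blacklist", "blocklist",
               "spamhaus", "blocked using")


def classify(transcript: str):
    """Find the first 4xx/5xx reply and report the SMTP stage it arrived at.

    Returns None if the session had no error reply.
    """
    stage = "connect"
    for line in transcript.splitlines():
        sent = SENT_RE.search(line)
        if sent:
            stage = STAGE_FOR_VERB.get(sent.group("verb").upper(), stage)
            continue
        if "Transfer Complete" in line:
            stage = "end_of_data"   # body accepted; any verdict now is post-DATA
            continue
        reply = REPLY_RE.search(line)
        if reply and reply.group("code")[0] in "45":
            text = reply.group("text").strip()
            return {
                "stage": stage,
                "code": reply.group("code"),
                "text": text,
                "temporary": reply.group("code").startswith("4"),
                "dnsbl_named": any(w in text.lower() for w in DNSBL_WORDS),
            }
    return None


def explain(result) -> str:
    """Human-readable reading of classify()'s result."""
    if result is None:
        return "no rejection in transcript"
    if result["dnsbl_named"]:
        return "rejected at %s by a DNSBL the server names in its reply" % result["stage"]
    if result["stage"] == "end_of_data":
        return "body accepted, then refused after end of DATA: content/policy verdict, no list named"
    return "refused at %s with %s, no list named" % (result["stage"], result["code"])


if __name__ == "__main__":
    r = classify(TRANSCRIPT)
    print(r)
    print(explain(r))
```

Run against the quoted session this reports a permanent 554 at the end_of_data stage with no list named, which is the basis for saying the listing was not the cause; a connect-time "550 blocked using ..." reply would instead come back flagged as a DNSBL rejection at the helo or mail_from stage.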

February 6, 2013

L2.APEWS.ORG False Positive #19

This is the latest false positive that we have; it has been quite a while now. The user subscribed to a newsletter and found this edition in the spam folder;

Wed 2013-02-06 04:24:19: [710:3560] Accepting SMTP connection from [208.73.5.67]
Wed 2013-02-06 04:24:19: [710:3560] Looking up PTR record for 208.73.5.67 (67.5.73.208.IN-ADDR.ARPA)
Wed 2013-02-06 04:24:20: [710:3560] D=67.5.73.208.IN-ADDR.ARPA TTL=(59) PTR=[mail4598.outdoorhub.mkt5196.com]
Wed 2013-02-06 04:24:20: [710:3560] Gathering A-records for PTR hosts
Wed 2013-02-06 04:24:20: [710:3560] D=mail4598.outdoorhub.mkt5196.com TTL=(60) A=[208.73.5.67]
Wed 2013-02-06 04:24:20: [710:3560] --> 220 xxx.xxx.xxx ESMTP MDaemon; Wed, 06 Feb 2013 04:24:20
Wed 2013-02-06 04:24:20: [710:3560] <-- EHLO mail4598.outdoorhub.mkt5196.com
Wed 2013-02-06 04:24:20: [710:3560] Performing reverse lookup on mail4598.outdoorhub.mkt5196.com (looking for 208.73.5.67)
Wed 2013-02-06 04:24:20: [710:3560] D=mail4598.outdoorhub.mkt5196.com TTL=(60) A=[208.73.5.67]
Wed 2013-02-06 04:24:20: [710:3560] --> 250-xxx.xxx.xxx Hello mail4598.outdoorhub.mkt5196.com, pleased to meet you
Wed 2013-02-06 04:24:20: [710:3560] --> 250-ETRN
Wed 2013-02-06 04:24:20: [710:3560] --> 250-AUTH=LOGIN
Wed 2013-02-06 04:24:20: [710:3560] --> 250-AUTH LOGIN CRAM-MD5
Wed 2013-02-06 04:24:20: [710:3560] --> 250-8BITMIME
Wed 2013-02-06 04:24:20: [710:3560] --> 250 SIZE 0
Wed 2013-02-06 04:24:21: [710:3560] <-- MAIL FROM:<xxx @ bounce.outdoorhub.mkt5196.com> BODY=8BITMIME
Wed 2013-02-06 04:24:21: [710:3560] Performing reverse lookup on bounce.outdoorhub.mkt5196.com (looking for 208.73.5.67)
Wed 2013-02-06 04:24:21: [710:3560] D=bounce.outdoorhub.mkt5196.com TTL=(60) A=[74.121.50.42]
Wed 2013-02-06 04:24:21: [710:3560] P=005 D=bounce.outdoorhub.mkt5196.com TTL=(60) MX=[bounce.outdoorhub.mkt5196.com] {74.121.50.42}
Wed 2013-02-06 04:24:21: [710:3560] Spam Blocker A-record resolution of [67.5.73.208.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Wed 2013-02-06 04:24:21: [710:3560] Spam Blocker D=67.5.73.208.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Wed 2013-02-06 04:24:21: [710:3560] L2.APEWS.ORG LISTED
Wed 2013-02-06 04:24:21: [710:3560] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2013-02-06 04:24:21: [710:3560] --> 250 <xxx @ bounce.outdoorhub.mkt5196.com>, Sender ok
Wed 2013-02-06 04:24:21: [710:3560] <-- RCPT TO:<xxx @ xxx.xxx>
Wed 2013-02-06 04:24:21: [710:3560] --> 250 <xxx @ xxx.xxx>, Recipient ok
Wed 2013-02-06 04:24:21: [710:3560] <-- DATA
Wed 2013-02-06 04:24:21: [710:3560] --> 354 Enter mail, end with <CRLF>.<CRLF>
Wed 2013-02-06 04:24:22: [710:3560] --> 250 Ok, message saved <Message-ID: 00000000000000000.JavaMail.app @ xxxx.xxx>
Wed 2013-02-06 04:24:22: [710:3560] <-- QUIT
Wed 2013-02-06 04:24:22: [710:3560] --> 221 See ya in cyberspace
Wed 2013-02-06 04:24:22: [710:3560] SMTP session successful, 36340 bytes transferred.
Wed 2013-02-06 04:24:22: [710:3560] Shuffling message(s) into proper queue(s)
Wed 2013-02-06 04:24:22: [710:3560] Message received from mail4598.outdoorhub.mkt5196.com [208.73.5.67] <xxx @ bounce.outdoorhub.mkt5196.com> with SMTP for <xxx @ xxx.xxx> [Size 36326] {j:\mdaemon\localq\md0000000.msg}

December 13, 2012

L2.APEWS.ORG False Positive #18

Here is the full email header for a newsletter that was found in the junk folder but that the recipient subscribed to;

Thu 2012-12-13 03:14:01: [7552:543] Accepting SMTP connection from [89.31.209.89]
Thu 2012-12-13 03:14:01: [7552:543] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Thu, 13 Dec 2012 03:14:01 -0100
Thu 2012-12-13 03:14:01: [7552:543] <-- HELO newsletter.gan.co.za
Thu 2012-12-13 03:14:01: [7552:543] --> 250 xxx.xxx.xxx Hello newsletter.gan.co.za, pleased to meet you
Thu 2012-12-13 03:14:01: [7552:543] <-- MAIL FROM:<bounce-00000000-00000000@ newsletter.gan.co.za>
Thu 2012-12-13 03:14:01: [7552:543] Spam Blocker A-record resolution of [89.209.31.89.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Thu 2012-12-13 03:14:01: [7552:543] Spam Blocker D=89.209.31.89.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Thu 2012-12-13 03:14:01: [7552:543] L2.APEWS.ORG LISTED
Thu 2012-12-13 03:14:01: [7552:543] Message will be accepted and X-RBL-Warning: header will be inserted.
Thu 2012-12-13 03:14:01: [7552:543] --> 250 <bounce-00000000-00000000@ newsletter.gan.co.za>, Sender ok
Thu 2012-12-13 03:14:01: [7552:543] <-- RCPT TO:<xxx@ xxx.xxx>
Thu 2012-12-13 03:14:01: [7552:543] --> 250 <xxx@ xxx.xxx>, Recipient ok
Thu 2012-12-13 03:14:02: [7552:543] <-- DATA
Thu 2012-12-13 03:14:02: [7552:543] --> 354 Enter mail, end with <CRLF>.<CRLF>
Thu 2012-12-13 03:14:03: [7552:543] --> 250 Ok, message saved <Message-ID: SUPPORT-00000000-00000000-2012.12.13-00.00.00--xxx#xxx.xxx@ newsletter.gan.co.za>
Thu 2012-12-13 03:14:03: [7552:543] <-- RSET
Thu 2012-12-13 03:14:03: [7552:543] Shuffling message(s) into proper queue(s)
Thu 2012-12-13 03:14:03: [7552:543] Message received from newsletter.gan.co.za [89.31.209.89] <bounce-00000000-00000000@ newsletter.gan.co.za> with SMTP for <xxx@ xxx.xxx> [Size 55311] {j:\localq\0000231504.msg}
Thu 2012-12-13 03:14:03: [7552:543] SMTP session successful, 55322 bytes transferred.
Thu 2012-12-13 03:14:03: [7552:543] --> 250 RSET? Well, ok.
Thu 2012-12-13 03:14:08: [7552:543] <-- QUIT
Thu 2012-12-13 03:14:08: [7552:543] --> 221 See ya in cyberspace
Thu 2012-12-13 03:14:08: [7552:543] SMTP session successful, 55328 bytes transferred.

September 28, 2012

L2.APEWS.ORG False Positive #17

Here is a newsletter that our user subscribed to but that ended up in the spam folder. The user confirmed consent to receive it, so the full email header is provided here for the APEWS.org Admins to see and correct if they want to;

Wed 2012-09-26 11:55:27: [180:366] Accepting SMTP connection from [67.222.55.9]
Wed 2012-09-26 11:55:27: [180:366] Looking up PTR record for 67.222.55.9 (9.55.222.67.IN-ADDR.ARPA)
Wed 2012-09-26 11:55:28: [180:366] D=9.55.222.67.IN-ADDR.ARPA TTL=(1440) PTR=[oproxy7-pub.bluehost.com]
Wed 2012-09-26 11:55:28: [180:366] Gathering A-records for PTR hosts
Wed 2012-09-26 11:55:29: [180:366] D=oproxy7-pub.bluehost.com TTL=(240) A=[67.222.55.9]
Wed 2012-09-26 11:55:29: [180:366] --> 220 xxx.xxx.xxx ESMTP ; Wed, 26 Sep 2012 11:55:27 -0100
Wed 2012-09-26 11:55:29: [180:366] <-- HELO oproxy7-pub.bluehost.com
Wed 2012-09-26 11:55:29: [180:366] Performing reverse lookup on oproxy7-pub.bluehost.com (looking for 67.222.55.9)
Wed 2012-09-26 11:55:29: [180:366] D=oproxy7-pub.bluehost.com TTL=(239) A=[67.222.55.9]
Wed 2012-09-26 11:55:29: [180:366] --> 250 xxx.xxx.xxx Hello oproxy7-pub.bluehost.com, pleased to meet you
Wed 2012-09-26 11:55:29: [180:366] <-- MAIL FROM:<xxx@ box731.bluehost.com>
Wed 2012-09-26 11:55:29: [180:366] Performing reverse lookup on box731.bluehost.com (looking for 67.222.55.9)
Wed 2012-09-26 11:55:29: [180:366] D=box731.bluehost.com TTL=(240) A=[66.147.244.231]
Wed 2012-09-26 11:55:29: [180:366] Spam Blocker A-record resolution of [9.55.222.67.L2.APEWS.ORG] in progress...
Wed 2012-09-26 11:55:29: [180:366] Spam Blocker D=9.55.222.67.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Wed 2012-09-26 11:55:29: [180:366] L2.APEWS.ORG LISTED
Wed 2012-09-26 11:55:29: [180:366] --> 250 <xxx@ box731.bluehost.com>, Sender ok
Wed 2012-09-26 11:55:29: [180:366] <-- RCPT TO:<xxx@ xxx.xxx>
Wed 2012-09-26 11:55:29: [180:366] 'Recipient unknown' given to divert future spam
Wed 2012-09-26 11:55:29: [180:366] --> 550 <xxx@ xxx.xxx>, Recipient unknown
Wed 2012-09-26 11:55:29: [180:366] <-- QUIT
Wed 2012-09-26 11:55:29: [180:366] --> 221 See ya in cyberspace
Wed 2012-09-26 11:55:29: [180:366] SMTP session successful, 124 bytes transferred.

Note for other posters here: we operate email servers that receive email for our users; one of them has complained to us about this false positive, so we are publishing it.
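A small parser over MDaemon session logs in the layout posted above, added here as an example (it is not the blog's code or part of MDaemon). It groups lines by session id, pulls out the connecting IP, PTR, HELO name and the L2.APEWS.ORG answer, records whether the server rejected with 550 (as in #17) or accepted and inserted X-RBL-Warning (as in the other posts), and checks that the DNSBL query name really was built from the connecting IP. The sample log is constructed with RFC 5737 documentation addresses and placeholder host names.

```python
import re
from collections import OrderedDict
from typing import Dict, List

# Constructed sample in the MDaemon session-log layout shown above. Addresses
# are RFC 5737 documentation ranges and the host names are placeholders.
SAMPLE_LOG = """\
Wed 2012-09-26 11:55:27: [180:366] Accepting SMTP connection from [192.0.2.9]
Wed 2012-09-26 11:55:28: [180:366] D=9.2.0.192.IN-ADDR.ARPA TTL=(1440) PTR=[mail.example.net]
Wed 2012-09-26 11:55:29: [180:366] <-- HELO mail.example.net
Wed 2012-09-26 11:55:29: [180:366] Spam Blocker D=9.2.0.192.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Wed 2012-09-26 11:55:29: [180:366] L2.APEWS.ORG LISTED
Wed 2012-09-26 11:55:29: [180:366] 'Recipient unknown' given to divert future spam
Wed 2012-09-26 11:55:29: [180:366] --> 550 <xxx@ xxx.xxx>, Recipient unknown
Wed 2012-09-26 11:55:29: [180:366] SMTP session successful, 124 bytes transferred.
Wed 2012-09-26 11:56:01: [181:367] Accepting SMTP connection from [198.51.100.20]
Wed 2012-09-26 11:56:01: [181:367] D=20.100.51.198.IN-ADDR.ARPA TTL=(1440) PTR=[news.example.org]
Wed 2012-09-26 11:56:01: [181:367] <-- EHLO news.example.org
Wed 2012-09-26 11:56:02: [181:367] Spam Blocker D=20.100.51.198.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Wed 2012-09-26 11:56:02: [181:367] L2.APEWS.ORG LISTED
Wed 2012-09-26 11:56:02: [181:367] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2012-09-26 11:56:02: [181:367] SMTP session successful, 5120 bytes transferred.
Wed 2012-09-26 11:56:30: [182:368] Accepting SMTP connection from [203.0.113.5]
Wed 2012-09-26 11:56:30: [182:368] <-- EHLO clean.example.com
Wed 2012-09-26 11:56:31: [182:368] SMTP session successful, 2048 bytes transferred.
Wed 2012-09-26 11:56:31: ----------
"""

# "Wed 2012-09-26 11:55:27: [180:366] rest of message"
LINE_RE = re.compile(r"^(?P<stamp>\S+ \S+ \S+): \[(?P<session>\d+:\d+)\] (?P<msg>.*)$")
CONNECT_RE = re.compile(r"Accepting SMTP connection from \[(?P<ip>[\d.]+)\]")
PTR_RE = re.compile(r"\bPTR=\[(?P<ptr>[^\]]+)\]")
HELO_RE = re.compile(r"^<-- (?:EHLO|HELO) (?P<helo>\S+)")
DNSBL_RE = re.compile(r"^Spam Blocker D=(?P<qname>\S+) TTL=\(\d+\) A=\[(?P<code>[\d.]+)\]")
REJECT_RE = re.compile(r"^--> 550 ")


def parse_sessions(text: str) -> List[Dict]:
    """Group log lines by MDaemon session id and pull out the evidence fields."""
    sessions: "OrderedDict[str, Dict]" = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:  # separator lines such as "----------"
            continue
        s = sessions.setdefault(m["session"], {
            "session": m["session"], "start": m["stamp"], "ip": None,
            "ptr": None, "helo": None, "hits": [], "action": "accepted",
        })
        msg = m["msg"]
        if (c := CONNECT_RE.search(msg)):
            s["ip"] = c["ip"]
        elif (p := PTR_RE.search(msg)):
            s["ptr"] = p["ptr"]
        elif (h := HELO_RE.match(msg)):
            s["helo"] = h["helo"]
        elif (d := DNSBL_RE.match(msg)):
            s["hits"].append((d["qname"], d["code"]))
        elif "X-RBL-Warning" in msg:
            s["action"] = "tagged"      # accepted, warning header inserted
        elif REJECT_RE.match(msg):
            s["action"] = "rejected"    # 550 given after the listing
    return list(sessions.values())


def expected_qname(ip: str, zone: str) -> str:
    """The query name the server should have asked for this connecting IP."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def report(sessions: List[Dict], zone: str = "L2.APEWS.ORG") -> List[str]:
    """One line per session the zone listed, in the shape a receiver would
    publish as false-positive evidence. Hits whose query name was not built
    from the connecting IP are flagged separately; they do not prove a listing."""
    lines = []
    for s in sessions:
        want = expected_qname(s["ip"], zone).upper() if s["ip"] else ""
        zone_hits = [(q, c) for q, c in s["hits"] if q.upper().endswith("." + zone.upper())]
        if not zone_hits:
            continue
        codes = [c for q, c in zone_hits if q.upper() == want]
        stray = [q for q, _ in zone_hits if q.upper() != want]
        lines.append(
            f"{s['start']} ip={s['ip']} ptr={s['ptr'] or '-'} helo={s['helo'] or '-'} "
            f"{zone}={','.join(codes) or '-'} action={s['action']}"
            + (f" mismatched-query={','.join(stray)}" if stray else "")
        )
    return lines


if __name__ == "__main__":
    for line in report(parse_sessions(SAMPLE_LOG)):
        print(line)
```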

September 20, 2012

Still no False Positives

There simply haven't been any false positives to write about. A lot of people are requesting delisting and removal from Apews.org here but they are all email senders whereas this blog is aimed at receivers of email that use the apews.org data for filtering or blocking.

Anyone wanting a removal would do better to publish the email header from a receiver as we have done.

These days it's all about reputation and permission, even new allocations to existing ISPs that have a bad rep can expect to remain listed. Folks have had enough of snowshoe spamming out of newly acquired IP blocks.

IPv4 address space is nearly all allocated and most of it has been assessed by the apews.org team to great effect. Consistently trapping 95% or more of spam sent with less than 0.5% false positives is a great statistic, so there can't be much wrong with the apews.org data. We encourage email receivers to publish errors here and prove the error with the full email headers, munged for privacy if you want. That way there is a public record of the error in your view; shame apews.org into fixing that error.

We can see that soon there will be no more IPv4 addresses for spammers to pollute, old existing allocations will have to be cleaned up in order to regain a good rep or stay listed. No residential IP address space needs to send email so outbound connections to port TCP 25 should be disallowed at the ISP firewall and it's so easy to do.

Right now there needs to be a 2 tier tariff for IP addresses, the price for apews.org listed IP address space should be dirt cheap to rent or even free since there is ad revenue from the http traffic. That is the usual business model, give free access with commercials which cover the costs incurred. ISPs are running all their user traffic through http proxy servers for ad tracking etc, try blocking their http server addresses at your firewall and you will lose your internet connection.

Clean IP address space that never gets listed by blacklists is obviously run professionally and volume email senders do so with the permission of the recipient. Their IP address space should command a premium in value and they deserve to earn more out of their email sending services e.g. providing smart hosts for clients. They won't take dirty email databases though :-) If you're really serious about inboxing then pay for a service from one of these guys.

Nice to see more email servers using l2.apews.org for blocking, as published on the NANAE usenet newsgroup recently. Spam is no longer a problem. We've had a lot of extra spare time for server maintenance and monitoring the whitelists, user complaints have stopped and the techs are up to date. In our server logs we've seen subscriptions to newsletters being honored rather than bounced when using the apews dataset; what more can I say. Once we see the subscription process followed by an acceptance email we whitelist that enews server.

June 14, 2012

Some analysis of Apews data

This has taken a while since there is a lot of it! By comparing our own records with listings that exist in the Apews dataset we have been able to conclude the following;

Single IP addresses that have made a direct connection to our servers in order to send spam email have also been found in C-1, C-2, C-12, C-35, C-52, C-53, C-66, C-67, C-73 and C-630.

Listings that are mostly /24 can be found in C-3, C-11, C-13, C-21, C-36, C-41, C-130, C-1375 and C-1402. These /24s generally include the above single IP addresses, suggesting that they may be escalations.

Single IP addresses that have done port scanning, SSH probes, attempted PHP or SQL injection, password guessing, or hosting of landing pages that contain viruses, trojans etc. have only been found in C-16 and C-86.

CIDRs that contain residential customers, which typically have no reverse DNS or have generic host names (as noted in some records by Apews), have been found in C-22, C-1010 and C-1403. These are often referred to as dynamic since they can be large DHCP pools too. These CIDRs would not be RFC compliant for the sending of email.

Other CIDR, usually larger than /24, can be found in C-14, C-15, C-17, C-18, C-20, C-79, C-258 and C-813.

June 7, 2012

L2.APEWS.ORG False Positive #16

A /19 that was listed back in April caught this recently, definitely a user-subscribed newsletter;

Wed 2012-06-06 08:55:21: [140:457] Accepting SMTP connection from [109.123.106.210]
Wed 2012-06-06 08:55:21: [140:457] Looking up PTR record for 109.123.106.210 (210.106.123.109.IN-ADDR.ARPA)
Wed 2012-06-06 08:55:21: [140:457] D=210.106.123.109.IN-ADDR.ARPA TTL=(1439) PTR=[srv-eight.clevercherry.net]
Wed 2012-06-06 08:55:21: [140:457] Gathering A-records for PTR hosts
Wed 2012-06-06 08:55:21: [140:457] D=srv-eight.clevercherry.net TTL=(240) A=[109.123.106.210]
Wed 2012-06-06 08:55:21: [140:457] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Wed, 06 Jun 2012 08:55:21 -0100
Wed 2012-06-06 08:55:21: [140:457] <-- EHLO srv-eight.clevercherry.net
Wed 2012-06-06 08:55:21: [140:457] Performing reverse lookup on srv-eight.clevercherry.net (looking for 109.123.106.210)
Wed 2012-06-06 08:55:21: [140:457] D=srv-eight.clevercherry.net TTL=(240) A=[109.123.106.210]
Wed 2012-06-06 08:55:21: [140:457] --> 250-xxx.xxx.xxx Hello srv-eight.clevercherry.net, pleased to meet you
Wed 2012-06-06 08:55:21: [140:457] --> 250-ETRN
Wed 2012-06-06 08:55:21: [140:457] --> 250-AUTH=LOGIN
Wed 2012-06-06 08:55:21: [140:457] --> 250-AUTH LOGIN CRAM-MD5
Wed 2012-06-06 08:55:21: [140:457] --> 250-8BITMIME
Wed 2012-06-06 08:55:21: [140:457] --> 250 SIZE 0
Wed 2012-06-06 08:55:21: [140:457] <-- MAIL FROM:<xxx @ xxx.xxx> SIZE=16289
Wed 2012-06-06 08:55:21: [140:457] Performing reverse lookup on xxx.clevercherry.com (looking for 109.123.106.210)
Wed 2012-06-06 08:55:21: [140:457] D=xxx.clevercherry.com TTL=(240) A=[109.123.106.210]
Wed 2012-06-06 08:55:21: [140:457] Spam Blocker A-record resolution of [210.106.123.109.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Wed 2012-06-06 08:55:21: [140:457] Spam Blocker D=210.106.123.109.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Wed 2012-06-06 08:55:21: [140:457] L2.APEWS.ORG LISTED
Wed 2012-06-06 08:55:21: [140:457] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2012-06-06 08:55:21: [140:457] --> 250 <xxx @ xxx.xxx>, Sender ok
Wed 2012-06-06 08:55:21: [140:457] <-- RCPT TO:<xxx @ xxx.xxx>
Wed 2012-06-06 08:55:21: [140:457] --> 250 <xxx @ xxx.xxx>, Recipient ok
Wed 2012-06-06 08:55:21: [140:457] <-- DATA
Wed 2012-06-06 08:55:21: [140:457] --> 354 Enter mail, end with <CRLF>.<CRLF>
Wed 2012-06-06 08:55:21: [140:457] --> 250 Ok, message saved <Message-ID: E1ScCvc-0005YX-27@srv-eight.clevercherry.net>
Wed 2012-06-06 08:55:21: [140:457] <-- QUIT
Wed 2012-06-06 08:55:21: [140:457] --> 221 See ya in cyberspace
Wed 2012-06-06 08:55:21: [140:457] SMTP session successful, 15603 bytes transferred.
Wed 2012-06-06 08:55:21: [140:457] Shuffling message(s) into proper queue(s)
Wed 2012-06-06 08:55:21: [140:457] Message received from srv-eight.clevercherry.net [109.123.106.210] <xxx @ xxx.xxx> with SMTP for <xxx @ xxx.xxx> [Size 10502] {j:\localq\6443522.msg}

May 16, 2012

DNS Blacklist Editor

I came across a useful tool (freeware) at http://www.jhsoft.com/ which is for editing a DNS blacklist. Using RSYNC we got a copy of the APEWS dataset and opened it up with the above tool, great. For some people it might be easier to edit the APEWS data for their own purposes in order to reduce false positives or to blacklist more IPv4 space than APEWS currently covers. There are reports of the L2.APEWS.ORG dataset catching between 95% and 99% of all spam, so it shouldn't take much editing to tailor it for any one system.

Some DNS blacklist databases separate the type of blacklisting by using a code number in the DNS record of the listed IP address, e.g. an email spam sender IP might get a DNSBL response of 127.0.0.3, a spam relay IP could show as 127.0.0.4, but a trojan-hosting website IP comes back with 127.0.0.5. Those different 127.0.0.* IP addresses can be used for filtering email or other traffic, e.g. by using the "3" and "4" for an inbound email stream but the "5" for outbound HTTP traffic, i.e. preventing users getting to the trojan host. However, it looks like the APEWS dataset returns just one reply to queries: "L2.APEWS.ORG TTL=(35) A=[127.0.0.2]".
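As an added example (not the blog's code or the jhsoft tool), here is how a receiver would implement the lookup and code interpretation described above: reverse the octets under the zone exactly as the MDaemon logs show (9.55.222.67.L2.APEWS.ORG), then route a hit to the mail or HTTP stream by its 127.0.0.x code, with a single-code list such as L2.APEWS.ORG handled by the same code path. The multi-code zone name, its policy table and the fake zone contents are constructed so the example runs offline.

```python
import ipaddress
import socket
from typing import Callable, Optional, Tuple

# Policy tables map a DNSBL answer to (category, traffic stream it applies to).
# The multi-code zone is a hypothetical list following the 127.0.0.3/4/5
# scheme described above; its name is a placeholder, not a real DNSBL.
MULTI_CODE_ZONE = "multi.dnsbl.example"
MULTI_CODE_POLICY = {
    "127.0.0.3": ("spam-sender", "mail"),
    "127.0.0.4": ("spam-relay", "mail"),
    "127.0.0.5": ("trojan-host", "http"),
}
# L2.APEWS.ORG answers every listed address with the single code 127.0.0.2.
APEWS_ZONE = "L2.APEWS.ORG"
APEWS_POLICY = {"127.0.0.2": ("listed", "mail")}

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
Resolver = Callable[[str], Optional[str]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the octets under the zone: 67.222.55.9 -> 9.55.222.67.L2.APEWS.ORG."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def lookup(ip: str, zone: str, policy: dict, resolve: Resolver) -> Optional[Tuple[str, str]]:
    """Return (category, stream) for a listed address, None when unlisted.

    resolve(name) returns the A record as text, or None for NXDOMAIN.
    Any answer outside 127.0.0.0/8 is discarded: a dead or hijacked DNSBL
    domain wildcarding to a public address would otherwise list the world.
    """
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.IPv4Address(answer) not in LOOPBACK:
        return None
    # An unknown 127.0.0.x code is still a listing; flag it for review.
    return policy.get(answer, ("unknown-code-" + answer, "review"))


def decide(ip: str, zone: str, policy: dict, resolve: Resolver, stream: str) -> str:
    """'block' when the list's code applies to this traffic stream, else 'allow'.

    A 127.0.0.5 trojan-host hit therefore blocks outbound HTTP but lets
    inbound mail from the same address through, and vice versa.
    """
    hit = lookup(ip, zone, policy, resolve)
    return "block" if hit is not None and hit[1] == stream else "allow"


def live_resolve(name: str) -> Optional[str]:
    """Real resolver for production use; NXDOMAIN (unlisted) comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed zone contents so the example runs offline; 192.0.2.x are
# documentation addresses (RFC 5737), not real senders.
FAKE_ZONE = {
    dnsbl_name("192.0.2.10", MULTI_CODE_ZONE): "127.0.0.3",
    dnsbl_name("192.0.2.20", MULTI_CODE_ZONE): "127.0.0.5",
    dnsbl_name("192.0.2.10", APEWS_ZONE): "127.0.0.2",
    dnsbl_name("192.0.2.20", APEWS_ZONE): "127.0.0.2",
    dnsbl_name("192.0.2.30", APEWS_ZONE): "203.0.113.1",  # wildcard/hijack answer
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.99"):
        print(ip,
              "multi/mail:", decide(ip, MULTI_CODE_ZONE, MULTI_CODE_POLICY, fake_resolve, "mail"),
              "multi/http:", decide(ip, MULTI_CODE_ZONE, MULTI_CODE_POLICY, fake_resolve, "http"),
              "apews/mail:", decide(ip, APEWS_ZONE, APEWS_POLICY, fake_resolve, "mail"))
```

Swap fake_resolve for live_resolve to query a real zone; the decision logic does not change.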

Looking through the listings and reviewing the comments that used to be written in the earlier records, we can see some groups of "Cases" that may be useful to some people if the C number can be obtained. It should even be possible to extract the relevant data to build smaller datasets specific to a need. The groups of Cases and their text descriptors etc. will be published shortly.

April 4, 2012

L2.APEWS.ORG False Positive #15

This one is a newsletter and although the listing was showing as /24, it has already been corrected at the time of writing. Posting the error here for archive purposes;

Wed 2012-04-03 07:50:58: [448:627] Accepting SMTP connection from [24.38.56.81]
Wed 2012-04-03 07:50:58: [448:627] Looking up PTR record for 24.38.56.81 (81.56.38.24.IN-ADDR.ARPA)
Wed 2012-04-03 07:50:59: [448:627] D=81.56.38.24.IN-ADDR.ARPA TTL=(1439) PTR=[mailb.info.humanevents.com]
Wed 2012-04-03 07:50:59: [448:627] Gathering A-records for PTR hosts
Wed 2012-04-03 07:50:59: [448:627] D=mailb.info.humanevents.com TTL=(1440) A=[24.38.56.81]
Wed 2012-04-03 07:50:59: [448:627] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Wed, 04 Apr 2012 08:50:59 -0500
Wed 2012-04-03 07:50:59: [448:627] <-- EHLO mailb.info.humanevents.com
Wed 2012-04-03 07:50:59: [448:627] Performing reverse lookup on mailb.info.humanevents.com (looking for 24.38.56.81)
Wed 2012-04-03 07:50:59: [448:627] D=mailb.info.humanevents.com TTL=(1440) A=[24.38.56.81]
Wed 2012-04-03 07:50:59: [448:627] --> 250-xxx.xxx.xxx Hello mailb.info.humanevents.com, pleased to meet you
Wed 2012-04-03 07:50:59: [448:627] --> 250-ETRN
Wed 2012-04-03 07:50:59: [448:627] --> 250-AUTH=LOGIN
Wed 2012-04-03 07:50:59: [448:627] --> 250-AUTH LOGIN CRAM-MD5
Wed 2012-04-03 07:50:59: [448:627] --> 250-8BITMIME
Wed 2012-04-03 07:50:59: [448:627] --> 250 SIZE 0
Wed 2012-04-03 07:50:59: [448:627] <-- MAIL FROM: BODY=8BITMIME
Wed 2012-04-03 07:50:59: [448:627] Performing reverse lookup on info.humanevents.com (looking for 24.38.56.81)
Wed 2012-04-03 07:50:59: [448:627] D=info.humanevents.com TTL=(1440) A=[74.201.50.22]
Wed 2012-04-03 07:51:00: [448:627] P=030 D=info.humanevents.com TTL=(1439) MX=[mx2.info.humanevents.com] {74.201.50.6}
Wed 2012-04-03 07:51:00: [448:627] P=010 D=info.humanevents.com TTL=(1439) MX=[mx1.info.humanevents.com] {74.201.50.4}
Wed 2012-04-03 07:51:00: [448:627] Spam Blocker A-record resolution of [81.56.38.24.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Wed 2012-04-03 07:51:00: [448:627] Spam Blocker D=81.56.38.24.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Wed 2012-04-03 07:51:00: [448:627] L2.APEWS.ORG LISTED
Wed 2012-04-03 07:51:00: [448:627] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2012-04-03 07:51:00: [448:627] --> 250 , Sender ok
Wed 2012-04-03 07:51:00: [448:627] <-- RCPT TO:
Wed 2012-04-03 07:51:00: [448:627] --> 250 , Recipient ok
Wed 2012-04-03 07:51:00: [448:627] <-- DATA
Wed 2012-04-03 07:51:00: [448:627] --> 354 Enter mail, end with <CRLF>.<CRLF>
Wed 2012-04-03 07:51:01: [448:627] --> 250 Ok, message saved
Wed 2012-04-03 07:51:01: [448:627] <-- QUIT
Wed 2012-04-03 07:51:01: [448:627] --> 221 See ya in cyberspace
Wed 2012-04-03 07:51:01: [448:627] SMTP session successful, 34147 bytes transferred.
Wed 2012-04-03 07:51:01: [448:627] Shuffling message(s) into proper queue(s)
Wed 2012-04-03 07:51:01: [448:627] Message received from mailb.info.humanevents.com [24.38.56.81] with SMTP for [Size 3412] {j:\localq\0000000.msg}
Wed 2012-04-03 07:51:01: ----------

The sending server itself was not listed but the small group listing affected it causing a false positive for us. Resolved already.

April 2, 2012

L2.APEWS.ORG False Positive #14

This one came in over the weekend but has already been delisted by the APEWS Administrators. Just posting the email here for archive etc;

Sat 2012-03-31 12:30:29: [520:540] Accepting SMTP connection from [178.33.45.10]
Sat 2012-03-31 12:30:29: [520:540] Looking up PTR record for 178.33.45.10 (10.45.33.178.IN-ADDR.ARPA)
Sat 2012-03-31 12:30:30: [520:540] D=10.45.33.178.IN-ADDR.ARPA TTL=(1440) PTR=[18.mo5.mail-out.ovh.net]
Sat 2012-03-31 12:30:30: [520:540] Gathering A-records for PTR hosts
Sat 2012-03-31 12:30:30: [520:540] D=18.mo5.mail-out.ovh.net TTL=(1440) A=[178.33.45.10]
Sat 2012-03-31 12:30:30: [520:540] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Sat, 30 Mar 2012 22:30:30 -0500
Sat 2012-03-31 12:30:30: [520:540] <-- EHLO mo5.mail-out.ovh.net
Sat 2012-03-31 12:30:30: [520:540] Performing reverse lookup on mo5.mail-out.ovh.net (looking for 178.33.45.10)
Sat 2012-03-31 12:30:31: [520:540] D=mo5.mail-out.ovh.net TTL=(1440) A=[178.32.228.5]
Sat 2012-03-31 12:30:31: [520:540] --> 250-xxx.xxx.xxx Hello 18.mo5.mail-out.ovh.net (may be forged), pleased to meet you
Sat 2012-03-31 12:30:31: [520:540] --> 250-ETRN
Sat 2012-03-31 12:30:31: [520:540] --> 250-AUTH=LOGIN
Sat 2012-03-31 12:30:31: [520:540] --> 250-AUTH LOGIN CRAM-MD5
Sat 2012-03-31 12:30:31: [520:540] --> 250-8BITMIME
Sat 2012-03-31 12:30:31: [520:540] --> 250 SIZE 0
Sat 2012-03-31 12:30:31: [520:540] <-- MAIL FROM: SIZE=6970
Sat 2012-03-31 12:30:31: [520:540] Performing reverse lookup on yyy.yyy (looking for 178.33.45.10)
Sat 2012-03-31 12:30:32: [520:540] D=yyy.yyy TTL=(1439) A=[213.186.33.5]
Sat 2012-03-31 12:30:32: [520:540] P=100 D=webster.fr TTL=(1440) MX=[mxb.ovh.net]
Sat 2012-03-31 12:30:32: [520:540] P=001 D=webster.fr TTL=(1440) MX=[mx0.ovh.net] {213.186.33.32}
Sat 2012-03-31 12:30:33: [520:540] D=mxb.ovh.net TTL=(1440) A=[213.186.39.173]
Sat 2012-03-31 12:30:33: [520:540] Spam Blocker A-record resolution of [10.45.33.178.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Sat 2012-03-31 12:30:33: [520:540] Spam Blocker D=10.45.33.178.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Sat 2012-03-31 12:30:33: [520:540] L2.APEWS.ORG LISTED
Sat 2012-03-31 12:30:33: [520:540] Message will be accepted and X-RBL-Warning: header will be inserted.
Sat 2012-03-31 12:30:33: [520:540] --> 250 , Sender ok
Sat 2012-03-31 12:30:33: [520:540] <-- RCPT TO:
Sat 2012-03-31 12:30:33: [520:540] --> 250 , Recipient ok
Sat 2012-03-31 12:30:33: [520:540] <-- DATA
Sat 2012-03-31 12:30:33: [520:540] --> 354 Enter mail, end with <CRLF>.<CRLF>
Sat 2012-03-31 12:30:33: [520:540] --> 250 Ok, message saved
Sat 2012-03-31 12:30:34: [520:540] <-- QUIT
Sat 2012-03-31 12:30:34: [520:540] --> 221 See ya in cyberspace
Sat 2012-03-31 12:30:34: [520:540] SMTP session successful, 7307 bytes transferred.
Sat 2012-03-31 12:30:34: [520:540] Shuffling message(s) into proper queue(s)
Sat 2012-03-31 12:30:34: [520:540] Message received from mo5.mail-out.ovh.net [178.33.45.10] with SMTP for [Size 796] {j:\localq\md00000000.msg}

OVH often have mail servers in the top 100 spam sources so no surprise that it was listed.

March 18, 2012

L2.APEWS.ORG False Positive #13

Typical eh, spoke too soon! Got a user claiming the following shouldn't have been in his junk folder and on further checking we find the IP address to be that of a website offering a newsletter. CIDR seems OK too, here is the email header;

Sat 2012-03-17 03:26:37: [7708:766] Accepting SMTP connection from [71.19.224.98]
Sat 2012-03-17 03:26:37: [7708:766] Looking up PTR record for 71.19.224.98 (98.224.19.71.IN-ADDR.ARPA)
Sat 2012-03-17 03:26:37: [7708:766] D=98.224.19.71.IN-ADDR.ARPA TTL=(59) PTR=[www3.tiltedpixel.com]
Sat 2012-03-17 03:26:37: [7708:766] Gathering A-records for PTR hosts
Sat 2012-03-17 03:26:38: [7708:766] D=www3.tiltedpixel.com TTL=(240) A=[71.19.224.98]
Sat 2012-03-17 03:26:38: [7708:766] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Sat, 16 Mar 2012 13:06:38 -0500
Sat 2012-03-17 03:26:38: [7708:766] <-- EHLO www3.tiltedpixel.com
Sat 2012-03-17 03:26:38: [7708:766] Performing reverse lookup on www3.tiltedpixel.com (looking for 71.19.224.98)
Sat 2012-03-17 03:26:38: [7708:766] D=www3.tiltedpixel.com TTL=(240) A=[71.19.224.98]
Sat 2012-03-17 03:26:38: [7708:766] --> 250-xxx.xxx.xxx Hello www3.tiltedpixel.com, pleased to meet you
Sat 2012-03-17 03:26:38: [7708:766] --> 250-ETRN
Sat 2012-03-17 03:26:38: [7708:766] --> 250-AUTH=LOGIN
Sat 2012-03-17 03:26:38: [7708:766] --> 250-AUTH LOGIN CRAM-MD5
Sat 2012-03-17 03:26:38: [7708:766] --> 250-8BITMIME
Sat 2012-03-17 03:26:38: [7708:766] --> 250 SIZE 0
Sat 2012-03-17 03:26:38: [7708:766] <-- MAIL FROM: SIZE=1656
Sat 2012-03-17 03:26:38: [7708:766] Performing reverse lookup on www3.tiltedpixel.com (looking for 71.19.224.98)
Sat 2012-03-17 03:26:38: [7708:766] D=www3.tiltedpixel.com TTL=(239) A=[71.19.224.98]
Sat 2012-03-17 03:26:38: [7708:766] Spam Blocker A-record resolution of [98.224.19.71.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Sat 2012-03-17 03:26:38: [7708:766] Spam Blocker D=98.224.19.71.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Sat 2012-03-17 03:26:38: [7708:766] L2.APEWS.ORG LISTED
Sat 2012-03-17 03:26:38: [7708:766] Message will be accepted and X-RBL-Warning: header will be inserted.
Sat 2012-03-17 03:26:38: [7708:766] --> 250 , Sender ok
Sat 2012-03-17 03:26:38: [7708:766] <-- RCPT TO:
Sat 2012-03-17 03:26:38: [7708:766] --> 250 , Recipient ok
Sat 2012-03-17 03:26:38: [7708:766] <-- DATA
Sat 2012-03-17 03:26:38: [7708:766] --> 354 Enter mail, end with <CRLF>.<CRLF>
Sat 2012-03-17 03:26:38: [7708:766] --> 250 Ok, message saved
Sat 2012-03-17 03:26:38: [7708:766] <-- QUIT
Sat 2012-03-17 03:26:38: [7708:766] --> 221 See ya in cyberspace
Sat 2012-03-17 03:26:38: [7708:766] SMTP session successful, 959 bytes transferred.
Sat 2012-03-17 03:26:38: [7708:766] Shuffling message(s) into proper queue(s)
Sat 2012-03-17 03:26:38: [7708:766] Message received from www3.tiltedpixel.com [71.19.224.98] with SMTP for [Size 948] {j:\localq\md000000.msg}

Hopefully this one will get resolved shortly too.

March 16, 2012

Over 1 month without any FP

As you can see, the last false positive that we found was on Feb 9 and nothing since. We are the only ones to have published email headers in support of those false positives and each one has been delisted by the APEWS.org Administrators. The folks you have seen posting removal requests here are people that believe that their IP addresses should not be listed. We have seen that most, but not all, have been delisted.

The SPEWS listing model was to use whole CIDR blocks in order to pressure the ISP. It involved listing the entire block without regard for individual IP addresses, and therefore there was collateral damage, which many did not favor. For that method to work, users have to tolerate the collateral damage until such time as the ISP cleans up the CIDR. That method was flawed because users, network Administrators etc. would rather tolerate spam than collateral damage.

After analysing the APEWS.org data over a period of time we can see that they are no longer following the same model as SPEWS. A few years ago, when they first became a replacement for SPEWS, it could have been said that their method was very close if not the same. However, false positives have reduced dramatically, and having probed the listed CIDRs we can see that APEWS.org seem to be cutting holes in them for trusted senders, reducing collateral damage accordingly and leaving a binary reputation index.

February 10, 2012

L2.APEWS.ORG False Positive #12

This is another from the travel and tourism newsletters, not sure yet if the listing is tied to the recent "infomercials". We will check the listing, and delisting if it occurs, in due course. The email header follows;

Thur 2012-02-09 16:47:29: [60:170] Accepting SMTP connection from [98.158.230.106]
Thur 2012-02-09 16:47:29: [60:170] Looking up PTR record for 98.158.230.106 (106.230.158.98.IN-ADDR.ARPA)
Thur 2012-02-09 16:47:30: [60:170] D=106.230.158.98.IN-ADDR.ARPA TTL=(59) PTR=[business-travelupdate.com]
Thur 2012-02-09 16:47:30: [60:170] Gathering A-records for PTR hosts
Thur 2012-02-09 16:47:30: [60:170] D=business-travelupdate.com TTL=(1440) A=[98.158.230.106]
Thur 2012-02-09 16:47:30: [60:170] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Thur, 09 Feb 2012 16:47:30 -0500
Thur 2012-02-09 16:47:30: [60:170] <-- EHLO business-travelupdate.com
Thur 2012-02-09 16:47:30: [60:170] Performing reverse lookup on business-travelupdate.com (looking for 98.158.230.106)
Thur 2012-02-09 16:47:30: [60:170] D=business-travelupdate.com TTL=(1440) A=[98.158.230.106]
Thur 2012-02-09 16:47:30: [60:170] --> 250-xxx.xxx.xxx Hello business-travelupdate.com, pleased to meet you
Thur 2012-02-09 16:47:30: [60:170] --> 250-ETRN
Thur 2012-02-09 16:47:30: [60:170] --> 250-AUTH=LOGIN
Thur 2012-02-09 16:47:30: [60:170] --> 250-AUTH LOGIN CRAM-MD5
Thur 2012-02-09 16:47:30: [60:170] --> 250-8BITMIME
Thur 2012-02-09 16:47:30: [60:170] --> 250 SIZE 0
Thur 2012-02-09 16:47:31: [60:170] <-- MAIL FROM:
Thur 2012-02-09 16:47:31: [60:170] Performing reverse lookup on business-travelupdate.com (looking for 98.158.230.106)
Thur 2012-02-09 16:47:31: [60:170] D=business-travelupdate.com TTL=(1439) A=[98.158.230.106]
Thur 2012-02-09 16:47:31: [60:170] Spam Blocker A-record resolution of [106.230.158.98.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Thur 2012-02-09 16:47:31: [60:170] Spam Blocker D=106.230.158.98.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Thur 2012-02-09 16:47:31: [60:170] L2.APEWS.ORG LISTED
Thur 2012-02-09 16:47:31: [60:170] Message will be accepted and X-RBL-Warning: header will be inserted.
Thur 2012-02-09 16:47:31: [60:170] --> 250 , Sender ok
Thur 2012-02-09 16:47:31: [60:170] <-- RCPT TO:
Thur 2012-02-09 16:47:31: [60:170] --> 250 , Recipient ok
Thur 2012-02-09 16:47:31: [60:170] <-- DATA
Thur 2012-02-09 16:47:31: [60:170] --> 354 Enter mail, end with <CRLF>.<CRLF>
Thur 2012-02-09 16:47:31: [60:170] --> 250 Ok, message saved
Thur 2012-02-09 16:47:31: [60:170] <-- QUIT
Thur 2012-02-09 16:47:31: [60:170] --> 221 See ya in cyberspace
Thur 2012-02-09 16:47:31: [60:170] SMTP session successful, 1453 bytes transferred.
Thur 2012-02-09 16:47:31: [60:170] Shuffling message(s) into proper queue(s)
Thur 2012-02-09 16:47:31: [60:170] Message received from business-travelupdate.com [98.158.230.106] with SMTP for [Size 1419] {j:\localq\500019.msg}

You may see fluctuations in your statistics which could be due to the rotation between IP addresses that some newsletter senders do. Where one IP address is listed and another is not, the newsletter will alternate between the spam folder and the inbox unless you have the IP address in your whitelist and/or a filter to move mis-placed emails.

January 28, 2012

L2.APEWS.ORG False Positive #11

First one this month so far, not bad going. This is another of the sending servers for the travel industry, some of our users found this in their spam folder, incorrectly. It must have been recently listed, I haven't checked as yet what the listing says but as far as we are concerned here, the IP is a trusted source. Here is the email header;

Fri 2012-01-27 16:33:25: [6810:112] Accepting SMTP connection from [205.201.136.59]
Fri 2012-01-27 16:33:25: [6810:112] Looking up PTR record for 205.201.136.59 (59.136.201.205.IN-ADDR.ARPA)
Fri 2012-01-27 16:33:25: [6810:112] D=59.136.201.205.in-addr.arpa TTL=(1440) PTR=[mail59.us4.mandrillapp.com]
Fri 2012-01-27 16:33:25: [6810:112] Gathering A-records for PTR hosts
Fri 2012-01-27 16:33:25: [6810:112] D=mail59.us4.mandrillapp.com TTL=(1440) A=[205.201.136.59]
Fri 2012-01-27 16:33:25: [6810:112] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Fri, 27 Jan 2012 16:33:25 -0500
Fri 2012-01-27 16:33:25: [6810:112] <-- EHLO mail59.us4.mandrillapp.com
Fri 2012-01-27 16:33:25: [6810:112] Performing reverse lookup on mail59.us4.mandrillapp.com (looking for 205.201.136.59)
Fri 2012-01-27 16:33:26: [6810:112] D=mail59.us4.mandrillapp.com TTL=(1440) A=[205.201.136.59]
Fri 2012-01-27 16:33:26: [6810:112] --> 250-xxx.xxx.xxx Hello mail59.us4.mandrillapp.com, pleased to meet you
Fri 2012-01-27 16:33:26: [6810:112] --> 250-ETRN
Fri 2012-01-27 16:33:26: [6810:112] --> 250-AUTH=LOGIN
Fri 2012-01-27 16:33:26: [6810:112] --> 250-AUTH LOGIN CRAM-MD5
Fri 2012-01-27 16:33:26: [6810:112] --> 250-8BITMIME
Fri 2012-01-27 16:33:26: [6810:112] --> 250 SIZE 0
Fri 2012-01-27 16:33:26: [6810:112] <-- MAIL FROM: BODY=8BITMIME
Fri 2012-01-27 16:33:26: [6810:112] Performing reverse lookup on mail59.us4.mandrillapp.com (looking for 205.201.136.59)
Fri 2012-01-27 16:33:26: [6810:112] D=mail59.us4.mandrillapp.com TTL=(1439) A=[205.201.136.59]
Fri 2012-01-27 16:33:26: [6810:112] Spam Blocker A-record resolution of [59.136.201.205.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Fri 2012-01-27 16:33:26: [6810:112] Spam Blocker D=59.136.201.205.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Fri 2012-01-27 16:33:26: [6810:112] L2.APEWS.ORG LISTED
Fri 2012-01-27 16:33:26: [6810:112] Message will be accepted and X-RBL-Warning: header will be inserted.
Fri 2012-01-27 16:33:26: [6810:112] --> 250 , Sender ok
Fri 2012-01-27 16:33:26: [6810:112] <-- RCPT TO:
Fri 2012-01-27 16:33:26: [6810:112] --> 250 , Recipient ok
Fri 2012-01-27 16:33:26: [6810:112] <-- DATA
Fri 2012-01-27 16:33:26: [6810:112] --> 354 Enter mail, end with <CRLF>.<CRLF>
Fri 2012-01-27 16:33:27: [6810:112] --> 250 Ok, message saved
Fri 2012-01-27 16:33:27: [6810:112] <-- QUIT
Fri 2012-01-27 16:33:27: [6810:112] --> 221 See ya in cyberspace
Fri 2012-01-27 16:33:27: [6810:112] SMTP session successful, 30303 bytes transferred.
Fri 2012-01-27 16:33:27: [6810:112] Shuffling message(s) into proper queue(s)
Fri 2012-01-27 16:33:27: [6810:112] Message received from mail59.us4.mandrillapp.com [205.201.136.59] with SMTP for [Size 32292] {j:\localq\0005140404.msg}

We will check this and report back in due course.

December 25, 2011

L2.APEWS.ORG False Positive #10

Just over a week since the last one, found this which is the tenth in as many weeks, not bad. We know that the email sent by the server was solicited as it was a response to a web purchase, i.e. server generated receipt;

Sat 2011-12-24 06:53:43: [916:2344] Accepting SMTP connection from [83.223.106.9]
Sat 2011-12-24 06:53:43: [916:2344] Looking up PTR record for 83.223.106.9 (9.106.223.83.IN-ADDR.ARPA)
Sat 2011-12-24 06:53:44: [916:2344] D=9.106.223.83.IN-ADDR.ARPA TTL=(1440) PTR=[fusion.bpweb.net]
Sat 2011-12-24 06:53:44: [916:2344] Gathering A-records for PTR hosts
Sat 2011-12-24 06:53:44: [916:2344] D=fusion.bpweb.net TTL=(120) A=[83.223.106.9]
Sat 2011-12-24 06:53:44: [916:2344] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Sun, 25 Dec 2011 06:53:44 -0500
Sat 2011-12-24 06:53:44: [916:2344] <-- EHLO fusion.bpweb.net
Sat 2011-12-24 06:53:44: [916:2344] Performing reverse lookup on fusion.bpweb.net (looking for 83.223.106.9)
Sat 2011-12-24 06:53:44: [916:2344] D=fusion.bpweb.net TTL=(120) A=[83.223.106.9]
Sat 2011-12-24 06:53:44: [916:2344] --> 250-xxx.xxx.xxx Hello fusion.bpweb.net, pleased to meet you
Sat 2011-12-24 06:53:44: [916:2344] --> 250-ETRN
Sat 2011-12-24 06:53:44: [916:2344] --> 250-AUTH=LOGIN
Sat 2011-12-24 06:53:44: [916:2344] --> 250-AUTH LOGIN CRAM-MD5
Sat 2011-12-24 06:53:44: [916:2344] --> 250-8BITMIME
Sat 2011-12-24 06:53:44: [916:2344] --> 250 SIZE 0
Sat 2011-12-24 06:53:45: [916:2344] <-- MAIL From: SIZE=112236
Sat 2011-12-24 06:53:45: [916:2344] Performing reverse lookup on londonmagicstore.co.uk (looking for 83.223.106.9)
Sat 2011-12-24 06:53:45: [916:2344] D=londonmagicstore.co.uk TTL=(119) A=[87.117.239.236]
Sat 2011-12-24 06:53:46: [916:2344] P=050 D=londonmagicstore.co.uk TTL=(120) MX=[aspmx3.googlemail.com] {74.125.127.27}
Sat 2011-12-24 06:53:46: [916:2344] P=040 D=londonmagicstore.co.uk TTL=(120) MX=[aspmx2.googlemail.com] {74.125.43.27}
Sat 2011-12-24 06:53:46: [916:2344] P=030 D=londonmagicstore.co.uk TTL=(120) MX=[alt2.aspmx.l.google.com]
Sat 2011-12-24 06:53:46: [916:2344] P=020 D=londonmagicstore.co.uk TTL=(120) MX=[alt1.aspmx.l.google.com]
Sat 2011-12-24 06:53:46: [916:2344] P=010 D=londonmagicstore.co.uk TTL=(120) MX=[aspmx.l.google.com]
Sat 2011-12-24 06:53:46: [916:2344] D=alt2.aspmx.l.google.com TTL=(4) A=[74.125.65.26]
Sat 2011-12-24 06:53:46: [916:2344] D=alt1.aspmx.l.google.com TTL=(4) A=[209.85.225.26]
Sat 2011-12-24 06:53:46: [916:2344] D=aspmx.l.google.com TTL=(4) A=[74.125.127.26]
Sat 2011-12-24 06:53:46: [916:2344] Spam Blocker A-record resolution of [9.106.223.83.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Sat 2011-12-24 06:53:46: [916:2344] Spam Blocker D=9.106.223.83.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Sat 2011-12-24 06:53:46: [916:2344] L2.APEWS.ORG LISTED
Sat 2011-12-24 06:53:46: [916:2344] Message will be accepted and X-RBL-Warning: header will be inserted.
Sat 2011-12-24 06:53:46: [916:2344] --> 250 , Sender ok
Sat 2011-12-24 06:53:46: [916:2344] <-- RCPT To:
Sat 2011-12-24 06:53:46: [916:2344] --> 250 , Recipient ok
Sat 2011-12-24 06:53:47: [916:2344] <-- DATA
Sat 2011-12-24 06:53:47: [916:2344] --> 354 Enter mail, end with .
Sat 2011-12-24 06:53:49: [916:2344] --> 250 Ok, message saved
Sat 2011-12-24 06:53:49: [916:2344] <-- QUIT
Sat 2011-12-24 06:53:49: [916:2344] --> 221 See ya in cyberspace
Sat 2011-12-24 06:53:49: [916:2344] SMTP session successful, 113812 bytes transferred.
Sat 2011-12-24 06:53:49: [916:2344] Shuffling message(s) into proper queue(s)
Sat 2011-12-24 06:53:49: [916:2344] Message received from fusion.bpweb.net [83.223.106.9] with SMTP for [Size 113801] {j:\localq\md0000000.msg}

As before, we will report back if this gets de-listed.

December 24, 2011

Comparison of some DNSBL results

No false positives to report this week, which is good news: email was up to nearly double the usual volume with all the Xmas communications, contacts included, so it is nice that it went smoothly. We used the spare time to put some usage statistics together;

DNSBL                            %    Errors
l2.apews.org                    95    0.5%
b.barracudacentral.org          94
* uceprotect.net 1,2 & 3        91    <0.2%
zen.spamhaus.org                91    <0.1%
ip.v4bl.org                     68
cbl.abuseat.org                 68    <0.1%
spam.dnsbl.sorbs.net            65
dnsbl-2.uceprotect.net          63    <0.1%
dnsbl-3.uceprotect.net          63    <0.2%
hostkarma.junkemailfilter.com   62
bl.tiopan.com                   61
dnsbl-1.uceprotect.net          51    <0.1%
bl.mailspike.net                45
ix.dnsbl.manitu.net             44    1.5%
truncate.gbudb.net              43
bl.spameatingmonkey.net         38
blackholes.five-ten-sg.com      37
bl.spamcop.net                  31    <0.1%
psbl.surriel.com                18    <0.1%
db.upbl.info                    14    <0.1%
dnsbl.imps.de                    8
no-more-funn.moensted.dk         7    <0.1%
bl.spamcannibal.org              3
spam.spamrats.com                2    <0.1%

* not a single DNSBL: the combined result of the three uceprotect.net lists (dnsbl-1, dnsbl-2 and dnsbl-3). A blank Errors entry means no error rate was recorded for that list.


That accords with our findings too: very respectable error rates, and those are before the use of a whitelist. Only Barracuda's system comes close, and they require a free registration before you can access their data. A combined result from all three UCEProtect.net lists achieves similar results, and with lower error rates.
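The lookup shown in the session log above (octets reversed under the list's zone, an A record in 127.0.0.0/8 meaning "listed") and the check anyone running a couple of dozen lists like those in the table wants, as an added Python example. This is not code from this page, from MDaemon or from any DNSBL operator: it builds the query name, classifies the answer, parses MDaemon's "Spam Blocker" log lines into a per-list verdict, and runs the RFC 5782 health test (127.0.0.2 must be listed, 127.0.0.1 must not) against a constructed stand-in for DNS so that it runs offline. The zones dead.example and broken.example are hypothetical and not lists from the table.

```python
# Added example: not code from the page, from MDaemon or from APEWS.
# It rebuilds the DNSBL lookup shown in the log above and adds the
# RFC 5782 health check a practitioner wants before trusting a list.
import ipaddress
import re
from typing import Callable, Optional

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone, e.g. 83.223.106.9 under
    L2.APEWS.ORG -> 9.106.223.83.L2.APEWS.ORG (the query in the log above).
    IPv6 lists use nibble-reversed names instead, so IPv4 only here."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only: IPv6 DNSBLs use nibble-reversed names (RFC 5782)")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")


def classify_answer(answer: Optional[str]) -> str:
    """Interpret what the DNSBL returned.  NXDOMAIN (None) means not listed.
    A listed IP answers with an A record in 127.0.0.0/8 (RFC 5782); the log
    above shows 127.0.0.2.  Any other address is not a DNSBL answer at all
    (a wildcard or parked zone, a captive resolver) and must not be treated
    as a listing, or a dead list would block every sender."""
    if answer is None:
        return "not listed"
    try:
        a = ipaddress.ip_address(answer)
    except ValueError:
        return "invalid"
    return "listed" if a in LISTED_RANGE else "invalid"


def check_list_health(zone: str, resolve: Callable[[str], Optional[str]]) -> str:
    """RFC 5782 sanity check: 127.0.0.2 MUST be listed and 127.0.0.1 MUST NOT.
    `resolve(name)` returns the A record as a string, or None for NXDOMAIN."""
    positive = classify_answer(resolve(dnsbl_query_name("127.0.0.2", zone)))
    negative = classify_answer(resolve(dnsbl_query_name("127.0.0.1", zone)))
    if positive == "listed" and negative == "not listed":
        return "ok"
    if positive != "listed":
        return "dead"              # list gone: every lookup silently returns "unlisted"
    return "lists everything"      # 127.0.0.1 listed too: the zone would reject all mail


# MDaemon writes the answer it got as: Spam Blocker D=<qname> TTL=(n) A=[addr]
SPAM_BLOCKER_RE = re.compile(
    r"Spam Blocker D=(?P<qname>\S+) TTL=\(\d+\) A=\[(?P<addr>[^\]]+)\]"
)


def parse_mdaemon_verdicts(log_text: str) -> dict:
    """Map each DNSBL zone seen in MDaemon 'Spam Blocker' lines to a verdict.
    The zone is the query name minus its first four (octet) labels."""
    verdicts = {}
    for line in log_text.splitlines():
        m = SPAM_BLOCKER_RE.search(line)
        if not m:
            continue
        zone = ".".join(m.group("qname").split(".")[4:])
        verdicts[zone] = classify_answer(m.group("addr"))
    return verdicts


# Sample input: the three Spam Blocker lines copied from the session above.
SAMPLE_LOG = """\
Sat 2011-12-24 06:53:46: [916:2344] Spam Blocker A-record resolution of [9.106.223.83.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Sat 2011-12-24 06:53:46: [916:2344] Spam Blocker D=9.106.223.83.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Sat 2011-12-24 06:53:46: [916:2344] L2.APEWS.ORG LISTED
"""

# Constructed stand-in for DNS so the example runs offline.  dead.example and
# broken.example are hypothetical zones, not lists from the table above.
FAKE_DNS = {
    "9.106.223.83.L2.APEWS.ORG": "127.0.0.2",   # the answer in the log above
    "2.0.0.127.L2.APEWS.ORG": "127.0.0.2",      # RFC 5782 test entry present
    "2.0.0.127.broken.example": "127.0.0.2",
    "1.0.0.127.broken.example": "127.0.0.2",    # 127.0.0.1 listed: blocks everyone
    # dead.example has no entries at all: every query is NXDOMAIN
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    print(parse_mdaemon_verdicts(SAMPLE_LOG))          # {'L2.APEWS.ORG': 'listed'}
    for zone in ("L2.APEWS.ORG", "dead.example", "broken.example"):
        print(zone, check_list_health(zone, fake_resolve))
```

The health check is the part worth keeping: a list whose zone lapses answers NXDOMAIN for every query and silently stops contributing, which looks identical to "nothing listed"; a zone that answers for every name, 127.0.0.1 included, marks every sender as listed. Running the two RFC 5782 test queries on a schedule catches both before the comparison figures above go stale. The MDaemon setting visible in the log (accept the message and insert an X-RBL-Warning header rather than reject) limits the damage from either failure.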

There are websites that offer a one-stop lookup service, such as dnsbl.info, where you input an IP address and see which blacklists have it listed. dnsbl.info tests 80+ blacklists but does not include l2.apews.org, which seems odd given the results above, yet it does show results from other blacklists with more than double the error rate. Odd, that.