December 25, 2011

L2.APEWS.ORG False Positive #10

Just over a week since the last one, we found this, the tenth in as many weeks; not bad. We know that the email sent by the server was solicited, as it was a response to a web purchase, i.e. a server-generated receipt;

Sat 2011-12-24 06:53:43: [916:2344] Accepting SMTP connection from [83.223.106.9]
Sat 2011-12-24 06:53:43: [916:2344] Looking up PTR record for 83.223.106.9 (9.106.223.83.IN-ADDR.ARPA)
Sat 2011-12-24 06:53:44: [916:2344] D=9.106.223.83.IN-ADDR.ARPA TTL=(1440) PTR=[fusion.bpweb.net]
Sat 2011-12-24 06:53:44: [916:2344] Gathering A-records for PTR hosts
Sat 2011-12-24 06:53:44: [916:2344] D=fusion.bpweb.net TTL=(120) A=[83.223.106.9]
Sat 2011-12-24 06:53:44: [916:2344] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Sun, 25 Dec 2011 06:53:44 -0500
Sat 2011-12-24 06:53:44: [916:2344] <-- EHLO fusion.bpweb.net
Sat 2011-12-24 06:53:44: [916:2344] Performing reverse lookup on fusion.bpweb.net (looking for 83.223.106.9)
Sat 2011-12-24 06:53:44: [916:2344] D=fusion.bpweb.net TTL=(120) A=[83.223.106.9]
Sat 2011-12-24 06:53:44: [916:2344] --> 250-xxx.xxx.xxx Hello fusion.bpweb.net, pleased to meet you
Sat 2011-12-24 06:53:44: [916:2344] --> 250-ETRN
Sat 2011-12-24 06:53:44: [916:2344] --> 250-AUTH=LOGIN
Sat 2011-12-24 06:53:44: [916:2344] --> 250-AUTH LOGIN CRAM-MD5
Sat 2011-12-24 06:53:44: [916:2344] --> 250-8BITMIME
Sat 2011-12-24 06:53:44: [916:2344] --> 250 SIZE 0
Sat 2011-12-24 06:53:45: [916:2344] <-- MAIL From: SIZE=112236
Sat 2011-12-24 06:53:45: [916:2344] Performing reverse lookup on londonmagicstore.co.uk (looking for 83.223.106.9)
Sat 2011-12-24 06:53:45: [916:2344] D=londonmagicstore.co.uk TTL=(119) A=[87.117.239.236]
Sat 2011-12-24 06:53:46: [916:2344] P=050 D=londonmagicstore.co.uk TTL=(120) MX=[aspmx3.googlemail.com] {74.125.127.27}
Sat 2011-12-24 06:53:46: [916:2344] P=040 D=londonmagicstore.co.uk TTL=(120) MX=[aspmx2.googlemail.com] {74.125.43.27}
Sat 2011-12-24 06:53:46: [916:2344] P=030 D=londonmagicstore.co.uk TTL=(120) MX=[alt2.aspmx.l.google.com]
Sat 2011-12-24 06:53:46: [916:2344] P=020 D=londonmagicstore.co.uk TTL=(120) MX=[alt1.aspmx.l.google.com]
Sat 2011-12-24 06:53:46: [916:2344] P=010 D=londonmagicstore.co.uk TTL=(120) MX=[aspmx.l.google.com]
Sat 2011-12-24 06:53:46: [916:2344] D=alt2.aspmx.l.google.com TTL=(4) A=[74.125.65.26]
Sat 2011-12-24 06:53:46: [916:2344] D=alt1.aspmx.l.google.com TTL=(4) A=[209.85.225.26]
Sat 2011-12-24 06:53:46: [916:2344] D=aspmx.l.google.com TTL=(4) A=[74.125.127.26]
Sat 2011-12-24 06:53:46: [916:2344] Spam Blocker A-record resolution of [9.106.223.83.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Sat 2011-12-24 06:53:46: [916:2344] Spam Blocker D=9.106.223.83.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Sat 2011-12-24 06:53:46: [916:2344] L2.APEWS.ORG LISTED
Sat 2011-12-24 06:53:46: [916:2344] Message will be accepted and X-RBL-Warning: header will be inserted.
Sat 2011-12-24 06:53:46: [916:2344] --> 250 , Sender ok
Sat 2011-12-24 06:53:46: [916:2344] <-- RCPT To:
Sat 2011-12-24 06:53:46: [916:2344] --> 250 , Recipient ok
Sat 2011-12-24 06:53:47: [916:2344] <-- DATA
Sat 2011-12-24 06:53:47: [916:2344] --> 354 Enter mail, end with .
Sat 2011-12-24 06:53:49: [916:2344] --> 250 Ok, message saved
Sat 2011-12-24 06:53:49: [916:2344] <-- QUIT
Sat 2011-12-24 06:53:49: [916:2344] --> 221 See ya in cyberspace
Sat 2011-12-24 06:53:49: [916:2344] SMTP session successful, 113812 bytes transferred.
Sat 2011-12-24 06:53:49: [916:2344] Shuffling message(s) into proper queue(s)
Sat 2011-12-24 06:53:49: [916:2344] Message received from fusion.bpweb.net [83.223.106.9] with SMTP for [Size 113801] {j:\localq\md0000000.msg}

As before, we will report back if this gets de-listed.

December 24, 2011

Comparison of some DNSBL results

No false positives to report this week, which is good because email volume was up to nearly double with all the Xmas communications, so it is nice that it went smoothly. We used the spare time to put some usage statistics together;

DNSBL                          Hit %   Errors
l2.apews.org                   95      0.5%
b.barracudacentral.org         94
* uceprotect.net 1, 2 & 3      91      <0.2%
zen.spamhaus.org               91      <0.1%
ip.v4bl.org                    68
cbl.abuseat.org                68      <0.1%
spam.dnsbl.sorbs.net           65
dnsbl-2.uceprotect.net         63      <0.1%
dnsbl-3.uceprotect.net         63      <0.2%
hostkarma.junkemailfilter.com  62
bl.tiopan.com                  61
dnsbl-1.uceprotect.net         51      <0.1%
bl.mailspike.net               45
ix.dnsbl.manitu.net            44      1.5%
truncate.gbudb.net             43
bl.spameatingmonkey.net        38
blackholes.five-ten-sg.com     37
bl.spamcop.net                 31      <0.1%
psbl.surriel.com               18      <0.1%
db.upbl.info                   14      <0.1%
dnsbl.imps.de                   8
no-more-funn.moensted.dk        7      <0.1%
bl.spamcannibal.org             3
spam.spamrats.com               2      <0.1%

* does not exist as a single DNSBL; this is the combined result of the three UCEProtect lists


That accords with our findings too: very respectable error rates, and that is before any whitelist is applied. Only Barracuda's system comes close, and they require a (free) registration before you can query their data. You can combine the results from all three UCEProtect.net lists to achieve a similar hit rate, and they do have lower error rates.

There are websites that offer a one-stop lookup service, like dnsbl.info, where you can enter an IP address and see which blacklists have it listed. dnsbl.info tests 80+ blacklists but does not include l2.apews.org, which seems odd given the results above, yet it does show results from other blacklists with more than double the error rate.
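As an added example (not part of the original post, and not code from MDaemon or from any of the lists), here is how a DNSBL query is put together and read back, in Python. The zone names are the public ones from the table; the SAMPLE_ANSWERS table is constructed so the script runs offline, and hit_rates() is the kind of tally that produces the "Hit %" column above.

```python
"""DNSBL lookups the way an MTA does them: reverse the octets, append the zone, and read
the 127.0.0.x answer. Added example; the zone names are the public ones from the table
above, the SAMPLE_ANSWERS table is constructed so the code runs offline."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

Resolver = Callable[[str], Optional[str]]  # query name -> A record, or None for NXDOMAIN


def dnsbl_query_name(ip: str, zone: str) -> str:
    """83.223.106.9 + l2.apews.org -> 9.106.223.83.l2.apews.org (as in the log above)."""
    addr = ipaddress.IPv4Address(ip)           # rejects anything that is not a v4 address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_resolver(name: str) -> Optional[str]:
    """Real A lookup via the system resolver; NXDOMAIN (not listed) comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listing(answer: Optional[str]) -> bool:
    """A listing is an answer inside 127.0.0.0/8 (127.0.0.2 in every log on this page).
    Any other address is a parked or wildcarded zone and must not be treated as a hit,
    otherwise a dead list starts rejecting all mail."""
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def lookup_ip(ip: str, zones: Iterable[str], resolve: Resolver = live_resolver) -> Dict[str, bool]:
    """One query per list; True where the list has the address."""
    return {zone: is_listing(resolve(dnsbl_query_name(ip, zone))) for zone in zones}


def hit_rates(ips: Iterable[str], zones: Iterable[str], resolve: Resolver) -> Dict[str, float]:
    """Share of the sample each list catches: the 'Hit %' column of the comparison table."""
    ips, zones = list(ips), list(zones)
    counts = {zone: 0 for zone in zones}
    for ip in ips:
        for zone, listed in lookup_ip(ip, zones, resolve).items():
            counts[zone] += int(listed)
    return {zone: round(100.0 * counts[zone] / len(ips), 1) for zone in zones}


# Constructed offline answers, not real DNS data. The l2.apews.org entries mirror the
# 127.0.0.2 answers in the logs on this page; the rest are made up for the demonstration.
SAMPLE_ANSWERS = {
    "9.106.223.83.l2.apews.org": "127.0.0.2",
    "100.33.159.67.l2.apews.org": "127.0.0.2",
    "100.33.159.67.zen.spamhaus.org": "127.0.0.4",   # constructed
    "100.33.159.67.bl.spamcop.net": "127.0.0.2",     # constructed
    "20.5.228.129.l2.apews.org": "127.0.0.2",
    # constructed: a wildcard answer from a parked zone; is_listing() must say False
    "20.5.228.129.b.barracudacentral.org": "208.67.219.132",
}


def sample_resolver(name: str) -> Optional[str]:
    return SAMPLE_ANSWERS.get(name)


SAMPLE_ZONES = ["l2.apews.org", "zen.spamhaus.org", "bl.spamcop.net", "b.barracudacentral.org"]
SAMPLE_IPS = ["83.223.106.9", "67.159.33.100", "129.228.5.20"]

if __name__ == "__main__":
    for ip in SAMPLE_IPS:
        print(ip, lookup_ip(ip, SAMPLE_ZONES, sample_resolver))
    print(hit_rates(SAMPLE_IPS, SAMPLE_ZONES, sample_resolver))
```

Two points the MDaemon log lines gloss over: only an answer inside 127.0.0.0/8 is a listing (a list that shuts down and has its domain parked will return some other address for every query, and a server that treats that as a hit will start rejecting all mail), and a list that answers nothing at all (NXDOMAIN) simply means "not listed", not an error. Pass live_resolver instead of sample_resolver to query the real lists.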

December 19, 2011

Antihosts.exe trojan

We ended up having to fix a client computer over the weekend: Windows 7, with Messenger failing and Windows Live problems. The trojan had replaced the "hosts" file with this version;

191.164.12.1 zuleica
191.162.91.2 tarantula
19.251.32.13 ariranha
112.158.12.22 leandrino
132.168.7.42 zecurlano
121.91.41.151 cotidiano

121.15.12.137 www.banespa.com.br # GbPluguin
121.15.12.137 banespa.com.br # GbPluguin
121.15.12.137 www.santander.com.br # GbPluguin
121.15.12.137 santander.com.br # GbPluguin
121.15.12.137 caixa.com.br # GbPluguin
121.15.12.137 www.cef.gov.br # GbPluguin
121.15.12.137 cef.gov.br # GbPluguin
121.15.12.137 www.cef.com.br # GbPluguin
121.15.12.137 www.caixa.gov.br # GbPluguin
121.15.12.137 caixa.gov.br # GbPluguin
121.15.12.137 www.caixa.com.br # GbPluguin
209.94.172.28 live.com # GbPluguin
209.94.172.28 www.live.com # GbPluguin
209.94.172.28 www.msn.com # GbPluguin
121.15.12.137 cef.com.br # GbPluguin
121.15.12.137 internetbanking.caixa.gov.br # GbPluguin
121.15.12.137 internetbanking.caixa.com.br # GbPluguin
121.15.12.137 internetbanking.cef.gov.br # GbPluguin
121.15.12.137 internetbanking.cef.com.br # GbPluguin
121.15.12.137 www.e-gold.com.br # GbPluguin
121.15.12.137 e-gold.com.br # GbPluguin
121.15.12.137 www.e-gold.com # GbPluguin
121.15.12.137 e-gold.com # GbPluguin
121.15.12.137 www.bradescoprime.com.br # GbPluguin
121.15.12.137 www.cetelem.com.br # GbPluguin
121.15.12.137 cetelem.com.br # GbPluguin
121.15.12.137 www.cartaoaura.com.br # GbPluguin
209.94.172.28 msn.com # GbPluguin
209.94.172.28 www.msn.com.br # GbPluguin
209.94.172.28 login.live.com # GbPluguin
121.15.12.137 cartaoaura.com.br # GbPluguin
121.15.12.137 bradescoprime.com.br # GbPluguin
121.15.12.137 www.itaupersonnalite.com.br # GbPluguin
121.15.12.137 itaupersonnalite.com.br # GbPluguin
121.15.12.137 americanexpress.com.br # GbPluguin
121.15.12.137 www.sicredi.com.br # GbPluguin
121.15.12.137 sicredi.com.br # GbPluguin
121.15.12.137 portal.sicredi.com.br # GbPluguin
121.15.12.137 www.realsecureweb.com.br # GbPluguin
121.15.12.137 realsecureweb.com.br # GbPluguin
209.94.172.28 www.hotmail.com # GbPluguin
209.94.172.28 hotmail.com # GbPluguin
121.15.12.137 www.americanexpress.com.br # GbPluguin
121.15.12.137 www.americanexpress.com # GbPluguin
121.15.12.137 www.real.com.br # GbPluguin
121.15.12.137 www.bancoreal.com.br # GbPluguin
121.15.12.137 real.com.br # GbPluguin
121.15.12.137 bancoreal.com.br # GbPluguin
209.94.172.28 www.hotmail.com.br # GbPluguin
209.94.172.28 hotmail.com.br # GbPluguin
121.15.12.137 itau.com.br # GbPluguin
121.15.12.137 www.itau.com # GbPluguin
121.15.12.137 itau.com # GbPluguin
121.15.12.137 imagem.caixa.gov.br # GbPluguin
121.15.12.137 imagem.caixa.com.br # GbPluguin
121.15.12.137 imagem.cef.gov.br # GbPluguin
121.15.12.137 imagem.cef.com.br # GbPluguin
121.15.12.137 www.bradesco.com.br # GbPluguin
121.15.12.137 bradesco.com.br # GbPluguin
121.15.12.137 www.bradesco.com # GbPluguin
121.15.12.137 bradesco.com # GbPluguin
121.15.12.137 www.itau.com.br # GbPluguin
121.15.12.137 www.realsecureweb.com.br # GbPluguin
121.15.12.137 santanderempresarial.com.br # GbPluguin
121.15.12.137 www.santanderempresarial.com.br # GbPluguin
121.15.12.137 santanderempresarial.com # GbPluguin
121.15.12.137 www.santanderempresarial.com # GbPluguin
121.15.12.137 www.citibank.com.br # GbPluguin
121.15.12.137 citibank.com.br # GbPluguin
121.15.12.137 www.citibank.com # GbPluguin
121.15.12.137 citibank.com # GbPluguin

32.19.12.1 ezekien.lorena
22.93.11.98 marcos.gladiador
11.12.44.1 zumbi.palmares
81.55.12.4 arthur.erculando

Interesting that some of these addresses fall in US Department of Defense space, and one in a Ford Motor Company block. The others are in South Korea, France, Australia and China. Every bank and webmail name in the list is sent to 121.15.12.137 or 209.94.172.28 instead of the real site, so logins to those sites go to the attacker's servers, which capture the usernames and passwords for the banks etc. mentioned above. Any credentials used for those sites from this machine should be treated as compromised and changed from a clean machine.

The infection arrived in a spam email from a Hotmail address known to the user, probably a compromised account, with a link to a video about pedophilia. Clicking the link caused the trojan to install and make various changes, including the hosts file replacement above.
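As an added example, not the trojan's code nor any vendor tool, here is a small Python check for the hosts file pattern above: it parses the file, flags every name sent somewhere other than loopback, groups the redirected names by destination address, and picks out addresses that impersonate several unrelated organisations at once. SAMPLE_HOSTS is an excerpt of the file above with the two standard loopback lines added and one constructed 0.0.0.0 ad-block line to show what should not be flagged.

```python
"""Hosts-file pharming check. Added example: a detector for the kind of hosts file the
trojan above wrote, not the trojan or any vendor tool. SAMPLE_HOSTS is an excerpt of the
file shown above plus the two standard loopback lines and one constructed 0.0.0.0 line."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple


class HostsEntry(NamedTuple):
    ip: str
    name: str
    comment: str
    line_no: int


SECOND_LEVEL = {"com", "co", "net", "org", "gov", "edu"}   # for com.br, co.uk, gov.br ...


def registered_domain(name: str) -> str:
    """Crude public-suffix guess: caixa.gov.br for internetbanking.caixa.gov.br,
    live.com for login.live.com. Good enough to count unrelated organisations per IP."""
    labels = name.lower().split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_hosts(text: str) -> List[HostsEntry]:
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        parts = body.split()
        if len(parts) < 2:
            continue                    # blank, comment-only, or no hostname
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                    # not an address: ignore rather than crash
        for name in parts[1:]:
            entries.append(HostsEntry(parts[0], name.lower(), comment.strip(), n))
    return entries


def redirected(entries: List[HostsEntry]) -> List[HostsEntry]:
    """Anything not pointing at loopback or 0.0.0.0 sends that name to a remote machine."""
    out = []
    for e in entries:
        addr = ipaddress.ip_address(e.ip)
        if not (addr.is_loopback or addr.is_unspecified):
            out.append(e)
    return out


def sinkholes(entries: List[HostsEntry], min_domains: int = 3) -> Dict[str, List[str]]:
    """Remote IPs collecting names from several unrelated registered domains: one box
    impersonating many banks is the signature of a credential-theft hosts file."""
    by_ip = defaultdict(set)
    for e in redirected(entries):
        by_ip[e.ip].add(registered_domain(e.name))
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}


def comment_tags(entries: List[HostsEntry]) -> Dict[str, int]:
    """Malware often tags its lines (here '# GbPluguin'); the tag is a handy indicator."""
    tags: Dict[str, int] = defaultdict(int)
    for e in entries:
        if e.comment:
            tags[e.comment] += 1
    return dict(tags)


SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
191.164.12.1 zuleica
121.15.12.137 www.banespa.com.br # GbPluguin
121.15.12.137 caixa.gov.br # GbPluguin
121.15.12.137 internetbanking.caixa.gov.br # GbPluguin
121.15.12.137 www.citibank.com # GbPluguin
209.94.172.28 login.live.com # GbPluguin
209.94.172.28 www.hotmail.com # GbPluguin
0.0.0.0 ads.example.invalid
"""

if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for e in redirected(entries):
        print(f"line {e.line_no}: {e.name} -> {e.ip} {e.comment}")
    print("sinkholes:", sinkholes(entries))
    print("tags:", comment_tags(entries))
```

On Windows the file is %SystemRoot%\System32\drivers\etc\hosts; read it and pass the text to parse_hosts(). A clean Windows 7 hosts file contains only comments and the localhost lines, so anything redirected() returns is worth a look, and a "# GbPluguin" style tag on every malicious line is a quick indicator to search for on other machines.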

Spammers ignore 550 replies

Having written about the effectiveness of blocking, we have a spammer that is still trying to send email to the same address, on a different server, after a previous attempt failed with a 550 "no such user" reply;

Sat 2011-12-17 05:43:06: [468:256] Accepting SMTP connection from [67.159.33.100]
Sat 2011-12-17 05:43:06: [468:256] Looking up PTR record for 67.159.33.100 (100.33.159.67.IN-ADDR.ARPA)
Sat 2011-12-17 05:43:21: [468:256] The name server reports that it is having technical problems.
Sat 2011-12-17 05:43:21: [468:256] --> 220 xxx1.xxx.xxx ESMTP MDaemon 6.7.9; Sat, 17 Dec 2011 04:43:21 -0500
Sat 2011-12-17 05:43:21: [468:256] <-- EHLO super.jbcapacitacionempresarial.com
Sat 2011-12-17 05:43:21: [468:256] Performing reverse lookup on super.jbcapacitacionempresarial.com (looking for 67.159.33.100)
Sat 2011-12-17 05:43:22: [468:256] D=super.jbcapacitacionempresarial.com TTL=(240) A=[67.159.33.100]
Sat 2011-12-17 05:43:22: [468:256] --> 250-xxx1.xxx.xxx Hello super.jbcapacitacionempresarial.com, pleased to meet you
Sat 2011-12-17 05:43:22: [468:256] --> 250-ETRN
Sat 2011-12-17 05:43:22: [468:256] --> 250-AUTH=LOGIN
Sat 2011-12-17 05:43:22: [468:256] --> 250-AUTH LOGIN CRAM-MD5
Sat 2011-12-17 05:43:22: [468:256] --> 250-8BITMIME
Sat 2011-12-17 05:43:22: [468:256] --> 250 SIZE 0
Sat 2011-12-17 05:43:22: [468:256] <-- MAIL FROM: SIZE=48915
Sat 2011-12-17 05:43:22: [468:256] Performing reverse lookup on jbcapacitacionempresarial.com (looking for 67.159.33.100)
Sat 2011-12-17 05:43:22: [468:256] D=jbcapacitacionempresarial.com TTL=(240) A=[67.159.33.101]
Sat 2011-12-17 05:43:22: [468:256] P=010 D=jbcapacitacionempresarial.com TTL=(240) MX=[mail.jbcapacitacionempresarial.com] {67.159.33.101}
Sat 2011-12-17 05:43:22: [468:256] Spam Blocker A-record resolution of [100.33.159.67.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.3)...
Sat 2011-12-17 05:43:22: [468:256] Spam Blocker D=100.33.159.67.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Sat 2011-12-17 05:43:22: [468:256] L2.APEWS.ORG LISTED
Sat 2011-12-17 05:43:22: [468:256] --> 250 , Sender ok
Sat 2011-12-17 05:43:22: [468:256] <-- RCPT TO:
Sat 2011-12-17 05:43:22: [468:256] 'Recipient unknown' given to divert future spam
Sat 2011-12-17 05:43:22: [468:256] --> 550 , Recipient unknown
Sat 2011-12-17 05:43:23: [468:256] <-- QUIT
Sat 2011-12-17 05:43:23: [468:256] --> 221 See ya in cyberspace
Sat 2011-12-17 05:43:23: [468:256] SMTP session successful, 154 bytes transferred.

December 13, 2011

L2.APEWS.ORG False Positive #9

For those receiving the newsletters from the folks behind the dolphin documentary etc., the Oceanic Preservation Society, this latest false positive would have been serious. OPS use CreateSend.com for their newsletter, and the subscriber on our network found it in the spam folder. A shame; let's hope that, as with the previous ones, putting it here gets the server IP delisted;

Sat 2011-12-10 15:07:33: [968:7309] Accepting SMTP connection from [184.106.86.136]
Sat 2011-12-10 15:07:33: [968:7309] Looking up PTR record for 184.106.86.136 (136.86.106.184.IN-ADDR.ARPA)
Sat 2011-12-10 15:07:33: [968:7309] D=136.86.106.184.IN-ADDR.ARPA TTL=(5) PTR=[mr136.createsend.com]
Sat 2011-12-10 15:07:33: [968:7309] Gathering A-records for PTR hosts
Sat 2011-12-10 15:07:33: [968:7309] D=mr136.createsend.com TTL=(120) A=[184.106.86.136]
Sat 2011-12-10 15:07:33: [968:7309] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Sat, 10 Dec 2011 15:07:33 -0500
Sat 2011-12-10 15:07:33: [968:7309] <-- EHLO mr136.createsend.com
Sat 2011-12-10 15:07:33: [968:7309] Performing reverse lookup on mr136.createsend.com (looking for 184.106.86.136)
Sat 2011-12-10 15:07:33: [968:7309] D=mr136.createsend.com TTL=(119) A=[184.106.86.136]
Sat 2011-12-10 15:07:33: [968:7309] --> 250-xxx.xxx.xxx Hello mr136.createsend.com, pleased to meet you
Sat 2011-12-10 15:07:33: [968:7309] --> 250-ETRN
Sat 2011-12-10 15:07:33: [968:7309] --> 250-AUTH=LOGIN
Sat 2011-12-10 15:07:33: [968:7309] --> 250-AUTH LOGIN CRAM-MD5
Sat 2011-12-10 15:07:33: [968:7309] --> 250-8BITMIME
Sat 2011-12-10 15:07:33: [968:7309] --> 250 SIZE 0
Sat 2011-12-10 15:07:33: [968:7309] <-- MAIL FROM: BODY=8BITMIME
Sat 2011-12-10 15:07:33: [968:7309] Performing reverse lookup on createsend3.com (looking for 184.106.86.136)
Sat 2011-12-10 15:07:33: [968:7309] D=createsend3.com TTL=(720) A=[27.126.145.32]
Sat 2011-12-10 15:07:33: [968:7309] P=010 D=createsend3.com TTL=(240) MX=[mx1.createsend3.com] {27.126.144.2}
Sat 2011-12-10 15:07:33: [968:7309] Spam Blocker A-record resolution of [136.86.106.184.l2.apews.org] in progress (DNS Server: 192.168.1.2)...
Sat 2011-12-10 15:07:33: [968:7309] Spam Blocker D=136.86.106.184.l2.apews.org TTL=(35) A=[127.0.0.2]
Sat 2011-12-10 15:07:33: [968:7309] APEWS listed, 99.7% certain it is spam
Sat 2011-12-10 15:07:33: [968:7309] Message will be accepted and X-RBL-Warning: header will be inserted.
Sat 2011-12-10 15:07:33: [968:7309] --> 250 , Sender ok
Sat 2011-12-10 15:07:33: [968:7309] <-- RCPT TO:
Sat 2011-12-10 15:07:33: [968:7309] --> 250 , Recipient ok
Sat 2011-12-10 15:07:33: [968:7309] <-- DATA
Sat 2011-12-10 15:07:33: [968:7309] --> 354 Enter mail, end with .
Sat 2011-12-10 15:07:33: [968:7309] --> 250 Ok, message saved
Sat 2011-12-10 15:07:33: [968:7309] <-- QUIT
Sat 2011-12-10 15:07:33: [968:7309] --> 221 See ya in cyberspace
Sat 2011-12-10 15:07:33: [968:7309] SMTP session successful, 26599 bytes transferred.
Sat 2011-12-10 15:07:33: [968:7309] Shuffling message(s) into proper queue(s)
Sat 2011-12-10 15:07:33: [968:7309] Message received from mr136.createsend.com [184.106.86.136] with SMTP for [Size 26584] {j:\localq\md00000000.msg}

December 10, 2011

Whois utility SamSpade

Do you often get IP addresses connecting to your email server and wonder who the **** that is? The answer is that there is a "Whois" record for that information, and for Windows users there is a small, well-written program that is very helpful. A visit to SamSpade.org shows "back soon", but the program can still be downloaded from;

http://majorgeeks.com/Sam_Spade_d594.html

At just over a MB it certainly isn't bloated with anything! Once installed it opens to reveal a simple gray window. Put the unknown IP address in the top left box; for this example we will use the spammer just referred to, at 67.159.33.100;

The main registries for IP address ranges are;
ARIN, North American continent
RIPE NCC, Europe, the Middle East and Central Asia
LACNIC, Central and South America
APNIC, Asia, Pacific, Far East and Oceania
AFRINIC, Africa

Top center of SamSpade you will see a choice box; select whois.arin.net, then look to the left and a little down for the "whois" icon. Click on that and you get the following in the SamSpade window;

NetRange: 67.159.0.0 - 67.159.63.255
CIDR: 67.159.0.0/18
OriginAS:
NetName: FDCSERVERS
NetHandle: NET-67-159-0-0-1
Parent: NET-67-0-0-0-0
NetType: Direct Allocation
RegDate: 2004-10-12
Updated: 2006-12-27

OrgName: FDCservers.net
OrgId: FDCSE
Address: 141 w jackson blvd.
Address: suite #1135
City: Chicago
StateProv: IL
PostalCode: 60604
Country: US
RegDate: 2003-05-20
Updated: 2011-03-28

In our experience FDCservers do not have a good reputation and quite often have IP addresses listed among the top 100 spam senders at any one time. Probably not too concerned about the spam problem.

Another test you can perform is from the top toolbar button called "Basics". Click on that and the second item down the list is NSLOOKUP, which finds the DNS name recorded for an IP address (or the address recorded for a name). For 67.159.33.100 we get the following result;

"nslookup 67.159.33.100
No reverse DNS (WSANO_DATA)"

Very impressive: there isn't one. FDCservers have an IP address pumping out email with no reverse DNS set at all. With no PTR record there is nothing for a receiving server to compare against, so the spammer can put whatever he likes in HELO/EHLO and change it whenever he likes, and no reverse DNS (rDNS) test can catch him out. FDC should put the server name in their DNS and set up the PTR record so that it agrees with the A record, permitting real-time rDNS tests to succeed. You will note that our email server timed out waiting for the PTR answer for that IP address. Failing to set it up is open to abuse, as we have seen, yet it is so easy to do: it literally takes five minutes to edit the DNS and only needs doing once. Bear in mind that a matching PTR only proves that whoever controls the address also controls its reverse zone; it is a hygiene signal, not proof that the sender is legitimate.

Email servers can send email for and on behalf of numerous domain names, and this does not affect the name of the server in DNS, its reverse DNS record, or the HELO/EHLO name used.
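As an added example, not part of the original post or of MDaemon, here is the forward-confirmed reverse DNS check and the EHLO check that the logs on this page show MDaemon performing, in Python. The live_* functions use the system resolver; the SAMPLE_PTR and SAMPLE_A tables are constructed from the answers visible in the logs (fusion.bpweb.net, the FDCservers host with no PTR, and websmtp.sohu.com, whose EHLO name resolves to a different address) so the three verdicts reproduce offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and EHLO verification, the checks MDaemon is
performing in the 'Looking up PTR record' / 'Performing reverse lookup on <EHLO name>'
lines. Added example; live_* use the system resolver, the SAMPLE_* tables are constructed
from the results shown in the logs on this page so the code runs offline."""
import ipaddress
import socket
from typing import Callable, Dict, List

PtrLookup = Callable[[str], List[str]]   # ip -> PTR names, [] when there is none
ALookup = Callable[[str], List[str]]     # hostname -> IPv4 addresses, [] when none


def reverse_name(ip: str) -> str:
    """83.223.106.9 -> 9.106.223.83.in-addr.arpa, the owner name of the PTR record."""
    return ipaddress.ip_address(ip).reverse_pointer


def live_ptr(ip: str) -> List[str]:
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except (socket.herror, socket.gaierror):
        return []


def live_a(name: str) -> List[str]:
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def fcrdns(ip: str, ptr_lookup: PtrLookup = live_ptr, a_lookup: ALookup = live_a) -> str:
    """'confirmed' if some PTR name resolves back to ip; 'no-ptr' if there is no PTR at
    all (the FDCservers case above); 'mismatch' if a PTR exists but nothing points back."""
    names = ptr_lookup(ip)
    if not names:
        return "no-ptr"
    return "confirmed" if any(ip in a_lookup(n) for n in names) else "mismatch"


def helo_check(ip: str, helo: str, a_lookup: ALookup = live_a) -> str:
    """Does the EHLO/HELO name resolve to the connecting address? An address literal
    like [67.159.33.100] is legal and must equal the peer; a bare label is never valid."""
    if helo.startswith("[") and helo.endswith("]"):
        return "ok" if helo[1:-1] == ip else "forged"
    if "." not in helo:
        return "forged"
    return "ok" if ip in a_lookup(helo) else "may-be-forged"   # MDaemon's "(may be forged)"


def verdict(ip: str, helo: str, ptr_lookup: PtrLookup = live_ptr,
            a_lookup: ALookup = live_a) -> Dict[str, str]:
    return {"ip": ip,
            "fcrdns": fcrdns(ip, ptr_lookup, a_lookup),
            "helo": helo_check(ip, helo, a_lookup)}


# Constructed tables reproducing the DNS answers visible in the logs on this page.
SAMPLE_PTR = {
    "83.223.106.9": ["fusion.bpweb.net"],
    "61.135.132.132": ["websmtp.sohu.com"],
    # 67.159.33.100 deliberately absent: no PTR, as SamSpade reported
}
SAMPLE_A = {
    "fusion.bpweb.net": ["83.223.106.9"],
    "super.jbcapacitacionempresarial.com": ["67.159.33.100"],
    "websmtp.sohu.com": ["61.135.132.204"],   # not .132, hence "(may be forged)"
}


def sample_ptr(ip: str) -> List[str]:
    return SAMPLE_PTR.get(ip, [])


def sample_a(name: str) -> List[str]:
    return SAMPLE_A.get(name, [])


if __name__ == "__main__":
    for ip, helo in [("83.223.106.9", "fusion.bpweb.net"),
                     ("67.159.33.100", "super.jbcapacitacionempresarial.com"),
                     ("61.135.132.132", "websmtp.sohu.com")]:
        print(verdict(ip, helo, sample_ptr, sample_a))
```

Note how the two checks are independent: the FDCservers host passes the EHLO check (the name it announces does resolve to the connecting address) while failing FCrDNS outright, and the Sohu host has a perfectly good PTR but announces a name that resolves elsewhere. A receiving server that only does one of the two sees only half the picture.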

To get another opinion about IP addresses, networks, network providers and server hosting businesses, try the following;

http://www.senderbase.org/

Over on the right of the home page you will see a box for "reputation lookup"; enter 67.159.33.100 and click the button underneath. The page shows results for the IP address and for associated email senders in the same domain name and address block (in this case 67.159.33.0/24). Note the results;

67.159.33.33 is shown as "neutral" written in black text
67.159.33.100 is shown as "neutral" written in black text
67.159.33.101 is shown as "good" written in green text but
67.159.33.100 is shown as "poor" written in red text

Now change the address block to /18, which the Whois tells us is the size of the FDCservers allocation, and click "Go";

At the time of writing there are nearly 400 detected email senders in that /18 block and there is a lot of red! This second opinion of FDC agrees with our own experience.

Top center of the SenderBase.org web page is a button called "Top Senders", choose "Top Spam Senders" to see a recent report and the same old names.

L2.APEWS.ORG for blocking works great

We've seen a lot of comments on the internet, especially in the Usenet net-abuse newsgroups, that Apews.org has no users, that its false positives are huge and that it is unfit for outright blocking. Ulterior motives? Who are these people, and why aren't they in here filling up the pages with their tons of test results?

We have been showing all the false positives that we receive on some commercial email servers with global email flows. The average FP rate works out at about one, yes one, email per week! None of them were critical, more inconvenient than anything, and in a couple of cases they were only possible FPs that were actually correct in identifying spam.

Are email server Administrators so lazy or incapable that they can't sort out one email a week for a user? And why can't they run a whitelist, I mean, no sane email Administrator would run an email server without one, right?

Here is evidence of a spammer having delivery denied, and you are going to ask: how do I know it was spam if delivery was denied? Well, we have set up secondary and tertiary MX servers operating the exact same configuration as the primary servers but with blocking in place, rather than inserting an X-RBL-Warning header for listed sender IPs. The spammer delivered a copy of the same spam to one server, where it was tagged and accepted, and was blocked on another, so we were able to see and check the accepted copy and confirm that it was spam.

Sat 2011-12-10 4:29:07: [1234:787] Accepting SMTP connection from [67.159.33.100]
Sat 2011-12-10 4:29:07: [1234:787] Looking up PTR record for 67.159.33.100 (100.33.159.67.IN-ADDR.ARPA)
Sat 2011-12-10 4:29:07: [1234:787] 3 second wait for DNS response exceeded
Sat 2011-12-10 4:29:07: [1234:787] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Sat, 10 Dec 2011 4:29:07 -0200
Sat 2011-12-10 4:29:07: [1234:787] <-- EHLO super.jbcapacitacionempresarial.com
Sat 2011-12-10 4:29:07: [1234:787] Performing reverse lookup on super.jbcapacitacionempresarial.com (looking for 67.159.33.100)
Sat 2011-12-10 4:29:07: [1234:787] D=super.jbcapacitacionempresarial.com TTL=(240) A=[67.159.33.100]
Sat 2011-12-10 4:29:07: [1234:787] --> 250-xxx.xxx.xxx Hello super.jbcapacitacionempresarial.com, pleased to meet you
Sat 2011-12-10 4:29:07: [1234:787] --> 250-ETRN
Sat 2011-12-10 4:29:07: [1234:787] --> 250-AUTH=LOGIN
Sat 2011-12-10 4:29:07: [1234:787] --> 250-AUTH LOGIN CRAM-MD5
Sat 2011-12-10 4:29:07: [1234:787] --> 250-8BITMIME
Sat 2011-12-10 4:29:07: [1234:787] --> 250 SIZE 0
Sat 2011-12-10 4:29:07: [1234:787] <-- MAIL FROM: SIZE=38288
Sat 2011-12-10 4:29:07: [1234:787] Performing reverse lookup on jbcapacitacionempresarial.com (looking for 67.159.33.100)
Sat 2011-12-10 4:29:07: [1234:787] D=jbcapacitacionempresarial.com TTL=(240) A=[67.159.33.101]
Sat 2011-12-10 4:29:07: [1234:787] P=010 D=jbcapacitacionempresarial.com TTL=(240) MX=[mail.jbcapacitacionempresarial.com] {67.159.33.101}
Sat 2011-12-10 4:29:07: [1234:787] Spam Blocker A-record resolution of [100.33.159.67.l2.apews.org] in progress (DNS Server: 192.168.1.1)...
Sat 2011-12-10 4:29:07: [1234:787] Spam Blocker D=100.33.159.67.l2.apews.org TTL=(35) A=[127.0.0.2]
Sat 2011-12-10 4:29:07: [1234:787] APEWS.ORG listed, 99.7% certain it is spam
Sat 2011-12-10 4:29:07: [1234:787] --> 250 , Sender ok
Sat 2011-12-10 4:29:07: [1234:787] <-- RCPT TO:
Sat 2011-12-10 4:29:07: [1234:787] 'Recipient unknown' given to divert future spam
Sat 2011-12-10 4:29:07: [1234:787] --> 550 , Recipient unknown
Sat 2011-12-10 4:29:07: [1234:787] <-- QUIT
Sat 2011-12-10 4:29:07: [1234:787] --> 221 See ya in cyberspace
Sat 2011-12-10 4:29:07: [1234:787] SMTP session successful, 154 bytes transferred.

The spammer was given a "550 user unknown" reply, and that should get the email address removed from the sender's database; however, these days 550s are ignored and spammers keep trying to deliver to every email server they can reach.

Email servers that send solicited email find where to deliver by checking their cache or public DNS for the recipient domain's MX records. They try the lowest-preference MX first and move on to the second or third only if that host cannot be reached or gives a temporary failure, so the backup MX hosts see very little legitimate traffic. Outbound-only email servers are typically not listed as MX in DNS, i.e. they are senders only, and so even though they listen on TCP port 25 they should never receive email.

Even delivery receipts and display or read receipts go to the same MX servers in priority order, MX1, MX2, MX3 etc., as configured in DNS by each domain's Administrator. Spammers ignore that and just send to any and every server listening on TCP port 25. L2.Apews.org is therefore excellent for outright blocking on such servers, and on the other MX servers too if the email Administrator is up to it. The caveat is that when the primary MX is down, legitimate senders do fall back to the secondary, so the whitelist has to be in place there as well, or the false positives listed on this page turn from a tagged delivery into a rejection.

Look again at the false positives listed here: had we been blocking from day one, none of them would have been allowed into the network. See anything mission critical there? With a decent whitelist those FPs would have been fewer still, or zero. Why pay for a spam solution? Surely anyone making money out of spam solutions is part of the problem; they would not want to give up that income. Needless to say, good email Administrators are worth their weight in gold; better to pay them than to pay for anti-spam services or "solutions".
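As an added example, not code from MDaemon or from the original post, here is a Python summariser for the MDaemon log format used on this page. It reduces each session to peer IP, EHLO name, the DNSBL zones that answered with a listing, and the outcome (rejected, tagged, or accepted), and then looks for exactly the behaviour described above: an address that was given a 550 and connects again on a later day. SAMPLE_LOG is a trimmed copy of three sessions shown on this page.

```python
"""Session summariser for the MDaemon SMTP log format used throughout this page, plus a
check for a sender that was told 550 and comes back anyway. Added example; SAMPLE_LOG is
a trimmed copy of sessions shown on this page."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

LINE = re.compile(r"^\w{3} (\d{4}-\d{2}-\d{2}) (\d{1,2}:\d{2}:\d{2}): \[(\d+:\d+)\] (.*)$")
PEER = re.compile(r"Accepting SMTP connection from \[([\d.]+)\]")
HELO = re.compile(r"<-- (?:EHLO|HELO) (\S+)")
DNSBL = re.compile(r"Spam Blocker D=(\S+) TTL=\(\d+\) A=\[([\d.]+)\]")
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")


@dataclass
class Session:
    date: str
    time: str
    sid: str
    ip: str = ""
    helo: str = ""
    dnsbl: Set[str] = field(default_factory=set)   # zones that answered with a listing
    outcome: str = "incomplete"                    # rejected | tagged | accepted | incomplete


def parse_sessions(text: str) -> List[Session]:
    sessions: Dict[str, Session] = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        date, time, sid, msg = m.groups()
        key = f"{date} {sid}"                  # [pid:session] ids are reused across days
        s = sessions.setdefault(key, Session(date, time, sid))
        peer, helo, hit = PEER.search(msg), HELO.search(msg), DNSBL.search(msg)
        if peer:
            s.ip = peer.group(1)
        elif helo:
            s.helo = helo.group(1)
        elif hit:
            name, answer = hit.groups()
            if ipaddress.IPv4Address(answer) in LISTED_NET:
                s.dnsbl.add(name.split(".", 4)[4].lower())   # drop the 4 reversed octets
        elif msg.startswith("--> 550"):
            s.outcome = "rejected"             # a 550 anywhere ends the session as a reject
        elif "X-RBL-Warning" in msg and s.outcome == "incomplete":
            s.outcome = "tagged"               # accepted, but header inserted
        elif msg.startswith("--> 250 Ok, message saved") and s.outcome == "incomplete":
            s.outcome = "accepted"
    return sorted(sessions.values(), key=lambda s: (s.date, s.time.zfill(8)))


def repeat_offenders(sessions: List[Session]) -> Dict[str, List[str]]:
    """IPs that received a 550 and connected again on a later date regardless."""
    by_ip: Dict[str, List[Session]] = {}
    for s in sessions:
        by_ip.setdefault(s.ip, []).append(s)
    out: Dict[str, List[str]] = {}
    for ip, ss in by_ip.items():
        rejected = [s.date for s in ss if s.outcome == "rejected"]
        if rejected and any(s.date > rejected[0] for s in ss):
            out[ip] = [s.date for s in ss]
    return out


# Trimmed copy of three sessions shown on this page (10 Dec, 17 Dec and 24 Dec 2011).
SAMPLE_LOG = """\
Sat 2011-12-10 4:29:07: [1234:787] Accepting SMTP connection from [67.159.33.100]
Sat 2011-12-10 4:29:07: [1234:787] 3 second wait for DNS response exceeded
Sat 2011-12-10 4:29:07: [1234:787] <-- EHLO super.jbcapacitacionempresarial.com
Sat 2011-12-10 4:29:07: [1234:787] Spam Blocker D=100.33.159.67.l2.apews.org TTL=(35) A=[127.0.0.2]
Sat 2011-12-10 4:29:07: [1234:787] APEWS.ORG listed, 99.7% certain it is spam
Sat 2011-12-10 4:29:07: [1234:787] <-- RCPT TO:
Sat 2011-12-10 4:29:07: [1234:787] --> 550 , Recipient unknown
Sat 2011-12-17 05:43:06: [468:256] Accepting SMTP connection from [67.159.33.100]
Sat 2011-12-17 05:43:21: [468:256] <-- EHLO super.jbcapacitacionempresarial.com
Sat 2011-12-17 05:43:22: [468:256] Spam Blocker D=100.33.159.67.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Sat 2011-12-17 05:43:22: [468:256] L2.APEWS.ORG LISTED
Sat 2011-12-17 05:43:22: [468:256] <-- RCPT TO:
Sat 2011-12-17 05:43:22: [468:256] --> 550 , Recipient unknown
Sat 2011-12-24 06:53:43: [916:2344] Accepting SMTP connection from [83.223.106.9]
Sat 2011-12-24 06:53:44: [916:2344] <-- EHLO fusion.bpweb.net
Sat 2011-12-24 06:53:46: [916:2344] Spam Blocker D=9.106.223.83.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Sat 2011-12-24 06:53:46: [916:2344] L2.APEWS.ORG LISTED
Sat 2011-12-24 06:53:46: [916:2344] Message will be accepted and X-RBL-Warning: header will be inserted.
Sat 2011-12-24 06:53:46: [916:2344] <-- RCPT To:
Sat 2011-12-24 06:53:46: [916:2344] --> 250 , Recipient ok
Sat 2011-12-24 06:53:49: [916:2344] --> 250 Ok, message saved
"""

if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for s in sessions:
        print(s.date, s.ip, s.helo, sorted(s.dnsbl), s.outcome)
    print("came back after a 550:", repeat_offenders(sessions))
```

Feed it the logs from both the primary and the backup MX (concatenated) and repeat_offenders() gives the list of addresses that treat a 550 as a suggestion; those are candidates for outright blocking on every server, whatever the DNSBLs say.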

L2.APEWS.ORG False Positive #8

This one refers back to L2.APEWS.ORG False Positive #4; if you recall, the MTV newsletter was found by our user in his spam folder. Having published it here and checked the IP address a day or two later, we found it had been delisted, so why is another MTV newsletter in the spam folder again? Well, this newsletter didn't come from the same IP address, which means that Apews.org had more than one address covered by the previous listing. Here is the false positive;

Thu 2011-12-08 08:10:27: [1112:6566] Accepting SMTP connection from [129.228.5.20]
Thu 2011-12-08 08:10:27: [1112:6566] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Thu, 08 Dec 2011 08:10:27 -0500
Thu 2011-12-08 08:10:27: [1112:6566] <-- EHLO mtv-newsletter1.mms.mtv.com
Thu 2011-12-08 08:10:27: [1112:6566] --> 250-xxx.xxx.xxx Hello mtv-newsletter1.mms.mtv.com, pleased to meet you
Thu 2011-12-08 08:10:27: [1112:6566] --> 250-ETRN
Thu 2011-12-08 08:10:27: [1112:6566] --> 250-AUTH=LOGIN
Thu 2011-12-08 08:10:27: [1112:6566] --> 250-AUTH LOGIN CRAM-MD5
Thu 2011-12-08 08:10:27: [1112:6566] --> 250-8BITMIME
Thu 2011-12-08 08:10:27: [1112:6566] --> 250 SIZE 0
Thu 2011-12-08 08:10:27: [1112:6566] <-- MAIL FROM:
Thu 2011-12-08 08:10:27: [1112:6566] Spam Blocker A-record resolution of [20.5.228.129.l2.apews.org] in progress (DNS Server: 192.168.1.2)...
Thu 2011-12-08 08:10:27: [1112:6566] Spam Blocker D=20.5.228.129.l2.apews.org TTL=(35) A=[127.0.0.2]
Thu 2011-12-08 08:10:27: [1112:6566] APEWS listed, 99.7% certain it is spam
Thu 2011-12-08 08:10:27: [1112:6566] Message will be accepted and X-RBL-Warning: header will be inserted.
Thu 2011-12-08 08:10:27: [1112:6566] --> 250 , Sender ok
Thu 2011-12-08 08:10:27: [1112:6566] <-- RCPT TO:
Thu 2011-12-08 08:10:27: [1112:6566] --> 250 , Recipient ok
Thu 2011-12-08 08:10:27: [1112:6566] <-- DATA
Thu 2011-12-08 08:10:27: [1112:6566] --> 354 Enter mail, end with .
Thu 2011-12-08 08:10:28: [1112:6566] --> 250 Ok, message saved
Thu 2011-12-08 08:10:28: [1112:6566] <-- QUIT
Thu 2011-12-08 08:10:28: [1112:6566] --> 221 See ya in cyberspace
Thu 2011-12-08 08:10:28: [1112:6566] SMTP session successful, 20649 bytes transferred.
Thu 2011-12-08 08:10:28: [1112:6566] Shuffling message(s) into proper queue(s)
Thu 2011-12-08 08:10:28: [1112:6566] Message received from mtv-newsletter1.mms.mtv.com [129.228.5.20] with SMTP for [Size 20634] {j:\localq\md00000.msg}

After some further checking, it turns out that MTV have four consecutive IP addresses in Viacom address space, namely 129.228.5.20-129.228.5.23, so you might want to whitelist those. We have never had any problem with the MTV servers; check a whitelist such as DNSWL.org for other trustworthy IP addresses in the same neighborhood.

At the time of writing this, none of those 4 IP addresses are showing as listed so it seems that Apews.org have corrected the MTV newsletter issue.

December 8, 2011

L2.APEWS.ORG False Positive #7

This is another example of a possible false positive, because whether it counts as one depends on your client base and email flow.

Wed 2011-12-07 03:59:15: [1144:6063] Accepting SMTP connection from [61.135.132.132]
Wed 2011-12-07 03:59:15: [1144:6063] Looking up PTR record for 61.135.132.132 (132.132.135.61.IN-ADDR.ARPA)
Wed 2011-12-07 03:59:17: [1144:6063] D=132.132.135.61.IN-ADDR.ARPA TTL=(59) PTR=[websmtp.sohu.com]
Wed 2011-12-07 03:59:17: [1144:6063] Gathering A-records for PTR hosts
Wed 2011-12-07 03:59:18: [1144:6063] D=websmtp.sohu.com TTL=(10) A=[61.135.132.204]
Wed 2011-12-07 03:59:18: [1144:6063] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Wed, 07 Dec 2011 03:59:18 -0500
Wed 2011-12-07 03:59:18: [1144:6063] <-- EHLO websmtp.sohu.com
Wed 2011-12-07 03:59:18: [1144:6063] Performing reverse lookup on websmtp.sohu.com (looking for 61.135.132.132)
Wed 2011-12-07 03:59:18: [1144:6063] D=websmtp.sohu.com TTL=(9) A=[61.135.132.204]
Wed 2011-12-07 03:59:18: [1144:6063] --> 250-xxx.xxx.xxx Hello websmtp.sohu.com (may be forged), pleased to meet you
Wed 2011-12-07 03:59:18: [1144:6063] --> 250-ETRN
Wed 2011-12-07 03:59:18: [1144:6063] --> 250-AUTH=LOGIN
Wed 2011-12-07 03:59:18: [1144:6063] --> 250-AUTH LOGIN CRAM-MD5
Wed 2011-12-07 03:59:18: [1144:6063] --> 250-8BITMIME
Wed 2011-12-07 03:59:18: [1144:6063] --> 250 SIZE 0
Wed 2011-12-07 03:59:20: [1144:6063] <-- MAIL FROM: SIZE=574602
Wed 2011-12-07 03:59:20: [1144:6063] Performing reverse lookup on sohu.com (looking for 61.135.132.132)
Wed 2011-12-07 03:59:20: [1144:6063] D=sohu.com TTL=(10) A=[61.135.181.175]
Wed 2011-12-07 03:59:20: [1144:6063] P=010 D=sohu.com TTL=(10) MX=[sohumx.h.a.sohu.com]
Wed 2011-12-07 03:59:20: [1144:6063] P=005 D=sohu.com TTL=(10) MX=[sohumx1.sohu.com] {61.135.132.110}
Wed 2011-12-07 03:59:21: [1144:6063] D=sohumx.h.a.sohu.com TTL=(5) A=[61.135.132.110]
Wed 2011-12-07 03:59:21: [1144:6063] Spam Blocker A-record resolution of [132.132.135.61.l2.apews.org] in progress (DNS Server: 192.168.1.2)...
Wed 2011-12-07 03:59:21: [1144:6063] Spam Blocker D=132.132.135.61.l2.apews.org TTL=(35) A=[127.0.0.2]
Wed 2011-12-07 03:59:21: [1144:6063] APEWS listed, 99.7% certain it is spam
Wed 2011-12-07 03:59:21: [1144:6063] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2011-12-07 03:59:21: [1144:6063] --> 250 , Sender ok
Wed 2011-12-07 03:59:22: [1144:6063] <-- RCPT TO:
Wed 2011-12-07 03:59:22: [1144:6063] Can't accept or relay message.
Wed 2011-12-07 03:59:22: [1144:6063] Sender not authenticated or from trusted domain/IP and recipient not a valid local account.
Wed 2011-12-07 03:59:22: [1144:6063] --> 550 , Recipient unknown
Wed 2011-12-07 03:59:22: [1144:6063] <-- RSET
Wed 2011-12-07 03:59:22: [1144:6063] --> 250 RSET? Well, ok.
Wed 2011-12-07 03:59:23: [1144:6063] <-- QUIT
Wed 2011-12-07 03:59:23: [1144:6063] --> 221 See ya in cyberspace
Wed 2011-12-07 03:59:23: [1144:6063] SMTP session successful, 126 bytes transferred.

In this case the sender is a spammer using the free webmail service to send crap. The email address that the spammer tried to send to was harvested from a web page that no human being would ever see. That is how it happens: spammers use automated software, robots, to routinely scan IP addresses for web servers hosting pages that contain email addresses, and scrape them into their databases.

You have to decide for yourself on the ratio of spam to solicited email arriving via the Sohu servers. Your server, your rules. Looking at the Apews.org website, this is the text they show for the Sohu IP address;

Entry matching your Query: E-492519
61.135.132.204 CASE: C-1
Compromised or insecure MTA
Criminal abusers have user access
SysAdmin not closing abusive accounts
No or inadequate outbound mail filter
Special Reason: List washing dirty email address database
History: Entry created 2011-09-29

Note that the entry is keyed on 61.135.132.204, the address the websmtp.sohu.com EHLO name resolves to (hence MDaemon's "(may be forged)" remark above), while this connection came from 61.135.132.132; the DNSBL answer shows that address is covered by the listing too. So it seems they are still doing the same thing more than two months after Apews recorded the entry.

December 1, 2011

L2.APEWS.ORG False Positive #6

This is another possible false positive; as with #5, it depends on your email flow, user requirements etc. Not everyone has the same geographic distribution of email senders. However, let us take a look;

Wed 2011-11-30 22:47:41: [948:3883] Accepting SMTP connection from [121.101.151.212]
Wed 2011-11-30 22:47:41: [948:3883] Looking up PTR record for 121.101.151.212 (212.151.101.121.IN-ADDR.ARPA)
Wed 2011-11-30 22:47:42: [948:3883] D=212.151.101.121.IN-ADDR.ARPA TTL=(29) PTR=[nm3-vm0.bullet.mail.in.yahoo.com]
Wed 2011-11-30 22:47:42: [948:3883] Gathering A-records for PTR hosts
Wed 2011-11-30 22:47:42: [948:3883] D=nm3-vm0.bullet.mail.in.yahoo.com TTL=(30) A=[121.101.151.212]
Wed 2011-11-30 22:47:42: [948:3883] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Wed, 30 Nov 2011 22:47:42 -0500
Wed 2011-11-30 22:47:42: [948:3883] <-- HELO nm3-vm0.bullet.mail.in.yahoo.com
Wed 2011-11-30 22:47:42: [948:3883] Performing reverse lookup on nm3-vm0.bullet.mail.in.yahoo.com (looking for 121.101.151.212)
Wed 2011-11-30 22:47:42: [948:3883] D=nm3-vm0.bullet.mail.in.yahoo.com TTL=(30) A=[121.101.151.212]
Wed 2011-11-30 22:47:42: [948:3883] --> 250 xxx.xxx.xxx Hello nm3-vm0.bullet.mail.in.yahoo.com, pleased to meet you
Wed 2011-11-30 22:47:42: [948:3883] <-- MAIL FROM:
Wed 2011-11-30 22:47:42: [948:3883] Performing reverse lookup on yahoo.com (looking for 121.101.151.212)
Wed 2011-11-30 22:47:43: [948:3883] D=yahoo.com TTL=(60) A=[72.30.2.43]
Wed 2011-11-30 22:47:43: [948:3883] P=001 D=yahoo.com TTL=(30) MX=[mta7.am0.yahoodns.net] {98.139.175.225}
Wed 2011-11-30 22:47:43: [948:3883] P=001 D=yahoo.com TTL=(30) MX=[mta6.am0.yahoodns.net] {74.6.136.244}
Wed 2011-11-30 22:47:43: [948:3883] P=001 D=yahoo.com TTL=(30) MX=[mta5.am0.yahoodns.net] {66.94.237.139}
Wed 2011-11-30 22:47:43: [948:3883] Spam Blocker A-record resolution of [212.151.101.121.l2.apews.org] in progress (DNS Server: 192.168.1.2)...
Wed 2011-11-30 22:47:43: [948:3883] Spam Blocker D=212.151.101.121.l2.apews.org TTL=(35) A=[127.0.0.2]
Wed 2011-11-30 22:47:43: [948:3883] APEWS listed, 99.7% certain it is spam
Wed 2011-11-30 22:47:43: [948:3883] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2011-11-30 22:47:43: [948:3883] --> 250 , Sender ok
Wed 2011-11-30 22:47:43: [948:3883] <-- RCPT TO:
Wed 2011-11-30 22:47:43: [948:3883] --> 250 , Recipient ok
Wed 2011-11-30 22:47:44: [948:3883] <-- DATA
Wed 2011-11-30 22:47:44: [948:3883] --> 354 Enter mail, end with .
Wed 2011-11-30 22:47:44: [948:3883] --> 250 Ok, message saved
Wed 2011-11-30 22:47:45: [948:3883] <-- QUIT
Wed 2011-11-30 22:47:45: [948:3883] --> 221 See ya in cyberspace
Wed 2011-11-30 22:47:45: [948:3883] SMTP session successful, 2254 bytes transferred.
Wed 2011-11-30 22:47:45: [948:3883] Shuffling message(s) into proper queue(s)
Wed 2011-11-30 22:47:45: [948:3883] Message received from nm3-vm0.bullet.mail.in.yahoo.com [121.101.151.212] with SMTP for [Size 2245] {j:\localq\x00000000000.msg}

The connecting IP address belongs to Yahoo India and is listed as part of the CIDR block [group of IP addresses] 121.101.150.0/23, which sits within CIDR 121.101.144.0/20. In one of the earlier posts on setup we said that the free webmail providers like Yahoo, Hotmail and Google are not listed in Apews, but also not to mark their servers as trusted or whitelisted; simply let them connect and go through the full SMTP process on your server, including rDNS / PTR lookup as you feel necessary.

This listing is therefore a contradiction and surprises us a little, hmmm... requires some further research. Email delivery involves a dialog between two email servers which results in some lines of text referred to as the email header. A lot of spam comes from a connecting IP address that sends data showing that it received the email from one or more email servers before it. In most cases this information cannot be trusted, as spam software is known to deliberately falsify it in order to mislead the recipient and gain a more trustworthy reputation. The exceptions are the professional email senders referred to in an earlier post and the free webmail providers like Yahoo, Hotmail and Google. Whilst they may hide or omit useful sender identifiable data, to our knowledge they don't deliberately falsify it.

In order to further examine this possible false positive, a copy of the actual email was obtained from the recipient. The email client program revealed further headers;

>from [127.0.0.1] by smtp107.mail.in.yahoo.com with NNFMP; 01 Dec 2011 03:49:03 -0000
>from [121.101.151.237] by nm3.bullet.mail.in.yahoo.com with NNFMP; 01 Dec 2011 03:49:03 -0000
>from [202.86.5.94] by tm2.bullet.mail.in.yahoo.com with NNFMP; 01 Dec 2011 03:49:29 -0000
>from zsdguhzdpyqlnviqt (cwkpaola1972@201.241.150.55 with login) by smtp107.mail.in.yahoo.com with SMTP; 01 Dec 2011 09:19:02 +0530 IST

We are almost certain that the email was passed between the Yahoo email servers as listed above. Working down the list we see that the Yahoo server named smtp107.mail.in.yahoo.com (IP address 202.86.5.94 checks out) was the one that received the email from a computer with IP address 201.241.150.55, which belongs to VTR, an ISP in Chile. At the time of writing, IP address 201.241.150.55 has the name pc-55-150-241-201.cm.vtr.net, a format usually used for dynamic IP allocations, certainly not a commercial server.
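As an added worked example, not part of the original post, here is the same walk down the Received chain done in Python. It reproduces the four hops above verbatim, then adds a constructed chain with a forged hop below our own server's line to show why the walk has to stop at the first receiving server that is outside the trusted provider. The rule (trust only hops whose "by" server is in the provider's domain, and take the "from" side of the last such hop as the submitter) and every name and address in the constructed chain are my own assumptions, not something the post states.

```python
import re
from typing import Dict, List, Optional

# The four Received hops shown above, newest first, copied from the post.
RECEIVED_HEADERS: List[str] = [
    "from [127.0.0.1] by smtp107.mail.in.yahoo.com with NNFMP; 01 Dec 2011 03:49:03 -0000",
    "from [121.101.151.237] by nm3.bullet.mail.in.yahoo.com with NNFMP; 01 Dec 2011 03:49:03 -0000",
    "from [202.86.5.94] by tm2.bullet.mail.in.yahoo.com with NNFMP; 01 Dec 2011 03:49:29 -0000",
    "from zsdguhzdpyqlnviqt (cwkpaola1972@201.241.150.55 with login) "
    "by smtp107.mail.in.yahoo.com with SMTP; 01 Dec 2011 09:19:02 +0530 IST",
]

# Constructed chain (not from the post): the top line is what our own MX wrote,
# the line below it was supplied by the sender and is forged. 198.51.100.7 and
# the example.* names are RFC 5737 / RFC 2606 documentation values.
FORGED_HEADERS: List[str] = [
    "from [198.51.100.7] by mx.example.org with ESMTP; 02 Dec 2011 10:00:00 -0000",
    "from mail.bank.example by relay.bank.example with ESMTP; 02 Dec 2011 09:59:00 -0000",
]

IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
# "from <name or [ip]> [ (comment) ] by <host>": the parenthesised comment is
# where webmail servers record the authenticated submitter's address.
HOP = re.compile(
    r"from\s+(?P<frm>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_hop(header: str) -> Optional[Dict[str, object]]:
    """Split one Received line into its from side, its by side and the IP
    recorded for the from side (the comment wins over a bracketed address)."""
    m = HOP.search(header)
    if not m:
        return None
    comment = m.group("comment") or ""
    ip = IPV4.search(comment) or IPV4.search(m.group("frm"))
    return {
        "from_name": m.group("frm").strip("[]"),
        "from_ip": ip.group(0) if ip else None,
        "by": m.group("by").lower().rstrip(";"),
        "authenticated": "with login" in comment.lower(),
    }


def in_domain(host: str, suffix: str) -> bool:
    host, suffix = host.lower().rstrip("."), suffix.lower()
    return host == suffix or host.endswith("." + suffix)


def originating_hop(headers: List[str], provider_suffix: str) -> Optional[Dict[str, object]]:
    """Walk newest to oldest. Hops above the provider (our own server) are
    skipped, hops inside the provider are trusted, and the walk stops at the
    first hop below them because everything further down was written by the
    submitter. The last trusted hop's from side is where the message entered."""
    entry, inside = None, False
    for header in headers:
        hop = parse_hop(header)
        if hop is not None and in_domain(str(hop["by"]), provider_suffix):
            entry, inside = hop, True
        elif inside:
            break
    return entry


def submitter_ip(headers: List[str], provider_suffix: str) -> Optional[str]:
    hop = originating_hop(headers, provider_suffix)
    return None if hop is None else hop["from_ip"]  # type: ignore[return-value]


if __name__ == "__main__":
    hop = originating_hop(RECEIVED_HEADERS, "yahoo.com")
    print("entered Yahoo at", hop["by"], "from", hop["from_ip"],
          "(authenticated)" if hop["authenticated"] else "")
    print("forged chain submitter:", submitter_ip(FORGED_HEADERS, "example.org"))
```

Run against the four hops above it lands on smtp107.mail.in.yahoo.com receiving from 201.241.150.55 "with login", which is the conclusion reached by hand; on the constructed chain it reports 198.51.100.7 and never looks at the forged bank hop.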

Now let us look at the content of the email, just one line of text;

ZMLNIGXGCOBMThe_Electronic-Payments-AssociationÄ›

with a link to the following website http :// goo.gl / 5z4hU.

It seems suspicious that an email sender with a Chilean IP address would login to a Yahoo India webmail server to send only one email to the user on our network who does not know the sender. The content of the email is spam and quite rightly ended up in the spam folder.

You will need to judge for yourselves whether the Yahoo India email servers send mostly solicited emails or mostly spam. In recent weeks we have noticed a huge rise in the volume of spam being delivered by the free webmail providers, especially AOL.

L2.APEWS.ORG False Positive #5

Found another possible false positive. I say possible because it would depend on your email flow, server policies, user requirements etc. This one is a free email service in China, so the probability is that the senders are mostly Chinese, whose email may or may not be needed by your network and users.

Wed 2011-11-30 22:46:47: [688:3882] Accepting SMTP connection from [60.28.228.177]
Wed 2011-11-30 22:46:47: [688:3882] Looking up PTR record for 60.28.228.177 (177.228.28.60.IN-ADDR.ARPA)
Wed 2011-11-30 22:46:48: [688:3882] D=177.228.28.60.IN-ADDR.ARPA TTL=(1440) PTR=[mail228-177.sinamail.sina.com.cn]
Wed 2011-11-30 22:46:48: [688:3882] Gathering A-records for PTR hosts
Wed 2011-11-30 22:46:49: [688:3882] D=mail228-177.sinamail.sina.com.cn TTL=(1) A=[60.28.228.177]
Wed 2011-11-30 22:46:49: [688:3882] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Wed, 30 Nov 2011 22:46:49 -0500
Wed 2011-11-30 22:46:49: [688:3882] <-- EHLO mail228-177.sinamail.sina.com.cn
Wed 2011-11-30 22:46:49: [688:3882] Performing reverse lookup on mail228-177.sinamail.sina.com.cn (looking for 60.28.228.177)
Wed 2011-11-30 22:46:49: [688:3882] D=mail228-177.sinamail.sina.com.cn TTL=(0) A=[60.28.228.177]
Wed 2011-11-30 22:46:49: [688:3882] --> 250-xxx.xxx.xxx Hello mail228-177.sinamail.sina.com.cn, pleased to meet you
Wed 2011-11-30 22:46:49: [688:3882] --> 250-ETRN
Wed 2011-11-30 22:46:49: [688:3882] --> 250-AUTH=LOGIN
Wed 2011-11-30 22:46:49: [688:3882] --> 250-AUTH LOGIN CRAM-MD5
Wed 2011-11-30 22:46:49: [688:3882] --> 250-8BITMIME
Wed 2011-11-30 22:46:49: [688:3882] --> 250 SIZE 0
Wed 2011-11-30 22:46:50: [688:3882] <-- MAIL FROM: SIZE=23421
Wed 2011-11-30 22:46:50: [688:3882] Performing reverse lookup on sina.com (looking for 60.28.228.177)
Wed 2011-11-30 22:46:50: [688:3882] D=sina.com TTL=(1) A=[12.130.132.30]
Wed 2011-11-30 22:46:51: [688:3882] P=010 D=sina.com TTL=(0) MX=[freemx3.sinamail.sina.com.cn]
Wed 2011-11-30 22:46:51: [688:3882] P=010 D=sina.com TTL=(0) MX=[freemx2.sinamail.sina.com.cn] {218.30.115.106}
Wed 2011-11-30 22:46:51: [688:3882] P=010 D=sina.com TTL=(0) MX=[freemx1.sinamail.sina.com.cn]
Wed 2011-11-30 22:46:51: [688:3882] P=005 D=sina.com TTL=(0) MX=[freemx.sinamail.sina.com.cn]
Wed 2011-11-30 22:46:51: [688:3882] D=freemx3.sinamail.sina.com.cn TTL=(30) A=[60.28.2.248]
Wed 2011-11-30 22:46:52: [688:3882] D=freemx1.sinamail.sina.com.cn TTL=(30) A=[202.108.3.242]
Wed 2011-11-30 22:46:52: [688:3882] D=freemx.sinamail.sina.com.cn TTL=(0) A=[202.108.3.242]
Wed 2011-11-30 22:46:52: [688:3882] Spam Blocker A-record resolution of [177.228.28.60.l2.apews.org] in progress (DNS Server: 192.168.1.2)...
Wed 2011-11-30 22:46:52: [688:3882] Spam Blocker D=177.228.28.60.l2.apews.org TTL=(35) A=[127.0.0.2]
Wed 2011-11-30 22:46:52: [688:3882] APEWS listed, 99.7% certain it is spam
Wed 2011-11-30 22:46:52: [688:3882] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2011-11-30 22:46:52: [688:3882] --> 250 , Sender ok
Wed 2011-11-30 22:46:53: [688:3882] <-- RCPT TO:
Wed 2011-11-30 22:46:53: [688:3882] --> 250 , Recipient ok
Wed 2011-11-30 22:46:53: [688:3882] <-- DATA
Wed 2011-11-30 22:46:53: [688:3882] --> 354 Enter mail, end with .
Wed 2011-11-30 22:47:05: [688:3882] --> 250 Ok, message saved
Wed 2011-11-30 22:47:05: [688:3882] <-- QUIT
Wed 2011-11-30 22:47:05: [688:3882] --> 221 See ya in cyberspace
Wed 2011-11-30 22:47:05: [688:3882] SMTP session successful, 23613 bytes transferred.
Wed 2011-11-30 22:47:05: [688:3882] Shuffling message(s) into proper queue(s)
Wed 2011-11-30 22:47:05: [688:3882] Message received from mail228-177.sinamail.sina.com.cn [60.28.228.177] with SMTP for [Size 23602] {j:\localq\md00000000000.msg}

As before, any news will be reported here.

November 30, 2011

L2.APEWS.ORG False Positive #4

This is only the fourth false positive in as many weeks, and it wasn't listed before as the client said it used to be in the inbox;

Mon 2011-11-28 17:33:49: [672:3108] Accepting SMTP connection from [129.228.5.23]
Mon 2011-11-28 17:33:49: [672:3108] Looking up PTR record for 129.228.5.23 (23.5.228.129.IN-ADDR.ARPA)
Mon 2011-11-28 17:33:49: [672:3108] D=23.5.228.129.in-addr.arpa TTL=(60) PTR=[mtv-newsletter4.mms.mtv.com]
Mon 2011-11-28 17:33:49: [672:3108] Gathering A-records for PTR hosts
Mon 2011-11-28 17:33:50: [672:3108] D=mtv-newsletter4.mms.mtv.com TTL=(1440) A=[129.228.5.23]
Mon 2011-11-28 17:33:50: [672:3108] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Mon, 28 Nov 2011 17:33:50 -0500
Mon 2011-11-28 17:33:50: [672:3108] <-- EHLO mtv-newsletter4.mms.mtv.com
Mon 2011-11-28 17:33:50: [672:3108] Performing reverse lookup on mtv-newsletter4.mms.mtv.com (looking for 129.228.5.23)
Mon 2011-11-28 17:33:50: [672:3108] D=mtv-newsletter4.mms.mtv.com TTL=(1440) A=[129.228.5.23]
Mon 2011-11-28 17:33:50: [672:3108] --> 250-xxx.xxx.xxx Hello mtv-newsletter4.mms.mtv.com, pleased to meet you
Mon 2011-11-28 17:33:50: [672:3108] --> 250-ETRN
Mon 2011-11-28 17:33:50: [672:3108] --> 250-AUTH=LOGIN
Mon 2011-11-28 17:33:50: [672:3108] --> 250-AUTH LOGIN CRAM-MD5
Mon 2011-11-28 17:33:50: [672:3108] --> 250-8BITMIME
Mon 2011-11-28 17:33:50: [672:3108] --> 250 SIZE 0
Mon 2011-11-28 17:33:50: [672:3108] <-- MAIL FROM:
Mon 2011-11-28 17:33:50: [672:3108] Performing reverse lookup on mms.mtv.com (looking for 129.228.5.23)
Mon 2011-11-28 17:33:50: [672:3108] D=mms.mtv.com TTL=(1440) A=[129.228.5.22]
Mon 2011-11-28 17:33:50: [672:3108] P=010 D=mms.mtv.com TTL=(1440) MX=[mailin.strongmail.west.mtvi.com] {129.228.1.185}
Mon 2011-11-28 17:33:50: [672:3108] Spam Blocker A-record resolution of [23.5.228.129.l2.apews.org] in progress (DNS Server: 192.168.1.2)...
Mon 2011-11-28 17:33:51: [672:3108] Spam Blocker D=23.5.228.129.l2.apews.org TTL=(35) A=[127.0.0.2]
Mon 2011-11-28 17:33:51: [672:3108] APEWS listed, 99.7% certain it is spam
Mon 2011-11-28 17:33:51: [672:3108] Message will be accepted and X-RBL-Warning: header will be inserted.
Mon 2011-11-28 17:33:51: [672:3108] --> 250 , Sender ok
Mon 2011-11-28 17:33:51: [672:3108] <-- RCPT TO:
Mon 2011-11-28 17:33:51: [672:3108] --> 250 , Recipient ok
Mon 2011-11-28 17:33:51: [672:3108] <-- DATA
Mon 2011-11-28 17:33:51: [672:3108] --> 354 Enter mail, end with .
Mon 2011-11-28 17:33:52: [672:3108] --> 250 Ok, message saved
Mon 2011-11-28 17:33:52: [672:3108] <-- QUIT
Mon 2011-11-28 17:33:52: [672:3108] --> 221 See ya in cyberspace
Mon 2011-11-28 17:33:52: [672:3108] SMTP session successful, 10320 bytes transferred.
Mon 2011-11-28 17:33:52: [672:3108] Shuffling message(s) into proper queue(s)
Mon 2011-11-28 17:33:52: [672:3108] Message received from mtv-newsletter4.mms.mtv.com [129.228.5.23] with SMTP for [Size 10309] {j:\localq\md00000000000.msg}
Mon 2011-11-28 17:33:52: ----------

As you can see from the headers, this is MTV's newsletter. Well, watch this space, we'll check in a day or two and report back.

November 29, 2011

L2.APEWS.ORG False Positive #3

Here is another false positive; nobody else has any then? Strange, so much chat about the number of errors generated by using Apews yet we're finding very few false positives. Those that we have found to date are without using a whitelist and before any client side filtering.

Mon 2011-11-28 07:55:47: [632:2869] Accepting SMTP connection from [176.9.30.45]
Mon 2011-11-28 07:55:47: [632:2869] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Mon, 28 Nov 2011 07:55:47 -0500
Mon 2011-11-28 07:55:47: [632:2869] <-- EHLO mail.enewsletters.travel
Mon 2011-11-28 07:55:47: [632:2869] --> 250-xxx.xxx.xxx Hello mail.enewsletters.travel, pleased to meet you
Mon 2011-11-28 07:55:47: [632:2869] --> 250-ETRN
Mon 2011-11-28 07:55:47: [632:2869] --> 250-AUTH=LOGIN
Mon 2011-11-28 07:55:47: [632:2869] --> 250-AUTH LOGIN CRAM-MD5
Mon 2011-11-28 07:55:47: [632:2869] --> 250-8BITMIME
Mon 2011-11-28 07:55:47: [632:2869] --> 250 SIZE 0
Mon 2011-11-28 07:55:48: [632:2869] <-- MAIL FROM:< bounce @ tma.travel > SIZE=75362 BODY=8BITMIME
Mon 2011-11-28 07:55:48: [632:2869] Spam Blocker A-record resolution of [45.30.9.176.l2.apews.org] in progress (DNS Server: 192.168.1.2)...
Mon 2011-11-28 07:55:48: [632:2869] Spam Blocker D=45.30.9.176.l2.apews.org TTL=(35) A=[127.0.0.2]
Mon 2011-11-28 07:55:48: [632:2869] APEWS listed, 99.7% certain it is spam
Mon 2011-11-28 07:55:48: [632:2869] Message will be accepted and X-RBL-Warning: header will be inserted.
Mon 2011-11-28 07:55:48: [632:2869] --> 250 < bounce @ tma.travel >, Sender ok
Mon 2011-11-28 07:55:48: [632:2869] <-- RCPT TO:
Mon 2011-11-28 07:55:48: [632:2869] --> 250 , Recipient ok
Mon 2011-11-28 07:55:48: [632:2869] <-- DATA
Mon 2011-11-28 07:55:48: [632:2869] --> 354 Enter mail, end with .
Mon 2011-11-28 07:55:50: [632:2869] --> 250 Ok, message saved
Mon 2011-11-28 07:55:50: [632:2869] <-- QUIT
Mon 2011-11-28 07:55:50: [632:2869] --> 221 See ya in cyberspace
Mon 2011-11-28 07:55:50: [632:2869] SMTP session successful, 75775 bytes transferred.
Mon 2011-11-28 07:55:50: [632:2869] Shuffling message(s) into proper queue(s)
Mon 2011-11-28 07:55:50: [632:2869] Message received from mail.enewsletters.travel [176.9.30.45] with SMTP for [Size 75762] {j:\localq\md0000000.msg}
Mon 2011-11-28 07:55:50: ----------

Our client said that the email was in the spam folder but it is in fact a daily newsletter aimed at folks in the travel business. Looking on the http://www.apews.org website, the IP address itself is not listed but the /24 is, suggesting that there is a spammer with an IP address close to that of the newsletter. Further checking of Whois shows this IP address belongs to Hetzner, a German hosting business, who in our experience have issues like this quite often.

November 28, 2011

L2.APEWS.ORG False Positive #2

This is only the second FP that we have seen, and remember folks, we're using the L2.Apews.org blacklist straight "out-of-the-box" by allowing all connections, testing only the connecting IP address, and inserting an X-Header reference for Apews.org listed senders.

Thu 2011-11-24 16:57:53: [632:1914] Accepting SMTP connection from [50.56.45.130]
Thu 2011-11-24 16:57:53: [632:1914] Looking up PTR record for 50.56.45.130 (130.45.56.50.IN-ADDR.ARPA)
Thu 2011-11-24 16:57:53: [632:1914] Name server reports domain name unknown.
Thu 2011-11-24 16:57:53: [632:1914] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Thu, 24 Nov 2011 16:57:53 -0500
Thu 2011-11-24 16:57:54: [632:1914] <-- EHLO 356523-web2.x.com
Thu 2011-11-24 16:57:54: [632:1914] Performing reverse lookup on 356523-web2.x.com (looking for 50.56.45.130)
Thu 2011-11-24 16:57:54: [632:1914] Name server reports domain name unknown.
Thu 2011-11-24 16:57:54: [632:1914] --> 250-xxx.xxx.xxx Hello 356523-web2.x.com (may be forged), pleased to meet you
Thu 2011-11-24 16:57:54: [632:1914] --> 250-ETRN
Thu 2011-11-24 16:57:54: [632:1914] --> 250-AUTH=LOGIN
Thu 2011-11-24 16:57:54: [632:1914] --> 250-AUTH LOGIN CRAM-MD5
Thu 2011-11-24 16:57:54: [632:1914] --> 250-8BITMIME
Thu 2011-11-24 16:57:54: [632:1914] --> 250 SIZE 0
Thu 2011-11-24 16:57:54: [632:1914] <-- MAIL FROM:< admin @ x.com > SIZE=1834 BODY=8BITMIME
Thu 2011-11-24 16:57:54: [632:1914] Performing reverse lookup on x.com (looking for 50.56.45.130)
Thu 2011-11-24 16:57:54: [632:1914] D=x.com TTL=(5) A=[50.56.45.133]
Thu 2011-11-24 16:57:54: [632:1914] P=010 D=x.com TTL=(60) MX=[lore.ebay.com] {216.113.175.103}
Thu 2011-11-24 16:57:54: [632:1914] P=010 D=x.com TTL=(60) MX=[gort.ebay.com] {216.113.167.215}
Thu 2011-11-24 16:57:54: [632:1914] P=010 D=x.com TTL=(60) MX=[data.ebay.com] {66.135.195.180}
Thu 2011-11-24 16:57:54: [632:1914] Spam Blocker A-record resolution of [130.45.56.50.l2.apews.org] in progress (DNS Server: 192.168.1.2)...
Thu 2011-11-24 16:57:55: [632:1914] Spam Blocker D=130.45.56.50.l2.apews.org TTL=(35) A=[127.0.0.2]
Thu 2011-11-24 16:57:55: [632:1914] APEWS listed, 99.7% certain it is spam
Thu 2011-11-24 16:57:55: [632:1914] Message will be accepted and X-RBL-Warning: header will be inserted.
Thu 2011-11-24 16:57:55: [632:1914] --> 250 < admin @ x.com >, Sender ok
Thu 2011-11-24 16:57:55: [632:1914] <-- RCPT TO:
Thu 2011-11-24 16:57:55: [632:1914] --> 250 , Recipient ok
Thu 2011-11-24 16:57:55: [632:1914] <-- DATA
Thu 2011-11-24 16:57:55: [632:1914] --> 354 Enter mail, end with .
Thu 2011-11-24 16:57:55: [632:1914] --> 250 Ok, message saved
Thu 2011-11-24 16:57:55: [632:1914] <-- QUIT
Thu 2011-11-24 16:57:55: [632:1914] --> 221 See ya in cyberspace
Thu 2011-11-24 16:57:55: [632:1914] SMTP session successful, 1840 bytes transferred.
Thu 2011-11-24 16:57:55: [632:1914] Shuffling message(s) into proper queue(s)
Thu 2011-11-24 16:57:55: [632:1914] Message received from 356523-web2.x.com [50.56.45.130] < admin @ x.com > with SMTP for [Size 1829] {j:\localq\md00000000.msg}

The client found this email in his spam folder and it should not have been there. The IP address seems to be eBay's developer website using Rackspace web hosting, so maybe Rackspace are listed rather than eBay!

November 22, 2011

Coincidence or Conspiracy?

I thought it might be interesting to see what data there is on the internet comparing blacklists. There is not that much to look at, and a search on your favourite search engine will likely yield something like the following;

http://www.sdsc.edu/~jeff/spam/cbc.html is a list of performances but no graph or details of errors. The list is showing the top three as:
1st L2.Apews.org
2nd Zen.Spamhaus.org
3rd b.Barracudacentral.org

Interestingly it has Apews as the best blacklist and, as we know, it is free to use for both business and personal use. Spamhaus has many years of providing antispam solutions but they also have subscription services; not everyone may use their data for free. The same is true for many other antispam solution providers, therefore if the spam problem were to cease tomorrow quite a few folks would be out of a job. In fact, anyone that earns money out of spam wants or even needs spam to continue.

Let's see what else we can find,
http://spamlinks.net/filter-dnsbl-lists.htm#local refers to a long out-dated L2.Apews.org data link, namely that of a mirror formerly provided by Sorbs.net, so the spamlinks.net website is not up to date.

http://www.declude.com/Articles.asp?ID=97 makes no mention of Apews.org in their list, not even historically, so not very accurate then.

http://www.dnsbl.info/dnsbl-list.php no mention of Apews.org, another not very accurate source.

http://www.spambouncer.org/reference/blocklists.shtml no mention of Apews.org, another not very accurate source.

http://www.nber.org/sys-admin/dnsbl-comparison.html refers to L1.Apews.org but not L2.Apews.org. L1 is a dataset containing domain names only and L2 is all IP addresses. We have found domain name blacklists to be virtually a waste of time for our servers and email flows.

http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists no mention of Apews.org; you would think that Wikipedia would at least refer to it.

http://www.intra2net.com/en/support/antispam/ started off showing test data but then stopped after the Apews.org servers were attacked by DDOS, stating that the blacklist is no longer available. There is even a special note on the Apews News web page to the webmaster of intra2net.com telling him that they are out of date with their facts.

http://www.techtheft.info/zones/?expand=50 no mention of Apews.org, another inaccurate source.

http://cbl.abuseat.org/faq.html does refer to Apews.org in the part about other blacklists but talks about high false positives, which was true a couple of years ago and before, but not for a long time now. Perhaps the CBL Administrators will start posting their FP details here :-)

http://www.moensted.dk/spam/ does include Apews.org for tests

http://multirbl.valli.org/index.php does include Apews.org for tests

http://wiki.apache.org/spamassassin/DnsBlocklists no mention of Apews.org yet the product SpamAssassin is a scoring solution so it should be even more suited to the use of Apews.org data since the score value for a listing can be adjusted.

http://www.dnsbl.com Al Iverson tested Apews.org data for a couple of years, then just as the catch rate started to surpass existing blacklists he stopped his testing. Our results show that just after he stopped is when the FP rate began to gradually reduce until it reached commercially acceptable levels (said to be approx 0.5% or not more than 1%) well over a year ago.

Anyone add to the above? We will keep looking...

November 10, 2011

RSync for a local copy of a DNSBL

Email servers that do a DNSBL lookup in realtime may sometimes see a DNS timeout or similar. It can happen that requests don't get answered before the time-out period, in which case the email software will usually ignore the check and continue as if the DNSBL had responded "not listed". The effect of these time-outs is that spam can be passed for delivery and / or not marked with an X-Header. In short, inboxes see more spam.

Running a local copy of a DNSBL avoids this problem as the lookup requests stay entirely on your own network, or even on the same server. That ensures continuity of access to the DNSBL data and keeps inboxes free of spam. Maintaining local copies of databases, regardless of whether their data changes frequently or not, can be tedious, but not with RSYNC.

Rsync is a nice routine for downloading only the changed data from a database host. Most if not all DNSBL operators offer rsync and have instructions on their website on how to use it to obtain their data. L2.APEWS.ORG is also available by rsync. It is worth adding that many DNSBL data and services are provided totally free to all users.

I won't get into the installation and configuration of Rsync here, there are other places on the internet that adequately explain that. Unix and Linux users have probably already come across it, and Microsoft Windows users could install e.g. Cygwin. Check for compatibility with your particular operating system etc.
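To make the time-out point concrete, here is an added Python example (my own code, not from the post or from any DNSBL operator) of a DNSBL lookup that keeps "lookup failed" separate from "not listed" instead of silently merging the two as the post describes most mail software doing. It builds the reversed query name exactly as the log lines above show (212.151.101.121.l2.apews.org for 121.101.151.212), reads the 127.0.0.x answer as a listing, and takes the resolver as a parameter so it can run offline against a constructed table. The fake resolver, its entries and the 192.0.2.x / 198.51.100.x addresses are constructed; socket_resolver is the only part that touches the network and relies on the OS stub resolver's own timeout settings.

```python
import ipaddress
import socket
from enum import Enum
from typing import Callable, Dict, Optional, Set, Tuple

Resolver = Callable[[str], Optional[str]]  # returns A record, None for NXDOMAIN, raises TimeoutError


class Verdict(Enum):
    LISTED = "listed"
    NOT_LISTED = "not listed"
    LOOKUP_FAILED = "lookup failed"  # the state that fail-open software hides


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone, as in the MDaemon log above."""
    addr = ipaddress.IPv4Address(ip)  # raises on anything that is not an IPv4 address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_dnsbl(ip: str, zone: str, resolver: Resolver) -> Tuple[Verdict, Optional[str]]:
    """Three-way result: listed (with the 127.0.0.x code), not listed, or failed.
    The caller decides what a failure means for its server role; nothing here
    turns a time-out into 'not listed'."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = resolver(name)
    except TimeoutError:
        return Verdict.LOOKUP_FAILED, None
    if answer is None:
        return Verdict.NOT_LISTED, None
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return Verdict.LISTED, answer
    # A non-loopback answer is not a listing code (a wildcarded or parked zone
    # can return one), so it is reported as a failure rather than a hit.
    return Verdict.LOOKUP_FAILED, answer


def socket_resolver(name: str) -> Optional[str]:
    """Resolver backed by the OS stub resolver; its retries and time-outs come
    from the system configuration (resolv.conf on Unix). NXDOMAIN becomes None,
    a temporary failure (EAI_AGAIN, typically a time-out) becomes TimeoutError."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as err:
        if err.errno == getattr(socket, "EAI_AGAIN", None):
            raise TimeoutError(name) from err
        return None


def fake_resolver(listed: Dict[str, str], slow: Set[str]) -> Resolver:
    """Constructed offline stand-in: a table of listed names and a set of names
    that time out, so both failure modes can be exercised without a network."""
    def resolve(name: str) -> Optional[str]:
        if name in slow:
            raise TimeoutError(name)
        return listed.get(name)
    return resolve


# Constructed data: the listed entry mirrors the lookup in the log above; the
# timing-out entry is an RFC 5737 documentation address, and nothing else is listed.
DEMO_RESOLVER = fake_resolver(
    listed={"212.151.101.121.l2.apews.org": "127.0.0.2"},
    slow={"1.2.0.192.l2.apews.org"},
)

if __name__ == "__main__":
    for ip in ("121.101.151.212", "198.51.100.10", "192.0.2.1"):
        verdict, code = check_dnsbl(ip, "l2.apews.org", DEMO_RESOLVER)
        print(f"{ip:16} {verdict.value:14} {code or ''}")
```

With a local rsync copy served by your own nameserver the LOOKUP_FAILED branch becomes rare, but keeping it visible in logs is what tells you when the realtime zone is unreachable rather than quietly letting everything through.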

November 3, 2011

Antispam whitelist

There is always plenty of talk about how good or bad a blacklist, or blocklist, is, with comments about the false positives generated by that list. These days, with spam at approx 96% of the total daily volume of email sent, no sane email Administrator would operate email servers without first using a whitelist, and thereafter possibly filters in addition.

I have had excellent results from these guys;
http://www.whitelisted.org/
You may want to get your own email server listed on their database so that your emails have a better chance of successful delivery; see their website for instructions. The whitelist service seems to be associated with, or run by, http://www.uceprotect.net/ , a German blacklist operator.

UCEProtect actually have 3 main blacklists, each with its own listing criteria. Using all 3 blacklists together on your email server will require 3 blacklist entries for DNS lookups, but the combined results are very close to those of L2.APEWS.ORG. UCEProtect.net may provide better results for European language based senders and receivers; results here suggest that APEWS.ORG data is particularly good for English.

The purpose of a whitelist is to exempt trusted senders from blacklist checking, i.e. it is a list of trusted IP addresses. Any email sent from a whitelisted IP address is trusted to connect and deliver without any further checking. There cannot be any error due to a blacklist since one has not been consulted!

Any connecting IP address that is not whitelisted probably cannot be trusted and therefore warrants further checking. Things like PTR records can be useful indicators but, as mentioned previously, we see email service providers to governments using badly configured email servers where the reverse DNS does not match. Results here suggest ignoring PTR record checking and just doing a blacklist DNS lookup, creating X-Headers for those connecting IP addresses that are blacklisted.

False positives can be seen as a reflection of the quality of the whitelist being used. If the whitelist maintainer has accurate data, it would not matter whether trusted email servers were listed in the blacklist or not. Fine tuning of data for both whitelists and blacklists is a continuous job, though once the bulk of the entries are in it is just a matter of adding the odd one at local level.

October 28, 2011

Blocking spam using APEWS.ORG

Something that is working came about because spammers ignore published procedure. Let me explain: an email gets sent based on what the DNS records say about the domain name in question. If I have example.com then I may want a website that people can find either at example.com or www.example.com. We do that by creating a blank "A" host record and another for www, thus creating the desired prefixes.

Email servers can be set up for a domain by creating "MX" records in the DNS and setting a priority value for each. One basic system is to have 2 public IP addresses and create an MX record for each, but give one a priority value of say 1 and the other a value of 2. The physical email server on the IP address corresponding to priority 1 will be the first recipient of the domain's emails. Only when sending servers find that server & IP address unreachable or busy will emails start to be tried at the second server & IP address, corresponding to priority value 2. In this way you have published your preference for how sending email servers should attempt to deliver emails to your domain.

What I have found is that spammers send their spam to all MX IP addresses and to the root "A" record IP address in addition. Taking the above example you would have a web server on one IP address and 2 email servers on another 2 different IP addresses, making 3 external or public IP addresses in total. You expect web traffic to go to the www IP address, and the majority of your emails to go to MX1, with MX2 acting as backup or failover.

Nice idea, but spammers don't follow your preferences since they are only interested in successful delivery. They will attempt to deliver spam to all 3 IP addresses, and if your web server should have an email server program listening on TCP port 25 it will receive connections from spam sending bot infested computers etc.

My tip is to separate the traffic by design. Staying with the above simple setup, MX1 is the primary email server on one IP address and MX2 is the secondary. Your web server is on a 3rd IP address and does not handle inbound email therefore it does not have a MX record. That means that it should never receive email and depending on web server traffic, you could choose to have the web server handling outbound emails from the website and / or authorized domain users. It may be that due to high traffic levels you dedicate a 4th server to outbound emails and give it a different IP address to the above. The point is that inbound emails should only ever arrive for delivery at MX 1 or if busy, then MX2.

These days email Administrators must use a whitelist of trusted email server IP addresses. There are some very good databases online and I intend to cover that topic shortly for anyone still unaware or unsure, but it is essential in order to avoid false positives. Set up your email server to check the connecting IP address against your whitelist and accept for delivery from all that are listed.

Any IP address that has a server connecting to your server and is not on that whitelist is unknown to you and therefore untrusted. The public whitelists have come about by Administrators sharing their trusted IP address details so if an IP address is not listed there, that means a lot of network Administrators do not trust the IP address either!

Starting with MX1, your primary email server, set it to accept all inbound email even if it comes from IP addresses that are not listed in the whitelist. Now have the email server check the connecting IP address against L2.APEWS.ORG, either in realtime at the online database or against your local copy obtained via RSYNC (another topic for the near future). If your server finds the connecting IP address to be listed at L2.APEWS.ORG, have the email program create an X-Header which can later be used in filtering. Your server then accepts the email for delivery and transfers all such emails carrying the X-Header to the recipient's Spam or Junk folder.

You can configure your secondary email server MX2 in exactly the same way if you want to, or if the primary server MX1 is handling the majority of emails, you can set this one to reject emails from IP addresses that are listed in L2.APEWS.ORG. Your outbound email server and web server too, if it has an email program running, should be set to reject inbound emails that come from APEWS.ORG listed IP address space. You will only get a false positive if your whitelist is inadequate, remember that the EWS in APEWS stands for "early warning system". I intend to publish here the false positives that we get in the hope of them being delisted by the APEWS.ORG Administrators which helps everyone, more folks should do the same.

The above is currently working on several commercial servers with excellent results. Due to the whitelist on each email server followed by APEWS, 99% of spam is correctly identified. Spammers are getting the 550 error message (which they always ignore) but more importantly, failed delivery. These results are before any after-receipt filters or client side filters.

Do not put Yahoo, Hotmail, Gmail, and the other web-based email servers in your whitelist as we have found that they get used for list washing and can overwhelm your servers. You will find that APEWS.ORG do not have them listed either so you won't lose any emails from their senders. I recommend an alias list that handles mis-spelled email addresses by routing common errors to the correct user email address, and then reject all emails for unknown user names / email addresses. It's all about reputation now, trusted senders are more easily documented as they are so few.
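The policy in this post and in the whitelist post above (whitelist first, then the L2.APEWS.ORG result, with the action depending on which server took the connection, plus an alias list before rejecting unknown recipients) fits in a few lines of code. The Python below is an added example, my own and not the configuration of any mail server product; the whitelist range, the user and alias tables, the X-RBL-Warning header value and the 198.51.100.x / 203.0.113.x connecting addresses are all constructed. The DNSBL verdict is passed in as one of three strings, "listed", "not listed" or "lookup failed", so the decision table can be read on its own.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Role(Enum):
    MX1 = "primary inbound MX"
    MX2 = "secondary inbound MX"
    NO_MX = "outbound / web server with no MX record"


class Action(Enum):
    ACCEPT = "accept"
    ACCEPT_TAG = "accept, insert X-RBL-Warning header, file to Junk"
    REJECT = "550 reject"


@dataclass(frozen=True)
class Decision:
    action: Action
    reason: str
    header: Optional[str] = None  # the X-Header the filter will key on, if any


def is_whitelisted(ip: str, whitelist: List[Network]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in whitelist)


def decide(role: Role, ip: str, whitelist: List[Network], dnsbl_verdict: str,
           mx2_rejects: bool = True) -> Decision:
    """Connection-time policy from the post. A whitelisted address never reaches
    the blacklist check. A listed address is tagged on MX1 (and on MX2 when it
    runs the same way), and refused on MX2 when it rejects and on any server
    that has no MX record, since legitimate inbound mail should never arrive
    there. 'lookup failed' is treated like 'not listed', which is the fail-open
    behaviour the RSync post warns about; the reason string records it."""
    if is_whitelisted(ip, whitelist):
        return Decision(Action.ACCEPT, "whitelisted: blacklist not consulted")
    if dnsbl_verdict != "listed":
        return Decision(Action.ACCEPT, f"not whitelisted; DNSBL result: {dnsbl_verdict}")
    if role is Role.MX1 or (role is Role.MX2 and not mx2_rejects):
        return Decision(Action.ACCEPT_TAG, f"DNSBL listed, accepted on {role.value}",
                        header="X-RBL-Warning: l2.apews.org listed")  # constructed value
    return Decision(Action.REJECT, f"DNSBL listed and {role.value} does not accept it")


def resolve_recipient(local_part: str, users: Set[str], aliases: Dict[str, str]) -> Optional[str]:
    """Alias list for common mis-spellings, then reject unknown names: returns the
    real mailbox, or None so the server can answer 550 Recipient unknown."""
    name = local_part.lower()
    if name in users:
        return name
    target = aliases.get(name)
    return target if target in users else None


# Constructed sample data (RFC 5737 documentation ranges, invented mailbox names).
DEMO_WHITELIST: List[Network] = [ipaddress.ip_network("198.51.100.0/24")]
DEMO_USERS: Set[str] = {"john", "sales"}
DEMO_ALIASES: Dict[str, str] = {"jhon": "john", "sale": "sales", "slaes": "sales"}

if __name__ == "__main__":
    for role in Role:
        for ip, verdict in (("198.51.100.7", "listed"), ("203.0.113.9", "listed"),
                            ("203.0.113.9", "lookup failed")):
            d = decide(role, ip, DEMO_WHITELIST, verdict)
            print(f"{role.name:5} {ip:14} {verdict:14} -> {d.action.value}")
    print(resolve_recipient("jhon", DEMO_USERS, DEMO_ALIASES), resolve_recipient("nobody", DEMO_USERS, DEMO_ALIASES))
```

The one decision left to the operator is mx2_rejects: set it to False and MX2 behaves exactly like MX1, which is the option the post offers for sites where the secondary carries real traffic.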

October 22, 2011

L2.APEWS.ORG False Positive #1

Here is an example for you APEWS;

1 Wed 2011-10-19 18:28:12: [540:1999] Accepting SMTP connection from [50.28.15.113]
2 Wed 2011-10-19 18:28:12: [540:1999] Looking up PTR record for 50.28.15.113 (113.15.28.50.IN-ADDR.ARPA)
3 Wed 2011-10-19 18:28:13: [540:1999] D=113.15.28.50.IN-ADDR.ARPA TTL=(1200) PTR=[host.mudnworks.com]
4 Wed 2011-10-19 18:28:13: [540:1999] Gathering A-records for PTR hosts
5 Wed 2011-10-19 18:28:13: [540:1999] D=host.mudnworks.com TTL=(240) A=[50.28.15.113]
6 Wed 2011-10-19 18:28:13: [540:1999] --> 220 xxx.xxx.xxx ESMTP; Wed, 19 Oct 2011 18:28:13 -0500
7 Wed 2011-10-19 18:28:13: [540:1999] <-- EHLO host.mudnworks.com
8 Wed 2011-10-19 18:28:13: [540:1999] Performing reverse lookup on host.mudnworks.com (looking for 50.28.15.113)
9 Wed 2011-10-19 18:28:13: [540:1999] D=host.mudnworks.com TTL=(239) A=[50.28.15.113]
10 Wed 2011-10-19 18:28:13: [540:1999] --> 250-xxx.xxx.xxx Hello host.mudnworks.com, pleased to meet you
11 Wed 2011-10-19 18:28:13: [540:1999] --> 250-ETRN
12 Wed 2011-10-19 18:28:13: [540:1999] --> 250-AUTH=LOGIN
13 Wed 2011-10-19 18:28:13: [540:1999] --> 250-AUTH LOGIN CRAM-MD5
14 Wed 2011-10-19 18:28:13: [540:1999] --> 250-8BITMIME
15 Wed 2011-10-19 18:28:13: [540:1999] --> 250 SIZE 0
16 Wed 2011-10-19 18:28:13: [540:1999] <-- MAIL FROM: SIZE=6549
17 Wed 2011-10-19 18:28:13: [540:1999] Performing reverse lookup on yyy.yyy (looking for 50.28.15.113)
18 Wed 2011-10-19 18:28:13: [540:1999] D=yyy.yyy TTL=(240) A=[50.28.15.126]
19 Wed 2011-10-19 18:28:14: [540:1999] P=000 D=yyy.yyy TTL=(240) MX=[yyy.yyy] {50.28.15.126}
20 Wed 2011-10-19 18:28:14: [540:1999] Spam Blocker A-record resolution of [113.15.28.50.l2.apews.org] in progress (DNS Server: xxx.xxx.xxx.xxx)...
21 Wed 2011-10-19 18:28:14: [540:1999] Spam Blocker D=113.15.28.50.l2.apews.org TTL=(35) A=[127.0.0.2]
22 Wed 2011-10-19 18:28:14: [540:1999] APEWS listed, 99.7% certain it is spam
23 Wed 2011-10-19 18:28:14: [540:1999] Message will be accepted and X-RBL-Warning: header will be inserted.
24 Wed 2011-10-19 18:28:14: [540:1999] --> 250 , Sender ok
25 Wed 2011-10-19 18:28:14: [540:1999] <-- RCPT TO:
26 Wed 2011-10-19 18:28:14: [540:1999] --> 250 , Recipient ok
27 Wed 2011-10-19 18:28:14: [540:1999] <-- DATA
28 Wed 2011-10-19 18:28:14: [540:1999] --> 354 Enter mail, end with .
29 Wed 2011-10-19 18:28:14: [540:1999] --> 250 Ok, message saved
30 Wed 2011-10-19 18:28:15: [540:1999] <-- QUIT
31 Wed 2011-10-19 18:28:15: [540:1999] --> 221 See ya in cyberspace
32 Wed 2011-10-19 18:28:15: [540:1999] SMTP session successful, 5856 bytes transferred.
33 Wed 2011-10-19 18:28:15: [540:1999] Shuffling message(s) into proper queue(s)
34 Wed 2011-10-19 18:28:15: [540:1999] Message received from host.mudnworks.com [50.28.15.113] with SMTP for [Size 5841] {drive:\folder\localq\50000112311.msg}
Wed 2011-10-19 18:28:15: ----------

Line 1: I know that this email was solicited by the user and was only a single email that came from a website server in response to that user's input. It was found in the user's spam folder due to the use of the X-Header and a script as per my previous post. I have munged the header data but the connecting IP address and host name are real.

Line 2: Note the use of a reverse DNS (rDNS) lookup to establish whether a PTR record exists and matches the connecting IP address. Advice: do not reject incoming emails based on this alone, because I know of several trusted senders (including government and other large institutions) that are not compliant and would result in false positives.

Line 20: Here is the DNS lookup to the L2.APEWS.ORG database in real time; the connecting IP address is found to be listed and a comment is made to that effect. The mail server Administrator for the website on that IP address will have exactly that in his log too.

Line 23: The email server creates the X-Header entry which later causes the email to be placed into the user's spam folder.

Checking ARIN whois shows that the connecting IP address belongs to Liquidweb, which does not have the best of reputations in my opinion. It will be interesting to see if anything happens with this listing. I will report back here if/when I see a change.
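Reading the session above by hand works for one false positive, but a report like this is easier to assemble if the fields the post walks through (connecting IP, PTR and whether it forward-confirms, EHLO name, DNSBL zone and answer, and what the server did) are pulled out of the log automatically. The following is an added example, not a script from this site: the sample lines are copied from the excerpt above, and the regular expressions are inferred from those lines alone, so they are an assumption about MDaemon's log layout rather than a documented format.

```python
"""Extract DNSBL-listing events from MDaemon-style SMTP session logs.

Added example; not the page's own script.  The sample below is copied from
the post's log excerpt (leading line numbers included, as the post numbers
them).  Field layout is inferred from those lines only, so treat the regexes
as assumptions if your MDaemon version logs differently.
"""
import re
from typing import Dict, List

# "<n> Wed 2011-10-19 18:28:12: [540:1999] rest" - the leading number is optional
LINE_RE = re.compile(r"^(?:\d+\s+)?\w{3} (\S+ \S+): \[(\d+:\d+)\] (.*)$")
CONNECT_RE = re.compile(r"Accepting SMTP connection from \[([\d.]+)\]")
PTR_RE = re.compile(r"PTR=\[([^\]]+)\]")
AREC_RE = re.compile(r"D=(\S+) TTL=\(\d+\) A=\[([^\]]+)\]")
EHLO_RE = re.compile(r"<-- (?:EHLO|HELO) (\S+)")
DNSBL_RE = re.compile(r"Spam Blocker D=(\S+) TTL=\(\d+\) A=\[([^\]]+)\]")
HEADER_RE = re.compile(r"Message will be accepted and (\S+) header will be inserted")
REJECT_RE = re.compile(r"--> (5\d\d) ")

SAMPLE_LOG = """\
1 Wed 2011-10-19 18:28:12: [540:1999] Accepting SMTP connection from [50.28.15.113]
2 Wed 2011-10-19 18:28:12: [540:1999] Looking up PTR record for 50.28.15.113 (113.15.28.50.IN-ADDR.ARPA)
3 Wed 2011-10-19 18:28:13: [540:1999] D=113.15.28.50.IN-ADDR.ARPA TTL=(1200) PTR=[host.mudnworks.com]
5 Wed 2011-10-19 18:28:13: [540:1999] D=host.mudnworks.com TTL=(240) A=[50.28.15.113]
7 Wed 2011-10-19 18:28:13: [540:1999] <-- EHLO host.mudnworks.com
9 Wed 2011-10-19 18:28:13: [540:1999] D=host.mudnworks.com TTL=(239) A=[50.28.15.113 ]
18 Wed 2011-10-19 18:28:13: [540:1999] D=yyy.yyy TTL=(240) A=[50.28.15.126]
20 Wed 2011-10-19 18:28:14: [540:1999] Spam Blocker A-record resolution of [113.15.28.50.l2.apews.org] in progress (DNS Server: xxx.xxx.xxx.xxx)...
21 Wed 2011-10-19 18:28:14: [540:1999] Spam Blocker D=113.15.28.50.l2.apews.org TTL=(35) A=[127.0.0.2]
23 Wed 2011-10-19 18:28:14: [540:1999] Message will be accepted and X-RBL-Warning: header will be inserted.
24 Wed 2011-10-19 18:28:14: [540:1999] --> 250 , Sender ok
Wed 2011-10-19 18:28:15: ----------
"""


def parse_sessions(log_text: str) -> Dict[str, dict]:
    """Group lines by [pid:tid] and pull out the fields relevant to a DNSBL report."""
    sessions: Dict[str, dict] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                                  # separators such as "----------"
        ts, sid, rest = m.groups()
        s = sessions.setdefault(sid, {"start": ts, "ip": None, "ptr": None, "ptr_a": [],
                                      "ehlo": None, "dnsbl": {}, "header": None, "reject": None})
        if (c := CONNECT_RE.search(rest)):
            s["ip"] = c.group(1)
        elif (p := PTR_RE.search(rest)):
            s["ptr"] = p.group(1)
        elif (d := DNSBL_RE.search(rest)):            # must precede the generic A-record match
            s["dnsbl"][d.group(1)] = d.group(2).strip()
        elif (a := AREC_RE.search(rest)) and s["ptr"] and a.group(1) == s["ptr"]:
            s["ptr_a"].append(a.group(2).strip())     # tolerates "A=[1.2.3.4 ]"
        elif (e := EHLO_RE.search(rest)):
            s["ehlo"] = e.group(1)
        elif (h := HEADER_RE.search(rest)):
            s["header"] = h.group(1).rstrip(":")
        elif (r := REJECT_RE.search(rest)):
            s["reject"] = r.group(1)
    return sessions


def listed_sessions(sessions: Dict[str, dict]) -> List[dict]:
    """Sessions whose connecting IP hit a DNSBL, with a forward-confirmed rDNS flag."""
    out = []
    for sid, s in sessions.items():
        if not s["dnsbl"]:
            continue
        out.append({
            "session": sid, "start": s["start"], "ip": s["ip"], "ptr": s["ptr"],
            "ehlo": s["ehlo"], "fcrdns": s["ip"] in s["ptr_a"], "zones": s["dnsbl"],
            "action": f"rejected {s['reject']}" if s["reject"] else f"tagged {s['header']}",
        })
    return out


if __name__ == "__main__":
    for rec in listed_sessions(parse_sessions(SAMPLE_LOG)):
        print(rec)
```

The fcrdns flag records the check discussed at Line 2 (PTR present and its A record pointing back at the connecting IP); a listing report that shows forward-confirmed rDNS and a solicited transaction is a stronger delisting case than the bare IP.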