October 22, 2011

L2.APEWS.ORG False Positive #1

Here is an example for you, APEWS:

1 Wed 2011-10-19 18:28:12: [540:1999] Accepting SMTP connection from [50.28.15.113]
2 Wed 2011-10-19 18:28:12: [540:1999] Looking up PTR record for 50.28.15.113 (113.15.28.50.IN-ADDR.ARPA)
3 Wed 2011-10-19 18:28:13: [540:1999] D=113.15.28.50.IN-ADDR.ARPA TTL=(1200) PTR=[host.mudnworks.com]
4 Wed 2011-10-19 18:28:13: [540:1999] Gathering A-records for PTR hosts
5 Wed 2011-10-19 18:28:13: [540:1999] D=host.mudnworks.com TTL=(240) A=[50.28.15.113]
6 Wed 2011-10-19 18:28:13: [540:1999] --> 220 xxx.xxx.xxx ESMTP; Wed, 19 Oct 2011 18:28:13 -0500
7 Wed 2011-10-19 18:28:13: [540:1999] <-- EHLO host.mudnworks.com
8 Wed 2011-10-19 18:28:13: [540:1999] Performing reverse lookup on host.mudnworks.com (looking for 50.28.15.113)
9 Wed 2011-10-19 18:28:13: [540:1999] D=host.mudnworks.com TTL=(239) A=[50.28.15.113 ]
10 Wed 2011-10-19 18:28:13: [540:1999] --> 250-xxx.xxx.xxx Hello host.mudnworks.com, pleased to meet you
11 Wed 2011-10-19 18:28:13: [540:1999] --> 250-ETRN
12 Wed 2011-10-19 18:28:13: [540:1999] --> 250-AUTH=LOGIN
13 Wed 2011-10-19 18:28:13: [540:1999] --> 250-AUTH LOGIN CRAM-MD5
14 Wed 2011-10-19 18:28:13: [540:1999] --> 250-8BITMIME
15 Wed 2011-10-19 18:28:13: [540:1999] --> 250 SIZE 0
16 Wed 2011-10-19 18:28:13: [540:1999] <-- MAIL FROM: SIZE=6549
17 Wed 2011-10-19 18:28:13: [540:1999] Performing reverse lookup on yyy.yyy (looking for 50.28.15.113)
18 Wed 2011-10-19 18:28:13: [540:1999] D=yyy.yyy TTL=(240) A=[50.28.15.126]
19 Wed 2011-10-19 18:28:14: [540:1999] P=000 D=yyy.yyy TTL=(240) MX=[yyy.yyy] {50.28.15.126}
20 Wed 2011-10-19 18:28:14: [540:1999] Spam Blocker A-record resolution of [113.15.28.50.l2.apews.org] in progress (DNS Server: xxx.xxx.xxx.xxx)...
21 Wed 2011-10-19 18:28:14: [540:1999] Spam Blocker D=113.15.28.50.l2.apews.org TTL=(35) A=[127.0.0.2]
22 Wed 2011-10-19 18:28:14: [540:1999] APEWS listed, 99.7% certain it is spam
23 Wed 2011-10-19 18:28:14: [540:1999] Message will be accepted and X-RBL-Warning: header will be inserted.
24 Wed 2011-10-19 18:28:14: [540:1999] --> 250 , Sender ok
25 Wed 2011-10-19 18:28:14: [540:1999] <-- RCPT TO:
26 Wed 2011-10-19 18:28:14: [540:1999] --> 250 , Recipient ok
27 Wed 2011-10-19 18:28:14: [540:1999] <-- DATA
28 Wed 2011-10-19 18:28:14: [540:1999] --> 354 Enter mail, end with .
29 Wed 2011-10-19 18:28:14: [540:1999] --> 250 Ok, message saved
30 Wed 2011-10-19 18:28:15: [540:1999] <-- QUIT
31 Wed 2011-10-19 18:28:15: [540:1999] --> 221 See ya in cyberspace
32 Wed 2011-10-19 18:28:15: [540:1999] SMTP session successful, 5856 bytes transferred.
33 Wed 2011-10-19 18:28:15: [540:1999] Shuffling message(s) into proper queue(s)
34 Wed 2011-10-19 18:28:15: [540:1999] Message received from host.mudnworks.com [50.28.15.113] with SMTP for [Size 5841] {drive:\folder\localq\50000112311.msg}
Wed 2011-10-19 18:28:15: ----------

Line 1: I know that this email was solicited by the user and was only a single email that came from a website server in response to that user's input. It was found in the user's spam folder due to the use of the X-Header and a script as per my previous post. I have munged the header data but the connecting IP address and host name are real.

Line 2: Note the use of a reverse DNS (rDNS) lookup to establish whether a PTR record exists for the connecting IP address and whether its forward lookup matches. Advice: do not reject incoming email on this check alone, because I know of several trusted senders (including government and other large institutions) whose mail servers are not compliant and would produce false positives.

Line 20: Here is the real-time DNS lookup against the L2.APEWS.ORG database: the connecting IP address is found to be listed and a comment is logged to that effect. The mail server administrator for the website on that IP address will have exactly the same entry in his log.

Line 23: The email server adds the X-RBL-Warning: header, which later causes the email to be placed into the user's spam folder.
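To make the two checks visible in the log concrete (the forward-confirmed rDNS check at lines 2 to 9, and the reversed-octet DNSBL query at lines 20 to 23), here is an added example that is not part of the original post. It rebuilds both lookups and applies the post's policy of tagging the message with a warning header rather than rejecting it. DNS answers come from a constructed in-memory table mirroring what the log shows (plus one constructed unlisted host for contrast), so it runs offline; the `lookup` stub and the `X-RDNS-Warning` header name are assumptions of this example, not anything the post or MDaemon-style server defines.

```python
"""
Added example (not from the original post): forward-confirmed reverse DNS
(FCrDNS) check and a DNSBL lookup against l2.apews.org, with the post's
"accept and tag" policy. DNS answers are served from a constructed table so
the script runs offline; swap `lookup` for a real resolver on a live server.
"""
import ipaddress

# Constructed DNS table mirroring the answers visible in the log above.
# Keys are (name, rrtype); values are lists of answers.
FAKE_DNS = {
    ("113.15.28.50.in-addr.arpa", "PTR"): ["host.mudnworks.com"],
    ("host.mudnworks.com", "A"): ["50.28.15.113"],
    ("113.15.28.50.l2.apews.org", "A"): ["127.0.0.2"],
    # Constructed unlisted host with valid FCrDNS, for contrast (not in the log).
    ("9.0.0.10.in-addr.arpa", "PTR"): ["mail.example.net"],
    ("mail.example.net", "A"): ["10.0.0.9"],
}


def lookup(name, rrtype):
    """Stub resolver (assumption): returns [] for NXDOMAIN instead of raising."""
    return FAKE_DNS.get((name.lower(), rrtype), [])


def reversed_octets(ip):
    """'50.28.15.113' -> '113.15.28.50' (IPv4 only, as in the log)."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split(".")))


def fcrdns(ip):
    """Forward-confirmed rDNS: a PTR name must resolve back to the same IP."""
    ptr_names = lookup(reversed_octets(ip) + ".in-addr.arpa", "PTR")
    confirmed = [n for n in ptr_names if ip in lookup(n, "A")]
    return {"ptr": ptr_names, "confirmed": bool(confirmed)}


def dnsbl_listed(ip, zone="l2.apews.org"):
    """Query <reversed-ip>.<zone>; any answer in 127.0.0.0/8 means 'listed'."""
    answers = lookup(f"{reversed_octets(ip)}.{zone}", "A")
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return [a for a in answers if ipaddress.IPv4Address(a) in loopback]


def evaluate(ip, zone="l2.apews.org"):
    """Decide what to do with a connection.

    Following the post's advice, neither a DNSBL hit nor a failed FCrDNS
    check rejects the message on its own; each only adds a warning header
    that downstream filtering (the user's spam-folder script) can act on.
    """
    rdns = fcrdns(ip)
    hits = dnsbl_listed(ip, zone)
    headers = []
    if hits:
        headers.append(f"X-RBL-Warning: {ip} listed in {zone} ({', '.join(hits)})")
    if not rdns["confirmed"]:
        # Header name is an assumption of this example.
        headers.append(f"X-RDNS-Warning: no forward-confirmed PTR for {ip}")
    return {
        "action": "accept",
        "fcrdns": rdns["confirmed"],
        "dnsbl_hits": hits,
        "headers": headers,
    }


if __name__ == "__main__":
    for ip in ("50.28.15.113", "10.0.0.9", "192.0.2.1"):
        print(ip, evaluate(ip))
```

Running it shows the log's own case (50.28.15.113) passing FCrDNS but getting an X-RBL-Warning header, the constructed clean host getting no headers, and an address with no PTR at all still being accepted with only an rDNS warning, which is exactly the non-rejecting posture the Line 2 advice argues for.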

Checking ARIN whois shows that the connecting IP address belongs to Liquidweb, which does not have the best of reputations in my opinion. It will be interesting to see if anything happens with this listing. I will report back here if/when I see a change.

4 comments:

  1. Update - APEWS have removed the listing!

    Some time during the last few days L2.APEWS.ORG removed the 50.28.15.113 from their database. That's one less false positive here and we haven't had another to report as of the time of writing. Probably a coincidence with this being a new blog so no claim for glory here but it does show that the APEWS data is changing, and for the better.

  2. How do I get off of your list?

    Replies
    1. From what I have seen, this is the first public place where you can publish APEWS' errors with a hope of them seeing it and correcting their data. If you feel that you are incorrectly listed, by all means publish the false positive as I have been doing. It is then in plain view for anyone to judge for themselves. Maybe you have a client that is using the APEWS blocklist in which case you would first ask that client to whitelist your mail server IP address, and second you or your client can publish the error here.

  3. Hello,

    My IP 203.189.137.32 was blocked as spam with apews.org,
    please unblock it for me.

    Thank you so much for your help.