November 29, 2011

L2.APEWS.ORG False Positive #3

Here is another false positive. Does nobody else have any? Strange: there is so much chat about the number of errors generated by using APEWS, yet we are finding very few false positives. The ones we have found to date are without using a whitelist and before any client-side filtering.

Mon 2011-11-28 07:55:47: [632:2869] Accepting SMTP connection from [176.9.30.45]
Mon 2011-11-28 07:55:47: [632:2869] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Mon, 28 Nov 2011 07:55:47 -0500
Mon 2011-11-28 07:55:47: [632:2869] <-- EHLO mail.enewsletters.travel
Mon 2011-11-28 07:55:47: [632:2869] --> 250-xxx.xxx.xxx Hello mail.enewsletters.travel, pleased to meet you
Mon 2011-11-28 07:55:47: [632:2869] --> 250-ETRN
Mon 2011-11-28 07:55:47: [632:2869] --> 250-AUTH=LOGIN
Mon 2011-11-28 07:55:47: [632:2869] --> 250-AUTH LOGIN CRAM-MD5
Mon 2011-11-28 07:55:47: [632:2869] --> 250-8BITMIME
Mon 2011-11-28 07:55:47: [632:2869] --> 250 SIZE 0
Mon 2011-11-28 07:55:48: [632:2869] <-- MAIL FROM:< bounce @ tma.travel > SIZE=75362 BODY=8BITMIME
Mon 2011-11-28 07:55:48: [632:2869] Spam Blocker A-record resolution of [45.30.9.176.l2.apews.org] in progress (DNS Server: 192.168.1.2)...
Mon 2011-11-28 07:55:48: [632:2869] Spam Blocker D=45.30.9.176.l2.apews.org TTL=(35) A=[127.0.0.2]
Mon 2011-11-28 07:55:48: [632:2869] APEWS listed, 99.7% certain it is spam
Mon 2011-11-28 07:55:48: [632:2869] Message will be accepted and X-RBL-Warning: header will be inserted.
Mon 2011-11-28 07:55:48: [632:2869] --> 250 < bounce @ tma.travel >, Sender ok
Mon 2011-11-28 07:55:48: [632:2869] <-- RCPT TO:
Mon 2011-11-28 07:55:48: [632:2869] --> 250 , Recipient ok
Mon 2011-11-28 07:55:48: [632:2869] <-- DATA
Mon 2011-11-28 07:55:48: [632:2869] --> 354 Enter mail, end with .
Mon 2011-11-28 07:55:50: [632:2869] --> 250 Ok, message saved
Mon 2011-11-28 07:55:50: [632:2869] <-- QUIT
Mon 2011-11-28 07:55:50: [632:2869] --> 221 See ya in cyberspace
Mon 2011-11-28 07:55:50: [632:2869] SMTP session successful, 75775 bytes transferred.
Mon 2011-11-28 07:55:50: [632:2869] Shuffling message(s) into proper queue(s)
Mon 2011-11-28 07:55:50: [632:2869] Message received from mail.enewsletters.travel [176.9.30.45] with SMTP for [Size 75762] {j:\localq\md0000000.msg}
Mon 2011-11-28 07:55:50: ----------

Our client reported that the email landed in the spam folder, but it is in fact a daily newsletter aimed at people in the travel business. Looking on the http://www.apews.org website, the IP address itself is not listed but its /24 is, which suggests that a spammer has an IP address close to that of the newsletter. Further checking of WHOIS shows this IP address belongs to Hetzner, a German hosting business, which in our experience has issues like this quite often.
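The log above shows the mechanics of the lookup: MDaemon reverses the client's octets, appends the l2.apews.org zone, and treats an A record in 127/8 as a hit, then (as configured here) accepts the message and tags it with an X-RBL-Warning header instead of rejecting it. The following is an added example, not code from the post or from MDaemon or APEWS, that reproduces that query construction, parses the "Spam Blocker" log line back into the IP that was looked up, and models the /24 listing the post describes with an offline stub resolver. The listing data, the stub resolver and the 127.0.0.2 "listed" code are assumptions for the example; a real deployment would replace stub_resolve with an actual DNS A lookup.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# Constructed listing data for the offline stub resolver (an assumption for this
# example, not real APEWS data): the post says the single IP is not listed but
# its /24 is, so the stub lists all of 176.9.30.0/24 under l2.apews.org.
STUB_LISTINGS: Dict[str, List[ipaddress.IPv4Network]] = {
    "l2.apews.org": [ipaddress.IPv4Network("176.9.30.0/24")],
}
LISTED_CODE = "127.0.0.2"  # the A record MDaemon logged for the hit


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: octets reversed, then the zone appended.
    176.9.30.45 + l2.apews.org -> 45.30.9.176.l2.apews.org (as in the log)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def ip_from_query_name(qname: str, zone: str) -> Optional[str]:
    """Invert dnsbl_query_name; returns None if qname is not a 4-label name in zone."""
    suffix = "." + zone
    if not qname.endswith(suffix):
        return None
    labels = qname[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    return str(ipaddress.IPv4Address(".".join(reversed(labels))))


def stub_resolve(qname: str) -> List[str]:
    """Stand-in for a DNS A lookup so the example runs offline.
    Returns the answer list; an empty list plays the role of NXDOMAIN."""
    for zone, networks in STUB_LISTINGS.items():
        ip = ip_from_query_name(qname, zone)
        if ip and any(ipaddress.IPv4Address(ip) in net for net in networks):
            return [LISTED_CODE]
    return []


def check_ip(ip: str, zone: str,
             resolve: Callable[[str], List[str]] = stub_resolve) -> Dict[str, object]:
    """Look an IP up in a DNSBL zone and report what the receiving MTA would do."""
    qname = dnsbl_query_name(ip, zone)
    answers = resolve(qname)
    listed = any(a.startswith("127.") for a in answers)  # DNSBLs answer inside 127/8
    return {
        "query": qname,
        "answers": answers,
        "listed": listed,
        # mirrors the post's configuration: tag the message, do not reject it
        "action": "accept, insert X-RBL-Warning header" if listed else "accept",
    }


SPAM_BLOCKER_RE = re.compile(
    r"Spam Blocker D=(?P<qname>\S+) TTL=\((?P<ttl>\d+)\) A=\[(?P<answer>[\d.]+)\]"
)


def parse_spam_blocker_line(line: str,
                            zone: str = "l2.apews.org") -> Optional[Dict[str, object]]:
    """Pull query name, TTL and answer out of an MDaemon 'Spam Blocker' log line
    and recover the client IP that was looked up. Returns None for other lines."""
    m = SPAM_BLOCKER_RE.search(line)
    if not m:
        return None
    return {
        "qname": m["qname"],
        "ttl": int(m["ttl"]),
        "answer": m["answer"],
        "ip": ip_from_query_name(m["qname"], zone),
    }


if __name__ == "__main__":
    # The hit line from the post's log, used as sample input.
    line = ("Mon 2011-11-28 07:55:48: [632:2869] Spam Blocker "
            "D=45.30.9.176.l2.apews.org TTL=(35) A=[127.0.0.2]")
    print(parse_spam_blocker_line(line))
    print(check_ip("176.9.30.45", "l2.apews.org"))   # inside the listed /24
    print(check_ip("176.9.31.1", "l2.apews.org"))    # outside it: not listed
```

Because check_ip takes the resolver as a parameter, the same decision logic can be exercised against a stub in tests and against real DNS in production; and because the parser recovers the client IP from the reversed query name, the "Spam Blocker" lines alone are enough to build a list of which neighbours in a listed /24 are hitting a mail server, which is the evidence you would take to the hosting provider or use to decide on a whitelist entry.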

1 comment:

  1. Good news: this IP address is no longer listed, so that is one less false positive for the admins to deal with.