December 1, 2011

L2.APEWS.ORG False Positive #5

Found another possible false positive. I say possible because whether it counts as one depends on your email flow, server policies, user requirements, etc. This one is a free email service in China, so most of its senders are probably Chinese, which may or may not matter to your network and users.

Wed 2011-11-30 22:46:47: [688:3882] Accepting SMTP connection from [60.28.228.177]
Wed 2011-11-30 22:46:47: [688:3882] Looking up PTR record for 60.28.228.177 (177.228.28.60.IN-ADDR.ARPA)
Wed 2011-11-30 22:46:48: [688:3882] D=177.228.28.60.IN-ADDR.ARPA TTL=(1440) PTR=[mail228-177.sinamail.sina.com.cn]
Wed 2011-11-30 22:46:48: [688:3882] Gathering A-records for PTR hosts
Wed 2011-11-30 22:46:49: [688:3882] D=mail228-177.sinamail.sina.com.cn TTL=(1) A=[60.28.228.177]
Wed 2011-11-30 22:46:49: [688:3882] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Wed, 30 Nov 2011 22:46:49 -0500
Wed 2011-11-30 22:46:49: [688:3882] <-- EHLO mail228-177.sinamail.sina.com.cn
Wed 2011-11-30 22:46:49: [688:3882] Performing reverse lookup on mail228-177.sinamail.sina.com.cn (looking for 60.28.228.177)
Wed 2011-11-30 22:46:49: [688:3882] D=mail228-177.sinamail.sina.com.cn TTL=(0) A=[60.28.228.177]
Wed 2011-11-30 22:46:49: [688:3882] --> 250-xxx.xxx.xxx Hello mail228-177.sinamail.sina.com.cn, pleased to meet you
Wed 2011-11-30 22:46:49: [688:3882] --> 250-ETRN
Wed 2011-11-30 22:46:49: [688:3882] --> 250-AUTH=LOGIN
Wed 2011-11-30 22:46:49: [688:3882] --> 250-AUTH LOGIN CRAM-MD5
Wed 2011-11-30 22:46:49: [688:3882] --> 250-8BITMIME
Wed 2011-11-30 22:46:49: [688:3882] --> 250 SIZE 0
Wed 2011-11-30 22:46:50: [688:3882] <-- MAIL FROM: SIZE=23421
Wed 2011-11-30 22:46:50: [688:3882] Performing reverse lookup on sina.com (looking for 60.28.228.177)
Wed 2011-11-30 22:46:50: [688:3882] D=sina.com TTL=(1) A=[12.130.132.30]
Wed 2011-11-30 22:46:51: [688:3882] P=010 D=sina.com TTL=(0) MX=[freemx3.sinamail.sina.com.cn]
Wed 2011-11-30 22:46:51: [688:3882] P=010 D=sina.com TTL=(0) MX=[freemx2.sinamail.sina.com.cn] {218.30.115.106}
Wed 2011-11-30 22:46:51: [688:3882] P=010 D=sina.com TTL=(0) MX=[freemx1.sinamail.sina.com.cn]
Wed 2011-11-30 22:46:51: [688:3882] P=005 D=sina.com TTL=(0) MX=[freemx.sinamail.sina.com.cn]
Wed 2011-11-30 22:46:51: [688:3882] D=freemx3.sinamail.sina.com.cn TTL=(30) A=[60.28.2.248]
Wed 2011-11-30 22:46:52: [688:3882] D=freemx1.sinamail.sina.com.cn TTL=(30) A=[202.108.3.242]
Wed 2011-11-30 22:46:52: [688:3882] D=freemx.sinamail.sina.com.cn TTL=(0) A=[202.108.3.242]
Wed 2011-11-30 22:46:52: [688:3882] Spam Blocker A-record resolution of [177.228.28.60.l2.apews.org] in progress (DNS Server: 192.168.1.2)...
Wed 2011-11-30 22:46:52: [688:3882] Spam Blocker D=177.228.28.60.l2.apews.org TTL=(35) A=[127.0.0.2]
Wed 2011-11-30 22:46:52: [688:3882] APEWS listed, 99.7% certain it is spam
Wed 2011-11-30 22:46:52: [688:3882] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2011-11-30 22:46:52: [688:3882] --> 250 , Sender ok
Wed 2011-11-30 22:46:53: [688:3882] <-- RCPT TO:
Wed 2011-11-30 22:46:53: [688:3882] --> 250 , Recipient ok
Wed 2011-11-30 22:46:53: [688:3882] <-- DATA
Wed 2011-11-30 22:46:53: [688:3882] --> 354 Enter mail, end with .
Wed 2011-11-30 22:47:05: [688:3882] --> 250 Ok, message saved
Wed 2011-11-30 22:47:05: [688:3882] <-- QUIT
Wed 2011-11-30 22:47:05: [688:3882] --> 221 See ya in cyberspace
Wed 2011-11-30 22:47:05: [688:3882] SMTP session successful, 23613 bytes transferred.
Wed 2011-11-30 22:47:05: [688:3882] Shuffling message(s) into proper queue(s)
Wed 2011-11-30 22:47:05: [688:3882] Message received from mail228-177.sinamail.sina.com.cn [60.28.228.177] with SMTP for [Size 23602] {j:\localq\md00000000000.msg}
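The session above shows the mechanics of a DNSBL check: MDaemon reverses the octets of the connecting IP (60.28.228.177 becomes 177.228.28.60), appends the list zone (l2.apews.org), looks up an A record, and treats an answer in 127.0.0.0/8 (here 127.0.0.2) as "listed". Because the server is configured to tag rather than reject, the message is accepted with an X-RBL-Warning: header. The script below is an added example (not MDaemon's code or anything from this post's author) that builds the query name the same way, interprets the answer, and pulls the verdict out of a few constructed log lines shaped like the ones above; the regular expressions are assumptions about that log format and it performs no live DNS lookups.

```python
import ipaddress
import re

# Constructed sample: a handful of MDaemon-style session lines modelled on the post's log.
SAMPLE_LOG = """\
Wed 2011-11-30 22:46:47: [688:3882] Accepting SMTP connection from [60.28.228.177]
Wed 2011-11-30 22:46:48: [688:3882] D=177.228.28.60.IN-ADDR.ARPA TTL=(1440) PTR=[mail228-177.sinamail.sina.com.cn]
Wed 2011-11-30 22:46:52: [688:3882] Spam Blocker A-record resolution of [177.228.28.60.l2.apews.org] in progress (DNS Server: 192.168.1.2)...
Wed 2011-11-30 22:46:52: [688:3882] Spam Blocker D=177.228.28.60.l2.apews.org TTL=(35) A=[127.0.0.2]
Wed 2011-11-30 22:46:52: [688:3882] Message will be accepted and X-RBL-Warning: header will be inserted.
"""

# Assumed line shapes; adjust if your MDaemon version logs differently.
CONNECT_RE = re.compile(r"Accepting SMTP connection from \[(?P<ip>[\d.]+)\]")
PTR_RE = re.compile(r"PTR=\[(?P<ptr>[^\]]+)\]")
DNSBL_RE = re.compile(r"Spam Blocker D=(?P<qname>\S+) TTL=\(\d+\) A=\[(?P<answer>[\d.]+)\]")
ACTION_RE = re.compile(r"Message will be (?P<action>\w+)")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the list zone: 60.28.228.177 -> 177.228.28.60.l2.apews.org."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything that is not a dotted quad
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed_answer(answer: str) -> bool:
    """A DNSBL reports 'listed' with an A record inside 127.0.0.0/8; any other answer (or none) means not listed."""
    try:
        return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")
    except ValueError:
        return False


def parse_session(log: str) -> dict:
    """Extract the connecting IP, its PTR, each DNSBL answer keyed by zone, and MDaemon's decision."""
    session = {"ip": None, "ptr": None, "dnsbl": {}, "action": None}
    for line in log.splitlines():
        if m := CONNECT_RE.search(line):
            session["ip"] = m.group("ip")
        elif m := PTR_RE.search(line):
            session["ptr"] = m.group("ptr")
        elif m := DNSBL_RE.search(line):
            qname, answer = m.group("qname"), m.group("answer")
            # Recover the zone by stripping the reversed-octet prefix we expect for the connecting IP.
            zone = qname
            if session["ip"]:
                prefix = dnsbl_query_name(session["ip"], "")  # reversed octets plus trailing dot
                if qname.startswith(prefix):
                    zone = qname[len(prefix):]
            session["dnsbl"][zone] = {"answer": answer, "listed": is_listed_answer(answer)}
        elif m := ACTION_RE.search(line):
            session["action"] = m.group("action")
    return session


if __name__ == "__main__":
    result = parse_session(SAMPLE_LOG)
    for zone, verdict in result["dnsbl"].items():
        state = "listed" if verdict["listed"] else "not listed"
        print(f"{result['ip']} ({result['ptr']}): {state} on {zone}, answer {verdict['answer']}; action: {result['action']}")
```

Running it against a day's worth of sessions gives a quick tally of which listings led to a tag versus a reject, which is the evidence you need when deciding whether a list like L2.APEWS.ORG should only add a header, as it does here, or be allowed to refuse mail outright.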

As before, any news will be reported here.

1 comment:

  1. Checked this IP address too; it is also no longer listed. You decide for yourselves if the ratio between spam and genuine emails is right; for us, we're not finding spam from the sina.com.cn email servers. If and when we do, it will be reported here.