December 1, 2011

L2.APEWS.ORG False Positive #6

This is another possible false positive; as with #5, whether it really is one depends on your email flow, user requirements and so on. Not everyone has the same geographic distribution of email senders. However, let us take a look:

Wed 2011-11-30 22:47:41: [948:3883] Accepting SMTP connection from [121.101.151.212]
Wed 2011-11-30 22:47:41: [948:3883] Looking up PTR record for 121.101.151.212 (212.151.101.121.IN-ADDR.ARPA)
Wed 2011-11-30 22:47:42: [948:3883] D=212.151.101.121.IN-ADDR.ARPA TTL=(29) PTR=[nm3-vm0.bullet.mail.in.yahoo.com]
Wed 2011-11-30 22:47:42: [948:3883] Gathering A-records for PTR hosts
Wed 2011-11-30 22:47:42: [948:3883] D=nm3-vm0.bullet.mail.in.yahoo.com TTL=(30) A=[121.101.151.212]
Wed 2011-11-30 22:47:42: [948:3883] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Wed, 30 Nov 2011 22:47:42 -0500
Wed 2011-11-30 22:47:42: [948:3883] <-- HELO nm3-vm0.bullet.mail.in.yahoo.com
Wed 2011-11-30 22:47:42: [948:3883] Performing reverse lookup on nm3-vm0.bullet.mail.in.yahoo.com (looking for 121.101.151.212)
Wed 2011-11-30 22:47:42: [948:3883] D=nm3-vm0.bullet.mail.in.yahoo.com TTL=(30) A=[121.101.151.212]
Wed 2011-11-30 22:47:42: [948:3883] --> 250 xxx.xxx.xxx Hello nm3-vm0.bullet.mail.in.yahoo.com, pleased to meet you
Wed 2011-11-30 22:47:42: [948:3883] <-- MAIL FROM:
Wed 2011-11-30 22:47:42: [948:3883] Performing reverse lookup on yahoo.com (looking for 121.101.151.212)
Wed 2011-11-30 22:47:43: [948:3883] D=yahoo.com TTL=(60) A=[72.30.2.43]
Wed 2011-11-30 22:47:43: [948:3883] P=001 D=yahoo.com TTL=(30) MX=[mta7.am0.yahoodns.net] {98.139.175.225}
Wed 2011-11-30 22:47:43: [948:3883] P=001 D=yahoo.com TTL=(30) MX=[mta6.am0.yahoodns.net] {74.6.136.244}
Wed 2011-11-30 22:47:43: [948:3883] P=001 D=yahoo.com TTL=(30) MX=[mta5.am0.yahoodns.net] {66.94.237.139}
Wed 2011-11-30 22:47:43: [948:3883] Spam Blocker A-record resolution of [212.151.101.121.l2.apews.org] in progress (DNS Server: 192.168.1.2)...
Wed 2011-11-30 22:47:43: [948:3883] Spam Blocker D=212.151.101.121.l2.apews.org TTL=(35) A=[127.0.0.2]
Wed 2011-11-30 22:47:43: [948:3883] APEWS listed, 99.7% certain it is spam
Wed 2011-11-30 22:47:43: [948:3883] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2011-11-30 22:47:43: [948:3883] --> 250 , Sender ok
Wed 2011-11-30 22:47:43: [948:3883] <-- RCPT TO:
Wed 2011-11-30 22:47:43: [948:3883] --> 250 , Recipient ok
Wed 2011-11-30 22:47:44: [948:3883] <-- DATA
Wed 2011-11-30 22:47:44: [948:3883] --> 354 Enter mail, end with .
Wed 2011-11-30 22:47:44: [948:3883] --> 250 Ok, message saved
Wed 2011-11-30 22:47:45: [948:3883] <-- QUIT
Wed 2011-11-30 22:47:45: [948:3883] --> 221 See ya in cyberspace
Wed 2011-11-30 22:47:45: [948:3883] SMTP session successful, 2254 bytes transferred.
Wed 2011-11-30 22:47:45: [948:3883] Shuffling message(s) into proper queue(s)
Wed 2011-11-30 22:47:45: [948:3883] Message received from nm3-vm0.bullet.mail.in.yahoo.com [121.101.151.212] with SMTP for [Size 2245] {j:\localq\x00000000000.msg}

The connecting IP address belongs to Yahoo India and is listed as a CIDR block [a group of IP addresses], 121.101.150.0/23, within the larger block 121.101.144.0/20. In one of the earlier posts on setup we said that the free webmail providers like Yahoo, Hotmail and Google are not listed in APEWS, but also advised not to mark their servers as trusted or whitelisted: simply let them connect and go through the full SMTP process on your server, including rDNS / PTR lookups as you feel necessary.

This listing therefore contradicts that and surprises us a little, hmmm... it requires some further research. Email delivery involves a dialog between two email servers, which leaves behind a few lines of text referred to as the email header. A lot of spam comes from a connecting IP address that sends data claiming it received the email from one or more email servers beforehand. In most cases this information cannot be trusted, as spam software is known to deliberately falsify it in order to mislead the recipient into granting the message a more trustworthy reputation. The exceptions are the professional email senders referred to in an earlier post and the free webmail providers like Yahoo, Hotmail and Google: whilst they may hide or omit useful sender-identifying data, to our knowledge they don't deliberately falsify it.

In order to examine this possible false positive further, a copy of the actual email was obtained from the recipient. The email client program revealed further headers:

>from [127.0.0.1] by smtp107.mail.in.yahoo.com with NNFMP; 01 Dec 2011 03:49:03 -0000
>from [121.101.151.237] by nm3.bullet.mail.in.yahoo.com with NNFMP; 01 Dec 2011 03:49:03 -0000
>from [202.86.5.94] by tm2.bullet.mail.in.yahoo.com with NNFMP; 01 Dec 2011 03:49:29 -0000
>from zsdguhzdpyqlnviqt (cwkpaola1972@201.241.150.55 with login) by smtp107.mail.in.yahoo.com with SMTP; 01 Dec 2011 09:19:02 +0530 IST

We are almost certain that the email was passed between the Yahoo email servers as listed above. Working down the list we see that the Yahoo server named smtp107.mail.in.yahoo.com (its IP address, 202.86.5.94, checks out) was the one that received the email from a computer with IP address 201.241.150.55, which belongs to VTR, an ISP in Chile. At the time of writing, 201.241.150.55 resolves to the name pc-55-150-241-201.cm.vtr.net, a format usually used for dynamic IP allocations, certainly not a commercial server.
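The two checks walked through above (building the DNSBL query name that appears in the MDaemon log, and tracing the Received chain down to the submitting client) can be automated. This is an added example written for this post, not MDaemon or APEWS code; the header list is constructed from the headers quoted above, with the "Received:" prefix assumed.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample: the Received headers quoted in the post, latest hop first
# (the "Received:" label is assumed; the post shows the lines without it).
RECEIVED = [
    "from [127.0.0.1] by smtp107.mail.in.yahoo.com with NNFMP; 01 Dec 2011 03:49:03 -0000",
    "from [121.101.151.237] by nm3.bullet.mail.in.yahoo.com with NNFMP; 01 Dec 2011 03:49:03 -0000",
    "from [202.86.5.94] by tm2.bullet.mail.in.yahoo.com with NNFMP; 01 Dec 2011 03:49:29 -0000",
    "from zsdguhzdpyqlnviqt (cwkpaola1972@201.241.150.55 with login) "
    "by smtp107.mail.in.yahoo.com with SMTP; 01 Dec 2011 09:19:02 +0530 IST",
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP = re.compile(r"from\s+(.*?)\s+by\s+(\S+)")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reverse the octets, append the list zone.
    For 121.101.151.212 and l2.apews.org this is the name seen in the log."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def originating_client(received: List[str]) -> Optional[dict]:
    """Walk the chain from the oldest hop upward and return the first hop whose
    'from' address is neither loopback nor private: that is the submitting
    client. Also report whether the hop shows an authenticated login, as the
    Yahoo webmail header in the post does ("... with login")."""
    for hop in reversed(received):
        m = HOP.match(hop)
        if not m:
            continue
        ips = IPV4.findall(m.group(1))
        if not ips:
            continue
        addr = ipaddress.IPv4Address(ips[0])
        if addr.is_loopback or addr.is_private:
            continue
        return {
            "ip": ips[0],
            "receiving_host": m.group(2),
            "authenticated": "with login" in m.group(1),
        }
    return None


if __name__ == "__main__":
    print(dnsbl_query_name("121.101.151.212", "l2.apews.org"))
    print(originating_client(RECEIVED))
```

A live check would then resolve the returned name and treat an answer in 127.0.0.0/8 (127.0.0.2 in the log) as "listed"; the example stays offline and stops at the name.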

Now let us look at the content of the email, just one line of text:

ZMLNIGXGCOBMThe_Electronic-Payments-AssociationÄ›

with a link to the following website http :// goo.gl / 5z4hU.

It seems suspicious that an email sender with a Chilean IP address would log in to a Yahoo India webmail server to send only one email to a user on our network who does not know the sender. The content of the email is spam and quite rightly ended up in the spam folder.

You will need to judge for yourselves whether the Yahoo India email servers send mostly solicited emails or mostly spam. In recent weeks we have noticed a huge rise in the volume of spam being delivered by the free webmail providers, especially AOL.

1 comment:

  1. Also delisted is this Yahoo India server, decide for yourselves about the ratio of spam versus genuine email being sent from there to your email server.