December 8, 2011

L2.APEWS.ORG False Positive #7

This is another example of a possible false positive: whether it is one for you will depend on your client base and email flow.

Wed 2011-12-07 03:59:15: [1144:6063] Accepting SMTP connection from [61.135.132.132]
Wed 2011-12-07 03:59:15: [1144:6063] Looking up PTR record for 61.135.132.132 (132.132.135.61.IN-ADDR.ARPA)
Wed 2011-12-07 03:59:17: [1144:6063] D=132.132.135.61.IN-ADDR.ARPA TTL=(59) PTR=[websmtp.sohu.com]
Wed 2011-12-07 03:59:17: [1144:6063] Gathering A-records for PTR hosts
Wed 2011-12-07 03:59:18: [1144:6063] D=websmtp.sohu.com TTL=(10) A=[61.135.132.204]
Wed 2011-12-07 03:59:18: [1144:6063] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Wed, 07 Dec 2011 03:59:18 -0500
Wed 2011-12-07 03:59:18: [1144:6063] <-- EHLO websmtp.sohu.com
Wed 2011-12-07 03:59:18: [1144:6063] Performing reverse lookup on websmtp.sohu.com (looking for 61.135.132.132)
Wed 2011-12-07 03:59:18: [1144:6063] D=websmtp.sohu.com TTL=(9) A=[61.135.132.204]
Wed 2011-12-07 03:59:18: [1144:6063] --> 250-xxx.xxx.xxx Hello websmtp.sohu.com (may be forged), pleased to meet you
Wed 2011-12-07 03:59:18: [1144:6063] --> 250-ETRN
Wed 2011-12-07 03:59:18: [1144:6063] --> 250-AUTH=LOGIN
Wed 2011-12-07 03:59:18: [1144:6063] --> 250-AUTH LOGIN CRAM-MD5
Wed 2011-12-07 03:59:18: [1144:6063] --> 250-8BITMIME
Wed 2011-12-07 03:59:18: [1144:6063] --> 250 SIZE 0
Wed 2011-12-07 03:59:20: [1144:6063] <-- MAIL FROM: SIZE=574602
Wed 2011-12-07 03:59:20: [1144:6063] Performing reverse lookup on sohu.com (looking for 61.135.132.132)
Wed 2011-12-07 03:59:20: [1144:6063] D=sohu.com TTL=(10) A=[61.135.181.175]
Wed 2011-12-07 03:59:20: [1144:6063] P=010 D=sohu.com TTL=(10) MX=[sohumx.h.a.sohu.com]
Wed 2011-12-07 03:59:20: [1144:6063] P=005 D=sohu.com TTL=(10) MX=[sohumx1.sohu.com] {61.135.132.110}
Wed 2011-12-07 03:59:21: [1144:6063] D=sohumx.h.a.sohu.com TTL=(5) A=[61.135.132.110]
Wed 2011-12-07 03:59:21: [1144:6063] Spam Blocker A-record resolution of [132.132.135.61.l2.apews.org] in progress (DNS Server: 192.168.1.2)...
Wed 2011-12-07 03:59:21: [1144:6063] Spam Blocker D=132.132.135.61.l2.apews.org TTL=(35) A=[127.0.0.2]
Wed 2011-12-07 03:59:21: [1144:6063] APEWS listed, 99.7% certain it is spam
Wed 2011-12-07 03:59:21: [1144:6063] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2011-12-07 03:59:21: [1144:6063] --> 250 , Sender ok
Wed 2011-12-07 03:59:22: [1144:6063] <-- RCPT TO:
Wed 2011-12-07 03:59:22: [1144:6063] Can't accept or relay message.
Wed 2011-12-07 03:59:22: [1144:6063] Sender not authenticated or from trusted domain/IP and recipient not a valid local account.
Wed 2011-12-07 03:59:22: [1144:6063] --> 550 , Recipient unknown
Wed 2011-12-07 03:59:22: [1144:6063] <-- RSET
Wed 2011-12-07 03:59:22: [1144:6063] --> 250 RSET? Well, ok.
Wed 2011-12-07 03:59:23: [1144:6063] <-- QUIT
Wed 2011-12-07 03:59:23: [1144:6063] --> 221 See ya in cyberspace
Wed 2011-12-07 03:59:23: [1144:6063] SMTP session successful, 126 bytes transferred.

In this case the sender is a spammer using the free webmail service to send crap. The email address the spammer tried to send to was stolen from a web page that no human being would see. That is how it happens: spammers use automated software, called robots, to routinely scan IP addresses for web servers hosting pages that contain email addresses, and scrape those addresses into their databases.

You have to decide for yourself on the ratio of spam versus solicited email coming via the Sohu servers. Your server, your rules. Looking at the Apews.org website, this is the text they show for the Sohu IP address:

Entry matching your Query: E-492519
61.135.132.204 CASE: C-1
Compromised or insecure MTA
Criminal abusers have user access
SysAdmin not closing abusive accounts
No or inadequate outbound mail filter
Special Reason: List washing dirty email address database
History: Entry created 2011-09-29

So it seems they are still doing the same thing more than 2 months after Apews created their entry.
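To make that call from your own logs, here is an added example (my code, not MDaemon's or APEWS's) that builds the DNSBL query name the way a client does (reversed octets plus the list zone) and parses a session like the one above into what a tally needs: connecting IP, PTR name, which list hit and what it returned, and whether the mail was actually stopped by the list or, as here, by a later 550 for an unknown recipient. The field and function names are my own; the log excerpt is taken from the session above.

```python
import re
from dataclasses import dataclass, field
# Excerpt of the MDaemon log above (addresses absent there too); session id kept.
SESSION_LOG = """\
Wed 2011-12-07 03:59:15: [1144:6063] Accepting SMTP connection from [61.135.132.132]
Wed 2011-12-07 03:59:17: [1144:6063] D=132.132.135.61.IN-ADDR.ARPA TTL=(59) PTR=[websmtp.sohu.com]
Wed 2011-12-07 03:59:21: [1144:6063] Spam Blocker D=132.132.135.61.l2.apews.org TTL=(35) A=[127.0.0.2]
Wed 2011-12-07 03:59:21: [1144:6063] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2011-12-07 03:59:22: [1144:6063] --> 550 , Recipient unknown
"""

def dnsbl_query_name(ip: str, zone: str) -> str:
    """The name a DNSBL client resolves: IPv4 octets reversed, then the list zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

@dataclass
class Session:
    client_ip: str = ""
    ptr: str = ""
    dnsbl_hits: dict = field(default_factory=dict)  # list zone -> A record it returned
    dnsbl_action: str = "none"  # "warn": MDaemon only adds X-RBL-Warning, mail still accepted
    rejected_at: str = ""       # first 5xx reply code sent to the client, if any

MSG_RE = re.compile(r"^\w{3} \S+ \S+: \[\d+:\d+\] (.*)$", re.M)  # drop timestamp + session id
def parse_session(log: str) -> Session:
    s = Session()
    for msg in MSG_RE.findall(log):
        if msg.startswith("Accepting SMTP connection from ["):
            s.client_ip = msg[msg.index("[") + 1 : msg.index("]")]
        elif "PTR=[" in msg:
            s.ptr = msg.split("PTR=[", 1)[1].rstrip("]")
        elif msg.startswith("Spam Blocker D=") and " A=[" in msg:
            qname = msg.split("D=", 1)[1].split(" ", 1)[0]
            zone = ".".join(qname.split(".")[4:])  # strip the four reversed octets
            if s.client_ip and qname == dnsbl_query_name(s.client_ip, zone):  # hit is for this client
                s.dnsbl_hits[zone] = msg.split("A=[", 1)[1].rstrip("]")
        elif "X-RBL-Warning: header will be inserted" in msg:
            s.dnsbl_action = "warn"
        elif msg.startswith("--> 5") and not s.rejected_at:
            s.rejected_at = msg[4:7]
    return s

def blocked_by(s: Session) -> str:
    # what actually stopped the mail: the list, a later 5xx reply, or nothing
    if s.dnsbl_hits and s.dnsbl_action != "warn":
        return "dnsbl"
    return f"smtp-{s.rejected_at}" if s.rejected_at else "accepted"
```

Run it over many sessions and group by `ptr` to get the spam-versus-wanted ratio for a given sender farm; the parser also skips the lines it does not need, so the full session log can be fed in unchanged.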
