L2.APEWS.ORG False Positive #13

Typical eh, spoke too soon! Got a user claiming the following shouldn't have been in his junk folder and on further checking we find the IP address to be that of a website offering a newsletter. CIDR seems OK too, here is the email header;

Sat 2012-03-17 03:26:37: [7708:766] Accepting SMTP connection from [71.19.224.98]
Sat 2012-03-17 03:26:37: [7708:766] Looking up PTR record for 71.19.224.98 (98.224.19.71.IN-ADDR.ARPA)
Sat 2012-03-17 03:26:37: [7708:766] D=98.224.19.71.IN-ADDR.ARPA TTL=(59) PTR=[www3.tiltedpixel.com]
Sat 2012-03-17 03:26:37: [7708:766] Gathering A-records for PTR hosts
Sat 2012-03-17 03:26:38: [7708:766] D=www3.tiltedpixel.com TTL=(240) A=[71.19.224.98]
Sat 2012-03-17 03:26:38: [7708:766] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Sat, 16 Mar 2012 13:06:38 -0500
Sat 2012-03-17 03:26:38: [7708:766] <-- EHLO www3.tiltedpixel.com
Sat 2012-03-17 03:26:38: [7708:766] Performing reverse lookup on www3.tiltedpixel.com (looking for 71.19.224.98)
Sat 2012-03-17 03:26:38: [7708:766] D=www3.tiltedpixel.com TTL=(240) A=[71.19.224.98]
Sat 2012-03-17 03:26:38: [7708:766] --> 250-xxx.xxx.xxx Hello www3.tiltedpixel.com, pleased to meet you
Sat 2012-03-17 03:26:38: [7708:766] --> 250-ETRN
Sat 2012-03-17 03:26:38: [7708:766] --> 250-AUTH=LOGIN
Sat 2012-03-17 03:26:38: [7708:766] --> 250-AUTH LOGIN CRAM-MD5
Sat 2012-03-17 03:26:38: [7708:766] --> 250-8BITMIME
Sat 2012-03-17 03:26:38: [7708:766] --> 250 SIZE 0
Sat 2012-03-17 03:26:38: [7708:766] <-- MAIL FROM: SIZE=1656
Sat 2012-03-17 03:26:38: [7708:766] Performing reverse lookup on www3.tiltedpixel.com (looking for 71.19.224.98)
Sat 2012-03-17 03:26:38: [7708:766] D=www3.tiltedpixel.com TTL=(239) A=[71.19.224.98]
Sat 2012-03-17 03:26:38: [7708:766] Spam Blocker A-record resolution of [98.224.19.71.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Sat 2012-03-17 03:26:38: [7708:766] Spam Blocker D=98.224.19.71.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Sat 2012-03-17 03:26:38: [7708:766] L2.APEWS.ORG LISTED
Sat 2012-03-17 03:26:38: [7708:766] Message will be accepted and X-RBL-Warning: header will be inserted.
Sat 2012-03-17 03:26:38: [7708:766] --> 250 , Sender ok
Sat 2012-03-17 03:26:38: [7708:766] <-- RCPT TO:
Sat 2012-03-17 03:26:38: [7708:766] --> 250 , Recipient ok
Sat 2012-03-17 03:26:38: [7708:766] <-- DATA
Sat 2012-03-17 03:26:38: [7708:766] --> 354 Enter mail, end with .
Sat 2012-03-17 03:26:38: [7708:766] --> 250 Ok, message saved
Sat 2012-03-17 03:26:38: [7708:766] <-- QUIT
Sat 2012-03-17 03:26:38: [7708:766] --> 221 See ya in cyberspace
Sat 2012-03-17 03:26:38: [7708:766] SMTP session successful, 959 bytes transferred.
Sat 2012-03-17 03:26:38: [7708:766] Shuffling message(s) into proper queue(s)
Sat 2012-03-17 03:26:38: [7708:766] Message received from www3.tiltedpixel.com [71.19.224.98] with SMTP for [Size 948] {j:\localq\md000000.msg}

Hopefully this one will get resolved shortly too.

Over 1 month without any FP

As you can see, the last false positive that we found was on Feb 9 and nothing since. We are the only ones to have published email headers in support of those false positives and each one has been delisted by the APEWS.org Administrators. The folks you have seen posting removal requests here are people that believe that their IP addresses should not be listed. We have seen that most, but not all, have been delisted.

The SPEWS listing model was to use whole CIDR blocks in order to pressure the ISP. It involved listing the entire block without regard for individual IP addresses and therefore there was collateral damage which was not favored by many. In order for that method to work it requires that users tolerate the collateral damage until such time as the ISP cleaned up the CIDR. That method was flawed because users, network Administrators etc, would rather tolerate spam than collateral damage.

After analysing the APEWS.org data over a period of time we can see that they are no longer following the same model as SPEWS. A few years ago when they first became a replacement for SPEWS, it could have been said that their method was very close if not the same. However, the fact that false positives have reduced dramatically and having probed the listed CIDR, APEWS.org seem to be cutting holes in CIDR for trusted senders and accordingly reducing collateral damage leaving a binary reputation index.