April 4, 2012

L2.APEWS.ORG False Positive #15

This one is a newsletter, and although the listing was showing as a /24, it had already been corrected at the time of writing. Posting the error here for archive purposes:

Wed 2012-04-03 07:50:58: [448:627] Accepting SMTP connection from [24.38.56.81]
Wed 2012-04-03 07:50:58: [448:627] Looking up PTR record for 24.38.56.81 (81.56.38.24.IN-ADDR.ARPA)
Wed 2012-04-03 07:50:59: [448:627] D=81.56.38.24.IN-ADDR.ARPA TTL=(1439) PTR=[mailb.info.humanevents.com]
Wed 2012-04-03 07:50:59: [448:627] Gathering A-records for PTR hosts
Wed 2012-04-03 07:50:59: [448:627] D=mailb.info.humanevents.com TTL=(1440) A=[24.38.56.81]
Wed 2012-04-03 07:50:59: [448:627] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Wed, 04 Apr 2012 08:50:59 -0500
Wed 2012-04-03 07:50:59: [448:627] <-- EHLO mailb.info.humanevents.com
Wed 2012-04-03 07:50:59: [448:627] Performing reverse lookup on mailb.info.humanevents.com (looking for 24.38.56.81)
Wed 2012-04-03 07:50:59: [448:627] D=mailb.info.humanevents.com TTL=(1440) A=[24.38.56.81]
Wed 2012-04-03 07:50:59: [448:627] --> 250-xxx.xxx.xxx Hello mailb.info.humanevents.com, pleased to meet you
Wed 2012-04-03 07:50:59: [448:627] --> 250-ETRN
Wed 2012-04-03 07:50:59: [448:627] --> 250-AUTH=LOGIN
Wed 2012-04-03 07:50:59: [448:627] --> 250-AUTH LOGIN CRAM-MD5
Wed 2012-04-03 07:50:59: [448:627] --> 250-8BITMIME
Wed 2012-04-03 07:50:59: [448:627] --> 250 SIZE 0
Wed 2012-04-03 07:50:59: [448:627] <-- MAIL FROM: BODY=8BITMIME
Wed 2012-04-03 07:50:59: [448:627] Performing reverse lookup on info.humanevents.com (looking for 24.38.56.81)
Wed 2012-04-03 07:50:59: [448:627] D=info.humanevents.com TTL=(1440) A=[74.201.50.22]
Wed 2012-04-03 07:51:00: [448:627] P=030 D=info.humanevents.com TTL=(1439) MX=[mx2.info.humanevents.com] {74.201.50.6}
Wed 2012-04-03 07:51:00: [448:627] P=010 D=info.humanevents.com TTL=(1439) MX=[mx1.info.humanevents.com] {74.201.50.4}
Wed 2012-04-03 07:51:00: [448:627] Spam Blocker A-record resolution of [81.56.38.24.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Wed 2012-04-03 07:51:00: [448:627] Spam Blocker D=81.56.38.24.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Wed 2012-04-03 07:51:00: [448:627] L2.APEWS.ORG LISTED
Wed 2012-04-03 07:51:00: [448:627] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2012-04-03 07:51:00: [448:627] --> 250 , Sender ok
Wed 2012-04-03 07:51:00: [448:627] <-- RCPT TO:
Wed 2012-04-03 07:51:00: [448:627] --> 250 , Recipient ok
Wed 2012-04-03 07:51:00: [448:627] <-- DATA
Wed 2012-04-03 07:51:00: [448:627] --> 354 Enter mail, end with .
Wed 2012-04-03 07:51:01: [448:627] --> 250 Ok, message saved
Wed 2012-04-03 07:51:01: [448:627] <-- QUIT
Wed 2012-04-03 07:51:01: [448:627] --> 221 See ya in cyberspace
Wed 2012-04-03 07:51:01: [448:627] SMTP session successful, 34147 bytes transferred.
Wed 2012-04-03 07:51:01: [448:627] Shuffling message(s) into proper queue(s)
Wed 2012-04-03 07:51:01: [448:627] Message received from mailb.info.humanevents.com [24.38.56.81] with SMTP for [Size 3412] {j:\localq\0000000.msg}
Wed 2012-04-03 07:51:01: ----------

The sending server itself was not listed, but the small group listing covered it, causing a false positive for us. Already resolved.

April 2, 2012

L2.APEWS.ORG False Positive #14

This one came in over the weekend but has already been delisted by the APEWS administrators. Just posting the session log here for the archive:

Sat 2012-03-31 12:30:29: [520:540] Accepting SMTP connection from [178.33.45.10]
Sat 2012-03-31 12:30:29: [520:540] Looking up PTR record for 178.33.45.10 (10.45.33.178.IN-ADDR.ARPA)
Sat 2012-03-31 12:30:30: [520:540] D=10.45.33.178.IN-ADDR.ARPA TTL=(1440) PTR=[18.mo5.mail-out.ovh.net]
Sat 2012-03-31 12:30:30: [520:540] Gathering A-records for PTR hosts
Sat 2012-03-31 12:30:30: [520:540] D=18.mo5.mail-out.ovh.net TTL=(1440) A=[178.33.45.10]
Sat 2012-03-31 12:30:30: [520:540] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Sat, 30 Mar 2012 22:30:30 -0500
Sat 2012-03-31 12:30:30: [520:540] <-- EHLO mo5.mail-out.ovh.net
Sat 2012-03-31 12:30:30: [520:540] Performing reverse lookup on mo5.mail-out.ovh.net (looking for 178.33.45.10)
Sat 2012-03-31 12:30:31: [520:540] D=mo5.mail-out.ovh.net TTL=(1440) A=[178.32.228.5]
Sat 2012-03-31 12:30:31: [520:540] --> 250-xxx.xxx.xxx Hello 18.mo5.mail-out.ovh.net (may be forged), pleased to meet you
Sat 2012-03-31 12:30:31: [520:540] --> 250-ETRN
Sat 2012-03-31 12:30:31: [520:540] --> 250-AUTH=LOGIN
Sat 2012-03-31 12:30:31: [520:540] --> 250-AUTH LOGIN CRAM-MD5
Sat 2012-03-31 12:30:31: [520:540] --> 250-8BITMIME
Sat 2012-03-31 12:30:31: [520:540] --> 250 SIZE 0
Sat 2012-03-31 12:30:31: [520:540] <-- MAIL FROM: SIZE=6970
Sat 2012-03-31 12:30:31: [520:540] Performing reverse lookup on yyy.yyy (looking for 178.33.45.10)
Sat 2012-03-31 12:30:32: [520:540] D=yyy.yyy TTL=(1439) A=[213.186.33.5]
Sat 2012-03-31 12:30:32: [520:540] P=100 D=webster.fr TTL=(1440) MX=[mxb.ovh.net]
Sat 2012-03-31 12:30:32: [520:540] P=001 D=webster.fr TTL=(1440) MX=[mx0.ovh.net] {213.186.33.32}
Sat 2012-03-31 12:30:33: [520:540] D=mxb.ovh.net TTL=(1440) A=[213.186.39.173]
Sat 2012-03-31 12:30:33: [520:540] Spam Blocker A-record resolution of [10.45.33.178.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Sat 2012-03-31 12:30:33: [520:540] Spam Blocker D=10.45.33.178.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Sat 2012-03-31 12:30:33: [520:540] L2.APEWS.ORG LISTED
Sat 2012-03-31 12:30:33: [520:540] Message will be accepted and X-RBL-Warning: header will be inserted.
Sat 2012-03-31 12:30:33: [520:540] --> 250 , Sender ok
Sat 2012-03-31 12:30:33: [520:540] <-- RCPT TO:
Sat 2012-03-31 12:30:33: [520:540] --> 250 , Recipient ok
Sat 2012-03-31 12:30:33: [520:540] <-- DATA
Sat 2012-03-31 12:30:33: [520:540] --> 354 Enter mail, end with .
Sat 2012-03-31 12:30:33: [520:540] --> 250 Ok, message saved
Sat 2012-03-31 12:30:34: [520:540] <-- QUIT
Sat 2012-03-31 12:30:34: [520:540] --> 221 See ya in cyberspace
Sat 2012-03-31 12:30:34: [520:540] SMTP session successful, 7307 bytes transferred.
Sat 2012-03-31 12:30:34: [520:540] Shuffling message(s) into proper queue(s)
Sat 2012-03-31 12:30:34: [520:540] Message received from mo5.mail-out.ovh.net [178.33.45.10] with SMTP for [Size 796] {j:\localq\md00000000.msg}

OVH often have mail servers in the top 100 spam sources, so it is no surprise that it was listed.
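Both posts above show the same mechanism: MDaemon reverses the octets of the connecting IP, prepends them to the L2.APEWS.ORG zone, and treats an A answer of 127.0.0.2 as "listed". As an added example (not the blog's code and not MDaemon's), here is a small Python parser that pulls those checks out of session logs of this shape, rebuilds the reversed-octet query name from the connecting IP to confirm the lookup was made against the right address, checks that the answer falls in the conventional 127.0.0.0/8 range, and reports the /24 that a group listing would cover. The sample lines are constructed from the two posts' logs; the third, clean session (192.0.2.10, a documentation address) and its session id are made up.

```python
"""Pull DNSBL (RBL) hits out of MDaemon-style SMTP session logs.

Added example, not code from the blog or from MDaemon. The sample lines
below are constructed to match the shape of the logs in the two posts;
the two listed IPs are the ones the posts show, and the third session
(192.0.2.10, a documentation address) is constructed as a clean control.
"""
import ipaddress
import re

SAMPLE_LOG = """\
Wed 2012-04-03 07:50:58: [448:627] Accepting SMTP connection from [24.38.56.81]
Wed 2012-04-03 07:51:00: [448:627] Spam Blocker A-record resolution of [81.56.38.24.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Wed 2012-04-03 07:51:00: [448:627] Spam Blocker D=81.56.38.24.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Wed 2012-04-03 07:51:00: [448:627] L2.APEWS.ORG LISTED
Wed 2012-04-03 07:51:00: [448:627] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2012-04-03 07:51:01: ----------
Sat 2012-03-31 12:30:29: [520:540] Accepting SMTP connection from [178.33.45.10]
Sat 2012-03-31 12:30:33: [520:540] Spam Blocker D=10.45.33.178.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Sat 2012-03-31 12:30:33: [520:540] L2.APEWS.ORG LISTED
Sat 2012-03-31 12:30:33: [520:540] Message will be accepted and X-RBL-Warning: header will be inserted.
Sun 2012-04-01 09:00:00: [600:601] Accepting SMTP connection from [192.0.2.10]
Sun 2012-04-01 09:00:01: [600:601] SMTP session successful, 1200 bytes transferred.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+): \[(?P<sid>[^\]]+)\] (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"Accepting SMTP connection from \[(?P<ip>[\d.]+)\]")
ANSWER_RE = re.compile(r"Spam Blocker D=(?P<qname>\S+) TTL=\(\d+\) A=\[(?P<addr>[\d.]*)\]")
LISTED_RE = re.compile(r"^(?P<zone>\S+) LISTED$")
ACTION_RE = re.compile(r"^Message will be (?P<action>.+?)\.?$")

# DNSBL answers live in 127.0.0.0/8 by convention (RFC 5782); anything
# else usually means a dead or wildcarded zone, not a real listing.
DNSBL_ANSWER_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 24.38.56.81 -> 81.56.38.24.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def covering_network(ip, prefixlen=24):
    """The block a 'group' listing of the given prefix length would cover."""
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


def parse_sessions(log_text):
    """Group lines by MDaemon session id and extract IP, DNSBL answers and verdicts."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:                       # separator lines carry no session id
            continue
        sid, msg = m.group("sid"), m.group("msg")
        s = sessions.setdefault(sid, {"ip": None, "hits": [], "listed_zones": [], "action": None})
        if (a := ACCEPT_RE.search(msg)):
            s["ip"] = a.group("ip")
        elif (r := ANSWER_RE.search(msg)):
            qname, addr = r.group("qname"), r.group("addr")
            zone = ".".join(qname.split(".")[4:])   # labels after the 4 reversed octets
            s["hits"].append({
                "zone": zone,
                "qname": qname,
                "answer": addr or None,
                # the query must be built from the connecting IP, never from the HELO name
                "query_matches_ip": s["ip"] is not None and qname == dnsbl_query_name(s["ip"], zone),
                "listed": bool(addr) and ipaddress.ip_address(addr) in DNSBL_ANSWER_NET,
            })
        elif (l := LISTED_RE.match(msg)):
            s["listed_zones"].append(l.group("zone"))
        elif (act := ACTION_RE.match(msg)):
            s["action"] = act.group("action")
    return sessions


def listed_ips(sessions):
    """Sorted connecting IPs that received a valid DNSBL listing answer."""
    return sorted(s["ip"] for s in sessions.values() if any(h["listed"] for h in s["hits"]))


if __name__ == "__main__":
    for sid, s in parse_sessions(SAMPLE_LOG).items():
        for h in s["hits"]:
            print(f"{sid} {s['ip']} {h['zone']} answer={h['answer']} listed={h['listed']} "
                  f"covers={covering_network(s['ip'])} action={s['action']}")
```

Running the block prints one line per DNSBL hit. The covers= column shows why a /24 listing catches a neighbour that was never individually listed, which is exactly the situation in False Positive #15, and the listed flag guards against zones that have gone dead and answer every query with an address outside 127/8.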