November 12, 2013

L2.APEWS.ORG False Positive #25

Here is another false positive; it definitely shouldn't be in the spam folder as it is from a whitelist operator. The full email header follows;

Tue 2013-11-12 08:40:07: [816:5036] Accepting SMTP connection from [217.23.49.178]
Tue 2013-11-12 08:40:07: [816:5036] --> 220 xxx.xxx.xxx ESMTP MDaemon; Tue, 12 Nov 2013 08:40:07 -0500
Tue 2013-11-12 08:40:07: [816:5036] <-- EHLO webone.hostedserver.eu
Tue 2013-11-12 08:40:07: [816:5036] --> 250-xxx.xxx.xxx Hello webone.hostedserver.eu, pleased to meet you
Tue 2013-11-12 08:40:07: [816:5036] --> 250-ETRN
Tue 2013-11-12 08:40:07: [816:5036] --> 250-AUTH=LOGIN
Tue 2013-11-12 08:40:07: [816:5036] --> 250-AUTH LOGIN CRAM-MD5
Tue 2013-11-12 08:40:07: [816:5036] --> 250-8BITMIME
Tue 2013-11-12 08:40:07: [816:5036] --> 250 SIZE 0
Tue 2013-11-12 08:40:08: [816:5036] <-- MAIL FROM:<xxx @ xxx.xxx> SIZE=841
Tue 2013-11-12 08:40:08: [816:5036] Spam Blocker A-record resolution of [178.49.23.217.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Tue 2013-11-12 08:40:08: [816:5036] Spam Blocker D=178.49.23.217.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Tue 2013-11-12 08:40:08: [816:5036] L2.APEWS.ORG LISTED
Tue 2013-11-12 08:40:08: [816:5036] Message will be accepted and X-RBL-Warning: header will be inserted.
Tue 2013-11-12 08:40:08: [816:5036] --> 250 <root @ webone.hostedserver.eu>, Sender ok
Tue 2013-11-12 08:40:08: [816:5036] <-- RCPT TO:<xxx @ xxx.xxx>
Tue 2013-11-12 08:40:08: [816:5036] --> 250 <xxx @ xxx.xxx>, Recipient ok
Tue 2013-11-12 08:40:08: [816:5036] <-- DATA
Tue 2013-11-12 08:40:08: [816:5036] --> 354 Enter mail, end with <CRLF>.<CRLF>
Tue 2013-11-12 08:40:09: [816:5036] --> 250 Ok, message saved <Message-ID: 20131112133949.7115C1B35CB1 @ webone.hostedserver.eu>
Tue 2013-11-12 08:40:09: [816:5036] <-- QUIT
Tue 2013-11-12 08:40:09: [816:5036] --> 221 See ya in cyberspace
Tue 2013-11-12 08:40:09: [816:5036] SMTP session successful, 850 bytes transferred.
Tue 2013-11-12 08:40:09: [816:5036] Shuffling message(s) into proper queue(s)
Tue 2013-11-12 08:40:09: [816:5036] Message received from webone.hostedserver.eu [217.23.49.178] <xxx @ xxx.xxx> with SMTP for <xxx @ xxx.xxx> [Size 839] {k:\localq\0000369111.msg}
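The three "Spam Blocker" lines in the session above are the whole DNSBL check: the connecting IP is reversed and prefixed to L2.APEWS.ORG, the zone answers with an A record in 127.0.0.0/8, and MDaemon logs LISTED. The following is an added example (not code from MDaemon or APEWS) that reproduces that derivation, interprets the answer, and cross-checks the log lines against each other; the sample lines are copied from the session above, and the IPv6 form of the query name follows the RFC 5782 convention rather than anything shown on this page.

```python
"""Reconstruct the L2.APEWS.ORG lookup recorded in an MDaemon session.

Added example, not code from MDaemon or APEWS. It derives the query name
178.49.23.217.L2.APEWS.ORG from the connecting IP 217.23.49.178, interprets
the A-record answer, and cross-checks the log lines against each other.
"""
import ipaddress
import re
from typing import List, Optional

DNSBL_ZONE = "L2.APEWS.ORG"

# Log line shapes taken from the MDaemon excerpts on this page.
CONNECT_RE = re.compile(r"Accepting SMTP connection from \[(?P<ip>[^\]]+)\]")
QUERY_RE = re.compile(r"Spam Blocker A-record resolution of \[(?P<name>[^\]]+)\]")
ANSWER_RE = re.compile(r"Spam Blocker D=(?P<name>\S+) TTL=\((?P<ttl>\d+)\) A=\[(?P<addr>[^\]]+)\]")
VERDICT_RE = re.compile(r"\] (?P<zone>\S+) LISTED\s*$")


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL query name for an address (RFC 5782 conventions).

    IPv4: octets reversed, 217.23.49.178 -> 178.49.23.217.<zone>.
    IPv6: all 32 hex nibbles reversed, one per label (the page shows only
    IPv4 lookups; the IPv6 form is the RFC 5782 convention, not MDaemon's).
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels + [zone])


def interpret_answer(answer: Optional[str]) -> str:
    """Classify a DNSBL A-record answer.

    A listed address answers with an A record inside 127.0.0.0/8; 127.0.0.2
    is the usual "listed" code and is what every session on this page shows.
    No answer (NXDOMAIN) means not listed. An answer outside 127/8 is the
    classic sign of a dead or parked zone that wildcards every query; treat
    it as invalid, never as a listing, or every client gets flagged.
    """
    if answer is None:
        return "not-listed"
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "invalid-answer"


def parse_spam_blocker(lines: List[str], zone: str = DNSBL_ZONE) -> dict:
    """Summarise the DNSBL check in one MDaemon session and sanity-check it."""
    r = {"client_ip": None, "query": None, "answer": None, "ttl": None,
         "verdict_logged": False, "answer_for_other_name": None}
    for line in lines:
        if m := CONNECT_RE.search(line):
            r["client_ip"] = m["ip"]
        elif m := QUERY_RE.search(line):
            r["query"] = m["name"]
        elif m := ANSWER_RE.search(line):
            r["answer"], r["ttl"] = m["addr"], int(m["ttl"])
            # The answer must be for the name we actually asked about.
            if r["query"] and m["name"].lower() != r["query"].lower():
                r["answer_for_other_name"] = m["name"]
        elif m := VERDICT_RE.search(line):
            r["verdict_logged"] = m["zone"].upper() == zone.upper()
    r["status"] = interpret_answer(r["answer"])
    # The query name must be the one derived from the connecting IP.
    r["query_matches_client"] = bool(
        r["client_ip"] and r["query"]
        and r["query"].lower() == dnsbl_query_name(r["client_ip"], zone).lower())
    # A LISTED verdict with no 127/8 answer in the log (as in false positive
    # #20 further down this page) deserves a look at the resolver, not trust.
    r["consistent"] = (r["status"] == "listed") == r["verdict_logged"]
    return r


# Lines copied from the session above (false positive #25).
SAMPLE_SESSION = [
    "Tue 2013-11-12 08:40:07: [816:5036] Accepting SMTP connection from [217.23.49.178]",
    "Tue 2013-11-12 08:40:08: [816:5036] Spam Blocker A-record resolution of [178.49.23.217.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...",
    "Tue 2013-11-12 08:40:08: [816:5036] Spam Blocker D=178.49.23.217.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]",
    "Tue 2013-11-12 08:40:08: [816:5036] L2.APEWS.ORG LISTED",
    "Tue 2013-11-12 08:40:08: [816:5036] Message will be accepted and X-RBL-Warning: header will be inserted.",
]

if __name__ == "__main__":
    print(parse_spam_blocker(SAMPLE_SESSION))
```

Running the parser over the other sessions on this page is a quick way to spot the odd one out: every session here resolves to 127.0.0.2, but the `consistent` flag is the check that catches a LISTED verdict the log cannot account for.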

October 3, 2013

L2.APEWS.ORG False Positive #24

Another user reported a newsletter in the junk folder; however, on checking, the IP address appears to have already been delisted. We are publishing this false positive for the record (full email header munged where appropriate);

Wed 2013-10-02 18.13:20: [1768:723] Accepting SMTP connection from [159.220.9.56]
Wed 2013-10-02 18.13:20: [1768:723] Looking up PTR record for 159.220.9.56 (56.9.220.159.IN-ADDR.ARPA)
Wed 2013-10-02 18.13:21: [1768:723] D=56.9.220.159.IN-ADDR.ARPA TTL=(0) PTR=[mailout2-trm.thomsonreuters.com]
Wed 2013-10-02 18.13:21: [1768:723] Gathering A-records for PTR hosts
Wed 2013-10-02 18.13:21: [1768:723] D=mailout2-trm.thomsonreuters.com TTL=(60) A=[159.220.9.56]
Wed 2013-10-02 18.13:21: [1768:723] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Wed, 02 Oct 2013 18.13:21 -0500
Wed 2013-10-02 18.13:21: [1768:723] <-- EHLO mailout2-trm.thomsonreuters.com
Wed 2013-10-02 18.13:21: [1768:723] Performing reverse lookup on mailout2-trm.thomsonreuters.com (looking for 159.220.9.56)
Wed 2013-10-02 18.13:21: [1768:723] D=mailout2-trm.thomsonreuters.com TTL=(59) A=[159.220.9.56]
Wed 2013-10-02 18.13:21: [1768:723] --> 250-xxx.xxx.xxx Hello mailout2-trm.thomsonreuters.com, pleased to meet you
Wed 2013-10-02 18.13:21: [1768:723] --> 250-ETRN
Wed 2013-10-02 18.13:21: [1768:723] --> 250-AUTH=LOGIN
Wed 2013-10-02 18.13:21: [1768:723] --> 250-AUTH LOGIN CRAM-MD5
Wed 2013-10-02 18.13:21: [1768:723] --> 250-8BITMIME
Wed 2013-10-02 18.13:21: [1768:723] --> 250 SIZE 0
Wed 2013-10-02 18.13:21: [1768:723] <-- MAIL From:<x@ thomsonreuters.com> SIZE=45939
Wed 2013-10-02 18.13:21: [1768:723] Performing reverse lookup on thomsonreuters.com (looking for 159.220.9.56)
Wed 2013-10-02 18.13:22: [1768:723] D=thomsonreuters.com TTL=(0) A=[163.231.4.79]
Wed 2013-10-02 18.13:22: [1768:723] P=020 D=thomsonreuters.com TTL=(0) MX=[mailin2-tr.thomsonreuters.com] {59.144.10.241}
Wed 2013-10-02 18.13:22: [1768:723] P=020 D=thomsonreuters.com TTL=(0) MX=[mailin1-tr.thomsonreuters.com] {199.224.149.51}
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin7-tr.thomsonreuters.com]
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin6-tr.thomsonreuters.com] {159.220.48.8}
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin5-tr.thomsonreuters.com]
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin4-tr.thomsonreuters.com]
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin3-tr.thomsonreuters.com]
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin2-trp.thomsonreuters.com] {163.231.6.25}
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin2-trm.thomsonreuters.com] {159.220.9.53}
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin1-trp.thomsonreuters.com] {163.231.6.5}
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin1-trm.thomsonreuters.com] {159.220.28.53}
Wed 2013-10-02 18.13:22: [1768:723] D=mailin7-tr.thomsonreuters.com TTL=(0) A=[159.220.48.10]
Wed 2013-10-02 18.13:22: [1768:723] D=mailin5-tr.thomsonreuters.com TTL=(0) A=[159.220.38.28]
Wed 2013-10-02 18.13:22: [1768:723] D=mailin4-tr.thomsonreuters.com TTL=(0) A=[159.220.20.196]
Wed 2013-10-02 18.13:22: [1768:723] D=mailin3-tr.thomsonreuters.com TTL=(0) A=[159.220.16.156]
Wed 2013-10-02 18.13:22: [1768:723] Spam Blocker A-record resolution of [56.9.220.159.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Wed 2013-10-02 18.13:22: [1768:723] Spam Blocker D=56.9.220.159.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Wed 2013-10-02 18.13:22: [1768:723] L2.APEWS.ORG LISTED
Wed 2013-10-02 18.13:22: [1768:723] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2013-10-02 18.13:22: [1768:723] --> 250 <x@ thomsonreuters.com>, Sender ok
Wed 2013-10-02 18.13:23: [1768:723] <-- RCPT To:<xxx@ xxx.xxx>
Wed 2013-10-02 18.13:23: [1768:723] --> 250 <xxx@ xxx.xxx>, Recipient ok
Wed 2013-10-02 18.13:23: [1768:723] <-- DATA
Wed 2013-10-02 18.13:23: [1768:723] --> 354 Enter mail, end with <CRLF>.<CRLF>
Wed 2013-10-02 18.13:24: [1768:723] --> 250 Ok, message saved <Message-ID: 11D276E588427@ ERFMMBX12.ERF.thomson.com>
Wed 2013-10-02 18.13:26: [1768:723] <-- QUIT
Wed 2013-10-02 18.13:26: [1768:723] --> 221 See ya in cyberspace
Wed 2013-10-02 18.13:26: [1768:723] SMTP session successful, 46875 bytes transferred.
Wed 2013-10-02 18.13:26: [1768:723] Shuffling message(s) into proper queue(s)
Wed 2013-10-02 18.13:26: [1768:723] Message received from mailout2-trm.thomsonreuters.com [159.220.9.56] <x@ thomsonreuters.com> with SMTP for <xxx@ xxx.xxx> [Size 4859] {i:\localq\000351496.msg}

August 30, 2013

SPEWS Memorial Day

Every August 30th the APEWS.org website changes its home page to show the following;

 **************************************

Today our website and our mail-servers are not available, because it is 30 August - SPEWS MEMORIAL DAY

Our beloved SPEWS operator got hit by a truck and died 30 August 2006. One of his dreams was to make the world a spam free place.
As long as spam exists we therefore recommend all of you to shut down all mail-servers every 30 August for 24 hours.
Be creative to make today a black day for all spammers and spam supporters and a day without mail and spam.
It is just one day in the year so it will not hurt you nor your company, but it will set a widely visible sign if enough people do so.
Our blacklists are online, but we will not display reasons for listings nor do any removals today.
We will be back by tomorrow. APEWS - Anonymous Postmasters Early Warning System.

 **************************************

The man behind the former blacklist known as SPEWS was a visionary in that he recognized that playing with dynamic listings was not a solution, just a prolonging of the problem, and in fact permitted both spammers and anti-spammers to continue to profit from the problem at the expense of the general public internet users.

Instead he designed a fixed listing system that prevented internet service providers (ISPs) from recycling their IP space for profit, by listing them as having a bad reputation. The SPEWS blacklist database was known to be fairly aggressive with the ISPs that ignored the spam problem whilst making money from it.

From what we know, the founder of SPEWS was not only an experienced driver but had additional training, possibly as a driving instructor. He also liked to drive one of the safest cars manufactured yet. Despite this, whilst driving his usual cross-country route between home and office, a truck appeared and there was a crash that left the SPEWS founder dead. That was August 30th 2006. Was there foul play?

We think that if the SPEWS founder was still alive today, he would be pleased with the progress that APEWS.org has made using his ideology and advancing it further to cover all ISPs and IPv4 space.

August 28, 2013

L2.APEWS.ORG False Positive #23

Another reported false positive; these are few and far between, as you have seen. This is the full header, munged where appropriate;

Wed 2013-08-28 01:14:38: [6404:8081] Accepting SMTP connection from [98.130.1.134]
Wed 2013-08-28 01:14:38: [6404:8081] Looking up PTR record for 98.130.1.134 (134.1.130.98.IN-ADDR.ARPA)
Wed 2013-08-28 01:14:39: [6404:8081] D=134.1.130.98.IN-ADDR.ARPA TTL=(1440) PTR=[mail404.opentransfer.com]
Wed 2013-08-28 01:14:39: [6404:8081] Gathering A-records for PTR hosts
Wed 2013-08-28 01:14:39: [6404:8081] D=mail404.opentransfer.com TTL=(1440) A=[98.130.1.134]
Wed 2013-08-28 01:14:39: [6404:8081] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.8; Wed, 28 Aug 2013 01:14:39 -0400
Wed 2013-08-28 01:14:39: [6404:8081] <-- HELO mail404.opentransfer.com
Wed 2013-08-28 01:14:39: [6404:8081] Performing reverse lookup on mail404.opentransfer.com (looking for 98.130.1.134)
Wed 2013-08-28 01:14:39: [6404:8081] D=mail404.opentransfer.com TTL=(1439) A=[98.130.1.134]
Wed 2013-08-28 01:14:39: [6404:8081] --> 250 xxx.xxx.xxx Hello mail404.opentransfer.com, pleased to meet you
Wed 2013-08-28 01:14:39: [6404:8081] <-- MAIL FROM:<xxx@xxx.xxx>
Wed 2013-08-28 01:14:39: [6404:8081] Performing reverse lookup on xxx.xxx (looking for 98.130.1.134)
Wed 2013-08-28 01:14:40: [6404:8081] D=xxx.xxx TTL=(360) A=[98.130.139.194]
Wed 2013-08-28 01:14:40: [6404:8081] P=010 D=xxx.xxx TTL=(359) MX=[mail404.ixwebhosting.com] {76.162.254.110}
Wed 2013-08-28 01:14:40: [6404:8081] Spam Blocker A-record resolution of [134.1.130.98.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Wed 2013-08-28 01:14:40: [6404:8081] Spam Blocker D=134.1.130.98.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Wed 2013-08-28 01:14:40: [6404:8081] L2.APEWS.ORG LISTED
Wed 2013-08-28 01:14:40: [6404:8081] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2013-08-28 01:14:40: [6404:8081] --> 250 <xxx@xxx.xxx>, Sender ok
Wed 2013-08-28 01:14:40: [6404:8081] <-- RCPT TO:<xxx@xxx.xxx>
Wed 2013-08-28 01:14:40: [6404:8081] --> 250 <xxx@xxx.xxx>, Recipient ok
Wed 2013-08-28 01:14:40: [6404:8081] <-- DATA
Wed 2013-08-28 01:14:40: [6404:8081] --> 354 Enter mail, end with <CRLF>.<CRLF>
Wed 2013-08-28 01:14:41: [6404:8081] --> 250 Ok, message saved <Message-ID: !&!AAzWLFEsxmkTAAA==@xxx.xxx>
Wed 2013-08-28 01:14:41: [6404:8081] <-- QUIT
Wed 2013-08-28 01:14:41: [6404:8081] --> 221 See ya in cyberspace
Wed 2013-08-28 01:14:41: [6404:8081] SMTP session successful, 1273 bytes transferred.
Wed 2013-08-28 01:14:41: [6404:8081] Shuffling message(s) into proper queue(s)
Wed 2013-08-28 01:14:41: [6404:8081] Message received from mail404.opentransfer.com [98.130.1.134] <xxx@xxx.xxx> with SMTP for <xxx@xxx.xxx> [Size 1260] {j:\localq\000330.msg}

July 22, 2013

L2.APEWS.ORG False Positive #22

This is another newsletter that a user reported finding in the spam folder when it had been properly subscribed to. Checking the IP address of the sending server, we find that it is no longer listed, so this is being published for information only;

Fri 2013-07-19 01:05:11: [9010:4232] Accepting SMTP connection from [72.232.93.13]
Fri 2013-07-19 01:05:11: [9010:4232] Looking up PTR record for 72.232.93.13 (13.93.232.72.IN-ADDR.ARPA)
Fri 2013-07-19 01:05:12: [9010:4232] D=13.93.232.72.IN-ADDR.ARPA TTL=(179) PTR=[nlserv14.123greetings.info]
Fri 2013-07-19 01:05:12: [9010:4232] Gathering A-records for PTR hosts
Fri 2013-07-19 01:05:13: [9010:4232] Name server reports domain name unknown.
Fri 2013-07-19 01:05:13: [9010:4232] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Fri, 19 Jul 2013 21:00:13 -0100
Fri 2013-07-19 01:05:13: [9010:4232] <-- EHLO 123greetings.info
Fri 2013-07-19 01:05:13: [9010:4232] Performing reverse lookup on 123greetings.info (looking for 72.232.93.13)
Fri 2013-07-19 01:05:13: [9010:4232] D=123greetings.info TTL=(60) A=[216.104.165.71]
Fri 2013-07-19 01:05:14: [9010:4232] P=010 D=123greetings.info TTL=(60) MX=[mx1.emailsrvr.com] {98.129.184.131}
Fri 2013-07-19 01:05:14: [9010:4232] --> 250-xxx.xxx.xxx Hello nlserv14.123greetings.info (may be forged), pleased to meet you
Fri 2013-07-19 01:05:14: [9010:4232] --> 250-ETRN
Fri 2013-07-19 01:05:14: [9010:4232] --> 250-AUTH=LOGIN
Fri 2013-07-19 01:05:14: [9010:4232] --> 250-AUTH LOGIN CRAM-MD5
Fri 2013-07-19 01:05:14: [9010:4232] --> 250-8BITMIME
Fri 2013-07-19 01:05:14: [9010:4232] --> 250 SIZE 0
Fri 2013-07-19 01:05:14: [9010:4232] <-- MAIL FROM:<newsletter @ 123greetings.info> BODY=8BITMIME
Fri 2013-07-19 01:05:14: [9010:4232] Performing reverse lookup on 123greetings.info (looking for 72.232.93.13)
Fri 2013-07-19 01:05:14: [9010:4232] D=123greetings.info TTL=(59) A=[216.104.165.71]
Fri 2013-07-19 01:05:14: [9010:4232] P=010 D=123greetings.info TTL=(59) MX=[mx1.emailsrvr.com] {98.129.184.131}
Fri 2013-07-19 01:05:14: [9010:4232] Spam Blocker A-record resolution of [13.93.232.72.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Fri 2013-07-19 01:05:14: [9010:4232] Spam Blocker D=13.93.232.72.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Fri 2013-07-19 01:05:14: [9010:4232] L2.APEWS.ORG LISTED
Fri 2013-07-19 01:05:14: [9010:4232] Message will be accepted and X-RBL-Warning: header will be inserted.
Fri 2013-07-19 01:05:14: [9010:4232] --> 250 <newsletter @ 123greetings.info>, Sender ok
Fri 2013-07-19 01:05:14: [9010:4232] <-- RCPT TO:<xxx @ xxx.xxx>
Fri 2013-07-19 01:05:14: [9010:4232] --> 250 <xxx @ xxx.xxx>, Recipient ok
Fri 2013-07-19 01:05:14: [9010:4232] <-- DATA
Fri 2013-07-19 01:05:14: [9010:4232] --> 354 Enter mail, end with <CRLF>.<CRLF>
Fri 2013-07-19 01:05:15: [9010:4232] --> 250 Ok, message saved <Message-ID: 2013.newsletter @ 123greetings.info>
Fri 2013-07-19 01:05:15: [9010:4232] <-- QUIT
Fri 2013-07-19 01:05:15: [9010:4232] --> 221 See ya in cyberspace
Fri 2013-07-19 01:05:15: [9001:4232] SMTP session successful, 14619 bytes transferred.
Fri 2013-07-19 01:05:15: [9010:4232] Shuffling message(s) into proper queue(s)
Fri 2013-07-19 01:05:15: [9010:4232] Message received from 123greetings.info [72.232.93.13] <newsletter @ 123greetings.info> with SMTP for <xxx @ xxx.xxx> [Size 0] {j:\localq\0003197.msg}

July 18, 2013

L2.APEWS.ORG False Positive #21

We're publishing this one for the record: the newsletter was found in the junk folder by the user but had in fact been subscribed to. The IP address has already been de-listed, so this is just for information;

Tue 2013-07-16 05:49:33: [6716:1620] Accepting SMTP connection from [63.121.28.41]
Tue 2013-07-16 05:49:33: [6716:1620] Looking up PTR record for 63.121.28.41 (41.28.121.63.IN-ADDR.ARPA)
Tue 2013-07-16 05:49:34: [6716:1620] D=41.28.121.63.IN-ADDR.ARPA TTL=(59) PTR=[unicamailman301-q1.sb.monster.com]
Tue 2013-07-16 05:49:34: [6716:1620] Gathering A-records for PTR hosts
Tue 2013-07-16 05:49:34: [6716:1620] D=unicamailman301-q1.sb.monster.com TTL=(60) A=[63.121.28.41]
Tue 2013-07-16 05:49:34: [6716:1620] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Tue, 16 Jul 2013 05:49:34 -0500
Tue 2013-07-16 05:49:34: [6716:1620] <-- HELO unicamailman301-q1.sb.monster.com
Tue 2013-07-16 05:49:34: [6716:1620] Performing reverse lookup on unicamailman301-q1.sb.monster.com (looking for 63.121.28.41)
Tue 2013-07-16 05:49:34: [6716:1620] D=unicamailman301-q1.sb.monster.com TTL=(60) A=[63.121.28.41]
Tue 2013-07-16 05:49:34: [6716:1620] --> 250 xxx.xxx.xxx Hello unicamailman301-q1.sb.monster.com, pleased to meet you
Tue 2013-07-16 05:49:34: [6716:1620] <-- MAIL FROM:<smas.30-230433_448550_3@e0.monster.com>
Tue 2013-07-16 05:49:34: [6716:1620] Performing reverse lookup on e0.monster.com (looking for 63.121.28.41)
Tue 2013-07-16 05:49:34: [6716:1620] D=e0.monster.com TTL=(10) A=[63.112.169.1]
Tue 2013-07-16 05:49:35: [6716:1620] P=020 D=e0.monster.com TTL=(10) MX=[mailsorter.sb.monster.com] {63.121.30.235}
Tue 2013-07-16 05:49:35: [6716:1620] P=020 D=e0.monster.com TTL=(10) MX=[mailsorter.be.tmpw.net] {208.71.195.235}
Tue 2013-07-16 05:49:35: [6716:1620] Spam Blocker A-record resolution of [41.28.121.63.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Tue 2013-07-16 05:49:35: [6716:1620] Spam Blocker D=41.28.121.63.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Tue 2013-07-16 05:49:35: [6716:1620] L2.APEWS.ORG LISTED
Tue 2013-07-16 05:49:35: [6716:1620] Message will be accepted and X-RBL-Warning: header will be inserted.
Tue 2013-07-16 05:49:35: [6716:1620] --> 250 <smas.30-230433_4 @ .monster.com>, Sender ok
Tue 2013-07-16 05:49:35: [6716:1620] <-- RCPT TO:<xxx@xxx.xxx>
Tue 2013-07-16 05:49:35: [6716:1620] --> 250 <xxx@xxx.xxx>, Recipient ok
Tue 2013-07-16 05:49:35: [6716:1620] <-- DATA
Tue 2013-07-16 05:49:35: [6716:1620] --> 354 Enter mail, end with <CRLF>.<CRLF>
Tue 2013-07-16 05:49:36: [6716:1620] --> 250 Ok, message saved <Message-ID: emsg.826.7140f20 @ unica7emsg201.be.monster.com>
Tue 2013-07-16 05:49:36: [6716:1620] <-- QUIT
Tue 2013-07-16 05:49:36: [6716:1620] --> 221 See ya in cyberspace
Tue 2013-07-16 05:49:36: [6716:1620] SMTP session successful, 13598 bytes transferred.
Tue 2013-07-16 05:49:36: [6716:1620] Shuffling message(s) into proper queue(s)
Tue 2013-07-16 05:49:36: [6716:1620] Message received from unicamailman301-q1.sb.monster.com [63.121.28.41] <smas.30-230433_448550_3 @ .monster.com> with SMTP for <xxx@xxx.xxx> [Size 0] {j:\localq\1150000318214.msg}

June 20, 2013

L2.APEWS.ORG False Positive #20

One of our users reported an email in the spam folder as an error, saying that it was a newsletter about Japan tourism that they had subscribed to. Full header here;

Wed 2013-06-19 04:27:06: [4181:459] Accepting SMTP connection from [203.191.244.137]
Wed 2013-06-19 04:27:06: [4181:459] Looking up PTR record for 203.191.244.137 (137.244.191.203.IN-ADDR.ARPA)
Wed 2013-06-19 04:27:06: [4181:459] D=137.128-26.244.191.203.IN-ADDR.ARPA TTL=(59) PTR=[mail3-5.webcas.net]
Wed 2013-06-19 04:27:06: [4181:459] Gathering A-records for PTR hosts
Wed 2013-06-19 04:27:06: [4181:459] D=mail3-5.webcas.net TTL=(60) A=[203.191.244.137]
Wed 2013-06-19 04:27:06: [4181:459] --> 220-ns7.methusalah.com ESMTP MDaemon 6.7.9; Wed, 19 Jun 2013 04:27:06 -0500
Wed 2013-06-19 04:27:06: [4181:459] -->
Wed 2013-06-19 04:27:07: [4181:459] <-- EHLO wcasp3-efmta2.webcas.net
Wed 2013-06-19 04:27:07: [4181:459] Performing reverse lookup on wcasp3-efmta2.webcas.net (looking for 203.191.244.137)
Wed 2013-06-19 04:27:07: [4181:459] Name server reports domain name unknown.
Wed 2013-06-19 04:27:07: [4181:459] --> 250-ns7.methusalah.com Hello mail3-5.webcas.net (may be forged), pleased to meet you
Wed 2013-06-19 04:27:07: [4181:459] --> 250-ETRN
Wed 2013-06-19 04:27:07: [4181:459] --> 250-AUTH=LOGIN
Wed 2013-06-19 04:27:07: [4181:459] --> 250-AUTH LOGIN CRAM-MD5
Wed 2013-06-19 04:27:07: [4181:459] --> 250-8BITMIME
Wed 2013-06-19 04:27:07: [4181:459] --> 250 SIZE 0
Wed 2013-06-19 04:27:07: [4181:459] <-- MAIL FROM:<errmailxxx @ mail3.webcas.net> SIZE=11707
Wed 2013-06-19 04:27:07: [4181:459] Performing reverse lookup on mail3.webcas.net (looking for 203.191.244.137)
Wed 2013-06-19 04:27:07: [4181:459] D=mail3.webcas.net TTL=(60) A=[203.191.244.132]
Wed 2013-06-19 04:27:08: [4181:459] P=010 D=mail3.webcas.net TTL=(60) MX=[mail3.webcas.net] {203.191.244.132}
Wed 2013-06-19 04:27:08: [4181:459] Spam Blocker A-record resolution of [137.244.191.203.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.3)...
Wed 2013-06-19 04:27:08: [4181:459] L2.APEWS.ORG LISTED
Wed 2013-06-19 04:27:08: [4181:459] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2013-06-19 04:27:08: [4181:459] --> 250 <errmailxxx @ mail3.webcas.net>, Sender ok
Wed 2013-06-19 04:27:08: [4181:459] <-- RCPT TO:<xxx@xxx.xxx>
Wed 2013-06-19 04:27:08: [4181:459] --> 250 <xxx@xxx.xxx>, Recipient ok
Wed 2013-06-19 04:27:08: [4181:459] <-- DATA
Wed 2013-06-19 04:27:08: [4181:459] --> 354 Enter mail, end with <CRLF>.<CRLF>
Wed 2013-06-19 04:27:09: [4181:459] --> 250 Ok, message saved <Message-ID: xxx.newsletter @ japantravelinfo.com>
Wed 2013-06-19 04:27:09: [4181:459] <-- QUIT
Wed 2013-06-19 04:27:09: [4181:459] --> 221 See ya in cyberspace
Wed 2013-06-19 04:27:09: [4181:459] SMTP session successful, 11682 bytes transferred.
Wed 2013-06-19 04:27:09: [4181:459] Shuffling message(s) into proper queue(s)
Wed 2013-06-19 04:27:09: [4181:459] Message received from wcasp3-efmta2.webcas.net [203.191.244.137] <errmail4-03@mail3.webcas.net> with SMTP for <xxx@xxx.xxx> [Size 11671] {j:\localq\7000002893.msg}

June 18, 2013

Apews listing only part of the problem, correctly listed IP

Hi APEWS Admins, please remove my IP address from your blacklist : 162.39.36.66

Thanks!


Full headers:

Received: from pusen02 (192.168.16.40) by connect.activedata.ca
(192.168.16.38) with Microsoft SMTP Server (TLS) id 14.2.247.3; Tue, 18 Jun
2013 07:59:31 -0400
Received: from pusen02 ([162.39.36.66] helo=pusen02) by ASSP.nospam with SMTP
(2.3.3); 18 Jun 2013 07:59:31 -0400
From: <***@***.com>
Subject: [SPAM]
To: J*** <***@***.com>
Date: Tue, 18 Jun 2013 07:49:24 -0400
Message-ID: <201306180749242N.DCSML-S000250000.000074FBD545@172.23.40.3>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_41dffd17-33c1-4156-825e-2450e53d5501_"
X-Assp-Version: 2.3.3(13137) on ASSP.nospam
X-Assp-ID: ASSP.nospam m1-56771-09551
X-Assp-Session: 7F329949E7B8 (mail 1)
X-Assp-Server-TLS: yes
X-Assp-Received-SPF: softfail ip=162.39.36.66 mailfrom=***@***.com
helo=pusen02
X-Original-Authentication-Results: ASSP.nospam; spf=softfail
X-Assp-Message-Score: 5 (SPF softfail)
X-Assp-IP-Score: 5 (SPF softfail)
X-Assp-Message-Score: 35 (DNSBLcache: neutral, 162.39.36.66 listed in
l2.apews.org{127.0.0.2})
X-Assp-IP-Score: 35 (DNSBLcache: neutral, 162.39.36.66 listed in
l2.apews.org{127.0.0.2})
X-Assp-DNSBLcache: neutral, 162.39.36.66 listed in l2.apews.org{127.0.0.2}
X-Assp-Message-Score: 10 (invalid HELO: 'pusen02')
X-Assp-IP-Score: 10 (invalid HELO: 'pusen02')
X-Assp-Bayes-Confidence: 0.00040
X-Assp-Tag: MessageLimit
X-Assp-Spam: YES
X-Spam-Status: yes
X-Assp-Spam-Reason: MessageScore passed low limit
X-Assp-Message-Totalscore: 50
X-Assp-Spam-Level: ***********
Return-Path: ***@***.com
X-MS-Exchange-Organization-AuthSource: ExchSrv.activedata.local
X-MS-Exchange-Organization-AuthAs: Anonymous

The delivering server is using an incorrect HELO/EHLO; it should be a FQDN (fully qualified domain name). To get one you need to contact your ISP, Windstream, and tell them what FQDN you want them to write in their DNS server as the PTR record for your IP. Windstream are using generic PTR records, which are not satisfactory for email servers; yours is showing as;
h66.36.39.162.static.ip.windstream.net
That alone will cause your emails to fail the reverse DNS lookups that many email servers perform automatically in real time.
Using Windstream IP space probably isn't doing you any favors either. If they won't create that DNS entry for you, you'll have to change ISP or accept a poor delivery rate.
The person that did the setup of your email server does not know enough to do the job; we suggest you contact a professional who should know about things like EHLO/HELO configuration and SMTP per the RFCs.
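The ASSP headers above score this message three separate ways, and two of them (invalid HELO, and the reverse DNS problem the reply describes) have nothing to do with any blacklist. The following is an added example, not code from ASSP, MDaemon or Windstream, of the checks a receiving MTA runs on a connecting client: is the HELO a FQDN, does the client IP have a PTR record, does that name resolve back to the IP (forward-confirmed reverse DNS), and does the PTR look provider-generated. The DNS data is a constructed in-memory table standing in for live resolver queries; it uses the pusen02 / 162.39.36.66 / h66.36.39.162.static.ip.windstream.net names from the headers above (the assumption that the Windstream name resolves back to the IP is mine) plus a made-up well-configured sender in the 192.0.2.0/24 documentation range.

```python
"""Check a connecting client's HELO name and reverse DNS the way a receiving
MTA does. Added example, not code from ASSP, MDaemon or Windstream. DNS data
is a constructed in-memory table standing in for real resolver queries.
"""
import ipaddress
import re
from typing import Dict, List

LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Heuristic for provider-generated ("generic") PTR names: an embedded IP or a
# pool keyword. Heuristic only; a real deployment would keep a tuned list.
GENERIC_PTR_RE = re.compile(
    r"\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}|\b(static|dynamic|dyn|dhcp|pool|ppp|dsl|cable)\b",
    re.IGNORECASE)


def is_fqdn(name: str) -> bool:
    """True if name is a fully qualified host name: two or more valid DNS
    labels and not an address literal. 'pusen02' from the headers fails."""
    name = name.rstrip(".")
    if not name or len(name) > 253 or name.startswith("["):
        return False
    try:
        ipaddress.ip_address(name)
        return False  # a bare address is not a host name
    except ValueError:
        pass
    labels = name.split(".")
    return (len(labels) >= 2
            and all(LABEL_RE.match(label) for label in labels)
            and not labels[-1].isdigit())


def check_client(ip: str, helo: str,
                 ptr: Dict[str, List[str]], forward: Dict[str, List[str]]) -> List[str]:
    """Return the findings a receiving MTA would log for this client.

    ptr maps IP -> PTR names, forward maps host name -> A records. Both are
    stand-ins for live DNS lookups in this offline example.
    """
    findings: List[str] = []
    helo_ok = is_fqdn(helo)
    if not helo_ok:
        findings.append("helo-not-fqdn")
    names = ptr.get(ip, [])
    if not names:
        findings.append("no-ptr")
    else:
        # Forward-confirmed reverse DNS: some PTR name must resolve back to the IP.
        if not any(ip in forward.get(n.lower(), []) for n in names):
            findings.append("ptr-not-forward-confirmed")
        if all(GENERIC_PTR_RE.search(n) for n in names):
            findings.append("generic-ptr")
    if helo_ok and ip not in forward.get(helo.lower().rstrip("."), []):
        findings.append("helo-does-not-resolve-to-client")
    return findings


# Constructed DNS tables. The Windstream entry is the PTR quoted above; that it
# resolves back to 162.39.36.66 is assumed here. 192.0.2.25 is a made-up
# well-configured sender in the documentation range.
PTR_TABLE = {
    "162.39.36.66": ["h66.36.39.162.static.ip.windstream.net"],
    "192.0.2.25": ["mail.example.net"],
}
A_TABLE = {
    "h66.36.39.162.static.ip.windstream.net": ["162.39.36.66"],
    "mail.example.net": ["192.0.2.25"],
}

if __name__ == "__main__":
    print(check_client("162.39.36.66", "pusen02", PTR_TABLE, A_TABLE))
    print(check_client("192.0.2.25", "mail.example.net", PTR_TABLE, A_TABLE))
```

Against the case above the function reports both a non-FQDN HELO and a generic PTR, which is exactly the situation the reply describes: fixing the HELO alone leaves the PTR problem, and fixing the PTR requires the ISP.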

No evidence of Apews listing causing this email delivery failure

Herewith is the header of the bounced email. The IP is not blacklisted in other anti-spam portals, except with APEWS, though it's still a July 07, 2007 record.

Thu 2013-01-31 17:19:22: * Connection established (192.168.0.115:3302 -> 198.80.42.2:25)

Thu 2013-01-31 17:19:22: Waiting for protocol to start...
Thu 2013-01-31 17:19:22: <-- 220 portal1.visa.com - Access is monitored. SMTP Proxy Server Ready

Thu 2013-01-31 17:19:22: --> EHLO mail.ticketworld.com.ph
Thu 2013-01-31 17:19:22: <-- 250-ESMTP Server Ready
Thu 2013-01-31 17:19:22: <-- 250-SIZE 20971520
Thu 2013-01-31 17:19:22: <-- 250-DSN
Thu 2013-01-31 17:19:22: <-- 250-STARTTLS
Thu 2013-01-31 17:19:22: <-- 250 TLS
Thu 2013-01-31 17:19:22: --> MAIL From: SIZE=51304
Thu 2013-01-31 17:19:23: <-- 250 +OK Sender OK
Thu 2013-01-31 17:19:23: --> RCPT To:
Thu 2013-01-31 17:19:23: <-- 250 +OK Recipient OK
Thu 2013-01-31 17:19:23: --> DATA
Thu 2013-01-31 17:19:23: <-- 354 Start mail input, end with '.'
Thu 2013-01-31 17:19:23: Sending to [198.80.42.2]
Thu 2013-01-31 17:19:24: Transfer Complete
Thu 2013-01-31 17:19:25: <-- 554 Transaction Failed Spam Message not queued.

This looks like your connection to the server was authenticated correctly and that the email was delivered correctly too. It seems to have failed, possibly on the content of the email or on other parameters that were tested during or after receipt of the email. I suggest that you contact the server administrator. There is no mention of a failure due to an Apews.org listing.
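The reasoning in that reply is worth turning into a habit: in a client-side transcript, the command that the 4xx/5xx reply answers tells you what kind of policy fired. Here the 554 comes after DATA has been accepted with 354 and the body transferred, so it is a content or post-receipt decision, not a connection-time decision. The following is an added example, not MDaemon's own code, that walks such a transcript and reports the rejection stage; the sample lines are the ones from the bounce above, plus a constructed connect-time rejection for contrast. One caveat the code carries as a comment: some MTAs deliberately defer every rejection to the end of DATA, so a post-DATA reject only shows that the earlier stages did not reject, not that no IP check ran.

```python
"""Locate the stage at which a remote server rejected a message in a
client-side SMTP transcript. Added example, not MDaemon's own code.
"""
import re
from typing import Dict, List, Optional

# "-->" is what our server sent, "<--" what the remote server replied
# (the direction convention used in the transcript above).
LINE_RE = re.compile(
    r"^\w{3} \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}: (?P<dir>-->|<--) (?P<text>.*)$")

# What a rejection at each stage usually means for triage.
STAGE_MEANING = {
    "CONNECT": "rejected at the banner: IP-level policy (DNSBL, rate limit) before any command",
    "EHLO": "rejected on HELO/EHLO: host name or reverse DNS policy",
    "HELO": "rejected on HELO/EHLO: host name or reverse DNS policy",
    "MAIL": "rejected on the envelope sender",
    "RCPT": "rejected on the recipient: unknown user or relay policy",
    "DATA": "rejected after the message body: content filtering or post-receipt checks",
}


def classify_rejection(lines: List[str]) -> Optional[Dict[str, object]]:
    """Return the first 4xx/5xx reply and the command it answered, or None."""
    last_cmd = "CONNECT"
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # status lines such as "Transfer Complete"
        if m["dir"] == "-->":
            last_cmd = m["text"].split(maxsplit=1)[0].upper()
            continue
        code = m["text"][:3]
        if code.isdigit() and code[0] in "45":
            return {
                "stage": last_cmd,
                "code": int(code),
                "reply": m["text"],
                "meaning": STAGE_MEANING.get(last_cmd, "rejected on " + last_cmd),
                # Caveat: some MTAs deliberately defer every rejection to the
                # end of DATA, so a post-DATA 5xx shows only that the IP and
                # envelope checks did not reject earlier, not that none ran.
                "content_based": last_cmd == "DATA",
            }
    return None


# Transcript lines copied from the bounce above (addresses were already
# stripped in the original).
BOUNCE_TRANSCRIPT = [
    "Thu 2013-01-31 17:19:22: * Connection established (192.168.0.115:3302 -> 198.80.42.2:25)",
    "Thu 2013-01-31 17:19:22: <-- 220 portal1.visa.com - Access is monitored. SMTP Proxy Server Ready",
    "Thu 2013-01-31 17:19:22: --> EHLO mail.ticketworld.com.ph",
    "Thu 2013-01-31 17:19:22: <-- 250-ESMTP Server Ready",
    "Thu 2013-01-31 17:19:22: <-- 250 TLS",
    "Thu 2013-01-31 17:19:22: --> MAIL From: SIZE=51304",
    "Thu 2013-01-31 17:19:23: <-- 250 +OK Sender OK",
    "Thu 2013-01-31 17:19:23: --> RCPT To:",
    "Thu 2013-01-31 17:19:23: <-- 250 +OK Recipient OK",
    "Thu 2013-01-31 17:19:23: --> DATA",
    "Thu 2013-01-31 17:19:23: <-- 354 Start mail input, end with '.'",
    "Thu 2013-01-31 17:19:23: Sending to [198.80.42.2]",
    "Thu 2013-01-31 17:19:24: Transfer Complete",
    "Thu 2013-01-31 17:19:25: <-- 554 Transaction Failed Spam Message not queued.",
]

# Constructed contrast case: the remote server refuses at the banner, before
# any command, which is where an IP-reputation (DNSBL) block normally shows.
CONNECT_REJECT = [
    "Thu 2013-01-31 17:30:00: * Connection established (192.168.0.115:3310 -> 198.51.100.25:25)",
    "Thu 2013-01-31 17:30:00: <-- 554 Service not available, connection refused by policy (constructed)",
]

if __name__ == "__main__":
    print(classify_rejection(BOUNCE_TRANSCRIPT))
    print(classify_rejection(CONNECT_REJECT))
```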

February 6, 2013

L2.APEWS.ORG False Positive #19

This is the latest false positive that we have; it has been quite a while now. The user subscribed to a newsletter and found this edition in the spam folder;

Wed 2013-02-06 04:24:19: [710:3560] Accepting SMTP connection from [208.73.5.67]
Wed 2013-02-06 04:24:19: [710:3560] Looking up PTR record for 208.73.5.67 (67.5.73.208.IN-ADDR.ARPA)
Wed 2013-02-06 04:24:20: [710:3560] D=67.5.73.208.IN-ADDR.ARPA TTL=(59) PTR=[mail4598.outdoorhub.mkt5196.com]
Wed 2013-02-06 04:24:20: [710:3560] Gathering A-records for PTR hosts
Wed 2013-02-06 04:24:20: [710:3560] D=mail4598.outdoorhub.mkt5196.com TTL=(60) A=[208.73.5.67]
Wed 2013-02-06 04:24:20: [710:3560] --> 220 xxx.xxx.xxx ESMTP MDaemon; Wed, 06 Feb 2013 04:24:20
Wed 2013-02-06 04:24:20: [710:3560] <-- EHLO mail4598.outdoorhub.mkt5196.com
Wed 2013-02-06 04:24:20: [710:3560] Performing reverse lookup on mail4598.outdoorhub.mkt5196.com (looking for 208.73.5.67)
Wed 2013-02-06 04:24:20: [710:3560] D=mail4598.outdoorhub.mkt5196.com TTL=(60) A=[208.73.5.67]
Wed 2013-02-06 04:24:20: [710:3560] --> 250-xxx.xxx.xxx Hello mail4598.outdoorhub.mkt5196.com, pleased to meet you
Wed 2013-02-06 04:24:20: [710:3560] --> 250-ETRN
Wed 2013-02-06 04:24:20: [710:3560] --> 250-AUTH=LOGIN
Wed 2013-02-06 04:24:20: [710:3560] --> 250-AUTH LOGIN CRAM-MD5
Wed 2013-02-06 04:24:20: [710:3560] --> 250-8BITMIME
Wed 2013-02-06 04:24:20: [710:3560] --> 250 SIZE 0
Wed 2013-02-06 04:24:21: [710:3560] <-- MAIL FROM:<xxx @ bounce.outdoorhub.mkt5196.com> BODY=8BITMIME
Wed 2013-02-06 04:24:21: [710:3560] Performing reverse lookup on bounce.outdoorhub.mkt5196.com (looking for 208.73.5.67)
Wed 2013-02-06 04:24:21: [710:3560] D=bounce.outdoorhub.mkt5196.com TTL=(60) A=[74.121.50.42]
Wed 2013-02-06 04:24:21: [710:3560] P=005 D=bounce.outdoorhub.mkt5196.com TTL=(60) MX=[bounce.outdoorhub.mkt5196.com] {74.121.50.42}
Wed 2013-02-06 04:24:21: [710:3560] Spam Blocker A-record resolution of [67.5.73.208.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Wed 2013-02-06 04:24:21: [710:3560] Spam Blocker D=67.5.73.208.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Wed 2013-02-06 04:24:21: [710:3560] L2.APEWS.ORG LISTED
Wed 2013-02-06 04:24:21: [710:3560] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2013-02-06 04:24:21: [710:3560] --> 250 <xxx @ bounce.outdoorhub.mkt5196.com>, Sender ok
Wed 2013-02-06 04:24:21: [710:3560] <-- RCPT TO:<xxx @ xxx.xxx>
Wed 2013-02-06 04:24:21: [710:3560] --> 250 <xxx @ xxx.xxx>, Recipient ok
Wed 2013-02-06 04:24:21: [710:3560] <-- DATA
Wed 2013-02-06 04:24:21: [710:3560] --> 354 Enter mail, end with <CRLF>.<CRLF>
Wed 2013-02-06 04:24:22: [710:3560] --> 250 Ok, message saved <Message-ID: 00000000000000000.JavaMail.app @ xxxx.xxx>
Wed 2013-02-06 04:24:22: [710:3560] <-- QUIT
Wed 2013-02-06 04:24:22: [710:3560] --> 221 See ya in cyberspace
Wed 2013-02-06 04:24:22: [710:3560] SMTP session successful, 36340 bytes transferred.
Wed 2013-02-06 04:24:22: [710:3560] Shuffling message(s) into proper queue(s)
Wed 2013-02-06 04:24:22: [710:3560] Message received from mail4598.outdoorhub.mkt5196.com [208.73.5.67] <xxx @ bounce.outdoorhub.mkt5196.com> with SMTP for <xxx @ xxx.xxx> [Size 36326] {j:\mdaemon\localq\md0000000.msg}