June 20, 2013

L2.APEWS.ORG False Positive #20

One of our users reported an email in the spam folder as an error, saying that it was a newsletter about Japan tourism that they had subscribed to. Full header here:

Wed 2013-06-19 04:27:06: [4181:459] Accepting SMTP connection from [203.191.244.137]
Wed 2013-06-19 04:27:06: [4181:459] Looking up PTR record for 203.191.244.137 (137.244.191.203.IN-ADDR.ARPA)
Wed 2013-06-19 04:27:06: [4181:459] D=137.128-26.244.191.203.IN-ADDR.ARPA TTL=(59) PTR=[mail3-5.webcas.net]
Wed 2013-06-19 04:27:06: [4181:459] Gathering A-records for PTR hosts
Wed 2013-06-19 04:27:06: [4181:459] D=mail3-5.webcas.net TTL=(60) A=[203.191.244.137]
Wed 2013-06-19 04:27:06: [4181:459] --> 220-ns7.methusalah.com ESMTP MDaemon 6.7.9; Wed, 19 Jun 2013 04:27:06 -0500
Wed 2013-06-19 04:27:06: [4181:459] -->
Wed 2013-06-19 04:27:07: [4181:459] <-- EHLO wcasp3-efmta2.webcas.net
Wed 2013-06-19 04:27:07: [4181:459] Performing reverse lookup on wcasp3-efmta2.webcas.net (looking for 203.191.244.137)
Wed 2013-06-19 04:27:07: [4181:459] Name server reports domain name unknown.
Wed 2013-06-19 04:27:07: [4181:459] --> 250-ns7.methusalah.com Hello mail3-5.webcas.net (may be forged), pleased to meet you
Wed 2013-06-19 04:27:07: [4181:459] --> 250-ETRN
Wed 2013-06-19 04:27:07: [4181:459] --> 250-AUTH=LOGIN
Wed 2013-06-19 04:27:07: [4181:459] --> 250-AUTH LOGIN CRAM-MD5
Wed 2013-06-19 04:27:07: [4181:459] --> 250-8BITMIME
Wed 2013-06-19 04:27:07: [4181:459] --> 250 SIZE 0
Wed 2013-06-19 04:27:07: [4181:459] <-- MAIL FROM:<errmailxxx @ mail3.webcas.net> SIZE=11707
Wed 2013-06-19 04:27:07: [4181:459] Performing reverse lookup on mail3.webcas.net (looking for 203.191.244.137)
Wed 2013-06-19 04:27:07: [4181:459] D=mail3.webcas.net TTL=(60) A=[203.191.244.132]
Wed 2013-06-19 04:27:08: [4181:459] P=010 D=mail3.webcas.net TTL=(60) MX=[mail3.webcas.net] {203.191.244.132}
Wed 2013-06-19 04:27:08: [4181:459] Spam Blocker A-record resolution of [137.244.191.203.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.3)...
Wed 2013-06-19 04:27:08: [4181:459] L2.APEWS.ORG LISTED
Wed 2013-06-19 04:27:08: [4181:459] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2013-06-19 04:27:08: [4181:459] --> 250 <errmailxxx @ mail3.webcas.net>, Sender ok
Wed 2013-06-19 04:27:08: [4181:459] <-- RCPT TO:<xxx@xxx.xxx>
Wed 2013-06-19 04:27:08: [4181:459] --> 250 <xxx@xxx.xxx>, Recipient ok
Wed 2013-06-19 04:27:08: [4181:459] <-- DATA
Wed 2013-06-19 04:27:08: [4181:459] --> 354 Enter mail, end with <CRLF>.<CRLF>
Wed 2013-06-19 04:27:09: [4181:459] --> 250 Ok, message saved <Message-ID: xxx.newsletter @ japantravelinfo.com>
Wed 2013-06-19 04:27:09: [4181:459] <-- QUIT
Wed 2013-06-19 04:27:09: [4181:459] --> 221 See ya in cyberspace
Wed 2013-06-19 04:27:09: [4181:459] SMTP session successful, 11682 bytes transferred.
Wed 2013-06-19 04:27:09: [4181:459] Shuffling message(s) into proper queue(s)
Wed 2013-06-19 04:27:09: [4181:459] Message received from wcasp3-efmta2.webcas.net [203.191.244.137] <errmail4-03@mail3.webcas.net> with SMTP for <xxx@xxx.xxx> [Size 11671] {j:\localq\7000002893.msg}
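The session above shows the receiver's inbound checks in order: PTR lookup for the connecting IP, A-record confirmation of the PTR host, a lookup of the EHLO name against the connecting IP (the "(may be forged)" note), then the L2.APEWS.ORG lookup built from the reversed octets, after which the message is accepted and tagged rather than rejected. The following is an added example, not MDaemon's or APEWS's code, that reproduces that sequence with an injectable resolver; the DNS answers are a constructed table mirroring the log, and the 127.0.0.2 listing response is assumed, since the log only prints LISTED.

```python
"""Receiver-side connection checks mirroring the session log (added example)."""
from dataclasses import dataclass, field
import ipaddress

# Constructed resolver data mirroring the log above. A real receiver would
# query DNS; a dictionary keeps the example offline. None models an
# NXDOMAIN answer ("Name server reports domain name unknown").
FAKE_DNS = {
    ("PTR", "137.244.191.203.in-addr.arpa"): ["mail3-5.webcas.net"],
    ("A", "mail3-5.webcas.net"): ["203.191.244.137"],
    ("A", "wcasp3-efmta2.webcas.net"): None,               # EHLO name does not resolve
    ("A", "137.244.191.203.l2.apews.org"): ["127.0.0.2"],  # listed (assumed return code)
}


def resolve(rtype, name, dns=FAKE_DNS):
    """Look up (rtype, name) in the injected table; None means no such name."""
    return dns.get((rtype, name.lower()))


def reverse_name(ip, suffix):
    """Reversed-octet query name, used both for PTR and for DNSBL lookups."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + suffix


@dataclass
class ConnectionVerdict:
    ptr_hosts: list
    fcrdns_ok: bool          # some PTR host's A record points back at the IP
    helo_matches_ip: bool    # EHLO argument resolves to the connecting IP
    dnsbl_listed: bool
    headers: list = field(default_factory=list)


def check_connection(ip, helo, zone="l2.apews.org", dns=FAKE_DNS):
    # 1. PTR lookup, then A records of each PTR host (forward-confirmed rDNS)
    ptr_hosts = resolve("PTR", reverse_name(ip, "in-addr.arpa"), dns) or []
    fcrdns_ok = any(ip in (resolve("A", h, dns) or []) for h in ptr_hosts)
    # 2. Does the EHLO name resolve to the address that is actually connecting?
    helo_matches_ip = ip in (resolve("A", helo, dns) or [])
    # 3. DNSBL: any A answer inside 127.0.0.0/8 means "listed"
    answers = resolve("A", reverse_name(ip, zone), dns) or []
    listed = any(ipaddress.IPv4Address(a) in ipaddress.IPv4Network("127.0.0.0/8")
                 for a in answers)
    verdict = ConnectionVerdict(ptr_hosts, fcrdns_ok, helo_matches_ip, listed)
    # Policy shown in the log: accept and insert a warning header, do not reject.
    if listed:
        verdict.headers.append(f"X-RBL-Warning: {ip} listed in {zone}")
    return verdict


def greeting(ip, helo, dns=FAKE_DNS):
    """Reproduce the '(may be forged)' annotation of the 250 Hello reply."""
    v = check_connection(ip, helo, dns=dns)
    name = v.ptr_hosts[0] if v.ptr_hosts else ip
    note = "" if v.helo_matches_ip else " (may be forged)"
    return f"250-Hello {name}{note}, pleased to meet you"


if __name__ == "__main__":
    print(greeting("203.191.244.137", "wcasp3-efmta2.webcas.net"))
    print(check_connection("203.191.244.137", "wcasp3-efmta2.webcas.net"))
```

The verdict separates the three signals the log conflates: the sender here passes forward-confirmed rDNS, fails the EHLO-to-IP match, and is DNSBL-listed, so only the tagging policy decides what happens to the message.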

June 18, 2013

Apews listing only part of the problem, correctly listed IP

Hi APEWS Admins, please remove my IP address from your blacklist : 162.39.36.66

Thanks!

Full headers:

Received: from pusen02 (192.168.16.40) by connect.activedata.ca
(192.168.16.38) with Microsoft SMTP Server (TLS) id 14.2.247.3; Tue, 18 Jun
2013 07:59:31 -0400
Received: from pusen02 ([162.39.36.66] helo=pusen02) by ASSP.nospam with SMTP
(2.3.3); 18 Jun 2013 07:59:31 -0400
From: <***@***.com>
Subject: [SPAM]
To: J*** <***@***.com>
Date: Tue, 18 Jun 2013 07:49:24 -0400
Message-ID: <201306180749242N.DCSML-S000250000.000074FBD545@172.23.40.3>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_41dffd17-33c1-4156-825e-2450e53d5501_"
X-Assp-Version: 2.3.3(13137) on ASSP.nospam
X-Assp-ID: ASSP.nospam m1-56771-09551
X-Assp-Session: 7F329949E7B8 (mail 1)
X-Assp-Server-TLS: yes
X-Assp-Received-SPF: softfail ip=162.39.36.66 mailfrom=***@***.com
helo=pusen02
X-Original-Authentication-Results: ASSP.nospam; spf=softfail
X-Assp-Message-Score: 5 (SPF softfail)
X-Assp-IP-Score: 5 (SPF softfail)
X-Assp-Message-Score: 35 (DNSBLcache: neutral, 162.39.36.66 listed in
l2.apews.org{127.0.0.2})
X-Assp-IP-Score: 35 (DNSBLcache: neutral, 162.39.36.66 listed in
l2.apews.org{127.0.0.2})
X-Assp-DNSBLcache: neutral, 162.39.36.66 listed in l2.apews.org{127.0.0.2}
X-Assp-Message-Score: 10 (invalid HELO: 'pusen02')
X-Assp-IP-Score: 10 (invalid HELO: 'pusen02')
X-Assp-Bayes-Confidence: 0.00040
X-Assp-Tag: MessageLimit
X-Assp-Spam: YES
X-Spam-Status: yes
X-Assp-Spam-Reason: MessageScore passed low limit
X-Assp-Message-Totalscore: 50
X-Assp-Spam-Level: ***********
Return-Path: ***@***.com
X-MS-Exchange-Organization-AuthSource: ExchSrv.activedata.local
X-MS-Exchange-Organization-AuthAs: Anonymous
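The X-Assp-Message-Score headers above are additive, and the total they reach is what ASSP compares against its limit. The following added example (not ASSP's own code) parses a constructed copy of those headers, with the continuation lines folded as they are on the wire and the address placeholders replaced by an example.com sender, tallies the components, checks them against X-Assp-Message-Totalscore, and shows what the score would be with the DNSBL component removed.

```python
"""Tally ASSP scoring headers from a bounced message (added example)."""
import re
from email import message_from_string
from email.policy import default

# Constructed sample mirroring the report's headers, folded with a leading
# space on continuation lines as a real message would carry them.
SAMPLE_HEADERS = """\
X-Assp-Received-SPF: softfail ip=162.39.36.66 mailfrom=sender@example.com
 helo=pusen02
X-Assp-Message-Score: 5 (SPF softfail)
X-Assp-IP-Score: 5 (SPF softfail)
X-Assp-Message-Score: 35 (DNSBLcache: neutral, 162.39.36.66 listed in
 l2.apews.org{127.0.0.2})
X-Assp-IP-Score: 35 (DNSBLcache: neutral, 162.39.36.66 listed in
 l2.apews.org{127.0.0.2})
X-Assp-Message-Score: 10 (invalid HELO: 'pusen02')
X-Assp-IP-Score: 10 (invalid HELO: 'pusen02')
X-Assp-Spam: YES
X-Assp-Spam-Reason: MessageScore passed low limit
X-Assp-Message-Totalscore: 50

"""

# "<points> (<reason>)" after the folded value is collapsed to one line
SCORE_RE = re.compile(r"^\s*(\d+)\s*\((.*)\)\s*$", re.S)


def score_components(raw, header="X-Assp-Message-Score"):
    """Return [(points, reason), ...] for every occurrence of `header`."""
    msg = message_from_string(raw, policy=default)
    out = []
    for value in msg.get_all(header, []):
        m = SCORE_RE.match(" ".join(str(value).split()))
        if m:
            out.append((int(m.group(1)), m.group(2)))
    return out


def total_matches(raw):
    """(True/False, declared total): do the components add up to Totalscore?"""
    msg = message_from_string(raw, policy=default)
    declared = int(msg["X-Assp-Message-Totalscore"])
    return sum(p for p, _ in score_components(raw)) == declared, declared


def score_without(raw, keyword):
    """Score if every component whose reason mentions `keyword` were dropped."""
    return sum(p for p, r in score_components(raw)
               if keyword.lower() not in r.lower())


if __name__ == "__main__":
    for points, reason in score_components(SAMPLE_HEADERS):
        print(f"{points:>3}  {reason}")
    print("total consistent:", total_matches(SAMPLE_HEADERS))
    print("score without DNSBL component:", score_without(SAMPLE_HEADERS, "DNSBL"))
```

Running it shows the listing contributed 35 of the 50 points, while the SPF softfail and the non-FQDN HELO add another 15 on their own, which is the point the response below makes about the listing being only part of the problem.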

The delivering server is using an incorrect HELO/EHLO; it should be a FQDN (fully qualified domain name). To do that you need to contact your ISP, Windstream, and tell them what FQDN you want them to write in their DNS server as the PTR record. Windstream are using generic PTR records, which are not satisfactory for email servers; yours is showing as:
h66.36.39.162.static.ip.windstream.net
That alone will cause your emails to fail the reverse DNS lookups that many email servers perform automatically in real time.
Using Windstream IP space probably isn't doing you any favors either. If they won't do that DNS entry for you, you'll have to change ISP or accept a poor delivery rate.
The person who set up your email server does not know enough to do the job; we suggest you contact a professional who knows about things like EHLO/HELO configuration and SMTP per the RFCs.
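A sender can audit the two things the response above asks for before asking the ISP for anything: whether the HELO/EHLO argument is a fully qualified name, and whether the PTR record is a generic ISP-assigned name rather than the mail host's own. The following is an added example (not APEWS's or any MTA's code) that checks HELO syntax per the RFC 5321 host-name rules and uses a heuristic for generic PTRs, flagging a name that embeds all four octets of the address, as the windstream.net name above does. The constructed good case uses example.net names.

```python
"""HELO and PTR hygiene audit for a sending mail server (added example)."""
import ipaddress
import re

# One DNS label: 1-63 chars of letters, digits, hyphens, no leading/trailing hyphen
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """True if `name` is a syntactically valid, multi-label host name."""
    name = name.rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or len(name) > 253:
        return False
    if not all(LABEL_RE.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()   # a bare IPv4 address is not a host name


def ptr_looks_generic(ip, ptr):
    """Heuristic: the PTR name embeds every octet of the address.

    Names like h66.36.39.162.static.ip.windstream.net are ISP templates,
    not a name the mail operator chose, which is what the response objects to.
    """
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    tokens = re.split(r"[.\-]", ptr.lower())
    # strip a leading alphabetic prefix such as 'h66' -> '66'
    normalized = [re.sub(r"^[a-z]+", "", t) for t in tokens]
    return all(o in normalized for o in octets)


def audit(ip, helo, ptr):
    """Return a list of findings; an empty list means the setup looks sane."""
    findings = []
    if not is_fqdn(helo):
        findings.append(f"HELO '{helo}' is not a fully qualified domain name")
    if ptr is None:
        findings.append("no PTR record for the sending IP")
    else:
        if ptr_looks_generic(ip, ptr):
            findings.append(f"PTR '{ptr}' looks like a generic ISP name")
        if helo.rstrip(".").lower() != ptr.rstrip(".").lower():
            findings.append("HELO name and PTR name differ")
    return findings


if __name__ == "__main__":
    # the reported setup
    for f in audit("162.39.36.66", "pusen02", "h66.36.39.162.static.ip.windstream.net"):
        print("-", f)
    # a constructed clean setup (example.net is a documentation domain)
    print(audit("192.0.2.10", "mail.example.net", "mail.example.net"))
```

The generic-PTR heuristic is deliberately conservative: it only fires when all four octets appear in the name, so a host legitimately named after a single number is not flagged.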

No evidence of Apews listing causing this email delivery failure

Herewith is the header of the bounced email. The IP is not blacklisted in any other anti-spam portal, only in APEWS, though that is still a July 07, 2007 record.

Thu 2013-01-31 17:19:22: * Connection established (192.168.0.115:3302 -> 198.80.42.2:25)
Thu 2013-01-31 17:19:22: Waiting for protocol to start...
Thu 2013-01-31 17:19:22: <-- 220 portal1.visa.com - Access is monitored. SMTP Proxy Server Ready
Thu 2013-01-31 17:19:22: --> EHLO mail.ticketworld.com.ph
Thu 2013-01-31 17:19:22: <-- 250-ESMTP Server Ready
Thu 2013-01-31 17:19:22: <-- 250-SIZE 20971520
Thu 2013-01-31 17:19:22: <-- 250-DSN
Thu 2013-01-31 17:19:22: <-- 250-STARTTLS
Thu 2013-01-31 17:19:22: <-- 250 TLS
Thu 2013-01-31 17:19:22: --> MAIL From: SIZE=51304
Thu 2013-01-31 17:19:23: <-- 250 +OK Sender OK
Thu 2013-01-31 17:19:23: --> RCPT To:
Thu 2013-01-31 17:19:23: <-- 250 +OK Recipient OK
Thu 2013-01-31 17:19:23: --> DATA
Thu 2013-01-31 17:19:23: <-- 354 Start mail input, end with '.'
Thu 2013-01-31 17:19:23: Sending to [198.80.42.2]
Thu 2013-01-31 17:19:24: Transfer Complete
Thu 2013-01-31 17:19:25: <-- 554 Transaction Failed Spam Message not queued.

This looks like your connection to the server was authenticated correctly and that the email was delivered correctly too. It seems to have failed, possibly on the content of the email or on other parameters that were tested during/after receipt of the email. I suggest that you contact the server administrator. There is no mention of a failure due to an Apews.org listing.
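The reasoning in the response rests on where in the session the rejection came: a DNSBL check on the connecting IP acts at connect, EHLO, MAIL FROM or RCPT TO, whereas a 554 after the body has been transferred means the receiver judged the content. The following added example (not the user's or APEWS's code) walks an outbound MDaemon-style transcript and reports the stage of the first 4xx/5xx reply. The first transcript is copied in shape from the session above; the second, rejected at RCPT TO, is constructed for contrast with example.net/example.org names.

```python
"""Locate the SMTP stage at which an outbound session was rejected (added example)."""
import re

# Transcript in the shape of the session above: client lines '-->', server '<--'
SESSION = """\
Thu 2013-01-31 17:19:22: <-- 220 portal1.visa.com - Access is monitored. SMTP Proxy Server Ready
Thu 2013-01-31 17:19:22: --> EHLO mail.ticketworld.com.ph
Thu 2013-01-31 17:19:22: <-- 250-ESMTP Server Ready
Thu 2013-01-31 17:19:22: <-- 250 TLS
Thu 2013-01-31 17:19:22: --> MAIL From: SIZE=51304
Thu 2013-01-31 17:19:23: <-- 250 +OK Sender OK
Thu 2013-01-31 17:19:23: --> RCPT To:
Thu 2013-01-31 17:19:23: <-- 250 +OK Recipient OK
Thu 2013-01-31 17:19:23: --> DATA
Thu 2013-01-31 17:19:23: <-- 354 Start mail input, end with '.'
Thu 2013-01-31 17:19:24: Transfer Complete
Thu 2013-01-31 17:19:25: <-- 554 Transaction Failed Spam Message not queued.
"""

# Constructed contrast case: refused at RCPT TO, before any content is sent
SESSION_RCPT_REJECT = """\
Mon 2013-02-04 10:00:00: <-- 220 mx.example.net ESMTP
Mon 2013-02-04 10:00:00: --> EHLO mail.example.org
Mon 2013-02-04 10:00:00: <-- 250 mx.example.net
Mon 2013-02-04 10:00:01: --> MAIL From:<sender@example.org>
Mon 2013-02-04 10:00:01: <-- 250 OK
Mon 2013-02-04 10:00:01: --> RCPT To:<user@example.net>
Mon 2013-02-04 10:00:01: <-- 550 5.7.1 Service unavailable; client host blocked (constructed)
"""

# timestamp prefix, then the direction marker and the protocol line
LINE_RE = re.compile(r"^\S+ \S+ \S+: (-->|<--) (.*)$")


def classify_rejection(transcript):
    """Return (stage, reply) for the first 4xx/5xx reply, or (None, None)."""
    stage = "CONNECT"            # the last command the client sent
    for line in transcript.splitlines():
        m = LINE_RE.match(line)
        if not m:                # status lines such as 'Transfer Complete'
            continue
        direction, text = m.groups()
        if direction == "-->":
            stage = text.split()[0].upper()   # EHLO, MAIL, RCPT, DATA, ...
            continue
        code = text[:3]
        if code[:1] in "45":
            return stage, text
        if stage == "DATA" and code == "354":
            stage = "DATA-END"   # the next reply is the verdict on the body
    return None, None


def likely_cause(stage):
    """What the receiver was most likely evaluating at that stage."""
    if stage in ("CONNECT", "EHLO", "MAIL", "RCPT"):
        return "connecting IP, sender or recipient policy (where DNSBL checks act)"
    if stage == "DATA-END":
        return "message content or post-receipt filtering"
    return "unknown"


if __name__ == "__main__":
    for name, t in (("reported session", SESSION), ("constructed session", SESSION_RCPT_REJECT)):
        stage, reply = classify_rejection(t)
        print(f"{name}: rejected at {stage} -> {likely_cause(stage)}\n  {reply}")
```

For the reported session the rejection lands at DATA-END, which is why the reply asks for the receiving server's administrator rather than a DNSBL delisting.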