July 22, 2013

L2.APEWS.ORG False Positive #22

This is another newsletter that a user reported finding in the spam folder even though it had been properly subscribed to. Checking the IP address of the sending server, we find that it is no longer listed, so this is being published for information only:

Fri 2013-07-19 01:05:11: [9010:4232] Accepting SMTP connection from [72.232.93.13]
Fri 2013-07-19 01:05:11: [9010:4232] Looking up PTR record for 72.232.93.13 (13.93.232.72.IN-ADDR.ARPA)
Fri 2013-07-19 01:05:12: [9010:4232] D=13.93.232.72.IN-ADDR.ARPA TTL=(179) PTR=[nlserv14.123greetings.info]
Fri 2013-07-19 01:05:12: [9010:4232] Gathering A-records for PTR hosts
Fri 2013-07-19 01:05:13: [9010:4232] Name server reports domain name unknown.
Fri 2013-07-19 01:05:13: [9010:4232] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Fri, 19 Jul 2013 21:00:13 -0100
Fri 2013-07-19 01:05:13: [9010:4232] <-- EHLO 123greetings.info
Fri 2013-07-19 01:05:13: [9010:4232] Performing reverse lookup on 123greetings.info (looking for 72.232.93.13)
Fri 2013-07-19 01:05:13: [9010:4232] D=123greetings.info TTL=(60) A=[216.104.165.71]
Fri 2013-07-19 01:05:14: [9010:4232] P=010 D=123greetings.info TTL=(60) MX=[mx1.emailsrvr.com] {98.129.184.131}
Fri 2013-07-19 01:05:14: [9010:4232] --> 250-xxx.xxx.xxx Hello nlserv14.123greetings.info (may be forged), pleased to meet you
Fri 2013-07-19 01:05:14: [9010:4232] --> 250-ETRN
Fri 2013-07-19 01:05:14: [9010:4232] --> 250-AUTH=LOGIN
Fri 2013-07-19 01:05:14: [9010:4232] --> 250-AUTH LOGIN CRAM-MD5
Fri 2013-07-19 01:05:14: [9010:4232] --> 250-8BITMIME
Fri 2013-07-19 01:05:14: [9010:4232] --> 250 SIZE 0
Fri 2013-07-19 01:05:14: [9010:4232] <-- MAIL FROM:<newsletter @ 123greetings.info> BODY=8BITMIME
Fri 2013-07-19 01:05:14: [9010:4232] Performing reverse lookup on 123greetings.info (looking for 72.232.93.13)
Fri 2013-07-19 01:05:14: [9010:4232] D=123greetings.info TTL=(59) A=[216.104.165.71]
Fri 2013-07-19 01:05:14: [9010:4232] P=010 D=123greetings.info TTL=(59) MX=[mx1.emailsrvr.com] {98.129.184.131}
Fri 2013-07-19 01:05:14: [9010:4232] Spam Blocker A-record resolution of [13.93.232.72.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Fri 2013-07-19 01:05:14: [9010:4232] Spam Blocker D=13.93.232.72.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Fri 2013-07-19 01:05:14: [9010:4232] L2.APEWS.ORG LISTED
Fri 2013-07-19 01:05:14: [9010:4232] Message will be accepted and X-RBL-Warning: header will be inserted.
Fri 2013-07-19 01:05:14: [9010:4232] --> 250 <newsletter @ 123greetings.info>, Sender ok
Fri 2013-07-19 01:05:14: [9010:4232] <-- RCPT TO:<xxx @ xxx.xxx>
Fri 2013-07-19 01:05:14: [9010:4232] --> 250 <xxx @ xxx.xxx>, Recipient ok
Fri 2013-07-19 01:05:14: [9010:4232] <-- DATA
Fri 2013-07-19 01:05:14: [9010:4232] --> 354 Enter mail, end with <CRLF>.<CRLF>
Fri 2013-07-19 01:05:15: [9010:4232] --> 250 Ok, message saved <Message-ID: 2013.newsletter @ 123greetings.info>
Fri 2013-07-19 01:05:15: [9010:4232] <-- QUIT
Fri 2013-07-19 01:05:15: [9010:4232] --> 221 See ya in cyberspace
Fri 2013-07-19 01:05:15: [9001:4232] SMTP session successful, 14619 bytes transferred.
Fri 2013-07-19 01:05:15: [9010:4232] Shuffling message(s) into proper queue(s)
Fri 2013-07-19 01:05:15: [9010:4232] Message received from 123greetings.info [72.232.93.13] <newsletter @ 123greetings.info> with SMTP for <xxx @ xxx.xxx> [Size 0] {j:\localq\0003197.msg}

July 18, 2013

L2.APEWS.ORG False Positive #21

We're publishing this one for the record: the newsletter was found in the junk folder by the user but was in fact subscribed to. The IP address has already been de-listed, so this is just for information:

Tue 2013-07-16 05:49:33: [6716:1620] Accepting SMTP connection from [63.121.28.41]
Tue 2013-07-16 05:49:33: [6716:1620] Looking up PTR record for 63.121.28.41 (41.28.121.63.IN-ADDR.ARPA)
Tue 2013-07-16 05:49:34: [6716:1620] D=41.28.121.63.IN-ADDR.ARPA TTL=(59) PTR=[unicamailman301-q1.sb.monster.com]
Tue 2013-07-16 05:49:34: [6716:1620] Gathering A-records for PTR hosts
Tue 2013-07-16 05:49:34: [6716:1620] D=unicamailman301-q1.sb.monster.com TTL=(60) A=[63.121.28.41]
Tue 2013-07-16 05:49:34: [6716:1620] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Tue, 16 Jul 2013 05:49:34 -0500
Tue 2013-07-16 05:49:34: [6716:1620] <-- HELO unicamailman301-q1.sb.monster.com
Tue 2013-07-16 05:49:34: [6716:1620] Performing reverse lookup on unicamailman301-q1.sb.monster.com (looking for 63.121.28.41)
Tue 2013-07-16 05:49:34: [6716:1620] D=unicamailman301-q1.sb.monster.com TTL=(60) A=[63.121.28.41]
Tue 2013-07-16 05:49:34: [6716:1620] --> 250 xxx.xxx.xxx Hello unicamailman301-q1.sb.monster.com, pleased to meet you
Tue 2013-07-16 05:49:34: [6716:1620] <-- MAIL FROM:<smas.30-230433_448550_3@e0.monster.com>
Tue 2013-07-16 05:49:34: [6716:1620] Performing reverse lookup on e0.monster.com (looking for 63.121.28.41)
Tue 2013-07-16 05:49:34: [6716:1620] D=e0.monster.com TTL=(10) A=[63.112.169.1]
Tue 2013-07-16 05:49:35: [6716:1620] P=020 D=e0.monster.com TTL=(10) MX=[mailsorter.sb.monster.com] {63.121.30.235}
Tue 2013-07-16 05:49:35: [6716:1620] P=020 D=e0.monster.com TTL=(10) MX=[mailsorter.be.tmpw.net] {208.71.195.235}
Tue 2013-07-16 05:49:35: [6716:1620] Spam Blocker A-record resolution of [41.28.121.63.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Tue 2013-07-16 05:49:35: [6716:1620] Spam Blocker D=41.28.121.63.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Tue 2013-07-16 05:49:35: [6716:1620] L2.APEWS.ORG LISTED
Tue 2013-07-16 05:49:35: [6716:1620] Message will be accepted and X-RBL-Warning: header will be inserted.
Tue 2013-07-16 05:49:35: [6716:1620] --> 250 <smas.30-230433_4 @ .monster.com>, Sender ok
Tue 2013-07-16 05:49:35: [6716:1620] <-- RCPT TO:<xxx@xxx.xxx>
Tue 2013-07-16 05:49:35: [6716:1620] --> 250 <xxx@xxx.xxx>, Recipient ok
Tue 2013-07-16 05:49:35: [6716:1620] <-- DATA
Tue 2013-07-16 05:49:35: [6716:1620] --> 354 Enter mail, end with <CRLF>.<CRLF>
Tue 2013-07-16 05:49:36: [6716:1620] --> 250 Ok, message saved <Message-ID: emsg.826.7140f20 @ unica7emsg201.be.monster.com>
Tue 2013-07-16 05:49:36: [6716:1620] <-- QUIT
Tue 2013-07-16 05:49:36: [6716:1620] --> 221 See ya in cyberspace
Tue 2013-07-16 05:49:36: [6716:1620] SMTP session successful, 13598 bytes transferred.
Tue 2013-07-16 05:49:36: [6716:1620] Shuffling message(s) into proper queue(s)
Tue 2013-07-16 05:49:36: [6716:1620] Message received from unicamailman301-q1.sb.monster.com [63.121.28.41] <smas.30-230433_448550_3 @ .monster.com> with SMTP for <xxx@xxx.xxx> [Size 0] {j:\localq\1150000318214.msg}
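
The following Python example is added here and is not part of the original posts or of MDaemon: it parses session lines like those in both logs above, derives the DNSBL zone from the query name built on the connecting IP, and records whether forward-confirmed reverse DNS passed and what the server did with the listing. The log excerpts are copied from the two sessions on this page with timestamps trimmed; the function names and the use of the bracketed [n:n] tag as a session key are assumptions.

```python
import ipaddress
import re

# Excerpted from the two sessions on this page (timestamps trimmed).
SAMPLE = """\
[9010:4232] Accepting SMTP connection from [72.232.93.13]
[9010:4232] D=13.93.232.72.IN-ADDR.ARPA TTL=(179) PTR=[nlserv14.123greetings.info]
[9010:4232] Name server reports domain name unknown.
[9010:4232] Spam Blocker D=13.93.232.72.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
[9010:4232] Message will be accepted and X-RBL-Warning: header will be inserted.
[6716:1620] Accepting SMTP connection from [63.121.28.41]
[6716:1620] D=41.28.121.63.IN-ADDR.ARPA TTL=(59) PTR=[unicamailman301-q1.sb.monster.com]
[6716:1620] D=unicamailman301-q1.sb.monster.com TTL=(60) A=[63.121.28.41]
[6716:1620] Spam Blocker D=41.28.121.63.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
[6716:1620] Message will be accepted and X-RBL-Warning: header will be inserted.
"""

def dnsbl_name(ip, zone):
    """DNSBL query name: the IPv4 octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def summarize(log_text):
    """Summarise each session, keyed by connecting IP."""
    sessions = {}
    for line in log_text.splitlines():
        m = re.match(r".*?(\[\d+:\d+\]) (.*)", line)  # assumed session tag
        if not m:
            continue
        s = sessions.setdefault(m.group(1), {"fcrdns": False, "action": None})
        msg = m.group(2)
        if c := re.match(r"Accepting SMTP connection from \[([\d.]+)\]", msg):
            s["ip"] = c.group(1)
        elif p := re.search(r"PTR=\[([^\]]+)\]", msg):
            s["ptr"] = p.group(1)
        elif (b := re.match(r"Spam Blocker D=(\S+) TTL=\(\d+\) A=\[([\d.]+)\]", msg)) and "ip" in s:
            prefix = dnsbl_name(s["ip"], "")  # e.g. "13.93.232.72."
            name, answer = b.groups()
            # The zone is whatever follows the reversed client IP in the query.
            s["zone"] = name[len(prefix):] if name.startswith(prefix) else None
            # DNSBLs signal a listing with an answer inside 127.0.0.0/8.
            s["listed"] = ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8")
        elif a := re.match(r"D=(\S+) TTL=\(\d+\) A=\[([\d.]+)\]", msg):
            # Forward-confirmed rDNS: the PTR host must resolve back to the client.
            if a.group(1) == s.get("ptr") and a.group(2) == s.get("ip"):
                s["fcrdns"] = True
        elif "X-RBL-Warning" in msg:
            s["action"] = "tagged"
    return {s["ip"]: s for s in sessions.values() if "ip" in s}
```

In the first session the PTR host does not resolve, which matches the "(may be forged)" greeting in that log, while the second session passes forward confirmation. Both were tagged on the L2.APEWS.ORG answer alone.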