October 3, 2013

L2.APEWS.ORG False Positive #24

Another user reported a newsletter landing in the junk folder; on checking, however, the sending IP address appears to have already been delisted. Publishing this false positive for the record (full MDaemon SMTP session log, munged where appropriate):

Wed 2013-10-02 18.13:20: [1768:723] Accepting SMTP connection from [159.220.9.56]
Wed 2013-10-02 18.13:20: [1768:723] Looking up PTR record for 159.220.9.56 (56.9.220.159.IN-ADDR.ARPA)
Wed 2013-10-02 18.13:21: [1768:723] D=56.9.220.159.IN-ADDR.ARPA TTL=(0) PTR=[mailout2-trm.thomsonreuters.com]
Wed 2013-10-02 18.13:21: [1768:723] Gathering A-records for PTR hosts
Wed 2013-10-02 18.13:21: [1768:723] D=mailout2-trm.thomsonreuters.com TTL=(60) A=[159.220.9.56]
Wed 2013-10-02 18.13:21: [1768:723] --> 220 xxx.xxx.xxx ESMTP MDaemon 6.7.9; Wed, 02 Oct 2013 18.13:21 -0500
Wed 2013-10-02 18.13:21: [1768:723] <-- EHLO mailout2-trm.thomsonreuters.com
Wed 2013-10-02 18.13:21: [1768:723] Performing reverse lookup on mailout2-trm.thomsonreuters.com (looking for 159.220.9.56)
Wed 2013-10-02 18.13:21: [1768:723] D=mailout2-trm.thomsonreuters.com TTL=(59) A=[159.220.9.56]
Wed 2013-10-02 18.13:21: [1768:723] --> 250-xxx.xxx.xxx Hello mailout2-trm.thomsonreuters.com, pleased to meet you
Wed 2013-10-02 18.13:21: [1768:723] --> 250-ETRN
Wed 2013-10-02 18.13:21: [1768:723] --> 250-AUTH=LOGIN
Wed 2013-10-02 18.13:21: [1768:723] --> 250-AUTH LOGIN CRAM-MD5
Wed 2013-10-02 18.13:21: [1768:723] --> 250-8BITMIME
Wed 2013-10-02 18.13:21: [1768:723] --> 250 SIZE 0
Wed 2013-10-02 18.13:21: [1768:723] <-- MAIL From:<x@ thomsonreuters.com> SIZE=45939
Wed 2013-10-02 18.13:21: [1768:723] Performing reverse lookup on thomsonreuters.com (looking for 159.220.9.56)
Wed 2013-10-02 18.13:22: [1768:723] D=thomsonreuters.com TTL=(0) A=[163.231.4.79]
Wed 2013-10-02 18.13:22: [1768:723] P=020 D=thomsonreuters.com TTL=(0) MX=[mailin2-tr.thomsonreuters.com] {59.144.10.241}
Wed 2013-10-02 18.13:22: [1768:723] P=020 D=thomsonreuters.com TTL=(0) MX=[mailin1-tr.thomsonreuters.com] {199.224.149.51}
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin7-tr.thomsonreuters.com]
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin6-tr.thomsonreuters.com] {159.220.48.8}
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin5-tr.thomsonreuters.com]
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin4-tr.thomsonreuters.com]
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin3-tr.thomsonreuters.com]
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin2-trp.thomsonreuters.com] {163.231.6.25}
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin2-trm.thomsonreuters.com] {159.220.9.53}
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin1-trp.thomsonreuters.com] {163.231.6.5}
Wed 2013-10-02 18.13:22: [1768:723] P=010 D=thomsonreuters.com TTL=(0) MX=[mailin1-trm.thomsonreuters.com] {159.220.28.53}
Wed 2013-10-02 18.13:22: [1768:723] D=mailin7-tr.thomsonreuters.com TTL=(0) A=[159.220.48.10]
Wed 2013-10-02 18.13:22: [1768:723] D=mailin5-tr.thomsonreuters.com TTL=(0) A=[159.220.38.28]
Wed 2013-10-02 18.13:22: [1768:723] D=mailin4-tr.thomsonreuters.com TTL=(0) A=[159.220.20.196]
Wed 2013-10-02 18.13:22: [1768:723] D=mailin3-tr.thomsonreuters.com TTL=(0) A=[159.220.16.156]
Wed 2013-10-02 18.13:22: [1768:723] Spam Blocker A-record resolution of [56.9.220.159.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...
Wed 2013-10-02 18.13:22: [1768:723] Spam Blocker D=56.9.220.159.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]
Wed 2013-10-02 18.13:22: [1768:723] L2.APEWS.ORG LISTED
Wed 2013-10-02 18.13:22: [1768:723] Message will be accepted and X-RBL-Warning: header will be inserted.
Wed 2013-10-02 18.13:22: [1768:723] --> 250 <x@ thomsonreuters.com>, Sender ok
Wed 2013-10-02 18.13:23: [1768:723] <-- RCPT To:<xxx@ xxx.xxx>
Wed 2013-10-02 18.13:23: [1768:723] --> 250 <xxx@ xxx.xxx>, Recipient ok
Wed 2013-10-02 18.13:23: [1768:723] <-- DATA
Wed 2013-10-02 18.13:23: [1768:723] --> 354 Enter mail, end with <CRLF>.<CRLF>
Wed 2013-10-02 18.13:24: [1768:723] --> 250 Ok, message saved <Message-ID: 11D276E588427@ ERFMMBX12.ERF.thomson.com>
Wed 2013-10-02 18.13:26: [1768:723] <-- QUIT
Wed 2013-10-02 18.13:26: [1768:723] --> 221 See ya in cyberspace
Wed 2013-10-02 18.13:26: [1768:723] SMTP session successful, 46875 bytes transferred.
Wed 2013-10-02 18.13:26: [1768:723] Shuffling message(s) into proper queue(s)
Wed 2013-10-02 18.13:26: [1768:723] Message received from mailout2-trm.thomsonreuters.com [159.220.9.56] <x@ thomsonreuters.com> with SMTP for <xxx@ xxx.xxx> [Size 4859] {i:\localq\000351496.msg}
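The lookup MDaemon performs in the middle of that session (reverse the octets of 159.220.9.56, append the L2.APEWS.ORG zone, treat an A record in 127.0.0.0/8 as "listed") is worth being able to reproduce by hand when a report like this comes in. The following is an added example, not code from the original post or from MDaemon: it builds the DNSBL query name, interprets the answer, checks that the PTR name forward-confirms to the connecting IP as the log does, and pulls the Spam Blocker result back out of the log lines above. The resolver is a stub seeded only with the answers visible in this log so it runs offline; STUB_DNS, the function names and the NOT-listed address 192.0.2.1 are assumptions for illustration.

```python
"""DNSBL and FCrDNS checks modelled on the L2.APEWS.ORG lookup in the
MDaemon log above.  Added example; the "resolver" is a constructed dict
seeded with the answers the log shows, so nothing is queried on the network."""
import ipaddress
import re

# Constructed stand-in for a DNS resolver: query name -> list of A records.
# Seeded from the log: the APEWS answer for 159.220.9.56 and the PTR host's A.
STUB_DNS = {
    "56.9.220.159.L2.APEWS.ORG": ["127.0.0.2"],
    "mailout2-trm.thomsonreuters.com": ["159.220.9.56"],
}

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the DNSBL zone (as MDaemon does)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on non-IPv4 input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dnsbl_lookup(ip: str, zone: str, resolver=STUB_DNS):
    """Return (listed, hits).  Only answers inside 127.0.0.0/8 count as a
    listing; a DNSBL that starts answering with anything else (for example a
    retired zone whose domain now wildcards) must not be treated as a hit."""
    name = dnsbl_query_name(ip, zone)
    hits = [a for a in resolver.get(name, [])
            if ipaddress.ip_address(a) in LOOPBACK]
    return bool(hits), hits


def forward_confirmed(ip: str, ptr_name: str, resolver=STUB_DNS) -> bool:
    """FCrDNS: the name returned for the IP's PTR must resolve back to that IP.
    Mirrors the 'Gathering A-records for PTR hosts' step in the log."""
    return ip in resolver.get(ptr_name, [])


# Matches the answer line MDaemon writes for a Spam Blocker (DNSBL) query.
SPAM_BLOCKER_RE = re.compile(
    r"Spam Blocker D=(?P<qname>\S+) TTL=\(\d+\) A=\[(?P<answer>[\d.]+)\]")


def parse_spam_blocker_lines(lines):
    """Extract (query name, answer) pairs from MDaemon log lines; other lines
    (session chatter, PTR/MX lookups) are ignored."""
    results = []
    for line in lines:
        m = SPAM_BLOCKER_RE.search(line)
        if m:
            results.append((m.group("qname"), m.group("answer")))
    return results


# Three lines copied from the log on this page.
SAMPLE_LOG = [
    "Wed 2013-10-02 18.13:22: [1768:723] Spam Blocker A-record resolution of "
    "[56.9.220.159.L2.APEWS.ORG] in progress (DNS Server: 192.168.1.2)...",
    "Wed 2013-10-02 18.13:22: [1768:723] Spam Blocker "
    "D=56.9.220.159.L2.APEWS.ORG TTL=(35) A=[127.0.0.2]",
    "Wed 2013-10-02 18.13:22: [1768:723] L2.APEWS.ORG LISTED",
]

if __name__ == "__main__":
    ip, zone = "159.220.9.56", "L2.APEWS.ORG"
    print("query name:", dnsbl_query_name(ip, zone))
    print("listed:", dnsbl_lookup(ip, zone))
    print("FCrDNS ok:", forward_confirmed(ip, "mailout2-trm.thomsonreuters.com"))
    print("from log:", parse_spam_blocker_lines(SAMPLE_LOG))
```

To check whether a listing is still current rather than trust the stub, point a real resolver at the same query name (for example `dig +short 56.9.220.159.L2.APEWS.ORG`); an empty answer means the IP is no longer listed, which is what the delisting noted above would look like. The 127.0.0.0/8 filter is the important caveat: a DNSBL answer outside that range is not a listing and should be logged and ignored, not acted on.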