Status is always "blacklisted"

stan_qaz
Omniscient Kiwi
Location: Gilbert, Arizona
Posts: 8671
Joined: Fri Jul 25, 2008 5:13 am

Re: Status is always "blacklisted"

Sun Oct 05, 2008 6:48 am

Sounds like you may have a wildcard in your blacklist, something like *@gmail.com that is causing the problem.

You might want to reconsider adding addresses from most spam to your blacklist as the spammers have developed programs that generate random addresses and forge them into the mail headers. They did this to defeat the blacklisting tools and it works for them as they rarely reuse an address. I reserve my blacklist for e-mail addresses that are not forged. Others (usually with multiple accounts) do use the blacklist but set it to only keep addresses for a week.

If you haven't read this on bouncing it is worth your time, it can cause you a lot of problems if you forge a bounce message to an e-mail that has a forged header and somewhere over 90% of them do.

http://wiki.castlecops.com/What_is_Wron ... ncing_Spam
Ikeb
Microsoft MVP with a slice of PITA
Location: Ottawa, Ontario, Canada
Posts: 455
Joined: Thu Jul 24, 2008 3:56 pm

Re: Status is always "blacklisted"

Mon Oct 27, 2008 7:51 pm

ChickNew wrote: I reserve my blacklist for e-mail addresses that are not forged
Then you would have very few addresses ... unless you want to filter out folks you know.
ChickNew wrote:I would like to know how you determine which email addresses are forged...and which ones are not forged.
It requires a lot of detective leg work. Checking the Received: fields for discontinuous relay chaining is prolly the best way. MWP can be used to some extent but there are limitations, especially WRT regex capabilities. I believe SpamCop checks those fields using reverse DNS to verify IP addresses for example. Stan may be able to offer more details.
ChickNew wrote:...(can legitimate return addresses be found in the header portions of the email...somewhere?).
That would make too much sense it seems. I know you're thinking "surely someone has thought this through." Unfortunately email standards were developed before the Internet became popular and before there was any motive to deceive. Even more unfortunate is that no one can agree on a replacement set of standards to defeat deception .. or at least make it uneconomical. :(
stan_qaz
Omniscient Kiwi
Location: Gilbert, Arizona
Posts: 8671
Joined: Fri Jul 25, 2008 5:13 am

Re: Status is always "blacklisted"

Tue Oct 28, 2008 1:18 pm

ChickNew wrote: I would like to know how you determine which email addresses are forged...and which ones are not forged.
The best way is to submit your spam to spamcop.net using the tool built into MW. Once spamcop.net has your spam it does an intensive scan of the header data against your mail server's configuration (see mailhosts there) to validate as much of the header as possible (usually just the last couple servers) and traces backwards from there looking for servers with known problems (open relay, insecure web forms and the like) and tags any other data in the header as suspect. The sending address at that point is known to be forged.

This is a spamcop parse of a spam message, edited to hide my info and the injection point marked for you.
Parsing header:
0: Received: from unknown (HELO mx4.xxxxxx.com) (192.168.1.193) by 192.168.1.11 with SMTP; 23 Oct 2008 14:19:26 -0000
Internal handoff or trivial forgery

1: Received: from 201-251-127-107.static.speedy.com.ar (201-251-127-107.static.speedy.com.ar [201.251.127.107]) by mx4.xxxxxx.com (Postfix) with ESMTP id 3140F10AC554 for <x>; Thu, 23 Oct 2008 09:18:55 -0500 (CDT)
Hostname verified: 201-251-127-107.static.speedy.com.ar
xxxxxx.com received mail from sending system 201.251.127.107

2: Received: from [201.251.127.107] by mx.e.telefonica.net; Thu, 23 Oct 2008 11:18:55 -0300
Hostname verified: 201-251-127-107.static.speedy.com.ar
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust anything beyond this header
Tracking message source: 201.251.127.107:
Routing details for 201.251.127.107
[refresh/show] Cached whois for 201.251.127.107 : tasamail@telefonica.com.ar
De-referencing tasamail@telefonica.com.ar
abuse net telefonica.com.ar = abuse.backbone@telefonica-wholesale.com, propiedad.industrial@telefonica.es, tasamail@telefonica.com.ar, postmaster@telefonica.com.ar
Using best contacts abuse.backbone@telefonica-wholesale.com propiedad.industrial@telefonica.es tasamail@telefonica.com.ar postmaster@telefonica.com.ar
tasamail@telefonica.com.ar redirects to telefonica.com.ar@abuse.net
De-referencing tasamail@telefonica.com.ar
abuse net telefonica.com.ar = abuse.backbone@telefonica-wholesale.com, propiedad.industrial@telefonica.es, tasamail@telefonica.com.ar, postmaster@telefonica.com.ar
tasamail@telefonica.com.ar redirects to telefonica.com.ar@abuse.net
De-referencing tasamail@telefonica.com.ar
abuse net telefonica.com.ar = abuse.backbone@telefonica-wholesale.com, propiedad.industrial@telefonica.es, tasamail@telefonica.com.ar, postmaster@telefonica.com.ar
tasamail@telefonica.com.ar redirects to telefonica.com.ar@abuse.net
Sorry, this email is too old to file a spam report. You must report spam within 2 days of receipt. This mail was received on Thu, 23 Oct 2008 09:18:55 -0500
Message is 4.4 days old
201.251.127.107 not listed in dnsbl.njabl.org
201.251.127.107 not listed in dnsbl.njabl.org
201.251.127.107 listed in cbl.abuseat.org ( 127.0.0.2 )
201.251.127.107 is an open proxy <------------------------------------------------------ forgery injection point
201.251.127.107 not listed in accredit.habeas.com
201.251.127.107 not listed in plus.bondedsender.org
201.251.127.107 not listed in iadb.isipp.com
Finding links in message body
Parsing text part
Resolving link obfuscation
http://trans-us.com
Host trans-us.com (checking ip) = 217.107.34.89
host 217.107.34.89 = server10.jino.ru (cached)
Host trans-us.com (checking ip) = 217.107.34.89
host 217.107.34.89 = server10.jino.ru (cached)
Tracking link: http://trans-us.com/
[report history]
ISP does not wish to receive report regarding http://trans-us.com/
Resolves to 217.107.34.89
Routing details for 217.107.34.89
Using smaller IP block (/ 24 vs. / 15 )
Removing 2 larger (> / 24 ) route(s) from cache
[refresh/show] Cached whois for 217.107.34.89 : info@avguro.com
Using abuse net on info@avguro.com
No abuse net record for avguro.com
Using default postmaster contacts postmaster@avguro.com
ISP does not wish to receive reports regarding http://trans-us.com/ - no date available
Finding IP block owner:
Routing details for 201.251.127.107
[refresh/show] Cached whois for 201.251.127.107 : tasamail@telefonica.com.ar
De-referencing tasamail@telefonica.com.ar
abuse net telefonica.com.ar = abuse.backbone@telefonica-wholesale.com, propiedad.industrial@telefonica.es, tasamail@telefonica.com.ar, postmaster@telefonica.com.ar
Using best contacts abuse.backbone@telefonica-wholesale.com propiedad.industrial@telefonica.es tasamail@telefonica.com.ar postmaster@telefonica.com.ar
tasamail@telefonica.com.ar redirects to telefonica.com.ar@abuse.net
De-referencing tasamail@telefonica.com.ar
abuse net telefonica.com.ar = abuse.backbone@telefonica-wholesale.com, propiedad.industrial@telefonica.es, tasamail@telefonica.com.ar, postmaster@telefonica.com.ar
tasamail@telefonica.com.ar redirects to telefonica.com.ar@abuse.net
De-referencing tasamail@telefonica.com.ar
abuse net telefonica.com.ar = abuse.backbone@telefonica-wholesale.com, propiedad.industrial@telefonica.es, tasamail@telefonica.com.ar, postmaster@telefonica.com.ar
tasamail@telefonica.com.ar redirects to telefonica.com.ar@abuse.net
Reports regarding this spam have already been sent:
Re: 201.251.127.107 (Administrator of network where email originates)
Reportid: xxxxxxxxx To: postmaster@telefonica.com.ar
Reportid: xxxxxxxxx To: propiedad.industrial@telefonica.es
Reportid: xxxxxxxxx To: abuse.backbone@telefonica-wholesale.com
If reported today, reports would be sent to:

Re: 201.251.127.107 (Administrator of IP block - statistics only)

postmaster@telefonica.com.ar
propiedad.industrial@telefonica.es
abuse.backbone@telefonica-wholesale.com
ChickNew wrote: Thank you for that useful information. I clearly did not understand the circuitous route of bounced emails and also the wasted energy blacklisting forged email sender addresses (can legitimate return addresses be found in the header portions of the email...somewhere?).

Chick
You can pretty much trust anything in the mail header set by your mail server, once you are past that point you are relying on the truthfulness of the server you are looking at, in the case above the open proxy is allowing anyone to send anything with any header info ahead of its line.

You can play with this by doing a telnet to your mail server on port 25 and typing in any header info you would like to have appear in the message and sending it to your account. Sending it to anyone else is a bad idea and may get your account closed for abuse.
I am not a Firetrust employee just a MW user.
--
First rule of computer consulting: Sell a customer a Linux computer and you'll eat for a day,
sell a customer a Windows computer and you'll eat for a lifetime.
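The two ideas in this thread, trust only the Received: lines written by your own servers (spamcop's "mailhosts") and look for a break in the relay chain past that point, can be automated. The following is an added example, not code from MailWasher, spamcop or any poster; it walks the three Received: lines quoted in Stan's parse above (constructed here as a list, with the thread's own redactions left in), assumes that `mx4.xxxxxx.com` and `192.168.1.11` are the reader's own mailhosts, and reports the injection point and the first discontinuous hop.

```python
import re

# Constructed sample: the three Received: values from the spamcop parse quoted
# in the thread, most recent hop first. "xxxxxx.com" and the 192.168.x.x
# addresses are the thread's own redactions.
SAMPLE_RECEIVED = [
    "from unknown (HELO mx4.xxxxxx.com) (192.168.1.193) by 192.168.1.11 with SMTP; 23 Oct 2008 14:19:26 -0000",
    "from 201-251-127-107.static.speedy.com.ar (201-251-127-107.static.speedy.com.ar [201.251.127.107]) "
    "by mx4.xxxxxx.com (Postfix) with ESMTP id 3140F10AC554 for <x>; Thu, 23 Oct 2008 09:18:55 -0500 (CDT)",
    "from [201.251.127.107] by mx.e.telefonica.net; Thu, 23 Oct 2008 11:18:55 -0300",
]

# Hosts you control, the equivalent of spamcop's "mailhosts". Assumption for
# this example: the redacted relay and its internal hop are yours.
MY_MAILHOSTS = {"192.168.1.11", "mx4.xxxxxx.com"}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(line):
    """Split one Received: value into the sender identities the receiving MTA
    recorded (hostname and/or IP) and the host that wrote the line ("by")."""
    m = re.match(r"\s*from\s+(.*?)\s+by\s+(\S+)", line, re.I | re.S)
    if not m:
        return None
    from_part, by_host = m.group(1), m.group(2).rstrip(";,")
    names = set()
    first = from_part.split()[0].strip("[]")  # name or bracketed IP right after "from"
    if first.lower() != "unknown":
        names.add(first)
    ips = IPV4_RE.findall(from_part)          # IPs the receiver itself saw
    names.update(ips)
    # The HELO string is client-supplied and is deliberately not used for the
    # continuity check; only what the receiving MTA observed counts.
    return {"from_names": names, "from_ip": ips[0] if ips else None, "by": by_host}


def trace_chain(received, mailhosts):
    """Walk the chain top-down. Lines written by your own servers are trusted,
    and the sending IP recorded by the last trusted line is the injection
    point. Every later line was written by a host you do not control, so it
    is only checked for continuity: its "by" host should be the sender the
    previous line recorded. A mismatch is Ikeb's "discontinuous relay chain"."""
    mh = {h.lower() for h in mailhosts}
    hops = [parse_received(r) for r in received]
    verdicts, injection_ip, trusted = [], None, True
    for i, hop in enumerate(hops):
        if hop is None:
            verdicts.append("unparseable: cannot trust this or any later line")
            trusted = False
            continue
        if trusted and hop["by"].lower() in mh:
            verdicts.append("trusted: written by our own server")
            injection_ip = hop["from_ip"] or injection_ip
            continue
        trusted = False
        prev = hops[i - 1] if i else None
        prev_names = {n.lower() for n in prev["from_names"]} if prev else set()
        if hop["by"].lower() in prev_names:
            verdicts.append("unverified: continuous with previous hop, but written by a foreign host")
        else:
            verdicts.append("discontinuous: receiving host does not match previous hop's sender, possible forgery")
    first_untrusted = next((i for i, v in enumerate(verdicts) if not v.startswith("trusted")), None)
    return {"injection_ip": injection_ip, "first_untrusted": first_untrusted, "verdicts": verdicts}


if __name__ == "__main__":
    result = trace_chain(SAMPLE_RECEIVED, MY_MAILHOSTS)
    for i, verdict in enumerate(result["verdicts"]):
        print(f"{i}: {verdict}")
    print("injection point:", result["injection_ip"])
    print("first untrusted line:", result["first_untrusted"])
```

On the sample the first two lines are trusted, the injection point comes out as 201.251.127.107 (the open proxy spamcop flagged), and line 2 is reported as discontinuous because `mx.e.telefonica.net` is not the sender your own relay recorded. Everything past that line, the From: address included, is data the proxy's client typed in and cannot be verified from the header alone; that is why blacklisting the sender address of such a message gains you nothing.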
