SORBS blocking mail server: 67.15.36.4
Hostony Board > General Support > Mail
CoolNewMedia
Sent an email to my client's address: info@brentwoodbluff.com
The email bounced back with the following error:

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error.
553 sorry, your mailserver [67.15.36.4] is rejected by See http://www.dnsbl.us.sorbs.net/

I ran the IP through the SORBS database and it comes up as BLOCKED. See the following...
- - -
Database of servers sending to spamtrap addresses

Address: 67.15.36.4
Record Created: Sun Nov 7 23:50:18 2004 GMT
Record Updated: Wed Nov 10 10:20:52 2004 GMT
Additional Information: Received: from server21.fastbighost.com (server21.fastbighost.com [67.15.36.4]) by mailhub1.uq.edu.au (8.12.11/8.12.11) with ESMTP id iA6AeTtn081373 for <[email]>; Sat, 06 Nov 2004 20:40:29 +1000 (EST)
Currently active and flagged to be published in DNS
If you wish to request a delisting please do so through the Support System.

Is this related to the SpamCop blocking or do we have a new issue here?
Thanks.
JasonJones
Absolutely related...

I used to think RBLs were the answer to all my spam problems, and they did work quite nicely to keep email from ever even hitting SpamAssassin on my mail servers. This was great for my personal and small-site use. When you are dealing with tens of thousands of emails a day, from everywhere in the world, RBLs fail, BADLY. Open relay RBLs are great: refusing email from an "open relay" only helps to solidify security around the internet; as admins are blocked they close their mail servers from being open relays, and it helps to cut down some spam.

RBLs would also be OK if they didn't try and share info into different types of systems/setups. So my guess is that SORBS ######ed up the SpamCop database, or the other way around, and once SpamCop removed it, now it needs to be removed from SORBS as well... Pretty stupid system if you ask me. Any system that can be tricked into blocking by simply "submitting" an IP is useless.

So, to answer your question whilst I get off my soapbox: yes, it's related to SpamCop's block, and we need to have it removed from SORBS as well...

Jason
JasonJones
I'd like to add... This is from SORBS' site...

Spam Database

Delisting: if the netblock is expanded, delisting is only performed when the spammer is no longer using the address space, in which case the netblock will be reduced down to the affected IPs free of charge. The affected IPs (the ones used to send the spam) will only be delisted when US$50 is donated to a SORBS nominated charity or good cause. The charities and good causes SORBS approves will not have any connection with any member of the SORBS administrators, either past or present.


Yeah, OK, so to delist your IP you gotta make a donation... sounds like extortion... Bah

They do say they will delist if the netblock owner emails them. Alec?

Jason
Alexandre
This record will expire soon.

Records at Level 3 expire after 7 days.

The server will be unlisted in a few days.

Thank you.
MartinB
Jason, I know you are using SpamAssassin..... Q: does it really work? Do you recommend it to me?
I'm needing a server-side spam blocker but... I am worried about losing some mail if I use SpamAssassin... any recommendation?

thanks!
JasonJones
MB, yes... SpamAssassin works if you configure it correctly. Here is what to do to fine-tune the filters...

Enable it in cPanel.
Edit (by hand) the user_prefs file in the .spamassassin folder and remove the lines:

rewrite_subject
subject_tag

Add this line:
rewrite_header Subject *****SPAM SCORE: _SCORE_*****

Now set the score to 10. Watch all your email for a few days (less if you get a LOT of spam like I do [60+ pcs a day]). You'll see that there are some common flags that get tripped for spam. You can find the flags in the headers of the email; they will be ALL_CAPS. Start adding those to your user_prefs file like:

score NIGERIAN_BODY1 10.0

etc... so in the email headers you will see it listed as NIGERIAN_BODY1, OFFSHORE_SCAM, etc.
So you add them into your prefs file one per line. Use higher scores for things you KNOW are spam, like GAPPY_SUBJECT, DRUGS_ERECTILE etc. Score the ones that are not immediate spam, but sure could be, like NO_REAL_NAME, BIZ_TLD etc., a bit lower, like 2.0 or 4.0... You will then start to see your spam getting tagged as such (by the subject line) and you can fine-tune it from there... lower scores, raise scores, etc.

Right now, I'm still getting 60+ emails a day to ONE address that I've had since 1995 (hence the number of lists it's been distributed to), but they are all marked as spam. Since I've been filtering with my current ruleset I've yet to tag one email that wasn't a true spam message, and only 4 have gotten past the filter; that's probably close to 10,000 spam messages. The 4 that got past were VERY skillfully crafted: they looked and were formatted like regular emails, sent from valid email clients and IPs, and didn't have any HTML or the common triggers. So yes, they were spam, but they scored between 4 and 8, so they were under the cutoff of 10.

When I look at my "legit" email from people, it usually scores between 0-4 depending on what settings they use (HTML email etc.)... I also whitelist people and domains I know I don't get spam from.

If you like I can send you a list of the scores I use and their values... If you need more help, just let me know.

I also forward all email that is tagged by SpamAssassin to an email address "spam@myhost.com" and let it gather up there for a few days at a time. I download it all and browse over it "just in case", but it never has any legit emails in there anymore...

Jason
JasonJones
Some example headers...

A good email from a friend, score 3.3:
CODE
Return-path: <mXXXXX@XXXX.com>
Envelope-to: penn@XXXX.net
Delivery-date: Wed, 10 Nov 2004 12:41:28 +0000
Received: from XXXXX by server25.fastbighost.com with local-bsmtp (Exim 4.42)
    id 1CRXXXXXXXWW-AL
    for penn@XXXX.net; Wed, 10 Nov 2004 12:41:27 +0000
Received: from [64.XX.XX.XX] (helo=wproxy.XXXXX.com)
    by server25.fastbighost.com with esmtp (Exim 4.42)
    id 1CRrXXXXXXn-RL
    for penn@XXXX.net; Wed, 10 Nov 2004 12:41:24 +0000
Received: by wproxy.XXXX.com with SMTP id 65sXXXXX3wri
       for <penn@XXXX.net>; Wed, 10 Nov 2004 04:43:20 -0800 (PST)
Received: by 10.XX.XX.XX with SMTP id c7XXXXX577wra;
       Wed, 10 Nov 2004 04:43:19 -0800 (PST)
Received: by 10.XX.XX.XX with HTTP; Wed, 10 Nov 2004 04:43:19 -0800 (PST)
Message-ID: <ed73XXXXXXXXXXXXXba9b9c1@mail.XXXXX.com>
Date: Wed, 10 Nov 2004 07:43:19 -0500
From: MXXXX FXXXX <mXXXXX@XXXX.com>
Reply-To: MXXXX FXXXX <mXXXX@XXXX.com>
To: "penn@XXXX.net" <penn@XXXX.net>
Subject: Re: For Wifi Keychain
In-Reply-To: <000d01XXXXXX890$3301a8c0@XXXXXX>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
References: <XXXXXX23460@XXXXX.com>
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on
    server25.fastbighost.com
X-Spam-Level: ***
X-Spam-Status: No, score=3.3 required=10.0 tests=AWL,RCVD_BY_IP,
    TO_ADDRESS_EQ_REAL,URIBL_WS_SURBL autolearn=no version=3.0.1


Random spam email, score 86!!!:
CODE
Return-path: <Looneyaitp@euroseek.net>
Envelope-to: penn@XXXX.net
Delivery-date: Tue, 09 Nov 2004 14:12:40 +0000
Received: from XXXX by server25.fastbighost.com with local-bsmtp (Exim 4.42)
    id 1CRWjd-00058D-7R
    for penn@XXXX.net; Tue, 09 Nov 2004 14:12:39 +0000
Received: from [24.10.9.109] (helo=c-24-10-9-109.client.comcast.net)
    by server25.fastbighost.com with smtp (Exim 4.42)
    id 1CRWjX-00056a-DL
    for penn@XXXX.net; Tue, 09 Nov 2004 14:12:36 +0000
Received: from 238.187.28.134 by 24.10.9.109; Tue, 09 Nov 2004 19:14:01 +0500
Message-ID: <XMWOKQTRLDFKPBMWKBPH@thedoctorspostoffice.com>
From: "Michel Montes" <Looneyaitp@euroseek.net>
Reply-To: "Michel Montes" <Looneyaitp@euroseek.net>
To: penn@XXXX.net
Subject: *****SPAM SCORE: 86.4***** Don't miss this! Live and Work in the USA!
Date: Tue, 09 Nov 2004 19:13:01 +0500
X-Mailer: QUALCOMM Windows Eudora Version 5.1
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="--1-018794432-8521696775=:72682"
X-Priority: 5
X-MSMail-Priority: Low
X-Spam-Prev-Subject: Don't miss this! Live and Work in the USA!
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on
    server25.fastbighost.com
X-Spam-Level: **************************************************
X-Spam-Status: Yes, score=86.4 required=10.0 tests=FORGED_MUA_EUDORA,
    FORGED_QUALCOMM_TAGS,HELO_DYNAMIC_IPADDR,HTML_40_50,
    HTML_IMAGE_ONLY_04,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,
    HTML_SHORT_CENTER,LONGWORDS,MANY_EXCLAMATIONS,MIME_HTML_ONLY,
    MIME_HTML_ONLY_MULTI,MISSING_MIMEOLE,MPART_ALT_DIFF,MSGID_SPAM_CAPS,
    RCVD_BY_IP,RCVD_DOUBLE_IP_SPAM,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,
    RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_XBL,URIBL_OB_SURBL,
    URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=spam version=3.0.1
X-Spam-Report:
    *  2.8 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1)
    *  3.2 MSGID_SPAM_CAPS Spam tool Message-Id: (caps variant)
    *  0.0 RCVD_BY_IP Received by mail server with no name
    *  4.0 HTML_40_50 BODY: Message is 40% to 50% HTML
    *  0.5 HTML_MESSAGE BODY: HTML included in message
    *  1.5 MPART_ALT_DIFF BODY: HTML and text parts are different
    *  1.2 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
    *  9.0 HTML_IMAGE_ONLY_04 BODY: HTML: images with 0-400 bytes of words
    *   10 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address
    *      [24.10.9.109 listed in dnsbl.sorbs.net]
    *   10 RCVD_IN_DSBL RBL: Received via a relay in list.dsbl.org
    *      [<http://dsbl.org/listing?ip=24.10.9.109>]
    *   10 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
    *      [Blocked - see <http://www.spamcop.net/bl.shtml?24.10.9.109>]
    *   10 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
    *      [24.10.9.109 listed in sbl-xbl.spamhaus.org]
    *   10 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
    *      [24.10.9.109 listed in combined.njabl.org]
    *  0.6 URIBL_SBL Contains an URL listed in the SBL blocklist
    *      [URIs: usa-vista.com]
    *  0.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
    *      [URIs: usa-vista.com]
    *  2.0 URIBL_OB_SURBL Contains an URL listed in the OB SURBL blocklist
    *      [URIs: usa-vista.com]
    *  3.9 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
    *      [URIs: usa-vista.com]
    *  0.4 HTML_SHORT_CENTER HTML is very short with CENTER tag
    *  4.1 RCVD_DOUBLE_IP_SPAM Bulk email fingerprint (double IP) found
    *  0.1 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
    *  0.2 FORGED_QUALCOMM_TAGS QUALCOMM mailers can't send HTML in this format
    *  0.0 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts
    *  0.0 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
    *  2.3 LONGWORDS Long string of long words
    *  0.0 MANY_EXCLAMATIONS Subject has many exclamations
    *  0.1 FORGED_MUA_EUDORA Forged mail pretending to be from Eudora
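As an added example (not code from this thread), a small Python helper that unfolds headers like the two above, parses X-Spam-Status and X-Spam-Report, and shows how much of the score came from blocklist (RBL/URIBL) rules versus content rules; the embedded samples are constructed, abridged copies of the headers quoted in this post.

```python
import re

# Constructed samples, abridged from the two header blocks quoted above in this post.
HAM = ("X-Spam-Status: No, score=3.3 required=10.0 tests=AWL,RCVD_BY_IP,\n"
       "    TO_ADDRESS_EQ_REAL,URIBL_WS_SURBL autolearn=no version=3.0.1\n")
SPAM = ("X-Spam-Flag: YES\n"
        "X-Spam-Status: Yes, score=86.4 required=10.0 tests=FORGED_MUA_EUDORA,\n"
        "    HELO_DYNAMIC_IPADDR,RCVD_IN_SORBS_DUL,RCVD_IN_XBL autolearn=spam version=3.0.1\n"
        "X-Spam-Report:\n"
        "    *  2.8 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr 1)\n"
        "    *   10 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP address\n"
        "    *      [24.10.9.109 listed in dnsbl.sorbs.net]\n"
        "    *   10 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL\n"
        "    *  0.1 FORGED_MUA_EUDORA Forged mail pretending to be from Eudora\n")

STATUS_RE = re.compile(r"^(Yes|No),\s*score=(-?[\d.]+)\s+required=([\d.]+)"
                       r"\s+tests=(.*?)(?:\s+(?:autolearn|version)=|$)")
# Scored lines of X-Spam-Report look like "*  2.8 RULE_NAME ..."; the bracketed
# "[ip listed in ...]" sub-lines carry no score and are skipped by this pattern.
REPORT_RE = re.compile(r"\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z][A-Z0-9_]+)")

def unfold(raw):
    """Join folded header lines (continuations start with whitespace) into name -> value."""
    fields, name = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name:
            fields[name] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
    return fields

def is_rbl_rule(rule):
    """Rules whose evidence is a blocklist lookup: relay RBLs (RCVD_IN_*) or URI lists (URIBL_*)."""
    return rule.startswith("RCVD_IN_") or rule.startswith("URIBL_")

def triage(raw):
    """Parse X-Spam-Status/X-Spam-Report and say how much of the score blocklists contributed."""
    fields = unfold(raw)
    m = STATUS_RE.match(fields.get("X-Spam-Status", ""))
    if not m:
        raise ValueError("no parseable X-Spam-Status header")
    tests = [t.strip() for t in m.group(4).split(",") if t.strip()]
    report = [(float(s), r) for s, r in REPORT_RE.findall(fields.get("X-Spam-Report", ""))]
    score, required = float(m.group(2)), float(m.group(3))
    return {"flagged": m.group(1) == "Yes", "score": score, "required": required,
            "over_threshold": score >= required, "tests": tests,
            "rbl": [t for t in tests if is_rbl_rule(t)], "report": report,
            "rbl_score": sum(s for s, r in report if is_rbl_rule(r))}
```

Running triage on a mailbox of tagged messages is a quick way to see whether a listing such as the SORBS one above is carrying verdicts on its own, or whether content rules are doing the work.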
MartinB
Jason, thank you VERY MUCH, you really have put work into your post. I will bookmark it and test SpamAssassin in the near future.

thanks in advance