Here's an excerpt from the barrage that just landed in my mailbox as a listadmin for balug-announce:
---<begin>---
jprewitt@macromedia.com host macromedia-com.mail.protection.outlook.com [104.47.73.10] SMTP error from remote mail server after RCPT TO:jprewitt@macromedia.com: 550 5.4.1 Recipient address rejected: Access denied. AS(201806281) [DM6NAM04FT038.eop-NAM04.prod.protection.outlook.com]
smclean@baynetworks.com host baynetworks-com.mail.protection.outlook.com [104.47.58.138] SMTP error from remote mail server after RCPT TO:smclean@baynetworks.com: 550 5.4.1 Recipient address rejected: Access denied. AS(201806281) [BN8NAM11FT019.eop-nam11.prod.protection.outlook.com]
david.thomas@novell.com host smtp.ext.microfocus.com [15.124.64.97] SMTP error from remote mail server after initial connection: 554 IP address 96.86.170.229 rejected [IP reputation fail]
atiq@novell.com host smtp.ext.microfocus.com [15.124.64.97] SMTP error from remote mail server after initial connection: 554 IP address 96.86.170.229 rejected [IP reputation fail]
pozar@lns.com host lns.com [107.161.208.1] SMTP error from remote mail server after RCPT TO:pozar@lns.com: 554 5.7.1 Service unavailable; Client host [96.86.170.229] blocked using b.barracudacentral.org; http://www.barracudanetworks.com/reputation/?pr=1&ip=96.86.170.229
rainer.brendle@sap.com host sap-com.mail.protection.outlook.com [104.47.9.36] SMTP error from remote mail server after RCPT TO:rainer.brendle@sap.com: 550 5.4.1 Recipient address rejected: Access denied. AS(201806281) [VE1EUR03FT040.eop-EUR03.prod.protection.outlook.com]
juergen.schmerder@sap.com host sap-com.mail.protection.outlook.com [104.47.9.36] SMTP error from remote mail server after RCPT TO:juergen.schmerder@sap.com: 550 5.4.1 Recipient address rejected: Access denied. AS(201806281) [VE1EUR03FT040.eop-EUR03.prod.protection.outlook.com]
mike1martin654@hotmail.com host hotmail-com.olc.protection.outlook.com [104.47.51.33] SMTP error from remote mail server after RCPT TO:mike1martin654@hotmail.com: 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). [BN1NAM02FT017.eop-nam02.prod.protection.outlook.com]
danthonyallen@hotmail.com host hotmail-com.olc.protection.outlook.com [104.47.51.33] SMTP error from remote mail server after RCPT TO:danthonyallen@hotmail.com: 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). [BN1NAM02FT017.eop-nam02.prod.protection.outlook.com]
marie_burnett@hotmail.com host hotmail-com.olc.protection.outlook.com [104.47.51.33] SMTP error from remote mail server after RCPT TO:marie_burnett@hotmail.com: 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). [BN1NAM02FT017.eop-nam02.prod.protection.outlook.com]
siva_s@hotmail.com host hotmail-com.olc.protection.outlook.com [104.47.51.33] SMTP error from remote mail server after RCPT TO:siva_s@hotmail.com: 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302).
nikki@mindsource.com host mindsource-com.mail.protection.outlook.com [104.47.66.10] SMTP error from remote mail server after RCPT TO:nikki@mindsource.com: 550 5.4.1 Recipient address rejected: Access denied. AS(201806281) [MW2NAM12FT010.eop-nam12.prod.protection.outlook.com]
aidangcole@btinternet.com host mx.lb.btinternet.com [213.120.69.92] SMTP error from remote mail server after pipelined MAIL FROM:balug-announce-bounces@lists.balug.org SIZE=8949: 522-email sent from 96.86.170.229 found on industry IP blacklists (Spamhaus/Invaluement/ReturnPath) on 2022/07/19 18:45:36 BST. 522 To protect our customers, we use leading industry providers of blacklists to ensure only good senders can send email to us. If believe this is a mistake, please contact them directly as there is nothing our Postmaster will be able to do.
warren@delsci.com host delsci-com.mail.protection.outlook.com [104.47.13.36] SMTP error from remote mail server after RCPT TO:warren@delsci.com: 550 5.4.1 Recipient address rejected: Access denied. AS(201806281) [HE1EUR04FT021.eop-eur04.prod.protection.outlook.com]
---<end>---
Looks like we have some sort of serious problem that has badly injured the spam reputation of BALUG MTA IP 96.86.170.229.
Just taking a wild guess, I checked Mailman version. The host is running Mailman 2.1.29. If possible, this should be upgraded to 2.1.39 as a priority task, IMO. At some point in versions over the last decade, Mark Sapiro and the other Mailman coders figured out that spammers had figured out how to game Mailman's WebUI subscription forms to sign up arbitrary addresses to a mailing list without 3-way handshake -- and added some sort of hash or something (I have only a vague recollection of the fix) to the signup process, blocking that attack mode. Point is, 2.1.29 _may well_ be one of the old, vulnerable releases.
Even though I have listadmin credentials for balug-*@lists.balug.org, I'll admit that I've gratefully been able to not bother using them in a long time. For years, I've just gotten notices of a lot of held-in-queue spam, and just ignored it in the knowledge that it would age out and get deleted. But in consequence, e.g., I've not looked at the membership rosters in a long time.
So, just now for the first time in years, I used listadmin credentials and am looking at balug-admin's roster. I paged directly to "s" to see if the vandals had robo-subscribed a bunch of "support@[domain]" helpdesk addresses via the aforementioned Web vulnerability -- and, no, they didn't. Likewise, no help*@[domain] or info@[domain].
_However_, I see some subscriptions like these with just a given name:
Bill info@415digital.com
ilsa ilsa@cryptofreaks.tk
Chris chrismichele91@hotmail.com
Robert ciscomadman@gmail.com
Bud dustyz16@yahoo.com
jack eggshell_bill@hotmail.com
eli eknizley@gmail.com
max enriquethepirate@comcast.net
Farbod farbod.ghiasi@gmail.com
Faraz fffaraz@gmail.com
Sometimes, this is just a real subscriber's preferred way of stating his/her name. I've found, though, it is very often a sign of scripted forged signups, especially where the domain is a free webmail provider.
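The given-name-plus-free-webmail heuristic above, as an added triage script that is not part of the original post: it parses the roster lines quoted above (used as sample input) and flags the entries matching the heuristic. The list of free webmail domains is an assumption and deliberately short; a hit is a reason to look closer, not proof of a forged signup.

```python
# Roster lines as quoted in the post, used here as constructed sample input.
ROSTER = """\
Bill info@415digital.com
ilsa ilsa@cryptofreaks.tk
Chris chrismichele91@hotmail.com
Robert ciscomadman@gmail.com
Bud dustyz16@yahoo.com
jack eggshell_bill@hotmail.com
eli eknizley@gmail.com
max enriquethepirate@comcast.net
Farbod farbod.ghiasi@gmail.com
Faraz fffaraz@gmail.com
"""

# Assumed set of free webmail providers; extend to taste.
FREEMAIL_DOMAINS = {"hotmail.com", "gmail.com", "yahoo.com"}


def parse_roster(text):
    """Split 'Real Name address' lines into (name, address) pairs.
    The address is the last whitespace-separated token; everything before
    it is the display name, which may itself contain spaces."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, addr = line.rpartition(" ")
        entries.append((name.strip(), addr.lower()))
    return entries


def looks_scripted(name, addr):
    """The post's heuristic: a bare given name (a single token, no surname)
    combined with a free webmail domain."""
    single_token = len(name.split()) == 1
    domain = addr.rsplit("@", 1)[-1]
    return single_token and domain in FREEMAIL_DOMAINS


def flag_roster(text):
    """Return the addresses worth a second look, in roster order."""
    return [addr for name, addr in parse_roster(text) if looks_scripted(name, addr)]


if __name__ == "__main__":
    for addr in flag_roster(ROSTER):
        print(addr)
```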
Let's check the DNSBLs for IP 96.86.170.229, to see who doesn't like it, and roughly why:
http://linuxmafia.com/kb/Mail/ lists the four multi-dnsbl sites:
http://www.dnsbl.info/
http://multirbl.valli.org/
https://mxtoolbox.com/blacklists.aspx
https://whatismyipaddress.com/blacklist-check
1. www.dnsbl.info shows listings at:
a) all.s5h.net
$ dig 229.170.86.96.all.s5h.net +short
127.0.0.2
$ dig -t txt 229.170.86.96.all.s5h.net +short
"See http://s5h.net/rbl"
$
Web site doesn't elaborate.
b) b.barracudacentral.org
$ dig 229.170.86.96.b.barracudacentral.org +short
127.0.0.2
$ dig -t txt 229.170.86.96.b.barracudacentral.org +short
"http://www.barracudanetworks.com/reputation/?pr=1&ip=96.86.170.229"
$
Web site provides no real further detail; just says the IP's reputation is "poor".
c) dnsbl-1.uceprotect.net
$ dig 229.170.86.96.dnsbl-1.uceprotect.net +short
127.0.0.2
$ dig -t txt 229.170.86.96.dnsbl-1.uceprotect.net +short
"IP 96.86.170.229 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=96.86.170.229"
$
Web site elaborates:
Status: Listed
Impacts: 3
Last Impact: 19.07.2022 21:53 CEST +/- 1min
Earliest Expiretime: 26.07.2022 23:00 CEST
d) spam.dnsbl.sorbs.net
$ dig 229.170.86.96.spam.dnsbl.sorbs.net +short
127.0.0.6
$ dig -t txt 229.170.86.96.spam.dnsbl.sorbs.net +short
"Spam Received See: http://www.sorbs.net/lookup.shtml?96.86.170.229"
$
Web site elaborates:
Problem Entries (listings will cause email problems.)
4 "Spam" entries [04:30:02 24 Apr 2021 GMT-04].
96.86.170.229 - 4 entries [04:30:02 24 Apr 2021 GMT-04].
[RM: This is shown as an _active_ listing.]

Problem hostnames/domains (could cause email problems.)
2 "Spamvertised" entries [04:30:02 24 Apr 2021 GMT-04].
[RM: This is shown as an _inactive_ (historical) listing.]
Further detail via the Web site, after logging in:
Description: Spam Received from this host
Record Created: 04:30:02 24 Apr 2021 GMT-04
Message ID (munged): 590**************************9$@******org
Additional Information: No Info
Currently active and flagged to be published in DNS
The following hostname is found within this spam. j.mp
Hostname has been marked as hosting a spamvertised website/URL.

Description: Spam Received from this host
Record Created: 04:30:01 24 Apr 2021 GMT-04
Message ID (munged): 590**************************9$@******org
Additional Information: No Info
Currently active and flagged to be published in DNS
The following hostname is found within this spam. j.mp
Hostname has been marked as hosting a spamvertised website/URL.

Description: Spam Received from this host
Record Created: 04:49:44 16 Apr 2021 GMT-04
Message ID (munged): C6C*******************************0D@******org
Additional Information: No Info
Currently active and flagged to be published in DNS

Description: Spam Received from this host
Record Created: 17:07:50 12 Apr 2021 GMT-04
Message ID (munged): 6.8***********************.5@******org
Additional Information: No Info
Currently active and flagged to be published in DNS
2. multirbl.valli.org, test="DNSBL lookups", shows listings as (uh-oh, 11 blacklistings):
a) Barracuda Reputation Block List, b.barracudacentral.org
b) Barracuda Reputation Block List (for SpamAssassin), bb.barracudacentral.org
RM: I'll assume those already covered.
c) Brukalai.lt DNSBL black, black.dnsbl.brukalai.lt
Query: 229.170.86.96.black.dnsbl.brukalai.lt
A Record: 127.0.0.2
TTL: 3600
TXT: IP 96.86.170.229 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=96.86.170.229
RM: already covered.
d) invaluement DNSBL ivmSIP, [hidden FQDN]
Query: (hidden)
A Record: 127.0.0.2
TTL: 30
TXT: Blocked by ivmSIP and/or ivmSIP/24 - see https://www.invaluement.com/lookup/?item=96.86.170.229
RM: Web site doesn't elaborate.
e) invaluement DNSBL ivmSIP-SIP24, [hidden FQDN]
[same as prior]
f) Polspam BL-H1, bl-h1.rbl.polspam.pl
Query: 229.170.86.96.bl-h1.rbl.polspam.pl
A Record: 127.0.2.1
TTL: 300
TXT: IP 96.86.170.229 listed! [BL-H1] BEFORE you send SPAM,please read:District Court Warsaw sign.IC3136/17:justification of the judgment:Even a single SPAM message causes violation of personal rights.
g) RFC-Clueless (RFC²) Metalist RBL, fulldom.rfc-clueless.org
Query: balug.org.fulldom.rfc-clueless.org
A Record: 127.0.0.1
TTL: 4800
Detail is given in:
h) RFC-Clueless (RFC²) postmaster RBL, postmaster.rfc-clueless.org
Query: balug.org.postmaster.rfc-clueless.org
A Record: 127.0.0.3
TTL: 4800
RM: So, that's an easily fixed own-goal. The RBL claims lists.balug.org fails to accept mail addressed to postmaster@, which, along with abuse@, is RFC-mandated. This should be fixed immediately, please.
i) s5h.net RBL, all.s5h.net RM: skipping detail, already covered.
j) SORBS Spamhost (any time), spam.dnsbl.sorbs.net RM: skipping detail, already covered.
k) UCEPROTECT Level 1, dnsbl-1.uceprotect.net RM: skipping detail, already covered.
3 & 4: You know what? I'm going to skip mxtoolbox.com/blacklists.aspx and whatismyipaddress.com/blacklist-check, because in my experience multirbl.valli.org tells you all you need to know.
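The dig lookups above, done as an added Python script that is not part of the original post: it reverses the IPv4 octets and appends each DNSBL zone exactly as the dig commands do, reads the A record, and separates genuine listings (answers inside 127.0.0.0/8) from anomalous answers that indicate a broken or wildcarded zone. The zone list is the four zones queried above; the lookup function is injectable so the script can be exercised offline.

```python
import ipaddress
import socket

# DNSBL zones the post queries by hand with dig.
DNSBLS = [
    "all.s5h.net",
    "b.barracudacentral.org",
    "dnsbl-1.uceprotect.net",
    "spam.dnsbl.sorbs.net",
]


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 96.86.170.229 + all.s5h.net
    becomes 229.170.86.96.all.s5h.net, as in the dig commands above."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolve_a(name):
    """Live A lookup; NXDOMAIN (not listed) comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbls(ip, zones=DNSBLS, lookup=resolve_a):
    """Return (listings, anomalies): listings maps zone -> return code for
    every zone that lists ip; anomalies holds answers outside 127.0.0.0/8,
    which a DNSBL never uses for a listing and which usually mean the zone
    is dead or wildcarded (or a resolver is rewriting NXDOMAIN)."""
    listings, anomalies = {}, {}
    for zone in zones:
        answer = lookup(dnsbl_query_name(ip, zone))
        if answer is None:
            continue
        if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            listings[zone] = answer
        else:
            anomalies[zone] = answer
    return listings, anomalies


if __name__ == "__main__":
    # The MTA IP the post is diagnosing; this does live DNS lookups.
    listed, odd = check_dnsbls("96.86.170.229")
    for zone, code in listed.items():
        print(f"{zone}: listed ({code})")
    for zone, code in odd.items():
        print(f"{zone}: unexpected answer {code}")
```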
Anyway, you and I should talk about this, at dinner.
Oh, yeah, just remembered the other thing I was going to say:
Just taking a wild guess, I checked Mailman version. The host is running Mailman 2.1.29. If possible, this should be upgraded to 2.1.39 as a priority task, IMO.
Additional really good reason: Recent versions of Mailman allow enabling an effective mitigation method, per-list, for sending domains with strongly asserted DMARC policies. Currently, we cannot do that.
Also: Let's consider disabling monthly "password reminder" mail-outs for all subscribers on all mailing lists. That feature has on balance caused nothing but trouble, including genuine subscribers reporting the reminder mails as UCE to the DNSBLs. Any subscriber who wants his/her password mailed back would still be able to request it.
Another thing I noticed: All four BALUG-* lists have the listadmin e-mail address set to balug-admin-owner@lists.balug.org, rather than directly to more than one individual's real mailbox.
I've talked before about the several reasons listing a redirector (either a Mailman list, or some sort of /etc/aliases-type reflector) as the publicly advertised listadmin contact address is a really bad idea.
(a) There's no transparency. It is better to be able to publicly see who/where listadmin mail goes.
(b) /etc/aliases-type reflectors are problematic in the era of SMTP forgery.
(c) Also, when the end-address is undeliverable, the error-reporting tends to go nowhere.
I believe I'd already urged, in the past, subbing in listadmins' real e-mail addresses, for all balug-* mailing lists. I'm now repeating.
Like many other forms of indirect references, it feels clever and flexible when you do it, but comes back to bite you over time.