Here's an excerpt from the barrage that just landed in my mailbox as a listadmin for balug-announce: ---<begin>--- jprewitt@macromedia.com host macromedia-com.mail.protection.outlook.com [104.47.73.10] SMTP error from remote mail server after RCPT TO:<jprewitt@macromedia.com>: 550 5.4.1 Recipient address rejected: Access denied. AS(201806281) +[DM6NAM04FT038.eop-NAM04.prod.protection.outlook.com] smclean@baynetworks.com host baynetworks-com.mail.protection.outlook.com [104.47.58.138] SMTP error from remote mail server after RCPT TO:<smclean@baynetworks.com>: 550 5.4.1 Recipient address rejected: Access denied. AS(201806281) +[BN8NAM11FT019.eop-nam11.prod.protection.outlook.com] david.thomas@novell.com host smtp.ext.microfocus.com [15.124.64.97] SMTP error from remote mail server after initial connection: 554 IP address 96.86.170.229 rejected [IP reputation fail] atiq@novell.com host smtp.ext.microfocus.com [15.124.64.97] SMTP error from remote mail server after initial connection: 554 IP address 96.86.170.229 rejected [IP reputation fail] pozar@lns.com host lns.com [107.161.208.1] SMTP error from remote mail server after RCPT TO:<pozar@lns.com>: 554 5.7.1 Service unavailable; Client host [96.86.170.229] blocked using +b.barracudacentral.org; +http://www.barracudanetworks.com/reputation/?pr=1&ip=96.86.170.229 rainer.brendle@sap.com host sap-com.mail.protection.outlook.com [104.47.9.36] SMTP error from remote mail server after RCPT TO:<rainer.brendle@sap.com>: 550 5.4.1 Recipient address rejected: Access denied. AS(201806281) +[VE1EUR03FT040.eop-EUR03.prod.protection.outlook.com] juergen.schmerder@sap.com host sap-com.mail.protection.outlook.com [104.47.9.36] SMTP error from remote mail server after RCPT +TO:<juergen.schmerder@sap.com>: 550 5.4.1 Recipient address rejected: Access denied. AS(201806281) +[VE1EUR03FT040.eop-EUR03.prod.protection.outlook.com] mike1martin654@hotmail.com host hotmail-com.olc.protection.outlook.com [104.47.51.33] SMTP error from remote mail server after RCPT +TO:<mike1martin654@hotmail.com>: 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). +[BN1NAM02FT017.eop-nam02.prod.protection.outlook.com] danthonyallen@hotmail.com host hotmail-com.olc.protection.outlook.com [104.47.51.33] SMTP error from remote mail server after RCPT +TO:<danthonyallen@hotmail.com>: 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). +[BN1NAM02FT017.eop-nam02.prod.protection.outlook.com] marie_burnett@hotmail.com host hotmail-com.olc.protection.outlook.com [104.47.51.33] SMTP error from remote mail server after RCPT +TO:<marie_burnett@hotmail.com>: 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). +[BN1NAM02FT017.eop-nam02.prod.protection.outlook.com] siva_s@hotmail.com host hotmail-com.olc.protection.outlook.com [104.47.51.33] SMTP error from remote mail server after RCPT TO:<siva_s@hotmail.com>: 550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302). nikki@mindsource.com host mindsource-com.mail.protection.outlook.com [104.47.66.10] SMTP error from remote mail server after RCPT TO:<nikki@mindsource.com>: 550 5.4.1 Recipient address rejected: Access denied. AS(201806281) +[MW2NAM12FT010.eop-nam12.prod.protection.outlook.com] aidangcole@btinternet.com host mx.lb.btinternet.com [213.120.69.92] SMTP error from remote mail server after pipelined MAIL +FROM:<balug-announce-bounces@lists.balug.org> SIZE=8949: 522-email sent from 96.86.170.229 found on industry IP blacklists +(Spamhaus/Invaluement/ReturnPath) on 2022/07/19 18:45:36 BST. 522 To protect our customers, we use leading industry providers of +blacklists to ensure only good senders can send email to us. If believe this is +a mistake, please contact them directly as there is nothing our Postmaster will +be able to do. warren@delsci.com host delsci-com.mail.protection.outlook.com [104.47.13.36] SMTP error from remote mail server after RCPT TO:<warren@delsci.com>: 550 5.4.1 Recipient address rejected: Access denied. AS(201806281) +[HE1EUR04FT021.eop-eur04.prod.protection.outlook.com] ---<end>--- Looks like we have some sort of serious problem that has badly injured the spam reputation of BALUG MTA IP 96.86.170.229. Just taking a wild guess, I checked Mailman version. The host is running Mailman 2.1.29. If possible, this should be upgraded to 2.1.39 as a priority task, IMO. At some point in versions over the last decade, Marc Sapiro and the other Mailman coders figured out that spammers had figured out how to game Mailman's WebUI subscription forms to sign up arbitary addresses to a mailing list without 3-way handshake -- and added some sort of hash or something (I have only a vague recollection of the fix) to the signup process, blocking that attack mode. Point is, 2.1.29 _may well_ be one of the old, vulnerable releases. Even though I have listadmin credentials for balug-*@lists.balug.org, I'll admit that I've gratfully been able to not bother using that in a long time. For years, I've just gotten notices of a lot of held-in-queue spam, and just ignored it in the knowledge that that would age out and get deleted. But in consequence, e.g., I've not looked at the membership rosters in a long time. So, just now for the first time in years, I just used listadmin credentials and am looking at balug-admin's roster. I paged directly to "s" to see if the vandals had robo-subscribed a bunch of "support@[domain]" helpdesk addresses via the aforementioned Web vulnerability -- and, no, they didn't. Likewise, no help*@[domain} or info@[domain]. _However_, I see some subscriptions like these with just a given name: Bill <info@415digital.com> ilsa <ilsa@cryptofreaks.tk> Chris <chrismichele91@hotmail.com> Robert <ciscomadman@gmail.com> Bud <dustyz16@yahoo.com> jack <eggshell_bill@hotmail.com> eli <eknizley@gmail.com> max <enriquethepirate@comcast.net> Farbod <farbod.ghiasi@gmail.com> Faraz <fffaraz@gmail.com> Sometimes, this is just a real subscriber's preferred way of stating his/her name. I've found, though, it is very often a sign of scripted forged signups, especially where the domain is a free webmail provider. Let's check the DNSBLs for IP 96.86.170.229, to see who doesn't like it, and roughly why: http://linuxmafia.com/kb/Mail/ lists the four multi-dnsbl sites: http://www.dnsbl.info/ http://multirbl.valli.org/ https://mxtoolbox.com/blacklists.aspx https://whatismyipaddress.com/blacklist-check 1. www.dnsbl.info, shows listings at: a) all.s5h.net $ dig 229.170.86.96.all.s5h.net +short 127.0.0.2 $ dig -t txt 229.170.86.96.all.s5h.net +short "See http://s5h.net/rbl" $ Web site doesn't elaborate. b) b.barracudacentral.org $ dig 229.170.86.96.b.barracudacentral.org +short 127.0.0.2 $ dig -t txt 229.170.86.96.b.barracudacentral.org +short "http://www.barracudanetworks.com/reputation/?pr=1&ip=96.86.170.229" $ Web site provides no real further detail; just says the IP's reputation is "poor". c) dnsbl-1.uceprotect.net $ dig 229.170.86.96.dnsbl-1.uceprotect.net +short 127.0.0.2 $ dig -t txt 229.170.86.96.dnsbl-1.uceprotect.net +short "IP 96.86.170.229 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=96.86.170.229" $ Web site elaborates: Status: Listed Impacts: 3 Last Impact: 19.07.2022 21:53 CEST+/- 1min Earliest Expiretime: 26.07.2022 23:00 CEST d) spam.dnsbl.sorbs.net $ dig 229.170.86.96.spam.dnsbl.sorbs.net +short 127.0.0.6 $ dig -t txt 229.170.86.96.spam.dnsbl.sorbs.net +short "Spam Received See: http://www.sorbs.net/lookup.shtml?96.86.170.229" $ Web site elaborates: Problem Entries, (listings will cause email problems.) 4 "Spam" entries [04:30:02 24 Apr 2021 GMT-04]. 96.86.170.229 - 4 entries [04:30:02 24 Apr 2021 GMT-04]. [RM: This is shown as a _active_ listing.] Problem hostnames/domains (could cause email problems.) 2 "Spamvertised" entries [04:30:02 24 Apr 2021 GMT-04]. [RM: This is shown as an _inactive_ (historical) listing. Further detail via the Web site, after logging in: Description: Spam Received from this host Record Created: 04:30:02 24 Apr 2021 GMT-04 Message ID (munged): 590**************************9$@******org Additional Information: No Info Currently active and flagged to be published in DNS The following hostname is found within this spam. j.mp Hostname has been marked as hosting a spamvertised website/URL. Description: Spam Received from this host Record Created: 04:30:01 24 Apr 2021 GMT-04 Message ID (munged): 590**************************9$@******org Additional Information: No Info Currently active and flagged to be published in DNS The following hostname is found within this spam. j.mp Hostname has been marked as hosting a spamvertised website/URL. Description: Spam Received from this host Record Created: 04:49:44 16 Apr 2021 GMT-04 Message ID (munged): C6C*******************************0D@******org Additional Information: No Info Currently active and flagged to be published in DNS Description: Spam Received from this host Record Created: 17:07:50 12 Apr 2021 GMT-04 Message ID (munged): 6.8***********************.5@******org Additional Information: No Info Currently active and flagged to be published in DNS 2. multirbl.valli.org, test="DNSBL lookups", shows listings as (uh-oh, 11 blacklistings) a) Barracuda Reputation Block List, b.barracudacentral.org b) Barracuda Reputation Block List (for SpamAssassin), bb.barracudacentral.org RM: I'll assume those already covered. c) Brukalai.lt DNSBL black, black.dnsbl.brukalai.lt Query: 229.170.86.96.black.dnsbl.brukalai.lt A Record: 127.0.0.2 TTL: 3600 TXT: IP 96.86.170.229 is UCEPROTECT-Level 1 listed. See http://www.uceprotect.net/rblcheck.php?ipr=96.86.170.229 RM: already covered. d) invaluement DNSBL ivmSIP, [hidden FQDN] Query: (hidden) A Record: 127.0.0.2 TTL: 30 TXT: Blocked by ivmSIP and/or ivmSIP/24 - see https://www.invaluement.com/lookup/?item=96.86.170.229 RM: Web site doesn't elaborate. e) invaluement DNSBL ivmSIP-SIP24, [hidden FQDN] [same as prior] f) Polspam BL-H1, bl-h1.rbl.polspam.pl Query: 229.170.86.96.bl-h1.rbl.polspam.pl A Record: 127.0.2.1 TTL: 300 TXT: IP 96.86.170.229 listed! [BL-H1] BEFORE you send SPAM,please read:District Court Warsaw sign.IC3136/17:justification of the judgment:Even a single SPAM message causes violation of personal rights. g) RFC-Clueless (RFC²) Metalist RBL, fulldom.rfc-clueless.org Query: balug.org.fulldom.rfc-clueless.org A Record: 127.0.0.1 TTL: 4800 detail is given in: h) RFC-Clueless (RFC²) postmaster RBL, postmaster.rfc-clueless.org Query: balug.org.postmaster.rfc-clueless.org A Record: 127.0.0.3 TTL: 4800 RM: So, that's an easily fixed own-goal. The RBL claims lists.balug.org fails to accept mail addressed to postmaster@, which along with abuse@, is RFC-mandated. This should be fixed immediately, please. i) s5h.net RBL, all.s5h.net RM: skipping detail, already covered. j) SORBS Spamhost (any time), spam.dnsbl.sorbs.net RM: skipping detail, already covered. k) UCEPROTECT Level 1, dnsbl-1.uceprotect.net RM: skipping detail, already covered. 3 & 4: You know what? I'm going to skip mxtoolbox.com/blacklists.aspx and whatismyipaddress.com/blacklist-check, because in my experience multirbl.valli.org tells you all you need to know. Anyway, you and I should talk about this, at dinner.