[BALUG-Admin] Hundreds of bounces on balug-announce post; DNSBL troubles
Rick Moen
rick@linuxmafia.com
Tue Jul 19 23:34:52 UTC 2022
Here's an excerpt from the barrage that just landed in my mailbox as a
listadmin for balug-announce:
---<begin>---
jprewitt@macromedia.com
host macromedia-com.mail.protection.outlook.com [104.47.73.10]
SMTP error from remote mail server after RCPT TO:<jprewitt@macromedia.com>:
550 5.4.1 Recipient address rejected: Access denied. AS(201806281)
+[DM6NAM04FT038.eop-NAM04.prod.protection.outlook.com]
smclean@baynetworks.com
host baynetworks-com.mail.protection.outlook.com [104.47.58.138]
SMTP error from remote mail server after RCPT TO:<smclean@baynetworks.com>:
550 5.4.1 Recipient address rejected: Access denied. AS(201806281)
+[BN8NAM11FT019.eop-nam11.prod.protection.outlook.com]
david.thomas@novell.com
host smtp.ext.microfocus.com [15.124.64.97]
SMTP error from remote mail server after initial connection:
554 IP address 96.86.170.229 rejected [IP reputation fail]
atiq@novell.com
host smtp.ext.microfocus.com [15.124.64.97]
SMTP error from remote mail server after initial connection:
554 IP address 96.86.170.229 rejected [IP reputation fail]
pozar@lns.com
host lns.com [107.161.208.1]
SMTP error from remote mail server after RCPT TO:<pozar@lns.com>:
554 5.7.1 Service unavailable; Client host [96.86.170.229] blocked using
+b.barracudacentral.org;
+http://www.barracudanetworks.com/reputation/?pr=1&ip=96.86.170.229
rainer.brendle@sap.com
host sap-com.mail.protection.outlook.com [104.47.9.36]
SMTP error from remote mail server after RCPT TO:<rainer.brendle@sap.com>:
550 5.4.1 Recipient address rejected: Access denied. AS(201806281)
+[VE1EUR03FT040.eop-EUR03.prod.protection.outlook.com]
juergen.schmerder@sap.com
host sap-com.mail.protection.outlook.com [104.47.9.36]
SMTP error from remote mail server after RCPT
+TO:<juergen.schmerder@sap.com>:
550 5.4.1 Recipient address rejected: Access denied. AS(201806281)
+[VE1EUR03FT040.eop-EUR03.prod.protection.outlook.com]
mike1martin654@hotmail.com
host hotmail-com.olc.protection.outlook.com [104.47.51.33]
SMTP error from remote mail server after RCPT
+TO:<mike1martin654@hotmail.com>:
550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302).
+[BN1NAM02FT017.eop-nam02.prod.protection.outlook.com]
danthonyallen@hotmail.com
host hotmail-com.olc.protection.outlook.com [104.47.51.33]
SMTP error from remote mail server after RCPT
+TO:<danthonyallen@hotmail.com>:
550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302).
+[BN1NAM02FT017.eop-nam02.prod.protection.outlook.com]
marie_burnett@hotmail.com
host hotmail-com.olc.protection.outlook.com [104.47.51.33]
SMTP error from remote mail server after RCPT
+TO:<marie_burnett@hotmail.com>:
550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302).
+[BN1NAM02FT017.eop-nam02.prod.protection.outlook.com]
siva_s@hotmail.com
host hotmail-com.olc.protection.outlook.com [104.47.51.33]
SMTP error from remote mail server after RCPT TO:<siva_s@hotmail.com>:
550 5.5.0 Requested action not taken: mailbox unavailable (S2017062302).
nikki@mindsource.com
host mindsource-com.mail.protection.outlook.com [104.47.66.10]
SMTP error from remote mail server after RCPT TO:<nikki@mindsource.com>:
550 5.4.1 Recipient address rejected: Access denied. AS(201806281)
+[MW2NAM12FT010.eop-nam12.prod.protection.outlook.com]
aidangcole@btinternet.com
host mx.lb.btinternet.com [213.120.69.92]
SMTP error from remote mail server after pipelined MAIL
+FROM:<balug-announce-bounces@lists.balug.org> SIZE=8949:
522-email sent from 96.86.170.229 found on industry IP blacklists
+(Spamhaus/Invaluement/ReturnPath) on 2022/07/19 18:45:36 BST.
522 To protect our customers, we use leading industry providers of
+blacklists to ensure only good senders can send email to us. If believe this is
+a mistake, please contact them directly as there is nothing our Postmaster will
+be able to do.
warren@delsci.com
host delsci-com.mail.protection.outlook.com [104.47.13.36]
SMTP error from remote mail server after RCPT TO:<warren@delsci.com>:
550 5.4.1 Recipient address rejected: Access denied. AS(201806281)
+[HE1EUR04FT021.eop-eur04.prod.protection.outlook.com]
---<end>---
Looks like we have some sort of serious problem that has badly injured the
spam reputation of BALUG MTA IP 96.86.170.229.
Just taking a wild guess, I checked the Mailman version. The host is
running Mailman 2.1.29. If possible, this should be upgraded to 2.1.39
as a priority task, IMO. At some point in versions over the last
decade, Mark Sapiro and the other Mailman coders figured out that
spammers had figured out how to game Mailman's WebUI subscription
forms to sign up arbitrary addresses to a mailing list without
3-way handshake -- and added some sort of hash or something (I have
only a vague recollection of the fix) to the signup process, blocking
that attack mode. Point is, 2.1.29 _may well_ be one of the old,
vulnerable releases.
Even though I have listadmin credentials for balug-*@lists.balug.org,
I'll admit that I've gratefully been able to not bother using that in a
long time. For years, I've just gotten notices of a lot of
held-in-queue spam, and just ignored it in the knowledge that that would
age out and get deleted. But in consequence, e.g., I've not looked at
the membership rosters in a long time.
So, just now, for the first time in years, I used listadmin
credentials and am looking at balug-admin's roster. I paged directly to
"s" to see if the vandals had robo-subscribed a bunch of
"support@[domain]" helpdesk addresses via the aforementioned Web
vulnerability -- and, no, they didn't. Likewise, no help*@[domain] or
info@[domain].
_However_, I see some subscriptions like these with just a given name:
Bill <info@415digital.com>
ilsa <ilsa@cryptofreaks.tk>
Chris <chrismichele91@hotmail.com>
Robert <ciscomadman@gmail.com>
Bud <dustyz16@yahoo.com>
jack <eggshell_bill@hotmail.com>
eli <eknizley@gmail.com>
max <enriquethepirate@comcast.net>
Farbod <farbod.ghiasi@gmail.com>
Faraz <fffaraz@gmail.com>
Sometimes, this is just a real subscriber's preferred way of stating
his/her name. I've found, though, it is very often a sign of
scripted forged signups, especially where the domain is a free webmail
provider.
Let's check the DNSBLs for IP 96.86.170.229, to see who doesn't like it,
and roughly why:
http://linuxmafia.com/kb/Mail/ lists the four multi-dnsbl sites:
http://www.dnsbl.info/
http://multirbl.valli.org/
https://mxtoolbox.com/blacklists.aspx
https://whatismyipaddress.com/blacklist-check
1. www.dnsbl.info, shows listings at:
a) all.s5h.net
$ dig 229.170.86.96.all.s5h.net +short
127.0.0.2
$ dig -t txt 229.170.86.96.all.s5h.net +short
"See http://s5h.net/rbl"
$
Web site doesn't elaborate.
b) b.barracudacentral.org
$ dig 229.170.86.96.b.barracudacentral.org +short
127.0.0.2
$ dig -t txt 229.170.86.96.b.barracudacentral.org +short
"http://www.barracudanetworks.com/reputation/?pr=1&ip=96.86.170.229"
$
Web site provides no real further detail; just says
the IP's reputation is "poor".
c) dnsbl-1.uceprotect.net
$ dig 229.170.86.96.dnsbl-1.uceprotect.net +short
127.0.0.2
$ dig -t txt 229.170.86.96.dnsbl-1.uceprotect.net +short
"IP 96.86.170.229 is UCEPROTECT-Level 1 listed. See
http://www.uceprotect.net/rblcheck.php?ipr=96.86.170.229"
$
Web site elaborates:
Status: Listed
Impacts: 3
Last Impact: 19.07.2022 21:53 CEST+/- 1min
Earliest Expiretime: 26.07.2022 23:00 CEST
d) spam.dnsbl.sorbs.net
$ dig 229.170.86.96.spam.dnsbl.sorbs.net +short
127.0.0.6
$ dig -t txt 229.170.86.96.spam.dnsbl.sorbs.net +short
"Spam Received See: http://www.sorbs.net/lookup.shtml?96.86.170.229"
$
Web site elaborates:
Problem Entries, (listings will cause email problems.)
4 "Spam" entries [04:30:02 24 Apr 2021 GMT-04].
96.86.170.229 - 4 entries [04:30:02 24 Apr 2021 GMT-04].
[RM: This is shown as an _active_ listing.]
Problem hostnames/domains (could cause email problems.)
2 "Spamvertised" entries [04:30:02 24 Apr 2021 GMT-04].
[RM: This is shown as an _inactive_ (historical) listing.]
Further detail via the Web site, after logging in:
Description: Spam Received from this host
Record Created: 04:30:02 24 Apr 2021 GMT-04
Message ID (munged): 590**************************9$@******org
Additional Information: No Info
Currently active and flagged to be published in DNS
The following hostname is found within this spam.
j.mp Hostname has been marked as hosting a spamvertised website/URL.
Description: Spam Received from this host
Record Created: 04:30:01 24 Apr 2021 GMT-04
Message ID (munged): 590**************************9$@******org
Additional Information: No Info
Currently active and flagged to be published in DNS
The following hostname is found within this spam.
j.mp Hostname has been marked as hosting a spamvertised website/URL.
Description: Spam Received from this host
Record Created: 04:49:44 16 Apr 2021 GMT-04
Message ID (munged): C6C*******************************0D@******org
Additional Information: No Info
Currently active and flagged to be published in DNS
Description: Spam Received from this host
Record Created: 17:07:50 12 Apr 2021 GMT-04
Message ID (munged): 6.8***********************.5@******org
Additional Information: No Info
Currently active and flagged to be published in DNS
2. multirbl.valli.org, test="DNSBL lookups", shows listings as
(uh-oh, 11 blacklistings)
a) Barracuda Reputation Block List, b.barracudacentral.org
b) Barracuda Reputation Block List (for SpamAssassin), bb.barracudacentral.org
RM: I'll assume those already covered.
c) Brukalai.lt DNSBL black, black.dnsbl.brukalai.lt
Query: 229.170.86.96.black.dnsbl.brukalai.lt
A Record: 127.0.0.2
TTL: 3600
TXT: IP 96.86.170.229 is UCEPROTECT-Level 1 listed. See
http://www.uceprotect.net/rblcheck.php?ipr=96.86.170.229
RM: already covered.
d) invaluement DNSBL ivmSIP, [hidden FQDN]
Query: (hidden)
A Record: 127.0.0.2
TTL: 30
TXT: Blocked by ivmSIP and/or ivmSIP/24 - see
https://www.invaluement.com/lookup/?item=96.86.170.229
RM: Web site doesn't elaborate.
e) invaluement DNSBL ivmSIP-SIP24, [hidden FQDN]
[same as prior]
f) Polspam BL-H1, bl-h1.rbl.polspam.pl
Query: 229.170.86.96.bl-h1.rbl.polspam.pl
A Record: 127.0.2.1
TTL: 300
TXT: IP 96.86.170.229 listed! [BL-H1] BEFORE you send SPAM,please
read:District Court Warsaw sign.IC3136/17:justification of the
judgment:Even a single SPAM message causes violation of personal rights.
g) RFC-Clueless (RFC²) Metalist RBL, fulldom.rfc-clueless.org
Query: balug.org.fulldom.rfc-clueless.org
A Record: 127.0.0.1
TTL: 4800
detail is given in:
h) RFC-Clueless (RFC²) postmaster RBL, postmaster.rfc-clueless.org
Query: balug.org.postmaster.rfc-clueless.org
A Record: 127.0.0.3
TTL: 4800
RM: So, that's an easily fixed own-goal. The RBL claims lists.balug.org
fails to accept mail addressed to postmaster@, which along with abuse@,
is RFC-mandated. This should be fixed immediately, please.
i) s5h.net RBL, all.s5h.net
RM: skipping detail, already covered.
j) SORBS Spamhost (any time), spam.dnsbl.sorbs.net
RM: skipping detail, already covered.
k) UCEPROTECT Level 1, dnsbl-1.uceprotect.net
RM: skipping detail, already covered.
3 & 4: You know what? I'm going to skip
mxtoolbox.com/blacklists.aspx and
whatismyipaddress.com/blacklist-check, because in my experience
multirbl.valli.org tells you all you need to know.
Anyway, you and I should talk about this, at dinner.
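The lookups in the post are done one zone at a time with dig. As an added example (not part of Rick's message or of any BALUG tooling), the Python below scripts the same procedure: reverse the IPv4 octets, query <reversed-ip>.<zone>, and read the 127.x.y.z answer. The zone list is the set of DNSBLs that listed 96.86.170.229 in the post, plus zen.spamhaus.org, which is an assumption added because BT's 522 reply names Spamhaus. The resolver is injectable so the logic can be exercised offline; by default it uses the system resolver via socket.gethostbyname. Two checks a practitioner wants that the manual dig run does not give you: an answer outside 127.0.0.0/8 means your resolver is synthesising records (NXDOMAIN hijacking), so every zone would falsely look "listed", and a 127.255.255.x answer from Spamhaus is an error code (public-resolver or query-volume refusal), not a listing.

```python
"""Scripted DNSBL check: reverse the IPv4 octets, query <rev>.<zone>, interpret the code.

Added example; not from the BALUG post. Zones are those that listed the BALUG MTA
in the post, plus zen.spamhaus.org (assumption: added because BT cited Spamhaus).
"""
import ipaddress
import socket
import sys

DEFAULT_ZONES = [
    "all.s5h.net",
    "b.barracudacentral.org",
    "dnsbl-1.uceprotect.net",
    "spam.dnsbl.sorbs.net",
    "bl-h1.rbl.polspam.pl",
    "zen.spamhaus.org",  # assumption: not queried in the original post
]


def reverse_octets(ip: str) -> str:
    """96.86.170.229 -> 229.170.86.96; raises ValueError for anything not plain IPv4."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split(".")))


def resolve_a(name: str):
    """First A record for name, or None when the zone answers NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify(code):
    """Turn a DNSBL answer into (status, code).

    DNSBLs signal a listing with an address in 127.0.0.0/8; the low octets encode
    the reason (e.g. SORBS 127.0.0.6 = spam received). 127.255.255.x is the
    Spamhaus error range (.252 typo in zone name, .254 query via public resolver,
    .255 query limit exceeded) and must not be read as a listing.
    """
    if code is None:
        return ("not listed", None)
    if code.startswith("127.255.255."):
        return ("query error", code)
    if code.startswith("127."):
        return ("listed", code)
    # A non-loopback answer means the resolver is inventing records (NXDOMAIN
    # hijacking); with such a resolver every zone would look listed.
    return ("bad answer", code)


def check_ip(ip, zones=DEFAULT_ZONES, resolver=resolve_a):
    """Query every zone for ip and return {zone: (status, code)} in zone order."""
    rev = reverse_octets(ip)
    return {zone: classify(resolver(f"{rev}.{zone}")) for zone in zones}


def listed_zones(results):
    """Zones whose answer was a genuine listing."""
    return [zone for zone, (status, _) in results.items() if status == "listed"]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "96.86.170.229"
    results = check_ip(target)
    for zone, (status, code) in results.items():
        print(f"{zone:28} {status:12} {code or ''}")
    print("Listed on:", ", ".join(listed_zones(results)) or "nothing")
```

The reason string and delisting URL still live in the TXT record, which socket cannot fetch; `dig -t txt <rev>.<zone> +short`, as in the post, is the quickest way to read it once this script tells you which zones to ask.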