[UCIMC-Tech] chambana-listing-as-spammer: need reverse DNS for 209.66.96.68! - was Re: att.net and earthlink.net block Chambana e-mail (from 209.66.96.68)

Stuart Levy salevy at illinois.edu
Sun Mar 18 16:27:04 UTC 2012


Thank you, Josh!  Let's hope that helps!

Re Reverse DNS: it's possible that the old server had a mistaken but 
legit-looking reverse DNS, but that the new one had a bogus-looking address.
Specifically, comcast's rev DNS claims we come from Albany - false but 
plausible.  A sample message from February says

   Received: from mccoy.chambana.net (mail.albanychamber.com [75.145.177.73] (may be forged)) by [...]

while a current message has instead this much more fishy-looking one - 
note that even the numbers don't match:

   Received: from mail0.frost.chambana.net (64.124.106.68.available.above.net [209.66.96.68] (may be forged)) by [...]


Re sending to the imc-tech list:
    The sending-to-imc-tech trouble is a current issue: the two messages 
I sent on 3/15 and 3/16 (included below) didn't make it, and I didn't 
see any held-for-moderation message.  However I did send the 3/15 and 
3/16 messages from my gmail account, which may not be listed as a valid 
sender.  So it may be the only real problem with submitting *to* that 
list is that held-for-moderation responses weren't making it back to me.

What's been happening when:
3/8 was when I first noticed that most/all chambana mail 
(peace/peace-discuss/occupy) to me were being flagged as spam by UIUC CITES.

It was several days later (3/12) when "Bounce action notification" 
messages started showing up on lists I admin -- from at least
      att.net
      sbcglobal.net
      earthlink.net
      umich.edu
each saying that sites were specifically rejecting mail from 
209.66.96.68.  Most messages mentioned "DNSRBL" or "DNSBL".

Looking back now, I see that rebelmike at earthlink.net (Mike Lehman!), 
oltime1 at att.net, and meiosha at sbcglobal.net were kicked off the imc at ucimc 
list on 3/12.  Since then there have been 8 more reported bounces, but 
who-knows how many messages might have just been discarded silently.

I filed we're-not-a-spammer appeals on behalf of 209.66.96.68 with att, 
earthlink, and umich.  But who knows whether they were actually 
effective - they don't tell you.

    Stuart

On 3/18/12 9:39 AM, Josh King wrote:
> Hey Stuart and Jay,
>
> 3/8 would have been when we moved mail services to a different box at
> the new IP. There were a few issues with the migration, so it's
> possible that the mailing list issues you were experiencing with
> sending to the IMC-Tech list are resolved by now.
>
> As far as the reverse-record thing, I'm surprised that this is just an
> issue now (Comcast would never give us reverse-DNS delegation, I don't
> know why it's now suddenly an issue). I am working with the IT guy at
> the colo facility where the new server is to get upstream delegation,
> he's just moving on it slowly. I'll make sure to push him again to get
> it set up. In the meantime, I'll put SPF records and maybe DKIM into
> our DNS zones, which will maybe help with bumping our spam score up. I
> have verified that we aren't on any blacklists. I'll see if there's
> anything else I can do in the meantime to sidestep the issue.
>
> On Sun 18 Mar 2012 08:39:57 AM EDT, Jay Schubert wrote:
>> Bump. I think this is happening on the BYP list serves too
>>
>> - Jay
>>
>> On Sunday, March 18, 2012, Stuart Levy <salevy at illinois.edu> wrote:
>>> Summary: fairly urgent problem with chambana.net's outbound mail
>>> service: other services (att.net, sbcglobal, umich.edu, UIUC CITES)
>>> are accepting somebody's judgement that chambana.net is a spam
>>> source, and they're auto-rejecting mail from it, or at least flagging
>>> it as likely spam (in CITES case). Given what I've seen from CITES,
>>> this may have been ongoing since 3/8.
>>>
>>> Suspicion: given umich.edu's helpful info below, it appears that the
>>> chambana outbound mail server 209.66.96.68 *has a bogus-looking
>>> reverse DNS entry*.  Do we (Josh?) have any control over this???
>>> If not, is there a way to route through a different outbound mailer?
>>>
>>> [[Further: some annoying trouble with the IMC mail server ... I'd
>>> sent a msg or two to imc-tech about this over last couple days, hadn't
>>> heard back from anyone.  Now I see those messages haven't made it
>>> into the imc-tech archives, so probably nobody has seen them.  Argh.
>>> Hope it will work to send directly like this.]]
>>>
>>> Fallout from above problem: lots of people on various chambana lists
>>> are being set to "NOMAIL".  Today that included Carol/Aaron, and Rev.
>>> Underwood, from CUCPJ Discuss list.  Mailman does this when it gets a
>>> fatal bounce, as happens when receiving sites reject mail due to our
>>> sender being flagged as a spam source...
>>>
>>> Help!
>>>
>>>      Stuart
>>>
>>>
>>> -------- Original Message --------
>>> Subject: chambana-listing-as-spammer: need reverse DNS for
>>> 209.66.96.68! - was Re: att.net and earthlink.net block Chambana
>>> e-mail (from 209.66.96.68)
>>> Date: Sat, 17 Mar 2012 10:10:22 -0500
>>> From: Stuart Levy <stuartnlevy at gmail.com>
>>> To: imc-tech at lists.chambana.net
>>>
>>> Found more about why chambana.net/209.66.96.68 is *still* being
>>> listed as a spam source: there's no reverse DNS for that IP address.
>>> Or maybe there is, but umich.edu and probably others don't think
>>> that "64.124.106.68.available.above.net" is legitimate,
>>> apparently.  (This would also explain why CITES started classifying
>>> 'most all of my *@lists.chambana.net message as spam on March 8th.)
>>>
>>> Do any of us have control over reverse DNS for 209.66.96.68?  This
>>> seems pretty serious.
>>>
>>> (Details, from
>>> http://spambusters.mail.umich.edu/troubleshoot/blockstatus/ - Aaron
>>> Johnson Ortiz gets his mail at umich.edu, which just sent a fatal
>>> bounce in refusing to accept a chambana.net message, and fortunately
>>> explains its reasoning better than earthlink/att.net/CITES):
>>> 209.66.96.68
>>> Status:    Blocked
>>> Notes:    This IP appears on the UM Postmaster list of blocked hosts.
>>> No e-mail will be accepted from 209.66.96.68.
>>> Contact:    UM Postmaster
>>> Status:    No Spamhaus SBL blocks detected.
>>> Notes:
>>> Status:    No Spamhaus XBL blocks detected.
>>> Notes:
>>> Status:    No Spamhaus PBL blocks detected.
>>> Notes:
>>> Status:    No Invaluement SIP blocks detected.
>>> Notes:
>>> Status:    No Invaluement SIP/24 blocks detected.
>>> Notes:
>>> Status:    Notice
>>> Notes:    This IP does not have a valid reverse DNS record. Please
>>>           have this DNS issue fixed to avoid delays in mail delivery.
>>>
>>>
>>>
>>>
>>> On 3/15/12 2:38 PM, Stuart Levy wrote:
>>>
>>> Do we have any way of telling whether spam is being sent through the
>>> chambana.net mail server (from it to elsewhere)?
>>> I'm seeing "bounce" messages from both att.net and earthlink.net
>>> reporting that they're blocking chambana.net mail from
>>> 209.66.96.68
>>>
>>> (This was for OccupyCU list mail, but I imagine the same would be
>>> true for any att/earthlink user receiving chambana.net email).
>>> I've used the http://earthlink.net/block page's advice on getting
>>> our mail server un-blocked.
>>> Att.com (sbcglobal etc.) has a helpful-looking bounce message,
>>> referring to "http://att.net/blocks",
>>> but there is no such web page.  Google searching turned up this:
>>>
>>>      http://rbl.att.net/block_inquiry.html
>>>
>>> I'm filling in its please-unblock-us page too,
>>>     http://rbl.att.net/cgi-bin/rbl/block_admin.cgi
>>> which among other things asks "what configuration changes have you
>>> made since you were blocked?",
>>> i.e. demonstrate that you have ceased to beat your spouse...
>>>
>>> For reference here's a sample bounce:
>>>
>>> This is a Mailman mailing list bounce action notice:
>>>
>>>      List:       OccupyCU
>>>      Member:     charles.eleanor at sbcglobal.net
>>>      Action:     Subscription disabled.
>>>      Reason:     Excessive or fatal bounces.
>>>
>>>
>>>
>>> The triggering bounce notice is attached below.
>>>
>>> Questions? Contact the Mailman site administrator at
>>> mailman at lists.chambana.net.
>>>
>>> ForwardedMessage.eml
>>> Subject:
>>> Undelivered Mail Returned to Sender
>>> From:
>>> MAILER-DAEMON at mail0.frost.chambana.net (Mail Delivery System)
>>> Date:
>>> 3/15/12 11:19 AM
>>> To:
>>> occupycu-bounces at lists.chambana.net
>>> This is the mail system at host mail0.frost.chambana.net.
>>> I'm sorry to have to inform you that your message could not
>>> be delivered to one or more recipients. It's attached below.
>>>
>>> For further assistance, please send mail to postmaster.
>>>
>>> If you do so, please include this problem report. You can
>>> delete your own text from the attached returned message.
>>>
>>>                     The mail system
>>>
>>> <charles.eleanor at sbcglobal.net>: host sbcmx8.prodigy.net[207.115.36.22] said:
>>>      553 5.3.0 nlpi107 DNSBL:ATTRBL 521<  209.66.96.68
>>>      >_is_blocked.__For_information_see_http://att.net/blocks (in reply to MAIL
>>>      FROM command)
>>>
>>>
>>> Reporting-MTA: dns; mail0.frost.chambana.net
>>> X-Postfix-Queue-ID: C0E5A16CE36
>>> X-Postfix-Sender: rfc822; occupycu-bounces at lists.chambana.net
>>> Arrival-Date: Thu, 15 Mar 2012 16:19:34 +0000 (UTC)
>>>
>>> Final-Recipient: rfc822; charles.eleanor at sbcglobal.net
>>> Original-Recipient: rfc822;charles.eleanor at sbcglobal.net
>>> Action: failed
>>> Status: 5.3.0
>>> Remote-MTA: dns; sbcmx8.prodigy.net
>>> Diagnostic-Code: smtp; 553 5.3.0 nlpi107 DNSBL:ATTRBL 521<  209.66.96.68
>>>      >_is_blocked.__For_information_see_http://att.net/blocks
>>>
>>> ForwardedMessage.eml
>>> Subject:
>>> [OccupyCU] General Assembly
>>> From:
>>> Theresa Scott <msscott729 at yahoo.com>
>>> Date:
>>> 3/15/12 11:19 AM
>>> To:
>>> occupycu <occupycu at lists.chambana.net>
>>> FYI, tomorrow's ocCUpy General Assembly will be held in Room 222 of
>>> the Champaign Public Library.  Hope to see you.
>>> Theresa
>>>
>>> _______________________________________________
>>> OccupyCU mailing list
>>> OccupyCU at lists.chambana.net
>>> http://lists.chambana.net/mailman/listinfo/occupycu
>>>
>>>
>>>
>>>
>>
>> _______________________________________________
>> IMC-Tech mailing list
>> IMC-Tech at lists.chambana.net
>> http://lists.chambana.net/mailman/listinfo/imc-tech
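
Added example, not part of the original message: the forward-confirmed reverse DNS check that receiving mail servers apply, run over the two Received: headers quoted in the message, plus a test for a PTR name that embeds a different address than the one that connected. The DNS answers are constructed sample tables, `mail.example.org` / `192.0.2.25` are placeholders, and all function names are illustrative.

```python
import re
import socket
from functools import partial
# Sendmail-style clause as quoted above: from HELO (PTR-NAME [IP] (may be forged))
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<ptr>\S+)\s+\[(?P<ip>[\d.]+)\]"
    r"(?P<forged>\s+\(may be forged\))?\)")
# Dotted or dashed quad inside a hostname, typical of provider-generated PTR names.
EMBEDDED_IP_RE = re.compile(r"(?<!\d)(\d{1,3}(?:[.-]\d{1,3}){3})(?!\d)")

def parse_received(line):
    """Pull the HELO name, recorded PTR name and peer IP out of a Received: line."""
    m = RECEIVED_RE.search(line)
    if m is None:
        return None
    return {"helo": m["helo"], "ptr": m["ptr"], "ip": m["ip"],
            "may_be_forged": m["forged"] is not None}

def embedded_ip_mismatch(ptr, ip):
    """True if the PTR name embeds an address other than ip (in either octet order)."""
    m = EMBEDDED_IP_RE.search(ptr)
    if m is None:
        return False
    found = m.group(1).replace("-", ".")
    return found not in (ip, ".".join(reversed(ip.split("."))))

def fcrdns(ip, ptr_lookup, a_lookup):
    """Forward-confirmed reverse DNS: some PTR name must resolve back to ip."""
    names = ptr_lookup(ip)
    if not names:
        return "no-ptr"
    return "pass" if any(ip in a_lookup(n) for n in names) else "mismatch"

def _resolve(fn, field, arg):
    """Run a socket lookup and return a list, empty when resolution fails."""
    try:
        value = fn(arg)[field]
    except OSError:
        return []
    return value if isinstance(value, list) else [value]

# Live resolvers for real use; the constructed tables below stand in for DNS offline.
live_ptr = partial(_resolve, socket.gethostbyaddr, 0)
live_a = partial(_resolve, socket.gethostbyname_ex, 2)
# Headers copied from the message above; PTR and A are constructed sample data.
FEB = "Received: from mccoy.chambana.net (mail.albanychamber.com [75.145.177.73] (may be forged)) by [...]"
NOW = "Received: from mail0.frost.chambana.net (64.124.106.68.available.above.net [209.66.96.68] (may be forged)) by [...]"
PTR = {"209.66.96.68": ["64.124.106.68.available.above.net"], "192.0.2.25": ["mail.example.org"]}
A = {"64.124.106.68.available.above.net": ["64.124.106.68"], "mail.example.org": ["192.0.2.25"]}
```

Against live DNS, call `fcrdns(ip, live_ptr, live_a)`; a sending host is in good shape when that returns `"pass"` and the confirmed name is not a generic provider placeholder.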



