04-09-2010 08:35 AM
Hello,
I'm adding FQDNs to the Blacklist and users are still receiving emails from those FQDNs...
For example, I blocked organisationdutravail.com last week, but here is the message tracking from this week:
Results
Displaying 1 — 16 of 16 items.
1 08 Apr 2010 14:20 (GMT -04:00) MID: 19670 Show Details
SENDER: fichiers@organisationdutravail.com
RECIPIENT: ****REMOVED****
SUBJECT: Connaitre les nouvelles procedures aux douanes Connaitre les nouvelles procedures aux douanes
LAST STATE: Message 19670 to ****REMOVED**** received remote SMTP response '...
2 08 Apr 2010 14:17 (GMT -04:00) MID: 19666 Show Details
SENDER: fichiers@organisationdutravail.com
RECIPIENT: ****REMOVED****
SUBJECT: Connaitre les nouvelles procedures aux douanes Connaitre les nouvelles procedures aux douanes
LAST STATE: Message 19666 to ****REMOVED**** received remote SMTP response 'ok:...
3 08 Apr 2010 14:17 (GMT -04:00) MID: 19665 Show Details
SENDER: fichiers@organisationdutravail.com
RECIPIENT: ****REMOVED****
SUBJECT: Connaitre les nouvelles procedures aux douanes Connaitre les nouvelles procedures aux douanes
LAST STATE: Message 19665 to ****REMOVED**** received remote SMTP response '...
4 08 Apr 2010 14:17 (GMT -04:00) MID: 19664 Show Details
SENDER: fichiers@organisationdutravail.com
RECIPIENT: ****REMOVED****
SUBJECT: Connaitre les nouvelles procedures aux douanes Connaitre les nouvelles procedures aux douanes
LAST STATE: Message 19664 to ****REMOVED**** received remote SMTP response '2.6....
And here is the full tracking of one of those emails:
08 Apr 2010 14:20:20 (GMT -04:00) Protocol SMTP interface IncomingIP (IP ****REMOVED****) on incoming connection (ICID 175563) from sender IP 205.237.40.104. Reverse DNS host 40-104.cgocable.ca verified no.
08 Apr 2010 14:20:20 (GMT -04:00) (ICID 175563) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:10.0] SBRS -0.8
08 Apr 2010 14:20:20 (GMT -04:00) Start message 19670 on incoming connection (ICID 175563).
08 Apr 2010 14:20:20 (GMT -04:00) Message 19670 enqueued on incoming connection (ICID 175563) from fichiers@organisationdutravail.com.
08 Apr 2010 14:20:20 (GMT -04:00) Message 19670 on incoming connection (ICID 175563) added recipient (****REMOVED****).
08 Apr 2010 14:20:20 (GMT -04:00) Message 19670 contains message ID header '<6bdb6f64469b3af0006fc7b02bd2ec07@organisationdutravail.com>'.
08 Apr 2010 14:20:20 (GMT -04:00) Message 19670 original subject on injection: Connaitre les nouvelles procedures aux douanes
08 Apr 2010 14:20:20 (GMT -04:00) Message 19670 (18352 bytes) from fichiers@organisationdutravail.com ready.
08 Apr 2010 14:20:20 (GMT -04:00) Message 19670 matched per-recipient policy DEFAULT for inbound mail policies.
08 Apr 2010 14:20:20 (GMT -04:00) Message 19670 encountered CASE down (1/10). Retry scanning in 12 seconds.
08 Apr 2010 14:20:38 (GMT -04:00) Message 19670 scanned by Anti-Spam engine: CASE. Interim verdict: Negative
08 Apr 2010 14:20:38 (GMT -04:00) Message 19670 scanned by Anti-Spam engine: CASE. Final verdict: Negative
08 Apr 2010 14:20:38 (GMT -04:00) Message 19670 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
08 Apr 2010 14:20:38 (GMT -04:00) Message 19670 scanned by Anti-Virus engine. Final verdict: Negative
08 Apr 2010 14:20:38 (GMT -04:00) Message 19670 queued for delivery.
08 Apr 2010 14:20:38 (GMT -04:00) SMTP delivery connection (DCID 10816) opened from IronPort interface ****REMOVED**** to IP address ****REMOVED**** on port 25.
08 Apr 2010 14:20:38 (GMT -04:00) (DCID 10816) Delivery started for message 19670 to ****REMOVED****.
08 Apr 2010 14:20:38 (GMT -04:00) (DCID 10816) Delivery details: Message 19670 sent to ****REMOVED****
08 Apr 2010 14:20:38 (GMT -04:00) Message 19670 to ****REMOVED**** received remote SMTP response '2.6.0 <6bdb6f64469b3af0006fc7b02bd2ec07@organisationdutravail.com> Queued mail for delivery'.
We can see that the address is considered an UNKNOWN sender and not a BLACKLIST one... What's up with that?
Thanks for your help!
04-09-2010 08:57 AM
Looks like you're receiving communication from a different server:
organisationdutravail.com's MX records point to:
organisationdutravail.com. 900 IN MX 10 q1.netfirms.com.
organisationdutravail.com. 900 IN MX 10 q0.netfirms.com.
whose IPs point to:
q1.netfirms.com. 1551 IN A 70.35.17.139
q1.netfirms.com. 1551 IN A 70.35.17.171
q1.netfirms.com. 1551 IN A 70.35.17.203
q1.netfirms.com. 1551 IN A 70.35.17.235
q1.netfirms.com. 1551 IN A 70.35.17.11
q1.netfirms.com. 1551 IN A 70.35.17.43
q1.netfirms.com. 1551 IN A 70.35.17.75
q1.netfirms.com. 1551 IN A 70.35.17.107
However you're receiving communication from 205.237.40.104 which doesn't match any of the above.
I suspect someone is spoofing organisationdutravail.com's domain. I would suggest blacklisting by IP address instead of FQDN.
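The check the answer above performs by hand (compare the IP that opened the SMTP connection against the addresses the envelope sender's domain publishes for its mail hosts) can be scripted so it runs over a pasted tracking log. The code below is an added example written for this thread, not part of the original posts and not an IronPort/AsyncOS feature. It embeds a constructed DNS snapshot built from the MX and A records quoted in the answer (q0.netfirms.com's A records are not shown in the thread, so they are assumed empty) and two tracking lines copied from the question, and it does no live DNS lookups. The function names (mail_hosts, parse_tracking, check_origin) are the example's own. One caveat a practitioner should keep in mind: MX records describe where a domain receives mail, not where it sends from, so a mismatch is a strong hint rather than proof of spoofing; SPF is the mechanism designed to publish a domain's authorised sending hosts. Note also that the tracking shows the connecting host's reverse DNS as 40-104.cgocable.ca, which is the hostname the gateway sees for this connection, not organisationdutravail.com.

```python
"""Compare a mail gateway's connecting IP with the envelope sender domain's
published mail hosts, using a pasted message-tracking excerpt.

Added example for the forum thread above; it is not IronPort code.
All DNS data is a constructed, offline snapshot of the records quoted
in the thread.
"""
import re

# Constructed DNS snapshot (from the records the answer quotes).
# q0.netfirms.com's A records were not shown, so they are assumed empty.
DNS = {
    "organisationdutravail.com": {"MX": ["q1.netfirms.com", "q0.netfirms.com"]},
    "q1.netfirms.com": {"A": [
        "70.35.17.139", "70.35.17.171", "70.35.17.203", "70.35.17.235",
        "70.35.17.11", "70.35.17.43", "70.35.17.75", "70.35.17.107",
    ]},
    "q0.netfirms.com": {"A": []},  # assumption: not listed in the thread
}

# Two tracking lines copied from the question (recipient already redacted there).
SAMPLE_TRACKING = [
    "08 Apr 2010 14:20:20 (GMT -04:00) Protocol SMTP interface IncomingIP "
    "(IP ****REMOVED****) on incoming connection (ICID 175563) from sender IP "
    "205.237.40.104. Reverse DNS host 40-104.cgocable.ca verified no.",
    "08 Apr 2010 14:20:20 (GMT -04:00) Message 19670 enqueued on incoming "
    "connection (ICID 175563) from fichiers@organisationdutravail.com.",
]

# "from sender IP 205.237.40.104." -> the IP that opened the connection
CONN_RE = re.compile(r"from sender IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
# "enqueued ... from fichiers@example.com." -> the envelope MAIL FROM address
ENV_RE = re.compile(r"enqueued on incoming connection \(ICID \d+\) from (\S+?)\.?$")


def mail_hosts(domain, dns=DNS):
    """Return the IPv4 addresses of every MX host the domain publishes."""
    ips = set()
    for mx in dns.get(domain.lower(), {}).get("MX", []):
        ips.update(dns.get(mx.lower(), {}).get("A", []))
    return ips


def parse_tracking(lines):
    """Pull the connecting IP and envelope sender out of tracking lines.

    Returns (connecting_ip, sender_address); either may be None if the
    corresponding line is missing from the excerpt.
    """
    conn_ip, sender = None, None
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            conn_ip = m.group("ip")
        m = ENV_RE.search(line.strip())
        if m:
            sender = m.group(1)
    return conn_ip, sender


def check_origin(lines, dns=DNS):
    """Report whether the connecting IP is one of the sender domain's mail hosts."""
    conn_ip, sender = parse_tracking(lines)
    if conn_ip is None or sender is None or "@" not in sender:
        raise ValueError("tracking excerpt lacks a sender IP or envelope sender")
    domain = sender.rsplit("@", 1)[1].lower()
    hosts = mail_hosts(domain, dns)
    return {
        "connecting_ip": conn_ip,
        "sender_domain": domain,
        "domain_mail_hosts": sorted(hosts),
        # True when the connection came from one of the domain's MX hosts
        "origin_matches": conn_ip in hosts,
    }


if __name__ == "__main__":
    result = check_origin(SAMPLE_TRACKING)
    for key, value in result.items():
        print(f"{key}: {value}")
    if not result["origin_matches"]:
        print("Connecting IP is not one of the domain's mail hosts; "
              "consider a HAT entry for the IP rather than the FQDN.")
```

Run it as a script to see the verdict for the thread's own tracking excerpt; to reuse it on another log, paste the "from sender IP" and "enqueued ... from" lines into SAMPLE_TRACKING and extend DNS with the domain's real MX and A records (or replace the dictionary lookups with a resolver call).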
04-09-2010 11:07 AM
You are right, shame on me for not having looked at the IPs before posting...
Thanks a lot!
04-09-2010 01:26 PM
No problem. Glad to help!