mdube
Beginner

FQDN Added to Blacklist still not blocked...

Hello,

I'm adding FQDNs to the Blacklist and users are still receiving emails from those FQDNs...

For example, I blocked organisationdutravail.com last week, but here is the message tracking from this week:

Results
Displaying 1 — 16 of 16 items.

1 08 Apr 2010 14:20 (GMT -04:00)  MID: 19670
  SENDER: fichiers@organisationdutravail.com
RECIPIENT: ****REMOVED****
SUBJECT: Connaitre les nouvelles procedures aux douanes Connaitre les nouvelles procedures aux douanes
LAST STATE: Message 19670 to ****REMOVED****  received remote SMTP response '...

2 08 Apr 2010 14:17 (GMT -04:00)  MID: 19666
  SENDER: fichiers@organisationdutravail.com
RECIPIENT: ****REMOVED****
SUBJECT: Connaitre les nouvelles procedures aux douanes Connaitre les nouvelles procedures aux douanes
LAST STATE: Message 19666 to ****REMOVED****  received remote SMTP response 'ok:...

3 08 Apr 2010 14:17 (GMT -04:00)  MID: 19665
  SENDER: fichiers@organisationdutravail.com
RECIPIENT: ****REMOVED****
SUBJECT: Connaitre les nouvelles procedures aux douanes Connaitre les nouvelles procedures aux douanes
LAST STATE: Message 19665 to ****REMOVED****  received remote SMTP response '...

4 08 Apr 2010 14:17 (GMT -04:00)  MID: 19664
  SENDER: fichiers@organisationdutravail.com
RECIPIENT: ****REMOVED****
SUBJECT: Connaitre les nouvelles procedures aux douanes Connaitre les nouvelles procedures aux douanes
LAST STATE: Message 19664 to ****REMOVED****  received remote SMTP response '2.6....

And here is the full tracking of one of those emails:

08 Apr 2010 14:20:20 (GMT -04:00)  Protocol SMTP interface IncomingIP (IP ****REMOVED****) on incoming connection (ICID 175563) from sender IP 205.237.40.104. Reverse DNS host 40-104.cgocable.ca verified no. 
08 Apr 2010 14:20:20 (GMT -04:00)  (ICID 175563) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:10.0] SBRS -0.8 
08 Apr 2010 14:20:20 (GMT -04:00)  Start message 19670 on incoming connection (ICID 175563). 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 enqueued on incoming connection (ICID 175563) from fichiers@organisationdutravail.com
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 on incoming connection (ICID 175563) added recipient (****REMOVED****). 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 contains message ID header '<6bdb6f64469b3af0006fc7b02bd2ec07@organisationdutravail.com>'
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 original subject on injection: Connaitre les nouvelles procedures aux douanes 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 (18352 bytes) from fichiers@organisationdutravail.com ready. 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 matched per-recipient policy DEFAULT for inbound mail policies. 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 encountered CASE down (1/10). Retry scanning in 12 seconds. 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Spam engine: CASE. Interim verdict: Negative 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Spam engine: CASE. Final verdict: Negative 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Virus engine. Final verdict: Negative 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 queued for delivery. 
08 Apr 2010 14:20:38 (GMT -04:00)  SMTP delivery connection (DCID 10816) opened from IronPort interface ****REMOVED**** to IP address ****REMOVED**** on port 25. 
08 Apr 2010 14:20:38 (GMT -04:00)  (DCID 10816) Delivery started for message 19670 to ****REMOVED****. 
08 Apr 2010 14:20:38 (GMT -04:00)  (DCID 10816) Delivery details: Message 19670 sent to ****REMOVED****
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 to ****REMOVED**** received remote SMTP response '2.6.0 <6bdb6f64469b3af0006fc7b02bd2ec07@organisationdutravail.com> Queued mail for delivery'.

We can see that the address is considered an UNKNOWN sender and not a BLACKLIST one... What's up with that?

Thanks for your help!

1 ACCEPTED SOLUTION

dzavasni
Beginner

Looks like you're receiving communication from a different server:

organisationdutravail.com's MX records point to:

organisationdutravail.com. 900  IN      MX      10 q1.netfirms.com.
organisationdutravail.com. 900  IN      MX      10 q0.netfirms.com.

whose IPs point to:

q1.netfirms.com.        1551    IN      A       70.35.17.139
q1.netfirms.com.        1551    IN      A       70.35.17.171
q1.netfirms.com.        1551    IN      A       70.35.17.203
q1.netfirms.com.        1551    IN      A       70.35.17.235
q1.netfirms.com.        1551    IN      A       70.35.17.11
q1.netfirms.com.        1551    IN      A       70.35.17.43
q1.netfirms.com.        1551    IN      A       70.35.17.75
q1.netfirms.com.        1551    IN      A       70.35.17.107

However, you're receiving communication from 205.237.40.104, which doesn't match any of the above.
I suspect someone is spoofing organisationdutravail.com's domain. I would suggest blacklisting by IP address instead of FQDN.

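A scripted version of the check in this answer, added here as an example rather than code from the thread or from Cisco: it parses tracking lines in the format shown above, pairs each message's envelope-sender domain with the IP of the connection it arrived on, and flags messages whose connecting IP is not one of the domain's MX hosts. The log lines are constructed from the post's entry (with the documentation address 192.0.2.10 standing in for the removed interface IP) plus one made-up legitimate message (MID 19671, ICID 175570); the MX address table is the q1.netfirms.com snapshot from this answer, so in practice it would be refreshed from a live MX lookup of every MX host.

```python
"""
Cross-check the connecting IP recorded in ESA message-tracking lines against
the IPs a sender domain's MX hosts resolve to.

Added example, not part of the original thread and not Cisco/IronPort code.
It reproduces by hand what the accepted answer did: compare the IP that
opened the SMTP connection with the addresses of the domain's MX hosts.
Everything runs offline; the log lines and the MX table are sample data.
"""
import re

# Constructed sample: the first three lines follow the post's own entry
# (interface IP replaced with 192.0.2.10); the last three are a made-up
# message that really did arrive from one of the domain's MX hosts.
SAMPLE_TRACKING = """\
08 Apr 2010 14:20:20 (GMT -04:00)  Protocol SMTP interface IncomingIP (IP 192.0.2.10) on incoming connection (ICID 175563) from sender IP 205.237.40.104. Reverse DNS host 40-104.cgocable.ca verified no.
08 Apr 2010 14:20:20 (GMT -04:00)  (ICID 175563) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:10.0] SBRS -0.8
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 enqueued on incoming connection (ICID 175563) from fichiers@organisationdutravail.com
08 Apr 2010 14:21:02 (GMT -04:00)  Protocol SMTP interface IncomingIP (IP 192.0.2.10) on incoming connection (ICID 175570) from sender IP 70.35.17.139. Reverse DNS host q1.netfirms.com verified yes.
08 Apr 2010 14:21:02 (GMT -04:00)  (ICID 175570) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 2.1
08 Apr 2010 14:21:02 (GMT -04:00)  Message 19671 enqueued on incoming connection (ICID 175570) from info@organisationdutravail.com
"""

# Snapshot of the A records the accepted answer listed for the MX host
# q1.netfirms.com. The thread does not show q0.netfirms.com's addresses, so a
# real check would resolve every MX host (e.g. with dig) before comparing.
MX_ADDRESSES = {
    "organisationdutravail.com": {
        "70.35.17.139", "70.35.17.171", "70.35.17.203", "70.35.17.235",
        "70.35.17.11", "70.35.17.43", "70.35.17.75", "70.35.17.107",
    },
}

# One pattern per tracking line type we care about; the ICID ties the
# connection-level lines to the message-level "enqueued" line.
CONN_RE = re.compile(r"incoming connection \(ICID (\d+)\) from sender IP (\d+\.\d+\.\d+\.\d+)")
GROUP_RE = re.compile(r"\(ICID (\d+)\) ACCEPT sender group (\S+)")
SENDER_RE = re.compile(r"Message (\d+) enqueued on incoming connection \(ICID (\d+)\) from \S+@(\S+)")


def parse_tracking(text):
    """Return {mid: {"icid", "domain", "ip", "group"}} from tracking lines."""
    conns = {}   # icid -> {"ip": ..., "group": ...}
    msgs = {}    # mid  -> {"icid": ..., "domain": ...}
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            conns.setdefault(m.group(1), {})["ip"] = m.group(2)
            continue
        m = GROUP_RE.search(line)
        if m:
            conns.setdefault(m.group(1), {})["group"] = m.group(2)
            continue
        m = SENDER_RE.search(line)
        if m:
            mid, icid, domain = m.groups()
            msgs[mid] = {"icid": icid, "domain": domain.rstrip(".").lower()}
    # Join connection facts onto each message by ICID.
    for info in msgs.values():
        info.update(conns.get(info["icid"], {}))
    return msgs


def classify(msgs, mx_addresses):
    """Tag each message by whether its connecting IP belongs to the envelope
    domain's MX hosts: 'mx-host', 'unrelated-server', or 'no-connection-record'."""
    verdicts = {}
    for mid, info in msgs.items():
        ip = info.get("ip")
        if ip is None:
            verdicts[mid] = "no-connection-record"
            continue
        known = mx_addresses.get(info["domain"], set())
        verdicts[mid] = "mx-host" if ip in known else "unrelated-server"
    return verdicts


if __name__ == "__main__":
    parsed = parse_tracking(SAMPLE_TRACKING)
    for mid, verdict in classify(parsed, MX_ADDRESSES).items():
        info = parsed[mid]
        print(f"MID {mid}: {info['domain']} via {info.get('ip')} "
              f"(sender group {info.get('group')}) -> {verdict}")
```

Run on the post's entry this yields "unrelated-server" for MID 19670, which is the answer's conclusion. The script reproduces the answer's reasoning, not the appliance's: the sender-group decision visible in the log ("ACCEPT sender group UNKNOWNLIST match sbrs[...]") is made from the connecting IP, its reverse-DNS name and its SBRS score at connection time, so a domain name entered in the HAT blacklist is never compared against the envelope address fichiers@organisationdutravail.com at all. Blacklisting the IP stops this particular server; if the goal is to refuse the spoofed domain wherever it arrives from, the envelope sender has to be inspected after the HAT, for example with a message filter on mail-from, and this sort of MX/source mismatch is exactly the case SPF verification was designed to catch.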


You are right, shame on me for not having looked at the IPs before posting...

Thanks a lot!

No problem. Glad to help!