Sending MTA's poor reputation with no contact possibility from client side

Hello, I am running a normal MTA on 88.198.2.66.

A few months ago I had problems delivering email from this MTA to IronPort mail systems running on mxX.dhl.iphmx.com. After lots of struggling with the German zone-c management of the international domain behind deutschepost.de, it seemed to start working for a few months, but only until last week. Now the only contact given for deutschepost.de is MarkMonitor Inc, but they seem not responsive.

A snippet from the currently 19 open mail delivery requests from my customers since yesterday:

9B5492A2E5    11094 Wed Mar  9 14:11:57  ==local-client-hidden-due-to@privacy-protection-of-sensitive-information==
(host mx1.dhl.iphmx.com[68.232.130.32] refused to talk to me: 554-esa3.dhl.iphmx.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
                                         ==remote-client-hidden-due-to@privacy-protection-of-sensitive-information==

My last information was that the blockage appeared in the IronPort division due to bad hosts from my network, but I am not responsible for any other machine on 88.198.2.66/24, and it is possible to contact me as postmaster via alternate means (e.g. by the email contact given on this account).

Can someone tell me how to get whitelisted on http://www.senderbase.org?

It is really bad policy not to give ANY information about how to get the block removed, or how the postmaster on mx1.dhl.iphmx.com can be contacted. At least deutschepost.de on the German side is unable to act or give me any information about who to contact on the US side.

Guys, let me in, I am a small ISP but a good boy!

Sad greetings from Germany,

postmaster of 88.198.2.66


exMSW4319
Level 3

Marginally off-topic as I'm not on WSA: When asked about www.strangled.net, my web proxy says it's malware command & control.

PTR:88.198.2.66 cust.strangled.net TTL 24hrs as of time of posting. 

That's right, I used to use "static.88-198-2-66.clients.your-server.de" until the web.de/gmx.de/einsundeins.de MTA servers started blocking me due to "wrong dns name used" at the end of last year. They said the reverse resolution looks like a dynamic end user. In no way was I able to convince them that there is no RFC proposing blockage due to the content of name resolution :-/. Technically everything was and still is OK.

cust.strangled.net is similar to 88.198.2.66/24: in no way am I in control of strangled.net. I just registered cust.strangled.net, but in the end it's not cust.strangled.net which should count, it's still 88.198.2.66.

mx1.dhl.iphmx.com seems to see this similarly: MTAs started to block me a few days ago, and not at Christmas when I started using cust.strangled.net.

If it's about name resolution, I can change it if that is the reason (even if the indication doesn't seem to be this case), but I cannot find anybody who is able to answer this question and I don't want to poke around :-/

What is meant by WSA, and which web proxy do you use?

Mathew Huynh
Cisco Employee

Hello,


I am sorry to hear about the issues noted. The SenderBase sensory network may have received complaints from the network owner or the subnet block, from users reporting those emails as spam, thus being blocked as poor SBRS.

I would recommend (unless you have a Cisco TAC contract) reaching out to SenderBase support directly with a ticket:

http://www.senderbase.org/support/#problem=other

Then provide the IPs and investigation as to why it's blocked and how it can be improved on your side.

However, on looking into this IP block:

http://www.senderbase.org/lookup/?search_string=88.198.2.66

It looks like there are no forward DNS records set, and possibly a reverse; this would be the first step.

The other IPs within the block (if managed by you): I see two listed on a public blacklist as well.

Regards.

Matthew

Matthew, my original lookup was via MX Toolbox rather than SenderBase. I now read:

PTR:88.198.2.66 cust.z59.org TTL 24hrs as of time of posting

pir.org gives the registrar of z59.org as Key-Systems GmbH and the registrant as hidden behind a NZ proxy service. The domain is not new, but MX records point here and are supported by SPF.

Hello Mathew & exMSW4319,

Thank you for the reply, I have now submitted a ticket to http://www.senderbase.org/support/#problem=other.

IPs: 88.198.2.66

Investigation:
MTA 88.198.2.66 has been blocked since 08/03 (no reason given), then unblocked from 10/03 (probably due to my FQDN change, but unsure), and now blocked again since 21/03 (reason still unknown).

Reason given why it's blocked:
"host mx1.dhl.iphmx.com[68.232.129.11] refused to talk to me: 554-esa1.dhl.iphmx.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."

This reason is not really helpful, that's why I am here :-(

Poking around on my own:
http://multirbl.valli.org/lookup/88.198.2.66.html tells me something like "0-0=1|1=HETZNER ONLINE AG|2=7.3|3=7.3|4=16646|6=0|7=10|8=208073|9=16972|45=N|46=20|48=24|51=02|53=DE|54=11.5833|55=48.15", so I guess I am getting blocked due to malicious hosts from my network. I am sad about it, and I find that blocking should, in the case of hosting server companies (which Hetzner is), only be done on a per-host basis. I am not in control of other hosts in my network. It's other clients of Hetzner Online AG who run those root servers.

I tried to improve on my side by changing the FQDN to one which I fully control, so no malware can be run through it.

Probably you were looking during the days while I changed the FQDN. Now cust.z59.org resolves to 88.198.2.66, and also 88.198.2.66 to cust.z59.org.

None of the other IPs in the block are managed by me. I only manage 88.198.2.66.

Yes, I do not like to tell everyone everything about my company. It's about privacy, not about SPAM. Key-Systems GmbH is my domain name registrar.

Greetings,

the postmaster behind MTA at 88.198.2.66

Ok guys, support just replied. They say it's:

To this end, we are seeing reports of HELO strings which do not match the PTR / rDNS of the IP.

One of the HELO strings we are seeing is “static.88-198-2-66.clients.your-server.de”, which is not an exact match to the PTR of the IP 88.198.2.66 (cust.z59.org).

and

Also you are sending mail through generic ISP pool addresses (static.88-198-2-66.clients.your-server.de) which should not be hosting a mailserver. Mailservers sending mail through generic ISP pool addresses are indicative behaviors of systems which have been spambot compromised and are considered a high risk for spam and malware infection.

The first one I have now hopefully fixed by changing $myhostname = cust.z59.org in the MTA config.

The latter one I have now hopefully fixed by changing $myorigin = cust.z59.org in the MTA config.

Sadly this time I take the fault on my side... I did not change all entries of the hostname on the server...

And now my answer to them got stuck due to their blockage:

BC39E15BCB     4888 Tue Mar 22 19:58:40  postmaster@static.88-198-2-66.clients.your-server.de
(host vmx.sco.cisco.com[184.94.241.135] refused to talk to me: 554-vmx.sco.cisco.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)
                                         support@senderbase.org

Just because of cases like this, postmasters should usually use a different filtering system than the live system....

Hoping everything is back to normal tomorrow....
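A check for the three conditions SenderBase support names in the reply quoted above (the HELO must match the PTR, forward and reverse DNS must agree, and neither name should look like a generic ISP pool address), as an added example that is not from the thread, from Cisco or from SenderBase; the record table is constructed from the values quoted in this thread and stands in for live DNS lookups:

```python
import re

# Constructed stand-in for live DNS, built from the values quoted in the
# thread (assumption: it replaces socket.gethostbyaddr / gethostbyname_ex
# lookups so the check runs offline).
RECORDS = {
    "ptr": {"88.198.2.66": "cust.z59.org"},
    "a": {
        "cust.z59.org": ["88.198.2.66"],
        "static.88-198-2-66.clients.your-server.de": ["88.198.2.66"],
    },
}

def looks_like_generic_pool(hostname: str, ip: str) -> bool:
    """True if the name embeds the IP's octets (88-198-2-66, 88.198.2.66,
    reversed) or carries a dyn/dhcp/pool/ppp label: the shape reputation
    systems read as a generic ISP pool name rather than a mail host."""
    h = hostname.lower()
    octets = ip.split(".")
    embedded = {"-".join(octets), ".".join(octets), "".join(octets),
                "-".join(reversed(octets))}
    if any(e in h for e in embedded):
        return True
    tokens = re.split(r"[.\-]", h)
    return any(t.startswith(("dyn", "dhcp", "pool", "ppp")) for t in tokens)

def check_mta_identity(ip: str, helo: str, records=RECORDS) -> list:
    """Apply the three conditions from the support reply: HELO == PTR,
    forward-confirmed rDNS (PTR name resolves back to the IP and the HELO
    name resolves to the IP), and no generic-pool hostname on either name.
    Returns a list of findings; an empty list means the MTA identity is
    consistent."""
    helo = helo.lower()
    findings = []
    ptr = records["ptr"].get(ip)
    if ptr is None:
        return [f"no PTR record for {ip}"]
    if ip not in records["a"].get(ptr, []):
        findings.append(f"PTR {ptr} does not resolve back to {ip} (no FCrDNS)")
    if helo != ptr:
        findings.append(f"HELO {helo} does not match PTR {ptr}")
    if ip not in records["a"].get(helo, []):
        findings.append(f"HELO {helo} does not resolve to {ip}")
    for label, name in (("HELO", helo), ("PTR", ptr)):
        if looks_like_generic_pool(name, ip):
            findings.append(f"{label} {name} looks like a generic ISP pool name")
    return findings
```

Run it with the HELO the MTA actually sends (the old your-server.de name yields two findings, the corrected cust.z59.org yields none), which is the same mismatch the support ticket reported.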

Back again. I understand that it might be a problem that spammers are using parts of the main domain of a FQDN, and this is something I can control. So I changed it to cust.z59.org. 1-2 days later, without any notice or reason given, mx1.dhl.iphmx.com[68.232.129.11] started to accept email again. Great, I thought,

sometimes problems get resolved by themselves...

Now my MTA gets blocked again since around Mon Mar 21 18:59:57 (timezone UTC/GMT +1 hour).

Again no reason is given:

(host mx1.dhl.iphmx.com[68.232.142.236] refused to talk to me: 554-esa17.dhl.iphmx.com 554 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means.)

I managed to find out via http://multirbl.valli.org/lookup/88.198.2.66.html that SenderBase might block me due to problems in the network of HETZNER ONLINE:

88.198.2.66 SenderBase® (for SpamAssassin) sa.senderbase.org Listed
  Query:
66.2.198.88.sa.senderbase.org
  TXT:
  • 0-0=1|1=HETZNER ONLINE AG|2=7.3|3=7.3|4=16646|6=0|7=10|8=208073|9=16972|45=N|46=20|48=24|51=02|53=DE|54=11.5833|55=48.15

Guys, I hope this is not true, is it? I cannot control my neighbourhood ;-(

Please let me know the reason for the blockage, or how or whom I can contact to ask :-(