FQDN Added to Blacklist still not blocked...

Postby Guest » Sat Sep 12, 2009 2:23 am

Hello,

I'm adding FQDNs to the Blacklist and users are still receiving emails from those FQDNs...

For example, I've blocked organisationdutravail.com last week, but here is the message tracking from this week:

Results
Displaying 1 — 16 of 16 items.

1 08 Apr 2010 14:20 (GMT -04:00)  MID: 19670
  SENDER: fichiers@organisationdutravail.com
  RECIPIENT: ****REMOVED****
  SUBJECT: Connaitre les nouvelles procedures aux douanes
  LAST STATE: Message 19670 to ****REMOVED**** received remote SMTP response ...

2 08 Apr 2010 14:17 (GMT -04:00)  MID: 19666
  SENDER: fichiers@organisationdutravail.com
  RECIPIENT: ****REMOVED****
  SUBJECT: Connaitre les nouvelles procedures aux douanes
  LAST STATE: Message 19666 to ****REMOVED**** received remote SMTP response ok:...

3 08 Apr 2010 14:17 (GMT -04:00)  MID: 19665
  SENDER: fichiers@organisationdutravail.com
  RECIPIENT: ****REMOVED****
  SUBJECT: Connaitre les nouvelles procedures aux douanes
  LAST STATE: Message 19665 to ****REMOVED**** received remote SMTP response ...

4 08 Apr 2010 14:17 (GMT -04:00)  MID: 19664
  SENDER: fichiers@organisationdutravail.com
  RECIPIENT: ****REMOVED****
  SUBJECT: Connaitre les nouvelles procedures aux douanes
  LAST STATE: Message 19664 to ****REMOVED**** received remote SMTP response 2.6....


And here is the full tracking of one of those emails:

08 Apr 2010 14:20:20 (GMT -04:00)  Protocol SMTP interface IncomingIP (IP ****REMOVED****) on incoming connection (ICID 175563) from sender IP 205.237.40.104. Reverse DNS host 40-104.cgocable.ca verified no. 
08 Apr 2010 14:20:20 (GMT -04:00)  (ICID 175563) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:10.0] SBRS -0.8 
08 Apr 2010 14:20:20 (GMT -04:00)  Start message 19670 on incoming connection (ICID 175563). 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 enqueued on incoming connection (ICID 175563) from fichiers@organisationdutravail.com
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 on incoming connection (ICID 175563) added recipient (****REMOVED****). 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 contains message ID header <6bdb6f64469b3af0006fc7b02bd2ec07@organisationdutravail.com>
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 original subject on injection: Connaitre les nouvelles procedures aux douanes 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 (18352 bytes) from fichiers@organisationdutravail.com ready. 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 matched per-recipient policy DEFAULT for inbound mail policies. 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 encountered CASE down (1/10). Retry scanning in 12 seconds. 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Spam engine: CASE. Interim verdict: Negative 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Spam engine: CASE. Final verdict: Negative 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Virus engine. Final verdict: Negative 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 queued for delivery. 
08 Apr 2010 14:20:38 (GMT -04:00)  SMTP delivery connection (DCID 10816) opened from IronPort interface ****REMOVED**** to IP address ****REMOVED**** on port 25. 
08 Apr 2010 14:20:38 (GMT -04:00)  (DCID 10816) Delivery started for message 19670 to ****REMOVED****. 
08 Apr 2010 14:20:38 (GMT -04:00)  (DCID 10816) Delivery details: Message 19670 sent to ****REMOVED****
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 to ****REMOVED**** received remote SMTP response 2.6.0 <6bdb6f64469b3af0006fc7b02bd2ec07@organisationdutravail.com> Queued mail for delivery.


We can see that the address is considered as an UNKNOWN sender and not a BLACKLIST... What's up with that?

Thanks for your help!

Guest

Re:FQDN Added to Blacklist still not blocked...

Postby Guest » Sat Sep 12, 2009 2:58 am

Looks like you're receiving communication from a different server:

organisationdutravail.com's MX records point to:


organisationdutravail.com. 900  IN      MX      10 q1.netfirms.com.
organisationdutravail.com. 900  IN      MX      10 q0.netfirms.com.

whose IPs point to:

q1.netfirms.com.        1551    IN      A       70.35.17.139
q1.netfirms.com.        1551    IN      A       70.35.17.171
q1.netfirms.com.        1551    IN      A       70.35.17.203
q1.netfirms.com.        1551    IN      A       70.35.17.235
q1.netfirms.com.        1551    IN      A       70.35.17.11
q1.netfirms.com.        1551    IN      A       70.35.17.43
q1.netfirms.com.        1551    IN      A       70.35.17.75
q1.netfirms.com.        1551    IN      A       70.35.17.107


However, you're receiving communication from 205.237.40.104, which doesn't match any of the above.
I suspect someone is spoofing organisationdutravail.com's domain. I would suggest blacklisting by IP address instead of FQDN.
Guest
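The mechanism behind the reply above, as an added example that is not part of the thread: on the IronPort ESA the HAT sender groups (BLACKLIST, UNKNOWNLIST, ...) are evaluated against the connecting host, i.e. its IP and its verified reverse-DNS name, which is why the log shows the "ACCEPT sender group UNKNOWNLIST" decision right after the "from sender IP ... Reverse DNS host ... verified no" line and before the envelope sender is even seen. A hostname entry therefore only matches when the connecting host's PTR verifies to that name; the MAIL FROM domain is never consulted. The script below is a simplified model of that evaluation (not AsyncOS code); the ".example.com" partial-hostname syntax and the placement of an envelope-domain check in a message filter are assumptions, and the log excerpt is constructed from the thread's tracking output with the redacted interface IP replaced by a documentation address.

```python
"""Model of why a hostname entry in an IronPort HAT sender group does not stop mail
whose *envelope sender* merely uses that domain.  Simplified model, not AsyncOS code."""
import ipaddress
import re

# Constructed from the tracking output in the thread; the interface IP was redacted
# in the original post and is replaced with a documentation address here.
TRACKING_LOG = """\
08 Apr 2010 14:20:20 (GMT -04:00)  Protocol SMTP interface IncomingIP (IP 192.0.2.10) on incoming connection (ICID 175563) from sender IP 205.237.40.104. Reverse DNS host 40-104.cgocable.ca verified no.
08 Apr 2010 14:20:20 (GMT -04:00)  (ICID 175563) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:10.0] SBRS -0.8
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 enqueued on incoming connection (ICID 175563) from fichiers@organisationdutravail.com
"""

CONN_RE = re.compile(
    r"from sender IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\. "
    r"Reverse DNS host (?P<rdns>\S+) verified (?P<verified>yes|no)"
)
SENDER_RE = re.compile(
    r"enqueued on incoming connection \(ICID \d+\) from (?P<sender>\S+@\S+)"
)


def parse_connection(log):
    """Pull the facts the HAT actually sees (connecting IP, reverse DNS, whether it
    verified) plus the envelope sender, which the HAT does *not* see."""
    conn = CONN_RE.search(log)
    sender = SENDER_RE.search(log)
    if not conn or not sender:
        raise ValueError("log excerpt is missing the connection or sender line")
    return {
        "ip": conn.group("ip"),
        "rdns": conn.group("rdns").rstrip(".").lower(),
        "rdns_verified": conn.group("verified") == "yes",
        "envelope_sender": sender.group("sender"),
    }


def hat_entry_matches(entry, ip, rdns, rdns_verified):
    """Simplified evaluation of one HAT sender-group entry.

    - An IP address or CIDR entry is compared with the connecting IP.
    - A hostname entry ("host.example.com", or ".example.com" for the whole domain;
      assumed syntax) is compared with the connecting host's reverse-DNS name, and
      only when that reverse DNS verified (PTR confirmed by a forward lookup).
    - The envelope sender is never consulted.
    """
    entry = entry.strip().lower()
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        pass  # not an IP/CIDR entry, fall through to hostname matching
    else:
        return ipaddress.ip_address(ip) in net
    if not rdns_verified:
        return False
    if entry.startswith("."):
        return rdns.endswith(entry)
    return rdns == entry


def first_matching_entry(blacklist, facts):
    """Return the first BLACKLIST entry the connection would hit, or None."""
    for entry in blacklist:
        if hat_entry_matches(entry, facts["ip"], facts["rdns"], facts["rdns_verified"]):
            return entry
    return None


def envelope_domain_blocked(envelope_sender, blocked_domains):
    """What the poster actually wanted: a match on the MAIL FROM domain.  On the ESA
    that belongs in a message/content filter condition, not in the HAT (assumption
    about configuration placement; the comparison here is exact and case-insensitive)."""
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    return domain in {d.lower() for d in blocked_domains}


if __name__ == "__main__":
    facts = parse_connection(TRACKING_LOG)
    print(facts)
    print("FQDN entry hit:", first_matching_entry(["organisationdutravail.com"], facts))
    print("IP entry hit:", first_matching_entry(["organisationdutravail.com", "205.237.40.104"], facts))
    print("envelope-domain filter:", envelope_domain_blocked(facts["envelope_sender"], ["organisationdutravail.com"]))
```

Run against the thread's own log lines, the FQDN entry returns no hit (the connecting host is 40-104.cgocable.ca and its reverse DNS did not even verify), the IP entry hits immediately, and only the envelope-domain check catches the spoofed MAIL FROM. Note the trade-off the reply glosses over: blocking the IP stops this one relay, while an envelope-domain filter also blocks any legitimate mail that domain might send.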

Re:FQDN Added to Blacklist still not blocked...

Postby Guest » Sat Sep 12, 2009 3:00 am

You are right, shame on me for not having looked at the IPs before posting...


Thanks a lot!

Guest

Re:FQDN Added to Blacklist still not blocked...

Postby Guest » Sat Sep 12, 2009 3:48 am

No problem. Glad to help!

Guest