...making Linux just a little more fun!

ISP blues (was: iptables configuration in debain)

Rick Moen [rick at linuxmafia.com]


Thu, 9 Oct 2008 15:39:12 -0700

Hi, J.Bakshi. This note is to advise you that your choice of ISP is causing your mail to be interpreted upon receipt as suspect, when automatically parsed by spam-detection software. My SMTP software keeps kicking your mail addressed to this mailing list into an administrative queue, to verify that it's not spam. Even though I've whitelisted _you personally_, your ISP's IP address keeps failing several tests used within SpamAssassin. Those are:

RCVD_IN_SORBS: This is fairly serious. Your ISP's SMTP server IP address (63.223.93.2) is in the SORBS (Spam and Open-Relay Blocking System) antispam blocklist, which means it's been extensively used for spamming activity (not by you).

RCVD_IN_SORBS_WEB: This is also fairly serious. That same IP is also in a separate SORBS blocklist of sites that are known to have exploitable vulnerability (e.g., FormMail scripts) that are widely abused by spammers to send mass-mail spam.

FORGED_RCVD_HELO: This refers to the fact that your ISP sends out a mistaken/malformed greeting string during its SMTP delivery attempts. In this case, IP address 63.223.93.2 (firewall.wahju.com) is sending a greeting string claiming it's "icsmail.net". Doing so violates mailing list technical standards and makes your ISP's SMTP host look like a spammer haven.

RCVD_IN_XBL: This is really serious. This means your ISP's SMTP server IP address is also in the Spamhaus XBL blocklist, described as "wholly incorporat[ing] data from two highly-trusted DNSBL sources, with tweaks by Spamhaus to maximise the data efficiency and lower False Positives. The main components are the CBL (Composite Block List) from cbl.abuseat.org, and the NJABL Open Proxy IPs list from www.njabl.org". Essentially, this means your ISP's mail server has been verified to be repeatedly used by spammers to a high degree of certainty.

I cannot really advise you, except to say that, unless/until some of the above facts about your ISP -- not your fault and not under your personal control -- change radically, you are likely to have significant problems with software classifying your mail as probable spam. Some users in similar situations have found it best to change providers.
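
As an added illustration (not part of the original thread, and not SpamAssassin's own code), this Python example shows how a receiving host could derive the four signals named above from a Received header: it builds the DNSBL query names and compares the HELO string with the relay's reverse DNS. The header timestamp, the zone names and the two-label HELO comparison are assumptions made for the example.

```python
import ipaddress
import re
import socket

# Constructed Received header using the host names and IP quoted in the message.
SAMPLE_RECEIVED = (
    "Received: from icsmail.net (firewall.wahju.com [63.223.93.2])\n"
    "\tby lists.linuxgazette.net with esmtp; Thu, 9 Oct 2008 10:00:00 -0700"
)

# Assumption: public zone names behind each test; not stated in the thread.
ZONES = {
    "RCVD_IN_SORBS": "dnsbl.sorbs.net",
    "RCVD_IN_SORBS_WEB": "web.dnsbl.sorbs.net",
    "RCVD_IN_XBL": "xbl.spamhaus.org",
}

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9.]+)\]\)")

def parse_received(header):
    """Return (helo, rdns, ip) from a 'from HELO (rdns [ip])' Received line."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("unrecognised Received format")
    helo, rdns, ip = m.groups()
    ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return helo.lower(), rdns.lower(), ip

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the octets and append the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def helo_mismatch(helo, rdns):
    """Simplified check: last two DNS labels of HELO and rDNS differ."""
    return helo.rstrip(".").split(".")[-2:] != rdns.rstrip(".").split(".")[-2:]

def evaluate(header, resolve=socket.gethostbyname):
    """Return the sorted names of the tests this relay would trip."""
    helo, rdns, ip = parse_received(header)
    hits = ["FORGED_RCVD_HELO"] if helo_mismatch(helo, rdns) else []
    for test, zone in ZONES.items():
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except OSError:  # NXDOMAIN: address is not on this list
            continue
        if answer.startswith("127."):  # listed entries answer in 127.0.0.0/8
            hits.append(test)
    return sorted(hits)
```

Passing a stub as `resolve` keeps the check offline; the two-label comparison misjudges names under multi-part suffixes such as `.co.uk`.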




J.Bakshi [j.bakshi at icmail.net]


Fri, 10 Oct 2008 22:21:16 +0530

On Friday 10 Oct 2008 4:09:12 am Rick Moen wrote:

> Hi, J.Bakshi.  This note is to advise you that your choice of ISP is
> causing your mail to be interpreted upon receipt as suspect, when
> automatically parsed by spam-detection software.  My SMTP software
> keeps kicking your mail addressed to this mailing list into an
> administrative queue, to verify that it's not spam.  Even though
> I've whitelisted _you personally_, your ISP's IP address keeps failing
> several tests used within SpamAssassin.  Those are:
>
>
> RCVD_IN_SORBS:  This is fairly serious.  Your ISP's SMTP server IP
> address (63.223.93.2) is in the SORBS (Spam and Open-Relay Blocking
> System) antispam blocklist, which means it's been extensively used for
> spamming activity (not by you).
>
> RCVD_IN_SORBS_WEB:  This is also fairly serious.  That same IP is also
> in a separate SORBS blocklist of sites that are known to have
> exploitable vulnerability (e.g., FormMail scripts) that are widely
> abused by spammers to send mass-mail spam.
>
> FORGED_RCVD_HELO:  This refers to the fact that your ISP sends out a
> mistaken/malformed greeting string during its SMTP delivery attempts.
> In this case, IP address 63.223.93.2 (firewall.wahju.com) is sending a
> greeting string claiming it's "icsmail.net".  Doing so violates mailing
> list technical standards and makes your ISP's SMTP host look like a
> spammer haven.
>
> RCVD_IN_XBL:  This is really serious.  This means your ISP's SMTP
> server IP address is also in the Spamhaus XBL blocklist, described as
> "wholly incorporat[ing] data from two highly-trusted DNSBL sources, with
> tweaks by Spamhaus to maximise the data efficiency and lower False
> Positives. The main components are the CBL (Composite Block List) from
> cbl.abuseat.org, and the NJABL Open Proxy IPs list from www.njabl.org".
> Essentially, this means your ISP's mail server has been verified to be
> repeatedly used by spammers to a high degree of certainty.
>
>
> I cannot really advise you, except to say that, unless/until some of the
> above facts about your ISP -- not your fault and not under your personal
> control -- change radically, you are likely to have significant problems
> with software classifying your mail as probable spam.  Some users in
> similar situations have found it best to change providers.

Hello Rick Moen,

Thanks a lot for making me familiar with this problem. And also thanks for your effort to add my id to the whitelist. I am afraid to say that there is no good internet connection available right now in our locality except this one. The provider actually takes a connection from the 24online ISP company and after that he distributes the connection in our area. Some other connections are also available, but again they are not as good as this 24online; moreover, those connections have limited traffic. So right now I am really helpless.




Rick Moen [rick at linuxmafia.com]


Sat, 11 Oct 2008 03:25:30 -0700

Quoting J.Bakshi (j.bakshi@icmail.net):

> I am afraid to say that there is no good internet connection available
> right now in our locality except this one. 

Let me be really clear about this: At the moment, approving your TAG mail requires ongoing manual work for me. The longer that goes on, the less likely I am going to be to find time to do it, and I suspect the end is imminent: Your mails will pretty soon end up being silently discarded. I will not be giving you further advisories on the matter: With this mail, I will be considering you to have been put on notice of the problem, and will not be dealing with the matter further.

Many people in your situation elect to use webmail (GMail, Yahoo Mail, etc.). You should probably consider the prior sentence a strong hint.

Your course of action is entirely up to you, but basically you'll be the person who'll need to pay the price of inaction; i.e., you're going to find your mail (often) just getting discarded or (if you're lucky) rejected -- not just at the lists.linuxgazette.net machine, but there among other places.




Deividson Okopnik [deivid.okop at gmail.com]


Sun, 12 Oct 2008 11:26:52 -0300

2008/10/11 Rick Moen <rick@linuxmafia.com>:

>
> Many people in your situation elect to use webmail (GMail, Yahoo Mail,
> etc.).  You should probably consider the prior sentence a strong hint.
>

Plus both GMail and Yahoo mail are so good, and you will be able to keep 'em even if you switch ISPs - I always used them for that reason - I switch ISPs quite constantly, but I never lose my email :)




Jim Jackson [jj at franjam.org.uk]


Tue, 14 Oct 2008 21:01:49 +0100 (BST)

On Sun, 12 Oct 2008, Deividson Okopnik wrote:

> Plus both GMail and Yahoo mail are so good, and you will be able to
> keep 'em even if you switch ISPs - I always used them for that reason -
> I switch ISPs quite constantly, but I never lose my email :)

There are other ways of doing that. Register your own domain and use a mail forwarding service (many companies offering name registration provide email and web redirection for "free"). Change ISP, change where your mail gets forwarded to.




Rick Moen [rick at linuxmafia.com]


Tue, 14 Oct 2008 13:31:03 -0700

Quoting Jim Jackson (jj@franjam.org.uk):

> On Sun, 12 Oct 2008, Deividson Okopnik wrote:
> 
> > Plus both GMail and Yahoo mail are so good, and you will be able to
> > keep 'em even if you switch ISPs - I always used them for that reason -
> > I switch ISPs quite constantly, but I never lose my email :)
>
> There are other ways of doing that. Register your own domain and use a mail
> forwarding service (many companies offering name registration provide
> email and web redirection for "free"). Change ISP, change where your mail
> gets forwarded to.

FWIW, shortly after I wrote my most recent mail in this thread, I remembered how to unconditionally whitelist J. Bakshi's currently subscribed address in my MTA. (He'd been "autowhitelisted" by SpamAssassin's Bayesian classifier, but that only ameliorated his mail's severely spammy overall SA score on account of the SORBS listing and other things.)

So, J.Bakshi's mail should, for now, come through to TAG without problems. If it doesn't, then I expect I'll have limited time for diagnosis, as my sympathy for those who use spammer-associated ISPs is minimal.

