can't figure out why this is rejected


cummings


thank you for all of the responses to my post.  i apologize for my lack of information.  let me tell the whole story.

i run a mail server in the building (mail.cummingsprinting.com = 208.32.228.22) using mail server software entitled 602 LAN Suite http://www.software602.com/products/ls/.

i have the option to check messages against different spam filters, spamcop being one of them.

31064[/snapback]

If your vendor offers the option to create "whitelists" which are exempt from DNSBL checks, you may wish to take advantage of this feature and whitelist the server addresses of all your major companies.

There are many reasons why a DNSBL might choose to blacklist a server, not always because the address being targeted has anything to do with "spam" in the traditional sense.


"This is the qmail-send program at queue1.tribune.com" .. and it's apparently rejecting e-mail from the e-mail server that you say you run ...????  (Which again is currently showing "208.32.228.22 not listed in bl.spamcop.net")

31071[/snapback]

That message is what the OP's internal contact at courant.com is receiving when a message sent to cummings is rejected by the cummings mail server -- the Tribune server can't deliver it, so it returns a failure notice to the internal originator.

The machine "queue1.tribune.com" primarily services outbound email from internal Tribune users (including courant.com) towards Internet destinations.

The published MX servers for tribune.com and courant.com are the SMTP[1-4] hosts shown earlier; these are the path for inbound email from the Internet.

It is common for large orgs to separate their servers in this manner. This also explains the unusual received headers visible -- qmail isn't designed to actively munge received headers, so the RFC1918 addresses are not obfuscated. Within Tribune, three disjoint teams based in three different cities run the inbound servers, the outbound servers, and the "courant.com" local delivery server(s).


Even using white lists, I still get the occasional message that gets filtered into HeldMail due to the SpamCop BL

The following is a quote from the SpamCop.net FAQ, "SpamCop Blocking List":

31117[/snapback]

...Still, were I an e-mail admin and/or the business owner paying for the e-mail system, I would seriously consider using the SCBL to block, rather than filter, especially if false positives were rare. I understand the hesitation to block e-mail that may interrupt business but I am also aware that spam is very expensive to handle; I'd rather have my customer's e-mail provider handle it.

The external IP Address for queue1.tribune.com is 163.192.21.6, but it's not listed.  However, the external IP Address for mail-la1.tribune.com [198.187.230.11] was listed yesterday, probably due to having sent email to spam Traps three days ago.

31076[/snapback]

hmm.. i just did a check at bl.shtml and got this:

198.187.230.11 not listed in bl.spamcop.net

That message is what the OP's internal contact at courant.com is receiving when a message sent to cummings is rejected by the cummings mail server -- the Tribune server can't deliver it, so it returns a failure notice to the internal originator.

The machine "queue1.tribune.com" primarily services outbound email from internal Tribune users (including courant.com) towards Internet destinations.

The published MX servers for tribune.com and courant.com are the SMTP[1-4] hosts shown earlier; these are the path for inbound email from the Internet.

It is common for large orgs to separate their servers in this manner. This also explains the unusual received headers visible -- qmail isn't designed to actively munge received headers, so the RFC1918 addresses are not obfuscated. Within Tribune, three disjoint teams based in three different cities run the inbound servers, the outbound servers, and the "courant.com" local delivery server(s).

31122[/snapback]

i think KKadow has it right. i am not super-savvy when it comes to a lot of the posts on here and am doing my best to understand them. however, when reading this post, i feel KKadow understands what happened. the line "That message is what the OP's internal contact at courant.com is receiving when a message sent (to) cummings is rejected by the cummings mail server -- the Tribune server can't deliver it, so it returns a failure notice to the internal originator" is completely accurate. 208.32.228.22 is my server (which rejected the email from courant.com, which is supposedly on the blacklist at spamcop).

i still don't know why the email from courant.com was rejected by my mail server while i had spamcop checked off in the anti-spam settings of my email server software because i can't find anything in bl.shtml here that indicates they are blacklisted. anyone able to figure out why the email was rejected? thank you for your help so far.


Actually, by not displaying the "official name", all four of Tribune's inbound mail servers are in violation of Section 4.3 of Internet Standard 10 and RFC821 "Simple Mail Transfer Protocol"

4.3.  SEQUENCING OF COMMANDS AND REPLIES

      One important reply is the connection greeting.  Normally, a
      receiver will send a 220 "Service ready" reply when the connection
      is completed.  The sender should wait for this greeting message
      before sending any commands.

      Note: all the greeting type replies have the official name of
      the server host as the first word following the reply code.

            For example,

            220 <SP> USC-ISIF.ARPA <SP> Service ready <CRLF>

and Section 4.3.1 of RFC2821 "Simple Mail Transfer Protocol"
4.3 Sequencing of Commands and Replies

4.3.1 Sequencing Overview

   The communication between the sender and receiver is an alternating
   dialogue, controlled by the sender.  As such, the sender issues a
   command and the receiver responds with a reply.  Unless other
   arrangements are negotiated through service extensions, the sender
   MUST wait for this response before sending further commands.

   One important reply is the connection greeting.  Normally, a receiver
   will send a 220 "Service ready" reply when the connection is
   completed.  The sender SHOULD wait for this greeting message before
   sending any commands.

   Note: all the greeting-type replies have the official name (the
   fully-qualified primary domain name) of the server host as the first
   word following the reply code.  Sometimes the host will have no
   meaningful name.  See 4.1.3 for a discussion of alternatives in these
   situations.

   ...

   For example,

      220 ISIF.USC.EDU Service ready

   or

      220 mail.foo.com SuperSMTP v 6.1.2 Service ready

   or

      220 [10.0.0.1] Clueless host service ready

This situation is described by DNS Report - tribune.com as follows:
Mail server host name in greeting

WARNING: One or more of your mailservers is claiming to be a host other than what it really is (the SMTP greeting should be a 3-digit code, followed by a space or a dash, then the host name). This probably won't cause any harm, but is a technical violation of RFC821 4.3 (and RFC2821 4.3.1). Note that the hostname given in the SMTP greeting should have an A record pointing back to the same server.

smtp3.tribune.com claims to be non-existent host smtp3.tt.xnet.trb:

220 smtp3.tt.xnet.trb ESMTP Sendmail 8.12.10/8.12.7; Tue, 2 Aug 2005 11:17:54 -0500 (CDT)

smtp1.tribune.com claims to be non-existent host smtp1.tt.xnet.trb:

220 smtp1.tt.xnet.trb ESMTP Sendmail 8.12.10/8.12.7; Tue, 2 Aug 2005 11:16:08 -0500 (CDT)

smtp4.tribune.com claims to be invalid hostname '************************************2**0****2*********2*****200************0*00':

220 ************************************2**0****2*********2*****200************0*00 *****

smtp2.tribune.com claims to be invalid hostname '****2*******************************2**0****2*********2*****200******2*****0*00':

220 ****2*******************************2**0****2*********2*****200******2*****0*00 *****

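Added example (editor's illustration; not code from DNS Report, 602 LAN Suite, or any poster in this thread): a small Python checker for the greeting rule quoted above. It splits a 220 banner into reply code, host word and text, accepts an address literal as RFC 2821 4.1.3 allows, rejects anything that is not hostname syntax at all (the asterisk banners from smtp2/smtp4), and then applies the DNS Report check that the greeting name should have an A record pointing back at the server you connected to. The A-record lookup is an injected function so the block runs offline; `fake_resolve_a` and its table are constructed for the demonstration (mail.example.com is hypothetical, and smtp3.tt.xnet.trb is deliberately absent because .trb is not a public TLD).

```python
"""Check an SMTP 220 greeting against RFC 2821 section 4.3.1 / 4.1.3.

Editor's illustration; not code from DNS Report or any poster in the thread.
The A-record lookup is injected (resolve_a) so the block runs offline.
"""
import ipaddress
import re
from typing import Callable, Optional, Tuple

# One DNS label: alphanumeric, inner hyphens allowed, 1-63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# A fully-qualified name needs at least two labels; a trailing dot is tolerated.
_FQDN_RE = re.compile(r"^(?:%s\.)+%s\.?$" % (_LABEL, _LABEL))
# "220 host text", or "220-host text" for the first line of a multi-line greeting.
_GREETING_RE = re.compile(r"^(\d{3})([ -])(\S+)(?:[ \t]+(.*))?$")

Resolver = Callable[[str], Optional[str]]  # hostname -> IPv4 text, or None for NXDOMAIN


def parse_greeting(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (code, first_word, rest) for a greeting line, or None if it is not a 220."""
    m = _GREETING_RE.match(line.rstrip("\r\n"))
    if m is None or m.group(1) != "220":
        return None
    return m.group(1), m.group(3), m.group(4) or ""


def _is_address_literal(word: str) -> bool:
    """RFC 2821 4.1.3 form "[10.0.0.1]"; IPv6 literals ("[IPv6:...]") are not handled here."""
    if not (word.startswith("[") and word.endswith("]")):
        return False
    try:
        ipaddress.IPv4Address(word[1:-1])
        return True
    except ValueError:
        return False


def classify_greeting(line: str, resolve_a: Resolver, connected_ip: str) -> str:
    """Classify the host word of a 220 banner.

    'fqdn-ok'        hostname syntax, and its A record is the server we connected to
    'fqdn-mismatch'  resolves, but to a different address (the DNS Report warning)
    'fqdn-nxdomain'  hostname syntax but no A record (e.g. a private TLD such as .trb)
    'literal'        bracketed address literal, allowed when the host has no name
    'invalid'        not a hostname at all (the asterisk banners)
    'not-220'        not a greeting line
    """
    parsed = parse_greeting(line)
    if parsed is None:
        return "not-220"
    _, host, _ = parsed
    if _is_address_literal(host):
        return "literal"
    if not _FQDN_RE.match(host):
        return "invalid"
    answer = resolve_a(host.rstrip("."))
    if answer is None:
        return "fqdn-nxdomain"
    return "fqdn-ok" if answer == connected_ip else "fqdn-mismatch"


# Constructed lookup table for the offline demonstration (hypothetical, not live DNS).
_CONSTRUCTED_A_RECORDS = {
    "mail.example.com": "192.0.2.25",
    "smtp3.tribune.com": "163.192.2.14",
    # "smtp3.tt.xnet.trb" is deliberately absent: .trb is not a public TLD
}


def fake_resolve_a(hostname: str) -> Optional[str]:
    return _CONSTRUCTED_A_RECORDS.get(hostname.lower())


if __name__ == "__main__":
    samples = [  # (address we connected to, banner it sent); banners constructed from the thread
        ("163.192.2.14", "220 smtp3.tt.xnet.trb ESMTP Sendmail 8.12.10/8.12.7; Tue, 2 Aug 2005 11:17:54 -0500 (CDT)"),
        ("163.192.2.12", "220 ****2*****2**0****2*****200******2*****0*00 *****"),
        ("192.0.2.25", "220 mail.example.com ESMTP ready"),
        ("192.0.2.26", "220 mail.example.com ESMTP ready"),
        ("192.0.2.30", "220 [192.0.2.30] Clueless host service ready"),
    ]
    for ip, banner in samples:
        print("%-15s %-14s %s" % (ip, classify_greeting(banner, fake_resolve_a, ip), banner[:50]))
```

Run against a live server, `resolve_a` would wrap a real A lookup and `connected_ip` would be the address your client actually dialed; the classification then reproduces the four DNS Report findings above (two names that resolve nowhere, two that are not names at all).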

i still don't know why the email from courant.com was rejected by my mail server while i had spamcop checked off in the anti-spam settings of my email server software because i can't find anything in bl.shtml here that indicates they are blacklisted.  anyone able to figure out why the email was rejected?  thank you for your help so far.

31138[/snapback]

Addresses in tribune.com used to send email

Showing 1 - 5 out of 5

address          hostname                       DNSVerified  DailyMagnitude  MonthlyMagnitude
163.192.21.6     queue1.tribune.com             Y            4.5             5.0
198.187.230.11   mail-la1.tribune.com           Y            4.1             4.6
163.192.2.12     smtp1.tribune.com              Y            3.2             3.6
163.192.2.14     smtp3.tribune.com              Y            3.0             3.6
163.192.4.179    ciswap.chicago.tribune.com     Y            2.4             2.7

As seen here, senderbase has seen SMTP traffic coming from the following 5 servers in the tribune.com network. The rejection your system gave does not indicate which host actually attempted to connect to your system. The IPs 198.187.230.11 and 163.192.2.12 both appear to have had recent reports of some kind. Tribune would need to contact the deputies<at>spamcop.net to find out the history of being on the BL. At least one report about 163.192.2.12 was sent to postmaster<at>tribune.com on 12-jun-2005:17:11:38.

Have you re-enabled the SCBL and retested? Have you contacted 602 about modifying the reject message to indicate the connecting IP address?


...Still, were I an e-mail admin and/or the business owner paying for the e-mail system, I would seriously consider using the SCBL to block, rather than filter, especially if false positives were rare.  I understand the hesitation to block e-mail that may interrupt business but I am also aware that spam is very expensive to handle; I'd rather have my customer's e-mail provider handle it.

31135[/snapback]

Without using white lists (not an option available to a mail server admin) false positives will not be a rare event. They may be sporadic. But when mail servers from Earthlink, Yahoo and other large ISP's get on the SpamCop BL (and they do) there will be plenty of false positives if you are accepting mail from the public in general.

I would refuse to use any ISP that does outright blocking.

I'd rather have my customer's e-mail provider handle it.
That translates to I will refuse to accept any mail from any customer who is stupid enough to use an ISP who gets listed on the SpamCop BL (at least during the time period that the ISP is listed). Not a practical option from my point of view.

...Still, were I an e-mail admin and/or the business owner paying for the e-mail system, I would seriously consider using the SCBL to block, rather than filter, especially if false positives were rare. <snip>
Without using white lists (not an option available to a mail server admin) false positives will not be a rare event. They may be sporadic. But when mail servers from Earthlink, Yahoo and other large ISP's get on the SpamCop BL (and they do) there will be plenty of false positives if you are accepting mail from the public in general.

31148[/snapback]

...Rejecting (or tagging) mail from Earthlink, Yahoo and other large ISPs that get on the SpamCop BL is not, in my view, a false positive. They really are spam sources. See below.
I'd rather have my customer's e-mail provider handle it.

31148[/snapback]

I would refuse to use any ISP that does outright blocking. That translates to I will refuse to accept any mail from any customer who is stupid enough to use an ISP who gets listed on the SpamCop BL (at least during the time period that the ISP is listed).  Not a practical option from my point of view.

31148[/snapback]

...That is your right, and in the everyday e-mail world, reasonable. In the world of business-to-business, however, especially where customers are almost all sizable enterprises, customers who haven't done their homework and wind up with an ISP or e-mail provider that's listed deserve to have their e-mails rejected. And since the customer will be alerted that the e-mail did not go through because their e-mail provider's outbound server is listed on the SCBL (upon which notice they can press their provider to get the situation corrected), no long-term harm is done.

Rejecting (or tagging) mail from Earthlink, Yahoo and other large ISPs that get on the SpamCop BL is not, in my view, a false positive.  They really are spam sources.
Sources of spam - yes; but the vast majority of the mail they process is not spam.
In the world of business-to-business, however, especially where customers are almost all sizable enterprises, customers who haven't done their homework and wind up with an ISP or e-mail provider that's listed deserve to have their e-mails rejected
I would agree with that, but how many companies are 100% business to business and do not also have a very important public portion that they also contact via email where it is far less controllable.

Sources of spam - yes; but the vast majority of the mail they process is not spam.

31155[/snapback]

As is the case with most legitimate servers. Zombied machines being just the opposite (large amounts of spam vs. few legitimate messages).


IMHO, the whole point of maintaining a whitelist is to determine the source hostnames and email addresses of your customers, your vendors, and your other critical correspondents, and ensure that no matter what happens with any of the blacklists you might choose to make use of, email offered by hosts on your whitelist will always be accepted and delivered.

If your whitelist is not effective at overriding your blacklists, why have a whitelist?

Without using white lists (not an option available to a mail server admin)

Why are whitelists not an option?

Or are you saying "not using whitelists is not an option"?

false positives will not be a rare event.  They may be sporadic.  But when mail servers from Earthlink, Yahoo and other large ISP's get on the SpamCop BL (and they do) there will be plenty of false positives if you are accepting mail from the public in general.

I would refuse to use any ISP that does outright blocking. That translates to I will refuse to accept any mail from any customer who is stupid enough to use an ISP who gets listed on the SpamCop BL (at least during the time period that the ISP is listed).  Not a practical option from my point of view.

31148[/snapback]

In this case, Cummings runs a mail server, Tribune runs many mail servers. Cummings trusts SpamCop and (contrary to the recommendations on the SpamCop site, but like many other server admins) Cummings blocks email based on lookups against bl.spamcop.net. So when SpamCop decides to add Tribune's mail servers to the BL (due to Tribune generating bounces for spoofed email showing spamtrap source addresses), suddenly cummings is unable to receive email from Tribune. Based on this negative experience, Cummings decides to no longer trust SpamCop to block email.

If Cummings had configured an overriding whitelist which would always accept email from *.tribune.com regardless of what might appear in the bl.spamcop.net domain, this problem would never have been an issue for Cummings.


The reason I said that using white lists is not an option for mail server admins is the simple fact that for a white list to be effective it must represent the wishes of the end user. A mail server admin has many end users who may have different desires. One may consider a specific email spam while another was waiting eagerly for it. In cummings' case he could white list upstream mail servers like tribune, but that is a very limited use of a white list but would be effective in this case.

If cummings were to build a complete white list of customers and vendors, he in effect has become the end user who has delegated others to handle specific messages and in a true sense is no longer a mail server admin but the company itself (which he represents) is the actual end user. Yes he does perform the mechanical functions of an admin (to make the hardware and software work) but in reality he (and the company he represents) is the single end user who is simply filtering mail into separate folders for individual employees to handle on his behalf.


Another way of saying what dbiel is saying (if I understand it correctly) is that a mail admin cannot use blocklists/whitelists without express permission of the end users or if he is the only one receiving mail. The mail admin's job is to make sure the hardware and software are functioning properly, not to filter email. If he does filter email, then he does so as the agent of the end user with their permission and using their criteria.

A mail admin with many end users cannot configure server filtering to suit all possible end user criteria. That is why so many want to accept the email before filtering.

The solution to that dilemma is to educate end users in the use of server blocklists so that they can receive the most efficient spam filtering which they delegate to the mail admin. Companies who sell products online will not want to use server blocklists because they don't want to alienate customers and must spend the extra money to accept all email and sort it. Individuals who do not use email for business could, however, direct their mail admin to reject email based on blocklists. Unfortunately, many mail admins who sell email service do not think that the average end user is capable of understanding the concept of rejection. They either use blocklists and are secretive about what has happened to rejected email or refuse to do anything forcing customers to rely on sorting accepted email for spam control.

Miss Betsy


The reason I said that using white lists is not an option for mail server admins is the simple fact that for a white list to be effective it must represent the wishes of the end user.  A mail server admin has many end users who may have different desires.  One may consider a specific email spam while another was waiting eagerly for it.

31173[/snapback]

Postini's whitelists are user and/or site specific but they do not reject mail for an active user.

It would be possible to fulfill the needs of individuals at the server level. Implementation into a specific email package may not be easy, however.


Another way of saying what dbiel is saying (if I understand it correctly) is that a mail admin cannot use blocklists/whitelists without express permission of the end users or if he is the only one receiving mail.

<snip>

31184[/snapback]

...Yes and I think there is another component to what dbiel is saying -- even if the e-mail admin received permission from all end users to use a whitelist, it would (1) be a nightmare to maintain and (2) cause potential conflicts, as one group of users may wish to whitelist a source while other users may not want that source whitelisted.

In this case, Cummings runs a mail server, Tribune runs many mail servers.  Cummings trusts SpamCop and (contrary to the recommendations on the SpamCop site, but like many other server admins) Cummings blocks email based on lookups against bl.spamcop.net.  So when SpamCop decides to add Tribune's mail servers to the BL (due to Tribune generating bounces for spoofed email showing spamtrap source addresses), suddenly cummings is unable to receive email from Tribune.  Based on this negative experience, Cummings decides to no longer trust SpamCop to block email.

If Cummings had configured an overriding whitelist which would always accept email from *.tribune.com regardless of what might appear in the bl.spamcop.net domain, this problem would never have been an issue for Cummings.

31171[/snapback]

again, KKadow is exactly right.

the only problem i still have is that i cannot VERIFY that tribune actually IS on the blocklist.

163.192.21.6 not listed in bl.spamcop.net

198.187.230.11 not listed in bl.spamcop.net

163.192.2.12 not listed in bl.spamcop.net

163.192.2.14 not listed in bl.spamcop.net

163.192.4.179 not listed in bl.spamcop.net

so the bottom line is this: i can't figure out why my customer got a message saying 521 Mail rejected - you are listed in Spamcop (spam) [FREE] - http://spamcop.net/bl.shtml when NONE of their servers are listed on Spamcop's blocklist.

i could implement a whitelist strategy but that still leaves two problems:

1. it doesn't explain why our customer's email got rejected when i can't find them on the Spamcop blocklist

2. it puts me in the position of making our customer do all sorts of testing. "ok, send me another email" "ok, i added you to our whitelist and turned spamcop on again, send me another one" "nope still didn't work, let me change the whitelist entry and ok email me again" "nope still having trouble, let me change something else". i have no intention of making it look like we are having them do our job (even if that isn't the case, it comes across that way).

i want to re-enable spamcop, i simply need to know WHY it was rejected and inform them of what they need to do get un-listed. OR, i need to know that they are NOT blocklisted and that i can safely turn spamcop back on without having to pester my customer to send me test emails.

any help is greatly appreciated. i want to use spamcop. the amount of spam i personally receive has tripled, but the bottom line is: the management here has told me on no uncertain terms to not make this an inconvenience for our customers and that means leaving spamcop off, so be it, unfortunately. :(


the only problem i still have is that i cannot VERIFY that tribune actually IS on the blocklist.

31196[/snapback]

I believe what you seem to be missing is the difference between the word "IS" and "WAS" ..... The SpamCopDNSBL is very dynamic, again, data found via the FAQ here will get you to a description of the mathematical model involved.


<snip>

the only problem i still have is that i cannot VERIFY that tribune actually IS on the blocklist.

163.192.21.6 not listed in bl.spamcop.net

198.187.230.11 not listed in bl.spamcop.net

163.192.2.12 not listed in bl.spamcop.net

163.192.2.14 not listed in bl.spamcop.net

163.192.4.179 not listed in bl.spamcop.net

so the bottom line is this: i can't figure out why my customer got a message saying 521 Mail rejected - you are listed in Spamcop (spam) [FREE] - http://spamcop.net/bl.shtml when NONE of their servers are listed on Spamcop's blocklist.

<snip>

31196[/snapback]

Hi, cummings!

...Did you try StevenUnderwood's 31141[/snapback] suggestion, above?


I believe what you seem to be missing is the difference between the word "IS" and "WAS" .....  The SpamCopDNSBL is very dynamic, again, data found via the FAQ here will get you to a description of the mathematical model involved.

31199[/snapback]

this involves 'bugging' the customer. to see if they "WERE" on the list and "AREN'T" any more, i would have to turn on spamcop and have them send another test email. it is my intention not to bother them with testing.

i was hoping i wouldn't have to do that with "ok, send me another email" "ok, i turned spamcop on again, send me another one" "nope still didn't work, let me change something else". etc. etc.

It would be really easy if the rejection notice would add the IP being blocked.

31200[/snapback]

this doesn't help me now, unless i turn it back on and 'bug' the customer. plus, all 5 IPs are not coming up as blocked on bl.shtml, so it doesn't matter what the report would say. if it's one of those 5, i already know the answer.

Hi, cummings!

...Did you try StevenUnderwood's 31141[/snapback] suggestion, above?

31201[/snapback]

Steve's suggestions are:

1. Have you re-enabled the SCBL and retested?

this involves 'bugging' the customer.

2. Have you contacted 602 about modifying the reject message to indicate the connecting IP address?

this doesn't help me now, unless i turn it back on and 'bug' the customer, asking them to send another email so i can get the information.

if it boils down to the fact that i have no other option, i will talk to management here and get their thoughts on bugging the customer with making them send us test emails, but i'm pretty sure the answer is already "no, don't bother the customer with that, just leave spamcop off".


this involves 'bugging' the customer.  to see if they "WERE" on the list and "AREN'T" any more, i would have to turn on spamcop and have them send another test email.  it is my intention not to bother them with testing.

31205[/snapback]

I personally don't see the problem issue as you describe it. First of all, being listed is an issue for their Admin folks. Second, if things aren't listed at present, then there should be no impact to turning on the SpamCopBL at this point. It sounds to me like you need to 'suggest' to "them" that someone there needs to get proactive and research what was going on to get their servers listed.


In any case, if you continue to use that mailserver software and ANY of its anti-spam techniques, it would behoove you to get that software's vendor to help you, your users, and your customers with the following:

  • holding or tagging messages from servers listed by the SCBL
  • for IP Addresses blocked via 500-series error message, indicating the IP Address in that message
  • whitelisting capabilities

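Added example (editor's illustration; not 602 LAN Suite's code and not from any poster) of the policy KKadow argued for earlier and the three capabilities listed just above: the whitelist is consulted first and wins unconditionally, only then is the connecting address looked up in bl.spamcop.net, and a rejection names the connecting IP so the remote admin knows which host to look up. bl.spamcop.net answers 127.0.0.2 for a listed address. The DNS lookup is an injected function so the block runs offline; `fake_resolver` and its listing table are constructed for the demonstration and pretend queue1.tribune.com is listed, which the thread's checks show it was not, precisely so the whitelist override has something to override. The `mode="tag"` branch is the hold/tag behaviour the SpamCop site recommends over outright blocking; the whitelist CIDR and the TEST-NET addresses are hypothetical.

```python
"""DNSBL policy sketch: whitelist first, then bl.spamcop.net, reject naming the IP.

Editor's illustration; not 602 LAN Suite's code or any poster's.
The DNS lookup is injected (resolve) so the block runs offline.
"""
import ipaddress
from typing import Callable, Iterable, Optional, Tuple

DNSBL_ZONE = "bl.spamcop.net"
LISTED_ANSWER = "127.0.0.2"  # bl.spamcop.net returns 127.0.0.2 for a listed address

Resolver = Callable[[str], Optional[str]]  # query name -> A record text, or None for NXDOMAIN


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """208.32.228.22 -> 22.228.32.208.bl.spamcop.net (octets reversed, zone appended)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


class Whitelist:
    """Networks (CIDR) and hostname patterns that bypass every DNSBL lookup."""

    def __init__(self, networks: Iterable[str] = (), host_patterns: Iterable[str] = ()):
        self.networks = [ipaddress.ip_network(n, strict=False) for n in networks]
        # "*.tribune.com" -> ".tribune.com": matches tribune.com and every host under it
        self.suffixes = ["." + p.lower().lstrip("*.").rstrip(".") for p in host_patterns]

    def matches(self, ip: str, fcrdns: Optional[str]) -> bool:
        """fcrdns must be a forward-confirmed reverse name; an unconfirmed PTR is
        attacker-controlled and would let any sender whitelist itself."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.networks):
            return True
        if fcrdns:
            name = "." + fcrdns.lower().rstrip(".")
            return any(name == s or name.endswith(s) for s in self.suffixes)
        return False


def check_sender(ip: str, fcrdns: Optional[str], whitelist: Whitelist,
                 resolve: Resolver, mode: str = "block") -> Tuple[bool, str]:
    """Return (accept, text). text is the SMTP reply, or a header to add when tagging."""
    if whitelist.matches(ip, fcrdns):
        return True, "250 OK (whitelisted, DNSBL not consulted)"
    try:
        answer = resolve(dnsbl_query_name(ip))
    except Exception:  # resolver outage: fail open rather than refuse all mail
        return True, "250 OK (DNSBL lookup failed, not consulted)"
    if answer != LISTED_ANSWER:
        return True, "250 OK"
    if mode == "tag":  # hold/tag instead of block, as the SpamCop site recommends
        return True, "X-DNSBL: %s listed in %s" % (ip, DNSBL_ZONE)
    # Name the connecting IP so the remote admin knows which of their hosts to look up
    return False, ("521 Mail rejected - %s is listed in %s - http://spamcop.net/bl.shtml"
                   % (ip, DNSBL_ZONE))


# Constructed listing data for the offline demonstration; not real SpamCop state.
# It pretends queue1.tribune.com is listed, which the thread's checks show it was not.
_CONSTRUCTED_LISTINGS = {
    dnsbl_query_name("192.0.2.10"): LISTED_ANSWER,    # TEST-NET address playing a spam source
    dnsbl_query_name("198.51.100.7"): LISTED_ANSWER,  # listed, but inside a whitelisted CIDR
    dnsbl_query_name("163.192.21.6"): LISTED_ANSWER,  # hypothetical listing of queue1.tribune.com
}


def fake_resolver(qname: str) -> Optional[str]:
    return _CONSTRUCTED_LISTINGS.get(qname)


if __name__ == "__main__":
    wl = Whitelist(networks=["198.51.100.0/24"], host_patterns=["*.tribune.com"])
    for ip, name in [("163.192.21.6", "queue1.tribune.com"), ("198.51.100.7", None),
                     ("192.0.2.10", None), ("203.0.113.5", None)]:
        print(ip, check_sender(ip, name, wl, fake_resolver))
    print("tagging:", check_sender("192.0.2.10", None, wl, fake_resolver, mode="tag"))
```

Two design points worth keeping if you adapt this: the whitelist short-circuits before any DNS traffic, so a listing of *.tribune.com can never touch Cummings' customers, and a resolver failure accepts rather than rejects, because a dead DNSBL must not turn into a total mail outage.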

Hi, cummings!

...Did you try StevenUnderwood's 31141[/snapback] suggestion, above?

31201[/snapback]

<snip>

Steve's suggestions are:

1. Have you re-enabled the SCBL and retested?

this involves 'bugging' the customer.

2. Have you contacted 602 about modifying the reject message to indicate the connecting IP address?

this doesn't help me now, unless i turn it back on and 'bug' the customer, asking them to send another email so i can get the information.

31205[/snapback]

...Steven also suggested:
<snip> contact the deputies<at>spamcop.net to find out the history of being on the BL <snip>

in the past, i have had customers get on the blocklist. i go to bl.shtml and confirm it. then i contact the company with instructions on getting themselves removed. when they do so, i re-enable spamcop.

i don't want to contact their admin and say "uhm... i think you were on the blocklist, but then i searched and you weren't on it. so maybe your emails won't be rejected anymore. let me turn it on and have you send me an email...... oh you're still getting a rejection notice? ok, let me turn off spamcop again. hmmm... you're still not listed on bl.shtml. i don't know why your emails are getting rejected when you aren't on the blocklist. let me go back to the forum and see if i can resolve this. i'll call you back with more 'maybes' and 'lets trys' and 'not sures' tomorrow."

i find it odd that my customers email was blocked by spamcop, but when i research it on the same day, they aren't on the blocklist. is the list THAT dynamic? could they be on the 'verge' of being listed throughout the day? could they be on the list at 10am and off at 2pm? and then back on for an hour the next day randomly? i hope the list isn't THAT dynamic.

i will contact deputies at spamcop.net right now


in the past, i have had customers get on the blocklist.  i go to bl.shtml and confirm it.  then i contact the company with instructions on getting themselves removed.  when they do so, i re-enable spamcop.

i don't want to contact their admin and say "uhm... i think you were on the blocklist, but then i searched and you weren't on it.  so maybe your emails won't be rejected anymore.  let me turn it on and have you send me an email...... oh you're still getting a rejection notice?  ok, let me turn off spamcop again.  hmmm... you're still not listed on bl.shtml.  i don't know why your emails are getting rejected when you aren't on the blocklist.  let me go back to the forum and see if i can resolve this.  i'll call you back with more 'maybes' and 'lets trys' and 'not sures' tomorrow."

31211[/snapback]

...Understood -- I wouldn't want to do that, either. But if the rejection notice gets fixed, that would at least solve the problem of trying to figure out which of the several outbound e-mail servers sent the spam. Besides, you shouldn't have to contact them at all -- they should be getting abuse reports from SpamCop (unless their only spam is going to spam traps or they've asked that SpamCop not send reports or their abuse address is bouncing).

i find it odd that my customers email was blocked by spamcop, but when i research it on the same day, they aren't on the blocklist.  is the list THAT dynamic?  could they be on the 'virge' of being listed throughout the day?  could they be on the list at 10am and off at 2pm?  and then back on for an hour the next day randomly?  i hope the list isn't THAT dynamic.

<snip>

31211[/snapback]

...Yes, it could be! There's a complex algorithm but, generally, IIUC a listing "lives" for about two hours unless renewed by new reports of spam.

...One more thing: if I remember correctly, there has been at least one occasion when a SpamCop BL user was not getting updated copies of the BL, so old IPs appeared to remain listed forever. Try to check to ensure that isn't happening to you!

