External Blacklist (bl.spamcop.net[fe80::24ba:19d1:32e3:a3be])


Karate

Hello everyone. I am having issues with a customer where the spam firewall is reporting their server is on SpamCop's blacklist. I have checked the two IPs the IT personnel gave me, which are 208.69.32.132 and 208.62.43.196.

Here is the information from our barracuda spam firewall.

Time: 2009-04-21 10:49:42

From: xx

To: xx

Subject:

Size:

Action: Blocked

Reason: External Blacklist (bl.spamcop.net[fe80::24ba:19d1:32e3:a3be])

Score:

Delivery Status:

Source IP: rtr.usxpress.com[208.62.43.196]

Delivery Detail:

ID: 1240325381-8529-768-1

Message:

View Message View Source View Bayesian Breakdown

Message body unavailable.

The bounce the user receives.

From: Microsoft Exchange

Sent: Tuesday, April 21, 2009 10:50 AM

To: xx

Subject: Undeliverable: RE: test for email

Delivery has failed to these recipients or distribution lists:

'xx'

An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.

The following organization rejected your message: barracuda.chattanooga.net.

Any help is appreciated. Thanks.


Hello everyone. I am having issues with a customer where the spam firewall is reporting their server is on SpamCop's blacklist. I have checked the two IPs the IT personnel gave me, which are 208.69.32.132 and 208.62.43.196.

Those 2 IP addresses seem to be on completely separate networks...

208.62.43.196 - U S Xpress Enterprises Inc

208.69.32.132 - OpenDNS, LLC

Neither IP address has any SpamCop reports, do not seem to be on any major blocklists, and all sending IPs from both companies are rated Neutral to Good on SenderBase.

Same with your posting address.. No SpamCop reports, no listings, neutral to good reputation

Who is running the "spam firewall" you are having issue with? Is it you and these IP addresses are people trying to get mail into your system? Or is it someone else and your messages are being rejected?


It's our firewall and it's pulling this off of bl.spamcop.net, but it's listing a MAC address and, like you said, the two IPs above are not listed but the user is still being blocked.

Reason: External Blacklist (bl.spamcop.net[fe80::24ba:19d1:32e3:a3be])

That's where I'm thrown for a loop.


Hi, Karate,

...Do I understand correctly that:

  • Your firewall is blocking incoming e-mail from 208.69.32.132 and 208.62.43.196.
  • The reason given for the firewall blocking is that these IP addresses are on the SpamCop BL.
  • Neither of these IP addresses is actually on the SpamCop BL.

...If so, then I think the question becomes: why does your firewall believe that these IP addresses are on the SpamCop BL? Are you sure you are retrieving the latest list from SpamCop BL? Are you sure you are purging old IP addresses from the list? Are you sure you are actually retrieving IP addresses from the SpamCop BL and not some other place? Are you sure the message is accurate, that the firewall is actually finding these addresses on (what it thinks is) the SpamCop DL and not some other place?

...[Edit: added] For caching discussion, see SpamCop Forum "thread" "[Resolved] Blocking List Rejecting Emails When Active."


turetzsr,

Yes I am checking against bl.spamcop.net. The bounce doesn't specify an IP that was listed, but in my barracuda firewall the log shows this as the reason.

Reason: External Blacklist (bl.spamcop.net[fe80::24ba:19d1:32e3:a3be])

The mac address appears to be an IPv6 address but the sender doesn't have any ipv6 setup. I am trying to figure out how spamcop is blocking this mac and how to get this sender off the list if listed by this mac. Thanks for all the insight.


turetzsr,
...That's my signon. I prefer to be referred to as "Steve T," per my sig. :) <g>
Yes I am checking against bl.spamcop.net. The bounce doesn't specify an IP that was listed, but in my barracuda firewall the log shows this as the reason.
...Period, end of story? Perhaps the implicit assumption that Barracuda's message is 100% accurate needs to be examined.
<snip>The mac address appears to be an IPv6 address but the sender doesn't have any ipv6 setup. I am trying to figure out how spamcop is blocking this mac

<snip>

...Can you explain this a bit more? Here, again, I'm a bit suspicious because, as far as I know, the SpamCop BL lists only IP addresses, not MAC addresses.

Got off the phone from barracuda and they have confirmed that barracuda just reports back what spamcop outputs. So we have a strange situation here. Not sure what else to check, but I have made a temporary fix for my issue. If anyone else has some additional insight that would be great.

Thanks guys.


Yes I am checking against bl.spamcop.net. The bounce doesn't specify an IP that was listed, but in my barracuda firewall the log shows this as the reason.

Reason: External Blacklist (bl.spamcop.net[fe80::24ba:19d1:32e3:a3be])

The mac address appears to be an IPv6 address but the sender doesn't have any ipv6 setup. I am trying to figure out how spamcop is blocking this mac and how to get this sender off the list if listed by this mac. Thanks for all the insight.

I haven't yet run across any hardware that displayed a MAC address in anything other than hex. In your sample, note the double colon .... which is used to denote one or any number of consecutive groups of 0 value .... so I'll state that in my opinion, this has nothing to do with a MAC address, it really is an IPv6 address.

The question in my mind boils down to trying to determine just what and where an IPv6 address enters into the datastream at all. Thus far, you've only pointed to the Barracuda firewall as the source of this data value. Whether there is any actual support for IPv6 addresses by the SpamCopDBSBL is yet another question, but I don't believe that it does at this point. However, if it doesn't, then there's yet another question as to just what the Barracuda is reacting to, going with the premise that a BL look-up for a non-listed IP Address would be "nothing returned" .... on the other hand, perhaps some sort of error message is being sent due to the unrecognized IPv6 address tossed into the look-up, and because there was 'something' returned, the Barracuda accepts that data as a "hit" for a listing. Any way to determine just what traffic caused this data to trigger the look-up with an IPv6 IP Address?


Just so there's no confusion...

The SpamCop Blocking List can NOT be used against an IP that is not on the list.

The list ONLY contains IPv4 dotted.quad IP addresses.

Software that blames SpamCop and doesn't show the offending IP address is misconfigured.

Software that blames SpamCop and cites an IP address that is not on the list is misconfigured.

- Don D'Minion - SpamCop Admin -

service[at]admin.spamcop.net
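
The lookup logic discussed in this thread, as an added example that is not part of any poster's message and is not Barracuda or SpamCop code: it builds the query name for an IPv4 sender, treats only an answer inside 127.0.0.0/8 (the RFC 5782 convention) as a listing, and audits the block reason from the log excerpt. The function names are hypothetical, and how the firewall fills the bracketed value is unknown; the parser only reads the log format as posted.

```python
import ipaddress
import re

# RFC 5782 convention: a DNSBL answers "listed" with an A record in 127.0.0.0/8.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
# Matches the log format shown in this thread: External Blacklist (zone[value])
REASON_RE = re.compile(r"External Blacklist \((?P<zone>[^\[\]]+)\[(?P<cited>[^\]]+)\]\)")

def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """Name to query for an IPv4 sender: reversed octets + zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError(f"{ip}: an IPv4-only list cannot be queried for this address")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify_answer(answers):
    """Interpret resolver output; `answers` is a list of address strings, [] for NXDOMAIN."""
    if not answers:
        return "not-listed"
    parsed = [ipaddress.ip_address(a) for a in answers]
    if any(a.version == 4 and a in LISTED_NET for a in parsed):
        return "listed"
    # Something came back, but it is not a listing code: never treat it as a hit.
    return "invalid-answer"

def audit_reason(line):
    """Check whether the address a block reason cites could be on an IPv4-only list."""
    m = REASON_RE.search(line)
    if m is None:
        return None
    cited = ipaddress.ip_address(m["cited"])
    return {
        "zone": m["zone"],
        "cited": str(cited),
        "link_local": cited.is_link_local,
        "could_be_listed": cited.version == 4,
    }

if __name__ == "__main__":
    # Values taken from the log excerpt posted in the thread.
    reason = "Reason: External Blacklist (bl.spamcop.net[fe80::24ba:19d1:32e3:a3be])"
    print(dnsbl_query_name("208.62.43.196"))
    print(audit_reason(reason))
    print(classify_answer(["fe80::24ba:19d1:32e3:a3be"]))
```

A reason line whose cited address fails `could_be_listed` points at the filter's lookup or resolver path rather than at the list itself.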


Thanks for all assistance. I am pursuing further investigation with barracuda.

Have you done a search on "barracuda" here? There is lots of discussion on the topic. Without reading any of the background, I seem to remember another case where barracuda was found to be blocking traffic incorrectly stating that the SCBL was the reason.

I suggest using the search at the top of the page as part of your investigation.
