Theo Van Dinter <[EMAIL PROTECTED]> writes:

> If it comes from a BSP host, report them! 
> http://www.bondedsender.org/complaint/

Not so fast.  (Disclaimer: I work for IronPort.)

First, I looked at the message -- *none* of the Received header IPs are
listed in Bonded Sender (I checked both with SA 3.0 and manually).

If you do rDNS on the IPs:

  pop.starband.net
  10.78.249.50
  adsl-69-226-175-17.dsl.frs2ca.pacbell.net
  8.77.156.36

There's no way any of those IPs has ever been Bonded.

Second, I also get very different blacklist hits for SA 3.0 than John,
which is hard to explain, but I have a theory.

  him: RCVD_IN_BSP_TRUSTED,RCVD_IN_NJABL_SPAM,RCVD_IN_SORBS_WEB
   me: RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DSBL,RCVD_IN_XBL

Now, the hits for my run:

  <dns:17.175.226.69.sbl-xbl.spamhaus.org>
          [127.0.0.4]
  <dns:17.175.226.69.list.dsbl.org?type=TXT>
          ["http://dsbl.org/listing?69.226.175.17"]
  <dns:17.175.226.69.dnsbl.sorbs.net>
          [127.0.0.6, 127.0.0.7]
  <dns:17.175.226.69.bl.spamcop.net?type=TXT>
          ["Blocked - see  http://www.spamcop.net/bl.shtml?69.226.175.17"]

Okay, the XBL, DSBL, and SpamCop (another fine service of IronPort) hits
all make sense.  SORBS not firing because the rule has a zero score,
okay, that makes sense too.

But, I don't get a RCVD_IN_NJABL_SPAM hit and I doubt that list is
updated that frequently and I also don't have the RCVD_IN_BSP_TRUSTED
hit.

Note the XBL and SpamCop hits!!!

  me:  RCVD_IN_XBL is 127.0.0.4
       RCVD_IN_BL_SPAMCOP_NET is a TXT record

 him:  RCVD_IN_NJABL_SPAM *wants* 127.0.0.4
       RCVD_IN_BSP_TRUSTED *wants* a TXT record

DING DING DING DING DING!!!!!!!!!

Theory: the DNS responses got mixed up somewhere.  This may be related
to bug 3997, although if that is the case, then it would suggest some
probability that my patch will not entirely work around the issue,
although it does improve my confidence that it will help.

Daniel

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/
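
As an added illustration of the theory in the message above (not part of the original message and not SpamAssassin's code): a client that pairs DNS responses with pending DNSBL lookups by ID alone can credit one list's answer to another rule, while matching on ID, query name and type cannot. The ID collision and the `njabl.example` zone are constructed assumptions; the message does not say how the mix-up occurred.

```python
import struct

TYPES = {"A": 1, "TXT": 16}

def dnsbl_name(ip, zone):
    """Reverse the IPv4 octets and append the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def build_query(qid, name, qtype):
    """Minimal DNS query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", TYPES[qtype], 1)

def fake_response(query):
    """Constructed reply: same ID and question, response flags set."""
    return query[:2] + b"\x81\x80" + query[4:]

def parse_question(packet):
    """Return (id, qname, qtype) from the header and first question."""
    qid = struct.unpack("!H", packet[:2])[0]
    pos, labels = 12, []
    while packet[pos]:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode().lower())
        pos += 1 + n
    qtype = struct.unpack("!H", packet[pos + 1:pos + 3])[0]
    return qid, ".".join(labels), qtype

class Pending:
    def __init__(self):
        self.by_key = {}
    def add(self, rule, qid, name, qtype):
        self.by_key[(qid, name.lower(), TYPES[qtype])] = rule
    def match_id_only(self, response):
        # Weak: first pending lookup with this 16-bit ID wins.
        qid = parse_question(response)[0]
        return next((r for (i, _, _), r in self.by_key.items() if i == qid), None)
    def match_strict(self, response):
        # ID, query name and query type must all agree.
        return self.by_key.get(parse_question(response))

def demo():
    ip, qid = "69.226.175.17", 0x1234      # same ID reused: constructed collision
    njabl = dnsbl_name(ip, "njabl.example")          # placeholder zone
    xbl = dnsbl_name(ip, "sbl-xbl.spamhaus.org")
    pending = Pending()
    pending.add("RCVD_IN_NJABL_SPAM", qid, njabl, "A")
    pending.add("RCVD_IN_XBL", qid, xbl, "A")
    reply = fake_response(build_query(qid, xbl, "A"))  # the XBL answer arrives
    return pending.match_id_only(reply), pending.match_strict(reply)
```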
