FQDN Added to Blacklist still not blocked...

Guest

FQDN Added to Blacklist still not blocked...

Post by Guest » Sat Sep 12, 2009 3:23 am

Hello,

I'm adding FQDNs to the Blacklist and users are still receiving emails from those FQDNs. For example, I blocked organisationdutravail.com last week, but here is the message tracking from this week:

Results: Displaying 1 - 16 of 16 items.

1  08 Apr 2010 14:20 (GMT -04:00)  MID: 19670  SENDER: fichiers@organisationdutravail.com  RECIPIENT: ****REMOVED****  SUBJECT: Connaitre les nouvelles procedures aux douanes  LAST STATE: Message 19670 to ****REMOVED**** received remote SMTP response ...
2  08 Apr 2010 14:17 (GMT -04:00)  MID: 19666  SENDER: fichiers@organisationdutravail.com  RECIPIENT: ****REMOVED****  SUBJECT: Connaitre les nouvelles procedures aux douanes  LAST STATE: Message 19666 to ****REMOVED**** received remote SMTP response ok:...
3  08 Apr 2010 14:17 (GMT -04:00)  MID: 19665  SENDER: fichiers@organisationdutravail.com  RECIPIENT: ****REMOVED****  SUBJECT: Connaitre les nouvelles procedures aux douanes  LAST STATE: Message 19665 to ****REMOVED**** received remote SMTP response ...
4  08 Apr 2010 14:17 (GMT -04:00)  MID: 19664  SENDER: fichiers@organisationdutravail.com  RECIPIENT: ****REMOVED****  SUBJECT: Connaitre les nouvelles procedures aux douanes  LAST STATE: Message 19664 to ****REMOVED**** received remote SMTP response 2.6....

And here is the full tracking of one of those emails:

08 Apr 2010 14:20:20 (GMT -04:00)  Protocol SMTP interface IncomingIP (IP ****REMOVED****) on incoming connection (ICID 175563) from sender IP 205.237.40.104. Reverse DNS host 40-104.cgocable.ca verified no.
08 Apr 2010 14:20:20 (GMT -04:00)  (ICID 175563) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:10.0] SBRS -0.8
08 Apr 2010 14:20:20 (GMT -04:00)  Start message 19670 on incoming connection (ICID 175563).
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 enqueued on incoming connection (ICID 175563) from fichiers@organisationdutravail.com.
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 on incoming connection (ICID 175563) added recipient (****REMOVED****).
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 contains message ID header <6bdb6f64469b3af0006fc7b02bd2ec07@organisationdutravail.com>.
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 original subject on injection: Connaitre les nouvelles procedures aux douanes
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 (18352 bytes) from fichiers@organisationdutravail.com ready.
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 matched per-recipient policy DEFAULT for inbound mail policies.
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 encountered CASE down (1/10). Retry scanning in 12 seconds.
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Spam engine: CASE. Interim verdict: Negative
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Spam engine: CASE. Final verdict: Negative
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Virus engine. Final verdict: Negative
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 queued for delivery.
08 Apr 2010 14:20:38 (GMT -04:00)  SMTP delivery connection (DCID 10816) opened from IronPort interface ****REMOVED**** to IP address ****REMOVED**** on port 25.
08 Apr 2010 14:20:38 (GMT -04:00)  (DCID 10816) Delivery started for message 19670 to ****REMOVED****.
08 Apr 2010 14:20:38 (GMT -04:00)  (DCID 10816) Delivery details: Message 19670 sent to ****REMOVED****
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 to ****REMOVED**** received remote SMTP response 2.6.0 <6bdb6f64469b3af0006fc7b02bd2ec07@organisationdutravail.com> Queued mail for delivery.

We can see that the address is considered as an UNKNOWN sender and not a BLACKLIST...

What's up with that? Thanks for your help!

Guest

Re:FQDN Added to Blacklist still not blocked...

Post by Guest » Sat Sep 12, 2009 3:58 am

Looks like you're receiving communication from a different server. organisationdutravail.com's MX records point to:

organisationdutravail.com.  900   IN  MX  10 q1.netfirms.com.
organisationdutravail.com.  900   IN  MX  10 q0.netfirms.com.

whose IPs point to:

q1.netfirms.com.  1551  IN  A  70.35.17.139
q1.netfirms.com.  1551  IN  A  70.35.17.171
q1.netfirms.com.  1551  IN  A  70.35.17.203
q1.netfirms.com.  1551  IN  A  70.35.17.235
q1.netfirms.com.  1551  IN  A  70.35.17.11
q1.netfirms.com.  1551  IN  A  70.35.17.43
q1.netfirms.com.  1551  IN  A  70.35.17.75
q1.netfirms.com.  1551  IN  A  70.35.17.107

However, you're receiving communication from 205.237.40.104, which doesn't match any of the above. I suspect someone is spoofing organisationdutravail.com's domain. I would suggest blacklisting by IP address instead of FQDN.
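
The check the reply performs by hand, as an added example (not code from the thread or from IronPort/Cisco): parse the connection-level lines of the tracking dump, pull out the IP that actually connected and the envelope sender's domain, and compare that IP with the A records of the domain's MX hosts. The tracking lines and the MX/A table are constructed from the data quoted in this thread (the listener IP, redacted in the post, is replaced with the documentation address 192.0.2.10, and only q1.netfirms.com's A records are filled in because the reply listed only those); a live check would resolve the records instead of using the table. Two caveats a practitioner should keep in mind: the ESA's HAT sender groups are evaluated against the connecting host (its IP, its reverse-DNS name, its SBRS score), which is why the log shows UNKNOWNLIST matching on an SBRS range and never consults the MAIL FROM domain; and MX records only say where a domain receives mail, so a mismatch is a strong hint of spoofing rather than proof, with the domain's SPF record (if published) being the authoritative list of permitted sources.

```python
import ipaddress
import re

# Constructed sample: the connection-level lines of the tracking entry quoted in the
# first post. The listener IP was redacted there; 192.0.2.10 is a documentation
# address standing in for it.
SAMPLE_TRACKING = """\
08 Apr 2010 14:20:20 (GMT -04:00)  Protocol SMTP interface IncomingIP (IP 192.0.2.10) on incoming connection (ICID 175563) from sender IP 205.237.40.104. Reverse DNS host 40-104.cgocable.ca verified no.
08 Apr 2010 14:20:20 (GMT -04:00)  (ICID 175563) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:10.0] SBRS -0.8
08 Apr 2010 14:20:20 (GMT -04:00)  Start message 19670 on incoming connection (ICID 175563).
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 enqueued on incoming connection (ICID 175563) from fichiers@organisationdutravail.com.
"""

# Constructed stand-in for DNS: the sender domain's MX hosts and their A records, copied
# from the dig output in the reply. The reply listed A records for q1.netfirms.com only,
# so q0.netfirms.com is present with an empty set rather than invented addresses.
# A real check would resolve MX and A records live instead of using this table.
MX_A_RECORDS = {
    "organisationdutravail.com": {
        "q0.netfirms.com": set(),
        "q1.netfirms.com": {
            "70.35.17.11", "70.35.17.43", "70.35.17.75", "70.35.17.107",
            "70.35.17.139", "70.35.17.171", "70.35.17.203", "70.35.17.235",
        },
    },
}

# Patterns for the three tracking lines that matter: who connected, which HAT sender
# group the connection landed in, and what envelope sender the message claimed.
CONN_RE = re.compile(
    r"from sender IP (\d{1,3}(?:\.\d{1,3}){3})\. Reverse DNS host (\S+) verified (yes|no)"
)
HAT_RE = re.compile(r"\(ICID (\d+)\) (\w+) sender group (\S+) match (\S+)")
FROM_RE = re.compile(r"enqueued on incoming connection \(ICID (\d+)\) from ([^@\s]+)@(\S+)")


def parse_tracking(text):
    """Extract the facts the HAT actually decided on (connecting host, sender group)
    plus the envelope sender from an ESA message-tracking dump."""
    info = {}
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            info["sender_ip"] = m.group(1)
            info["reverse_dns"] = m.group(2)
            info["rdns_verified"] = m.group(3) == "yes"
            continue
        m = HAT_RE.search(line)
        if m:
            info["icid"] = m.group(1)
            info["hat_action"] = m.group(2)
            info["sender_group"] = m.group(3)
            info["hat_match"] = m.group(4)
            continue
        m = FROM_RE.search(line)
        if m:
            # The log terminates the address with a period; strip it.
            domain = m.group(3).rstrip(".").lower()
            info["envelope_from"] = m.group(2) + "@" + domain
            info["sender_domain"] = domain
    return info


def mx_addresses(domain, mx_table):
    """All addresses of the domain's MX hosts according to the lookup table."""
    addrs = set()
    for host_addrs in mx_table.get(domain, {}).values():
        addrs.update(ipaddress.ip_address(a) for a in host_addrs)
    return addrs


def check_origin(info, mx_table):
    """Compare the connecting IP with the sender domain's MX hosts, as the reply did.

    MX hosts are where a domain receives mail; its outbound relays may live elsewhere,
    so a mismatch is a strong hint of spoofing, not proof. SPF is the authoritative list.
    """
    ip = ipaddress.ip_address(info["sender_ip"])
    from_mx = ip in mx_addresses(info["sender_domain"], mx_table)
    return {
        "sender_ip": str(ip),
        "sender_domain": info["sender_domain"],
        "sender_group": info.get("sender_group"),
        "from_mx_host": from_mx,
        # The HAT matches the connecting host, so the entry that would have stopped
        # this message is the connecting IP (or its reverse-DNS name), not the MAIL FROM domain.
        "suggested_hat_entry": None if from_mx else str(ip),
    }


if __name__ == "__main__":
    parsed = parse_tracking(SAMPLE_TRACKING)
    for key, value in check_origin(parsed, MX_A_RECORDS).items():
        print(f"{key}: {value}")
```

Run against the sample, the connecting IP 205.237.40.104 is not among the MX hosts' addresses, so the script reports `from_mx_host: False` and proposes that IP as the HAT entry; feeding it a message that arrived from one of the q1.netfirms.com addresses gives `from_mx_host: True` and no suggestion.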

Guest

Re:FQDN Added to Blacklist still not blocked...

Post by Guest » Sat Sep 12, 2009 4:00 am

You are right, shame on me for not having looked at the IPs before posting... Thanks a lot!

Guest

Re:FQDN Added to Blacklist still not blocked...

Post by Guest » Sat Sep 12, 2009 4:48 am

No problem. Glad to help!
