FQDN Added to Blacklist still not blocked...

Answered Question

Hello,

I'm adding FQDNs to the Blacklist and users are still receiving emails from those FQDNs...


For example, I blocked organisationdutravail.com last week, but here is the message tracking from this week:


Results
Displaying 1 — 16 of 16 items.

1 08 Apr 2010 14:20 (GMT -04:00)  MID: 19670
  SENDER: [email protected]
  RECIPIENT: ****REMOVED****
  SUBJECT: Connaitre les nouvelles procedures aux douanes
  LAST STATE: Message 19670 to ****REMOVED**** received remote SMTP response '...

2 08 Apr 2010 14:17 (GMT -04:00)  MID: 19666
  SENDER: [email protected]
  RECIPIENT: ****REMOVED****
  SUBJECT: Connaitre les nouvelles procedures aux douanes
  LAST STATE: Message 19666 to ****REMOVED**** received remote SMTP response 'ok:...

3 08 Apr 2010 14:17 (GMT -04:00)  MID: 19665
  SENDER: [email protected]
  RECIPIENT: ****REMOVED****
  SUBJECT: Connaitre les nouvelles procedures aux douanes
  LAST STATE: Message 19665 to ****REMOVED**** received remote SMTP response '...

4 08 Apr 2010 14:17 (GMT -04:00)  MID: 19664
  SENDER: [email protected]
  RECIPIENT: ****REMOVED****
  SUBJECT: Connaitre les nouvelles procedures aux douanes
  LAST STATE: Message 19664 to ****REMOVED**** received remote SMTP response '2.6....



And here is the full tracking of one of those emails:

08 Apr 2010 14:20:20 (GMT -04:00)  Protocol SMTP interface IncomingIP (IP ****REMOVED****) on incoming connection (ICID 175563) from sender IP 205.237.40.104. Reverse DNS host 40-104.cgocable.ca verified no. 
08 Apr 2010 14:20:20 (GMT -04:00)  (ICID 175563) ACCEPT sender group UNKNOWNLIST match sbrs[-1.0:10.0] SBRS -0.8 
08 Apr 2010 14:20:20 (GMT -04:00)  Start message 19670 on incoming connection (ICID 175563). 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 enqueued on incoming connection (ICID 175563) from [email protected]
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 on incoming connection (ICID 175563) added recipient (****REMOVED****). 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 contains message ID header '<[email protected]>'
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 original subject on injection: Connaitre les nouvelles procedures aux douanes 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 (18352 bytes) from [email protected] ready. 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 matched per-recipient policy DEFAULT for inbound mail policies. 
08 Apr 2010 14:20:20 (GMT -04:00)  Message 19670 encountered CASE down (1/10). Retry scanning in 12 seconds. 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Spam engine: CASE. Interim verdict: Negative 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Spam engine: CASE. Final verdict: Negative 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 scanned by Anti-Virus engine. Final verdict: Negative 
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 queued for delivery. 
08 Apr 2010 14:20:38 (GMT -04:00)  SMTP delivery connection (DCID 10816) opened from IronPort interface ****REMOVED**** to IP address ****REMOVED**** on port 25. 
08 Apr 2010 14:20:38 (GMT -04:00)  (DCID 10816) Delivery started for message 19670 to ****REMOVED****. 
08 Apr 2010 14:20:38 (GMT -04:00)  (DCID 10816) Delivery details: Message 19670 sent to ****REMOVED****
08 Apr 2010 14:20:38 (GMT -04:00)  Message 19670 to ****REMOVED**** received remote SMTP response '2.6.0 <[email protected]> Queued mail for delivery'.



We can see that the sender is considered an UNKNOWN sender rather than a BLACKLIST one... What's up with that?


Thanks for your help!

Correct Answer by dzavasni about 6 years 11 months ago

Looks like you're receiving communication from a different server:

organisationdutravail.com's MX records point to:


organisationdutravail.com. 900  IN      MX      10 q1.netfirms.com.
organisationdutravail.com. 900  IN      MX      10 q0.netfirms.com.

whose IPs point to:

q1.netfirms.com.        1551    IN      A       70.35.17.139
q1.netfirms.com.        1551    IN      A       70.35.17.171
q1.netfirms.com.        1551    IN      A       70.35.17.203
q1.netfirms.com.        1551    IN      A       70.35.17.235
q1.netfirms.com.        1551    IN      A       70.35.17.11
q1.netfirms.com.        1551    IN      A       70.35.17.43
q1.netfirms.com.        1551    IN      A       70.35.17.75
q1.netfirms.com.        1551    IN      A       70.35.17.107


However, you're receiving communication from 205.237.40.104, which doesn't match any of the above.
I suspect someone is spoofing organisationdutravail.com's domain. I would suggest blacklisting by IP address instead of FQDN.
dzavasni Fri, 04/09/2010 - 08:57
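The check dzavasni did by hand, as an added Python example that is not part of this thread or of AsyncOS: it parses the incoming-connection line from the tracking above and compares the connecting host against the envelope domain's MX hosts, the point being that a hostname sender-group entry is matched against the connecting host's verified reverse-DNS name, not the forgeable envelope From domain. The DNS table is a constructed offline stand-in for the dig output quoted in the answer (q0.netfirms.com's A records were not shown, so they are left empty), and the gateway interface IP is a placeholder; the second case in the test shows that even legitimate mail for this domain would come from netfirms hosts, so blocking by IP or by the actual sending host is the workable rule.

```python
import re

# Constructed sample: the connection line from the question's tracking, with
# the gateway's own (redacted) interface IP replaced by a placeholder.
TRACKING_LINE = (
    "08 Apr 2010 14:20:20 (GMT -04:00)  Protocol SMTP interface IncomingIP "
    "(IP 192.0.2.10) on incoming connection (ICID 175563) from sender IP "
    "205.237.40.104. Reverse DNS host 40-104.cgocable.ca verified no."
)

# Hypothetical offline resolver table standing in for a live dig; MX and A
# values copied from the answer, q0.netfirms.com's A records were not shown.
DNS = {
    "organisationdutravail.com": {"MX": ["q1.netfirms.com", "q0.netfirms.com"]},
    "q1.netfirms.com": {"A": ["70.35.17.139", "70.35.17.171", "70.35.17.203",
                              "70.35.17.235", "70.35.17.11", "70.35.17.43",
                              "70.35.17.75", "70.35.17.107"]},
    "q0.netfirms.com": {"A": []},
}

LINE_RE = re.compile(
    r"\(ICID (?P<icid>\d+)\) from sender IP (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\. "
    r"Reverse DNS host (?P<rdns>\S+) verified (?P<verified>yes|no)"
)

def parse_connection(line):
    """Pull the connecting IP and its reverse-DNS result out of a tracking line."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not an incoming-connection tracking line")
    return {"icid": int(m["icid"]), "ip": m["ip"], "rdns": m["rdns"].lower(),
            "verified": m["verified"] == "yes"}

def domain_mail_ips(domain):
    """IPs of the hosts that legitimately handle mail for domain (its MX A records)."""
    ips = set()
    for mx in DNS.get(domain, {}).get("MX", []):
        ips.update(DNS.get(mx, {}).get("A", []))
    return ips

def assess(line, envelope_domain):
    """Would a HAT hostname entry for envelope_domain have matched this connection?"""
    conn = parse_connection(line)
    rdns = conn["rdns"]
    # A hostname sender-group entry is matched against the verified reverse-DNS
    # name of the connecting host, never against the envelope From address.
    conn["rdns_matches"] = conn["verified"] and (
        rdns == envelope_domain or rdns.endswith("." + envelope_domain))
    conn["ip_matches_mx"] = conn["ip"] in domain_mail_ips(envelope_domain)
    if conn["rdns_matches"]:
        conn["verdict"] = "hostname entry matches"
    elif conn["ip_matches_mx"]:
        conn["verdict"] = "sent from the domain's MX host; add the MX host or IP"
    else:
        conn["verdict"] = "unrelated host, envelope domain likely forged; block by IP"
    return conn
```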