From: Jonathan Dill (jonathan nerds.net)
Date: Thu Apr 24 2008 - 10:45:07 CDT
On Apr 24, 2008, at 10:59 AM, Gallagher, Tim (NE) wrote:
> Hello all,
> I have an email server running Postfix, Dovecot, MailScanner and
> other stuff. I can send mail to most addresses fine except to
> att.net. I am not on any real time black hole lists, I am not sure
> what the problem is. Here is the mail log of the bounced mail,
>
> Apr 24 09:59:17 host postfix/cleanup[3152]: D0DBF1C6852B: hold:
> header Received: from www.danati.com (host.danati.com [127.0.0.1])
> by host.danati.com (Postfix) with ESMTP id D0DBF1C6852B for <betsybags sbcglobal.net>;
> Thu, 24 Apr 2008 09:59:17 -0400 (EDT) from
> host.danati.com[127.0.0.1]; from=<tgallagher danati.com> to=<betsybags sbcglobal.net>
> proto=ESMTP helo=<www.danati.com>
> Apr 24 09:59:19 host postfix/smtp[3160]: 7ECA91C6852C: to=<betsybags sbcglobal.net>,
> relay=sbcmx2.prodigy.net[207.115.20.21]:25, delay=1.4,
> delays=0.67/0/0.64/0.06, dsn=5.3.0, status=bounced (host
> sbcmx2.prodigy.net[207.115.20.21] said: 553 5.3.0 flpi193,DNSBL:521<
> 72.52.242.116 >_is_blocked.__For_information_see_http://worldnet.att.net/general-info/bls_info/block_inquiry.html
> (in reply to MAIL FROM command))
>
> I believe the problem is my server ip address host.danati.com
> [127.0.0.1], but I am not sure where this information is being
> pulled from.
>
> Here is my hosts file
> # Do not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1 localhost.localdomain localhost
> 72.52.XXX.XXX host.danati.com danati
> ::1 localhost6.localdomain6 localhost6

Seems kind of silly to block out the IP there since 72.52.242.116 is
already listed in the log entry. Anyway, the reject message mentions
"DNSBL", which suggests that your address is listed in a DNSBL,
probably their internal one, since doing a quick multi-rbl lookup on
dnsstuff did not find any hits in the generally accepted DNSBLs.

The messages about "127.0.0.1" look like you used an e-mail client on
the server to submit the test message, so that is just the server
talking to itself and has nothing to do with the message being
rejected by sbcglobal. That could have been command line, webmail,
some formmail script, or something like mutt or pine; it is probably
irrelevant.

You may ask yourself what you did to get blacklisted. If you have
something like a formmail script, that would be one of the first things
to suspect; possibly it has some security hole. You should be able to
find log entries for weird messages getting sent out, and there may be
clues in the http access / error logs. Also, if you are forwarding
e-mail to some address at sbcglobal.net, and the forwarded mail contains
spam, some ISPs and antispam appliances are not smart enough to figure
out that you did not originate the message, especially if the
recipient reports the spam to the ISP. You can also get into trouble
with things like blogs or discussion forum software that generates
e-mail and either has some hole that spammers could use, or e-mails
"updates" which could contain spam that was posted to the website.

>
>
> I need help finding the problem and some help correcting it.
>
> Thank you,
> Tim Gallagher
>
> Timothy F. Gallagher
> CSC Systems Engineer
> General Dynamics Advanced Information Systems
> Tel 734-480-5156
> Cell 248-320-6881
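
An added example, not part of the original thread: a Python check that reads a Postfix log the way the reply does, skipping the 127.0.0.1 local-submission entries and pulling the listed address out of the remote server's rejection. It goes one step further than the thread by building the name a DNSBL client would query for that address. The sample log is constructed from the lines quoted above with placeholder mailboxes, and the `dnsbl.example` zone and all function names are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on the log lines quoted in the thread;
# mailbox names and the third line are placeholders, not from the post.
SAMPLE_LOG = """\
Apr 24 09:59:17 host postfix/cleanup[3152]: D0DBF1C6852B: hold: header Received: from www.danati.com (host.danati.com [127.0.0.1]) by host.danati.com (Postfix) with ESMTP id D0DBF1C6852B
Apr 24 09:59:19 host postfix/smtp[3160]: 7ECA91C6852C: to=<rcpt@example.net>, relay=sbcmx2.prodigy.net[207.115.20.21]:25, delay=1.4, delays=0.67/0/0.64/0.06, dsn=5.3.0, status=bounced (host sbcmx2.prodigy.net[207.115.20.21] said: 553 5.3.0 flpi193,DNSBL:521< 72.52.242.116 >_is_blocked.__For_information_see_http://worldnet.att.net/general-info/bls_info/block_inquiry.html (in reply to MAIL FROM command))
Apr 24 10:02:41 host postfix/smtp[3161]: 8F1B21C6852D: to=<other@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=0.9, delays=0.1/0/0.5/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4C2A1)
"""

BOUNCE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^\[]+)\[(?P<relay_ip>[\d.]+)\]:\d+, .*?"
    r"dsn=(?P<dsn>[\d.]+), status=bounced \((?P<reply>.*)\)$"
)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
BLOCK_WORDS = ("dnsbl", "rbl", "blocked", "blacklist")


def public_ips(text, exclude):
    """IPv4 addresses in text that are publicly routable and not excluded."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        if ip.is_global and candidate not in exclude:
            found.append(candidate)
    return found


def blocklist_bounces(log_text):
    """Bounces where the remote MTA's reply cites a block list."""
    hits = []
    for line in log_text.splitlines():
        m = BOUNCE.search(line)
        if m and any(w in m["reply"].lower() for w in BLOCK_WORDS):
            hits.append({"qid": m["qid"], "relay": m["relay"], "dsn": m["dsn"],
                         "listed": public_ips(m["reply"], {m["relay_ip"]})})
    return hits


def dnsbl_query_name(ip, zone="dnsbl.example"):  # zone is a placeholder
    """Name a DNSBL client looks up: reversed octets under the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone
```

A list that a receiving provider keeps internally, as the reply suspects here, will not answer public lookups, so the address extracted from the bounce is what to quote when contacting that provider.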