Posted to users@spamassassin.apache.org by Dan Barker <db...@visioncomm.net> on 2007/06/12 16:42:04 UTC

DUL Lists? - OT

I'm receiving a lot of 421 rejects with:

Unexpected connection response from server:
421 mails from 74.254.46.133 refused: local dynamic IP address
74.254.46.133"

Does anybody recognize the text of the message? I'd like to confirm that
there are no popular DUL lists showing 74.254.46.133 as dynamic, but the 421
message says very little. DNSReport says it's clean. I've tried to contact
some postmaster accounts (using Yahoo.com, since I can't use my own mailer)
but they appear to be RFC ignorant too. Unfortunately, it's not just one ISP
in Germany and I'd like to understand if there's anything I can do on my
side.

The only thing that comes to mind is that my rDNS is delegated to my own
name server. Maybe there's some sort of DNS software out in the wild that
doesn't support delegation? I'm really at a loss.

Dan


Re: DUL Lists? - OT

Posted by arni <ma...@arni.name>.
Dan Barker wrote:
> Dan Barker follows up:
> I "think" you confirmed that my delegated rDNS is proper and that the 421
> message is in error. But I'm not certain. Can you please confirm your
> assessment? My ISP provides me a /26 subnet out of the 74.254.46.0 class C,
> so the rDNS delegation is done with CNAMEs from the class C subnet to my
> 74.254.46.128/26 subnet's DNS servers. They serve the appropriate PTR
> records.
>
> Thanks again for the bandwidth;
> Dan
>
>   
I'd advise you to just give the ip you send email from a real, non 
aliased reverse dns entry which is the same as your HELO and also points 
back to your IP through an A record.
Guess that's just the easiest way to solve it. Making the "foreign" 
admins aware of their buggy system is gonna be more complicated.

arni

RE: DUL Lists? - OT

Posted by Dan Barker <db...@visioncomm.net>.
Dan Barker wrote:
> > I'm receiving a lot of 421 rejects with:
> >
> > Unexpected connection response from server:
> > 421 mails from 74.254.46.133 refused: local dynamic IP address
> > 74.254.46.133"
> >
> > Does anybody recognize the text of the message? I'd like to confirm
> > that there are no popular DUL lists showing 74.254.46.133 as dynamic,
> > but the 421 message says very little. DNSReport says it's clean. I've
> > tried to contact some postmaster accounts (using Yahoo.com, since I
> > can't use my own mailer) but they appear to be RFC ignorant too.
> > Unfortunately, it's not just one ISP in Germany and I'd like to
> > understand if there's anything I can do on my side.
> >
> > The only thing that comes to mind is that my rDNS is delegated to my
> > own name server. Maybe there's some sort of DNS software out in the
> > wild that doesn't support delegation? I'm really at a loss.
> >
> > Dan
> >

arni writes:

> 133.46.254.74.in-addr.arpa is an alias for 133.128.46.254.74.in-addr.arpa.
> 133.128.46.254.74.in-addr.arpa domain name pointer mail.visioncomm.net.
>
> probably a not so clever blacklist considering your ip dynamic because the
> alias has its own ip in the alias name
>
> arni
>

Dan Barker follows up:

I "think" you confirmed that my delegated rDNS is proper and that the 421
message is in error. But I'm not certain. Can you please confirm your
assessment? My ISP provides me a /26 subnet out of the 74.254.46.0 class C,
so the rDNS delegation is done with CNAMEs from the class C subnet to my
74.254.46.128/26 subnet's DNS servers. They serve the appropriate PTR
records.

Thanks again for the bandwidth;
Dan


Re: DUL Lists? - OT

Posted by arni <ma...@arni.name>.
Dan Barker wrote:
> I'm receiving a lot of 421 rejects with:
>
> Unexpected connection response from server:
> 421 mails from 74.254.46.133 refused: local dynamic IP address
> 74.254.46.133"
>
> Does anybody recognize the text of the message? I'd like to confirm that
> there are no popular DUL lists showing 74.254.46.133 as dynamic, but the 421
> message says very little. DNSReport says it's clean. I've tried to contact
> some postmaster accounts (using Yahoo.com, since I can't use my own mailer)
> but they appear to be RFC ignorant too. Unfortunately, it's not just one ISP
> in Germany and I'd like to understand if there's anything I can do on my
> side.
>
> The only thing that comes to mind is that my rDNS is delegated to my own
> name server. Maybe there's some sort of DNS software out in the wild that
> doesn't support delegation? I'm really at a loss.
>
> Dan
>   
133.46.254.74.in-addr.arpa is an alias for 133.128.46.254.74.in-addr.arpa.
133.128.46.254.74.in-addr.arpa domain name pointer mail.visioncomm.net.

probably a not so clever blacklist considering your ip dynamic because 
the alias has its own ip in the alias name

arni

Re: DUL Lists? - OT

Posted by SM <sm...@resistor.net>.
At 07:42 12-06-2007, Dan Barker wrote:
>I'm receiving a lot of 421 rejects with:
>
>Unexpected connection response from server:
>421 mails from 74.254.46.133 refused: local dynamic IP address
>74.254.46.133"

That IP address is not dynamic.  The reverse DNS is correct.

>Does anybody recognize the text of the message? I'd like to confirm that
>there are no popular DUL lists showing 74.254.46.133 as dynamic, but the 421
>message says very little. DNSReport says it's clean. I've tried to contact
>some postmaster accounts (using Yahoo.com, since I can't use my own mailer)
>but they appear to be RFC ignorant too. Unfortunately, it's not just one ISP
>in Germany and I'd like to understand if there's anything I can do on my
>side.

Isn't it a web hosting provider?  If so, maybe they have some web 
form for contacting them.

Regards,
-sm 


Re: DUL Lists? - OT

Posted by arni <ma...@arni.name>.
Dan Barker wrote:
> Definitions:
>  "right": follow the CNAME to get a PTR
>  "wrong": return the CNAME as an answer.
>   
Yes that's what I meant, the script on the other side seems to be too 
stupid to realise that the first lookup isn't the final answer, in this 
wrong answer it finds the own ip and considers it a sign of a dynamic ip.

arni
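
Added example, not part of the original thread or any poster's code: a small offline model of the "right" and "wrong" lookups defined above, showing how an IP-in-hostname heuristic fires on the CNAME target but not on the real PTR. The record table is constructed from the lookup lines quoted in the thread; the looks_dynamic heuristic and the HELO value mail.visioncomm.net are assumptions.

```python
# Constructed record set mirroring the two lookup lines quoted in the thread;
# the A record is assumed from Botnet.pl's "hostname resolves back to ip".
ZONE = {
    ("133.46.254.74.in-addr.arpa", "CNAME"): "133.128.46.254.74.in-addr.arpa",
    ("133.128.46.254.74.in-addr.arpa", "PTR"): "mail.visioncomm.net",
    ("mail.visioncomm.net", "A"): "74.254.46.133",
}

def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def ptr_right(ip, max_hops=8):
    """Follow CNAMEs until a PTR is found (the "right" lookup)."""
    name = reverse_name(ip)
    for _ in range(max_hops):          # bound the chain so CNAME loops end
        if (name, "PTR") in ZONE:
            return ZONE[(name, "PTR")]
        if (name, "CNAME") not in ZONE:
            return None
        name = ZONE[(name, "CNAME")]
    return None

def ptr_wrong(ip):
    """Return the first record as the answer, CNAME or not (the "wrong" lookup)."""
    name = reverse_name(ip)
    return ZONE.get((name, "PTR")) or ZONE.get((name, "CNAME"))

def looks_dynamic(ip, hostname):
    """Hypothetical heuristic: every octet of the IP appears as a label."""
    labels = (hostname or "").split(".")
    return all(octet in labels for octet in ip.split("."))

def fcrdns_ok(ip, helo):
    """PTR equals HELO (assumed value) and its A record points back to the IP."""
    host = ptr_right(ip)
    return host is not None and host == helo and ZONE.get((host, "A")) == ip

def verdicts(ip, helo):
    return {
        "wrong_answer": ptr_wrong(ip),
        "wrong_flags_dynamic": looks_dynamic(ip, ptr_wrong(ip)),
        "right_answer": ptr_right(ip),
        "right_flags_dynamic": looks_dynamic(ip, ptr_right(ip)),
        "fcrdns": fcrdns_ok(ip, helo),
    }

if __name__ == "__main__":
    for key, value in verdicts("74.254.46.133", "mail.visioncomm.net").items():
        print(f"{key}: {value}")
```
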

RE: DUL Lists? - OT

Posted by Dan Barker <db...@visioncomm.net>.
Thanks for yet _more_ confirmation. However, if botnet is depending on DNS
pulling the "right" stuff, and someone's DNS is pulling the "wrong" stuff,
then it still could be botnet; just not directly.

Definitions:
 "right": follow the CNAME to get a PTR
 "wrong": return the CNAME as an answer.

I'm trying to get my provider to change the mailer's in-addr records to PTR
and leave the other 59 as CNAMES to my DNS server. If that works, then the
problem might go away. If they won't/can't do that, I don't know what else
to try. I guess I could go through all the hassle of having my rDNS remoted.
Sure sounds like a pain. It would _really_ be a pain if it didn't work<g>!

Dan Barker

 

-----Original Message-----
From: John Rudd [mailto:jrudd@ucsc.edu] 
Sent: Tuesday, June 12, 2007 1:25 PM
To: Dan Barker
Cc: 'Spamassassin'
Subject: Re: DUL Lists? - OT

Dan Barker wrote:
> I'm receiving a lot of 421 rejects with:
> 
> Unexpected connection response from server:
> 421 mails from 74.254.46.133 refused: local dynamic IP address 
> 74.254.46.133"
> 

In case there's any doubt about whether or not the Botnet plugin tripped up
on the PTR record situation (and someone used that as a basis for a
tempfail), here's the output of Botnet.pl for that IP address:


% Botnet.pl 74.254.46.133 visioncomm.net
Botnet Version = 0.8
checking IP address: 74.254.46.133
    BOTNET_NORDNS: not hit - mail.visioncomm.net
    BOTNET_BADDNS: not hit - hostname resolves back to ip
       BOTNET_IPINHOSTNAME: not hit
       BOTNET_CLIENTWORDS: not hit
       BOTNET_SERVERWORDS: hit, matches=mail
    BOTNET_CLIENT (meta) not hit
    BOTNET_CLIENT (code) not hit, tests=none
    BOTNET_SOHO: not hit
BOTNET (meta) not hit
BOTNET (code) not hit, tests=none




So:
a) Botnet wasn't misled by the PTR alias
b) None of the Botnet tests flagged this as a Botnet (the one hit was for
"server words" which would have helped you, not hurt you).



Re: DUL Lists? - OT

Posted by John Rudd <jr...@ucsc.edu>.
Dan Barker wrote:
> I'm receiving a lot of 421 rejects with:
> 
> Unexpected connection response from server:
> 421 mails from 74.254.46.133 refused: local dynamic IP address
> 74.254.46.133"
> 

In case there's any doubt about whether or not the Botnet plugin tripped 
up on the PTR record situation (and someone used that as a basis for a 
tempfail), here's the output of Botnet.pl for that IP address:


% Botnet.pl 74.254.46.133 visioncomm.net
Botnet Version = 0.8
checking IP address: 74.254.46.133
    BOTNET_NORDNS: not hit - mail.visioncomm.net
    BOTNET_BADDNS: not hit - hostname resolves back to ip
       BOTNET_IPINHOSTNAME: not hit
       BOTNET_CLIENTWORDS: not hit
       BOTNET_SERVERWORDS: hit, matches=mail
    BOTNET_CLIENT (meta) not hit
    BOTNET_CLIENT (code) not hit, tests=none
    BOTNET_SOHO: not hit
BOTNET (meta) not hit
BOTNET (code) not hit, tests=none




So:
a) Botnet wasn't misled by the PTR alias
b) None of the Botnet tests flagged this as a Botnet (the one hit was 
for "server words" which would have helped you, not hurt you).