Posted to users@spamassassin.apache.org by Michael Scheidell <mi...@secnap.com> on 2011/07/22 17:50:03 UTC

broken emails from techtarget/crn mag? omeda communications?

any of you subscribed to techtarget or crm emails?

seems on june 16th or 17th, something broke. and I am trying to 
determine if it's something we did or something they did.

headers come in, received, received, then a BIG BLANK LINE, then

DATA DKIM

(it's almost like they shoved an extra DATA\r\n in there. or SA did.. or 
amavisd-new did)

sometimes they are totally blank.

headers (yes, it looks like spam, this one does) but we do have people 
who subscribed to it. notice the blank line after the received header?
if you grep for 205.162.4[0-7]\.* you might see some like this.
(and, no, this is not after microsoft mangles it.. maybe amavisd/sa/dkim 
version 38 does, but I don't know)


Received: from crnnetwork.com (crnnetwork.com [205.162.47.163])
         by mx2.slpowers.com.ionspam.net (Postfix) with ESMTP id 115F06FE15B
         for <us...@domain.com>; Fri, 22 Jul 2011 10:08:50 -0400 (EDT)

DATA
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; 
t=1311343699; d=crnnetwork.com; s=dkim; 
h=date:message-id:from:to:subject:mime-version:content-type:list-unsubscribe; 
bh=WveFEzHxhYkhwXaVxeYtjjm8Q34bjdVex+sTxWOdwXg=; 
b=lL4+c3ymOfW+NTTsa1liqJrB4TPeV5ANFPiFeTkow8XWD796wMJdsCUVh8iNyuThGzngShLI0AByxbZk5g6MmWMNbujzSKf2Tnpm59BcISmOxOsVvUpNSfYO07K2rrqvDlRyiu0SZ6LZz85XAcVJGFHYXYXr1Z+GG6QwByltY4M=; 

Date: Fri, 22 Jul 2011 09:08:19 -0500 (CDT)
Message-ID: 
<4O...@OMS05.crnnetwork.com>
From: CRN <CR...@crnnetwork.com>
Sender: CRN <CR...@crnnetwork.com>
Reply-To: CRN <CR...@crnnetwork.com>
To: user@domain.com
Subject: Confirm Your Free Subscription to CRN Magazine Now
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=----4Oz1ccmceDmcBfmLekDNsxjec.mD
X-MailSessionID: 4Oz1ccmceDmcBfmLekDNsxjec.mD.1311343694695
Referer: http://crnnetwork.com/portal/

------4Oz1ccmceDmcBfmLekDNsxjec.mD

common factors seem to be their ESP

NetRange:       205.162.40.0 - 205.162.47.255
CIDR:           205.162.40.0/21
OriginAS:
NetName:        SPRINTLINK
NetHandle:      NET-205-162-40-0-1
Parent:         NET-205-160-0-0-1
NetType:        Reassigned
RegDate:        2003-11-12
Updated:        2003-11-12
Ref:            http://whois.arin.net/rest/net/NET-205-162-40-0-1

OrgName:        Omeda Communications



-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
 >*| *SECNAP Network Security Corporation

    * Best Mobile Solutions Product of 2011
    * Best Intrusion Prevention Product
    * Hot Company Finalist 2011
    * Best Email Security Product
    * Certified SNORT Integrator


______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________  

Re: broken emails from techtarget/crn mag? omeda communications?

Posted by mouss <mo...@ml.netoyen.net>.
Le 22/07/2011 17:50, Michael Scheidell a écrit :
> any of you subscribed to techtarget or crm emails?
> 
> seems on june 16th or 17th, something broke. and I am trying to
> determine if its something we did or something they did.

no, it's much older than that. I can see a borked one dating back to 25
April 2011 (yeah, I use European date format, not US format).

when they send via
	http://www.omeda.com/careers_environment.html
a borked app sends SMTP commands inside data. so they send a
<CRLF>
DATA
<CRLF>
DKIM-Signature: ....

as _data_.

that ESP is also "forgetting" to expand variables:
Reply-To: "@{from_ttnt}@ Recommends" <no...@lists.techtarget.com>

now, even when they send via other means (for ex 206.19.49.33), their
mail is spammy (html only, bold font, unclickable URLs, ... etc).


so I'd say: all their mail may be blocked. this is probably the only way
to get them to understand how email works...

> 
> headers come in, received, received, then a BIG BLANK LIKE, then
> 
> DATA DKIM
> 
> (its almost like they shoved an extra DATA\r\n in there. or SA did.. or
> amavisd-new did)
> 
> sometimes they are totally blank.


they are never blank. what is blank is what your mailer shows.

> 
> headers (yes, it looks like spam, this one does) but we do have people
> who subscribed to it. notice the blank line after the received header?
> if you grep for 205.162.4[0-7]\.* you might see some like this.
> (and, no, this is not after microsoft mangles it.. maybe amavisd/sa/dkim
> version 38 does, but I don't know)
> 
> 
> Received: from crnnetwork.com (crnnetwork.com [205.162.47.163])
>         by mx2.slpowers.com.ionspam.net (Postfix) with ESMTP id 115F06FE15B
>         for <us...@domain.com>; Fri, 22 Jul 2011 10:08:50 -0400 (EDT)
> 
> DATA
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> t=1311343699; d=crnnetwork.com; s=dkim;
> h=date:message-id:from:to:subject:mime-version:content-type:list-unsubscribe;
> bh=WveFEzHxhYkhwXaVxeYtjjm8Q34bjdVex+sTxWOdwXg=;
> b=lL4+c3ymOfW+NTTsa1liqJrB4TPeV5ANFPiFeTkow8XWD796wMJdsCUVh8iNyuThGzngShLI0AByxbZk5g6MmWMNbujzSKf2Tnpm59BcISmOxOsVvUpNSfYO07K2rrqvDlRyiu0SZ6LZz85XAcVJGFHYXYXr1Z+GG6QwByltY4M=;
> 
> Date: Fri, 22 Jul 2011 09:08:19 -0500 (CDT)
> Message-ID:
> <4O...@OMS05.crnnetwork.com>
> From: CRN <CR...@crnnetwork.com>
> Sender: CRN <CR...@crnnetwork.com>
> Reply-To: CRN <CR...@crnnetwork.com>
> To: user@domain.com
> Subject: Confirm Your Free Subscription to CRN Magazine Now
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary=----4Oz1ccmceDmcBfmLekDNsxjec.mD
> X-MailSessionID: 4Oz1ccmceDmcBfmLekDNsxjec.mD.1311343694695
> Referer: http://crnnetwork.com/portal/
> 
> ------4Oz1ccmceDmcBfmLekDNsxjec.mD
> 
> common factors seem to be their ESP
> 
> NetRange:       205.162.40.0 - 205.162.47.255
> CIDR:           205.162.40.0/21
> OriginAS:
> NetName:        SPRINTLINK
> NetHandle:      NET-205-162-40-0-1
> Parent:         NET-205-160-0-0-1
> NetType:        Reassigned
> RegDate:        2003-11-12
> Updated:        2003-11-12
> Ref:            http://whois.arin.net/rest/net/NET-205-162-40-0-1
> 
> OrgName:        Omeda Communications
> 
> 
> 
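The point mouss makes above ("they are never blank. what is blank is what your mailer shows") is a header-parsing effect: once a stray `DATA` line lands where headers should be, the receiving MTA inserts a blank line in front of it, and every client parser then stops reading headers at that blank line. As an added example (not code from the thread, from SpamAssassin, or from any poster), the Python below builds a constructed message in that shape, shows what a standard parser reports for it, flags the leaked SMTP verb, and removes it for diagnostic purposes so the sender's real header block becomes visible again. All host names, IDs and DKIM values in the sample are placeholders.

```python
import re
from email import policy
from email.parser import BytesParser

# Constructed sample, not the message quoted in the thread: the receiving
# MTA's Received header, the blank line the MTA inserted when it hit a
# non-header line, a stray SMTP "DATA" verb, then the sender's real headers.
BROKEN_RAW = (
    b"Received: from mail.example.invalid (mail.example.invalid [192.0.2.10])\r\n"
    b"\tby mx.example.net (Postfix) with ESMTP id PLACEHOLDERID\r\n"
    b"\tfor <user@example.net>; Fri, 22 Jul 2011 10:08:50 -0400 (EDT)\r\n"
    b"\r\n"
    b"DATA\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; d=example.invalid; s=sel; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    b"From: Sender <sender@example.invalid>\r\n"
    b"Subject: Confirm your subscription\r\n"
    b"\r\n"
    b"body text\r\n"
)

# SMTP verbs that have no business appearing as message content.
SMTP_VERB_RE = re.compile(
    rb"^(?:DATA|RSET|QUIT|NOOP)$|^(?:EHLO|HELO)\s+\S|^(?:MAIL FROM|RCPT TO):",
    re.IGNORECASE,
)


def parse(raw: bytes):
    """Parse the way a mail client does: headers end at the first blank line."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def find_stray_smtp_lines(raw: bytes, lookahead: int = 20):
    """Return (1-based line number, stripped line) for lines near the top of
    the message that look like SMTP commands. Only the first `lookahead`
    lines are checked, since a verb leaked in at DATA time lands there."""
    hits = []
    for n, line in enumerate(raw.split(b"\n")[:lookahead], start=1):
        stripped = line.strip()
        if SMTP_VERB_RE.match(stripped):
            hits.append((n, stripped))
    return hits


def repair(raw: bytes) -> bytes:
    """Diagnostic only: drop each stray verb line and the MTA-inserted blank
    line right before it, so the sender's headers are contiguous again."""
    hits = find_stray_smtp_lines(raw)
    if not hits:
        return raw
    lines = raw.split(b"\n")
    drop = set()
    for n, _ in hits:
        idx = n - 1
        drop.add(idx)
        if idx > 0 and lines[idx - 1].strip() == b"":
            drop.add(idx - 1)
    return b"\n".join(line for i, line in enumerate(lines) if i not in drop)


if __name__ == "__main__":
    broken = parse(BROKEN_RAW)
    print("headers the client sees:", broken.keys())      # only 'Received'
    print("From as the client sees it:", broken["From"])  # None
    print("stray SMTP lines:", find_stray_smtp_lines(BROKEN_RAW))
    fixed = parse(repair(BROKEN_RAW))
    print("From after repair:", fixed["From"])
```

The `repair` step is for looking at what the sender actually put on the wire; it is not something to run in a delivery path, since the message as received is still malformed and the DKIM signature was computed over the sender's copy, not over what arrived.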


Re: solved: Re: broken emails from techtarget/crn mag? omeda communications?

Posted by mouss <mo...@ml.netoyen.net>.
Le 26/07/2011 01:57, Michael Scheidell a écrit :
> On 7/22/11 12:49 PM, Michael Scheidell wrote:
>> On 7/22/11 12:08 PM, Michael Scheidell wrote:
>>> On 7/22/11 12:04 PM, Bret Miller wrote:
>>>> Well, I don't actually subscribe to any active techtarget lists, but
>>>> I do still get marketing garbage from them. Got one on the 19th that
>>>> looked fine here.
>>>>
>> packet captures SEEMS to indicate its them: note the two 'data'
>> statements?
>>
> i have been in contact with marketing vendor. they confirm that they did
> have a new MTA build on the night of 6/15.
> I suspect they are 'pipelining' and not waiting a valid multi-line banner.
> this might only affect you if you use multiline banners:

No multi-line banner here. yet, the borked stuff from techtarget...

and as I said in my other post, this has nothing to do with a "new MTA
... 6/15". they've been sending borked mail for a lot longer...

> 
> 220-Hey, this is a phoney banner, don't spam me
> 220 Email Ready ESMTP
> 
> or use postfix/postscreen with pregreet (phoney 220- banner)
> notice the dash in first one?  mta is NOT supposed to start blasting
> email yet!
>> EHLO mail.officer.com
>> MAIL FROM:<Of...@mail.officer.com>
>> RCPT TO:<us...@domain.com>
>> DATA
>> DATA
>> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
>> t=1311353125; d=mail.officer.com; s=dkim;
>> h=date:message-id:from:to:subject:mime-version:content-type:list-unsubscribe;
>> bh=R0ioSboUdz708ua7iQOcmgvGuTJIMNcLAX0/xUjmq+I=;
>> b=e1N+skXWqY6NGf4Gt9fcbv0nvTffPzktcT6qMG29/XsGFqk4/1MfJdK3C+5IN21C4lwcsliNEzsX+F5yUBzt8kV7j/MhuVxpDSST3XyIQbXsZrs6uuRJ7iGg2A0oqGIUwI+XRVxIjevUqArvxg1V4HLlQyRgWI1wNTw/4nYJQdo=;
>>
>>
>>
>>
> 
> 
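The pipelining theory quoted above turns on how a client decides that a multi-line `220` greeting is finished, and on postscreen's pregreet test, which scores a client that talks before the greeting is complete. As an added example (not code from the thread, from Postfix, or from any poster), the Python below reads SMTP replies the way RFC 5321 section 4.2 requires (a hyphen in the fourth column means more lines follow) and checks a session transcript for client lines sent too early. The banner is the one from the post; the host names and the transcripts are constructed to illustrate the symptom Michael describes, not a record of what the sender actually did (mouss disputes that reading above).

```python
import re
from typing import Iterator, List, Tuple

# RFC 5321 section 4.2: "ddd-text" continues a multi-line reply,
# "ddd text" (or a bare "ddd") is the final line of the reply.
REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")


def parse_reply_line(line: str) -> Tuple[int, bool, str]:
    """Return (code, is_final, text) for one reply line; ValueError if malformed."""
    m = REPLY_LINE.match(line)
    if not m:
        raise ValueError(f"malformed SMTP reply line: {line!r}")
    code, sep, text = int(m.group(1)), m.group(2), m.group(3) or ""
    return code, sep != "-", text


def read_reply(lines: Iterator[str]) -> Tuple[int, List[str]]:
    """Consume lines until the reply is complete, which is what a client must
    do before sending its next command. Returns (code, text lines)."""
    code, texts = None, []
    for line in lines:
        this_code, final, text = parse_reply_line(line)
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError("reply code changed inside a multi-line reply")
        texts.append(text)
        if final:
            return code, texts
    raise ValueError("connection closed in the middle of a reply")


# The two-line greeting from the post (a postscreen-style "220-" banner).
BANNER = [
    "220-Hey, this is a phoney banner, don't spam me",
    "220 Email Ready ESMTP",
]


def pregreet_offenders(transcript: List[Tuple[str, str]]) -> List[str]:
    """transcript: ("S", line) / ("C", line) events in arrival order.
    Returns every client line sent before the server's greeting was complete,
    the behaviour postscreen's pregreet test penalises."""
    greeting_done = False
    offenders = []
    for who, line in transcript:
        if who == "S":
            if not greeting_done and parse_reply_line(line)[1]:
                greeting_done = True
        elif not greeting_done:
            offenders.append(line)
    return offenders


# Constructed transcript: a client that treated the first "220-" line as the
# whole greeting and started sending at once (host names are placeholders).
PIPELINED_TRANSCRIPT = [
    ("S", BANNER[0]),
    ("C", "EHLO mail.example.invalid"),
    ("C", "MAIL FROM:<list@mail.example.invalid>"),
    ("C", "RCPT TO:<user@example.net>"),
    ("C", "DATA"),
    ("S", BANNER[1]),
]

# Constructed transcript of a client that waited for the final "220 " line.
WELL_BEHAVED_TRANSCRIPT = [
    ("S", BANNER[0]),
    ("S", BANNER[1]),
    ("C", "EHLO mail.example.invalid"),
]


if __name__ == "__main__":
    print("first banner line ends the reply?", parse_reply_line(BANNER[0])[1])
    print("full greeting:", read_reply(iter(BANNER)))
    print("pregreet offenders:", pregreet_offenders(PIPELINED_TRANSCRIPT))
    print("well-behaved offenders:", pregreet_offenders(WELL_BEHAVED_TRANSCRIPT))
```

A client that only ever reads one line per reply would accept the first banner line as the whole greeting; the `read_reply` loop is the check that prevents that, and `pregreet_offenders` is the receiving side's view of the same mistake.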


solved: Re: broken emails from techtarget/crn mag? omeda communications?

Posted by Michael Scheidell <mi...@secnap.com>.
On 7/22/11 12:49 PM, Michael Scheidell wrote:
> On 7/22/11 12:08 PM, Michael Scheidell wrote:
>> On 7/22/11 12:04 PM, Bret Miller wrote:
>>> Well, I don't actually subscribe to any active techtarget lists, but 
>>> I do still get marketing garbage from them. Got one on the 19th that 
>>> looked fine here.
>>>
> packet captures SEEMS to indicate its them: note the two 'data' 
> statements?
>
I have been in contact with marketing vendor. they confirm that they did 
have a new MTA build on the night of 6/15.
I suspect they are 'pipelining' and not waiting for a valid multi-line banner.
this might only affect you if you use multiline banners:

220-Hey, this is a phoney banner, don't spam me
220 Email Ready ESMTP

or use postfix/postscreen with pregreet (phoney 220- banner)
notice the dash in the first one?  mta is NOT supposed to start blasting 
email yet!
> EHLO mail.officer.com
> MAIL FROM:<Of...@mail.officer.com>
> RCPT TO:<us...@domain.com>
> DATA
> DATA
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; 
> t=1311353125; d=mail.officer.com; s=dkim; 
> h=date:message-id:from:to:subject:mime-version:content-type:list-unsubscribe; 
> bh=R0ioSboUdz708ua7iQOcmgvGuTJIMNcLAX0/xUjmq+I=; 
> b=e1N+skXWqY6NGf4Gt9fcbv0nvTffPzktcT6qMG29/XsGFqk4/1MfJdK3C+5IN21C4lwcsliNEzsX+F5yUBzt8kV7j/MhuVxpDSST3XyIQbXsZrs6uuRJ7iGg2A0oqGIUwI+XRVxIjevUqArvxg1V4HLlQyRgWI1wNTw/4nYJQdo=; 
>
>
>
>


-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
 >*| *SECNAP Network Security Corporation


Re: broken emails from techtarget/crn mag? omeda communications?

Posted by Michael Scheidell <mi...@secnap.com>.
On 7/22/11 12:08 PM, Michael Scheidell wrote:
> On 7/22/11 12:04 PM, Bret Miller wrote:
>> Well, I don't actually subscribe to any active techtarget lists, but 
>> I do still get marketing garbage from them. Got one on the 19th that 
>> looked fine here.
>>
packet captures SEEM to indicate it's them: note the two 'data' statements?

EHLO mail.officer.com
MAIL FROM:<Of...@mail.officer.com>
RCPT TO:<us...@domain.com>
DATA
DATA
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; 
t=1311353125; d=mail.officer.com; s=dkim; 
h=date:message-id:from:to:subject:mime-version:content-type:list-unsubscribe; 
bh=R0ioSboUdz708ua7iQOcmgvGuTJIMNcLAX0/xUjmq+I=; 
b=e1N+skXWqY6NGf4Gt9fcbv0nvTffPzktcT6qMG29/XsGFqk4/1MfJdK3C+5IN21C4lwcsliNEzsX+F5yUBzt8kV7j/MhuVxpDSST3XyIQbXsZrs6uuRJ7iGg2A0oqGIUwI+XRVxIjevUqArvxg1V4HLlQyRgWI1wNTw/4nYJQdo=; 




-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
 >*| *SECNAP Network Security Corporation


Re: broken emails from techtarget/crn mag? omeda communications?

Posted by Michael Scheidell <mi...@secnap.com>.
On 7/22/11 12:04 PM, Bret Miller wrote:
> Well, I don't actually subscribe to any active techtarget lists, but I 
> do still get marketing garbage from them. Got one on the 19th that 
> looked fine here.
>
> Bret
I am running a packet capture on one of our larger clients, looking for 
their net.  I'll see if they sent it wrong.

best I can tell:

6/15/ 1605 edt good
6/15/ 1900 edt no good.
I am also running some checks for files that changed in that 3 hour 
period. maybe updated something that broke (some) dkim signed emails.




-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
 >*| *SECNAP Network Security Corporation


Re: broken emails from techtarget/crn mag? omeda communications?

Posted by Bret Miller <br...@gci.org>.
Well, I don't actually subscribe to any active techtarget lists, but I 
do still get marketing garbage from them. Got one on the 19th that 
looked fine here.

Bret

On 7/22/2011 8:50 AM, Michael Scheidell wrote:
> any of you subscribed to techtarget or crm emails?
>
> seems on june 16th or 17th, something broke. and I am trying to 
> determine if its something we did or something they did.
>
> headers come in, received, received, then a BIG BLANK LIKE, then
>
> DATA DKIM
>
> (its almost like they shoved an extra DATA\r\n in there. or SA did.. 
> or amavisd-new did)
>
> sometimes they are totally blank.
>
> headers (yes, it looks like spam, this one does) but we do have people 
> who subscribed to it. notice the blank line after the received header?
> if you grep for 205.162.4[0-7]\.* you might see some like this.
> (and, no, this is not after microsoft mangles it.. maybe 
> amavisd/sa/dkim version 38 does, but I don't know)
>
>
> Received: from crnnetwork.com (crnnetwork.com [205.162.47.163])
>         by mx2.slpowers.com.ionspam.net (Postfix) with ESMTP id 
> 115F06FE15B
>         for <us...@domain.com>; Fri, 22 Jul 2011 10:08:50 -0400 (EDT)
>
> DATA
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; 
> t=1311343699; d=crnnetwork.com; s=dkim; 
> h=date:message-id:from:to:subject:mime-version:content-type:list-unsubscribe; 
> bh=WveFEzHxhYkhwXaVxeYtjjm8Q34bjdVex+sTxWOdwXg=; 
> b=lL4+c3ymOfW+NTTsa1liqJrB4TPeV5ANFPiFeTkow8XWD796wMJdsCUVh8iNyuThGzngShLI0AByxbZk5g6MmWMNbujzSKf2Tnpm59BcISmOxOsVvUpNSfYO07K2rrqvDlRyiu0SZ6LZz85XAcVJGFHYXYXr1Z+GG6QwByltY4M=; 
>
> Date: Fri, 22 Jul 2011 09:08:19 -0500 (CDT)
> Message-ID: 
> <4O...@OMS05.crnnetwork.com>
> From: CRN <CR...@crnnetwork.com>
> Sender: CRN <CR...@crnnetwork.com>
> Reply-To: CRN <CR...@crnnetwork.com>
> To: user@domain.com
> Subject: Confirm Your Free Subscription to CRN Magazine Now
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary=----4Oz1ccmceDmcBfmLekDNsxjec.mD
> X-MailSessionID: 4Oz1ccmceDmcBfmLekDNsxjec.mD.1311343694695
> Referer: http://crnnetwork.com/portal/
>
> ------4Oz1ccmceDmcBfmLekDNsxjec.mD
>
> common factors seem to be their ESP
>
> NetRange:       205.162.40.0 - 205.162.47.255
> CIDR:           205.162.40.0/21
> OriginAS:
> NetName:        SPRINTLINK
> NetHandle:      NET-205-162-40-0-1
> Parent:         NET-205-160-0-0-1
> NetType:        Reassigned
> RegDate:        2003-11-12
> Updated:        2003-11-12
> Ref: http://whois.arin.net/rest/net/NET-205-162-40-0-1
>
> OrgName:        Omeda Communications
>
>