The refusal by an ISP to accept a bounce message (one with an empty envelope sender) is increasingly rare these days, but occasionally we do see it. This is always a bad idea:
H=mx01.csx1.net [38.103.192.105] … SMTP error from remote mail server after pipelined DATA: 550 Empty envelope senders not allowed
The sender of the message (their client, remember) will never find out that the email has not been delivered. In this case the mail was being forwarded, so it's impossible for us to do any better than accept the mail and then test the recipient address by trying a delivery. We had to delete the bounce message — there was nowhere to send it.
TFL are rejecting authenticated mail relayed through our servers due to one of the SMTP Received: headers containing an IP address listed at Spamhaus. In this case, it's the mistaken & inadvertent use of the Spamhaus PBL where the error lies.
A majority of e-mail sent from a home broadband connection will contain an IP listed in the PBL.
TFL (or is it Capita?) are wrongly using the Spamhaus ZEN blocklist, which is an aggregate of all the lists maintained by Spamhaus. This includes the PBL.
Here's the rejection message:
REDACTED@tflcc.co.uk
host smtp.tflcc.co.uk [80.82.130.162]
SMTP error from remote mail server after end of data:
550 5.7.1 92.40.249.10 listed at zen.spamhaus.org
The IP address TFL take an exception to is [92.40.249.10], which is indeed listed in the PBL. The crucial thing is that this IP has not connected to TFL's servers at all. Instead it has been plucked from the trace headers included in the message.
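The distinction described above, as an added example (not code from this site or from TFL): the full ZEN set is applied only to the IP that actually connected, while addresses pulled from Received: headers are never judged against the PBL. The relay address, the header text and the DNSBL answers are constructed; the return-code groupings follow Spamhaus's published 127.0.0.x scheme.

```python
import re

# Spamhaus ZEN answers 127.0.0.x; the last octet says which component list hit.
SBL, XBL, PBL = {2, 3}, {4, 5, 6, 7}, {10, 11}
CONNECTING_LISTS = SBL | XBL | PBL   # full ZEN is fine for the peer that connected
HEADER_LISTS = SBL                   # never PBL for header IPs; leaving XBL out too
                                     # is a conservative choice of this example

# Constructed sample: authenticated submission from a PBL-listed broadband IP,
# relayed by a smarthost at 192.0.2.25 (documentation address, hypothetical).
HEADERS = """Received: from relay.example.net ([192.0.2.25]) by smtp.tflcc.co.uk
Received: from laptop ([92.40.249.10]) by relay.example.net with esmtpsa
"""
# Constructed DNSBL answers standing in for real DNS queries.
LISTED = {"10.249.40.92.zen.spamhaus.org": {10},
          "7.100.51.198.zen.spamhaus.org": {2}}


def zen_name(ip):
    """Query name for an IPv4 address: octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + ".zen.spamhaus.org"


def received_ips(headers):
    """Bracketed IPv4 literals found in the header text."""
    return re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", headers)


def verdict(connecting_ip, headers, lookup=lambda n: LISTED.get(n, set())):
    """Return (action, offending_ip). lookup(name) -> set of last octets."""
    if lookup(zen_name(connecting_ip)) & CONNECTING_LISTS:
        return "reject", connecting_ip
    for ip in received_ips(headers):
        if ip != connecting_ip and lookup(zen_name(ip)) & HEADER_LISTS:
            return "reject", ip
    return "accept", None
```

With the constructed data, the relayed message is accepted even though 92.40.249.10 appears in its trace headers, and the same address is rejected only when it is the connecting peer.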
Here’s a phish, sent by: mail14-co9on0066.outbound.messaging.microsoft.com [157.56.211.66] seconds ago:
From: Barclays Bank PLC
Subject: Important Information From Barclays!
You have not used the telephone banking service for some
time now and this could lead to a temporary de-activation
of your access to this service.
In order to ensure your continued usage of the service and
other services such as the internet banking, please follow
the steps below :
Click here to begin
© 2014 Barclays Bank.
All Rights Reserved
We've trapped a couple of mails from Gmail containing malware, in the form of an attachment called "Payment.rar", "document.rar" or "INVOICES.rar"; within that file is a Windows ".scr" or ".exe" executable. The text is like this (sic):
Dear Sir/Ma
Please check attachment for the confirmation of the part payment into your account. Thanks for your patient and we sincerely apologize for the delay. Please find swift message for the payment made via attachment and confirm back.
--
Thanks & Regard,
Rohitashwa K. Mishra,
Senior Journalist,
Dainik Bhaskar Group.
Or perhaps like this, received from mail-vc0-f194.google.com [209.85.220.194] on Tue, 29 Oct 2013 06:12:01 (sic):
Dear sir ,
Regarding to the previous order i made in your company , the goods shipped
to me are not exactly what i purchased, the attachments are the slip of
the payment i made and sample of the products i need if you have them give
me feedback and the new account so that i`ll make the next payment as you
told me .
thanks.
Of little importance in the great scheme of things, but MessageLabs are currently rejecting reports sent to LloydsTSB's reporting address:
2013-07-08 09:08:18 ** emailscams@lloydstsb.REDACTED SMTP error from remote mail server after end of data:
host cluster1.eu.messagelabs.com [195.245.230.115]:
553-Message filtered. Please see the FAQs section on spam
553-at http://www.messagelabs.com/support/ for more
553 information. (#5.7.1)
It's a mystery to us why companies that send mail don't seem to care if it's ever delivered.
Yesterday I dealt with mail from the domain: credit.trade.co.uk. Our servers refuse mail from this domain as it is invalid:
~# host credit.trade.co.uk
Host credit.trade.co.uk not found: 3(NXDOMAIN)
We've just forwarded a spam report to the Bell South (part of AT&T) abuse address and got this for our trouble:
abuse@REDACTED
SMTP error from remote mail server after initial connection:
host gateway-f1.isp.att.net [204.127.217.16]:
550-77.74.196.254 blocked by ldap:ou=rblmx,dc=att,dc=net
550 Error - Blocked for abuse. See http://att.net/blocks
As most Sky mail customers will be only too aware by now, Sky are transferring their service from Gmail to Yahoo!
So far the change, which started on the 4th April, has not exactly gone smoothly.
One legacy from the Gmail service is the SPF record for sky.com:
"v=spf1 ip4:87.86.189.0/25 include:aspmx.googlemail.com a:im3.sky.com mx:sky.com include:sendgrid.net ~all"
which has not been updated to reflect the new status.
Our customers may experience delays on mail from non-whitelisted @sky.com addresses as a result.
Sky.com mail users must now take additional precautions to secure their account.
A quick note that our servers are rejecting mail from calendarnotification(AT)email.microsoft.com as they currently fail Microsoft's own SPF policy for email.microsoft.com.
These mails could be bogus or could be genuine. The SPF error is what makes our decision to reject an easy one.
Currently the SPF record reads:
"v=spf1 mx:email.microsoft.com ip4:207.46.222.193/26 include:_spf-ssg-a.microsoft.com -all"
and mails are being sent from: 65.54.190.226 (bay0-omc4-s24.bay0.hotmail.com).
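How a receiving server reaches the reject decision described above, as an added example (not this site's own code): a small evaluator for the ip4, a, mx, include and all mechanisms, run against the email.microsoft.com record quoted above. The DNS answers in ZONE are constructed stand-ins, not the real records behind those names; the same function returns softfail rather than fail for a record that ends in ~all, as the sky.com record quoted earlier does.

```python
import ipaddress

# Constructed stand-in for DNS: documentation-range addresses, NOT the real
# records behind these names. Swap in a real resolver to evaluate live data.
ZONE = {
    ("email.microsoft.com", "MX"): ["192.0.2.10"],
    ("_spf-ssg-a.microsoft.com", "TXT"): "v=spf1 ip4:192.0.2.64/26 -all",
}
RECORD = ("v=spf1 mx:email.microsoft.com ip4:207.46.222.193/26 "
          "include:_spf-ssg-a.microsoft.com -all")   # as quoted on this page
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip, domain, zone=ZONE, depth=0):
    """Evaluate ip4/a/mx/include/all left to right; the first match decides."""
    if depth > 10:
        return "permerror"          # guard against include loops
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in RESULTS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            return RESULTS[qual]
        if mech == "ip4":
            # strict=False: the page's record has host bits set (.193/26)
            hit = ip in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx"):
            hit = client_ip in zone.get((arg or domain, mech.upper()), [])
        elif mech == "include":
            if (arg, "TXT") not in zone:
                return "permerror"  # include target publishes no SPF record
            inner = check_spf(zone[(arg, "TXT")], client_ip, arg, zone, depth + 1)
            hit = inner == "pass"   # only a pass from the included policy matches
        else:
            continue                # terms outside this sketch are skipped
        if hit:
            return RESULTS[qual]
    return "neutral"                # nothing matched and no "all" term
```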
Following a single complaint from our incoming server MX5 (which forwards no other mail into AOL), AOL in their wisdom have blocked the server:
554 CON:B1 The IP address has been blocked due to a spike in unfavorable e-mail statistics.
We are tmpfailing AOL's servers on MX5 so messages will be delivered to the alternative server and so we can still continue to report abuse to AOL. Here is the message in full (with some redaction) which we wish to report as spam:
UPDATE 17th June: Our server just rejected a spam sent via a Yahoo! server from <bigbiglottocompany@gmail.com>.
You do wonder sometimes. Why on earth are Yahoo! sending SPAM on behalf of these users of other webmail services: hotmail.fr, hotmail.com, gmail.com, rediffmail.com, live.com?
These are sender domains strained from our recent logs and are associated with connections from yahoo.com servers.