Fri, Mar 30, 2018 10:23 pm

Cloudmark CSI IP Reputation Remediation

I manage an email server that uses an Atlantic Broadband SMTP server as a smart host. I maintain a mailing list on the server that currently has about 1,300 email addresses. Each month someone sends a monthly newsletter to the email addresses in that list; the people associated with those addresses are all members of a retirees organization and have all indicated they wish to receive that organization's newsletter. Usually, the newsletter is transmitted without problems, but occasionally I will find that email transmitted from the server is silently discarded with no bounced email indicating why that is occurring. Though that doesn't occur often, when it does, it usually occurs when the newsletter is sent. When the problem occurs, as it did yesterday, I have to request that the IP address of my server be unblocked. Initially, I would call the ISP's phone support number, i.e., an Atlantic Broadband support number, but they would in turn have to contact their email service provider, since the email service they provide is outsourced to Echo Labs, as I found from examining email headers - see Email sent via an Atlantic Broadband SMTP server not being delivered. But I found that I could get the block removed more quickly if I submitted a request through Cloudmark, an anti-spam company co-founded by Vipul Ved Prakash and Napster's co-founder Jordan Ritter, which provides an anti-spam service used by Echo Labs.


Fri, Jun 03, 2016 10:41 pm

Email sent via an Atlantic Broadband SMTP server not being delivered

I received a report from a couple of users that email they were sending wasn't being delivered to recipients, though they weren't receiving any bounced messages or any indication that their email was not being delivered. Their email clients were sending email to smtp.atlanticbb.net. When I sent email from the same IP address to that Atlantic Broadband Simple Mail Transfer Protocol (SMTP) server addressed to several email accounts I maintain for email troubleshooting on a number of free email services, such as Gmail, none of them reached their destinations, even though as far as the email client was concerned, they were successfully delivered to the Atlantic Broadband SMTP server.

Examining the message headers from an email sent from a tech support person at Atlantic Broadband, whom I contacted on June 1 regarding the problem, to my Gmail account (see Viewing message headers in Gmail), I learned that Atlantic Broadband uses Echo Labs to handle their email. I saw the following in the message headers:

Received: from cluster1.echolabs.net (mail.atlanticbb.net. [38.111.141.32])
        by mx.google.com with ESMTP id l144si10145927ybf.89.2016.06.01.19.40.53


Wed, Apr 08, 2009 10:48 pm

Swinog DNSRBL

I added the Swinog DNSRBL to the list of DNS Blacklists (DNSBLs) that I have sendmail check on my email server. To do so, I added FEATURE(`dnsbl',`dnsrbl.swinog.ch',`550 Spam Block: mail from $&{client_addr} refused - see http://antispam.imp.ch/spamikaze/remove.php')dnl to /etc/mail/sendmail.mc. I now have the following DNSBLs listed in that file:
FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl', `bl.csma.biz', `550 Spam Block: mail from $&{client_addr} refused - See http://bl.csma.biz/')dnl
FEATURE(`dnsbl', `sbl.spamhaus.org', `550 Spam Block: mail from $&{client_addr} refused - See http://www.spamhaus.org/sbl/')dnl
FEATURE(`dnsbl', `psbl.surriel.com', `550 Spam Block: mail from $&{client_addr} refused - see http://psbl.surriel.com/')dnl
FEATURE(`dnsbl',`dnsbl.sorbs.net',`550 Spam Block: mail from $&{client_addr} refused - see http://dnsbl.sorbs.net/')dnl
FEATURE(`dnsbl',`dnsrbl.swinog.ch',`550 Spam Block: mail from $&{client_addr} refused - see http://antispam.imp.ch/spamikaze/remove.php')dnl

After adding the entry for the Swinog RBL, I generated a sendmail.cf file from sendmail.mc and restarted sendmail.

# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# /etc/init.d/sendmail restart

I checked /var/log/maillog just moments after adding that blacklist and found it had blocked spam:

# grep 'antispam.imp.ch' /var/log/maillog
Apr  8 21:16:57 frostdragon sendmail[15676]: n391GuGi015676: ruleset=check_rcpt, arg1=<broderbundxxxxxx@moonpoint.com>, relay=65-75-229-245.dsl.ctcn.net [65.75.229.245] (may be forged), reject=550 5.7.1 <broderbundxxxxxx@moonpoint.com>... Spam Block:mail from 65.75.229.245 refused - see http://antispam.imp.ch/spamikaze/remove.php

The Swinog DNSBL blocked email to an email address that I used on December 8, 2004 when I registered software with Brøderbund Software. I never used that email address for any other purpose. Usually, when I'm providing an email address to any company, I don't use my primary email address, but instead create an alias for that address that points to my primary email address. So, if I start getting a lot of spam addressed to the alias, I can just invalidate the alias. And, since the aliases I create are not ones a spammer would use if the spammer was employing a name dictionary attack, i.e. guessing likely names, I know that the company has provided the email address I gave them to a spammer. So I know the spammer got the address above, which I've changed for any spam spiders that may crawl across this page, from Brøderbund Software or one of the companies that subsequently owned Brøderbund Software.

The Wikipedia article on the company at Brøderbund lists the following history of corporate ownership for Brøderbund.

Brøderbund was purchased by The Learning Company in 1998 for about USD$420 million in stock. Ironically, Brøderbund had initially attempted to purchase the original The Learning Company in 1995, but was outbid by Softkey, who purchased The Learning Company for $606 million in cash and then adopted its name. In a move to rationalize costs, The Learning Company promptly terminated 500 employees at Brøderbund the same year, representing 42% of the company's workforce. Then in 1999 the combined company was bought by Mattel for $3.6 billion. Mattel reeled from the financial impact of this transaction, and Jill Barad, the CEO, ended up being forced out in a climate of investor outrage. Mattel then gave away The Learning Company in September 2000 to Gores Technology Group, a private acquisitions firm, for a share of whatever Gores could obtain by selling the company. In 2001, Gores sold The Learning Company's entertainment holdings to Ubisoft, and most of the other holdings, including the Brøderbund name, to Irish company Riverdeep. Currently, all of Brøderbund's games, such as the Myst series, are published by Ubisoft.

I suspect that it wasn't just my email address that was sold to spammers. Probably Brøderbund's entire mailing list was sold by either Brøderbund or one of the companies that acquired it, though, of course there is a possibility it could just have been an employee of one of the companies trying to make some easy cash or one who was losing a job as his or her company was acquired by another company, who could have been looking to compensate for lost wages.

The address is still being used by spammers over four years later, even though the address has probably not been valid for over a year. Unfortunately, I don't remember when I first started getting spam addressed to that email address.

After having a hernia operation recently, I noticed I've been getting spam on a fairly regular basis suggesting I might want to use the legal services mentioned in the spam if I wanted to sue for any problems related to the patch used in the surgery. I don't remember seeing any of this type of message previously, though it's possible that I might have received such messages, but they never registered in my consciousness then as I deleted spam. But I'm wondering now if someone at the office of the doctor who performed the surgery sold my email address. I believe I did put my primary email address on a form I filled out at the doctor's office. If I had used an alias, I would know for certain, if that was the case.


Sun, Jun 10, 2007 9:27 pm

Email From 166.102.165.166 and 65.54.246.172 Rejected

A family member reported that someone who had tried to send email to her received a bounced message indicating the email was blocked because of antispam provisions. I checked all email from the sender's email address using the find-recipients Perl script I created for such purposes. I saw that one message she sent was rejected and one accepted.

# ./find-recipients.pl wendyvi21@alltel.net /var/log/maillog
Found 2 messages from wendyvi21@alltel.net in /var/log/maillog

Message recipients

Time            Message ID     Status        Recipient
----------------------------------------------------------------
Jun 10 07:58:02 l5ABupmb001042 Rejected      kittycat321@moonpoint.com
Jun 10 08:05:03 l5AC3omb001081 Sent          kittycat321@moonpoint.com

When I checked the /var/log/maillog file for those two message IDs, I found that the first message had been blocked by the Spam and Open-Relay Blocking System (SORBS) blocklist. SORBS is a DNS Blacklist (DNSBL).
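The script referred to above is the author's own Perl tool and is not reproduced on this page. The following is an added Python example, not the author's code, showing the technique it relies on: sendmail logs the envelope sender (from=), each recipient (to= with stat=), and any recipient-stage rejection (ruleset=check_rcpt ... reject=) on separate lines that share a queue ID, so the lines have to be joined on that ID to answer "what happened to mail from this sender?". It also pulls out the reject= text, which is where the DNSBL name appears, as in the Swinog grep output earlier on this page. The log lines are constructed to mimic the page's sendmail format and are not real traffic.

```python
"""Correlate sendmail maillog lines by queue ID and report, for one envelope
sender, every recipient with its Sent/Rejected status and any reject reason.

Added example, not the page's find-recipients.pl.  SAMPLE_MAILLOG is a
constructed sample in the sendmail key=value log format shown on the page.
"""
import re

# Constructed sample of /var/log/maillog (hostnames/IPs taken from the page).
SAMPLE_MAILLOG = """\
Jun 10 07:58:02 frostdragon sendmail[1042]: l5ABupmb001042: ruleset=check_rcpt, arg1=<kittycat321@moonpoint.com>, relay=ispmxmta05-srv.windstream.net [166.102.165.166], reject=550 5.7.1 <kittycat321@moonpoint.com>... Spam Block: mail from 166.102.165.166 refused - see http://dnsbl.sorbs.net/
Jun 10 07:58:02 frostdragon sendmail[1042]: l5ABupmb001042: from=<wendyvi21@alltel.net>, size=0, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=ispmxmta05-srv.windstream.net [166.102.165.166]
Jun 10 08:05:03 frostdragon sendmail[1081]: l5AC3omb001081: from=<wendyvi21@alltel.net>, size=2048, class=0, nrcpts=1, msgid=<200706101205.l5AC3omb001081@alltel.net>, proto=ESMTP, daemon=MTA, relay=ispmxmta09-srv.windstream.net [166.102.165.170]
Jun 10 08:05:03 frostdragon sendmail[1083]: l5AC3omb001081: to=<kittycat321@moonpoint.com>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32048, dsn=2.0.0, stat=Sent
Jun 10 09:12:44 frostdragon sendmail[1101]: l5AD8cmb001101: from=<other@example.net>, size=100, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [192.0.2.10]
Jun 10 09:12:45 frostdragon sendmail[1102]: l5AD8cmb001101: to=<bob@moonpoint.com>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=30100, dsn=2.0.0, stat=Sent
"""

# syslog timestamp, host, "sendmail[pid]:", queue ID, then the key=value part
LINE_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$"
)


def parse_fields(rest):
    """Turn 'k=v, k=v, reject=free text' into a dict.  The reject= value is
    free text that may itself contain ', ', so everything after it is kept
    as one field instead of being split."""
    fields = {}
    head, sep, reject = rest.partition("reject=")
    for item in head.rstrip(", ").split(", "):
        key, eq, value = item.partition("=")
        if eq:
            fields[key] = value
    if sep:
        fields["reject"] = reject
    return fields


def strip_angle(addr):
    return addr.strip().strip("<>")


def parse_maillog(text):
    """Group lines by queue ID.  Each entry holds the envelope sender, the
    relay, and a list of (status, recipient, detail) tuples in log order."""
    messages = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line from another daemon, or not in sendmail format
        qid = m.group("qid")
        entry = messages.setdefault(
            qid, {"time": m.group("time"), "from": None, "relay": None, "rcpts": []}
        )
        f = parse_fields(m.group("rest"))
        if "from" in f:
            entry["from"] = strip_angle(f["from"]).lower()
            entry["relay"] = f.get("relay")
        if "to" in f:
            # a delivery line may name several recipients: to=<a>,<b>
            for rcpt in f["to"].split(","):
                entry["rcpts"].append((f.get("stat", "?"), strip_angle(rcpt), ""))
        if "reject" in f:
            # recipient-stage rejection (e.g. a DNSBL hit): arg1 is the
            # recipient, reject= is the SMTP reply naming the list
            entry["rcpts"].append(("Rejected", strip_angle(f.get("arg1", "")), f["reject"]))
            entry["relay"] = entry["relay"] or f.get("relay")
    return messages


def find_recipients(sender, text):
    """Return [(time, qid, status, recipient, detail)] for every message whose
    envelope sender matches `sender`, in the order the messages were logged."""
    sender = sender.lower()
    rows = []
    for qid, e in parse_maillog(text).items():
        if e["from"] != sender:
            continue
        for status, rcpt, detail in e["rcpts"]:
            rows.append((e["time"], qid, status, rcpt, detail))
    return rows


if __name__ == "__main__":
    rows = find_recipients("wendyvi21@alltel.net", SAMPLE_MAILLOG)
    print(f"Found {len(rows)} recipient entries")
    print(f"{'Time':15} {'Message ID':15} {'Status':9} Recipient")
    for time, qid, status, rcpt, detail in rows:
        print(f"{time:15} {qid:15} {status:9} {rcpt}")
        if detail:
            print(f"    reason: {detail}")
```

Run against a real /var/log/maillog by reading the file into `find_recipients` instead of `SAMPLE_MAILLOG`; the reject text tells you which list produced the block, which is the first thing to know before deciding whether to whitelist the relay in the access file or drop the list.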

The message that was rejected was from ispmxmta05-srv.windstream.net [166.102.165.166], while the one that was accepted was from ispmxmta09-srv.windstream.net [166.102.165.170].

When I checked the SORBS list, it appeared that 166.102.165.166 had been there for at least a week due to SORBS detecting spam originating from the email server at that address.

Database of servers sending to spamtrap addresses
Address:166.102.165.166
Record Created:Tue Apr 17 01:00:04 2007 GMT
Record Updated:Mon Jun 4 01:00:03 2007 GMT
Additional Information: [ Updated via: Spam 'o Matic ] Received: from ispmxmta05-srv.windstream.net (ispmxmta05-srv.windstream.net [166.102.165.166]) by desperado.sorbs.net (Postfix) with ESMTP id EE4311144D for <[email]>; Mon, 04 Jun 2007 10:40:27 +1000 (EST)
Currently active and flagged to be published in DNS

But when I looked up the other IP address, 166.102.165.170, it appeared it was also in the SORBS blocklist.

Database of servers sending to spamtrap addresses
Address:166.102.165.170
Record Created:Tue Oct 4 13:04:20 2005 GMT
Record Updated:Thu Apr 26 04:41:17 2007 GMT
Additional Information: Received: from ispmxmta09-srv.windstream.net (ispmxmta09-srv.windstream.net [166.102.165.170]) by desperado.sorbs.net (Postfix) with ESMTP id 69DC21143A for <[email]>; Sat, 10 Feb 2007 13:52:40 +1000 (EST)
Currently active and flagged to be published in DNS

When I queried the SORBS database through the SORBS Database Lookup webpage, it appeared both addresses were present in the SORBS blocklist, yet when I used blq to query the SORBS blocklist, I found only the first .166 address listed and not the .170 address, which was consistent with Sendmail's rejection of the first message, but not the second one.

# ./blq sorbs 166.102.165.166
166.102.165.166 ispmxmta05-srv.windstream.net : dnsbl.sorbs.net : BLOCKED
# ./blq sorbs 166.102.165.170
166.102.165.170 ispmxmta09-srv.windstream.net : dnsbl.sorbs.net : ok

I received another report from a Hotmail sender that she was finding email rejected as well. I went through the same process as above. Again the SORBS website database query seemed to indicate that both addresses would be blocked, but using blq showed only one was blocked, which matched the entries I found in today's maillog file with the first message from the sender being rejected and the second accepted. The first was from bay0-omc2-s36.bay0.hotmail.com [65.54.246.172] and the second from bay0-omc2-s37.bay0.hotmail.com [65.54.246.173].

When performing a database check via the website, I saw the following for the IP address from which a message was rejected:

Database of servers sending to spamtrap addresses
Address:65.54.246.172
Record Created:Thu Aug 3 02:30:03 2006 GMT
Record Updated:Sat Jun 9 09:00:04 2007 GMT
Additional Information: [ Updated via: Spam 'o Matic ] Received: from bay0-omc2-s36.bay0.hotmail.com (bay0-omc2-s36.bay0.hotmail.com [65.54.246.172]) by desperado.sorbs.net (Postfix) with ESMTP id 7EE241147D for <[email]>; Sat, 09 Jun 2007 18:33:28 +1000 (EST)
Currently active and flagged to be published in DNS

But I also saw the following for the IP address of the server from which a message was accepted:

Database of servers sending to spamtrap addresses
Address:65.54.246.173
Record Created:Fri Aug 4 13:53:11 2006 GMT
Record Updated:Sat Mar 3 08:00:34 2007 GMT
Additional Information: [ Updated via: Spam 'o Matic ] Received: from bay0-omc2-s37.bay0.hotmail.com (bay0-omc2-s37.bay0.hotmail.com [65.54.246.173]) by desperado.sorbs.net (Postfix) with ESMTP id 8E17F114AE for <[email]>; Wed, 28 Feb 2007 21:44:25 +1000 (EST)
Currently active and flagged to be published in DNS

Again, the information returned didn't seem to be consistent with what a blq query returned:

# ./blq sorbs 65.54.246.172
65.54.246.172 bay0-omc2-s36.bay0.hotmail.com : dnsbl.sorbs.net : BLOCKED
# ./blq sorbs 65.54.246.173
65.54.246.173 bay0-omc2-s37.bay0.hotmail.com : dnsbl.sorbs.net : ok

So the results I obtained through the website query don't seem to accurately reflect what will be blocked, if I interpret seeing "Currently active and flagged to be published in DNS" appearing in a red block as an indication the address is in the blocklist as one to be blocked.
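The discrepancy above is why the DNS answer, not a web lookup, is the thing to check: sendmail's dnsbl feature does an A-record query for the reversed IP under the list's zone and rejects only when one comes back in 127.0.0.0/8. The following added Python example (not the page's blq script) performs that query, and adds the RFC 5782 sanity check a list operator should pass: 127.0.0.2 must be listed and 127.0.0.1 must never be. A zone that fails it (typically a list whose domain lapsed and now wildcards every query) would make sendmail reject all mail. The resolver is injectable so the logic runs offline here; the FAKE_DNS answers and the dead.example zone are constructed for illustration and are not real SORBS data.

```python
"""Query a DNS blocklist the way an MTA's dnsbl feature does: reverse the IPv4
octets, append the list zone, and treat an A record in 127.0.0.0/8 as a hit.

Added example, not the page's blq.  system_resolver() uses the OS resolver;
fake_resolver() serves constructed answers so the code can run offline.
"""
import ipaddress
import socket

LOOPBACK_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """'166.102.165.166', 'dnsbl.sorbs.net' -> '166.165.102.166.dnsbl.sorbs.net'"""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Resolve with the OS resolver; None stands for NXDOMAIN / no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbl(ip, zone, resolve=system_resolver):
    """Return (listed, answer).  Only an answer inside 127.0.0.0/8 counts as a
    listing; any other address is an error code or a misbehaving zone."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False, None
    return ipaddress.IPv4Address(answer) in LOOPBACK_NET, answer


def dnsbl_is_sane(zone, resolve=system_resolver):
    """RFC 5782 check: a live list answers for 127.0.0.2 and not for 127.0.0.1.
    Run this before adding a zone to sendmail.mc and periodically afterwards."""
    positive, _ = check_dnsbl("127.0.0.2", zone, resolve)
    negative, _ = check_dnsbl("127.0.0.1", zone, resolve)
    return positive and not negative


def blq(zone, ip, resolve=system_resolver):
    """One-line verdict in the spirit of the page's blq output."""
    listed, answer = check_dnsbl(ip, zone, resolve)
    verdict = f"BLOCKED ({answer})" if listed else "ok"
    return f"{ip} : {zone} : {verdict}"


# Constructed offline answers standing in for DNS (not real list contents).
FAKE_DNS = {
    "166.165.102.166.dnsbl.sorbs.net": "127.0.0.6",  # listed
    "2.0.0.127.dnsbl.sorbs.net": "127.0.0.2",        # RFC 5782 test entry
    # hypothetical dead zone that wildcards every name, including 127.0.0.1
    "2.0.0.127.dead.example": "127.0.0.2",
    "1.0.0.127.dead.example": "127.0.0.2",
    "170.165.102.166.dead.example": "127.0.0.2",
}


def fake_resolver(name):
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    for ip in ("166.102.165.166", "166.102.165.170"):
        print(blq("dnsbl.sorbs.net", ip, fake_resolver))
    print("dnsbl.sorbs.net sane:", dnsbl_is_sane("dnsbl.sorbs.net", fake_resolver))
    print("dead.example sane:", dnsbl_is_sane("dead.example", fake_resolver))
```

To query a real list, call `check_dnsbl(ip, zone)` without the third argument so the OS resolver is used; the answer you get is exactly what sendmail acts on, whatever the list's web front end shows.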


Sat, Feb 18, 2006 10:12 am

Spam from 211.32.91.234

Looking through email logs for this week, I noticed someone attempted to send email from IP address 211.32.91.234 to an email list on the system that I invalidated over a month ago. The email was coming from an IP address that appears to belong to a South Korean Internet Service Provider (ISP), which was suspicious, since the address was only supposed to be known by 4 to 5 people in an office of an organization in the U.S. The office was closed down at the end of last year.

The email was blocked because the sending IP address was on a blacklist that I use to curtail spam coming into the email server. When I checked the IP address against other blacklists, I found it was present on several lists. The system may be running an open SOCKS proxy service.


Sat, Feb 11, 2006 12:36 pm

Passive Spam Block List (PSBL) Added

I added the Passive Spam Block List (PSBL) to the spam blacklists I employ on my email server. I now am using six different blacklists on the system to combat spam. The ones I'm now using are as follows:

Blitzed Open Proxy Monitor List
Open Relay Database
Composite Block List (CBL)
McFadden Associates E-Mail Blacklist
Spam and Open Relay Blocking System (SORBS)
Passive Spam Block List (PSBL)

To add the PSBL to the blacklists queried by sendmail, I added the following line to /etc/mail/sendmail.mc.

FEATURE(`dnsbl', `psbl.surriel.com', `"550 Mail from " $`'&{client_addr} " refused - see http://psbl.surriel.com/"')dnl

I then regenerated the sendmail.cf file from the sendmail.mc file and restarted sendmail with the commands below.

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
/etc/init.d/sendmail restart


Thu, Feb 09, 2006 11:24 pm

Why Is Email From a Hotmail.Com or MSN.Com Account Rejected?

I have received reports from three users recently that email addressed to the users from either a hotmail.com or msn.com email address is not getting through. The reason is that the hotmail.com servers, which handle email from hotmail.com and msn.com accounts, are currently on the SORBS blacklist.


Tue, Feb 07, 2006 10:05 pm

Lists of Blacklists

One way to combat spam at the email server level is to use blacklists, aka blocklists, which are lists of IP addresses of systems known to regularly transmit spam or at least to have recently transmitted spam. Various organizations and companies throughout the Internet create their own lists and then, frequently, to help other email server administrators combat spam, will provide access to those lists to others on a real-time basis.

To find out whether your IP address is on such a list or to see what lists you might use for your own email server, I've created a list of sites that provide links to multiple blocklists from one webpage and also my own list of sites.


Mon, Feb 06, 2006 6:31 pm

SORBS Blocking Hotmail.Com and MSN.Com Email

I had reports from two users who were informed by individuals using hotmail.com and msn.com addresses that mail was being rejected when sent to the users. The senders were not able to provide me with the reason for the email being rejected. When I used my own hotmail.com test account, I discovered that was because Hotmail hides that information from the Hotmail account holder by default, but Hotmail's settings can be changed to reveal the reason a message is rejected.

When I used my own test account, I found that email from hotmail.com and msn.com accounts was being rejected because the hotmail.com email servers are on a SORBS blocklist.

I resolved the problem by adding the relevant hotmail.com and msn.com email addresses to sendmail's /etc/mail/access file.
