RE: contact at yahoo mail? (they think we're an open relay :< )
It's a very confusing page to read, we are listed as 127.0.0.2 and that is NERD-CA.

The other entries like:

ARIXDICTSTALE Sender has a history of dictionary spamming: stale.dict.rbl.arix.com -> 127.0.0.1

I think indicate what that RBL is for and what the value indicates, we are NOT in there:

host smtp.easydns.comstale.dict.rbl.arix.com

and the txt record looks like a wildcard for all of the lists.

In fact, several of the people who emailed me off list saying "you're in no-more-funn" were ALSO listed in "no-more-funn" in the same manner.

So that, combined with the number of "same here" posts wrt yahoo leads me to believe that that's not the reason.

-mark

On Thu, 9 Oct 2003, Thor Larholm wrote:
If you would read the page through, you would see that you are listed MULTIPLE places.
No-more-funn.moensted.dk ARIXDICTSTALE NERD-CA NERD-ZZ
Only the last two are country specific
/thor
-----Original Message-----
From: Mark Jeftovic [mailto:markjr@easydns.com]
Sent: Thursday, October 09, 2003 2:30 PM
To: Thor Larholm
Cc: nanog@merit.org
Subject: RE: contact at yahoo mail? (they think we're an open relay :< )
We are listed in no-more-funn.moensted.dk as 127.0.0.2 which is described as:
+ NERD-CA ip-space assigned to Canada: ca.countries.nerd.dk -> 127.0.0.2
216.220.40/24 is in ca, rejected based on geographical location
about: Please see our webpage for more information
about: This zone lists ONLY based on geographic information
about: The zone does NOT contain known spammers, nor open relays
We do cop to being Canadian, but that's about it. I hope yahoo isn't keying on this RBL.
-mark
...and we've already filled out the retest form at Yahoo.
On Thu, 9 Oct 2003, Thor Larholm wrote:
If you read through all of that page, you will notice that Yahoo itself has a re-test script you can use to trigger a verification.
http://add.yahoo.com/fast/help/us/mail/cgi_retest
Yahoo is not your only problem, if you look at http://moensted.dk/spam/?addr=216.220.40.247 you will notice that several DNSBL lists that IP address. No-more-fun believes it to be a "Direct spam source" and ArixDictStale says it has performed active dictionary attacks within the last 3 months.
If you want to positively check whether you are an open relay, I would
recommend testing through ORDB at http://ordb.org/submit/
Regards
Thor Larholm
PivX Solutions, LLC - Senior Security Researcher

-----Original Message-----
From: Mark Jeftovic [mailto:markjr@easydns.com]
Sent: Thursday, October 09, 2003 1:23 PM
To: nanog@merit.org
Subject: contact at yahoo mail? (they think we're an open relay :< )
Today our email forwarders started getting this from yahoo.com mail handlers:
553 Mail from 216.220.40.247 not allowed - VS99-IP1 deferred - see help.yahoo.com/help/us/mail/defer/defer-02.html (#5.7.1)
Connection closed by foreign host.
Which when you go look at that page basically tells you you're probably an open relay (which we're not), etc.
Can any mail admins at Yahoo contact me offlist, or post what the restrictions are or at what levels this will kick in?
-mark
--
Mark Jeftovic <markjr@easydns.com>
Co-founder, easyDNS Technologies Inc.
ph. +1-(416)-535-8672 ext 225
fx. +1-(416)-535-0237

At 6:34 PM -0400 10/9/03, Mark Jeftovic wrote:
So that, combined with the number of "same here" posts wrt yahoo leads me to believe that that's not the reason.
I have seen yahoo block based on excessive mail sent to non-existent addresses. If you are bouncing mail with a return-path set to yahoo, that can be a problem.

--
Kee Hinckley
http://www.messagefire.com/ Next Generation Spam Defense
http://commons.somewhere.com/buzz/ Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept responsibility for their own actions, or that they are so eager to regulate everyone else's.
Thus spake Kee Hinckley (nazgul@somewhere.com) [09/10/03 22:30]:
I have seen yahoo block based on excessive mail sent to non-existent addresses. If you are bouncing mail with a return-path set to yahoo, that can be a problem.
Out of curiosity, can those who have had their mail blocked by Yahoo! report back on their abuse complaints lately? What I'm looking for is either an increased volume of complaints, or a certain volume of complaints that the end user has seemingly been infected by a trojan of some sort.

Please keep replies off-list.

I've received an email offlist that this problem should be back to "pre-yesterday" conditions. It looks better on our end, as it should for all else affected I would think.

Thanks to all who replied, compared notes and emailed offlist with suggestions or ideas.

-mark

--
Mark Jeftovic <markjr@easydns.com>
Co-founder, easyDNS Technologies Inc.
ph. +1-(416)-535-8672 ext 225
fx. +1-(416)-535-0237
Mark Jeftovic [10/10/03 08:33 -0400]:
I've received an email offlist that this problem should be back to "pre-yesterday" conditions. It looks better on our end, as it should for all else affected I would think.
Our problem looks considerably larger than pre yesterday conditions now :(

I'd appreciate a contact there if you have one.

--
srs (postmaster|suresh)@outblaze.com // gpg : EDEDEFB9
manager, outblaze.com antispam and security operations
On Fri, 10 Oct 2003, Suresh Ramasubramanian wrote:
Mark Jeftovic [10/10/03 08:33 -0400]:
I've received an email offlist that this problem should be back to "pre-yesterday" conditions. It looks better on our end, as it should for all else affected I would think.
Our problem looks considerably larger than pre yesterday conditions now :(
I'd appreciate a contact there if you have one.
As would I.

They are blocking only the server where we put undergraduate accounts, over 60% of which have forwarding set, most frequently to Hotmail, Yahoo and AOL accounts. When the spam volume coming in here gets too high, our server *appears* to be an open relay (which it is not).

The bounced messages contain a pointer to a web page which claims they only block after running a relay test on the suspect IP, this being done "after that IP address has been identified as source of significant suspicious inbound traffic". I'm wondering if they aren't bothering with the test anymore.

AOL did the same thing to us about ago. It took several days to get that resolved.

- SLS

------------------------------------------------------------------------
Scott L. Stursa - 850/644-2591
Network Security Officer stursa@acns.fsu.edu
Academic Computing and Network Services
Florida State University
- No good deed goes unpunished -
In a message written on Fri, Oct 10, 2003 at 11:59:56AM -0400, Scott Stursa wrote:
They are blocking only the server where we put undergraduate accounts, over 60% of which have forwarding set, most frequently to Hotmail, Yahoo and AOL accounts. When the spam volume coming in here gets too high, our server *appears* to be an open relay (which it is not).
This happens to my server a couple of times a week, but I've noticed a slightly different pattern. I also run a mail forwarding service.

What I notice is Yahoo seems to delete a few accounts (not sure if this is an inactive deletion, suspension, user closing, or what, all I know is it delivers right before, and then gets "user unknown" right after). About 10-30 minutes later, typically from a few spams to the user-unknown addresses, the server gets blocked with "too many attempts to unknown addresses".

Now, here's the problem, it now returns that for every yahoo e-mail. So all the other people with forwards break, and more importantly there is _NO_ way to tell what userids are valid or not, short of going back through the logs and finding the 10-30 minute window where you got user unknown. It can be a large amount of work. It also of course backs up mail queues since they are returning temporary errors for everything.

I have never had a similar problem with AOL or hotmail. I submitted requests for help via their web form and they were just ignored.

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
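The log search described in the message above (finding the window of "user unknown" replies that precedes the blanket block), as an added example that is not part of the original thread. The log line format, the reply strings, the addresses and the 30-minute default window are assumptions constructed for illustration; adapt the regular expression to your own MTA's delivery log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical simplified format (not a real MTA's).
SAMPLE_LOG = """\
2003-10-10T09:02:11 to=<alice@yahoo.com> code=250 reply="ok"
2003-10-10T09:40:03 to=<bob@yahoo.com> code=250 reply="ok"
2003-10-10T09:41:17 to=<bob@yahoo.com> code=550 reply="user unknown"
2003-10-10T09:44:52 to=<carol@yahoo.com> code=550 reply="user unknown"
2003-10-10T09:50:30 to=<alice@yahoo.com> code=250 reply="ok"
2003-10-10T10:03:08 to=<alice@yahoo.com> code=451 reply="too many attempts to unknown addresses"
2003-10-10T10:03:09 to=<dave@yahoo.com> code=451 reply="too many attempts to unknown addresses"
2003-10-10T10:05:40 to=<bob@yahoo.com> code=451 reply="too many attempts to unknown addresses"
"""

LINE = re.compile(r'^(\S+) to=<([^>]+)> code=(\d{3}) reply="([^"]*)"$')
BLOCK_TEXT = "too many attempts to unknown addresses"  # assumed deferral text


def parse(log):
    """Yield (timestamp, recipient, smtp_code, reply) for each well-formed line."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts, rcpt, code, reply = m.groups()
            yield datetime.fromisoformat(ts), rcpt.lower(), int(code), reply


def triage(log, window=timedelta(minutes=30)):
    """Return (block_start, dead_forwards, collateral).

    dead_forwards: recipients permanently rejected as unknown in the window
    before the first blanket deferral; these forwards should be disabled.
    collateral: other recipients deferred once the block began; their
    validity cannot be inferred from the deferral alone.
    """
    events = sorted(parse(log), key=lambda e: e[0])
    block_start = next((ts for ts, _, code, reply in events
                        if 400 <= code < 500 and BLOCK_TEXT in reply.lower()), None)
    if block_start is None:
        return None, set(), set()
    dead = {rcpt for ts, rcpt, code, reply in events
            if block_start - window <= ts < block_start
            and code >= 500 and "user unknown" in reply.lower()}
    collateral = {rcpt for ts, rcpt, code, _ in events
                  if ts >= block_start and 400 <= code < 500} - dead
    return block_start, dead, collateral
```

Disabling the forwards in `dead_forwards` before retrying the queue stops further deliveries to the unknown addresses; the `collateral` set is what remains queued behind the temporary errors.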
participants (6)
- Damian Gerow
- Kee Hinckley
- Leo Bicknell
- Mark Jeftovic
- Scott Stursa
- Suresh Ramasubramanian