(writing with my dnswl.org hat on)

> On 11.05.2015 at 15:42, Alex Regan <mysqlstud...@gmail.com> wrote:
> 
> Hi,
> 
> I have a fp that was passed through thomsonreuters, hitting RCVD_IN_DNSWL_HI, 
> receiving -5 points, from an obvious hacked account.
> 
> http://pastebin.com/5LYS7s2v

IP 163.231.6.26, mailout2-trp.thomsonreuters.com, DNSWL Id 1251.

No abuse reports on this IP yet (overall for this DNSWL Id: one back in October 
2014, two in April 2014, and four in 2012 - all but the October 2014 coming 
from a single IP, all different from the one reported here). History of the IP 
reported here:

 1251/163.231.6.26 [-]                        2015-05-12 00:00   Last seen
 163.231.6.26 [rbl]      regular-rblcheck     2015-03-06 20:31
     2015-03-06 20:31:00 ix dnsbl 163.231.6.26 RBL filtered by ix.dnsbl.manitu.net:
     Your e-mail service was detected by mx.selfip.biz (NiX Spam) as spamming at
     Fri, 06 Mar 2015 15:03:13 +0100. Your admin should visit
     http://www.dnsbl.manitu.net/lookup.php?value=163.231.6.26
 163.231.6.26 [rbl]      regular-rblcheck     2012-06-13 16:31
 1251/163.231.6.26 [c]                        2011-04-30 19:23   DNSWL Id 0 -> 1251
 163.231.6.26 [c]                             2011-04-30 19:23   Score med -> hi
 163.231.6.26 [c]                             2011-04-30 19:23   Score low -> med
 163.231.6.26 [c]                             2011-04-30 19:23   Score none -> low
 163.231.6.26 [a]                             2011-02-25 01:52   Added record
 1251/163.231.6.26 [-]                        2011-02-25 00:00   First seen

(The RBL hit from 2012 is from a source we only used for a short period of time 
due to the lack of accuracy, e.g. listing all of thomsonreuters.com; the actions 
in 2011 were done while cleaning up the whole DNSWL Id.)

Two "incidents" in two months is quite a lot, especially for a DNSWL Id 
with such an overall good record as this one, and hints at some particular 
problem, of which we have no way of knowing whether it is solved or not. 

Score now lowered to low - it will automatically be increased once sufficient 
time has passed and no new RBL hits / abuse reports are coming in.

> Is it also interesting that thomsonreuters.com has no SPF information?

Their email setup is… interesting. Lots of different domain names, IP ranges, 
ASes, and obviously different businesses/business units. I believe maintaining 
a somewhat proper and sane SPF record would be a nightmare…

— Matthias
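To make the scoring discussed in this thread concrete, here is an added Python example (my own code, not dnswl.org's or SpamAssassin's) that builds the list.dnswl.org query name for an IP, decodes the 127.0.<category>.<trust> answer, maps it to the RCVD_IN_DNSWL_* rule that would fire, and computes what a trust change such as the hi -> low above does to a message's score. The -5 for HI is the figure from the post; the LOW and MED scores, the 127.0.0.255 "query blocked" answer and the RCVD_IN_DNSWL_BLOCKED rule name are assumptions from stock SpamAssassin and dnswl.org documentation as I remember them, so verify them against your local rules. No DNS query is made; the answers fed in are constructed so the block runs offline.

```python
"""Decode list.dnswl.org answers the way SpamAssassin's RCVD_IN_DNSWL_* rules do.

Added example, not code from the mailing-list post. DNS is never queried here;
answers are constructed inline so the block runs offline.
"""
import ipaddress

# list.dnswl.org answers "127.0.<category>.<trust>"; trust 0..3 = none/low/med/hi.
TRUST_LEVELS = {0: "none", 1: "low", 2: "med", 3: "hi"}

# Answer handed to resolvers that exceed dnswl.org's query limits (assumed from
# dnswl.org's documentation). It must never be read as a whitelisting.
BLOCKED_ANSWER = "127.0.0.255"

# Assumed SpamAssassin scores: -5 for HI is the figure from the post; LOW and MED
# are stock 50_scores.cf defaults as I recall them. Check your own rules.
SA_RULE_SCORES = {
    "RCVD_IN_DNSWL_NONE": 0.0,
    "RCVD_IN_DNSWL_LOW": -0.7,
    "RCVD_IN_DNSWL_MED": -2.3,
    "RCVD_IN_DNSWL_HI": -5.0,
    "RCVD_IN_DNSWL_BLOCKED": 0.0,
}


def dnswl_query_name(ip: str, zone: str = "list.dnswl.org") -> str:
    """Build the reversed-octet query name: 163.231.6.26 -> 26.6.231.163.list.dnswl.org."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + "." + zone


def decode_dnswl_answer(answer: str) -> dict:
    """Split a DNSWL A-record answer into its category number and trust level.

    Anything outside 127.0.x.y raises ValueError, so a resolver that rewrites
    NXDOMAIN (or a typo in the zone name) cannot be mistaken for a listing.
    """
    if answer == BLOCKED_ANSWER:
        return {"category": None, "trust": "blocked"}
    parts = answer.split(".")
    if len(parts) != 4 or parts[0] != "127" or parts[1] != "0":
        raise ValueError(f"not a DNSWL answer: {answer}")
    category, trust = int(parts[2]), int(parts[3])
    if trust not in TRUST_LEVELS:
        raise ValueError(f"unknown trust level {trust} in {answer}")
    return {"category": category, "trust": TRUST_LEVELS[trust]}


def sa_rule_for(answer: str) -> tuple:
    """Return (rule name, assumed score) for the RCVD_IN_DNSWL_* rule an answer triggers."""
    info = decode_dnswl_answer(answer)
    rule = "RCVD_IN_DNSWL_" + info["trust"].upper()
    return rule, SA_RULE_SCORES[rule]


def score_delta(old_answer: str, new_answer: str) -> float:
    """Change in SpamAssassin score when a listing moves between trust levels."""
    _, old_score = sa_rule_for(old_answer)
    _, new_score = sa_rule_for(new_answer)
    return round(new_score - old_score, 4)


if __name__ == "__main__":
    ip = "163.231.6.26"  # the IP from the post; category 9 below is constructed
    print("query:", dnswl_query_name(ip))
    for answer in ("127.0.9.3", "127.0.9.1", "127.0.0.255"):
        print(answer, "->", decode_dnswl_answer(answer), sa_rule_for(answer))
    # hi -> low, as in the post: the message loses 4.3 points of whitelisting credit
    print("hi -> low changes the score by", score_delta("127.0.9.3", "127.0.9.1"))
```

The practical point of the strict parse is the last two answers: 127.0.0.255 means your resolver has been cut off, not that the sender is trusted, and an answer outside 127.0.x.y means the lookup itself is broken; both should show up in monitoring rather than silently scoring mail.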
