[sf-lug] wiki ... Re: I have a spare lenovo T420 laptop

Rick Moen rick at linuxmafia.com
Thu May 6 15:10:40 PDT 2021


Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):

> Drats ...
> # fgrep -hi ehud.kaldor at gmail.com /var/log/exim4/mainlog{.1,}
> 2021-05-05 17:55:56 1leLkZ-0004uQ-3U ** ehud.kaldor at gmail.com
> R=dnslookup T=remote_smtp H=gmail-smtp-in.l.google.com
> [2607:f8b0:400e:c07::1a] X=TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256
> CV=yes DN="C=US,ST=California,L=Mountain View,O=Google
> LLC,CN=mx.google.com": SMTP error from remote mail server after
> pipelined end of data: 550-5.7.1 [2001:470:1f05:19e::2      19] Our
> system has detected that this\n550-5.7.1 message is likely
> suspicious due to the very low reputation of the\n550-5.7.1 sending
> domain. To best protect our users from spam, the message
> has\n550-5.7.1 been blocked. Please visit\n550 5.7.1
> https://support.google.com/mail/answer/188131 for more information.
> b4si5793943pgw.419 - gsmtp
> #

Auntie Goog thinks poorly of balug.org as an SMTP-sending domain?
Time to check those DNSBLs.


1 of 2: http://multirbl.valli.org/ , test "DNSBL lookups", checking balug.org:

Completely clean.  Test runs at this site sometimes must be run again on
account of transient test failures (somewhat misleadingly shown in red,
intending to show failure not as a test return value but rather failure
to connect to the back-end DNSBL sites).


2 of 2:  https://www.dnsbl.info/ , checking 96.86.170.229 (IP where the
MX record for balug.org points):

47 DNSBL passes, 2 failures.  Those failures are:

1.  b.barracudacentral.org

$ dig 229.170.86.96.b.barracudacentral.org +short
127.0.0.2
$ dig -t txt 229.170.86.96.b.barracudacentral.org +short
"http://www.barracudanetworks.com/reputation/?pr=1&ip=96.86.170.229"
$

(Return page snippet from doing lookup on the site:)

  The IP address 96.86.170.229 is listed as "poor" on the Barracuda
  Reputation System. To request removal, please click here.





2.  spam.dnsbl.sorbs.net
$ dig 229.170.86.96.spam.dnsbl.sorbs.net +short
127.0.0.6
$ dig -t txt 229.170.86.96.spam.dnsbl.sorbs.net +short
;; Truncated, retrying in TCP mode.
"Spam Received See: http://www.sorbs.net/lookup.shtml?96.86.170.229"
$



Spam record for address 96.86.170.229
Description:    Spam Received from this host
Record Created:    04:30:02 24 Apr 2021 GMT-04
Message ID (munged):    590**************************9$@******org
Additional Information:    No Info

The following hostname is found within this spam.
j.mp    Hostname has been marked as hosting a spamvertised website/URL.



Spam record for address 96.86.170.229
Description:    Spam Received from this host
Record Created:    04:30:01 24 Apr 2021 GMT-04
Message ID (munged):    590**************************9$@******org
Additional Information:    No Info

The following hostname is found within this spam.
j.mp    Hostname has been marked as hosting a spamvertised website/URL.



Spam record for address 96.86.170.229
Description:    Spam Received from this host
Record Created:    04:49:44 16 Apr 2021 GMT-04
Message ID (munged):    C6C*******************************0D@******org
Additional Information:    No Info



Spam record for address 96.86.170.229
Description:    Spam Received from this host
Record Created:    17:07:50 12 Apr 2021 GMT-04
Message ID (munged):    6.8***********************.5@******org
Additional Information:    No Info




Above presumably will help you a little, Michael, in hunting through
logs, etc., trying to find what these two DNSBLs are reacting to.

This may or may not apply, and some DNSBLs are just error-prone and
collectors of bad information, but _sometimes_ in my experience the
root cause turns out to be one or more Mailman listadmins who voluntarily
signed up to receive Mailman administrative notices, which often concern
held or rejected spam, but failed to think about collateral damage from
the listadmin's (or more often the listadmin's ISP's) antispam defences.

For example, for a while when Jim Stockford was _theoretically_ one of
the listadmins for the SF-LUG mailing list (hosted on my linuxmafia.com
server) -- although he seems to have never actually shouldered any of
the listadmin duties over more than a decade of allegedly being a
listadmin -- his ISP's spam defences added linuxmafia.com to a number of
DNSBLs as a spamhaus, strictly in reaction to the (legitimate) Mailman
administrative notices that the ISP's MTA considered spammy.

That injury persisted until I noticed the syndrome and removed Jim as a
listadmin.

You might want to check the roster of BALUG listadmins to see if any
listadmin is likewise shooting balug.org in the foot.
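
[Added example, not part of the original message: a shell sketch of the lookup behind the dig commands above, which reverses the IPv4 octets, prepends them to the DNSBL zone, and interprets the A-record answer. The function names are hypothetical and IPv4-only handling is an assumption; the zones and address in the usage comment are the ones quoted in the message.]

```shell
#!/bin/sh
# Added example (hypothetical helper names). IPv4 only.

# dnsbl_qname IP ZONE -> reversed-octet query name, e.g. 4.3.2.1.ZONE
dnsbl_qname() {
    q_ip=$1 q_zone=$2
    case $q_ip in
        *[!0-9.]*|*.*.*.*.*|.*|*.|*..*) return 1 ;;  # not a dotted quad
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $q_ip                  # split into four octets
    IFS=$old_ifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$q_zone"
}

# dnsbl_classify ANSWER -> clean | listed:<code> | unexpected:<answer>
# Listed addresses get an A record in 127.0.0.0/8; unlisted ones get
# NXDOMAIN, which `dig +short` shows as empty output. The meaning of
# the last octet is defined by each list operator.
dnsbl_classify() {
    case $1 in
        '')    echo clean ;;
        127.*) echo "listed:$1" ;;
        *)     echo "unexpected:$1" ;;  # e.g. a resolver rewriting NXDOMAIN
    esac
}

# dnsbl_check IP ZONE... : live lookup (needs dig and network access)
dnsbl_check() {
    c_ip=$1; shift
    for c_zone in "$@"; do
        name=$(dnsbl_qname "$c_ip" "$c_zone") ||
            { echo "bad IPv4 address: $c_ip" >&2; return 1; }
        answer=$(dig +short "$name" A | head -n 1)
        printf '%-28s %s\n' "$c_zone" "$(dnsbl_classify "$answer")"
    done
}

# Usage:
#   dnsbl_check 96.86.170.229 b.barracudacentral.org spam.dnsbl.sorbs.net
```

An "unexpected" result means the answer did not come back in the form a DNSBL uses, so it should be rechecked through a different resolver before being read as a listing.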




