MailScanner mailing list ended up on a black list.

Lew Wolfgang wolfgang at sweet-haven.com
Tue Aug 21 06:46:59 IST 2007


Hi Jim,

Well, it happened to me too.  One of my sites hosts email
for a small research company.  This past Saturday I noticed
that a message from the president to his sister on hotmail.com
was rejected as being spammy.  A quick check showed that we
were listed on apews.org with the reason being that another
host on our subnet was caught spamming, but is now shut down.
Further, it's a /17 subnet!  32,765 other innocent sites
(potentially) were judged guilty by association!  Microsoft's
web site said the thing to do was implement SPF, which I
did and after registering with Microsoft, was able to send
mail to hotmail/msn addresses.  SPF overrides a hit from
a DNSBL in Microsoft's world, I guess.

Then, this evening, we had another spammy bounce from an att.net
address.  This time, we're also listed in blackholes.five-ten-sg.com
for the same "guilt by association" rationale.  I guess they got
mailscanner.info with the same broad brush.  I see that 83.98.192.7
is in apews.org too.

It's not right that innocent mail users and smtp sites have
to change IP addresses and/or hosting companies to get away from
spam-by-association.  I also don't think that customer complaints
to the likes of att.net and Microsoft would carry much water.
So what are we to do?

Lew Wolfgang

Jim Barber wrote:
> Hi all.
> 
> Last night I noticed that most (all?) of my incoming posts from this
> list were tagged as spam (despite having really low scores).
> I found the cause was due to an RBL server that I use having listed one
> of the email servers this list comes from.
> 
> The MailScanner server that is getting black listed is: 83.98.192.7
> which reverse resolves to safir.blacknight.ie
> The RBL server that I am using is blackholes.five-ten-sg.com
> This one I've added myself, but I am reluctant to remove it since so far
> over the months it has served me well.
> 
> If you go to http://www.five-ten-sg.com/blackhole.php and enter
> 83.98.192.7 into the form it comes back with the following:
> 
> ------------------------------------------------------------
> IP address 83.98.192.7 is listed here as 83.98.192.165 misc.
> 
> Although there may be other reasons, most of the listings in this
> category are due to
> (1. systems apparently sending bulk mail from ip addresses with bogus or
> missing reverse dns, or with no web server, or with boilerplate web
> content, or
> 2. a suspected multistage relay output, or
> 3. machines probably running MS SMTPSVC with an open guest account, or
> 4. running some open proxy), or it is in the same /24 subnet containing
> multiple machines with that property.
> ------------------------------------------------------------
> 
> The 'misc' (127.0.0.9) return code is defined by the site as:
> 
> ------------------------------------------------------------
> misc - Miscellaneous includes (but is NOT limited to) the following groups.
> Note that this does NOT include misc.spam which is listed under spam above.
> 1) /24 blocks of addresses containing systems that are apparently
> sending bulk email (in volumes apparently comparable with the volume
> from AOL, Earthlink, Google), with any of the following attributes:
> missing or bogus reverse dns, reverse dns names in domains with no web
> server, or domains with boilerplate web content.
> 2) Systems that are strongly suspected of being multistage open relays
> (where I have not been able to identify the input stage) or open proxies.
> 3) Any system that delivers spam here, that appears to be running MS
> SMTPSVC, and that appears to have relayed the message from China, Korea,
> Brazil, or any known open proxy.
>    These are generally systems that have enabled the guest account, and
> spammers are using them as open relays, even though they do require SMTP
> AUTH.
>    Enabling the guest account allows anyone to relay thru them.
> ------------------------------------------------------------
> 
> Is this the correct place to report it to?
> It's sort of ironic having an anti-spam list ending up marked as spam.
> Oh well.
> 
> Regards,
> 
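
The lookup discussed in this thread, as an added example that is not part of either poster's message: a DNSBL query name is the IPv4 octets reversed followed by the list's zone, and a listing is an A record in 127.0.0.0/8. The function names are hypothetical, and the sample answer is constructed from the quoted lookup result so the code runs offline.

```python
import ipaddress
import socket

# Only this code appears in the quoted listing text; other codes are not on the page.
RETURN_CODES = {"127.0.0.9": "misc"}

# Constructed sample answer mirroring the quoted lookup result, so the demo runs offline.
SAMPLE_ANSWERS = {"7.192.98.83.blackholes.five-ten-sg.com": "127.0.0.9"}

def dnsbl_query_name(ip, zone):
    """DNSBL lookup name: IPv4 octets reversed, then the list's zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Live A-record lookup; None means no record or a failed lookup."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def check_listing(ip, zone, resolve=SAMPLE_ANSWERS.get):
    """Return (listed, return_code, category) for ip on the given DNSBL zone."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return (False, None, None)
    # Real DNSBL answers are in 127.0.0.0/8; anything else (wildcard DNS,
    # a parked zone) must not be treated as a listing.
    if ipaddress.IPv4Address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        return (False, answer, "invalid-answer")
    return (True, answer, RETURN_CODES.get(answer, "unknown"))

def covering_block(ip, prefix_len):
    """The network a listing of this prefix length sweeps in around ip."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)

if __name__ == "__main__":
    zone = "blackholes.five-ten-sg.com"
    print(check_listing("83.98.192.7", zone))
    # The quoted result lists 83.98.192.7 under the entry 83.98.192.165:
    block = covering_block("83.98.192.165", 24)
    print(block, ipaddress.IPv4Address("83.98.192.7") in block)
    # Pass resolve=system_resolver to query a live list instead of the sample.
```

Checking your own outbound mail server's address this way against each list your recipients are known to use shows whether a bounce comes from a listing of your host or of a covering block.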


