The Community Forums


Who gets Blacklisted? (a question that stumped the pros)

Discussion in 'General Discussion' started by mach5, Feb 16, 2006.

  1. mach5

    mach5 Registered

    Joined:
    Feb 14, 2006
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Newbie Here!

    I have a question that stumped the technicians at my hosting company. So I pose the question to all of you.
    ----------------
    Which email address will get blacklisted in the scenario below?

    Example:
    An email called "I AM SPAM" originates from the sender, spam @ spam.com.

    The email is sent to person1 @ xyz.com (on mail server #1)

    The email is automatically forwarded (using email forwarding) to person2 @ xyz.com (from the same domain, also on mail server #1)

    Now,
    When person2 is viewing their emails, they see the email "I AM SPAM", and of course, they blacklist the "sender".

    My question is:
    Which sender is being blacklisted? Is it the ORIGINAL sender (spam@spam.com)
    or the FORWARDING sender (person1@xyz.com)?

    Mike
     
    #1 mach5, Feb 16, 2006
    Last edited: Feb 16, 2006
  2. ShockHosts

    ShockHosts Well-Known Member

    Joined:
    Nov 25, 2005
    Messages:
    123
    Likes Received:
    0
    Trophy Points:
    16
    Hm.... Hard one... Just try testing it... But I am guessing your friend would be blacklisted.
     
  3. mach5

    mach5 Registered

    Joined:
    Feb 14, 2006
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    That is my guess too - Person1 would get blacklisted.

    This question stemmed from the whole AOL forwarding mess. I was one of those people (sad to say) who set-up automatic email forwarding to my AOL account. When spam was forwarded, I unknowingly selected "Reported as spam". Unknowingly, I wasn't reporting the original spam senders, I was reporting the innocent forwarding mail server. When hundreds of AOL users do this, AOL blocked the forwarding email's server (not the original sender's server).

    This is why, in this scenario, I think the forwarder (Person1@xyz.com) would get blacklisted.
     
  4. WestBend

    WestBend Well-Known Member

    Joined:
    Oct 12, 2003
    Messages:
    173
    Likes Received:
    0
    Trophy Points:
    16
    The forwarder would be, because the email has technically been officially received before it is forwarded, so when it forwards it, it is now the source server and not some intermediary.

    I think ;)
     
  5. ShockHosts

    ShockHosts Well-Known Member

    Joined:
    Nov 25, 2005
    Messages:
    123
    Likes Received:
    0
    Trophy Points:
    16
    Yeah... Hint: Don't use forwarders! :D
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Strictly speaking, it should indeed be the sender. However, the main problem is that only the last (first as you read it) Received: email header can be trusted, as all the others can be forged. So, some email companies (AOL is the biggest culprit) simply blacklist every relay host in the header - which is pretty stupid when you understand how relaying works.

    RBLs such as bl.spamcop.net attempt to verify exactly which relays are the culprits and put more logic into the blocks than the likes of AOL.
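The point about trusting only the Received: headers written by hosts you control can be made concrete. The following is an added example, not code from the thread or from cPanel: it parses a constructed message (documentation-range addresses, invented host names) whose bottom Received: header is forged, walks the chain from the top, and reports the first sender IP outside a configurable set of trusted networks. With only the recipient's own MX trusted, the forwarding relay gets the blame, which is the behaviour described for AOL; once the forwarder is also trusted, the blame moves to the host that actually submitted the message, and the forged hop below it is never consulted.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample message (not from the thread). A spammer at 198.51.100.77
# submitted mail to a forwarding/relay server (203.0.113.5), which handed it to
# the recipient's MX in 192.0.2.0/24. The bottom Received: header was written
# by the spammer and is forged. All addresses are RFC 5737 documentation ranges.
SAMPLE = """\
Received: from relay.forwarder.example (relay.forwarder.example [203.0.113.5])
\tby mx1.recipient.example with ESMTP id rcpt0001;
\tFri, 17 Feb 2006 15:50:11 -0500
Received: from [198.51.100.77] (helo=mail.spammer.example)
\tby relay.forwarder.example with esmtpa (Exim 4.52) id fwd0001;
\tFri, 17 Feb 2006 15:49:03 -0500
Received: from innocent.example ([203.0.113.200])
\tby mail.spammer.example; Fri, 17 Feb 2006 15:48:00 -0500
From: "Tara Garnet" <spammer@spammer.example>
To: luser@recipient.example
Subject: Need a response today

I AM SPAM
"""

# The IP of the sending host appears in square brackets in the "from" clause.
_FROM_IP = re.compile(r"^from\s.*?\[(?P<ip>[0-9a-fA-F.:]+)\]", re.IGNORECASE)


def received_hops(raw):
    """Return the sender IP of each Received: header, newest (topmost) first.
    None marks a hop whose from-clause carried no literal address."""
    msg = message_from_string(raw)
    hops = []
    for header in msg.get_all("Received", []):
        unfolded = " ".join(header.split())  # join continuation lines
        m = _FROM_IP.match(unfolded)
        hops.append(ip_address(m.group("ip")) if m else None)
    return hops


def blamed_ip(raw, trusted_networks):
    """Walk the chain top-down. Each header was written by the host named after
    'by', and the 'from' IP it records is the host that wrote the next header
    down. Headers are believed only while the host that wrote them is trusted;
    the first sender IP outside the trusted set is the earliest hop we can
    vouch for, and anything below it could have been forged by that host."""
    nets = [ip_network(n) for n in trusted_networks]
    for ip in received_hops(raw):
        if ip is None:
            return None  # unparsable hop: stop rather than trust what lies below
        if not any(ip in net for net in nets):
            return str(ip)
    return None


if __name__ == "__main__":
    print(received_hops(SAMPLE))
    # Recipient trusts only its own MX: the forwarder takes the blame.
    print(blamed_ip(SAMPLE, ["192.0.2.0/24"]))
    # Recipient also trusts the forwarder (for example a registered mailhost):
    # blame moves to the submitting host; the forged bottom hop is ignored.
    print(blamed_ip(SAMPLE, ["192.0.2.0/24", "203.0.113.5/32"]))
```

The trusted-network list is the whole difference between the two outcomes discussed in the thread: a blocklist that knows which relays legitimately handle a recipient's mail can reach past the forwarder, one that does not will stop at it.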
     
  7. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    RBL services are pretty smart about that and would not blacklist ANY of the sender addresses because they are most likely falsified. The IP address of the original sender in the original message is what would be blacklisted.

    Now if your friend has their own spam filtering then who knows .... 95% of regular users and some ISPs (*cough* AOL) are total morons where it comes to properly setting up their own spam controls and tend to screw things up badly.
     
  8. VexT

    VexT Active Member

    Joined:
    Nov 15, 2003
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    I've seen AOL blacklist the relayer and I feel that they are right in doing so. One scenario that's happened to one of my boxes is that someone set up a cpanel account and they sent out spam using authenticated SMTP using my server. This mail came to my server from another MX server using fixed authentication.

    > Return-Path:
    > Received: from rly-yh06.mx.aol.com (rly-yh06.mail.aol.com [172.18.180.70]) by air-yh03.mail.aol.com (vx) with ESMTP id MAILINYH32-79343f637032e5; Fri, 17 Feb 2006 15:50:36 -0500
    > Received: from my.server.com (my.server.com [127.0.0.1]) by rly-yh06.mx.aol.com (vx) with ESMTP id MAILRELAYINYH65-79343f637032e5; Fri, 17 Feb 2006 15:50:11 -0500
    > Received: from [4.79.248.76] (port=2356 helo=mail.worldsupersite.com) by my.server.com with esmtpa (Exim 4.52) id 1FACXd-0007Ud-9b for sophosmr@aol.com; Fri, 17 Feb 2006 15:49:03 -0500
    > Message-ID: <20060217154923.77B3DE895AF2A372@worldsupersite.com>
    > From: "Tara Garnet"
    > To:
    > Subject: Need a response today
    > Reply-To:


    > root@mybox [/var/log]# grep luser exim_mainlog
    > 2006-02-17 15:49:03 1FACXd-0007Ud-9b <= spammer@worldsupersite.com H=(mail.worldsupersite.com) [4.79.248.76]:2356 I=[67.15.2.7]:25 P=esmtpa A=fixed_login:cpaneluser+athosteddomain.com S=110356660 id=20060217154923.77B3DE895AF2A372@worldsupersite.com T="Need a response today" from <spammer@worldsupersite.com> for luser@aol.com
    > 2006-02-17 15:49:49 1FACXd-0007Ud-9b => luser@aol.com F=<spammer@worldsupersite.com> P=<spammer@worldsupersite.com> R=lookuphost T=remote_smtp S=4349 H=mailin-04.mx.aol.com [205.188.159.217]:25 C="250 OK" QT=46s DT=1s


    This new rash of spam from account holders is seriously prompting me to find ways to disable SMTP access for all of our accounts.

    I heard of a hack where I can remove domains from /etc/localdomains to do this but whenever Fix Mail permissions is run, the domains are added back in. Oh well.
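The exim_mainlog line in the post above already carries everything needed to spot this kind of abuse before a feedback loop or blocklist does: the protocol (P=esmtpa), the authenticated account (A=...), the connecting IP and the envelope sender. The following is an added example, not code from the thread or from cPanel/Exim: it parses constructed arrival lines in the same shape as the one posted (invented hosts, accounts and message IDs, documentation-range addresses) and flags authenticated submissions that come from outside the server's own networks while using an envelope sender domain that does not belong to the account that logged in. Rather than disabling SMTP authentication for everyone, this isolates the one account whose password is being abused.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed Exim mainlog arrival ("<=") lines modelled on the format in the
# post above; hosts, accounts, addresses and IDs are invented (RFC 5737 ranges).
SAMPLE_LOG = """\
2006-02-17 15:49:03 1ABCDE-000001-AA <= spammer@spammer.example H=(mail.spammer.example) [198.51.100.77]:2356 I=[192.0.2.5]:25 P=esmtpa A=fixed_login:webuser@hosted.example S=110356660 id=1@spammer.example T="Need a response today" from <spammer@spammer.example> for victim@recipient.example
2006-02-17 15:52:10 1ABCDE-000002-BB <= alice@hosted.example H=(alice-laptop) [203.0.113.9]:51234 I=[192.0.2.5]:25 P=esmtpa A=fixed_login:alice@hosted.example S=2048 id=2@hosted.example T="Lunch" from <alice@hosted.example> for bob@recipient.example
2006-02-17 15:53:00 1ABCDE-000003-CC <= newsletter@other.example H=mx.other.example [203.0.113.40]:4432 I=[192.0.2.5]:25 P=esmtp S=5000 id=3@other.example T="News" from <newsletter@other.example> for alice@hosted.example
2006-02-17 15:54:00 1ABCDE-000004-DD <= www@hosted.example H=localhost (localhost) [127.0.0.1]:40000 I=[127.0.0.1]:25 P=esmtpa A=fixed_login:webuser@hosted.example S=900 id=4@hosted.example T="Contact form" from <www@hosted.example> for alice@hosted.example
"""

# Fields of an arrival line: timestamp, message id, envelope sender, H= host
# with the connecting [ip]:port, the protocol P= and the optional A= authenticator.
ARRIVAL = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) "
    r"H=(?P<host>.*?) \[(?P<ip>[^\]]+)\](?::\d+)? .*?"
    r"P=(?P<proto>\S+)(?: A=(?P<auth>\S+))?"
)


def parse_arrival(line):
    """Return the named fields of an Exim '<=' line, or None for other lines."""
    m = ARRIVAL.match(line)
    return m.groupdict() if m else None


def suspicious_submissions(lines, own_networks):
    """Flag authenticated submissions (P=esmtpa with an A= field) that arrived
    from an IP outside our own networks and whose envelope sender domain is
    not the domain of the account that authenticated. A stolen or shared
    mailbox password is the usual explanation for such a mismatch."""
    nets = [ip_network(n) for n in own_networks]
    hits = []
    for line in lines:
        rec = parse_arrival(line)
        if not rec or rec["proto"] != "esmtpa" or not rec["auth"]:
            continue
        ip = ip_address(rec["ip"])
        if any(ip in net for net in nets):
            continue  # webmail and local scripts authenticate from our own hosts
        account = rec["auth"].split(":", 1)[-1]  # strip the authenticator name
        account_domain = account.rsplit("@", 1)[-1].lower()
        sender_domain = rec["sender"].rsplit("@", 1)[-1].lower()
        if sender_domain != account_domain:
            hits.append({"id": rec["id"], "ip": str(ip),
                         "account": account, "sender": rec["sender"]})
    return hits


def per_account(hits):
    """Count flagged messages per authenticated account, worst first, so the
    account to lock or re-password is obvious at a glance."""
    return Counter(h["account"] for h in hits).most_common()


if __name__ == "__main__":
    found = suspicious_submissions(SAMPLE_LOG.splitlines(),
                                   ["192.0.2.0/24", "127.0.0.0/8"])
    for h in found:
        print(h)
    print(per_account(found))
```

Of the four constructed lines only the first is flagged: the second is a user sending as herself from a laptop, the third is ordinary unauthenticated inbound mail, and the fourth is a contact form submitting from localhost. Thresholds on count per account and per hour, fed from the real log, turn this into an alert instead of a one-off grep.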
     
  9. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Somewhat harsh perhaps. However, if you want to do that, add the domains to /etc/remotedomains (create the file if missing) and they should not be put back into localdomains.
     
  10. mctDarren

    mctDarren Well-Known Member

    Joined:
    Jan 6, 2004
    Messages:
    664
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    New Jersey
    cPanel Access Level:
    Root Administrator
  11. VexT

    VexT Active Member

    Joined:
    Nov 15, 2003
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    6
    I've submitted all of my sites to their feedback loop (http://postmaster.aol.com/fbl/index.html), which many times shows me false positives but other times (rare) it has shown me that a problem exists like the one shown in my post above.

    I also encourage my customers to remove AOL users from their lists when I get a TOS complaint from AOL. They try to hide the user's address but many times I can figure out what the AOL addy is from the message.
     