Who gets Blacklisted? (a question that stumped the pros)

mach5

Registered
Feb 14, 2006

I have a question that stumped the technicians at my hosting company. So I pose the question to all of you.
----------------
Which email address will get blacklisted in the scenario below?

Example:
An email called "I AM SPAM" originates from the sender, spam @ spam.com.

The email is sent to person1 @ xyz.com (on mail server #1)

The email is automatically forwarded (using email forwarding) to person2 @ xyz.com (from the same domain, also on mail server #1)

Now,
When person2 is viewing their emails, they see the email "I AM SPAM", and of course, they blacklist the "sender".

My question is:
Which sender is being blacklisted? Is it the ORIGINAL sender ([email protected])
or the FORWARDING sender ([email protected])?

Mike
 

mach5

Registered
Feb 14, 2006
That is my guess too - Person1 would get blacklisted.

This question stemmed from the whole AOL forwarding mess. I was one of those people (sad to say) who set up automatic email forwarding to my AOL account. When spam was forwarded, I unknowingly selected "Reported as spam". Unknowingly, I wasn't reporting the original spam senders, I was reporting the innocent forwarding mail server. When hundreds of AOL users do this, AOL blocked the forwarding email's server (not the original sender's server).

This is why, in this scenario, I think the forwarder ([email protected]) would get blacklisted.
 

WestBend

Well-Known Member
Oct 12, 2003
The forwarder would be, because the email has technically been officially received before it is forwarded, so when it forwards it, it is now the source server and not some intermediary.

I think ;)
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Strictly speaking, it should indeed be the sender. However, the main problem is that only the last (first as you read it) Received: email header can be trusted, as all the others can be forged. So, some email companies (AOL is the biggest culprit) simply blacklist every relay host in the header - which is pretty stupid when you understand how relaying works.

RBLs such as bl.spamcop.net attempt to verify exactly which relays are the culprits and put more logic into the blocks than the likes of AOL.
 

Spiral

BANNED
Jun 24, 2005
RBL services are pretty smart about that and would not blacklist ANY of the sender addresses because they are most likely falsified. The IP address of the original sender in the original message is what would be blacklisted.

Now if your friend has their own spam filtering then who knows .... 95% of regular users and some ISPs (*cough* AOL) are total morons where it comes to properly setting up their own spam controls and tend to screw things up badly.
 

VexT

Active Member
Nov 15, 2003
I've seen AOL blacklist the relayer and I feel that they are right in doing so. One scenario that's happened to one of my boxes is that someone set up a cPanel account and they sent out spam using authenticated SMTP using my server. This mail came to my server from another MX server using fixed authentication.

Return-Path:
Received: from rly-yh06.mx.aol.com (rly-yh06.mail.aol.com [172.18.180.70]) by air-yh03.mail.aol.com (vx) with ESMTP id MAILINYH32-79343f637032e5; Fri, 17 Feb 2006 15:50:36 -0500
Received: from my.server.com (my.server.com [127.0.0.1]) by rly-yh06.mx.aol.com (vx) with ESMTP id MAILRELAYINYH65-79343f637032e5; Fri, 17 Feb 2006 15:50:11 -0500
Received: from [4.79.248.76] (port=2356 helo=mail.worldsupersite.com) by my.server.com with esmtpa (Exim 4.52) id 1FACXd-0007Ud-9b for [email protected]; Fri, 17 Feb 2006 15:49:03 -0500
Message-ID: <[email protected]>
From: "Tara Garnet"
To:
Subject: Need a response today
Reply-To:


[email protected] [/var/log]# grep luser exim_mainlog
2006-02-17 15:49:03 1FACXd-0007Ud-9b <= [email protected] H=(mail.worldsupersite.com) [4.79.248.76]:2356 I=[67.15.2.7]:25 P=esmtpa A=fixed_login:cpaneluser+athosteddomain.com S=110356660 [email protected] T="Need a response today" from <[email protected]> for [email protected]
2006-02-17 15:49:49 1FACXd-0007Ud-9b => [email protected] F=<[email protected]> P=<[email protected]> R=lookuphost T=remote_smtp S=4349 H=mailin-04.mx.aol.com [205.188.159.217]:25 C="250 OK" QT=46s DT=1s


This new rash of spam from account holders is seriously prompting me to find ways to disable SMTP access for all of our accounts.

I heard of a hack where I can remove domains from /etc/localdomains to do this but whenever Fix Mail permissions is run, the domains are added back in. Oh well.
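
As an added illustration of chirpy's point that only the Received: line stamped by your own MTA can be trusted, and of the header/log pair VexT posted above, here is a small Python script. It is not code from the thread; every hostname, IP and address in it is a constructed placeholder (example.* names, documentation IP ranges) modelled on VexT's headers and exim_mainlog lines. It walks the Received: chain newest-first, stops at the first hop handed over by a host outside the trusted set, and then uses that hop's queue id to pull the matching "<=" line out of the Exim log to see which authenticated account injected the message:

```python
"""Trace where a spam message entered trusted mail infrastructure from its Received:
chain and the matching exim_mainlog entries. Added example, not code from the thread;
hostnames, IPs and addresses are constructed placeholders modelled on VexT's post."""
import re
from typing import Optional

# Constructed headers as the receiving ISP sees them, newest Received: first; the bottom
# Received: line is a forgery inserted by the spammer's own software.
SAMPLE_HEADERS = """\
Received: from rly.example-isp.net (rly.example-isp.net [192.0.2.10]) by air.example-isp.net with ESMTP id A1; Fri, 17 Feb 2006 15:50:36 -0500
Received: from my.server.example (my.server.example [203.0.113.7]) by rly.example-isp.net with ESMTP id B2; Fri, 17 Feb 2006 15:50:11 -0500
Received: from [198.51.100.76] (port=2356 helo=mail.spammer.example)
\tby my.server.example with esmtpa (Exim 4.52) id 1FACXd-0007Ud-9b
\tfor victim@example-isp.net; Fri, 17 Feb 2006 15:49:03 -0500
Received: from forged-origin.example ([10.9.8.7]) by mail.spammer.example; Fri, 17 Feb 2006 15:48:00 -0500
From: "Tara Garnet" <sender@spammer.example>
Subject: Need a response today
"""
# Constructed exim_mainlog excerpt from my.server.example, the forwarding host.
SAMPLE_LOG = """\
2006-02-17 15:49:03 1FACXd-0007Ud-9b <= sender@spammer.example H=(mail.spammer.example) [198.51.100.76]:2356 I=[203.0.113.7]:25 P=esmtpa A=fixed_login:cpaneluser+hosteddomain.example S=110356660 T="Need a response today" from <sender@spammer.example> for victim@example-isp.net
2006-02-17 15:49:49 1FACXd-0007Ud-9b => victim@example-isp.net F=<sender@spammer.example> P=<sender@spammer.example> R=lookuphost T=remote_smtp S=4349 H=rly.example-isp.net [192.0.2.10]:25 C="250 OK" QT=46s DT=1s
2006-02-17 16:02:10 1FADEf-0001Ab-2c <= alice@hosteddomain.example H=(localhost) [203.0.113.7]:40012 I=[203.0.113.7]:25 P=esmtp S=1200 T="lunch?" from <alice@hosteddomain.example> for bob@example.org
"""
ISP_TRUSTED = {"air.example-isp.net", "rly.example-isp.net"}  # the receiving ISP's own MTAs

HOP_RE = re.compile(
    r"^Received:\s*from\s+(?P<from>[^\s;]+)"      # name or [ip] of the sending side
    r"(?:\s+\((?P<fcomment>[^)]*)\))?"            # rDNS/IP or HELO detail recorded by the stamping MTA
    r"\s+by\s+(?P<by>[^\s;]+)(?:\s+\([^)]*\))?"   # the MTA that wrote this line
    r"(?:\s+with\s+(?P<with>[^\s;]+))?"           # ESMTP, or esmtpa when SMTP AUTH was used
    r"(?:.*?\bid\s+(?P<id>[^\s;]+))?", re.IGNORECASE)  # that MTA's queue id
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ARRIVAL_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")

def unfold(raw: str) -> list[str]:
    """Join folded continuation lines (leading whitespace) onto the previous header."""
    lines: list[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def parse_received(raw: str) -> list[dict]:
    """Return the Received: hops newest-first: sending name/IP, stamping host, protocol, id."""
    hops = []
    for line in unfold(raw):
        m = HOP_RE.match(line)
        if not m:
            continue
        ipm = IP_RE.search(m.group("from")) or IP_RE.search(m.group("fcomment") or "")
        hops.append({"from": m.group("from").strip("[]"), "from_ip": ipm.group(1) if ipm else None,
                     "by": m.group("by"), "with": (m.group("with") or "").lower(), "id": m.group("id")})
    return hops

def last_external_hop(hops: list[dict], trusted: set[str]) -> Optional[dict]:
    """A Received: line is only believable if the host that stamped it is trusted. The first
    believable hop whose sending side is NOT trusted is where the message entered; lines below it may be forged."""
    for hop in hops:
        if hop["by"] not in trusted:
            return None  # stamped by an outsider, so nothing from here down is verifiable
        if hop["from"] not in trusted:
            return hop
    return None

def parse_arrivals(log: str) -> dict[str, dict]:
    """Index the '<=' (message arrived) lines of exim_mainlog by queue id."""
    arrivals: dict[str, dict] = {}
    for line in log.splitlines():
        m = ARRIVAL_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        host = re.search(r"H=[^\[]*\[([\d.]+)\]", rest)  # remote IP the message came from
        proto = re.search(r"\bP=(\S+)", rest)            # esmtp / esmtpa / esmtps ...
        auth = re.search(r"\bA=(\S+)", rest)             # authenticator:login, present only after SMTP AUTH
        arrivals[m.group("id")] = {"sender": m.group("sender"),
                                   "remote_ip": host.group(1) if host else None,
                                   "proto": proto.group(1) if proto else None,
                                   "auth": auth.group(1) if auth else None}
    return arrivals

def authenticated_submissions(log: str) -> list[dict]:
    """Messages injected over SMTP AUTH: what a compromised hosting account produces. They
    arrive from arbitrary remote IPs but leave carrying this server's reputation."""
    return [{"id": qid, **info} for qid, info in parse_arrivals(log).items() if info["auth"]]

def trace(headers: str, log: str, trusted: set[str]) -> tuple[Optional[str], Optional[str]]:
    """(IP that handed the message to trusted infrastructure, authenticated account that
    injected it or None). The account is only known once trust reaches the host whose
    log we hold, because its queue id is the link between the header and the log line."""
    hop = last_external_hop(parse_received(headers), trusted)
    if hop is None:
        return None, None
    info = parse_arrivals(log).get(hop["id"]) if hop["id"] else None
    return hop["from_ip"], (info["auth"] if info else None)
```

With only the ISP's own MTAs in the trusted set, `trace()` stops at my.server.example (203.0.113.7): that is the hop AOL sees and blocks, exactly the "blacklist the relayer" behaviour described above. Add the forwarding server to the trusted set, which is what an RBL that verifies relays effectively does, and the walk continues to the esmtpa hop from 198.51.100.76, whose queue id leads to the `A=fixed_login:cpaneluser+...` field in the log. `authenticated_submissions()` is the programmatic form of VexT's `grep` over the whole log: it lists every message that entered via SMTP AUTH together with the account used, which is what to watch when hunting for abused hosting accounts.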
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
Somewhat harsh perhaps. However, if you want to do that, add the domains to /etc/remotedomains (create the file if missing) and they should not be put back into localdomains.
 

VexT

Active Member
Nov 15, 2003
I've submitted all of my sites to their feedback loop (http://postmaster.aol.com/fbl/index.html), which many times shows me false positives, but other times (rarely) it has shown me that a problem exists, like the one shown in my post above.

I also encourage my customers to remove AOL users from their lists when I get a TOS complaint from AOL. They try to hide the user's address but many times I can figure out what the AOL addy is from the message.