(writing with my dnswl.org hat on)
On 11.05.2015 at 15:42, Alex Regan mysqlstud...@gmail.com wrote:
Hi,
I have a fp that was passed through thomsonreuters, hitting RCVD_IN_DNSWL_HI,
receiving -5 points, from an obvious hacked account.
http://pastebin.com/5LYS7s2v
IP 163.231.6.26, mailout2-trp.thomsonreuters.com, DNSWL Id 1251.
No abuse reports on this IP yet (overall for this DNSWL Id: one back in October
2014, two in April 2014, and four in 2012 - all but the October 2014 coming
from a single IP, all different from the one reported here). History of the IP
reported here:
1251/163.231.6.26 [-]   2015-05-12 00:00  Last seen
163.231.6.26      [rbl] regular-rblcheck  2015-03-06 20:31
2015-03-06 20:31:00 ix dnsbl 163.231.6.26 RBL filtered by ix.dnsbl.manitu.net:
Your e-mail service was detected by mx.selfip.biz (NiX Spam) as spamming at
Fri, 06 Mar 2015 15:03:13 +0100. Your admin should visit
http://www.dnsbl.manitu.net/lookup.php?value=163.231.6.26
163.231.6.26      [rbl] regular-rblcheck  2012-06-13 16:31
1251/163.231.6.26 [c]   2011-04-30 19:23  DNSWL Id 0 - 1251
163.231.6.26      [c]   2011-04-30 19:23  Score med - hi
163.231.6.26      [c]   2011-04-30 19:23  Score low - med
163.231.6.26      [c]   2011-04-30 19:23  Score none - low
163.231.6.26      [a]   2011-02-25 01:52  Added record
1251/163.231.6.26 [-]   2011-02-25 00:00  First seen
(The RBL hit from 2012 is from a source we only used for a short period of time
due to the lack of accuracy, e.g. listing all of thomsonreuters.com; the actions
in 2011 were done while cleaning up the whole DNSWL Id).
Two „incidents“ in the two months is quite a lot, especially for a DNSWL Id
with such an overall good record as this one, and hints at some particular
problem, of which we have no way of knowing whether it is solved or not.
Score now lowered to low - it will automatically be increased once sufficient
time has passed and no new RBL hits / abuse reports are coming in.
Is it also interesting that thomsonreuters.com has no SPF information?
Their email setup is… interesting. Lots of different domain names, IP ranges,
ASes, and obviously different businesses/business units. I believe maintaining
a somewhat proper and sane SPF record would be a nightmare…
— Matthias
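To make the scoring discussed in the thread concrete, here is an added example (not code from dnswl.org, SpamAssassin or anyone on the list) that builds the list.dnswl.org query name for an IP, decodes the 127.0.<category>.<trust> answer, maps the trust level to the SpamAssassin RCVD_IN_DNSWL_* rule, and computes how much whitelisting credit a message loses when an entry is downgraded from hi to low. The -5 for HI is the value quoted above; the other rule scores, the category number 9 and the sample answers are assumptions/constructed.

```python
import ipaddress

# dnswl.org answer layout: 127.0.<category>.<trust>, trust 0..3
TRUST = {0: "none", 1: "low", 2: "med", 3: "hi"}
# SpamAssassin rules keyed on trust level. HI = -5 is from the thread; the
# others are assumed stock defaults of that era and only illustrative.
SA_RULES = {
    "none": ("RCVD_IN_DNSWL_NONE", -0.0001),
    "low":  ("RCVD_IN_DNSWL_LOW", -0.7),
    "med":  ("RCVD_IN_DNSWL_MED", -2.3),
    "hi":   ("RCVD_IN_DNSWL_HI", -5.0),
}
# Sentinel dnswl.org returns when a resolver exceeds the query limit;
# it must never be treated as a whitelist hit.
RATE_LIMITED = "127.0.0.255"


def query_name(ip):
    """Reversed-octet name looked up under list.dnswl.org."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + ".list.dnswl.org"


def parse_answer(a_record):
    """Decode an A record from list.dnswl.org into trust, rule and score.

    None (NXDOMAIN, not listed) and the rate-limit sentinel both yield None,
    so a blocked resolver silently gets no credit instead of a bogus hit.
    """
    if a_record is None or a_record == RATE_LIMITED:
        return None
    o = [int(x) for x in a_record.split(".")]
    if len(o) != 4 or o[:2] != [127, 0] or o[3] not in TRUST:
        raise ValueError("not a dnswl.org answer: %s" % a_record)
    trust = TRUST[o[3]]
    rule, score = SA_RULES[trust]
    return {"category": o[2], "trust": trust, "rule": rule, "score": score}


def credit_change(old_answer, new_answer):
    """Points a message gains (less whitelisting) after a downgrade,
    e.g. the entry for 163.231.6.26 moving from hi to low as described above."""
    old = parse_answer(old_answer)
    new = parse_answer(new_answer)
    old_score = old["score"] if old else 0.0
    new_score = new["score"] if new else 0.0
    return round(new_score - old_score, 4)


if __name__ == "__main__":
    # Constructed answers: category 9 at trust hi, then the same entry at low.
    print(query_name("163.231.6.26"), parse_answer("127.0.9.3"))
    print("credit lost by downgrade:", credit_change("127.0.9.3", "127.0.9.1"))
```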