-
March 5th, 2008, 11:28 AM
#1
Spamhaus PBL question
Since I turned on PBL blocking on my mail server (adding zen.spamhaus.org to the DNS blacklist), a few people have reported sending me emails, but I'm not getting them and they're not getting a rejection notice.
Looking through the logs, I can see that my mail server refused the email with a '554 Message contains known spam source in Received: header' (the header being the IP address of the sendee).
When I checked the IP address through spamhaus, it failed on PBL:
"It is the policy of Sky Broadband that email sent from this IP address should be sent out only via the dedicated outbound mail server for the Sky Broadband service."
Now I know the person who sent this email did so through their Yahoo on-line account, so are they saying that it's Sky's policy to block any emails unless it is sent through their mail server? Does this include email sent via HTTP?
I could add their block to my whitelist, but is there anything I'm missing here?
Thanks,
TEk
-
March 6th, 2008, 11:54 AM
#2
If the sender really sent the message from Yahoo's web mail, the header should have contained Yahoo's information. We might be able to see what really happened if you posted all of the header info. Issues like this are why I don't like or use Spamhaus for filtering e-mail.
-
March 7th, 2008, 11:22 AM
#3
Thanks jdc2000, header info below (forgive the asterisks!). I should point out that without PBL switched on, I would be getting some 2500 spams a day!!!
Thu 2008-02-28 22:06:31: Session 1062; child 1; thread 1004
Thu 2008-02-28 22:06:30: Accepting SMTP connection from [217.146.183.117 : 30713]
Thu 2008-02-28 22:06:30: Performing PTR lookup (117.183.146.217.IN-ADDR.ARPA)
Thu 2008-02-28 22:06:30: * D=117.183.146.217.IN-ADDR.ARPA TTL=(20) PTR=[web25014.mail.ukl.yahoo.com]
Thu 2008-02-28 22:06:30: * Gathering A records...
Thu 2008-02-28 22:06:30: * D=web25014.mail.ukl.yahoo.com TTL=(30) A=[217.146.183.117]
Thu 2008-02-28 22:06:30: ---- End PTR results
Thu 2008-02-28 22:06:30: --> 220 ********.com ESMTP MDaemon 9.6.4; Thu, 28 Feb 2008 22:06:30 +0000
Thu 2008-02-28 22:06:30: <-- HELO web25014.mail.ukl.yahoo.com
Thu 2008-02-28 22:06:30: --> 250 ********.com Hello web25014.mail.ukl.yahoo.com, pleased to meet you
Thu 2008-02-28 22:06:30: <-- MAIL FROM:<********@yahoo.co.uk>
Thu 2008-02-28 22:06:30: --> 250 <********@yahoo.co.uk>, Sender ok
Thu 2008-02-28 22:06:30: <-- RCPT TO:<********@********.com>
Thu 2008-02-28 22:06:30: Performing DNS-BL lookup (217.146.183.117 - connecting IP)
Thu 2008-02-28 22:06:30: * zen.spamhaus.org - passed
Thu 2008-02-28 22:06:30: ---- End DNS-BL results
Thu 2008-02-28 22:06:30: --> 250 <********@********.com>, Recipient ok
Thu 2008-02-28 22:06:30: <-- DATA
Thu 2008-02-28 22:06:30: Creating temp file (SMTP): c:\mdaemon\temp\md50000001564.tmp
Thu 2008-02-28 22:06:30: --> 354 Enter mail, end with <CRLF>.<CRLF>
Thu 2008-02-28 22:06:30: Message size: 3020 bytes
Thu 2008-02-28 22:06:31: Performing DNS-BL lookup (90.197.23.xxx - 'Received' header)
Thu 2008-02-28 22:06:31: * zen.spamhaus.org - failed
Thu 2008-02-28 22:06:31: ---- End DNS-BL results
Thu 2008-02-28 22:06:31: --> 554 Message contains known spam source in Received: header
Thu 2008-02-28 22:06:31: <-- QUIT
Thu 2008-02-28 22:06:31: --> 221 See ya in cyberspace
Thu 2008-02-28 22:06:31: SMTP session terminated (Bytes in/out: 3144/352)
Out of interest, what do you use for spam filtering?
Regards,
TEk
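An added example, not written by any poster in this thread: a small Python scan of MDaemon-style SMTP session logs in the format shown above, which finds sessions where the connecting IP passed the DNS-BL check but a 'Received' header IP failed it. The sample log is constructed (documentation-range addresses, not values from the thread) and the function name is hypothetical.

```python
import re

# Constructed sample in the log format shown in the post above; all
# addresses are documentation-range placeholders, not taken from the thread.
SAMPLE_LOG = """\
Thu 2008-02-28 22:06:30: Accepting SMTP connection from [192.0.2.25 : 30713]
Thu 2008-02-28 22:06:30: Performing DNS-BL lookup (192.0.2.25 - connecting IP)
Thu 2008-02-28 22:06:30: * zen.spamhaus.org - passed
Thu 2008-02-28 22:06:30: ---- End DNS-BL results
Thu 2008-02-28 22:06:31: Performing DNS-BL lookup (198.51.100.7 - 'Received' header)
Thu 2008-02-28 22:06:31: * zen.spamhaus.org - failed
Thu 2008-02-28 22:06:31: ---- End DNS-BL results
Thu 2008-02-28 22:06:31: --> 554 Message contains known spam source in Received: header
Thu 2008-02-28 22:06:31: SMTP session terminated (Bytes in/out: 3144/352)
Thu 2008-02-28 22:07:02: Accepting SMTP connection from [203.0.113.9 : 4021]
Thu 2008-02-28 22:07:02: Performing DNS-BL lookup (203.0.113.9 - connecting IP)
Thu 2008-02-28 22:07:02: * zen.spamhaus.org - failed
Thu 2008-02-28 22:07:02: ---- End DNS-BL results
Thu 2008-02-28 22:07:02: SMTP session terminated (Bytes in/out: 120/90)
"""

ACCEPT = re.compile(r"Accepting SMTP connection from \[(\S+)")
LOOKUP = re.compile(r"Performing DNS-BL lookup \((\S+) - (connecting IP|'Received' header)\)")
RESULT = re.compile(r"\* (\S+) - (passed|failed)")

def header_only_rejections(log_text):
    """Return sessions where the connecting IP passed every DNS-BL zone but
    a 'Received' header IP failed, i.e. mail handed over by an unlisted
    server was refused because of an address further back in the headers."""
    sessions, cur, scope = [], None, None
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):           # a new SMTP session starts
            cur = {"peer": m.group(1), "connecting": [], "header": []}
            sessions.append(cur)
        elif cur is None:
            continue
        elif m := LOOKUP.search(line):         # remember what is being checked
            scope = ("connecting" if m.group(2) == "connecting IP" else "header", m.group(1))
        elif (m := RESULT.search(line)) and scope:
            cur[scope[0]].append((scope[1], m.group(1), m.group(2)))
    hits = []
    for s in sessions:
        conn_ok = bool(s["connecting"]) and all(r == "passed" for _, _, r in s["connecting"])
        bad = [(ip, zone) for ip, zone, r in s["header"] if r == "failed"]
        if conn_ok and bad:
            hits.append({"peer": s["peer"], "listed_header_ips": bad})
    return hits
```

Run over a day's log, the returned list shows which relaying servers had mail refused only because of a header address, which is the set to review before whitelisting or changing which checks apply to 'Received' headers.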
-
March 7th, 2008, 06:39 PM
#4
Info:
217.146.183.117 is the RIPE Network Coordination Centre - a source for much of the spam I receive. Legitimate mail can also arrive from there as well.
117.183.146.217 - Asia Pacific Network Information Centre - also a big spam source.
90.197.23.xxx - RIPE again.
Note that this information is not the real e-mail header info - it is what you got from your spam filter after it analyzed the e-mail header. The real header would allow us to analyze the data ourselves. The .xxx in the last address may be what Spamhaus doesn't like, even though the real IP might be OK.
As for what spam filter I use - I don't use one. I have not found a personal one or an ISP based one that won't delete important non-spam e-mails from known good sources. Spamhaus has been known to blacklist an entire ISP that might cover large areas of the western U.S. just because some of their clients may have an infected PC that is sending out spam. This is not a reliable filtering method. All of the ISP based filters I have encountered that have been automatically enabled (without asking the users) have quarantined some or most of my e-mail. When I have tried to pass legitimate messages through using them, they have all deleted them instead. Not good. In any case, in order to ensure that important messages are not deleted you still need to have a Spam folder for those. Since I would have to check that folder for good messages anyway, a spam filter is not going to save me any time. Also, some of my friends may occasionally be infected, and ask for my help via e-mail. If their messages are deleted, I can't help them. On my oldest e-mail address (about 12 years old), I get about 100 spam e-mails per day, which is not too troublesome. If you are getting 2500 per day, then a spam filter is not optional. However, you will have to regularly maintain a white list in order to prevent legitimate messages from being spammed. For e-mail server spam filtering, I have used Exclaimer (on Microsoft Exchange Server). This software works very well. Only a very few spam messages get through, and very few legitimate messages are flagged as spam. You still have to spend some time to set up an initial white list, and then maintain it though.