FlyerTalk Forums - View Single Post - Verizon is blocking all incoming e-mail from outside the USA!!!
Old Jan 24, 05, 5:55 am
<long boring geeky post>
Nice try Stimpy but you've fallen at the first hurdle with both emails you've posted. Let's start by looking at the one you claim came to you from NTL.

The email originated from a PC (possibly an IBM) with an IP address of We can tell this from the line in the headers;

Received: from IBMCA8D325E423 [] by with SMTP
(SMTPD32-8.05) id A97622401A6; Thu, 18 Nov 2004 19:23:58 +0530

We can perform a WHOIS query on the IP address to find out where it belongs;

espresso:~$ whois -h
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
% Rights restricted by copyright.
% See

inetnum: -
descr: Routed Connection
country: GB
admin-c: SAM80-RIPE
tech-c: CH309-RIPE
notify: [email protected]
mnt-by: AS8426-MNT
source: RIPE
changed: [email protected] 20041102

descr: CLARA-AGG4
origin: AS8426
mnt-by: AS8426-MNT
changed: [email protected] 20030408
source: RIPE

role: Claranet Hostmaster
address: Claranet Ltd
address: 21 Southampton Row
address: London WC1B 5HA
address: United Kingdom
phone: +44 (0) 20 7685 8000
fax-no: +44 (0) 20 7685 8001
e-mail: [email protected]

This tells us that the ISP is not NTL but Claranet and the IP address belongs to a subnet that is allocated to Visiongain for a routed connection, which means it's probably a leased line rather than ADSL (although that's not always the case).

So where did the email go from here? Well, looking further up the headers we see it was received by ( which is the Visiongain corporate email server. This is confirmed by doing an MX query (this asks which mailserver handles email for a particular domain) against the nameservers which gives;

espresso:~$ dig mx
; <<>> DiG 8.4 <<>> mx
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2180
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;;, type = MX, class = IN


OK, this mail server then passes the email onto the first of two Verizon mail servers. The question you now have to ask is whether the mailserver for is in the UK.

We check this by doing a WHOIS query of the IP address and even before I do this just by looking at the number I can tell it's an Asia Pacific address. It actually turns out to be in India (belonging to India Online in fact);

espresso:~$ whois -h
% [ node-2]
% Whois data copyright terms

inetnum: -
netname: IOLNET
descr: India Online Network Ltd.
descr: Broadband ISP
descr: Mumbai
country: IN
admin-c: DT136-AP
tech-c: DT136-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-IN-IOL
changed: [email protected] 20010130
changed: [email protected] 20021007
changed: [email protected] 20021010
source: APNIC

descr: Broadband - ISP
origin: AS9910
notify: [email protected]
mnt-by: APNIC-HM
changed: [email protected] 19991123
source: APNIC

person: Dhananjay Singh Thakur
nic-hdl: DT136-AP
e-mail: [email protected]
address: IOL Broadband Limited,
address: AB-01, Neelam Centre,
address: Hind Cycle Road, WORLI,
address: MUMBAI--400025, INDIA
phone: +91-22-56319400
fax-no: +91-22-56319401
country: IN
changed: [email protected] 20031212
mnt-by: MAINT-IN-IOL
source: APNIC

So, we now know that although the email originated in the UK, it wasn't from an NTL subscriber and it wasn't received by from a UK mailserver but one based in India. If was blocking UK emails this one would get round the block by using a mailserver in India which appears not to be locked.

Now we've cleared that up let's look at the spam you think you received from the UK.

Again we need to look at headers carefully and understand how folks can try to make them mislead us.

The first IP address we see in the headers is This IP address claims to be but that's a bit strange as the IP address originates in South America. We can do two things to confirm that something is amiss here. The first is simply do a WHOIS lookup of the IP address which gives;

espresso:~$ whois -h

% Copyright LACNIC
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2005-01-24 09:24:31 (BRST -02:00)

inetnum: 200.30.240/20
status: reassigned
owner: Metropolis Intercom
responsible: Eulogio Robles Perez
address: Avenida Jose Pedro Alessandri, 3082, Macul
address: -- - Santiago - RM
country: CL
phone: +56 2 8105442 []
owner-c: ERP
tech-c: ERP
inetrev: 200.30.240/20
nsstat: 20050120 AA
nslastaa: 20050120
nsstat: 20050120 AA
nslastaa: 20050120
created: 20011019
changed: 20011019
inetnum-up: 200.30.192/18

So the IP address is actually in Santiago, Chile. So where does the bit come from? It is conceivable that it could be a British company operating in Chile but let's find out what the WHOIS records for show;

espresso:~$ whois -h

Domain Name:

Helen Tattersall

Administrative Contact's Address:
Unit 22 Walworth Enterprise Centre
Duke Close
West Way
Walworth Industrial Estate
SP10 5AP

Registrant's Agent:
Namesco Limited [Tag = NAMESCO]

Relevant Dates:
Registered on: 09-Aug-2000
Renewal Date: 09-Aug-2006
Last updated: 10-Aug-2004

Registration Status:
Registered until renewal date.

Name servers listed in order:

WHOIS database last updated at 11:25:01 24-Jan-2005

(c) Nominet UK 1996 - 2005

For further information and terms of use please see
Nominet reserves the right to withhold access to this service at any time.

Now that doesn't look very Chilean to me so let's see if there is a slight chance that the email server for is based in Chile. Again, it's back to our old friend Dig to query the nameservers;
espresso:richard/etc/mail$ dig mx

; <<>> DiG 8.4 <<>> mx
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28023
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
;;, type = MX, class = IN



;; ADDITIONAL SECTION:
 1d23h59m55s IN A
 1d23h59m55s IN A
 1d23h59m55s IN A

;; Total query time: 5086 msec
;; FROM: espresso to SERVER:
;; WHEN: Mon Jan 24 11:31:05 2005
;; MSG SIZE sent: 36 rcvd: 214

We need to do a bit more work here to work out the IP addresses of the two mailservers which handle email for Their hostnames are listed as and

Using Dig to look up the IP addresses for these two hostnames we find that is and is Now there are reasons that this worries me but it has nothing to do with the legitimacy of the servers. We can immediately see that and are nowhere near the address in the email header of so what is that IP address?

Back to the DNS tools and we do a host lookup which shows that the IP address has a hostname of La Reina is a town in Chile and the fact that the hostname includes the word "PC" suggests strongly that it's a dial-up connection.

So the email came from a dial-up PC in La Reina, Chile. Not exactly from the UK. We still have to work out how the bit got there.

To do that you have to understand how email servers work. It's often a wise precaution to set your email server to reject incoming email that claims to be from a non-existent domain. Spammers therefore use legitimate domains belonging to other people to trick email servers into accepting their spams. The domain works its way into the headers because of another thing that mail exchange systems do. If your PC is networked (and it needs to be to send email) it will have a network name. This network name may only be relevant locally as far as you are concerned, but when you send an email from your PC that network name is sent in the headers of the email. If you tweak your network name to be then you can appear to send email from Often this trick is foiled because the receiving mail server tries to look for the public registered hostname for the IP address of the remote machine and, if it finds it, it includes that in the headers. Had Verizon's mail server done this the header you would have seen would have said;

Received: from ( []) by

That might have given you some warning that the address was faked. Basically ignore any hostname or domain outside the () brackets.

So you can get email from France but us Brits are still out in the cold (and not responsible for your spam either!)

If you want to go poking around to find out where an email really came from you can check IP addresses at

</long boring geeky post>

Last edited by SarahWest; Jan 24, 05 at 6:14 am
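An added example, not part of SarahWest's post, that applies the rule above ("ignore any hostname outside the () brackets") in Python: it parses each Received: line, keeps the bracketed IP and the reverse-DNS name the receiving server recorded, and flags hops where the announced name's domain disagrees with that reverse lookup. The sample message, addresses and domain names are constructed (RFC 5737 ranges, example.* names), not the ones from the thread.

```python
import re
from email import message_from_string

# Matches the two Received: shapes discussed in the post:
#   from NAME [ip] by HOST ...                (no reverse lookup recorded)
#   from NAME (rdns-name [ip]) by HOST ...    (receiver recorded the rDNS name)
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"(?:\[(?P<ip_a>[\d.]+)\]"
    r"|\((?:(?P<rdns>[^\s()\[\]]+)\s+)?\[(?P<ip_b>[\d.]+)\]\))"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

def registered_domain(host):
    """Last two labels of a hostname; crude (co.uk-style TLDs) but fine here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_received(value):
    """One Received: header -> dict with the announced name, IP, rDNS, verdict."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return None
    helo, rdns, by = m["helo"], m["rdns"], m["by"]
    hop = {"helo": helo, "ip": m["ip_a"] or m["ip_b"], "rdns": rdns, "by": by}
    if rdns is None:
        hop["verdict"] = "unverified"   # only the bracketed IP can be trusted
    elif "." in helo and registered_domain(helo) != registered_domain(rdns):
        hop["verdict"] = "forged-name"  # announced domain != reverse DNS domain
    else:
        hop["verdict"] = "consistent"
    return hop

def trace(raw_message):
    """Hops oldest-first; hop 0 is the machine that injected the message."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h is not None]

# Constructed sample mirroring the Chilean dial-up case: the sender announces a
# UK name but the receiving server's reverse lookup shows a .cl dial-up host.
SAMPLE = """Received: from mx1.example.net (mx1.example.net [198.51.100.7])
\tby inbox.example.net with ESMTP; Sat, 22 Jan 2005 10:05:11 -0500
Received: from mail.example.co.uk (pc-7.lareina.example.cl [203.0.113.5])
\tby mx1.example.net with SMTP; Sat, 22 Jan 2005 10:05:02 -0500
From: someone@example.co.uk

(constructed body)
"""
```

`trace(SAMPLE)[0]` is the originating hop; its `ip` is what you would feed to a WHOIS lookup, while the `forged-name` verdict is the mismatch the post describes.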