Verizon is blocking all incoming e-mail from outside the USA!!!

Old Jan 3, 05, 4:17 am
  #46  
 
The answer to Verizon's mail blocking?
http://www.theinquirer.net/?article=20474
scruffy is offline  
Old Jan 10, 05, 10:20 pm
  #47  
 
Verizon's E-Mail Embargo Enrages
http://www.wired.com/news/ebiz/0,1272,66226,00.html
scruffy is offline  
Old Jan 21, 05, 5:22 am
  #48  
 
Originally Posted by stimpy
Like I said above, send me your Verizon email account and I will send you foreign email so you can see that it works fine. There are plenty of Flyertalkers from outside the US who can do the same. As long as the mail comes from a reputable source that doesn't forward a ton of spam to Verizon, it will work fine.

What is the name of the source domains in the UK and Scandinavia that have problems sending to you? Tell us and maybe we can help you debug the problem.
Sorry Stimpy - this is complete rubbish. I run my own mailservers. I run some of the strongest spam filtering available on my servers. I have worked professionally in internet security for about ten years. In the past I was the product manager for the UK's third largest ISP and subsequently their senior technical consultant for special projects. I've set up mail servers for major international manufacturers, banks, software houses and stockbrokers.

None of the servers I run are open relays. None of the servers I run have ever sent a single spam email. None of the servers I run nor the domains they run are blacklisted anywhere nor have they ever been.

I am still unable to send email to Verizon subscribers. Take a look at my headers in this bounce message from last night.

The problem;

Received: from localhost (localhost)
by espresso.coffee.co.uk (8.12.11/8.12.11) id j0KL90RZ002948;
Thu, 20 Jan 2005 21:09:12 GMT
Date: Thu, 20 Jan 2005 21:09:12 GMT
From: Mail Delivery Subsystem <MAILER-DAEMON>
Message-Id: <[email protected]>
To: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="j0KL90RZ002948.1106255352/espresso.coffee.co.uk"
Subject: Warning: could not send message for past 4 hours
Auto-Submitted: auto-generated (warning-timeout)
Content-Length: 2412

This is a MIME-encapsulated message

--j0KL90RZ002948.1106255352/espresso.coffee.co.uk

**********************************************
** THIS IS A WARNING MESSAGE ONLY **
** YOU DO NOT NEED TO RESEND YOUR MESSAGE **
**********************************************

The original message was received at Thu, 20 Jan 2005 17:08:30 GMT
from espresso [192.168.0.10]

----- Transcript of session follows -----
... while talking to relay.verizon.net.:
<<< 421 SMTP service not available, closing transmission channel
<[email protected]>... Deferred: 421 SMTP service not available, closing
transmission channel
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old

--j0KL90RZ002948.1106255352/espresso.coffee.co.uk
Content-Type: message/delivery-status
--j0KL90RZ002948.1106255352/espresso.coffee.co.uk
Content-Type: message/delivery-status

Reporting-MTA: dns; espresso.coffee.co.uk
Arrival-Date: Thu, 20 Jan 2005 17:08:30 GMT

Final-Recipient: RFC822; [email protected]
Action: delayed
Status: 4.5.0
Diagnostic-Code: SMTP;
Last-Attempt-Date: Thu, 20 Jan 2005 21:09:12 GMT
Will-Retry-Until: Tue, 25 Jan 2005 17:08:30 GMT
My network setup;
  • espresso.coffee.co.uk is a Sun SPARC running Sendmail using nine DNSBLs and one RHSBL. It will only relay from localhost.
  • filter.coffee.co.uk (81.168.81.70) is a standalone enterprise grade firewall (but for security reasons I'm not going to tell you what it is) that provides both outbound and inbound SMTP proxying and NAT for the two mail servers I run on site.
  • The mail servers are visible externally as espresso.coffee.co.uk (81.168.81.66) and santos.coffee.co.uk (81.168.81.67)
  • espresso.coffee.co.uk runs on a reserved IP address of 192.168.0.10 and santos.coffee.co.uk runs on a reserved IP address of 192.168.0.20
  • I can send email from a number of domains including .com, .org and .co.uk but they are all rejected by relay.verizon.net
So Stimpy, it's time to put your money where your mouth is. Can you tell me why I am not a reputable source and can you debug my problem?

Note to mods; I am perfectly happy for my email address to appear in this posting - I don't have a spam problem and it might help Stimpy to debug my problem.
SarahWest is offline  
Old Jan 21, 05, 10:12 am
  #49  
Sarah,

I privately asked you to send me a test message to my Verizon account to see if you get the same result.

Tell me what you see for the Verizon MX record? What is the IP address? Have you tried telnetting to it to see what you get?
stimpy is online now  
Old Jan 21, 05, 10:40 am
  #50  
 
Stimpy, here goes;

espresso:~$ dig verizon.net mx

; <<>> DiG 8.4 <<>> verizon.net mx
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
;; QUERY SECTION:
;; verizon.net, type = MX, class = IN

;; ANSWER SECTION:
verizon.net. 39m37s IN MX 0 relay.verizon.net.

;; AUTHORITY SECTION:
verizon.net. 39m36s IN NS ns4.verizon.net.
verizon.net. 39m36s IN NS ns1.bellatlantic.net.
verizon.net. 39m36s IN NS ns2.verizon.net.
verizon.net. 39m36s IN NS ns2.bellatlantic.net.

;; ADDITIONAL SECTION:
relay.verizon.net. 14m33s IN A 206.46.170.12
ns4.verizon.net. 8h58m22s IN A 151.203.0.87
ns1.bellatlantic.net. 8h58m22s IN A 199.45.32.40
ns2.verizon.net. 8h58m22s IN A 151.203.0.86
ns2.bellatlantic.net. 8h58m22s IN A 199.45.32.41

;; Total query time: 31 msec
;; FROM: espresso to SERVER: 192.168.0.10
;; WHEN: Fri Jan 21 16:28:54 2005
;; MSG SIZE sent: 29 rcvd: 216


I get exactly the same result when I run the query from a shell account in the USA.

From the UK;

espresso:~$ telnet relay.verizon.net 25
Trying 206.46.170.12...
Connected to relay.verizon.net.
Escape character is '^]'.
421 SMTP service not available, closing transmission channel
Connection closed by foreign host.


From the USA;

bash$ telnet relay.verizon.net 25
Trying 206.46.170.12...
Connected to relay.verizon.net.
Escape character is '^]'.
220 sc014pub.verizon.net MailPass SMTP server v1.1.1 - 121803235448JY ready Fri, 21 Jan 2005 10:32:03 -0600
421 sc014pub.verizon.net terminating connection
Connection closed by foreign host.


Pretty conclusive blocking I'd say.

I'd love to say "you've got mail" in that annoying voice but so far it doesn't look promising. This is what syslog threw out;

Jan 21 16:35:30 espresso sendmail[7446]: j0LGZUe1007446: from=<[email protected]>, size=323, class=0, nrcpts=1, msgid=<[email protected]>, proto=ESMTP, daemon=MTA, relay=espresso [192.168.0.10]
Jan 21 16:35:42 espresso sendmail[7448]: j0LGZUe1007446: to=<[email protected]>, ctladdr=<[email protected]> (6001/1), delay=00:00:12, xdelay=00:00:12, mailer=esmtp, pri=120323, relay=relay.verizon.net. [206.46.170.12], dsn=4.0.0, stat=Deferred: 421 SMTP service not available, closing transmission channel


For the record I'm sending email from [email protected] from a valid MX host for coffee.co.uk.
SarahWest is offline  
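The telnet check in the post above, scripted so the same probe can be run from two vantage points and the results compared. This is an added example for this thread, not code posted by any participant: it connects to the host named on the command line, reads the greeting, sends EHLO and records which reply code arrived at which step, which is what distinguishes the UK result (421 as the greeting, a connect-time refusal) from the US one (220, then 421). The canned replies used when no host is given are constructed from the two transcripts above; `probe.example.invalid` is a placeholder HELO name and should be replaced by the probing host's real name, since receivers check it.

```python
"""Scripted version of the telnet-to-port-25 check in post #50.

Added example for this thread, not code from any participant.  The canned
replies below are constructed from the two transcripts in that post; the
default HELO name is a placeholder."""
import socket
import sys


def read_reply(readline):
    """Read one SMTP reply via `readline` (one bytes line per call, b"" at EOF).
    Handles multi-line replies ("250-..." continuation lines, then "250 ...").
    Returns (code, [text of each line]); code is None if the peer closed the
    connection before sending anything."""
    code, texts = None, []
    while True:
        raw = readline()
        if not raw:
            break
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply: {line!r}")
        code = int(line[:3])
        texts.append(line[4:])
        if len(line) == 3 or line[3] == " ":   # final line of this reply
            break
    return code, texts


def run_session(readline, sendline, helo):
    """Greeting -> EHLO -> QUIT, stopping as soon as the server refuses.
    Returns [(step, code, texts), ...] so the caller sees *where* a refusal
    happened: 421 as the greeting is a connect-time block; 220 followed by
    421 is a block after the handshake started."""
    steps = []
    code, texts = read_reply(readline)
    steps.append(("greeting", code, texts))
    if code != 220:
        return steps
    sendline(f"EHLO {helo}")
    code, texts = read_reply(readline)
    steps.append(("ehlo", code, texts))
    if code is not None and code != 421:      # 421 means the server is closing
        sendline("QUIT")
        code, texts = read_reply(readline)
        steps.append(("quit", code, texts))
    return steps


def classify(code):
    """What a reply code means for a queued message (RFC 5321 reply classes),
    in the terms the sendmail log above uses."""
    if code is None:
        return "connection closed without a reply"
    if code < 400:
        return "accepted"
    if code < 500:
        return "temporary refusal (4yz): the sending MTA defers and retries"
    return "permanent refusal (5yz): the sending MTA bounces the message"


def probe(host, port=25, helo="probe.example.invalid", timeout=15):
    """Run the session against a live host."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")

        def sendline(text):
            sock.sendall(text.encode("ascii") + b"\r\n")

        return run_session(rfile.readline, sendline, helo)


def canned(lines):
    """A readline() over a fixed list of byte strings, for offline runs."""
    it = iter(lines)
    return lambda: next(it, b"")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        helo = sys.argv[2] if len(sys.argv) > 2 else "probe.example.invalid"
        steps = probe(sys.argv[1], helo=helo)
    else:
        # Constructed from post #50: what the US vantage point saw.
        steps = run_session(canned([
            b"220 sc014pub.verizon.net MailPass SMTP server v1.1.1 ready\r\n",
            b"421 sc014pub.verizon.net terminating connection\r\n",
        ]), lambda _: None, "probe.example.invalid")
    for step, code, texts in steps:
        print(f"{step:9} {code}  {classify(code)}  {' / '.join(texts)}")
```

Run it as `python probe.py relay.verizon.net espresso.coffee.co.uk` from each vantage point and compare the step at which the 421 appears; a 4yz code at any step is transient as far as the sending MTA is concerned, which is why sendmail queues the message for five days rather than bouncing it.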
Old Jan 21, 05, 3:01 pm
  #51  
Yep that looks fairly conclusive for your IP address at that particular time. Here is a sample from my French ISP to my Verizon account...

Return-Path: <[email protected]>
Received: from smtp1.wanadoo.fr ([206.46.170.121]) by mta016.verizon.net
(InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP
id <[email protected] .wanadoo.fr>
for <[email protected]>; Fri, 21 Jan 2005 14:46:39 -0600
Received: from smtp1.wanadoo.fr (193.252.22.30) by sc003pub.verizon.net (MailPass SMTP server v1.1.1 - 121803235448JY) with ESMTP id <2-25697-23-25697-4516-1-1106340397> for mta016.verizon.net; Fri, 21 Jan 2005 14:46:39 -0600
Received: from me-wanadoo.net (localhost [127.0.0.1])
by mwinf0109.wanadoo.fr (SMTP Server) with ESMTP id 5702B1C00209
for <[email protected]>; Fri, 21 Jan 2005 21:46:37 +0100 (CET)
Received: from wwinf0102 (wwinf0102 [172.22.132.29])
by mwinf0109.wanadoo.fr (SMTP Server) with ESMTP id 548C41C001FD
for <[email protected]>; Fri, 21 Jan 2005 21:46:37 +0100 (CET)
X-ME-UUID: [email protected] r
Message-ID: <[email protected]>
From: xxxx <[email protected]>
Reply-To: [email protected]
To: [email protected]
Subject: test
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-Originating-IP: [208.179.69.254]
X-WUM-FROM: |~|
X-WUM-TO: |~|
X-WUM-REPLYTO: |~|
Date: Fri, 21 Jan 2005 21:46:37 +0100 (CET)

I'm not sure what the X-WUMs are, but this is pretty conclusive evidence that Verizon is accepting email from this French ISP. I wonder if it is a British thing since so many of the reports came from Britain? I tested France and Micronesia successfully so far. Sarah was the first to have a problem sending to me. If anyone has any other non US accounts that want to test, let me know via PM.
stimpy is online now  
Old Jan 21, 05, 3:14 pm
  #52  
I just looked in my trash file and found some emails from the UK. So some UK mail is making it through to Verizon. I guess you need to try to contact Verizon to see why they are blocking you. I am sure that is easier said than done!

Here is some spam from the UK

Return-Path: <[email protected]>
Received: from runshaw-stud.co.uk ([206.46.170.121]) by mta005.verizon.net
(InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP
id <[email protected] aw-stud.co.uk>
for <[email protected]>; Fri, 21 Jan 2005 06:56:07 -0600
Received: from runshaw-stud.co.uk (200.30.245.221) by sc008pub.verizon.net (MailPass SMTP server v1.1.1 - 121803235448JY) with SMTP id <4-31402-159-31402-143206-1-1106312164> for mta005.verizon.net; Fri, 21 Jan 2005 06:56:07 -0600
Message-ID: <[email protected]>
From: "Someone You Want"
Date: Fri, 21 Jan 2005 06:56:08 -0600

And here is some legit mail from the UK, from someone who is an NTL subscriber...


Return-Path: <[email protected]>
Received: from visiongaingroup.com ([192.168.1.2]) by mta020.verizon.net
(InterMail vM.5.01.06.06 201-253-122-130-106-20030910) with ESMTP
id <[email protected] ngaingroup.com>
for <[email protected]>; Thu, 18 Nov 2004 09:37:31 -0600
Received: from visiongaingroup.com (202.70.193.69) by sc015pub.verizon.net (MailPass SMTP server v1.1.1 - 121803235448JY) with ESMTP id <3-997-204-997-135276-1-1100792244> for mta020.verizon.net; Thu, 18 Nov 2004 09:37:32 -0600
Received: from IBMCA8D325E423 [80.168.243.66] by visiongaingroup.com with ESMTP
(SMTPD32-8.05) id A97622401A6; Thu, 18 Nov 2004 19:23:58 +0530
Reply-To: <[email protected]>
From: "xxxx" <[email protected]>
To: <[email protected]>
Subject: Wireless Services in Iraq
Date: Thu, 18 Nov 2004 13:47:21 -0000
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Importance: Normal

I also get email from Concorde-Hotels.com which is a Colt customer in France.

Last edited by stimpy; Jan 21, 05 at 3:20 pm
stimpy is online now  
Old Jan 21, 05, 3:17 pm
  #53  
Poking around more in my trash bin I see lots of other spam that originated in the UK, but was forwarded via other US servers. In fact, pretty much all the non-US spam I am getting now is coming from the UK. Maybe that is why Verizon is blocking some of the UK sites. But if they leave NTL open....???
stimpy is online now  
Old Jan 24, 05, 5:55 am
  #54  
 
<long boring geeky post>
Nice try Stimpy but you've fallen at the first hurdle with both emails you've posted. Let's start by looking at the one you claim came to you from NTL.

The email originated from a PC (possibly an IBM) with an IP address of 80.168.243.66. We can tell this from the line in the headers;

Received: from IBMCA8D325E423 [80.168.243.66] by visiongaingroup.com with SMTP
(SMTPD32-8.05) id A97622401A6; Thu, 18 Nov 2004 19:23:58 +0530


We can perform a WHOIS query on the IP address to find out where it belongs;

espresso:~$ whois -h whois.ripe.net 80.168.243.66
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum: 80.168.243.64 - 80.168.243.71
netname: VISIONGAIN
descr: Routed Connection
country: GB
admin-c: SAM80-RIPE
tech-c: CH309-RIPE
rev-srv: ns0.clara.net
rev-srv: ns1.clara.net
status: ASSIGNED PA
notify: [email protected]
mnt-by: AS8426-MNT
source: RIPE
changed: [email protected] 20041102

route: 80.168.0.0/16
descr: CLARA-AGG4
origin: AS8426
mnt-by: AS8426-MNT
changed: [email protected] 20030408
source: RIPE

role: Claranet Hostmaster
address: Claranet Ltd
address: 21 Southampton Row
address: London WC1B 5HA
address: United Kingdom
phone: +44 (0) 20 7685 8000
fax-no: +44 (0) 20 7685 8001
e-mail: [email protected]


This tells us that the ISP is not NTL but Claranet and the IP address belongs to a subnet that is allocated to Visiongain for a routed connection which means it's probably a leased line rather than ADSL (although that's not always the case).

So where did the email go from here? Well, looking further up the headers we see it was received by visiongaingroup.com (202.70.193.69) which is the Visiongain corporate email server. This is confirmed by doing an MX query (this asks which mailserver handles email for a particular domain) against the nameservers which gives;

espresso:~$ dig visiongaingroup.com mx
; <<>> DiG 8.4 <<>> visiongaingroup.com mx
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2180
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUERY SECTION:
;; visiongaingroup.com, type = MX, class = IN

;; ANSWER SECTION:
visiongaingroup.com. 1H IN MX 10 mail.visiongaingroup.com.
visiongaingroup.com. 1H IN MX 10 202.70.193.69.


OK, this mail server then passes the email onto the first of two Verizon mail servers. The question you now have to ask is whether the mailserver for Visiongain.com is in the UK.

We check this by doing a WHOIS query of the IP address and even before I do this just by looking at the number I can tell it's an Asia Pacific address. It actually turns out to be in India (belonging to India Online in fact);

espresso:~$ whois -h whois.apnic.net 202.70.193.69
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 202.70.192.0 - 202.70.207.255
netname: IOLNET
descr: India Online Network Ltd.
descr: Broadband ISP
descr: Mumbai
country: IN
admin-c: DT136-AP
tech-c: DT136-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-IN-IOL
changed: [email protected] 20010130
changed: [email protected] 20021007
changed: [email protected] 20021010
status: ALLOCATED PORTABLE
source: APNIC

route: 202.70.192.0/20
descr: Broadband - ISP
origin: AS9910
notify: [email protected]
mnt-by: APNIC-HM
changed: [email protected] 19991123
source: APNIC

person: Dhananjay Singh Thakur
nic-hdl: DT136-AP
e-mail: [email protected]
address: IOL Broadband Limited,
address: AB-01, Neelam Centre,
address: Hind Cycle Road, WORLI,
address: MUMBAI--400025, INDIA
phone: +91-22-56319400
fax-no: +91-22-56319401
country: IN
changed: [email protected] 20031212
mnt-by: MAINT-IN-IOL
source: APNIC


So, we now know that although the email originated in the UK, it wasn't from an NTL subscriber and it wasn't received by Verizon.net from a UK mailserver but one based in India. If Verizon.net was blocking UK emails this one would get round the block by using a mailserver in India which appears not to be blocked.

Now we've cleared that up let's look at the spam you think you received from the UK.

Again we need to look at headers carefully and understand how folks can try to make them mislead us.

The first IP address we see in the headers is 200.30.245.221. This IP address claims to be runshaw-stud.co.uk but that's a bit strange as the IP address originates in South America. We can do two things to confirm that something is amiss here. The first is simply do a WHOIS lookup of the IP address which gives;

espresso:~$ whois -h whois.lacnic.net 200.30.245.221

% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2005-01-24 09:24:31 (BRST -02:00)

inetnum: 200.30.240/20
status: reassigned
owner: Metropolis Intercom
ownerid: CL-MEIN-LACNIC
responsible: Eulogio Robles Perez
address: Avenida Jose Pedro Alessandri, 3082, Macul
address: -- - Santiago - RM
country: CL
phone: +56 2 8105442 []
owner-c: ERP
tech-c: ERP
inetrev: 200.30.240/20
nserver: NS-1.METROPOLIS-INTER.COM
nsstat: 20050120 AA
nslastaa: 20050120
nserver: NS-2.METROPOLIS-INTER.COM
nsstat: 20050120 AA
nslastaa: 20050120
created: 20011019
changed: 20011019
inetnum-up: 200.30.192/18


So the IP address is actually in Santiago, Chile. So where does the runshaw-stud.co.uk bit come from? It is conceivable that it could be a British company operating in Chile but let's find out what the WHOIS records for runshaw-stud.co.uk show;

espresso:~$ whois -h whois.nic.uk runshaw-stud.co.uk

Domain Name:
runshaw-stud.co.uk

Registrant:
Helen Tattersall

Administrative Contact's Address:
Unit 22 Walworth Enterprise Centre
Duke Close
West Way
Walworth Industrial Estate
Andover
Hampshire
SP10 5AP
UK

Registrant's Agent:
Namesco Limited [Tag = NAMESCO]
URL: http://www.names.co.uk

Relevant Dates:
Registered on: 09-Aug-2000
Renewal Date: 09-Aug-2006
Last updated: 10-Aug-2004

Registration Status:
Registered until renewal date.

Name servers listed in order:
ns0.phase8.net 212.84.175.69
ns1.phase8.net 212.84.175.68
ns2.phase8.net 80.253.126.16

WHOIS database last updated at 11:25:01 24-Jan-2005

--
(c) Nominet UK 1996 - 2005

For further information and terms of use please see http://www.nic.uk/whois
Nominet reserves the right to withhold access to this service at any time.


Now that doesn't look very Chilean to me so let's see if there is a slight chance that the email server for runshaw-stud.co.uk is based in Chile. Again, it's back to our old friend Dig to query the nameservers;
espresso:richard/etc/mail$ dig runshaw-stud.co.uk mx

; <<>> DiG 8.4 <<>> runshaw-stud.co.uk mx
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28023
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3
;; QUERY SECTION:
;; runshaw-stud.co.uk, type = MX, class = IN

;; ANSWER SECTION:
runshaw-stud.co.uk. 1D IN MX 30 fwd2.hosts.co.uk.
runshaw-stud.co.uk. 1D IN MX 30 fwd1.hosts.co.uk.

;; AUTHORITY SECTION:
runshaw-stud.co.uk. 1D IN NS ns0.phase8.net.
runshaw-stud.co.uk. 1D IN NS ns1.phase8.net.
runshaw-stud.co.uk. 1D IN NS ns2.phase8.net.

;; ADDITIONAL SECTION:
ns0.phase8.net. 1d23h59m55s IN A 212.84.175.69
ns1.phase8.net. 1d23h59m55s IN A 212.84.175.68
ns2.phase8.net. 1d23h59m55s IN A 80.253.126.16

;; Total query time: 5086 msec
;; FROM: espresso to SERVER: 192.168.0.10
;; WHEN: Mon Jan 24 11:31:05 2005
;; MSG SIZE sent: 36 rcvd: 214


We need to do a bit more work here to work out the IP addresses of the two mailservers which handle email for runshaw-stud.co.uk. Their hostnames are listed as fwd1.hosts.co.uk and fwd2.hosts.co.uk.

Using Dig to look up the IP addresses for these two hostnames we find that fwd1.hosts.co.uk is 212.84.175.148 and fwd2.hosts.co.uk is 212.84.175.146. Now there are reasons that this worries me but it has nothing to do with the legitimacy of the servers. We can immediately see that 212.84.175.148 and 212.84.175.146 are nowhere near the address in the email header of 200.30.245.221 so what is that IP address?

Back to the DNS tools and we do a host lookup which shows that the IP address has a hostname of pc-30-245-221.la-reina.pc.metropolis-inter.com. La Reina is a town in Chile and the fact that the hostname includes the word "PC" suggests strongly that it's a dial-up connection.

So the email came from a dial-up pc in La Reina, Chile. Not exactly from the UK. We still have to work out how the runshaw-stud.co.uk bit got there.

To do that you have to understand how email servers work. It's often a wise precaution to set your email server to reject incoming email that claims to be from a non-existent domain. Spammers therefore use legitimate domains belonging to other people to trick email servers into accepting their spams.

The domain works its way into the headers because of another thing that mail exchange systems do. If your PC is networked (and it needs to be to send email) it will have a network name. This network name may only be relevant locally as far as you are concerned but when you send an email from your PC that network name is sent in the headers of the email. If you tweak your network name to be runshaw-stud.co.uk then you can appear to send email from runshaw-stud.co.uk.

Often this trick is foiled because the receiving mail server tries to look for the public registered hostname for the IP address of the remote machine and if it finds it, it includes that in the headers. Had Verizon's mail server done this the header you would have seen would have said;

Received: from runshaw-stud.co.uk (pc-30-245-221.la-reina.pc.metropolis-inter.com [206.46.170.121]) by sc008pub.verizon.net

That might have given you some warning that the address was faked. Basically ignore any hostname or domain outside the () brackets.

So you can get email from France but us Brits are still out in the cold (and not responsible for your spam either!)

If you want to go poking around to find out where an email really came from you can check IP addresses at http://www.samspade.org

</long boring geeky post>

Last edited by SarahWest; Jan 24, 05 at 6:14 am
SarahWest is offline  
Old Jan 24, 05, 12:35 pm
  #55  
Sarah,

I don't have time to go through your message right now (day job and all), but I recall I did a quick traceroute to the IP address source of the visiongain email and it was NTL. It looks like you did a lot of work. I will try to poke through it when I get a chance.

But don't get hung up on DNS as it is inherently insecure and abused. Stick to the IP addresses.
stimpy is online now  
Old Jan 24, 05, 5:51 pm
  #56  
 
Originally Posted by stimpy
Sarah,

I don't have time to go through your message right now (day job and all), but I recall I did a quick traceroute to the IP address source of the visiongain email and it was NTL. It looks like you did a lot of work. I will try to poke through it when I get a chance.

But don't get hung up on DNS as it is inherently insecure and abused. Stick to the IP addresses.
Stimpy, I think you've just shot yourself in the foot and I don't think you're doing yourself any favours. If you used traceroute you were relying entirely on DNS information to give you a host lookup for every host on the route to the destination. However, DNS is not inherently insecure as you state and without it the internet wouldn't work. I'm not at all sure that you understand the way the internet works quite as well as you think you do.

When you read my post you'll see that I take the IP addresses and do a WHOIS query. This isn't DNS but a separate system. It is a much more powerful (and accurate) tool than simply using traceroute (which I have to say is the amateur sleuth method). The netblock that contains the Visiongain originating IP address has belonged to Claranet at least since April 2003 and probably longer so there's no way you should have come up with NTL. I've just done a traceroute to that IP address from a host in the USA and the route goes nowhere near NTL. I know for a fact that Claranet doesn't rely on NTL connectivity either.
SarahWest is offline  
Old Jan 24, 05, 5:59 pm
  #57  
 
OK Stimpy, if you wish to redeem yourself, take a look at the headers below in a spam I received moments ago;

Received: from c-67-184-203-205.client.comcast.net
(c-67-184-203-205.client.comcast.net [67.184.203.205])
by espresso.coffee.co.uk (8.12.11/8.12.11) with SMTP id j0ONmGJq012853
for <[email protected]>; Mon, 24 Jan 2005 23:48:26 GMT
X-Message-Info: GH910upcNI826SIJo675rixPfY8dakOU05gfEroqZ297
Received: from dns7westvalley.edu ([242.96.222.160]) by
[email protected] with Microsoft
SMTPSVC(5.0.2064.8904);
Mon, 24 Jan 2005 17:44:53 -0600
Message-ID: <[email protected]@stegmuehlhof.com>
Reply-To: "Milo Barnett" <[email protected]>
From: "Milo Barnett" <[email protected]>
To: "Hostmaster" <[email protected]>
Subject: lowest prices on your medications Avery
Date: Mon, 24 Jan 2005 17:44:53 -0600
MIME-Version: 1.0 (produced by arizona 56.23)
Content-Type: multipart/alternative;
boundary="--12728757886035385"
Content-Length: 1346


The question for you to answer is to whom did I submit an abuse report and why?
SarahWest is offline  
Old Jan 24, 05, 6:00 pm
  #58  
Um Sarah, you have completely shot yourself in the foot. Maybe read Internet for Dummies? Traceroute does NOT, I repeat NOT have the slightest thing to do with DNS. It uses ICMP. Please go read some of the relevant IETF RFCs. You may even find my name as the author of them.

Then go read the DNS Security RFCs. Then go learn a thing or two about WHOIS. Then come back and criticize. Honestly, why would you use DIG to find out who sent you an email? There is no direct relation!
stimpy is online now  
Old Jan 24, 05, 6:12 pm
  #59  
After taking a chill pill, I'll add I don't quite understand the hostility here. I'm trying to help in my very limited spare time. Obviously Verizon is NOT blocking all foreign email. I hope we have put that to bed. Maybe we can help figure out why some British sites are having problems. But tone down the attitude, eh?

If you have all the free time in the world, then come up with an answer to your problem.
stimpy is online now  
Old Jan 24, 05, 6:47 pm
  #60  
Originally Posted by stimpy
And here is some legit mail from the UK, from someone who is an NTL subscriber...
[..]
Received: from visiongaingroup.com (202.70.193.69) by sc015pub.verizon.net (MailPass SMTP server v1.1.1 - 121803235448JY) with ESMTP id <3-997-204-997-135276-1-1100792244> for mta020.verizon.net; Thu, 18 Nov 2004 09:37:32 -0600
All that Verizon's incoming SMTP server (mta020.verizon.net) cares about is the identity of the relay server that connects to it. In your example of a "mail from the UK", the IP address of the server that connects to Verizon's SMTP server is [202.70.193.69] and that address is a part of a block (202.70.192.0 - 202.70.207.255) that belongs to an ISP in Mumbai (India) called "India Online Network Ltd."
KVS is offline  
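The chain-walking that post #54 does by hand, and the point KVS makes above that only the address of the host that connected to the recipient's own SMTP server counts, as an added example for this thread (not code posted by any participant). It walks the Received: lines from the top, trusts only those written by the recipient's own MTAs, skips internal handoffs, and returns the first outside client address; everything the sender wrote, the HELO name included, is ignored. The header samples are constructed from the ones quoted in posts #52, #54 and #57, with the redacted addresses replaced by .invalid placeholders; the trusted host suffixes and the 206.46.170.0/24 "own relay" network are assumptions for the example (the network is taken from relay.verizon.net's address in the dig output in post #50). The WHOIS helper follows IANA's `refer:` line to the registry that holds a block rather than guessing it from the number; it needs network access and is not exercised by the built-in samples.

```python
"""Pull the verifiable connecting address out of a Received: chain.
Added example for this thread, not any participant's code: samples are
constructed from posts #52, #54 and #57; the trusted suffixes and the
206.46.170.0/24 own-relay network are assumptions for the example."""
import ipaddress
import re
import socket

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.I)


def unfold(raw):
    """Join folded continuation lines; return [[lowercased name, value], ...]."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name.strip().lower(), value.strip()])
    return fields


def parse_hops(raw):
    """Received: hops, most recent first, as dicts with helo/ip/rdns/by."""
    hops = []
    for name, value in unfold(raw):
        m = HOP.search(value) if name == "received" else None
        if not m:
            continue
        paren = m.group("paren") or ""
        ip = IPV4.search(paren)
        # Reverse-DNS name the receiver recorded: the non-address token in ().
        rdns = next((t for t in paren.split() if not IPV4.search(t)), None)
        hops.append({"helo": m.group("helo").rstrip("."), "ip": ip.group(1) if ip else None,
                     "rdns": rdns, "by": m.group("by").rstrip(".")})
    return hops


def connecting_host(raw, trusted_suffixes, own_networks=()):
    """Walk top-down while the 'by' host is ours, skipping internal handoffs
    (private or own-network client addresses); the first outside client
    address is the host that really connected.  Stop at the first line we
    did not write ourselves: below that, the sender wrote the chain."""
    suffixes = tuple(s.lower() for s in trusted_suffixes)
    nets = [ipaddress.ip_network(n) for n in own_networks]
    for hop in parse_hops(raw):
        if not hop["by"].lower().endswith(suffixes):
            break
        if hop["ip"] is None:
            continue
        try:
            addr = ipaddress.ip_address(hop["ip"])
        except ValueError:
            continue
        if addr.is_private or any(addr in n for n in nets):
            continue
        return hop
    return None


def whois(server, query, timeout=15):
    """Raw WHOIS (RFC 3912): one query line over TCP 43, read until close."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        data = b"".join(iter(lambda: sock.recv(4096), b""))
    return data.decode("utf-8", "replace")


def rir_whois(ip):
    """Follow IANA's 'refer:' line to the registry that holds the block,
    instead of guessing RIPE/APNIC/LACNIC from the number."""
    m = re.search(r"^refer:\s+(\S+)", whois("whois.iana.org", ip), re.M)
    server = m.group(1) if m else "whois.arin.net"
    return server, whois(server, ip)


# Constructed samples; redacted addresses replaced by .invalid placeholders.
SPAM_VIA_VERIZON = """\
Received: from runshaw-stud.co.uk ([206.46.170.121]) by mta005.verizon.net
    (InterMail vM.5.01.06.06) with ESMTP for <user@example.invalid>; Fri, 21 Jan 2005 06:56:07 -0600
Received: from runshaw-stud.co.uk (200.30.245.221) by sc008pub.verizon.net (MailPass SMTP server v1.1.1) with SMTP for mta005.verizon.net; Fri, 21 Jan 2005 06:56:07 -0600
"""
VISIONGAIN_VIA_VERIZON = """\
Received: from visiongaingroup.com ([192.168.1.2]) by mta020.verizon.net
    (InterMail vM.5.01.06.06) with ESMTP for <user@example.invalid>; Thu, 18 Nov 2004 09:37:31 -0600
Received: from visiongaingroup.com (202.70.193.69) by sc015pub.verizon.net (MailPass SMTP server v1.1.1) with ESMTP for mta020.verizon.net; Thu, 18 Nov 2004 09:37:32 -0600
Received: from IBMCA8D325E423 [80.168.243.66] by visiongaingroup.com with ESMTP
    (SMTPD32-8.05) id A97622401A6; Thu, 18 Nov 2004 19:23:58 +0530
"""
SPAM_TO_ESPRESSO = """\
Received: from c-67-184-203-205.client.comcast.net
    (c-67-184-203-205.client.comcast.net [67.184.203.205])
    by espresso.coffee.co.uk (8.12.11/8.12.11) with SMTP id j0ONmGJq012853
    for <hostmaster@example.invalid>; Mon, 24 Jan 2005 23:48:26 GMT
Received: from dns7westvalley.edu ([242.96.222.160]) by
    mail.example.invalid with Microsoft SMTPSVC(5.0.2064.8904); Mon, 24 Jan 2005 17:44:53 -0600
"""
```

`connecting_host(SPAM_VIA_VERIZON, (".verizon.net",), ("206.46.170.0/24",))` skips Verizon's internal InterMail line (its client address is Verizon's own relay) and returns the sc008pub hop, i.e. 200.30.245.221 with no reverse name, announced as runshaw-stud.co.uk; the Visiongain sample likewise resolves to 202.70.193.69, and the espresso sample to 67.184.203.205 with the forged dns7westvalley.edu line below the boundary never consulted. `rir_whois("200.30.245.221")` then returns the registry IANA refers to and that registry's answer for the block.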
