Am I spamming?
-
I got a couple "your mail could not be sent", referencing a domain I take care of. As far as I know, the mail server is fairly well locked down-- authenticated accounts only (and only for sending website notification, no user mail), huge random passwords, etc.
I'm not confident I'm reading the rejection notice I got (from, of course, mail.ru because of fucking course it's russia). I've anonymized my domain & IP, but is anyone good at reading these things?
A message that you sent was rejected by the local scanning code that checks incoming messages on this system. The following error was given: spam message rejected.
Please visit http://help.mail.ru/notspam-support/id?c=rVo90Oq2zbY7sHtw55eQjviDdemyJDJvXsDGek9T2L5dfGINrpMMOSEAAABjAAAAxR40LQ~~ or report details to abuse@corp.mail.ru.
Error code: D03D5AADB6CDB6EA707BB03B8E9097E7E97583F86F3224B27AC6C05EBED8534F0D627C5D390C93AE. ID: 00000021000000632D341EC5.
------ This is a copy of your message, including all the headers. ------
No more than 1K characters of the body are included.
Received: from [213.87.224.86] (ident=mail) by del9.m.smailru.net with local (envelope-from <zgwgz@LORNEREDACTED.com>) id 1fnrpE-0007Bw-QW for lenysik-1003@mail.ru; Thu, 09 Aug 2018 23:46:28 +0300
X-ResentFrom: <lenysik1812@mail.ru>
X-MailRu-Forward: 1
Authentication-Results: mxs.mail.ru; spf=permerror (mx23.mail.ru: error in processing during lookup of domain of LORNEREDACTED.com: include: or redirect= caused unlimited recursion) smtp.mailfrom=zgwgz@LORNEREDACTED.com smtp.helo=mail.howsecureismypassword.net
Received-SPF: permerror (mx23.mail.ru: error in processing during lookup of domain of LORNEREDACTED.com: include: or redirect= caused unlimited recursion) client-ip=213.87.224.86; envelope-from=zgwgz@LORNEREDACTED.com; helo=mail.howsecureismypassword.net;
Received: from [213.87.224.86] (port=54832 helo=mail.howsecureismypassword.net) by mx23.mail.ru with esmtp (envelope-from <zgwgz@LORNEREDACTED.com>) id 1fnrp6-0001zs-Pt; Thu, 09 Aug 2018 23:46:23 +0300
Received: from gMailpost (145.22.21.10) by antiplastics.com (10.21.7.40) with Microsoft SMTP Server id 14.3.294.0; Thu, 9 Aug 2018 23:45:53 +0300
Received: from 10.40.19.5 ([10.58.241.16]) by gMailpost with Microsoft SMTPSVC(9.4.4112.85412); Thu, 9 Aug 2018 23:45:53 +0300
Date: Thu, 9 Aug 2018 23:45:53 +0300
To: <kostya49-stydent@mail.ru>
From: "ttypo.de" <zgwgz@LORNEREDACTED.com>
Subject: =?windows-1251?B?x+D36PHr5e3o5Q==?=
Message-ID: <9KZ33EB8-8242-4E78-A46B-IPBB7639917D@googlegroups.com>
X-Priority: 3
X-Mailer: PHPMailer 5.2.1 (http://code.google.com/a/apache-extras.org/p/phpmailer/)
MIME-Version: 1.0
Content-Type: text/html; charset="windows-1251"
Content-Transfer-Encoding: quoted-printable
X-OriginalArrivalTime: Thu, 9 Aug 2018 23:45:53 +0300.0585 (UTC) FILETIME=[4A07EE10:01D24C3F]
X-KLMS-Rule-ID: 11
X-KLMS-Message-Action: skipped
X-KLMS-AntiSpam-Status: not checked
X-KLMS-AntiVirus: Kaspersky Security 8.0 for Linux Mail Server 8.0.0.455, not checked
X-1B851999: 1
X-6b629377: 1
-
@Lorne-Kates seems to say you have a redirect loop. if maybe it is bad at making sense, maybe it's bitching about an open redirect maybe (maybe).
-
@Lorne-Kates Do you control either of:
145.22.21.1
10.40.19.5
If not then it's just your standard faked sender domain, I get a ridiculous number of bounces per day like this. Spammers seem to think spoofing your domain adds legitimacy or something.
-
Set up SPF on your domain. If you never send emails from your domain, a TXT record containing
v=spf1 -all
will do quite nicely.
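To show what that record actually does when a receiver evaluates it, here is a small SPF evaluator added to this thread (it is not anything the posters wrote). It resolves against a constructed stub of TXT records using RFC 2606 reserved names and RFC 5737 documentation addresses instead of live DNS, and goes a little beyond the post: besides showing that v=spf1 -all yields "fail" for every source address, it enforces the RFC 7208 limit of ten DNS-querying terms, which is what turns an include: loop into the "permerror" that mail.ru reported in the bounce above rather than unlimited recursion. Only ip4/ip6, include, all and redirect= are modelled; a, mx, ptr and exists are rejected as unsupported in this stub.

```python
import ipaddress

# Constructed stub of DNS TXT records, keyed by domain. A real evaluator would query DNS here.
STUB_TXT = {
    "notify-only.example": "v=spf1 -all",                                     # never sends mail
    "sender.example": "v=spf1 ip4:192.0.2.0/24 include:relay.example -all",  # own range + a relay
    "relay.example": "v=spf1 ip4:198.51.100.7 ~all",
    "hop.example": "v=spf1 redirect=sender.example",
    "loop-a.example": "v=spf1 include:loop-b.example -all",                  # mutual include loop
    "loop-b.example": "v=spf1 include:loop-a.example -all",
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: include/redirect/a/mx/ptr/exists share this budget
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Unrecoverable record error; receivers report it as 'permerror'."""


def _spend(budget):
    """Charge one DNS lookup against the shared budget; exceeding it is a permerror."""
    budget[0] -= 1
    if budget[0] < 0:
        raise PermError("more than %d DNS-querying terms" % MAX_DNS_LOOKUPS)


def check_host(ip, domain, budget=None):
    """Evaluate the SPF record of `domain` for sender `ip`; return the SPF result string."""
    if budget is None:
        budget = [MAX_DNS_LOOKUPS]  # a list so nested include/redirect calls share one counter
    record = STUB_TXT.get(domain)
    if record is None or record.split()[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":")[0]:            # modifier, e.g. redirect=other.example
            mod, _, value = term.partition("=")
            if mod.lower() == "redirect":
                redirect = value                  # only honoured if no mechanism matches
            continue                              # exp= and unknown modifiers are ignored
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            # A v4 address is never inside a v6 network (and vice versa); ipaddress handles that.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif mech == "include":
            _spend(budget)
            inner = check_host(ip, arg, budget)
            if inner == "pass":
                return QUALIFIER_RESULT[qualifier]
            if inner == "none":                   # RFC 7208 section 5.2: included domain lacks a record
                raise PermError("include:%s has no SPF record" % arg)
        else:                                     # a, mx, ptr, exists: not modelled by this stub
            raise PermError("unsupported mechanism %s" % mech)
    if redirect is not None:
        _spend(budget)
        return check_host(ip, redirect, budget)
    return "neutral"                              # fell off the end without an 'all'


def evaluate(ip, domain):
    """check_host() with permerror folded into the return value, the way a receiver logs it."""
    try:
        return check_host(ip, domain)
    except PermError:
        return "permerror"


if __name__ == "__main__":
    for ip, dom in [("203.0.113.5", "notify-only.example"), ("192.0.2.44", "sender.example"),
                    ("198.51.100.7", "sender.example"), ("203.0.113.5", "loop-a.example")]:
        print("%-14s %-22s %s" % (ip, dom, evaluate(ip, dom)))
```

The point of the shared budget is the same one mail.ru's error message hints at: every include: and redirect= costs a lookup, so a record that refers back to itself, directly or through another domain, runs out of budget and is rejected outright instead of being retried forever.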
-
@Cursorkeys said in Am I spamming?:
@Lorne-Kates Do you control either of:
10.40.19.5
I can tell you right now that Lorne Kates does not have control over the
10.0.0.0/8
reserved IP range.
-
@ben_lubar He might have control over a
10.0.0.0/8
range.
-
@loopback0 said in Am I spamming?:
@ben_lubar He might have control over a
10.0.0.0/8
range.
Probably not one in Russia, especially if he's not sure if he's running a spam botnet.
-
@ben_lubar said in Am I spamming?:
@loopback0 said in Am I spamming?:
@ben_lubar He might have control over a
10.0.0.0/8
range.
Probably not one in Russia, especially if he's not sure if he's running a spam botnet.
Oh, speaking of, we got probed a week ago.
-
@Lorne-Kates said in Am I spamming?:
Received: from [213.87.224.86]
I could be mistaken, but, according to WHOIS, that address belongs to a cell network in Siberia. You are probably clean. Like others say, make sure you have SPF records on the domain of your mail server.
The link from the bounce mail leads to a "I'm not a spammer" form of a widely used Russian e-mail service, which you probably won't need unless you have customers there.
-
@Lorne-Kates are you sending your emails from your own servers, or via a service?
We used to send from our own mail server, but our deliverability fell sharply, and our members complained they were no longer receiving our emails. This was despite us being a fairly large, well-known company.
We decided to move to using SendGrid, and we now have 99% deliverability, because they know their shit. Their diagnostic tools are very good when you do need to investigate why a particular person isn't receiving mail. It's usually because they've manually marked your message as spam (which you can see in the tools), or because their address is wrong.
Seriously though, for how cheap the service is, I'd recommend using SendGrid, or an equivalent service like MailGun, MailChimp, etc. It's saved so much time, and the quality of service is top notch.
-
@Cursorkeys said in Am I spamming?:
@Lorne-Kates Do you control either of:
145.22.21.1
10.40.19.5
That one's mine.
More seriously, there appears to be insufficient information. From
https://www.spamcop.net/sc?id=z6478604105z3d7a370f3a54a9635ceb7168e29420e0z
Parsing header:
0: Received: from [213.87.224.86] (ident=mail) by del9.m.smailru.net with local (envelope-from <zgwgz@LORNEREDACTED.com>) id 1fnrpE-0007Bw-QW for x; Thu, 09 Aug 2018 23:46:28 +0300
No unique hostname found for source: 213.87.224.86
Possible forgery. Supposed receiving system not associated with any of your mailhosts
Will not trust this Received line.
Mailhost configuration problem, identified internal IP as source
Mailhost: Please correct this situation - register every email address where you receive spam
No source IP address found, cannot proceed.
-
@Lorne-Kates said in Am I spamming?:
I'm not confident I'm reading the rejection notice I got
If none of the IP addresses (not the domain/hostnames) in any of the Received headers correspond to any of the external IP addresses (10.*.*.* doesn't count) of the service you maintain, it's very unlikely to be a problem and very likely to be just someone faking a From field (which is trivially easy). Almost all spammers aren't competent enough to fake a Received chain properly, and it's quite difficult to do as that requires actual understanding of how email custody chains work.
Getting SPF set up is a good idea, but the omens emitted by this set of headers (given that 145.22.21.10 isn't routable) are that this is just a trivial forgery and nothing to worry about.
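The check described in this reply, walking the Received: chain and asking whether any hop's source IP is one of your own public addresses, as an added example (not code from anyone in the thread). It unfolds the headers, takes only the "from" side of each Received: line (the "by" side is the receiver, not the source), separates routable source addresses from RFC 1918 and other non-global ones with the standard library's ipaddress module, and intersects the routable set with a placeholder list of the hosts you operate. The sample input is the Received: chain from the bounce quoted at the top of the thread, lightly trimmed; MY_PUBLIC_IPS is a constructed placeholder in the RFC 5737 documentation range.

```python
import ipaddress
import re

# Constructed sample: the Received: chain from the bounce quoted in the thread, trimmed,
# plus two non-Received headers so the parser has something to skip.
SAMPLE_HEADERS = """\
Received: from [213.87.224.86] (ident=mail) by del9.m.smailru.net with local
    (envelope-from <zgwgz@LORNEREDACTED.com>) id 1fnrpE-0007Bw-QW
    for lenysik-1003@mail.ru; Thu, 09 Aug 2018 23:46:28 +0300
Received-SPF: permerror client-ip=213.87.224.86; helo=mail.howsecureismypassword.net;
Received: from [213.87.224.86] (port=54832 helo=mail.howsecureismypassword.net)
    by mx23.mail.ru with esmtp id 1fnrp6-0001zs-Pt; Thu, 09 Aug 2018 23:46:23 +0300
Received: from gMailpost (145.22.21.10) by antiplastics.com (10.21.7.40)
    with Microsoft SMTP Server id 14.3.294.0; Thu, 9 Aug 2018 23:45:53 +0300
Received: from 10.40.19.5 ([10.58.241.16]) by gMailpost
    with Microsoft SMTPSVC(9.4.4112.85412); Thu, 9 Aug 2018 23:45:53 +0300
From: "ttypo.de" <zgwgz@LORNEREDACTED.com>
"""

# Placeholder (RFC 5737 test range): the public addresses of the mail hosts you actually run.
MY_PUBLIC_IPS = {"192.0.2.10"}

# Dotted quads not embedded in a longer dotted string (so "9.4.4112.85412" does not match).
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def unfold_headers(raw):
    """Join RFC 5322 folded continuation lines; return (lower-cased name, value) pairs."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields


def received_hops(raw):
    """One dict per Received: header, in header order (top of the message = most recent hop)."""
    hops = []
    for name, value in unfold_headers(raw):
        if name != "received":
            continue
        # 'from <sender> by <receiver> with ...': only the sender side identifies the source.
        from_part, _, by_part = value.partition(" by ")
        source_ips = [ip for ip in IPV4_RE.findall(from_part) if _valid_ip(ip)]
        hops.append({
            "from": from_part.removeprefix("from ").strip(),
            "by": by_part.split(" with ")[0].strip(),
            "source_ips": source_ips,
            # is_global is False for RFC 1918, loopback, link-local and other reserved ranges.
            "routable": [ip for ip in source_ips if ipaddress.ip_address(ip).is_global],
        })
    return hops


def verdict(raw, my_ips=MY_PUBLIC_IPS):
    """Which routable sources appear in the chain, which are private, and which are ours."""
    hops = received_hops(raw)
    routable = {ip for hop in hops for ip in hop["routable"]}
    all_sources = {ip for hop in hops for ip in hop["source_ips"]}
    return {
        "routable_sources": sorted(routable),
        "private_sources": sorted(all_sources - routable),
        "mine": sorted(routable & set(my_ips)),
    }


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_HEADERS):
        print("from %-55s by %-30s routable=%s" % (hop["from"], hop["by"], hop["routable"]))
    print(verdict(SAMPLE_HEADERS))
```

Read the hops bottom-up to follow the message's claimed path; an empty "mine" list means none of the routable sources is a host you operate, which is the "just a forged From" outcome the reply describes. Private addresses in the chain are whatever the forger or the first relay wrote down and cannot be traced, which is why they are reported separately rather than matched.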
-
@ben_lubar said in Am I spamming?:
@Cursorkeys said in Am I spamming?:
@Lorne-Kates Do you control either of:
10.40.19.5
I can tell you right now that Lorne Kates does not have control over the
10.0.0.0/8
reserved IP range.
I blame drinking whisky wrong for that one.
Also, who needs a private /8.
-
@Cursorkeys said in Am I spamming?:
@ben_lubar said in Am I spamming?:
@Cursorkeys said in Am I spamming?:
@Lorne-Kates Do you control either of:
10.40.19.5
I can tell you right now that Lorne Kates does not have control over the
10.0.0.0/8
reserved IP range.
I blame drinking whisky wrong for that one.
Also, who needs a private /8.
127.0.0.0/8 is also a private /8, and you might argue that it's even more private.
-
@Cursorkeys I don't NEED one, per se, but my home network is set up on the 10. schema for two reasons:
- Looks cleaner for me when separating things out for DHCP vs static addresses
- Unskilled malicious wireless attackers likely wouldn't expect that from a home network and it'd help stonewall them from messing with my router. (Mind you, since I switched over to my AmpliFi router, there's pretty much fuckall you can do from a PC anyway, since for some reason they only let you do a subset of the normal functions via a browser and the rest of the configuration has to be done via a mobile app...)
-
@Cursorkeys said in Am I spamming?:
Also, who needs a private /8.
We do - see link from my previous post. (the /12 and /16 are used for other things as well.)
-
@Cursorkeys said in Am I spamming?:
drinking whisky wrong
There is no such thing. It is not possible.
Well, except for butt chugging.
-
@PJH said in Am I spamming?:
@Cursorkeys said in Am I spamming?:
Also, who needs a private /8.
We do - see link from my previous post. (the /12 and /16 are used for other things as well.)
Interesting! Well, ok you do then :)
Is having such a large broadcast domain actually a problem in practice? I've always wondered about that piece of advice.
@Polygeekery said in Am I spamming?:
@Cursorkeys said in Am I spamming?:
drinking whisky wrong
There is no such thing. It is not possible.
I'm reliably informed that it is:
@blakeyrat said in WTF Bites:
You're drinking wrong.
-
@Cursorkeys said in Am I spamming?:
Is having such a large broadcast domain actually a problem in practice? I've always wondered about that piece of advice.
It's only a problem if you try broadcasting, because (here) you're not actually allowed to broadcast.
(In reality they're broken up into smaller CIDR blocks, where if there's actually a need to broadcast, then it can be permitted within a (sub-)block of a /24 or /25, e.g.)
@Cursorkeys said in Am I spamming?:
I'm reliably informed that it is:
@blakeyrat said in WTF Bites:
You're drinking wrong.
Well as long as you're not having a whiskey enema, it's difficult to get it not-right.
-
@PJH said in Am I spamming?:
Well as long as you're not having a whiskey enema
-
@DoctorJones said in Am I spamming?:
@PJH said in Am I spamming?:
Well as long as you're not having a whiskey enema
I don't think that's how one works.
-
@PJH said in Am I spamming?:
@Cursorkeys said in Am I spamming?:
I'm reliably informed that it is:
@blakeyrat said in WTF Bites:
You're drinking wrong.
Well as long as you're not having a whiskey enema, it's difficult to get it not-right.
You'd be surprised.
-
@boomzilla The man has a drinking problem, show some sympathy.
-
@boomzilla Darn, beat me to it!