MTN SMTP servers blacklisted

Looks more like a dynamic IP to me. MTN's mail servers sit in the 196 range:
smtp.mtn.co.za. 600 IN A 196.11.240.32
smtp.mtn.co.za. 600 IN A 196.11.240.33
smtp.mtn.co.za. 600 IN A 196.13.230.130
smtp.mtn.co.za. 600 IN A 196.13.230.131
smtp.mtn.co.za. 600 IN A 196.13.230.156
smtp.mtn.co.za. 600 IN A 196.13.230.165

mail.mtn.co.za. 300 IN A 196.11.240.20

Where did you come across that IP?
 
I have a client who was battling to receive mail from someone and this came up in the mail logs. Unfortunately I have no idea what the setup looks like on the sender's end.

Below is the mail header info (I have removed email addresses and host names):

X-Spam-Flag: YES
X-Spam-Score: 5.384
X-Spam-Level: *****
X-Spam-Status: Yes, score=5.384 tag=2 tag2=4 kill=5 tests=[AWL=0.863,
HTML_MESSAGE=0.001, RCVD_IN_BL_SPAMCOP_NET=2.188,
RCVD_IN_SORBS_WEB=1.117, TVD_FW_GRAPHIC_NAME_MID=1.205,
T_TVD_FW_GRAPHIC_ID1=0.01]
Received: from unknown by localhost (amavisd-new, unix socket) id jp2wI3wtA0XM
for <XXXX@XXXX>; Thu, 29 May 2008 19:20:36 +0200 (SAST)
Received: from blizzard.stormnet.co.za (blizzard.stormnet.co.za [196.22.220.24])
by XXXX (amavisd-milter) id m4THKOo3052330;
Thu, 29 May 2008 19:20:24 +0200 (SAST)
(envelope-from <XXXX>)
Received: from smtp5a.wadns.net ([196.40.109.25] helo=mail5.wadns.net)
by blizzard.stormnet.co.za with esmtp (Exim 4.62 (FreeBSD))
(envelope-from <XXXX>)
id 1K1lgt-0000Ur-8W
for XXXX; Thu, 29 May 2008 19:13:37 +0200
Received: from 41-208-50-160.mtnns.net [41.208.50.160] by mail5.wadns.net with SMTP;
 
Looks legit to me. Your client's mail server seems to be the problem. The original sending IP is 41-208-50-160.mtnns.net [41.208.50.160]; this is most likely one of MTN's dynamic IPs (think 3G card). This machine made a connection to mail5.wadns.net which in turn connected to blizzard.stormnet.co.za.

It seems spamcop is set to traverse through the received list and check each one of these against a blacklist. In which case, every dynamic IP should cause RCVD_IN_BL_SPAMCOP_NET to trigger (probably not a problem if no other rules trigger as well).

You should rather look at blocking connections to port 25 directly based on rbl checks rather than have spamassassin traverse through the received headers (if you're running qmail, look into rblsmtpd and tcpserver). This will save bandwidth as the connection is dropped before data is even sent to the server (of course, you lose some functionality in spamassassin as you only check the connecting IP instead of the entire list of sending servers). Your other option is to find out how to prevent spamassassin from checking the first "received" header.


Your short-term fix would be to find out why TVD_FW_GRAPHIC_NAME_MID is triggering (can't find it in the standard ruleset, I might be blind though). My guess would be that it's simply a forwarded email with either an inline or attached image. Maybe ask the sender to forward the image as an attachment and write something less spammy in the body.

Hope that's helpful
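The difference the post above draws between checking every hop in the Received chain and checking only the connecting IP, as an added example (not code from the thread or from SpamAssassin): it parses the quoted headers, extracts the sending address of each hop, and compares the two policies against a constructed stand-in for a DNSBL in which only the MTN address is listed.

```python
import re

# Constructed sample: the Received chain quoted in the thread, trimmed to
# the hop lines (addresses redacted as in the original post).
SAMPLE_HEADERS = """\
Received: from unknown by localhost (amavisd-new, unix socket) id jp2wI3wtA0XM
 for <XXXX@XXXX>; Thu, 29 May 2008 19:20:36 +0200 (SAST)
Received: from blizzard.stormnet.co.za (blizzard.stormnet.co.za [196.22.220.24])
 by XXXX (amavisd-milter) id m4THKOo3052330;
Received: from smtp5a.wadns.net ([196.40.109.25] helo=mail5.wadns.net)
 by blizzard.stormnet.co.za with esmtp (Exim 4.62 (FreeBSD))
Received: from 41-208-50-160.mtnns.net [41.208.50.160] by mail5.wadns.net with SMTP;
"""

# Constructed stand-in for a DNSBL: only the dynamic MTN address is "listed".
# A real lookup would query <reversed-ip>.bl.spamcop.net over DNS instead.
FAKE_DNSBL = {"41.208.50.160"}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold(headers):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines

def received_ips(headers):
    """Sending IP of each Received: header, newest hop first; None if no [ip]."""
    ips = []
    for line in unfold(headers):
        if line.lower().startswith("received:"):
            m = IP_RE.search(line)
            ips.append(m.group(1) if m else None)
    return ips

def check_all_hops(headers, dnsbl):
    """Traverse-the-chain policy (as the post describes): every hop is looked up."""
    return [ip for ip in received_ips(headers) if ip and ip in dnsbl]

def check_connecting_only(headers, dnsbl, trusted=frozenset()):
    """SMTP-time policy (rblsmtpd-style): only the first hop outside 'trusted' counts."""
    for ip in received_ips(headers):
        if ip is None or ip in trusted:
            continue  # internal delivery (amavisd) or a relay we trust
        return [ip] if ip in dnsbl else []
    return []
```

With the Storm relay and wadns added to the trusted set, the connecting-only check reaches the MTN hop again, which is why the original poster's whitelist is the pragmatic fix while mail still arrives via Storm.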
 
I was under the impression MTN didn't have the equivalent of Vodacom's unrestricted APN. I suspect this is a gateway of sorts with a fixed IP and not a dynamic IP.

As I have not had this problem with other senders I have simply whitelisted this particular sender and will see how it goes. I can't use RBLs because their mail is delivered to Storm and then passed on to them (will be changing this when they move ISP) so spamassassin needs to stay.

Thanks for the suggestions. I had already worked around the problem, just thought I'd mention it for the benefit of others :)
 