Spam Blacklists and Peter G

I was reading Peter Glaskowsky's blog, Speeds and Feeds, where he posits that some of the mail he sends through Comcast (his ISP) is being blocked because his Comcast IP address is on a blacklist.

I was going to add a comment, but it was getting long, so I thought I would explain my theory here. So, first, go read his blog entry. I'll wait. Then come back here for my theory.

Welcome back.

I don't think that Peter's problem is his Comcast IP address being on a blacklist. I think the problem is that one of the mac.com mail servers is on a blacklist.

As I mentioned before on a private list, at the office I have one external user with a mac.com address who has problems with *some* of his mail being blocked by our mail filter. Whenever his mail goes out through one particular mac.com server it is blocked, because that server's IP address is on our vendor's blacklist (we use the Websense/SurfControl mail filter product). The vendor keeps a database of known spam IP addresses that it builds with an automated process: if its sensors classify 99%+ of the mail from a particular IP address as spam, that IP address goes on the blacklist. We use that blacklist to block about 80% of the spam attempts we get (about 500,000 a day).

If I take the headers from one of Peter's mail messages and run them through the excellent Email Header Analyzer at http://www.mxtoolbox.com/EmailHeaders.aspx , I see that his mail arrives from one of the mac.com servers (asmtp020.mac.com). His email address domain name (that's the part after the "@" in your email address) is mac.com, not comcast.net, and a mac.com mail server is the one handing his email to the recipient. The IP address of that mac.com server, the machine that actually connects to the recipient's mail server, is the address the blacklists use to decide whether the sender is a spammer.

In my external user's case, each message he sends from mac.com is handed to one of many mac.com outbound mail servers, effectively at random. Usually that works fine. But one of those mac.com mail servers is on our blacklist, so any message of his that happens to go out through that 'bad' server gets blocked.

Again, this is an intermittent problem that only happens when his message is assigned to a 'bad' mail server. And that's what I think is happening, at random, to Peter's email.

A computer infected with a 'spam bot' sends mail through an SMTP engine that the malware installed along with the bot. The spammer then relays messages through the bot using that built-in mail engine, so the mail appears to come from a 'mail server' at the infected computer's IP address.

If that computer has Comcast (or anyone else) as its Internet Service Provider, then the user's Comcast-assigned IP address is what the receiving side sees as the address of the 'mail server' sending the spam, and that address will eventually end up on a blacklist. That's why you see lots of Comcast IP addresses on spam lists.

Peter’s mail is not coming from a Comcast email address. It is coming from a mail server at mac.com. And one of those mac.com mail servers is on the blacklist.

Now, it could be that Peter's Comcast IP address falls within an IP range on a blacklist; many blacklists deliberately list whole residential dynamic ranges, since legitimate mail is not expected to come straight from them. That would only matter if Peter ran his own mail server at home, because then his mail would really be coming from that Comcast IP address. (Although in that case he would normally have a static IP address and an MX, Mail Exchange, record for his domain name pointing at it.)

But Peter's mail is coming from mac.com. The headers show it: the domain in his address does not by itself force that (the outgoing server is whatever his mail client is set to use), but the Received lines show a mac.com server handing the message over. So it may be that the messages that aren't being delivered are the ones that went out through a 'bad' mac.com mail server, and that mac.com mail server is the one on the blacklist.
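To make the header argument above concrete (and the spam-bot case before it), here is an added example that is not code from the original post or from any mail filter vendor. It parses a message's Received lines the way a border mail filter does, picks out the IP that connected to our server, builds the reversed-octet name a DNS blacklist lookup would use, and checks it against a stand-in blacklist. All host names, addresses (RFC 5737 documentation ranges), the asmtp021.mac.com relay name and the blacklist contents are constructed for the example; only asmtp020.mac.com comes from the post.

```python
"""Pick out the IP a mail filter scores, and look it up the way a DNSBL would.

Added example, not code from the original post or from any mail vendor.
Host names, addresses and the blacklist contents are constructed (RFC 5737
documentation ranges, placeholder DNSBL zone), so nothing touches the network.
"""
import email
import ipaddress
import re

# Mail hosts we operate. A Received line "by" one of these is a hop we trust.
OUR_HOSTS = {"mx-in.example.org", "spool.example.org"}
INTERNAL_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]

# Stand-in for the vendor's IP blacklist (constructed): one relay address
# and one residential address are listed.
LOCAL_BLACKLIST = {"198.51.100.20", "192.0.2.77"}
DNSBL_ZONE = "dnsbl.example"  # placeholder; a real check queries e.g. zen.spamhaus.org

# "from <helo> (... [<ip>]) by <host>", possibly folded across lines.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?by\s+(?P<by>\S+)",
    re.DOTALL,
)


def make_message(hops):
    """Build a constructed message. hops: (from_host, from_ip, by_host), oldest
    first. Each MTA prepends its Received line, so the newest hop is written first."""
    lines = []
    for n, (from_host, from_ip, by_host) in enumerate(reversed(hops), 1):
        lines.append(
            f"Received: from {from_host} ({from_host} [{from_ip}])\n"
            f"\tby {by_host} with ESMTP id {n}; Tue, 1 Jan 2008 10:00:00 -0500"
        )
    return "\n".join(lines) + "\nFrom: user@mac.com\nTo: someone@example.org\nSubject: test\n\nbody\n"


def border_hop(raw_message):
    """Return (from_host, ip) for the client that connected to our first MTA.

    Walk Received lines newest-first and stop at the first hop received *by*
    one of our hosts from an address outside our network. That address is
    what the blacklist scores; anything behind it (the user's own machine,
    its ISP) is invisible to the filter.
    """
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m is None:
            continue  # unparseable Received line: ignore it
        ip = ipaddress.ip_address(m["ip"])
        if m["by"] in OUR_HOSTS and not any(ip in net for net in INTERNAL_NETS):
            return m["helo"], m["ip"]
    return None


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Reversed-octet name a resolver looks up: 198.51.100.20 -> 20.100.51.198.<zone>.
    A listed address answers with an A record in 127.0.0.0/8."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip, blacklist=LOCAL_BLACKLIST):
    """Offline stand-in for the DNS lookup, against the constructed set above."""
    return ip in blacklist


def filter_verdict(raw_message):
    hop = border_hop(raw_message)
    if hop is None:
        return {"verdict": "unknown", "reason": "no trusted border hop found"}
    host, ip = hop
    return {"from_host": host, "ip": ip, "query": dnsbl_query_name(ip),
            "verdict": "block" if is_listed(ip) else "accept"}


# Constructed scenarios: the same residential submitter (192.0.2.77) sends
# through a listed mac.com-style relay, through a clean one, and directly.
SUBMITTER = ("c-192-0-2-77.hsd1.example.net", "192.0.2.77")
INTERNAL_HOP = ("mx-in.example.org", "127.0.0.1", "spool.example.org")
VIA_LISTED_RELAY = make_message([(*SUBMITTER, "asmtp020.mac.com"),
                                 ("asmtp020.mac.com", "198.51.100.20", "mx-in.example.org"),
                                 INTERNAL_HOP])
VIA_CLEAN_RELAY = make_message([(*SUBMITTER, "asmtp021.mac.com"),
                                ("asmtp021.mac.com", "198.51.100.21", "mx-in.example.org"),
                                INTERNAL_HOP])
DIRECT_FROM_BOT = make_message([(*SUBMITTER, "mx-in.example.org"), INTERNAL_HOP])

if __name__ == "__main__":
    for name, raw in [("via listed relay", VIA_LISTED_RELAY),
                      ("via clean relay", VIA_CLEAN_RELAY),
                      ("direct from bot", DIRECT_FROM_BOT)]:
        print(f"{name:18} {filter_verdict(raw)}")
```

Run it and the three scenarios tell the story of the post: the submitter's residential address is listed, yet its mail is accepted when it goes out through the clean relay, because the filter only ever sees the relay's address; it is blocked through the listed relay for the same reason; and it is blocked outright when the machine connects directly, which is the spam-bot case. The one design point worth copying is the trusted-hop walk: never score the topmost Received line blindly, since a sender can forge any Received lines below the ones your own servers add.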

That’s my theory. You are welcome to discuss it in the comments.
