[SC-Help] Re: Understanding dsbl?
Mike Easter
MikeE at ster.invalid
Thu Jun 23 15:13:07 EDT 2005
Alan Harper wrote:
> A colleague who I work with is in Mexico, so he needs to use
> telnor.net as his ISP. He has a windows computer and is sending mail
> using Outlook, through a router (don't know which model), and uses
> opensourcehost.com as the smtp server. Our web site,
> terrapeninsular.org, maps to jag.opensourcehost.com = 69.93.35.100.
That all fits with what you've posted. But if you want to work that
'router' into the conversation it is going to make things sound more
complicated than they need to.
IMO 200.79.150.31 rDNS red-corp-200.79.150.31.telnor.net is your
friend's user IP and the headers show the item going from that IP to his
smtpserver to your spamcop account. Whether there is just one machine
or a little network doing network address translation behind a NAT
device or 'switch router' isn't really important. Whatever that is is
represented by the IP 200.79.150.31 - whether it be one machine or a
router representing one IP for several machines.
The headers also show SC spotting the blocklisted IP and also passing
the mailitem because its From domainname is whitelisted.
X-SpamCop-Checked: 192.168.1.101 69.93.35.100 200.79.150.31
X-SpamCop-Disposition: Blocked list.dsbl.org
X-SpamCop-Whitelisted: terrapeninsular.org
> I guess the first question is, do you think that 200.79.150.31 is the
> IP of his router, or a computer that is somewhere "upstream" of his
> computer?
I have a so-called switch router [actually just a NAT device] on my
little network. As a result of that, my 'machine' doesn't really have
my IP. My machine has an address translation that results in it having
a nonroutable 192.168.1.* IP number -- but that is just a 'translation'
and when I access something, like my smtp server or this newsgroup, 'my'
IP is recorded as the 'router's' IP, which is 64.203.51.197 -- For me
that number corresponds to your friend's 200.79.150.31
> This IP was listed in njabl
> http://njabl.org/cgi-bin/lookup.cgi?query=200.79.150.31 and is listed
> in dsbl http://dsbl.org/listing?200.79.150.31 . It appears that it is
> listed because there was an open relay at that IP in 2004. Someone,
> not me, tried to get it unlisted from dsbl, but dsbl won't unlist it
> because telnor doesn't respond to the postmaster mail addresses to
> confirm anything. (Telnor doesn't have to care, it is a near
> monopoly).
You are fretting over this problem of your friend's telnor IP being
listed. You are going to be able to do a little with blocklists which
will accept your attempts to get it unlisted, and those blocklists which
require correspondence with telnor you won't be able to do it yourself.
> The second question is, is there any easy way to see if there is still
> an open proxy at this address? As far as I can tell, njabl hasn't
> retested the address, and dsbl won't retest it until telnor changes
> its procedures (i.e., until hell freezes over).
I'm not sure I'm in agreement with that plan, but you could probe the
IP's ports for insecurities. But, that isn't the best strategy to
evaluate an IP; i.e., remotely. Your friend can go to websites and get
his own IP probed and his insecurities evaluated more easily and without
creating some potential problems for whoever would be doing this
portscanning you are thinking about.
> Right now, whatever was blocking his email is no longer blocking it.
> This corresponds with my asking njabl to unlist this address, but I
> suspect that it was coincidence.
The reason is that it is passing because of your having whitelisted
terrapeninsular.org
> Any other thoughts about what I can do to increase his chance of
> sending emails would be appreciated.
If you have his mail whitelisted, it shouldn't be a problem.
--
Mike Easter
kibitzer, not SC admin
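
Added example (not part of the original post, and not SpamCop's own code): a short Python sketch that reads the three X-SpamCop headers quoted above, separates the NAT-side private address from the public ones, and builds the DNSBL query names for the listed zone. The function names, the sample message wrapper and the "whitelist overrides block" rule are assumptions drawn from the description in the reply; no DNS lookup is performed.

```python
import ipaddress
from email import message_from_string

# Constructed message: only the three X-SpamCop header values are from the post.
SAMPLE = (
    "X-SpamCop-Checked: 192.168.1.101 69.93.35.100 200.79.150.31\n"
    "X-SpamCop-Disposition: Blocked list.dsbl.org\n"
    "X-SpamCop-Whitelisted: terrapeninsular.org\n"
    "\n"
    "constructed body\n"
)


def dnsbl_query_name(ip, zone):
    """DNSBL convention: reversed IPv4 octets prepended to the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def summarize(raw):
    msg = message_from_string(raw)
    checked = msg.get("X-SpamCop-Checked", "").split()
    disposition = msg.get("X-SpamCop-Disposition", "").split()
    whitelisted = msg.get("X-SpamCop-Whitelisted")

    # "Blocked <zone>" means one of the checked IPs was found on that list.
    zone = None
    if len(disposition) == 2 and disposition[0] == "Blocked":
        zone = disposition[1]

    # RFC 1918 addresses (the sender's LAN behind NAT) are never on a DNSBL.
    private = [ip for ip in checked if ipaddress.ip_address(ip).is_private]
    public = [ip for ip in checked if not ipaddress.ip_address(ip).is_private]

    return {
        "private": private,
        "public": public,
        "zone": zone,
        # Names a resolver would be asked about; no lookup is performed here.
        "queries": [dnsbl_query_name(ip, zone) for ip in public] if zone else [],
        # Assumption taken from the post: a whitelist match overrides a block.
        "delivered": zone is None or whitelisted is not None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, "=", value)
```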