
My email is being marked as SPAM by SpamAssassin. The problem is score 3.3 (among others):

```
3.3 RCVD_IN_PBL RBL: Received via a relay in Spamhaus PBL
*      [212.95.7.48 listed in zen.spamhaus.org]
```

I have no connection to 212.95.7.48 whatsoever. Where did this IP come from?

Danijel
  • `212.95.7.48` looks like an Austrian cell phone (or related infrastructure). What are you using to send e-mail from? Send an e-mail to `check-auth@verifier.port25.com`, it will send an e-mail back, see what it says. – Chris S Oct 22 '12 at 15:46
  • Checked with `verifier.port25.com` and all seems to be ok. Their SpamAssassin gives only 0.4 points. – Danijel Oct 22 '12 at 16:47
  • It may well be the recipient you're sending to has a misconfigured e-mail server (probably a relay at the IP address you mentioned, and the destination is improperly recognizing that relay as the sending host) – Chris S Oct 22 '12 at 17:00
  • @ChrisS That would be Austria, not Australia. It's a common mistake. :-P – Ladadadada Oct 22 '12 at 17:55
  • What do you mean by "my email"? Do you mean email you are sending or email you are receiving? If email you are receiving *you* are the one marking it as spam. If email you are sending, ask the recipient why *they* are marking it as spam. – David Schwartz Oct 22 '12 at 20:09
  • It's internal company email. So, I am sending it internally, and our server is marking it as SPAM. – Danijel Oct 22 '12 at 21:15

1 Answer

Generally you'll want to check Spamhaus to see what the reported issue is:

http://cbl.abuseat.org/lookup.cgi?ip=212.95.7.48

IP Address 212.95.7.48 is listed in the CBL. It appears to be infected with a spam sending trojan or proxy.

It was last detected at 2012-10-21 09:00 GMT (+/- 30 minutes), approximately 1 days, 7 hours, 59 minutes ago.

It has been relisted following a previous removal at 2011-06-22 17:06 GMT (487 days, 23 hours, 52 minutes ago)

Chances are, there's a compromised server listed on this node that's spoofing an address of yours to send SPAM. You might be interested in checking your logs on your mail server to see if there are any failed responses from hosts that you haven't been sending mail to.

rwc
  • Thanks. To be honest, I did not understand your post completely, but it's true - we've been hacked lately by a rootkit. And successfully removed it. What exactly should I check to fix this? – Danijel Oct 22 '12 at 21:18
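
An added example, not part of the thread above: it shows where an address in an RBL hit can come from by listing the relay addresses recorded in a message's `Received` headers and building the `zen.spamhaus.org` query name for each public one. The sample message, its hostnames and the helper names are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample: hostnames, ids and the 10.x / 192.0.2.x addresses are made up;
# 212.95.7.48 is the address from the SpamAssassin report in the question.
SAMPLE = """\
Received: from mx.example.com (mx.example.com [192.0.2.25])
\tby mail.example.com with ESMTP id A1; Mon, 22 Oct 2012 15:30:02 +0200
Received: from gw.example.com (unknown [212.95.7.48])
\tby mx.example.com with ESMTP id B2; Mon, 22 Oct 2012 15:30:01 +0200
Received: from laptop (laptop.lan [10.0.0.17])
\tby gw.example.com with ESMTP id C3; Mon, 22 Oct 2012 15:30:00 +0200
From: user@example.com
To: colleague@example.com
Subject: test

body
"""

# Subset of Spamhaus ZEN answers, mapped to the component list they indicate.
ZEN_CODES = {"127.0.0.2": "SBL", "127.0.0.3": "SBL", "127.0.0.4": "XBL",
             "127.0.0.10": "PBL", "127.0.0.11": "PBL"}

def relay_ips(raw):
    """IPv4 address in brackets from each Received header, newest hop first."""
    msg = email.message_from_string(raw)
    found = (re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", h)
             for h in msg.get_all("Received", []))
    return [m.group(1) for m in found if m]

def dnsbl_name(ip, zone="zen.spamhaus.org"):
    """DNSBL query name: octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def queries(raw):
    """(ip, query name) for every hop that is a public address."""
    return [(ip, dnsbl_name(ip)) for ip in relay_ips(raw)
            if ipaddress.ip_address(ip).is_global]

def zen_lists(answers):
    """Names of the lists behind a set of A-record answers."""
    return sorted({ZEN_CODES[a] for a in answers if a in ZEN_CODES})

if __name__ == "__main__":
    for ip, name in queries(SAMPLE):
        print(ip, "->", name)  # resolve with: dig +short <name>
```

Run it against the full headers of a flagged message to see which hop carries the listed address.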