[TriLUG] TWC IPs blocked in spamhaus Zen list?

Cristóbal Palmer cmp at cmpalmer.org
Tue Jan 26 12:15:41 EST 2010


On Tue, Jan 26, 2010 at 5:40 AM, Kevin Hunter <hunteke at earlham.edu> wrote:
> This is for folks running their own *MTA*, right?

No. Some clients send outbound on 25 locally when/if they bomb out
trying to send to your default smtp server. I think that is what is
going on here. The real problem is that they haven't been able to use
their default smtp server (smtp-server.nc.rr.com) all day. They tell
me it started working properly again about an hour ago.

> Would you enlighten us non-mail gurus to what "roughly resembles secure"
> means?  I thought I was secure, due to SSL, but now I'm not sure.  Here
> is one of my TBird configs:
> Outgoing mail:
>  Port: 587
>  Security and Authentication:
>  - Use name and password
>  - Use secure connection: TLS
>

That would be nice if that worked. Connecting to smtp-server.nc.rr.com
only seems to work if you do not use authentication or any kind of
security whatsoever. I can in fact open a 'telnet
smtp-server.nc.rr.com 587' and I'm confident the username/password
combo is right (tested with TWC webmail), but only plain SMTP on 25
has ever worked from their office.

> Since I'm encrypting the layer (SSL and TLS), and assuming I haven't
> blindly accepted any SSL/TLS certificates (I haven't), I'm good to go, yes?

With an intelligent SMTP server, probably yes. I'm sorry if I sound a
bit belligerent here, but I spent 1h49min on the phone with TWC
yesterday, over half of which was spent with the guy I was talking to
proxying information to an "email technician" that he wouldn't let me
talk to. So it went Me -> (phone) -> TWC tier 2 -> (text chat) ->
"email technician" and I never could get them to understand that
working configs on our end had not changed any time in the past week,
but about 7 employees at the client site suddenly couldn't send email
and were using @nc.rr.com addresses and the smtp-server.nc.rr.com SMTP
server, so regardless of where the problem was, they needed to help me
find it. They never admitted a problem.

So, to recap: Clients on site use a mix of Outlook, Thunderbird, and
other desktop mail clients, but the main one I'm worried about is
Thunderbird for $BOSS. Clients have been able to send email outbound
via smtp-server.nc.rr.com unencrypted on port 25 for some number of
years. This has not worried me too much in the past, since their
traffic getting sniffed would require... more effort than is worth it
given the client's business practices, setup, and the nature of the
business. I made a pitch for them to change email providers back when
I started with them, but they're pretty entrenched and change would
mean pain. Flash forward to yesterday's pain. Clients all get an error
when sending email:

An error occurred while sending mail. The mail server responded:
Outbound mail refused - XX.XX.XXX.XX - See
http://help.rr.com/outboundemail [R0209004].

Which through poking around leads to a link of the format:

http://security.rr.com/cgi-bin/block-lookup?ip=XX.XX.XXX.XX

for their IP, which leads me to spamhaus, where their IP is on the PBL
because it's actually from a DHCP pool despite being a business
account. The reverse on their IP resolves to something that includes
"biz" in the name. In any event, this information is rather confusing
to me because I know that they're actually sending mail via the SMTP
server... or are they? So I fire up telnet and connect directly to the
server, which ends up looking like this:

cmpalmer at remora:~$ telnet smtp-server.nc.rr.com 25
Trying 75.180.132.33...
Connected to smtp-server.nc.rr.com.
Escape character is '^]'.
220 Welcome Road Runner. WARNING: *** FOR AUTHORIZED USE ONLY! ***
HELO rrcs-XX-XX-XXX-XX.midsouth.biz.rr.com.
250 cdptpa-omtalb.mail.rr.com says HELO to XX.XX.XXX.XX:56035
MAIL FROM:<Xxxxx-XX at nc.rr.com>
250 MAIL FROM accepted
RCPT TO:<cmp at cmpalmer.org>
452 Outbound mail refused - XX.XX.XXX.XX - See
http://help.rr.com/outboundemail [R0209004]

Just to be clear: remora -> unmanaged 10/100 switch -> pfsense-based
router -> cable modem

I tried several variations on this, all of which ended in a 452. I
pasted these to a pastebin and got on the phone with TWC. I pasted
some mtr output (Why does traffic to an NC SMTP server go through New
York?) and several more telnet attempts. I also pasted showing that
port 587 is open, but I cannot send mail through it. After nearly two
hours I gave up and told the client I was wasting his money, and if he
wanted to spend it on fixing things with TWC I would do that, but
wanted him to know I thought it was a waste and he should get his mail
to a dedicated mail provider ASAP.

Anyway, that's most of my story, and if you have any suggestions for
how to deal with TWC I welcome them, on- or off-list.

Cheers,
-- 
Cristóbal M. Palmer
ibiblio.org systems
cdla.unc.edu research assistant
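An added example, not part of Cristóbal's post: a small parser that reads an SMTP transcript like the telnet session above, groups the server replies (multi-line `250-` responses included), classifies the final reply by its first digit, and, for an EHLO reply, reports whether the server actually advertised STARTTLS and AUTH, which is what Kevin's "port 587, TLS, name and password" configuration depends on. It also shows why the HELO session in the post can't answer that question: HELO yields no extension list at all. The port-25 transcript is modeled on the one in the post with its placeholders kept; the EHLO transcript and the `example.invalid` hostnames are constructed, and `live_ehlo_assessment` is a hypothetical helper that needs network access and is not exercised here.

```python
"""Parse SMTP transcripts: which reply refused the mail, and does the server
advertise STARTTLS/AUTH? Added example; transcripts below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# A server reply line is "NNN text" (last line) or "NNN-text" (continuation),
# per RFC 5321 section 4.2.1. Anything else is a client command or telnet noise.
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


@dataclass
class SmtpReply:
    code: int
    lines: List[str] = field(default_factory=list)  # text after the code, per line


def parse_replies(transcript: str) -> List[SmtpReply]:
    """Group the server lines of a transcript into (possibly multi-line) replies."""
    replies: List[SmtpReply] = []
    current = None
    for raw in transcript.splitlines():
        m = REPLY_RE.match(raw.strip())
        if not m:
            continue  # client side (HELO, MAIL FROM ...) or a wrapped URL line
        code, sep, text = int(m.group(1)), m.group(2), m.group(3)
        if current is None:
            current = SmtpReply(code)
        current.lines.append(text)
        if sep == " ":  # a space after the code closes the reply
            replies.append(current)
            current = None
    return replies


def classify_reply(reply: SmtpReply) -> str:
    """RFC 5321 reply classes; a 452 is transient, so clients may keep retrying."""
    return {
        "2": "success",
        "3": "intermediate",
        "4": "transient failure (retry later)",
        "5": "permanent failure",
    }.get(str(reply.code)[0], "unknown")


def ehlo_capabilities(reply: SmtpReply) -> Dict[str, List[str]]:
    """Extensions advertised in an EHLO reply. A plain HELO reply carries only
    the greeting line, so it yields nothing: STARTTLS/AUTH are invisible that way."""
    caps: Dict[str, List[str]] = {}
    for line in reply.lines[1:]:
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def submission_assessment(caps: Dict[str, List[str]]) -> List[str]:
    """What a client set to 'port 587, TLS, name and password' needs to see."""
    issues = []
    if "STARTTLS" not in caps:
        issues.append("no STARTTLS advertised: credentials and mail would cross the wire in clear")
    if "AUTH" not in caps:
        issues.append("no AUTH advertised: the server is not offering SMTP authentication")
    return issues


# Constructed transcript modeled on the port-25 session in the post (placeholders kept).
PORT25_TRANSCRIPT = """\
Trying 75.180.132.33...
Connected to smtp-server.nc.rr.com.
Escape character is '^]'.
220 Welcome Road Runner. WARNING: *** FOR AUTHORIZED USE ONLY! ***
HELO rrcs-XX-XX-XXX-XX.midsouth.biz.rr.com.
250 cdptpa-omtalb.mail.rr.com says HELO to XX.XX.XXX.XX:56035
MAIL FROM:<Xxxxx-XX at nc.rr.com>
250 MAIL FROM accepted
RCPT TO:<cmp at cmpalmer.org>
452 Outbound mail refused - XX.XX.XXX.XX - See
http://help.rr.com/outboundemail [R0209004]
"""

# Constructed EHLO exchange with a submission server that does offer STARTTLS and AUTH.
SUBMISSION_TRANSCRIPT = """\
220 mx.example.invalid ESMTP ready
EHLO client.example.invalid
250-mx.example.invalid Hello client.example.invalid
250-SIZE 36700160
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME
"""


def live_ehlo_assessment(host: str, port: int = 587, timeout: float = 10.0):
    """Hypothetical helper: the same assessment against a real server (needs network).
    smtplib fills esmtp_features from the EHLO reply with lower-cased keys."""
    import smtplib
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        caps = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
    return caps, submission_assessment(caps)


if __name__ == "__main__":
    replies = parse_replies(PORT25_TRANSCRIPT)
    last = replies[-1]
    print(f"final reply {last.code} ({classify_reply(last)}): {last.lines[0]}")
    print("HELO session capabilities:", ehlo_capabilities(replies[1]))
    caps = ehlo_capabilities(parse_replies(SUBMISSION_TRANSCRIPT)[1])
    print("EHLO capabilities:", caps, "issues:", submission_assessment(caps))
```

Two things the run makes visible: the 452 is a transient code, so a desktop client will keep retrying rather than failing cleanly, which matches the "all day" outage described above; and the HELO session reports both STARTTLS and AUTH as missing simply because HELO never asks, so the check that matters is an EHLO on the submission port followed by looking for those two keywords before any password is sent.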
