ispalten

join:2005-04-16
Clermont, FL
kudos:1

Some ISP's e-mail blocked by TWC/RR or BHN?

Our Travel Agent got a letter from Carnival Cruise Lines today about a change that will take place before our cruise. They gave him names of those of his clients that need to be contacted. So he has my e-mail ID and my wife's and he sent it to us. His ISP's last part is CRUISEMASTER.COM. He got e-mail back that they could NOT deliver the e-mail and would try in 4 hours. At one time that ISP's e-mail was blocked I recall as it was 'sending' too much spam. Realizing that, he sent e-mail to me and my wife using another ISP e-mail address that ended in CRUISESHIPCENTERS.COM. That one got to my wife, but not me (I AM also correctly on the TO: list)?

Any idea what could be going on?

Gary, I can send you the 2nd e-mail that Laraine got and I didn't if you wish.
--
Irv Spalten


BHNtechXpert
BHN Staff
Premium,VIP
join:2006-02-16
Saint Petersburg, FL
kudos:153
No you will need to work through the RR national helpdesk on this. They are tasked with handling all email issues of this type.

ispalten

join:2005-04-16
Clermont, FL
kudos:1
OK.

I am trying but it seems I can't get to the Tech. support? I dial 611, say yes to my #, and then say Internet e-mail. "Ok, I'll connect you to e-mail Internet Tech' supt." Asked to press 1 if I'd like to do a survey or just hang on. Then it says I'll connect you, hear a few bars of music, and then silence... 8 minutes so far, and I really don't know if I am connected? So I hang up and call again, same thing, 6 minutes now... I'll stay on until the phone disconnects, but this is NOT promising?
--
Irv Spalten


EDIT: 7 min 10 Sec., DISCONNECTED!

ispalten

join:2005-04-16
Clermont, FL
kudos:1
reply to BHNtechXpert
RR National Help IS NOT. I don't even think it is in this nation. Comprehension problems. Keeps telling ME I've blocked the e-mail. I have NOT and it isn't on a block or filter list (checked on the web e-mail client).

She is now checking on the e-mail ID of the person who sent it to me. I don't think she really understands at all?

I give up! Maybe it will fix itself and I'll get the e-mail tomorrow, sigh...
--
Irv Spalten


geo44

join:2013-03-20
Saint Petersburg, FL
That's why I got away from ISP-provided email; I use Gmail and haven't had a moment's trouble. The only time I use rr is for a disposable address.

ispalten

join:2005-04-16
Clermont, FL
kudos:1
Yeah, the RR Help Desk is NOT!

Got more info from the sender on the one I did NOT get that my wife did. It says my e-mail address has a permanent error? Yes, I am getting e-mail anyway?

============
This is the error message I am getting for your email. It says your address has fatal errors:

The original message was received at Tue, 8 Jul 2014 12:39:01 -0400
from atl4mhob11.myregisteredsite.com [209.17.115.49]

----- The following addresses had permanent fatal errors -----

----- Transcript of session follows -----
... Deferred
Message could not be delivered for 6 hours
Message will be deleted from queue

Reporting-MTA: dns; atl4mhfb03.myregisteredsite.com
Arrival-Date: Tue, 8 Jul 2014 12:39:01 -0400

Final-Recipient: RFC822; zzzzzzzz@cfl.rr.com
Action: failed
Status: 4.4.7
Remote-MTA: DNS; cdptpa-pub-iedge-vip.email.rr.com
Last-Attempt-Date: Tue, 8 Jul 2014 18:41:46 -0400

--
================

It seems to me from the above this is NOT a blocked e-mail and the last Remote-MTA had the failure and it is on RR.COM. Don't know what the status means though? Seems to be a mail server problem but a google search is no help on the status.

I'll call in, again...
--
Irv Spalten


BHNtechXpert
BHN Staff
Premium,VIP
join:2006-02-16
Saint Petersburg, FL
kudos:153

1 edit
reply to ispalten
This sender is spewing mail in bulk. At any time if the sender exceeds predetermined send rates to our network rising to the point of spam they will be blocked. You can influence this to some degree by placing the sender's email address in your whitelist via webmail. Aside from this there is not much you can do because of the sender's status. They may be able to improve this by using a professional mail service with proper opt in/out features etc.
--
~All truth goes through three phases. First, it is ridiculed. Second, it is violently opposed. Third, it is accepted as self-evident. - Arthur Schopenhauer ~


ispalten

join:2005-04-16
Clermont, FL
kudos:1
said by BHNtechXpert:

This sender is spewing mail in bulk. At any time if the sender exceeds predetermined rising to the point of spam they will be blocked. You can influence this to some degree by placing the sender's email address in your whitelist via webmail. Aside from this there is not much you can do because of the sender's status. They may be able to improve this by using a professional mail service with proper opt in/out features etc.

Thanks Gary. I'll add it now.

Good news, the 611 call did get me to the RR Help desk. Bad news, still have a 'comprehension' problem. Still on the phone but I'm NOT optimistic. Search MY ID to see why it failed, I'm on hold.
--
Irv Spalten

ispalten

join:2005-04-16
Clermont, FL
kudos:1
reply to BHNtechXpert
Love it, was put on Hold as 'Ram' was researching it and my ID. 10 minutes and the phone rings as I'm transferred it seems. "Hello, welcome to Microsoft" and they had no idea why I was sent to them. They don't handle e-mail. Useless support.

Oh, that e-mail ID IS in my whitelist. Guess it doesn't help?
--
Irv Spalten


BHNtechXpert
BHN Staff
Premium,VIP
join:2006-02-16
Saint Petersburg, FL
kudos:153
reply to ispalten
It does help but in numbers....this isn't going to make an instant change.....this sender has a history of spammy material otherwise this wouldn't happen...in other words other people don't like his mail....and given the subject material it's not too hard to figure it out.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to ispalten
Your correspondent says he got a bounce with the following:
Reporting-MTA: dns; atl4mhfb03.myregisteredsite.com
 

You say he was sending from:
<%User%@CRUISESHIPCENTERS.COM>
 

That will mostly fail with mail systems using a strict version of DMARC ("Domain-based Message Authentication, Reporting & Conformance"). I have seen similar, with a "From: <%User%@gmail.com>" through MTA <diego.dreamhost.com> to an old Netscape email account that I have (now handled by AOL). The domain mismatch caused a DMARC fail, shown thus in the headers:
X-AOL-SCOLL-DMARC: mtain-mp09.r1000.mx.aol.com ; domain : gmail.com ; policy : none ; result : F
 

AOL had the good sense to not reject it, but routed it to the "Spam" folder of my account. This would happen, even though I whitelisted the sender email address, so I changed from receiving this list at any mail service which has implemented DMARC. My ISP has not, so far, implemented DMARC, and allows me to alias email addresses in my personal domain to their MX server.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

ispalten

join:2005-04-16
Clermont, FL
kudos:1
Problem is the e-mail never got delivered. The e-mail errors I was sent didn't have the headers so I can only go by what I saw (and posted).

The main point to me was:

==========
The original message was received at Tue, 8 Jul 2014 12:39:01 -0400
from atl4mhob11.myregisteredsite.com [209.17.115.49]

----- The following addresses had permanent fatal errors -----

----- Transcript of session follows -----
... Deferred
Message could not be delivered for 6 hours
Message will be deleted from queue
===========

Unless the DMARC returns the above info, then it wasn't due to that?

To me, the last part:

============
Reporting-MTA: dns; atl4mhfb03.myregisteredsite.com
Arrival-Date: Tue, 8 Jul 2014 12:39:01 -0400

Final-Recipient: RFC822; zzzzzzz@cfl.rr.com
Action: failed
Status: 4.4.7
Remote-MTA: DNS; cdptpa-pub-iedge-vip.email.rr.com
Last-Attempt-Date: Tue, 8 Jul 2014 18:41:46 -0400
============

indicates it was email.rr.com that couldn't deliver it due to a fatal error on MY ID and it deleted the message.

Now THIS is interesting? I looked at the SOURCE that the above was sent to me.

Interesting in that the CRUISESHIPCENTER.COM was used to send the e-mail, but the CRUISEMASTER.COM was also IN the header? Look here, I can't explain it:

===============

Return-Path:
Received: from cdptpa-pub-iedge-vip.email.rr.com ([107.14.174.244])
by cdptpa-fep02.email.rr.com
(InterMail vM.8.04.01.11 201-2343-100-164-20130125) with ESMTP
id
for ; Wed, 9 Jul 2014 12:23:53 +0000
Return-Path:
Received: from [209.17.115.zz] ([209.17.115.zz:57514] helo=atl4mhob07.myregisteredsite.com)
by cdptpa-iedge01 (envelope-from )
(ecelerity 3.5.0.35861 r(Momo-dev:tip)) with ESMTP
id 47/87-06111-9543DB35; Wed, 09 Jul 2014 12:23:53 +0000
Received: from mailpod.hostingplatform.com ([10.30.71.210])
by atl4mhob07.myregisteredsite.com (8.14.4/8.14.4) with ESMTP id s69CNqj0015742
for ; Wed, 9 Jul 2014 08:23:52 -0400
Received: (qmail 23563 invoked by uid 0); 9 Jul 2014 12:23:52 -0000
X-TCPREMOTEIP: 108.215.250.xxx
X-Authenticated-UID: zzzzzz@cruisemaster.com
Received: from unknown (HELO ?192.168.1.77?) (xxxxxxx@cruisemaster.com@108.215.250.xxx_not 77)
by 0 with ESMTPA; 9 Jul 2014 12:23:52 -0000
Message-ID:
Date: Wed, 09 Jul 2014 07:23:58 -0500
From: xxxxxx
===========

Don't understand the mix of domains, but it DID get to me?
--
Irv Spalten

bighorn1

join:2004-06-19
Bakersfield, CA
kudos:1
reply to ispalten
said by ispalten:

Love it, was put on Hold as 'Ram' was researching it and my ID. 10 minutes and the phone rings as I'm transferred it seems. "Hello, welcome to Microsoft" and they had no idea why I was sent to them. They don't handle e-mail. Useless support.

Probably TWC tech looked into MX records for that domain and saw outlook.com entry and sent you to MS. Even though (in this case) MX records have nothing to do with that domain's outgoing mail.

said by ispalten:

Oh, that e-mail ID IS in my whitelist. Guess it doesn't help?

User filters are applied towards the end of all checks done. If email is dropped beforehand then there's nothing left to apply to.

Do yourself a favor. Drop TWC as your primary email provider. You will be happier.

bighorn1

join:2004-06-19
Bakersfield, CA
kudos:1
Oh, and why would you deal with cruisemaster.com anyway?

Look at their website

Sometimes you have to apply some common sense...


BHNtechXpert
BHN Staff
Premium,VIP
join:2006-02-16
Saint Petersburg, FL
kudos:153
reply to ispalten
Um yea just checked that myself and see the same warning....that is NOT good.


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC

1 edit
reply to ispalten
What's with the "[209.17.115.zz]"? You included the "helo=" argument, from which:
C:\util\dig>nslookup atl4mhob07.myregisteredsite.com
Server:  ordns.he.net
Address:  2001:470:20::2
 
Non-authoritative answer:
Name:    atl4mhob07.myregisteredsite.com
Address:  209.17.115.45
 

Basically, 'myregisteredsite.com' and 'hostingplatform.com' are MTAs handling email for probably dozens, or scores of domains (such as, 'cruisemaster.com'); if not hundreds.

A "4.4.7" status would be a temporary fail; meaning 'cdptpa-pub-iedge-vip.email.rr.com' was deferring the receipt for some reason (could still be a DMARC policy, but the rr.com MTA isn't saying).

Don't understand the mix of domains ...

It happens when the MTA for some domain handles email for another domain:
Return-Path: <**********@aosake.net>
Received: from d.mail.sonic.net (d.mail.sonic.net [64.142.111.50])
    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    (No client certificate requested)
    by mtaiw-mcb02.mx.aol.com (Internet Inbound) with ESMTPS id EB92F700000BA
    for <**********@netscape.net>; Wed,  9 Jul 2014 14:44:06 -0400 (EDT)
Received: from Miyuki.aosake.net (reki.aosake.net [173.228.7.217])
    (authenticated bits=0)
    by d.mail.sonic.net (8.14.9/8.14.9) with ESMTP id s69Ii1GS012974
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT)
    for <**********@netscape.net>; Wed, 9 Jul 2014 11:44:03 -0700
Message-ID: <53BD8D6F.2040309@Miyuki.aosake.net>
Date: Wed, 09 Jul 2014 11:43:59 -0700
From: "NormanS" <**********@aosake.net>
Organization: PDR
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: **********@netscape.net
Subject: [TEST] DMARC: Pass or Fail?
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Sonic-ID: C;CgbP/pgH5BG79muUdPQXfw== M;8g+g/5gH5BG79muUdPQXfw==
X-Spam-Flag: No
X-Sonic-Spam-Details: 0.0/5.0 by cerberusd
x-aol-global-disposition: G
Authentication-Results: mx.aol.com;
    spf=pass (aol.com: the domain aosake.net reports 64.142.111.50 as a permitted sender.) smtp.mailfrom=aosake.net;
x-aol-sid: 3039ac1a32a853bd8d756e02
X-AOL-IP: 64.142.111.50
X-AOL-SPF: domain : aosake.net SPF : pass
 

Notice that the MTA is for Sonic.net (which is my ISP mail agent), but is sending for my hobby domain. I was curious how AOL would handle this because a similar arrangement failed their (AOL's) DMARC test. It may be that my SPF record allows my ISP mail server as an authorized source:
C:\util\dig>dig txt aosake.net
 
;; ANSWER SECTION:
aosake.net.             7200    IN      TXT     "v=spf1 a mx ptr ip4:173.228.7.217 include:mail.sonic.net -all"
 

The domain, 'cruisemaster.com' has no SPF record:
C:\util\dig>dig txt cruisemaster.com
 
; <<>> DiG 9.9.2-P1 <<>> txt cruisemaster.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14735
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cruisemaster.com.              IN      TXT
 
;; AUTHORITY SECTION:
cruisemaster.com.       3600    IN      SOA     NS13.WORLDNIC.com. namehost.WORLDNIC.com. 112031911 10800 3600 604800 3600
 
;; Query time: 192 msec
;; SERVER: 192.168.102.1#53(192.168.102.1)
;; WHEN: Wed Jul 09 13:07:55 2014
;; MSG SIZE  rcvd: 104
 

Edited for missing indents in the example headers. Note that I bracketed my headers with code tags, the word "code" in square brackets at the start, and "/code" in square brackets at the end. This preserves the angle brackets in the headers.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

bighorn1

join:2004-06-19
Bakersfield, CA
kudos:1
Is there a reason you have listed mx in SPF? Seems that sonic never sends emails from their mailin servers. Just an extra DNS lookup...


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
said by bighorn1:

Is there a reason you have listed mx in SPF? Seems that sonic never sends emails from their mailin servers. Just an extra DNS lookup...

It is just a legacy from when I had a different MX record. I modified it to add the Sonic.net server; just never occurred to me to remove the mx part of it.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum
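
Added example, not part of any post in this thread: an offline audit of the aosake.net SPF record quoted above, showing which terms cost a receiver a DNS query (the "extra DNS lookup" point about mx) and what can be decided from the ip4 term alone. The function names and the "needs-dns" label are assumptions of this sketch; the record and IP addresses are the ones posted in the thread.

```python
import ipaddress
import re

# Terms that cost a DNS query when a receiver evaluates SPF (RFC 7208, 4.6.4).
DNS_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}
LOOKUP_LIMIT = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The record posted for aosake.net, with the console line wrap removed.
AOSAKE_SPF = "v=spf1 a mx ptr ip4:173.228.7.217 include:mail.sonic.net -all"


def parse_spf(record):
    """Return [(result_if_matched, name, argument), ...] for an SPF TXT record."""
    words = record.split()
    if not words or words[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for word in words[1:]:
        qualifier = "+"                       # default qualifier is pass
        if word[0] in QUALIFIERS:
            qualifier, word = word[0], word[1:]
        name = re.match(r"[A-Za-z][A-Za-z0-9_.-]*", word)
        if not name:
            raise ValueError(f"unparseable term: {word!r}")
        arg = word[name.end():].lstrip(":=")
        terms.append((QUALIFIERS[qualifier], name.group().lower(), arg))
    return terms


def audit(record, client_ip):
    """Decide what is decidable without DNS and report the lookup cost."""
    if record is None:                        # no TXT answer, as for cruisemaster.com
        return {"result": "none", "dns_terms": [], "warnings": []}
    ip = ipaddress.ip_address(client_ip)
    terms = parse_spf(record)
    dns_terms = [name for _, name, _ in terms if name in DNS_TERMS]
    warnings = []
    if "ptr" in dns_terms:
        warnings.append("ptr: RFC 7208 says it should not be published")
    if len(dns_terms) > LOOKUP_LIMIT:         # nested includes add to this count
        warnings.append("over the 10-lookup limit: receivers return permerror")
    result, untested = "needs-dns", set()
    for outcome, name, arg in terms:
        if name in DNS_TERMS:
            untested.add(outcome)             # could match, cannot tell offline
            continue
        hit = name == "all" or (
            name == f"ip{ip.version}" and ip in ipaddress.ip_network(arg, strict=False))
        if hit:
            # Safe to answer only if every untested earlier term would have
            # given the same result had it matched first.
            if untested <= {outcome}:
                result = outcome
            break
    else:
        if not untested:
            result = "neutral"                # no term matched (RFC 7208, 4.7)
    return {"result": result, "dns_terms": dns_terms, "warnings": warnings}
```

For the Sonic.net relay address 64.142.111.50 the result is "needs-dns": the ip4 term does not cover it, so the pass AOL reported had to come from one of the DNS-resolved terms.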

bighorn1

join:2004-06-19
Bakersfield, CA
kudos:1
RGR that

ispalten

join:2005-04-16
Clermont, FL
kudos:1
reply to BHNtechXpert
OK Gary and Bighorn1, HOW did you get to see that?

I do not, using both Firefox and IE11 (on Win8.1.1), when I go to »www.cruisemaster.com/?
--
Irv Spalten

Aprel

join:2013-09-14
kudos:2
The "This site may be hacked" is a message on a Google Search results page. Be aware that it can be a false positive.

ispalten

join:2005-04-16
Clermont, FL
kudos:1
said by Aprel:

The "This site may be hacked" is a message on a Google Search results page. Be aware that it can be a false positive.

Ahh, now I see it. I use DuckDuckGo for searching. It seems to show more targeted links than Google but misses a lot too.

I used Google, but my computer came with and I still use McAfee and its Site Advisor had NO problems with the site? So it probably was a false positive.
--
Irv Spalten

bighorn1

join:2004-06-19
Bakersfield, CA
kudos:1
said by ispalten:

So it probably was a false positive.

Maybe, maybe not.

If you look at »www.cruisemaster.com/meetgeo.htm you'll see links to completely unrelated websites. A few of those are defunct and were selling products which they weren't authorized to sell, or were selling counterfeited products, and 1 of those was actively scamming people.

It's possible that owners took part in some advertising scheme, unaware of what's going on, or that they were hacked.

As for difference between McAfee and Google. McAfee checks only for malicious code which may cause harm to your machine (ie getting infected by malware).

Google on the other hand will also look for outgoing links leading to other suspicious websites.

bighorn1

join:2004-06-19
Bakersfield, CA
kudos:1

1 edit
As you see, spam links which are supposed to be hidden.

If you check the source code, you'll see another long line (the last one before closing html tag). This line appears on ALL pages

All links lead to sites which will try to redirect you to yet another site.

Looks like a hack to me...

Edit: (added 1 more image)

ispalten

join:2005-04-16
Clermont, FL
kudos:1

2 edits
OK, but since one can't see them how can one take the link? Wait, I can see the hidden links, if I run my mouse on the bottom of the page, the 800# and Fax# and along the blank area to the right I do see the links in the last long line in the source and the mouse changes to a link. I guess I would go there if I clicked the mouse, yup clicked on the Fax# and I went to the Kate MacIntyre Foundation!

However, this is a web site and part of the domain, but not the e-mail address? Why does a hacked web site stop e-mail? These links do not send e-mail from the domain?

I am learning a lot from this thread, thanks guys.
--
Irv Spalten


EDIT: That junk is on the main page as well.

ispalten

join:2005-04-16
Clermont, FL
kudos:1
reply to NormanS
Got some different info from my Travel Agent after I alerted him to the hidden links on his site.

It appears he is ONLY having a problem sending e-mail to me and my wife via CFL.RR.COM? This is using a different domain, not the cruisemaster.com one.

===============
I'm also puzzled why I am getting error messages sometimes when I send you email from the cruiseshipcenters.com domain. Again... I'm only getting these for you and Laraine... not other cfl.rr.com people:

**********************************************
** THIS IS A WARNING MESSAGE ONLY **
** YOU DO NOT NEED TO RESEND YOUR MESSAGE **
**********************************************

The original message was received at Wed, 9 Jul 2014 08:59:34 -0400
from atl4mhob05.myregisteredsite.com [209.17.115.43]

----- Transcript of session follows -----
... Deferred
Warning: message still undelivered after 4 hours
Will keep trying until message is 6 hours old

Reporting-MTA: dns; atl4mhfb03.myregisteredsite.com
Arrival-Date: Wed, 9 Jul 2014 08:59:34 -0400

Final-Recipient: RFC822; zzzzzzz@cfl.rr.com
Action: delayed
Status: 4.5.0
Diagnostic-Code: SMTP; 452 Too many recipients received this hour. Please see our rate limit policy at »postmaster.rr.com/spam#ratelimit .
Last-Attempt-Date: Wed, 9 Jul 2014 13:08:26 -0400
Will-Retry-Until: Wed, 9 Jul 2014 14:59:34 -0400
==================

The above to me implies he sent too many e-mails or to too many CFL.RR.COM id's e-mails in the hour?

I'd call RR national again but they are useless it seems. I know Gary can't help as it is not his (or BHN's) domain/work area. Suggestions?

Now this seems to be a 'on and off' deal. He's had this problem in the past, and I got the above e-mail from the CRUISEMASTER.COM domain. Remember, I and my wife did NOT get e-mails 2 days ago from that domain?
--
Irv Spalten
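
Added example, not part of any post in this thread: a small parser for the machine-readable fields of the two bounce reports quoted above, reading the Status value as an RFC 3463 class.subject.detail code and combining it with the Action field. The function names and verdict labels are assumptions of this sketch; the sample text is a selection of the fields as posted.

```python
import re

# Constructed input: selected fields from the two bounces quoted in this
# thread (the Diagnostic-Code text is shortened to drop the policy link).
DSN_FAILED = """\
Reporting-MTA: dns; atl4mhfb03.myregisteredsite.com

Final-Recipient: RFC822; zzzzzzz@cfl.rr.com
Action: failed
Status: 4.4.7
Remote-MTA: DNS; cdptpa-pub-iedge-vip.email.rr.com
"""
DSN_DELAYED = """\
Reporting-MTA: dns; atl4mhfb03.myregisteredsite.com

Final-Recipient: RFC822; zzzzzzz@cfl.rr.com
Action: delayed
Status: 4.5.0
Diagnostic-Code: SMTP; 452 Too many recipients received this hour.
"""

# RFC 3463 enhanced status code: class.subject.detail
CLASSES = {"2": "success", "4": "transient failure", "5": "permanent failure"}
SUBJECTS = {"0": "other or undefined", "1": "addressing", "2": "mailbox",
            "3": "mail system", "4": "network and routing",
            "5": "mail delivery protocol", "6": "message content",
            "7": "security or policy"}


def parse_dsn(text):
    """Return one {field: value} dict per blank-line-separated field group."""
    groups = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and last:      # folded continuation
                fields[last] += " " + line.strip()
            elif ":" in line:
                name, value = line.split(":", 1)
                last = name.strip().lower()
                fields[last] = value.strip()
        groups.append(fields)
    return groups


def explain(text):
    """Summarise each per-recipient group of a DSN."""
    _per_message, *recipients = parse_dsn(text)
    reports = []
    for rcpt in recipients:
        m = re.fullmatch(r"([245])\.(\d{1,3})\.(\d{1,3})", rcpt.get("status", ""))
        if not m:
            continue
        smtp = re.match(r"smtp;\s*(\d{3})", rcpt.get("diagnostic-code", ""), re.I)
        action = rcpt.get("action", "").lower()
        if m.group(1) == "5":
            verdict = "permanent_failure"
        elif action == "failed":   # class 4 + failed: sender's queue lifetime ran out
            verdict = "gave_up_after_retries"
        else:
            verdict = "still_retrying" if action == "delayed" else action or "unknown"
        reports.append({"recipient": rcpt.get("final-recipient", "").split(";")[-1].strip(),
                        "class": CLASSES[m.group(1)],
                        "subject": SUBJECTS.get(m.group(2), "unknown"),
                        "smtp_code": int(smtp.group(1)) if smtp else None,
                        "verdict": verdict})
    return reports
```

Both reports carry class 4 (transient) codes: the first is the sending MTA giving up after its retry window, and the second names the receiver's 452 rate-limit reply as the reason for the deferrals.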


Pixiloxx

join:2013-08-15
Melbourne, FL
reply to ispalten
Irv, save yourself the headache and switch over to gmail or something like it. You'll be much happier, I promise!

ispalten

join:2005-04-16
Clermont, FL
kudos:1
said by Pixiloxx:

Irv, save yourself the headache and switch over to gmail or something like it. You'll be much happier, I promise!

I do have a GMAIL account, but use it only for 'junk' stuff.

I guess what bothers me most about this is that if the Travel Agent is correct, and it is only me and my wife, have I lost other emails too?

Gary can't help out here, RR National is useless, and I don't know the real problem here? The Travel Agent, RR, or even something with my e-mail account causing this?
--
Irv Spalten


NormanS
I gave her time to steal my mind away
Premium,MVM
join:2001-02-14
San Jose, CA
kudos:12
Reviews:
·SONIC.NET
·Pacific Bell - SBC
reply to ispalten
I followed the link in the DFN; the one in the "Diagnostic-Code: SMTP; 452" line. I went to the SenderScore web site. It appears that SenderScore ranks "myregisteredsite.com" as a, "very high volume" mailer.

Road Runner is the issue; they think the volume is too high. I actually compared "atl4mhfb03.myregisteredsite.com" ([209.17.115.43]) against "nm35.bullet.mail.ne1.yahoo.com" ([98.138.229.28]), from one of my messages. Considering the volume of email Yahoo! handles, they actually scored lower than Registeredsite Internet Services, owner of the server your travel agent is using.

As a guess, Registeredsite Internet Services is providing email service to multiple domains, and Road Runner is seeing a lot of connections from 209.17.115.43; but not all are for "cruiseshipcenters.com". So the choice seems pretty clear:

• Road Runner is not likely to be persuaded to change their policy.
• Expedia Cruiseshipcenters Inc. is not likely to be persuaded to change their ESP.

That leaves any changes up to you.
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

ispalten

join:2005-04-16
Clermont, FL
kudos:1
There is nothing I can change it seems. Travel Agent is working with his ISP on this. He did clean out the web site at least.

His true ISP hosting his CRUISEMASTER domain is Network Solutions. He is in contact with them.

Other than learn more info from posts here, I've done all I can do.
--
Irv Spalten