broken emails from techtarget/crn mag? omeda communications?

Tue Jul 26 23:19:56 CEST 2011

Le 22/07/2011 17:50, Michael Scheidell a écrit :
> any of you subscribed to techtarget or crm emails?
> 
> seems on june 16th or 17th, something broke. and I am trying to
> determine if its something we did or something they did.

no, it's much older than that. I can see a borked one dating back to 25
April 2011 (yeah, I use European date format, not US format).

when they send via
	http://www.omeda.com/careers_environment.html
a borked app sends SMTP commands inside data. so they send a
<CRLF>
DATA
<CRLF>
DKIM-Signature: ....

as _data_.

that ESP is also  "forgetting" to expand variables:
Reply-To: "@{from_ttnt}@ Recommends" <no_reply at lists.techtarget.com>

now, even when they send via other means (for ex 206.19.49.33), their
mail is spammy (html only, bold font, unclickable URLs, ... etc).

so I'd say: all their mail may be blocked. this is probably the only way
to get them understand how email works...

> 
> headers come in, received, received, then a BIG BLANK LIKE, then
> 
> DATA DKIM
> 
> (its almost like they shoved an extra DATA\r\n in there. or SA did.. or
> amavisd-new did)
> 
> sometimes they are totally blank.

they are never blank. what is blank is what your mailer shows.

> 
> headers (yes, it looks like spam, this one does) but we do have people
> who subscribed to it. notice the blank line after the received header?
> if you grep for 205.162.4[0-7]\.* you might see some like this.
> (and, no, this is not after microsoft mangles it.. maybe amavisd/sa/dkim
> version 38 does, but I don't know)
> 
> 
> Received: from crnnetwork.com (crnnetwork.com [205.162.47.163])
>         by mx2.slpowers.com.ionspam.net (Postfix) with ESMTP id 115F06FE15B
>         for <user at domain.com>; Fri, 22 Jul 2011 10:08:50 -0400 (EDT)
> 
> DATA
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
> t=1311343699; d=crnnetwork.com; s=dkim;
> h=date:message-id:from:to:subject:mime-version:content-type:list-unsubscribe;
> bh=WveFEzHxhYkhwXaVxeYtjjm8Q34bjdVex+sTxWOdwXg=;
> b=lL4+c3ymOfW+NTTsa1liqJrB4TPeV5ANFPiFeTkow8XWD796wMJdsCUVh8iNyuThGzngShLI0AByxbZk5g6MmWMNbujzSKf2Tnpm59BcISmOxOsVvUpNSfYO07K2rrqvDlRyiu0SZ6LZz85XAcVJGFHYXYXr1Z+GG6QwByltY4M=;
> 
> Date: Fri, 22 Jul 2011 09:08:19 -0500 (CDT)
> Message-ID:
> <4Oz1ccmceDmcBfmLekDNsxjec.mD.1311343694695 at OMS05.crnnetwork.com>
> From: CRN <CRNmagazine at crnnetwork.com>
> Sender: CRN <CRNmagazine at crnnetwork.com>
> Reply-To: CRN <CRNmagazine at crnnetwork.com>
> To: user at domain.com
> Subject: Confirm Your Free Subscription to CRN Magazine Now
> MIME-Version: 1.0
> Content-Type: multipart/mixed; boundary=----4Oz1ccmceDmcBfmLekDNsxjec.mD
> X-MailSessionID: 4Oz1ccmceDmcBfmLekDNsxjec.mD.1311343694695
> Referer: http://crnnetwork.com/portal/
> 
> ------4Oz1ccmceDmcBfmLekDNsxjec.mD
> 
> common factors seem to be their ESP
> 
> NetRange:       205.162.40.0 - 205.162.47.255
> CIDR:           205.162.40.0/21
> OriginAS:
> NetName:        SPRINTLINK
> NetHandle:      NET-205-162-40-0-1
> Parent:         NET-205-160-0-0-1
> NetType:        Reassigned
> RegDate:        2003-11-12
> Updated:        2003-11-12
> Ref:            http://whois.arin.net/rest/net/NET-205-162-40-0-1
> 
> OrgName:        Omeda Communications
> 
> 
> 