[SURBL-Discuss] Forge SURBL mail from gfi.com, just minutes ago.

List Mail User track at Plectere.com
Fri Apr 8 17:41:47 CEST 2005

>> 	If they are legitimate, I certainly wouldn't want to buy any anti-virus
>> or anti-spam software from these people!
>> 	They are running an open relay:
>> % telnet mailgate.gfi.com 25
>> Trying
>> Connected to mailgate.gfi.com.
>> Escape character is '^]'.
>> 220 mailgate.gfi.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at  Fri, 8 Apr 2005 07:43:44 +0200
>> helo plectere.com
>> 250 mailgate.gfi.com Hello []
>> mail from: <>
>> 250 2.1.0 <>....Sender OK
>> rcpt to: <test at plectere.com>
>> 250 2.1.5 test at plectere.com
>> quit
>> 221 2.0.0 mailgate.gfi.com Service closing transmission channel
>> Connection closed by foreign host.
>gfi.com, the same gfi.com thats selling mail security products?
>One word: Amazing.
>550 5.7.1 Unable to relay for ...
>Just checked, and it seems they closed it allready.

	Very nice apology from David Vella late last night (or early
this morning, depending on your point of view ):

>Subject: RE: [SURBL-Discuss] Forge SURBL mail from gfi.com, just minutes ago.
>Date: Fri, 8 Apr 2005 09:06:25 +0200
>From: "David Vella" <david at gfi.com>
>To: "SURBL Discussion list" <discuss at lists.surbl.org>
>Sorry for this.  I am the GFI MailEssentials/MailSecurity/MailArchiver
>product manager and I am a list subscriber because I like the SURBL
>concept.  The reason of these emails seems to be because yesterday our
>network administrator installed a new email relay server (named
>passthrough) and I believe that he has mis-configured it.  I sent him
>all this info so that he will look into it.
>I will make sure that this is fixed immediately.
>David Vella - GFI Software Ltd. - www.gfi.com 
>Messaging, Content Security & Network security software 
>GFI: FAXmaker - LANguard - MailSecurity - DownloadSecurity 
>[snipped - mostly a copy of one of my mesages]

	Now we just have to help them off of the blacklists they got on
last night (rfci.{whois,postmaster,abuse}) and they were already on L2

	It seems that while the evidence for the "whois" listing, was
correct, it was actually "insufficient" - San Gwann is not a "city",
but it is a valid postal station in Malta (and I have learned, that
similar situations also occur in some North African countries), so they
can get off of the "rfci.whois" list with an email to rfci.  They did
bounce the postmaster@ and abuse@ messages, so they'll have to add/enable
those accounts, then they can get off of those lists quickly too.  As to
SPEWS, well, someone will have to do the standard beg and plead and suffer
abuse on NAMAE (I haven't checked why they were listed there to begin with,
so I don't know exactly how much pleading and abuse will be required).

	Since you already have abuse@ and postmaster@ on the "Cc:" list,
we'll quickly see if they still bounce.

	Paul Shupak
	track at plectere.com

More information about the Discuss mailing list