0sg.net bouncing for bad reverse lookups?

Use this forum to get help.

Re: 0sg.net bouncing for bad reverse lookups?

Postby Clewby » Tue Jan 31, 2023 8:12 am

It might help troubleshooting if we post which providers are still working with Spamgourmet as well as those that don't, as it might become obvious what the difference in set up is. Or it might not. It might also act as a convenient list of candidates for providers people can use to receive Spamgourmet messages while the situation is resolved.

List of providers where incoming mail from Spamgourmet is successfully delivered to the user's mailbox:
Gmail

List of providers where incoming mail from Spamgourmet is not (currently) successfully delivered to the user's mailbox:
freenet.de
gmx.com (thank you JFK)
gmx.de
mail.de (thank you Bulli)
mailbox.org
posteo (thank you JFK)
protonmail
riseup
tutanota
web.de (thank you Friedhelm)
Last edited by Clewby on Wed Feb 01, 2023 2:47 pm, edited 3 times in total.
Clewby
 
Posts: 44
Joined: Mon Jun 13, 2011 4:48 pm

Re: 0sg.net bouncing for bad reverse lookups?

Postby Bulli » Tue Jan 31, 2023 5:35 pm

Here the same. In the last days i changes dozens of Mailadresses to another provider. Hours of wasted time because spamgourmet doesn't forwarded my mails.

After 12 days, i found out why. I changed my forward-adress 5 times.

You can add Mail.de to the list. Some mails (a few) came in after 8 days after sending! Now i have a mailadresse which is functioning with SG. I am afraid this will not last for long. That's why i will change all of my nearly 100 SG-Adresses to another Provider. It's a shame because i am SG-User since over 2 decades.

List of providers where incoming mail from Spamgourmet is not (currently) successfully delivered to the user's mailbox:

Mail.de

freenet.de
gmx.de
mailbox.org
protonmail
riseup
tutanota
Bulli
 
Posts: 2
Joined: Tue Jan 31, 2023 5:24 pm

Re: 0sg.net bouncing for bad reverse lookups?

Postby FreeMan » Tue Jan 31, 2023 7:48 pm

notmysgusername1 wrote:I've been on the line with their support


Thanks for doing that!! I've been meaning to get in touch with them, but have been swamped with other things and I've got the gmail band-aid working for now.
The most important point in a man's life is knowing his time when it comes.
FreeMan
 
Posts: 7
Joined: Fri Sep 23, 2005 4:24 pm

Re: 0sg.net bouncing for bad reverse lookups?

Postby JFK » Wed Feb 01, 2023 1:46 am

List of providers where incoming mail from Spamgourmet is not (currently) successfully delivered to the user's mailbox:

Mail.de

freenet.de
gmx.de / gmx.com (maybe different issue: problems known for about 3 years)
mailbox.org
posteo
protonmail
riseup
tutanota
Last edited by JFK on Fri Feb 03, 2023 11:37 pm, edited 1 time in total.
JFK
 
Posts: 12
Joined: Mon Mar 30, 2020 7:53 pm

Re: 0sg.net bouncing for bad reverse lookups?

Postby Friedhelm » Wed Feb 01, 2023 1:14 pm

Clewby wrote:List of providers where incoming mail from Spamgourmet is not (currently) successfully delivered to the user's mailbox:
freenet.de
gmx.com (thank you JFK)
gmx.de
mail.de (thank you Bulli)
mailbox.org
posteo (thank you JFK)
protonmail
riseup
tutanota


Add web.de to this list.
Friedhelm
 
Posts: 2
Joined: Fri Jun 23, 2017 12:43 am

Re: 0sg.net bouncing for bad reverse lookups?

Postby Clewby » Wed Feb 01, 2023 4:33 pm

Clewby wrote:It might help troubleshooting if we post which providers are still working with Spamgourmet as well as those that don't, as it might become obvious what the difference in set up is. Or it might not. It might also act as a convenient list of candidates for providers people can use to receive Spamgourmet messages while the situation is resolved.


I've been looking to see if there is anything in the public configurations that might give a clue as to the differences between providers that work and ones that don't. At the moment, I don't see anything obvious. There's no guarantee that there is a common problem, unfortunately. [s]If/when I get time, I'll update the missing info.[/s]If anyone has other providers that currently work, please let me know.

List of providers where incoming mail from Spamgourmet is successfully delivered to the user's mailbox:
Gmail.com
Code: Select all
 - Mailserver(s)
dig +noall +answer -t MX gmail.com
gmail.com.      3600   IN   MX   5 gmail-smtp-in.l.google.com.
gmail.com.      3600   IN   MX   10 alt1.gmail-smtp-in.l.google.com.
gmail.com.      3600   IN   MX   20 alt2.gmail-smtp-in.l.google.com.
gmail.com.      3600   IN   MX   30 alt3.gmail-smtp-in.l.google.com.
gmail.com.      3600   IN   MX   40 alt4.gmail-smtp-in.l.google.com.
 - SPF (TXT)
dig +noall +answer -t TXT gmail.com
gmail.com.      300   IN   TXT   "globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
gmail.com.      300   IN   TXT   "v=spf1 redirect=_spf.google.com"
dig +noall +answer -t TXT _spf.google.com
_spf.google.com.   300   IN   TXT   "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
-TLSA
dig +noall +noanswer -t TLSA _25._tcp.gmail-smtp-in.l.google.com
<blank>
dig +noall +noanswer -t TLSA _465._tcp.gmail-smtp-in.l.google.com
<blank>
dig +noall +noanswer -t TLSA _585._tcp.gmail-smtp-in.l.google.com
<blank>
dig +noall +noanswer -t TLSA _993._tcp.gmail-smtp-in.l.google.com
<blank>

List of providers where incoming mail from Spamgourmet is not (currently) successfully delivered to the user's mailbox:
freenet.de
Code: Select all
 - Mailserver(s)
dig +noall +answer -t MX freenet.de
freenet.de.      600   IN   MX   1 emig.freenet.de.
 - SPF (TXT)
dig +noall +answer -t TXT freenet.de
freenet.de.      300   IN   TXT   "facebook-domain-verification=1ibucxg0i8l4qzzh8eyo4k78r0717n"
freenet.de.      300   IN   TXT   "v=spf1 ip4:195.4.92.0/23 ip6:2001:748:100:40::2:0/112 ~all"
freenet.de.      300   IN   TXT   "postman-domain-verification=8492cae6072d315c14fb7d7de333432e94caba6171fe2a51d7b66afdac6382f697906a25e7d62a1316b54e74dac7bc00eeb89c4f808a06e99138dd52e16d23d3"
freenet.de.      300   IN   TXT   "google-site-verification=96dfcZCQHB-a4nEHCGk69AgSMWk5fJCSlwRbkBWlZ8U"
- TLSA
$ dig +noall +noanswer -t TLSA _25._tcp.emig.freenet.de
<blank>
$ dig +noall +noanswer -t TLSA _465._tcp.emig.freenet.de
<blank>
$ dig +noall +noanswer -t TLSA _585._tcp.emig.freenet.de
<blank>
$ dig +noall +noanswer -t TLSA _993._tcp.emig.freenet.de
<blank>

gmx.com (thank you JFK)
Code: Select all
 - Mailserver(s)
dig +noall +answer -t MX gmx.com
gmx.com.      7186   IN   MX   10 mx01.gmx.net.
gmx.com.      7186   IN   MX   10 mx00.gmx.net.
 - SPF (TXT)
dig +noall +answer -t TXT gmx.com
gmx.com.      300   IN   TXT   "google-site-verification=YxvYPeuavgDRQDYTX-3dSD3JNMsDn5yO7loiNot-h0Q"
gmx.com.      300   IN   TXT   "v=spf1 ip4:213.165.64.0/23 ip4:74.208.5.64/26 ip4:74.208.122.0/26 ip4:212.227.126.128/25 ip4:212.227.15.0/24 ip4:212.227.17.0/27 ip4:74.208.4.192/26 ip4:82.165.159.0/24 ip4:217.72.207.0/27 -all"
gmx.com.      300   IN   TXT   "tpverification20190725"
gmx.com.      300   IN   TXT   "facebook-domain-verification=rrwl4taoaitv2jrqmz719qv6f18jgo"
gmx.com.      300   IN   TXT   "cs2wypdfpjcvt13xc979nk7wbfyk732l"
 - TLSA
dig -t TLSA  +noall +answer _25._tcp.mx00.gmx.net
_25._tcp.mx00.gmx.net.   900   IN   TLSA   3 1 1 ABB4B5627716349590908EEDE5BF434F11832076766CE348F8EF0EB0 26F4622D
_25._tcp.mx00.gmx.net.   900   IN   TLSA   3 1 1 435958AAD6A4985BAF62935BDF5D71088C40420A5BF83F03F69DDB81 F2C64229
dig -t TLSA  +noall +answer _465._tcp.mx00.gmx.net
<blank>
dig -t TLSA  +noall +answer _585._tcp.mx00.gmx.net
<blank>
dig -t TLSA  +noall +answer _993._tcp.mx00.gmx.net
<blank>

gmx.de/gmx.net
Code: Select all
 - Mailserver(s)
dig +noall +answer -t MX gmx.de
gmx.de.         298   IN   MX   10 mx00.emig.gmx.net.
gmx.de.         298   IN   MX   10 mx01.emig.gmx.net.
 - SPF (TXT)
dig +noall +answer -t TXT gmx.net
gmx.net.      300   IN   TXT   "google-site-verification=J0NZ2F6kdhXzsguHSKZTm3CWujnrImftkDG3zhz14g0"
gmx.net.      300   IN   TXT   "179gjz475x3lvxbtsv2mn24vc1l1q9tb"
gmx.net.      300   IN   TXT   "vxxrjnnhhz1vd8r51zps6swntc43k2j1"
gmx.net.      300   IN   TXT   "v=spf1 ip4:213.165.64.0/23 ip4:74.208.5.64/26 ip4:212.227.126.128/25 ip4:212.227.15.0/25 ip4:212.227.17.0/27 ip4:74.208.4.192/26 ip4:82.165.159.0/24 ip4:217.72.207.0/27 ip4:82.165.229.31 ip4:82.165.230.21 -all"
gmx.net.      300   IN   TXT   "Trustpilot-Verification-kqvVskCm6JQ9Vg1qAmahpBSJ5tvZORbriFyVIk4E"
gmx.net.      300   IN   TXT   "facebook-domain-verification=scdn4fwr0on3j97l5py9vp9raerciu"
 - TLSA
dig -t TLSA  +noall +answer _25._tcp.mx00.emig.gmx.net
_25._tcp.mx00.emig.gmx.net. 900   IN   TLSA   3 1 1 435958AAD6A4985BAF62935BDF5D71088C40420A5BF83F03F69DDB81 F2C64229
_25._tcp.mx00.emig.gmx.net. 900   IN   TLSA   3 1 1 ABB4B5627716349590908EEDE5BF434F11832076766CE348F8EF0EB0 26F4622D
dig -t TLSA  +noall +answer _465._tcp.mx01.emig.gmx.net
<blank>
dig -t TLSA  +noall +answer _585._tcp.mx01.emig.gmx.net
<blank>
dig -t TLSA  +noall +answer _993._tcp.mx01.emig.gmx.net
<blank>

mail.de (thank you Bulli)
Code: Select all
 - Mailserver(s)
dig +noall +answer -t MX mail.de
mail.de.      3600   IN   MX   10 mx02.mail.de.
mail.de.      3600   IN   MX   10 mx01.mail.de.
 - SPF (TXT)
dig +noall +answer -t TXT mail.de
mail.de.      3600   IN   TXT   "google-site-verification=sl9KWG5m93CAT_QCIN1hq9Ryle8rp_9wNCd0_JvX2mA"
mail.de.      3600   IN   TXT   "v=spf1 ip4:62.201.172.0/27 ip4:62.201.172.32/27 ip6:2001:0868:0100:0600::/64 ~all"
 - TLSA
dig -t TLSA  +noall +answer _25._tcp.mx01.mail.de
_25._tcp.mx01.mail.de.   600   IN   TLSA   3 1 1 6C92CA45CDB261DBF4148E3651F18B5A3A05D0FBAB543024F64F5E92 A26E833E
_25._tcp.mx01.mail.de.   600   IN   TLSA   3 1 1 6FD2BA2DC8356F93C96584926BD4F3003B25C3744155FA14A6135C1A FE01B221
dig -t TLSA  +noall +answer _465._tcp.mx01.mail.de
<blank>
dig -t TLSA  +noall +answer _585._tcp.mx01.mail.de
<blank>
dig -t TLSA  +noall +answer _993._tcp.mx01.mail.de
<blank>

mailbox.org
Code: Select all
 - Mailserver(s)
dig +noall +answer -t MX mailbox.org
mailbox.org.      3687   IN   MX   10 mx2.mailbox.org.
mailbox.org.      3687   IN   MX   20 mx3.mailbox.org.
mailbox.org.      3687   IN   MX   50 mx-n.mailbox.org.
mailbox.org.      3687   IN   MX   10 mx1.mailbox.org.
- SPF (TXT)
dig +noall +answer -t TXT mailbox.org
mailbox.org.      300   IN   TXT   "have-i-been-pwned-verification=aa98600469e4f52f5b4c8e6952a0927d"
mailbox.org.      300   IN   TXT   "google-site-verification=bCdtsEmyfsVIfzBgWZpEvCf3TeJgpw0f6x5miXGwakY"
mailbox.org.      300   IN   TXT   "mailru-verification: 0c2c482975b1fc2f"
mailbox.org.      300   IN   TXT   "swisssign-check=1tuXIQOBa4NZh2EIQI5nFD8fbJW2EvxB6W8rYhAoQ5"
mailbox.org.      300   IN   TXT   "v=spf1 ip4:213.203.238.0/25 ip4:195.10.208.0/24 ip4:91.198.250.0/24 ip4:80.241.56.0/21 ip6:2001:67c:2050::/48 mx ~all"
mailbox.org.      300   IN   TXT   "google-site-verification=ojrG-cXIWNDWMmRomplDCsZknBUmg2PO32SffP1Xy2E"
- TLSA
dig +noall +answer -t TLSA _25._tcp.mx1.mailbox.org
_25._tcp.mx1.mailbox.org. 3600   IN   TLSA   3 1 1 996AD31D65E03F038B8EC950F6F26611529DA03E3A283E4400CBA2ED D04B8A88
dig +noall +answer -t TLSA _465._tcp.mx1.mailbox.org
<blank>
dig +noall +answer -t TLSA _585._tcp.mx1.mailbox.org
<blank>
dig +noall +answer -t TLSA _993._tcp.mx1.mailbox.org
<blank>

posteo.de (thank you JFK)
Code: Select all
 - Mailserver(s)
dig +noall +answer -t MX posteo.de
posteo.de.      81   IN   MX   10 mx04.posteo.de.
posteo.de.      81   IN   MX   10 mx01.posteo.de.
posteo.de.      81   IN   MX   10 mx03.posteo.de.
 - SPF (TXT)
dig +noall +answer -t TXT posteo.de
posteo.de.      3600   IN   TXT   "v=spf1 ip4:185.67.36.0/23 ip4:89.146.220.128/29 ip4:89.146.194.160/28 ip4:89.146.230.64/26 ip4:185.67.36.111/32 ip6:2a05:bc0:1000::/64 ~all"
 - TLSA
dig +noall +answer -t TLSA _25._tcp.mx01.posteo.de
_25._tcp.mx01.posteo.de. 900   IN   TLSA   3 1 1 F6A2D50F7616F4CC627A15ADF5A7A3CFBE2096B2638C83E8E35614F5 F884B836
_25._tcp.mx01.posteo.de. 900   IN   TLSA   3 1 1 1F7BB94AC6C2F5BBC9940C3D61C371929F3AE52785A57E30C4AC60C2 096E274F
_25._tcp.mx01.posteo.de. 900   IN   TLSA   3 1 1 7FE9B80819C4A2E0BC30949E33B19C947836C7FBE0EE9281F50607E4 CAAD6C10
dig +noall +answer -t TLSA _465._tcp.mx01.posteo.de
<blank>
dig +noall +answer -t TLSA _585._tcp.mx01.posteo.de
<blank>
dig +noall +answer -t TLSA _993._tcp.mx01.posteo.de
<blank>

proton.me/protonmail.ch
Code: Select all
 - Mailserver(s)
dig +noall +answer -t MX proton.me
proton.me.      1200   IN   MX   10 mail.protonmail.ch.
proton.me.      1200   IN   MX   20 mailsec.protonmail.ch.
 - SPF (TXT)
dig +noall +answer -t TXT proton.me
proton.me.      3600   IN   TXT   "protonmail-verification=5262a92f988e64f1be1362138befdf1e19d6a4c1"
proton.me.      3600   IN   TXT   "google-site-verification=_ayl1WqWIag2WkIbK4sNg_x3NCT5nYOl_DgtFPTYKeg"
proton.me.      3600   IN   TXT   "yandex-verification: 95a7888a0f987e6a"
proton.me.      3600   IN   TXT   "google-site-verification=QviHfE1VQ57-tDmDLxM6BQH1mdgvdQ_0QsIvCht2IaU"
proton.me.      3600   IN   TXT   "google-site-verification=MUjtKY-4uQAjE92Z2-s1nm9m4mvdqY2z6HCvi_Bj4so"
proton.me.      3600   IN   TXT   "v=spf1 include:_spf.protonmail.ch ~all"
  - TLSA
dig +noall +answer -t TLSA _25._tcp.mail.protonmail.ch
_25._tcp.mail.protonmail.ch. 609 IN   TLSA   3 1 1 76BB66711DA416433CA890A5B2E5A0533C6006478F7D10A4469A947A CC8399E1
_25._tcp.mail.protonmail.ch. 609 IN   TLSA   3 1 1 6111A5698D23C89E09C36FF833C1487EDC1B0C841F87C49DAE8F7A09 E11E979E
dig +noall +answer -t TLSA _465._tcp.mail.protonmail.ch
<blank>
dig +noall +answer -t TLSA _585._tcp.mail.protonmail.ch
<blank>
dig +noall +answer -t TLSA _993._tcp.mail.protonmail.ch
<blank>
dig +noall +answer -t TLSA _25._tcp.mailsec.protonmail.ch
_25._tcp.mailsec.protonmail.ch.   656 IN   TLSA   3 1 1 6111A5698D23C89E09C36FF833C1487EDC1B0C841F87C49DAE8F7A09 E11E979E
_25._tcp.mailsec.protonmail.ch.   656 IN   TLSA   3 1 1 76BB66711DA416433CA890A5B2E5A0533C6006478F7D10A4469A947A CC8399E1
dig +noall +answer -t TLSA _465._tcp.mailsec.protonmail.ch
<blank>
dig +noall +answer -t TLSA _585._tcp.mailsec.protonmail.ch
<blank>
dig +noall +answer -t TLSA _993._tcp.mailsec.protonmail.ch
<blank>

riseup.net
Code: Select all
 - Mailserver(s)
dig +noall +answer -t MX riseup.net
riseup.net.      600   IN   MX   10 mx1.riseup.net.
 - SPF (TXT)
dig +noall +answer -t TXT riseup.net
riseup.net.      600   IN   TXT   "v=spf1 a mx a:mx0.riseup.net a:mx2.riseup.net -all"
riseup.net.      600   IN   TXT   "google-site-verification=5eSMKvTpr4VmxLM9SrzyPW_gdlRrw-tL9hGomvsYd9U"
riseup.net.      600   IN   TXT   "hns-claim:aakmvwsdeou4tzmyjsmyruwebtbgfmikvah752bpaeaaaaaaaaaklzaororjdpl6qzexi75h7ofhv447lownw5btzuxvs4ibaaaabtqtdybq"
 - TLSA
dig -t TLSA  +noall +answer _25._tcp.mx1.riseup.net
_25._tcp.mx1.riseup.net. 600   IN   CNAME   tlsa._mxdane.riseup.net.
tlsa._mxdane.riseup.net. 599   IN   TLSA   3 1 1 DFF6C2683211D0712A5D5C5EFF753DFBB2FCD446728154EBC5448440 E7D97FE5
tlsa._mxdane.riseup.net. 599   IN   TLSA   2 1 1 E5545E211347241891C554A03934CDE9B749664A59D26D615FE58F77 990F2D03
tlsa._mxdane.riseup.net. 599   IN   TLSA   2 1 1 BD936E72B212EF6F773102C6B77D38F94297322EFC25396BC3279422 E0C89270
tlsa._mxdane.riseup.net. 599   IN   TLSA   2 1 1 9253B6DE74F67A11435C27F1DDE1D30D1112333DDAB23D66B8EFB868 87638AE6
tlsa._mxdane.riseup.net. 599   IN   TLSA   2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DC FBCF286D
tlsa._mxdane.riseup.net. 599   IN   TLSA   2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B220407 1ED04F10
dig -t TLSA  +noall +answer _465._tcp.mx1.riseup.net
<blank>
dig -t TLSA  +noall +answer _585._tcp.mx1.riseup.net
<blank>
dig -t TLSA  +noall +answer _993._tcp.mx1.riseup.net
<blank>

tutanota.com
Code: Select all
 - Mailserver(s)
dig +noall +answer -t MX tutanota.com
tutanota.com.      600   IN   MX   0 mail.tutanota.de.
 - SPF (TXT)
dig +noall +answer -t TXT mail.tutanota.de
mail.tutanota.de.   600   IN   TXT   "v=spf1 -all"
 - TLSA
dig +noall +answer -t TLSA _25._tcp.mail.tutanota.de
_25._tcp.mail.tutanota.de. 300   IN   CNAME   dane.tutaos.de.
dane.tutaos.de.      299   IN   TLSA   3 0 1 F8E4F4ED7B8CBD72F0D04217099D19F3B534AE71EE8005F354C2CAEF 2ABECDA4
dane.tutaos.de.      299   IN   TLSA   3 0 1 5EB3A224AD39E1423F3A30A0FB5082CC3E716A763B59588311CC5516 64BC38F5
dig +noall +answer -t TLSA _465._tcp.mail.tutanota.de
<blank>
dig +noall +answer -t TLSA _585._tcp.mail.tutanota.de
<blank>
dig +noall +answer -t TLSA _993._tcp.mail.tutanota.de
<blank>

web.de (thank you Friedhelm)
Code: Select all
 - Mailserver(s)
dig +noall +answer -t MX web.de
web.de.         900   IN   MX   100 mx-ha03.web.de.
web.de.         900   IN   MX   100 mx-ha02.web.de.
 - SPF (TXT)
dig +noall +answer -t TXT web.de
web.de.         300   IN   TXT   "Trustpilot-Verification-kqvVskCm6JQ9Vg1qAmahpBSJ5tvZORbriFyVIk4E"
web.de.         300   IN   TXT   "google-site-verification=No4jlUg2OIV7IsI2UF0v792Q8HgI9Brnp7qary1nMAQ"
web.de.         300   IN   TXT   "v=spf1 ip4:212.227.126.128/25 ip4:212.227.15.0/25 ip4:212.227.17.0/27 ip4:217.72.192.248/29 ip4:82.165.159.0/26 ip4:217.72.207.0/27 ip4:217.72.192.64/26 ip4:82.165.229.130 ip4:82.165.230.22 -all"
web.de.         300   IN   TXT   "dzd5thdqpcp7f5d2p8l4vj5m5wdt21cs"
web.de.         300   IN   TXT   "g6ftbncmryg0y6h956jfd242s1z9tndk"
web.de.         300   IN   TXT   "kqpx82j1ql9zhqh54gdr8pj9f1ytvht1"
web.de.         300   IN   TXT   "facebook-domain-verification=ksd7xc6g15rm7xkdga4qcm9hasgkny"
 - TLSA
dig -t TLSA  +noall +answer _25._tcp.mx-ha02.web.de
_25._tcp.mx-ha02.web.de. 562   IN   TLSA   3 1 1 6364F921F0878583C800A15970ED20BC17A0152696F306AD762E7EC6 78334D2C
_25._tcp.mx-ha02.web.de. 562   IN   TLSA   3 1 1 BC9BA6268FB04BD0DECFF05FFC84546A713AE0A1A956322FBF14B1BE 9A6E1C9B
dig -t TLSA  +noall +answer _465._tcp.mx-ha02.web.de
<blank>
dig -t TLSA  +noall +answer _585._tcp.mx-ha02.web.de
<blank>
dig -t TLSA  +noall +answer _993._tcp.mx-ha02.web.de
<blank>


++++++++++++++++++++++
I'm going to make a guess here.

Gmail works. The rest don't. One difference is that gmail is not using DANE/TLSA wheras all the others (except freenet.de) are.
I don't know if mail is getting through to outlook and icloud, but I'll guess that it does - I can't see the logs, but given how popular those providers are, I would expect some noise if they didn't.

outlook.com
Code: Select all
 - Mailserver(s)
dig +noall +answer -t MX outlook.com
outlook.com.      300   IN   MX   5 outlook-com.olc.protection.outlook.com.
 - SPF (TXT)
dig +noall +answer -t TXT outlook.com
outlook.com.      300   IN   TXT   "google-site-verification=DC2uC-T8kD33lINhNzfo0bNBrw-vrCXs5BPF5BXY56g"
outlook.com.      300   IN   TXT   "google-site-verification=0iLWhIMhXEkeWwWfFU4ursTn-_OvoOjaA0Lr7Pg1sEM"
outlook.com.      300   IN   TXT   "v=spf1 include:spf-a.outlook.com include:spf-b.outlook.com ip4:157.55.9.128/25 include:spf.protection.outlook.com include:spf-a.hotmail.com include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com ~all"
 - TLSA
dig +noall +answer -t TLSA _25._tcp.outlook-com.olc.protection.outlook.com.
<blank>
dig +noall +answer -t TLSA _465._tcp.outlook-com.olc.protection.outlook.com.
<blank>
dig +noall +answer -t TLSA _585._tcp.outlook-com.olc.protection.outlook.com.
<blank>
dig +noall +answer -t TLSA _993._tcp.outlook-com.olc.protection.outlook.com.
<blank>


icloud.com
Code: Select all
 - Mailserver(s)
dig +noall +answer -t MX icloud.com
icloud.com.      3600   IN   MX   10 mx01.mail.icloud.com.
icloud.com.      3600   IN   MX   10 mx02.mail.icloud.com.
 - SPF (TXT)
dig +noall +answer -t TXT icloud.com
icloud.com.      300   IN   TXT   "google-site-verification=Ik3jMkCjHnUgyIoFR0Kw74srr0H5ynFmUk8fyY1uBck"
icloud.com.      300   IN   TXT   "google-site-verification=knAEOH4QxR29I4gjRkpkvmUmP2AA7WrDk8Kq0wu9g9o"
icloud.com.      300   IN   TXT   "v=spf1 ip4:17.41.0.0/16 ip4:17.58.0.0/16 ip4:17.142.0.0/15 ip4:17.172.0.0/16 ip4:17.179.168.0/23 ip4:144.178.36.0/24 ip4:144.178.38.0/24 ip4:17.42.251.0/24 ip4:17.57.156.0/24 ip4:17.56.9.0/24" " ip4:112.19.199.64/29 ip4:112.19.242.64/29 ip4:222.73.195.64/29 ip4:157.255.1.64/29 ip4:106.39.212.64/29 ip4:123.126.78.64/29 ip4:183.240.219.64/29 ip4:39.156.163.64/29 ip4:17.57.152.0/22 ~all"
 - TLSA
dig +noall +answer -t TLSA _25._tcp.mx01.mail.icloud.com
<blank>
dig +noall +answer -t TLSA _465._tcp.mx01.mail.icloud.com
<blank>
dig +noall +answer -t TLSA _585._tcp.mx01.mail.icloud.com
<blank>
dig +noall +answer -t TLSA _993._tcp.mx01.mail.icloud.com
<blank>


So it looks like Spamgourmet is failing when trying to send to mail servers that have DANE/TLSA enabled. With luck it's 'just' a configuration issue, although my mind is a blank when it comes to dealing with certificates.
Clewby
 
Posts: 44
Joined: Mon Jun 13, 2011 4:48 pm

Re: 0sg.net bouncing for bad reverse lookups?

Postby notmysgusername1 » Thu Feb 02, 2023 12:20 am

A slight follow-up.

Hotmail works with SG. Hotmail does not appear to have DANE enabled (checked with https://www.huque.com/bin/danecheck). Hotmail's MX record also does not have DANE enabled.

proton.me does not work with SG. Proton.me does not have DANE enabled. Proton.me's MX record _does_ have DANE enabled, and it's valid.

---
Follow-up, it looks like freenet.de from your post above does NOT have TLSA record, but also does not work. The MX server for that host does pass the DANE check, however.
notmysgusername1
 
Posts: 9
Joined: Fri Jan 27, 2023 12:58 am

Re: 0sg.net bouncing for bad reverse lookups?

Postby Clewby » Thu Feb 02, 2023 7:31 am

notmysgusername1 wrote:A slight follow-up.

Hotmail works with SG. Hotmail does not appear to have DANE enabled (checked with https://www.huque.com/bin/danecheck). Hotmail's MX record also does not have DANE enabled.

proton.me does not work with SG. Proton.me does not have DANE enabled. Proton.me's MX record _does_ have DANE enabled, and it's valid.

---
Follow-up, it looks like freenet.de from your post above does NOT have TLSA record, but also does not work. The MX server for that host does pass the DANE check, however.

I just checked. The MX server for freenet.de does (now) have a TLSA record. Perhaps it did before, and I made a typo/braino.

Code: Select all
dig +noall +answer -t TLSA _25._tcp.emig.freenet.de
_25._tcp.emig.freenet.de. 300   IN   TLSA   3 1 1 093CFBE3404DF2A9944B5DA4BC08584953F4B9FE36DACBEBD7221BCA 0A4E8AC4
_25._tcp.emig.freenet.de. 300   IN   TLSA   2 1 1 6106C0E3A0A299831875127BD7D3CC1859803D511CAC11EB6E0840DD 166FC10E


So I'm more convinced (Bayesian probability) that Spamgourmet's handling of DANE-enabled mailservers is at fault here. I'm pretty certain Spamgourmet managed it in the past, so the problem can probably be solved.

Thank you for pointing out https://www.huque.com/bin/danecheck-smtp, which makes checking very easy.
Clewby
 
Posts: 44
Joined: Mon Jun 13, 2011 4:48 pm

Re: 0sg.net bouncing for bad reverse lookups?

Postby hilde4705 » Thu Feb 02, 2023 5:20 pm

Hi folks,

I'm observing this thread for a while now and for days I want to publish my observations on this BUT:
Since I didn't have a bbs account before I couldn't post anything -- I had to register before. BUT:
For registering I'm to use a SG mail address -- which an activation mail is being sent to. BUT:
The activation mail was delayed a few times until the activation link sent was invalid. :oops: BUT:
Now I made it.

Here my two cents:

For me it looks as if
  • few mails are being delivered very delayed,
  • some got lost at all,
  • some are delivered immediately
all of this not depending on the SG account the eMail was addressed to.

  • From about January 18th to about January 23rd (period 1) no eMails to my SG accounts were delivered to my hidden account at GMX at all.
  • Since January 23rd some mails sent to that SG accounts during the period 1 are delivered from time to time, maybe 2 or 3 a day.
  • Some mails -- for example an answer to a mail I sent as a test to one of my SG accounts -- obviously got lost completely.
  • Up to now a lot of mails are delayed for up to 4 days, a few get lost.

So for me theres no completely loss of mails to some SG accounts at a certain SG domain.
But if there would be a problem with TLS, DNS, ..., whatever: shouldn't all mails to a certain SG account get lost?
Why are mails delayed instead? Are there any fallback mechanisms hit due to timeouts which sum up to 4 days?

I made these two tests days before and want to share my observations with you:

Code: Select all
_#sender_account#_          is the originating (senders) eMail address
_#sg_account#_@dfgh.net     is the disposable SG-address the eMail was addressed to
_#hidden_account#_          is the eMail account at GMX that SG should deliver to


The following mail was sent by me from another GMX account to my SG account ... and delivered about 47 hours later:

Code: Select all
Received: from gourmet8.spamgourmet.com ([216.75.62.102])    by mx-ha.gmx.net (mxgmx116 [212.227.17.5])
with ESMTPS (Nemesis) id ###
for <_#hidden_account#_>;                                    Sun, 29 Jan 2023 13:35:26 +0100

Received: from spamgourmet                                   by gourmet7.spamgourmet.com
with local (Exim 4.94.2)
(envelope-from <_#sender_account#_>) id ###
for _#hidden_account#_;                                      Fri, 27 Jan 2023 13:31:06 +0000

Received: from mout.gmx.net ([212.227.17.20])                by gourmet7.spamgourmet.com
with esmtps (TLS1.3)
tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2)
(envelope-from <_#sender_account#_>) id ###
for _#sg_account#_@dfgh.net;                                 Fri, 27 Jan 2023 13:31:06 +0000

Received: from [##ip##] ([##ip##])                           by web-mail.gmx.net (3c-app-gmx-bap10.server.lan [172.19.172.80])
(via HTTP);                                                  Fri, 27 Jan 2023 14:31:04 +0100

From: "_#sender_account#_" <...@ob.0sg.net>
To:   _#sg_account#_@dfgh.net
Date: Fri, 27 Jan 2023 14:31:04 +0100


The mail retour which I sent about 8pm that day via "answer" never arrived.

As another test I caused booking.com to send me an mail to the same account. This was delivered nearly immediately:

Code: Select all
Received: from gourmet8.spamgourmet.com ([216.75.62.102])   by mx-ha.gmx.net (mxgmx117 [212.227.17.5])
with ESMTPS (Nemesis)
id ### for <_#hidden_account#_>;                            Sun, 29 Jan 2023 22:14:19 +0100

Received: from spamgourmet                                  by gourmet7.spamgourmet.com
with local (Exim 4.94.2)
(envelope-from <noreply@mailer.booking.com>)
id ###
for _#hidden_account#_;                                     Sun, 29 Jan 2023 20:44:18 +0000

Received: from mailout-106-r3.booking.com ([37.10.31.9])    by gourmet7.spamgourmet.com
with esmtps (TLS1.3)
tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2)
(envelope-from <noreply@mailer.booking.com>)
id ###
for _#sg_account#_@dfgh.net;                                Sun, 29 Jan 2023 20:44:18 +0000

From:   "customer.service@booking.com" <...@ob.0sg.net>
Sender: "customer.service@booking.com" <...@ob.0sg.net>
To:     _#sg_account#_@dfgh.net
Date:   Sun, 29 Jan 2023 21:44:14 +0100


I cannot imagine that the "Sender" field makes the difference.

At the beginning of my observations the delay was around 2 days (Jan 27th - Jan 29th).
At the moment its's 4 days (Jan 29th - Feb 2nd).

Could there be a (increasing) load problem somewhere at SG?


Best regards
Hilde
hilde4705
 
Posts: 6
Joined: Sun Jan 29, 2023 9:04 pm

Re: 0sg.net bouncing for bad reverse lookups?

Postby xxxxmee » Thu Feb 02, 2023 8:55 pm

Here's the reply to my support request to tutanota:
We would actually reject emails if reverse dns look up fails, but this is not the case. I cannot find any incoming email from 0sg.net in the delivery logs of the past week. I think those emails are failing before being sent in the first place. Please keep in mind that we delete logs older than that.

I found however the spamgourmet domain in the logs. There are multiple successful TLS connections but then this error occurs:

lost connection after STARTTLS from gourmet.spamgourmet.com[216.75.62.102]

afterwards the connection is closed. Spamgourmet should be able to see some errors and details from their side.
xxxxmee
 
Posts: 1
Joined: Thu Feb 02, 2023 8:50 pm

Re: 0sg.net bouncing for bad reverse lookups?

Postby foo » Fri Feb 03, 2023 8:24 am

xxxxmee wrote:Here's the reply to my support request to tutanota:
We would actually reject emails if reverse dns look up fails, but this is not the case. I cannot find any incoming email from 0sg.net in the delivery logs of the past week. I think those emails are failing before being sent in the first place. Please keep in mind that we delete logs older than that.

I found however the spamgourmet domain in the logs. There are multiple successful TLS connections but then this error occurs:

lost connection after STARTTLS from gourmet.spamgourmet.com[216.75.62.102]

afterwards the connection is closed. Spamgourmet should be able to see some errors and details from their side.


Very good response from tutanota admins! The fact it kills the connection at STARTTLS makes me wonder if they hardened their cipher suites and removed a commonly used one...
foo
 
Posts: 3
Joined: Sun Jan 29, 2023 8:12 pm

Re: 0sg.net bouncing for bad reverse lookups?

Postby Clewby » Fri Feb 03, 2023 10:50 am

foo wrote:
xxxxmee wrote:Here's the reply to my support request to tutanota:
We would actually reject emails if reverse dns look up fails, but this is not the case. I cannot find any incoming email from 0sg.net in the delivery logs of the past week. I think those emails are failing before being sent in the first place. Please keep in mind that we delete logs older than that.

I found however the spamgourmet domain in the logs. There are multiple successful TLS connections but then this error occurs:

lost connection after STARTTLS from gourmet.spamgourmet.com[216.75.62.102]

afterwards the connection is closed. Spamgourmet should be able to see some errors and details from their side.


Very good response from tutanota admins! The fact it kills the connection at STARTTLS makes me wonder if they hardened their cipher suites and removed a commonly used one...

I think that is a good suggestion, but given that multiple providers are affected, I would guess they have not co-ordinated efforts to remove a commonly used cipher suite. On the balance of probabilities, I would suspect a change in configuration at Spamgourmet that has stopped it working with DANE-enabled recipients.

This document "DANE as Basis for Secure Data Transmission of Emails" (from an email marketing certification organisation) gives a nice overview of DANE-enabled security of email transmission.

What does typical email transport with DANE look like? Supposing that you, as an online
retailer, send an email to a customer with an account at example.com, it would look like
this:
 Your mail server determines which mail server is responsible for the receiver
domain. IN the process, it also checks whether the receiver domain’s DNS server
offers DNSSEC.
 If the DNS server offers DNSSEC, then your mail server checks whether there is a
TLSA Record for the receiver domain.
 Then your mail server establishes a connection to the receiver domain’s mail
server. If the latter does not offer STARTTLS for encrypting the connection, your
mail server immediately terminates the connection, because this looks
suspiciously like it could be a Downgrade Attack.
 If the destination server offers STARTTLS, then your mail server begins a TLS-
encrypted connection. In doing so, it compares the checksum of the destination
server’s certificate with the TLSA information that it has obtained via DNSSEC.
 If the checksums correspond, the destination server is verified. If the checksums
do not match, a DANE-activated client will immediately abort, because this looks
suspiciously like it could be a “Man in the Middle” attack. Traditional clients would
at this point cluelessly continue to transmit, and would send data to an
untrustworthy destination.
So far, so good. So that DANE works with DNSSEC, both DANE and DNSSEC must be
configured on the online retailer’s mail server. In the case that an email service provider
is used for sending emails, the email platform must be upgraded so that DNS requests
also check for DNSSEC functionality and use its capabilities for verification.


So this is not incompatible with Tutanota's logs. It could well be Spamgourmet that is trying to use DANE and getting to the point of STARTTLS and failing the checksum comparison as described above - that is, it is Spamgourmet that is dropping the connection; not the recipient email provider.

I don't know, because I don't have access to any logs, but the fact that it appears to be DANE-enabled recipients where transmission of emails from Spamgourmet fails makes me suspicious.

Clewby
Clewby
 
Posts: 44
Joined: Mon Jun 13, 2011 4:48 pm

Re: 0sg.net bouncing for bad reverse lookups?

Postby Clewby » Fri Feb 03, 2023 11:59 am

OK, looking deeper into DANE, using tutanota as an example.

It requires working DNSSEC. Checking this out is a bit involved using dig, but possible, as detailed here: Cyberciti.biz: How to test and validate DNSSEC using dig command line. Alternatively, I can use delv.

Code: Select all
delv tutanota.de
;; no valid DS resolving 'tutanota.de/A/IN': 127.0.0.53#53
;; resolution failed: no valid DS


- but a problem occurs - if the DNS server doesn't support it, I'll not get a valid response.

Try using 1.1.1.1 as the DNS server
Code: Select all
delv @1.1.1.1 tutanota.de
; fully validated
tutanota.de.      7   IN   A   185.205.69.12
tutanota.de.      7   IN   RRSIG   A 13 2 300 20230203122913 20230203102413 64619 tutanota.de. AK+a1VPIHKXm1OYO0fbHYMAkAQLeZ05nZiwkq7/Gyfw4pENYZEkOQO1o BgHSxcPb6eVc0i2enc5f22PIdUrmWQ==


or I can use the online checkers here: https://dnsviz.net/ or here: https://dnssec-analyzer.verisignlabs.com/

Let's find tutanota's mailserver(s)
Code: Select all
dig @1.1.1.1 +noall +answer -t MX tutanota.de
tutanota.de.      600   IN   MX   0 mail.tutanota.de.


Check out DNSSEC
Code: Select all
delv @1.1.1.1 mail.tutanota.de
; fully validated
mail.tutanota.de.   470   IN   A   81.3.6.162
mail.tutanota.de.   470   IN   A   81.3.6.165
mail.tutanota.de.   470   IN   A   185.205.69.211
mail.tutanota.de.   470   IN   RRSIG   A 13 3 600 20230203124206 20230203103206 64619 tutanota.de. JyJtQhdCYOS9OX0oKUb1BHOJTLLJRNn7mXVPy2Bs02DyHIz0lCVsUQUd DR4Vo09t+b5KxQHPKjcNPAsF2J6gZQ==


Now, I don't know what DNS servers Spamgourmet is using. The domain is registered at namecheap, and the free dns servers (dns1.registrar-servers.com and dns2.registrar-servers.com) are not much use at all as they refuse to reply to many queries, including DNSSEC.

So the problem might not be a misconfiguration of the Spamgourmet mail software - it could be whoever provides the DNS service has changed something so that previously good queries now fail. Difficult to say without looking at connection logs. I don't have access. And I don't want access.
Clewby
 
Posts: 44
Joined: Mon Jun 13, 2011 4:48 pm

Re: 0sg.net bouncing for bad reverse lookups?

Postby JFK » Fri Feb 03, 2023 11:54 pm

hilde4705 wrote:Hi folks,

....

  • From about January 18th to about January 23rd (period 1) no eMails to my SG accounts were delivered to my hidden account at GMX at all.
  • Since January 23rd some mails sent to that SG accounts during the period 1 are delivered from time to time, maybe 2 or 3 a day.
  • Some mails -- for example an answer to a mail I sent as a test to one of my SG accounts -- obviously got lost completely.
  • Up to now a lot of mails are delayed for up to 4 days, a few get lost.

....

Best regards
Hilde


Regarding GMX:
- It's a known problem for about 3 years:

https://bbs.spamgourmet.com/viewtopic.php?f=4&t=1804&sid=742bf210fafb8aceb90a40ca6e806be4&sid=742bf210fafb8aceb90a40ca6e806be4#p8415

Cheers,

JFK
JFK
 
Posts: 12
Joined: Mon Mar 30, 2020 7:53 pm

Re: 0sg.net bouncing for bad reverse lookups?

Postby Dianeslaak » Sat Feb 04, 2023 10:29 am

Confirming for Posteo (www.posteo.de): not a single mail through spamgourmets disposable addresses has reached me since 16th of january. I made an account with an Outlook mailaddres to be able to post here.

Posteo support was able to recreate the issue when signing up themselves. They tried to reach a maintainer since about a week ago, but let me know yesterday they haven't been able to reach anyone.

I have also send a pm to Syskoll with the 'mail does not reach me'-template.

I would love to help to make Spamgourmet work again, but am no programmer. Very willing to test whatever if that helps.
Dianeslaak
 
Posts: 2
Joined: Sat Feb 04, 2023 10:07 am

PreviousNext

Return to Support / Hilfe / ayuda / ondersteuning / ...

Who is online

Users browsing this forum: No registered users and 4 guests

cron