|
| Personal blacklist question |
 |
Wed, 07 Nov 2007 11:43:42 -050 |
Hi,
I'm having trouble getting my personal blacklist to reject
entire domains. What I'd like to do is reject the entire .info
domain. Here is what has been in my blacklist for a while:
.cn
.info
.ru
I thought all was good, but then today spamcop did not put a
.info Return-Path message in the held mail area and instead made it
available for POP'ing off via my local e-mail application. My
assumptions were that the blacklist could apply to entire domains
and that the Return-Path would be scanned prior to making the message
available via POP, IMAP, or webmail. Are these assumptions correct?
Thanks.
---------- Offending message ----------
Return-Path: <go8213909nov@novnewsa.info>
Delivered-To: spamcop-net-x
Received: (qmail 22043 invoked from network); 7 Nov 2007 16:14:44 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on blade4
X-Spam-Level: *
X-Spam-Status: hits=1.4 tests=HTML_MESSAGE,SARE_GIF_ATTACH version=3.2.3
Received: from unknown (192.168.1.107)
  by blade4.cesmail.net with QMQP; 7 Nov 2007 16:14:44 -0000
Received: from out-p-b.customernews.net (212.199.222.42)
  by mx70.cesmail.net with SMTP; 7 Nov 2007 16:14:43 -0000
Received: from localhost ([127.0.0.1]) by out-p-b.customernews.net with SMTP;
  Wed, 7 Nov 2007 18:14:43 +0300
Message-ID:
  <NTcz____________________________________Mw==@out-p-b.customernews.net>
From: "GenericOnline Pharmacy" <gonov@novnewsa.info>
To: "Mr. X X" <x>
Subject: This month we say THANK YOU
Date: Wed, 7 Nov 2007 18:14:43 +0300
Content-Type: multipart/related;
  boundary="----=_NextPart_000_0007_8213909"
MIME-Version: 1.0
|
| Re: Personal blacklist question |
 |
Fri, 9 Nov 2007 06:05:19 -0500 |
"r5" <r5ahhj@r5ahhj.bounceme.net> wrote in message
news:r5ahhj-8A0775.11434007112007@news.cesmail.net...
> Hi,
>
> I'm having trouble getting my personal blacklist to reject
> entire domains. What I'd like to do is reject the entire .info
> domain. Here is what has been in my blacklist for a while:
<snip>
I don't have a spamcop email account so I don't know how the filters work.
Most of the support for email accounts is provided in the forum where you
might get better answers.
However, AFAICS, the spam did not come from a *.info IP address, but from
out-p-b.customernews.net. The return path was to a .info email address but
that is commonly forged by the spammer and not generally used in filters to
block. One can whitelist a particular email address, however.
Miss Betsy
an almost new internet user
|
| Re: Personal blacklist question |
 |
Fri, 9 Nov 2007 19:31:27 -0500 |
"Farelf" <user@domain.invalid> wrote in message
news:fh1r9p$ifo$1@news.spamcop.net...
<snip>
> True, very true, but in this instance novnewsa.info and customernews.net
> appear to have the same mail exchange server IP address so the association
> seems legitimate (agreeing therefore with the message ID).
>
> mail.novnewsa.info internet address = 80.179.30.71
> mx1.customernews.net internet address = 80.179.30.71
>
> Where that leaves us, I have no idea, not being an email account user
> either. Perhaps some kind soul will wander by ...?
>
I am not adept at reading email headers, but this email seemed to come from
Received: from out-p-b.customernews.net (212.199.222.42)
which is not 80.179.30.71.
It may be from a zombie that hasn't been identified yet.
Miss Betsy
|
| Re: Personal blacklist question |
 |
Fri, 09 Nov 2007 23:36:41 +090 |
Miss Betsy wrote:
> However, AFAICS, the spam did not come from a *.info IP address, but from
> out-p-b.customernews.net. The return path was to a .info email address but
> that is commonly forged by the spammer and not generally used in filters to
> block. One can whitelist a particular email address, however.
>
True, very true, but in this instance novnewsa.info and customernews.net
appear to have the same mail exchange server IP address so the
association seems legitimate (agreeing therefore with the message ID).
mail.novnewsa.info internet address = 80.179.30.71
mx1.customernews.net internet address = 80.179.30.71
Where that leaves us, I have no idea, not being an email account user
either. Perhaps some kind soul will wander by ...?
|
| Re: Personal blacklist question |
 |
Sat, 10 Nov 2007 07:34:51 -050 |
"Farelf" <user@domain.invalid> wrote in message
news:fh32v1$f8h$1@news.spamcop.net...
<snip>
> You're reading the header just fine Miss Betsy but 212.199.222.42 is just
> one of (2 that SenderBase knows about) customernews.net's outwards servers
> and a very busy one too, but not (yet) in any major bl. The MX association
> with novnewsa is a matter of network infrastructure/organization and
> indicates that, at a certain level, there is an association. Maps (at
> page bottom) show their internet structures in
> http://www.robtex.com/dns/novnewsa.info.html
> http://www.robtex.com/dns/customernews.net.html
>
> customernews.net says it only sends out its *own* mail from the domains &
> IP addresses shown at http://www.custnews.net/ips.html If that is
> comprehensive/trustworthy it means 212.199.222.42 was used for someone
> else's mail since it is not on that list.
>
> novnewsa.info doesn't seem to send its own mail. I'm thinking
> customernews.net provides that service, but is not the originator as such,
> but the "operator" certainly. Abuse/reporting addresses for novnewsa.info
> and customernews.net would then be one and the same. Well, sorta - SC says
> abuse@012.net for novnewsa.info which is the same as for 212.199.222.42.
>
> Yeah, I know, I'm going cross-eyed at this point too. But QED to the
> point I was making. I think.
QED. I wonder how the OP's filters work - whether they filter on the return
path or on the IP address of .cn, .info, .ru? I don't see any X headers
listing the 'domains'. Usually, one would have to put *.cn, etc. in a typical
blacklist/whitelist (though I don't know any that allow that) to capture
all. Otherwise, you have to have a specific address which is why that kind
of filter is almost worthless. I think that spamcop email clients can
choose 'country' blacklists based on IP address. I would guess that .info
wouldn't have a block of IP addresses assigned to it so it couldn't be
filtered by the extension unless the filter allowed *.info.
Apparently, the OP gave up on getting an answer here so our musings are
academic.
Miss Betsy
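
The question the thread circles (does a ".info" entry see the Return-Path, or the connecting host?) can be checked against the posted headers. The following is an added example, not part of any post above and not a description of how SpamCop's filter works; the function names are hypothetical, and it assumes an entry such as ".info" is meant as a suffix match on a label boundary and that hosts ending in cesmail.net are the receiving side.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the offending message in the first post (trimmed).
SAMPLE = """\
Return-Path: <go8213909nov@novnewsa.info>
Received: from unknown (192.168.1.107)
 by blade4.cesmail.net with QMQP; 7 Nov 2007 16:14:44 -0000
Received: from out-p-b.customernews.net (212.199.222.42)
 by mx70.cesmail.net with SMTP; 7 Nov 2007 16:14:43 -0000
Received: from localhost ([127.0.0.1]) by out-p-b.customernews.net with SMTP;
 Wed, 7 Nov 2007 18:14:43 +0300
From: "GenericOnline Pharmacy" <gonov@novnewsa.info>
"""
BLACKLIST = [".cn", ".info", ".ru"]  # the entries listed in the first post
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(\[?([0-9.]+)\]?\)\s+by\s+(\S+)")

def suffix_match(domain, entries):
    """Return the entry matching `domain` on a label boundary, else None.
    Assumed semantics: '.info' matches any host name ending in .info."""
    domain = domain.lower().rstrip(".")
    for entry in entries:
        bare = entry.lower().lstrip(".")
        if domain == bare or domain.endswith("." + bare):
            return entry
    return None

def addr_domain(header_value):
    """Domain part of an address header such as Return-Path or From."""
    return parseaddr(header_value or "")[1].rpartition("@")[2]

def handoff(msg, our_suffix):
    """Topmost Received line where our side accepted mail from a public IP.
    Lines below it were written by the sender and cannot be trusted."""
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))
        if m and m.group(3).endswith(our_suffix) and not ipaddress.ip_address(m.group(2)).is_private:
            return m.group(1), m.group(2)
    return None

def evaluate(raw, entries, our_suffix="cesmail.net"):
    msg = message_from_string(raw)
    relay = handoff(msg, our_suffix)
    return {
        "return_path": suffix_match(addr_domain(msg["Return-Path"]), entries),
        "from": suffix_match(addr_domain(msg["From"]), entries),
        "relay_name": suffix_match(relay[0], entries) if relay else None,
        "relay": relay,
    }
```

On the posted message, a suffix rule applied to the Return-Path or From address hits ".info", while the same rule applied to the host that actually handed the mail over (out-p-b.customernews.net, 212.199.222.42) matches nothing, so the outcome depends entirely on which field the filter inspects.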