openstack email server blacklisted

Bug #1745512 reported by Father Vlasie
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Core Infrastructure
Won't Fix
OpenStack CI Core

Bug Description email server blacklisted again!

IP address:

From address: <email address hidden>

Reputation Mailspike DNSBL - see

Revision history for this message
Stefano Maffulli (smaffulli) wrote :

Delivering email reliably is too hard to do from The best solution at this point is to hook-up the service to a reliable SMTP server, like the same used by I don't know how/if this can be done.

Assigning this to the core infrastructure team, hoping they have ideas.

Changed in openstack-community:
status: New → Confirmed
importance: Undecided → High
assignee: nobody → OpenStack CI Core (openstack-ci-core)
affects: openstack-community → openstack-ci
Revision history for this message
Clark Boylan (cboylan) wrote : is its own mail server. It doesn't use any other service.

In this case is the issue that is sending mail for I don't think it should be doing that.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Strange that the mailspike lookup form claims "worst possible reputation" when Talos (formerly Senderbase) isn't indicating presence on any widely-used blacklists:

The current SPF record for is "v=spf1 ?all" so unless we're going to set the sender to something we should probably add in there. That said, I can't imagine a blacklist adding hosts solely for sending messages with an address which isn't included in a ?all SPF record. I'll see if I can spot any nefarious use from the MTA logs.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Messages logged by the MTA look like relatively typical patterns for the notification mechanisms askbot provides. Some of the rejections logged also mentioned the IPv4 address showing up on the Spamhaus PBL (which is not uncommon for Rackspace servers so we tend to file exceptions for them if we know they'll be sending E-mail), but Spamhaus's lookup form does not indicate this is actually the case either.

I also ran a packet capture on the server looking at all SMTP traffic, and didn't see any being sent outside the MTA (e.g., via direct socket connections).

Revision history for this message
Jeremy Stanley (fungi) wrote :

I've requested delisting from the Mailspike BL for now.

Revision history for this message
Jeremy Stanley (fungi) wrote :

The server is no longer showing up in the Mailspike BL, but I'll keep an eye on that over the next few days. I'm also no longer seeing nearly as many vague rejections from random MTAs in the log (though seems to fairly consistently reject with a "mail content denied" message.

Revision history for this message
Jeremy Stanley (fungi) wrote :

The server remains on (or perhaps continues to get relisted on though I see no indication their delisting interface actually does anything) the Mailspike RBL after repeated delisting attempts. Given that the blacklists tracked at as well as the ones tracked by (except for Mailspike on the latter) indicate no problem, and seeing no way to easily find out why we seem to keep running afoul of Mailspike, I'm going to mark this bug report as won't fix for now. It's unfortunate, but it looks to me like Mailspike is probably an overzealous and/or unreliable blacklist (which may be part of the reason Talos doesn't acknowledge their listings).

Changed in openstack-ci:
importance: High → Undecided
status: Confirmed → Won't Fix
Revision history for this message
Jeremy Stanley (fungi) wrote :

As a last followup (for now), I did eventually manage to get the server delisted in Mailspike and set up a packet capture to log all E-mail exiting the server. With a few days it ended up listed in Mailspike again with "worst possible reputation" and the only messages which ever left the server were notifications about updated questions going out to people who had explicitly subscribed to the tags associated with those questions. I have to assume that someone has somehow managed to subscribed a Mailspike honeypot address or is reporting the notifications to Mailspike as spam, but either way I don't see any solution to this short of disabling E-mail notification for the server or clearing everyone's subscription preferences and asking them to re-subscribe to question tags all over again.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers