Facebook’s mail server listed in SPAMCOP, ix.dnsbl.manitu.net, mails looking fishy

This is going to be a little bit technical.

A user enters ********@ks-webstyle.de in the Facebook registration form. Facebook checks whether the entered address can receive mail.
Postfix does sender verification (reject_unverified_sender); policyd-weight checks DNS, RBLs and some other stuff.
69.63.178.167 is listed in ix.dnsbl.manitu.net, oops! Overall rated as spam, since some checks made this email look fishy:

May  6 11:36:08 zeus postfix/smtpd[14590]: connect from outmail008.snc1.tfbnw.net[69.63.178.167]
May  6 11:36:09 zeus postfix/qmgr[21372]: 675DA3206E: from=<double-bounce@zeus.andox.de>, size=260, nrcpt=1 (queue active)
May  6 11:36:14 zeus postfix/smtp[14593]: 675DA3206E: to=<notification+abcdefgh=6g1@facebookmail.com>, relay=mx01.facebookmail.com[69.63.179.27]:25, delay=5.1, delays=0.01/0/5.1/0, dsn=4.4.2, status=undeliverable (lost connection with mx01.facebookmail.com[69.63.179.27] while receiving the initial server greeting)
May  6 11:36:14 zeus postfix/qmgr[21372]: 675DA3206E: removed
May  6 11:36:20 zeus postfix/policyd-weight[25030]: weighted check:  NOT_IN_DYN_PBL_SPAMHAUS=0 NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=SKIP(0) IN_IX_MANITU=4.35 NOT_IN_RELAYS_SORBS=0 NOT_IN_CBL_ABUSEAT_ORG=0 HELO_IP_IN_CL16_SUBNET=-0.41 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .facebookmail. – helo: .mx-out.facebook. – helo-domain: .facebook.)  FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN)=5.95 CLIENT_NOT_MX/A_FROM_DOMAIN=5.85 CLIENT/24_NOT_MX/A_FROM_DOMAIN=5.85; <client=69.63.178.167> <helo=mx-out.facebook.com> <from=notification@facebookmail.com> <to=********@ks-webstyle.de>; rate: 18.59
May  6 11:36:20 zeus postfix/policyd-weight[25030]: decided action=550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; please relay via your ISP (facebookmail.com); <client=69.63.178.167> <helo=mx-out.facebook.com> <from=notification+abcdefgh=6g1@facebookmail.com> <to=********@ks-webstyle.de>; delay: 1s
May  6 11:36:20 zeus postfix/smtpd[14590]: NOQUEUE: reject: RCPT from outmail008.snc1.tfbnw.net[69.63.178.167]: 550 5.7.1 <********@ks-webstyle.de>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; please relay via your ISP (facebookmail.com); from=<notification+abcdefgh=6g1@facebookmail.com> to=<********@ks-webstyle.de> proto=ESMTP helo=<mx-out.facebook.com>
May  6 11:36:26 zeus postfix/smtpd[14590]: disconnect from outmail008.snc1.tfbnw.net[69.63.178.167]
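
Added example (not part of the original post): a small parser for policyd-weight "weighted check" messages that confirms the per-check scores add up to the logged rate and shows which checks differ between a listed and an unlisted Facebook client. The two sample messages are copied from the log excerpts on this page and trimmed; the function names are this example's own.

```python
import re

# policyd-weight messages copied from the log excerpts on this page (syslog prefix
# and the <helo>/<from>/<to> fields trimmed, typographic dashes written as "-").
LISTED = (
    "weighted check:  NOT_IN_DYN_PBL_SPAMHAUS=0 NOT_IN_SBL_XBL_SPAMHAUS=-1.5 "
    "NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=SKIP(0) IN_IX_MANITU=4.35 "
    "NOT_IN_RELAYS_SORBS=0 NOT_IN_CBL_ABUSEAT_ORG=0 HELO_IP_IN_CL16_SUBNET=-0.41 "
    "RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .facebookmail. - helo: .mx-out.facebook. "
    "- helo-domain: .facebook.)  FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN)=5.95 "
    "CLIENT_NOT_MX/A_FROM_DOMAIN=5.85 CLIENT/24_NOT_MX/A_FROM_DOMAIN=5.85; "
    "<client=69.63.178.167>; rate: 18.59"
)
UNLISTED = (
    "weighted check:  NOT_IN_DYN_PBL_SPAMHAUS=0 NOT_IN_SBL_XBL_SPAMHAUS=-1.5 "
    "NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=ERR(0) NOT_IN_IX_MANITU=0 "
    "NOT_IN_RELAYS_SORBS=0 NOT_IN_CBL_ABUSEAT_ORG=0 HELO_IP_IN_CL16_SUBNET=-0.41 "
    "RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .facebookmail. - helo: .mx-out.facebook. "
    "- helo-domain: .facebook.)  FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN)=1.6; "
    "<client=69.63.178.180>; rate: -1.81"
)

NUM = r"-?\d+(?:\.\d+)?"

def parse_weighted_check(msg):
    """Return ({check name: score}, logged rate) for one 'weighted check:' message."""
    body = msg.split("weighted check:", 1)[1]
    scores = {}
    for token in body.split(";", 1)[0].split():   # scores end at the first ';'
        name, eq, value = token.rpartition("=")
        m = re.fullmatch(rf"({NUM})|\w+\(({NUM})\)", value)   # 4.35 or SKIP(0)/ERR(0)
        if eq and m:
            scores[name] = float(m.group(1) or m.group(2))
    rate = float(re.search(rf"rate: ({NUM})", body).group(1))
    return scores, rate

def score_delta(listed_msg, unlisted_msg):
    """Per-check score difference between two messages, zero differences dropped."""
    a, _ = parse_weighted_check(listed_msg)
    b, _ = parse_weighted_check(unlisted_msg)
    diff = {n: round(a.get(n, 0) - b.get(n, 0), 2) for n in a.keys() | b.keys()}
    return {n: d for n, d in diff.items() if d}

if __name__ == "__main__":
    for name, d in sorted(score_delta(LISTED, UNLISTED).items(), key=lambda kv: -kv[1]):
        print(f"{d:+6.2f}  {name}")
```

In these two log lines the DNSBL hit itself accounts for 4.35 of the 20.40 points between the rejected and the accepted attempt; the rest comes from the DNS/HELO checks, which score higher for the listed client.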

Facebook decides to accept ********@ks-webstyle.de as a valid email address to register with and sends an email with the activation link.
This time sender verification succeeds without error, the client IP is not listed in RBLs, and the mail is not looking fishy.
So do we accept it? Nope – let’s do greylisting:

May  6 11:38:42 zeus postfix/smtpd[14662]: connect from outmail021.snc1.tfbnw.net[69.63.178.180]
May  6 11:38:42 zeus postfix/qmgr[21372]: C59AE3206E: from=<double-bounce@zeus.andox.de>, size=260, nrcpt=1 (queue active)
May  6 11:38:44 zeus postfix/smtp[14666]: C59AE3206E: to=<password+abcdefgh=6g1@facebookmail.com>, relay=mx01.facebookmail.com[69.63.179.27]:25, delay=1.4, delays=0.01/0/0.88/0.56, dsn=2.1.5, status=deliverable (250 2.1.5 <password+abcdefgh=6g1@facebookmail.com>… Recipient ok)
May  6 11:38:44 zeus postfix/qmgr[21372]: C59AE3206E: removed
May  6 11:38:54 zeus postfix/policyd-weight[8422]: weighted check:  NOT_IN_DYN_PBL_SPAMHAUS=0 NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=ERR(0) NOT_IN_IX_MANITU=0 NOT_IN_RELAYS_SORBS=0 NOT_IN_CBL_ABUSEAT_ORG=0 HELO_IP_IN_CL16_SUBNET=-0.41 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .facebookmail. – helo: .mx-out.facebook. – helo-domain: .facebook.)  FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN)=1.6; <client=69.63.178.180> <helo=mx-out.facebook.com> <from=password@facebookmail.com> <to=********@ks-webstyle.de>; rate: -1.81
May  6 11:38:54 zeus postfix/policyd-weight[8422]: decided action=PREPEND X-policyd-weight:  NOT_IN_DYN_PBL_SPAMHAUS=0 NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=ERR(0) NOT_IN_IX_MANITU=0 NOT_IN_RELAYS_SORBS=0 NOT_IN_CBL_ABUSEAT_ORG=0 HELO_IP_IN_CL16_SUBNET=-0.41 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .facebookmail. – helo: .mx-out.facebook. – helo-domain: .facebook.)  FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN)=1.6; rate: -1.81; <client=69.63.178.180> <helo=mx-out.facebook.com> <from=password+abcdefgh=6g1@facebookmail.com> <to=********@ks-webstyle.de>; delay: 7s
May  6 11:38:54 zeus postgrey: action=greylist, reason=new, client_name=outmail021.snc1.tfbnw.net, client_address=69.63.178.180, sender=password+abcdefgh=6g1@facebookmail.com, recipient=********@ks-webstyle.de
May  6 11:38:54 zeus postfix/smtpd[14662]: NOQUEUE: reject: RCPT from outmail021.snc1.tfbnw.net[69.63.178.180]: 450 4.2.0 <********@ks-webstyle.de>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/ks-webstyle.de.html; from=<password+abcdefgh=6g1@facebookmail.com> to=<********@ks-webstyle.de> proto=ESMTP helo=<mx-out.facebook.com>
May  6 11:39:00 zeus postfix/smtpd[14662]: disconnect from outmail021.snc1.tfbnw.net[69.63.178.180]

Five minutes have passed; Facebook tries to deliver the password mail again.
69.63.178.168 is listed in SPAMCOP, oops!
policyd-weight again has reservations about this mail … looking fishy again.
We’d better not accept this mail – looks like spam if you ask me:

May  6 11:43:55 zeus postfix/smtpd[14843]: connect from outmail009.snc1.tfbnw.net[69.63.178.168]
May  6 11:43:57 zeus postfix/policyd-weight[8427]: weighted check:  NOT_IN_DYN_PBL_SPAMHAUS=0 NOT_IN_SBL_XBL_SPAMHAUS=-1.5 IN_SPAMCOP=3.75 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=SKIP(0) NOT_IN_IX_MANITU=0 NOT_IN_RELAYS_SORBS=0 NOT_IN_CBL_ABUSEAT_ORG=0 HELO_IP_IN_CL16_SUBNET=-0.41 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .facebookmail. – helo: .mx-out.facebook. – helo-domain: .facebook.)  FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN)=5.35 CLIENT_NOT_MX/A_FROM_DOMAIN=5.25 CLIENT/24_NOT_MX/A_FROM_DOMAIN=5.25; <client=69.63.178.168> <helo=mx-out.facebook.com> <from=password@facebookmail.com> <to=********@ks-webstyle.de>; rate: 17.69
May  6 11:43:57 zeus postfix/policyd-weight[8427]: decided action=550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; please relay via your ISP (facebookmail.com); <client=69.63.178.168> <helo=mx-out.facebook.com> <from=password+abcdefgh=6g1@facebookmail.com> <to=********@ks-webstyle.de>; delay: 1s
May  6 11:43:57 zeus postfix/smtpd[14843]: NOQUEUE: reject: RCPT from outmail009.snc1.tfbnw.net[69.63.178.168]: 550 5.7.1 <********@ks-webstyle.de>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; please relay via your ISP (facebookmail.com); from=<password+abcdefgh=6g1@facebookmail.com> to=<********@ks-webstyle.de> proto=ESMTP helo=<mx-out.facebook.com>
May  6 11:44:02 zeus postfix/smtpd[14843]: disconnect from outmail009.snc1.tfbnw.net[69.63.178.168]

The user triggers sending the validation mail again.
69.63.184.110 is listed in ix.dnsbl.manitu.net, oops!
Again, this email looks too fishy to be accepted:

May  6 15:26:35 zeus postfix/smtpd[23994]: connect from outmail010.ash1.tfbnw.net[69.63.184.110]
May  6 15:26:39 zeus postfix/policyd-weight[25030]: weighted check:  NOT_IN_DYN_PBL_SPAMHAUS=0 NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=SKIP(0) IN_IX_MANITU=4.35 NOT_IN_RELAYS_SORBS=0 NOT_IN_CBL_ABUSEAT_ORG=0 HELO_IP_IN_CL16_SUBNET=-0.41 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .facebookmail. – helo: .mx-out.facebook. – helo-domain: .facebook.)  FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN)=5.95 CLIENT_NOT_MX/A_FROM_DOMAIN=5.85 CLIENT/24_NOT_MX/A_FROM_DOMAIN=5.85; <client=69.63.184.110> <helo=mx-out.facebook.com> <from=password@facebookmail.com> <to=********@ks-webstyle.de>; rate: 18.59
May  6 15:26:39 zeus postfix/policyd-weight[25030]: decided action=550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; please relay via your ISP (facebookmail.com); <client=69.63.184.110> <helo=mx-out.facebook.com> <from=password+abcdefgh@facebookmail.com> <to=********@ks-webstyle.de>; delay: 3s
May  6 15:26:39 zeus postfix/smtpd[23994]: NOQUEUE: reject: RCPT from outmail010.ash1.tfbnw.net[69.63.184.110]: 550 5.7.1 <********@ks-webstyle.de>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; please relay via your ISP (facebookmail.com); from=<password+abcdefgh=6g1@facebookmail.com> to=<********@ks-webstyle.de> proto=ESMTP helo=<mx-out.facebook.com>
May  6 15:26:45 zeus postfix/smtpd[23994]: disconnect from outmail010.ash1.tfbnw.net[69.63.184.110]

It’s a new day, it’s a new day… let’s try again.
The user triggers sending the validation mail again.
69.63.178.162 is not listed in RBLs, DNS and HELO looking good!
So do we accept it? Nope – let’s do greylisting (postgrey running with --lookup-by-host):

May  7 10:26:49 zeus postfix/smtpd[1571]: connect from outmail003.snc1.tfbnw.net[69.63.178.162]
May  7 10:26:51 zeus postfix/policyd-weight[8427]: weighted check:  NOT_IN_DYN_PBL_SPAMHAUS=0 NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=SKIP(0) NOT_IN_IX_MANITU=0 NOT_IN_RELAYS_SORBS=0 NOT_IN_CBL_ABUSEAT_ORG=0 HELO_IP_IN_CL16_SUBNET=-0.41 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .facebookmail. – helo: .mx-out.facebook. – helo-domain: .facebook.)  FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN)=1.6; <client=69.63.178.162> <helo=mx-out.facebook.com> <from=password@facebookmail.com> <to=********@ks-webstyle.de>; rate: -1.81
May  7 10:26:51 zeus postfix/policyd-weight[8427]: decided action=PREPEND X-policyd-weight:  NOT_IN_DYN_PBL_SPAMHAUS=0 NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=SKIP(0) NOT_IN_IX_MANITU=0 NOT_IN_RELAYS_SORBS=0 NOT_IN_CBL_ABUSEAT_ORG=0 HELO_IP_IN_CL16_SUBNET=-0.41 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .facebookmail. – helo: .mx-out.facebook. – helo-domain: .facebook.)  FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN)=1.6; rate: -1.81; <client=69.63.178.162> <helo=mx-out.facebook.com> <from=password+abcdefgh=6g1@facebookmail.com> <to=********@ks-webstyle.de>; delay: 1s
May  7 10:26:51 zeus postgrey: action=greylist, reason=new, client_name=outmail003.snc1.tfbnw.net, client_address=69.63.178.162, sender=password+abcdefgh=6g1@facebookmail.com, recipient=********@ks-webstyle.de
May  7 10:26:51 zeus postfix/smtpd[1571]: NOQUEUE: reject: RCPT from outmail003.snc1.tfbnw.net[69.63.178.162]: 450 4.2.0 <********@ks-webstyle.de>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/ks-webstyle.de.html; from=<password+abcdefgh=6g1@facebookmail.com> to=<********@ks-webstyle.de> proto=ESMTP helo=<mx-out.facebook.com>
May  7 10:26:57 zeus postfix/smtpd[1571]: disconnect from outmail003.snc1.tfbnw.net[69.63.178.162]

Policyd-weight being angry with Facebook:

May  7 10:31:52 zeus postfix/smtpd[2382]: connect from outmail008.snc1.tfbnw.net[69.63.178.167]
May  7 10:31:53 zeus postfix/policyd-weight[8427]: decided action=550 temporarily blocked because of previous errors – retrying too fast. penalty: 30 seconds x 0 retries.; <client=69.63.178.167> <helo=mx-out.facebook.com> <from=password+abcdefgh=6g1@facebookmail.com> <to=********@ks-webstyle.de>; delay: 0s
May  7 10:31:53 zeus postfix/smtpd[2382]: NOQUEUE: reject: RCPT from outmail008.snc1.tfbnw.net[69.63.178.167]: 550 5.7.1 <********@ks-webstyle.de>: Recipient address rejected: temporarily blocked because of previous errors – retrying too fast. penalty: 30 seconds x 0 retries.; from=<password+abcdefgh=6g1@facebookmail.com> to=<********@ks-webstyle.de> proto=ESMTP helo=<mx-out.facebook.com>
May  7 10:31:58 zeus postfix/smtpd[2382]: disconnect from outmail008.snc1.tfbnw.net[69.63.178.167]

The user triggers sending the validation mail again.
69.63.184.101 is not listed in RBLs, DNS and HELO looking good!
But … new IP, new greylisting:

May  7 11:13:45 zeus postfix/smtpd[4138]: connect from outmail001.ash1.tfbnw.net[69.63.184.101]
May  7 11:13:47 zeus postfix/policyd-weight[8422]: weighted check:  NOT_IN_DYN_PBL_SPAMHAUS=0 NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=SKIP(0) NOT_IN_IX_MANITU=0 NOT_IN_RELAYS_SORBS=0 NOT_IN_CBL_ABUSEAT_ORG=0 HELO_IP_IN_CL16_SUBNET=-0.41 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .facebookmail. – helo: .mx-out.facebook. – helo-domain: .facebook.)  FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN)=1.6; <client=69.63.184.101> <helo=mx-out.facebook.com> <from=password@facebookmail.com> <to=********@ks-webstyle.de>; rate: -1.81
May  7 11:13:47 zeus postfix/policyd-weight[8422]: decided action=PREPEND X-policyd-weight:  NOT_IN_DYN_PBL_SPAMHAUS=0 NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=SKIP(0) NOT_IN_IX_MANITU=0 NOT_IN_RELAYS_SORBS=0 NOT_IN_CBL_ABUSEAT_ORG=0 HELO_IP_IN_CL16_SUBNET=-0.41 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .facebookmail. – helo: .mx-out.facebook. – helo-domain: .facebook.)  FROM/MX_MATCHES_NOT_UNVR_HELO(DOMAIN)=1.6; rate: -1.81; <client=69.63.184.101> <helo=mx-out.facebook.com> <from=password+abcdefgh=6g1@facebookmail.com> <to=********@ks-webstyle.de>; delay: 1s
May  7 11:13:47 zeus postgrey: action=greylist, reason=new, client_name=outmail001.ash1.tfbnw.net, client_address=69.63.184.101, sender=password+abcdefgh=6g1@facebookmail.com, recipient=********@ks-webstyle.de
May  7 11:13:47 zeus postfix/smtpd[4138]: NOQUEUE: reject: RCPT from outmail001.ash1.tfbnw.net[69.63.184.101]: 450 4.2.0 <********@ks-webstyle.de>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/ks-webstyle.de.html; from=<password+abcdefgh=6g1@facebookmail.com> to=<********@ks-webstyle.de> proto=ESMTP helo=<mx-out.facebook.com>
May  7 11:13:52 zeus postfix/smtpd[4138]: disconnect from outmail001.ash1.tfbnw.net[69.63.184.101]

Five minutes have passed, Facebook is trying again.
Finally, the mail gets accepted and delivered!

May  7 11:18:48 zeus postfix/smtpd[4138]: connect from outmail001.ash1.tfbnw.net[69.63.184.101]
May  7 11:18:49 zeus postfix/policyd-weight[8422]: decided action=PREPEND X-policyd-weight: using cached result; rate: -1.81; <client=69.63.184.101> <helo=mx-out.facebook.com> <from=password+abcdefgh=6g1@facebookmail.com> <to=********@ks-webstyle.de>; delay: 1s
May  7 11:18:49 zeus postgrey: action=pass, reason=triplet found, delay=302, client_name=outmail001.ash1.tfbnw.net, client_address=69.63.184.101, sender=password+abcdefgh=6g1@facebookmail.com, recipient=********@ks-webstyle.de
May  7 11:18:49 zeus postfix/smtpd[4138]: 4FA823206E: client=outmail001.ash1.tfbnw.net[69.63.184.101]
May  7 11:18:49 zeus postfix/cleanup[4365]: 4FA823206E: message-id=<8bcuca248z9101532add24ac7fa02be5@www.facebook.com>
May  7 11:18:49 zeus postfix/qmgr[21372]: 4FA823206E: from=<password+abcdefgh=6g1@facebookmail.com>, size=2464, nrcpt=1 (queue active)
May  7 11:18:49 zeus postfix/pipe[4367]: 4FA823206E: to=<********@ks-webstyle.de>, relay=dovecot, delay=0.99, delays=0.97/0/0/0.01, dsn=2.0.0, status=sent (delivered via dovecot service)
May  7 11:18:49 zeus postfix/qmgr[21372]: 4FA823206E: removed
May  7 11:18:54 zeus postfix/smtpd[4138]: disconnect from outmail001.ash1.tfbnw.net[69.63.184.101]

Maybe we should use --lookup-by-subnet with postgrey instead of --lookup-by-host. Or Facebook just fixes the DNS/HELO and RBL issues – it’s in their own interest.
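
Added example (not part of the original post): a replay of the password-mail delivery attempts from the logs above through a postgrey-style first-seen table, keyed once per host and once per /24, to show what the subnet lookup would have changed. Assumptions of this example: a 300-second greylist delay, a /24 as the subnet key, and a placeholder year in the timestamps; attempts that policyd-weight rejected with 550 never reach the greylist, as in the logs.

```python
from datetime import datetime
from ipaddress import ip_network

DELAY = 300  # seconds; assumed greylist delay (the log above shows a pass at delay=302)

# (timestamp, client IP, rejected by policyd-weight before greylisting?)
# Times and IPs are taken from the log excerpts on this page; the year is a placeholder.
ATTEMPTS = [
    ("2000-05-06 11:38:54", "69.63.178.180", False),
    ("2000-05-06 11:43:57", "69.63.178.168", True),   # IN_SPAMCOP
    ("2000-05-06 15:26:39", "69.63.184.110", True),   # IN_IX_MANITU
    ("2000-05-07 10:26:51", "69.63.178.162", False),
    ("2000-05-07 10:31:53", "69.63.178.167", True),   # "retrying too fast"
    ("2000-05-07 11:13:47", "69.63.184.101", False),
    ("2000-05-07 11:18:49", "69.63.184.101", False),
]

def greylist(attempts, prefix_len):
    """Verdict per attempt; sender and recipient are identical in every attempt,
    so the triplet reduces to the client key (host = /32, subnet = /24)."""
    first_seen, verdicts = {}, []
    for stamp, ip, rejected_earlier in attempts:
        if rejected_earlier:              # policyd-weight answered 550 first
            verdicts.append("policyd-550")
            continue
        now = datetime.fromisoformat(stamp)
        key = ip_network(f"{ip}/{prefix_len}", strict=False)
        seen = first_seen.setdefault(key, now)
        waited = (now - seen).total_seconds()
        verdicts.append("pass" if waited >= DELAY else "greylist")
    return verdicts

def first_delivery(attempts, prefix_len):
    """Timestamp of the first attempt that passes greylisting, or None."""
    verdicts = greylist(attempts, prefix_len)
    return attempts[verdicts.index("pass")][0] if "pass" in verdicts else None

if __name__ == "__main__":
    for label, plen in (("by host", 32), ("by subnet", 24)):
        print(label, greylist(ATTEMPTS, plen), first_delivery(ATTEMPTS, plen))
```

Keyed per /24, the attempt from 69.63.178.162 on May 7 at 10:26:51 would already have passed, because 69.63.178.180 had been greylisted the day before; the DNSBL-driven 550 rejections stay exactly as they were.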