GEOIP query. country Fault?
paulbel
I just had an important email message from a colleague (not yet a 'friend') in England using operamail rejected for a Country Fault (Ukraine).

I'm trying to figure out how and why. Here are the headers:

Delivered-To: [my email address]
Received: by 10.210.88.17 with SMTP id l17cs54674ebb;
        Thu, 25 Sep 2008 12:42:27 -0700 (PDT)
Received: by 10.114.153.2 with SMTP id a2mr214241wae.135.1222371745628;
        Thu, 25 Sep 2008 12:42:25 -0700 (PDT)
Return-Path: <hisname@operamail.com>
Received: from mx13.uniserve.ca (mx13.uniserve.ca [204.239.42.85])
        by mx.google.com with ESMTP id j26si5535775waf.32.2008.09.25.12.42.24;
        Thu, 25 Sep 2008 12:42:25 -0700 (PDT)
Received-SPF: neutral (google.com: 204.239.42.85 is neither permitted nor denied by best guess record for domain of cfeltham@operamail.com) client-ip=204.239.42.85;
Authentication-Results: mx.google.com; spf=neutral (google.com: 204.239.42.85 is neither permitted nor denied by best guess record for domain of cfeltham@operamail.com) smtp.mail=hisname@operamail.com
Received: from webmail-outgoing.us4.outblaze.com ([205.158.62.67])
        by mx13.uniserve.ca with esmtp (Exim 4.63)
        (envelope-from <hisname@operamail.com>)
        id 1KiwjI-0004W7-A4
        for [me] ; Thu, 25 Sep 2008 12:42:24 -0700
Received: from wfilter.us4.outblaze.com.int (wfilter.us4.outblaze.com.int [192.168.9.180])
        by webmail-outgoing.us4.outblaze.com (Postfix) with QMQP id 5F5B818001CD
        for <me>; Thu, 25 Sep 2008 19:42:23 +0000 (GMT)
X-OB-Received: from unknown (205.158.62.131)
        by wfilter.us4.outblaze.com; 25 Sep 2008 19:42:23 -0000
Received: by ws5-1.us4.outblaze.com (Postfix, from userid 1001)
        id 40B214476B; Thu, 25 Sep 2008 19:42:23 +0000 (GMT)
Content-Disposition: inline
Content-Type: text/plain
MIME-Version: 1.0
From: "Can Feltham" <hisname@operamail.com>
To: "Paul Belserene" <me@email.com>
Date: Thu, 25 Sep 2008 19:42:23 +0000
X-PURIFY-RATING: SPAM
X-PURIFY-REASON: Country fault UA, Ukraine

Is that unknown (205.158.62.131) the offender? I didn't get anywhere tracing it.

Is it possible that some of my more security-conscious or technically advanced colleagues might run afoul of the GEOIP database?
paulbel
BTW, I just pinged my friend, who was both puzzled and concerned because, though he lives in the UK, he had visited Ukraine the previous month.
rockdj99uk
I get the following for that IP:

CustName: Outblaze, Limited
Address: 10 Marshall Street
City: Old Greenwich
StateProv: CT
PostalCode: 06870
Country: US
RegDate: 2007-07-12
Updated: 2007-07-12

NetRange: 205.158.62.0 - 205.158.62.255
CIDR: 205.158.62.0/24
NetName: CNC-205-158-62-0
NetHandle: NET-205-158-62-0-1
Parent: NET-205-158-60-0-1
NetType: Reassigned
Comment:
RegDate: 2007-07-12
Updated: 2007-07-12

OrgAbuseHandle: NETWO1899-ARIN
OrgAbuseName: Network Violations
OrgAbusePhone: +1-866-553-4228
OrgAbuseEmail: abuse@cnc.net

OrgTechHandle: IPADM366-ARIN
OrgTechName: IP Administrator
OrgTechPhone: +1-866-553-4228
OrgTechEmail: ipadmin@cnc.net

# ARIN WHOIS database, last updated 2008-09-27 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
paulbel
So, where does Ukraine come in?
Jeff Hendrickson
The Purify log for this message will tell you what happened.
Do you have Enforce Country Filter for URLs On?
Did the content of this message contain a link to a website, possibly hosted in UA?
paulbel
QUOTE (Jeff Hendrickson @ Sep 29 2008, 04:55 AM)
The Purify log for this message will tell you what happened.
Do you have Enforce Country Filter for URLs On?
Did the content of this message contain a link to a website, possibly hosted in UA?


Yes, Enforce Country Filters for URLs is On.
Unfortunately I didn't have my debug log on.

The only link was this:

Surf the Web in a faster, safer and easier way:
Download Opera 9 at http://www.opera.com

Powered by Outblaze

This happened a second time to me yesterday, Jeff, with another sender, using gmail in France. In this case it was html mail. He did have one of those free/ad urls in his sig: <http://www.incredimail.com/index.asp?id=109097&rui=96254710> And Purify flagged a Country Fault for Israel. See the html code (minus the MIME for the animated gif) below.

These two false positives are a sign that your Country Filtering is very robust, Jeff. That's a good thing. I need now to figure out how to tweak it. Whether it's turning Enforce Country Filter for URLs off, or letting Ukraine and Israel in or what.... I couldn't have made these people friends until I got their first messages.





Content-Type: Text/HTML;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Diso-8859-=
1">
<META content=3D"IncrediMail 1.0" name=3DGENERATOR>
<STYLE>=0Av\:* {behavior:url (#default#vml);}=0A</STYLE>
<style>v\:* {
=09BEHAVIOR: url (#default#vml)
}
</style>
<!--IncrdiXMLRemarkStart>
<IncrdiX-Info>
<X-FID>FLAVOR00-NONE-0000-0000-000000000000</X-FID>
<X-FVER>0.000000</X-FVER>
<X-CNT>;</X-CNT>
</IncrdiX-Info>
<IncrdiXMLRemarkEnd-->
</HEAD>
<BODY style=3D"FONT-SIZE: 12pt; MARGIN: 5px 10px 10px; FONT-FAMILY: Arial=
" bgColor=3D#ffffff background=3D"" scroll=3Dyes>
<TABLE id=3DINCREDIMAINTABLE cellSpacing=3D0 cellPadding=3D2 width=3D"100=
%" border=3D0>
<TBODY>
<TR>
<TD id=3DINCREDITEXTREGION dir=3Dltr style=3D"FONT-SIZE: 12pt; DIRECTION:=
ltr" width=3D"100%">
<DIV>Hello Paul,</DIV>
<DIV>&nbsp;</DIV>
<DIV>If you want me to put a message in the box for your friend, send it =
to me in an email and I can print it out. Unfortunately I have no pretty =
wrapping paper or bows.</DIV>
<DIV>&nbsp;</DIV>
<DIV>Regards&nbsp; Brian</DIV></TD></TR>
<TR>
<TD id=3DINCREDIFOOTER width=3D"100%">
<TABLE cellSpacing=3D0 cellPadding=3D0 width=3D"100%">
<TBODY>
<TR>
<TD width=3D"100%"></TD>
<TD id=3DINCREDISOUND vAlign=3Dbottom align=3Dmiddle></TD></TR></TBODY></=
TABLE></TD></TR></TBODY></TABLE><SPAN id=3DIncrediStamp><A href=3D"http:/=
/www.incredimail.com/index.asp?id=3D109097&amp;rui=3D96254710"><SPAN name=
=3D"imgCache" border=3D"0"><IMG alt=3D"Animations GRATUITES pour votre me=
ssagerie - par IncrediMail! Cliquez ici!" src=3D"cid:8B730C55-7A80-454F-B=
4B8-3DEDE6839EEB" border=3D0></SPAN></A></SPAN></BODY></HTML>
--------------Boundary-00=_IGRWUGI4G6G000000000--

--------------Boundary-00=_IGRWZ5E4G6G000000000
Content-Type: image/gif;
name="imstp_animation_butterflies_fr_020908.gif"
Content-Transfer-Encoding: base64
Content-ID: <8B730C55-7A80-454F-B4B8-3DEDE6839EEB>

<snip the graphic>
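
An added example, not part of the thread and not Purify's own code: it lists the two kinds of value in a message that a country filter could map to a country, the public relay IPs in the Received-style headers and the hosts of URLs in the decoded quoted-printable body. The sample message is constructed from the headers and HTML quoted above, and the function names are hypothetical; the country lookup itself is left out because it needs a GeoIP database.

```python
import email
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: abridged headers and body lines taken from the two messages in the thread.
RAW = b"""\
Received: from mx13.uniserve.ca (mx13.uniserve.ca [204.239.42.85])
\tby mx.google.com with ESMTP; Thu, 25 Sep 2008 12:42:25 -0700 (PDT)
Received: from webmail-outgoing.us4.outblaze.com ([205.158.62.67])
\tby mx13.uniserve.ca with esmtp (Exim 4.63); Thu, 25 Sep 2008 12:42:24 -0700
Received: from wfilter.us4.outblaze.com.int (wfilter.us4.outblaze.com.int [192.168.9.180])
\tby webmail-outgoing.us4.outblaze.com (Postfix); Thu, 25 Sep 2008 19:42:23 +0000 (GMT)
X-OB-Received: from unknown (205.158.62.131)
\tby wfilter.us4.outblaze.com; 25 Sep 2008 19:42:23 -0000
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<A href=3D"http:/=
/www.incredimail.com/index.asp?id=3D109097&amp;rui=3D96254710">x</A>
Download Opera 9 at http://www.opera.com
"""
MSG = email.message_from_bytes(RAW)
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")  # [a.b.c.d] or (a.b.c.d)

def relay_ips(msg):
    """Public IPs named in Received-style headers; private hops are skipped."""
    found = []
    for name in ("Received", "X-OB-Received"):
        for value in msg.get_all(name, []):
            for ip in IP_RE.findall(value):
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:  # e.g. 999.1.1.1 in a forged header
                    continue
                if not addr.is_private and ip not in found:
                    found.append(ip)
    return found

def body_url_hosts(msg):
    """Hosts of http(s) URLs in the body, after undoing quoted-printable soft breaks."""
    charset = msg.get_content_charset() or "latin-1"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    hosts = []
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts
```

Each returned IP and each address the returned hosts resolve to can then be checked against the same GeoIP data the filter uses, to see which one produced the country in X-PURIFY-REASON.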