Jump to content

Converting *someone else's* report ID to a tracking URL


MR GNASH

Recommended Posts

Hello. Is it possible to extract a tracking URL from someone else's report ID?

The reason I ask is that I run a silly mag, theweekly.co.uk (IP 66.48.80.139, though the site's currently a holding page with our reg company's nameservers for reasons you'll see), and we've been accused by our hosts of spamming, with the result, they say, that our (shared) IP was blocked by Spamcop on October 23rd and the further result that they've "suspended" us, ie cut us off.

Now I've been faithfully reporting spam to dear ol' Spamcop for yonks, so know all about the auto-delisting for innocent parties vacuumed up by accident. And, indeed, when I nipped along to check, our IP was free and clear and as far I can tell was never in the stickier lists like Spamhaus. The trouble is, because of various fairly obvious problems (eg, our hosts e-mailing us except they've shut down our e-mail) I didn't get to poll bl.spamcop.net until a couple of days later when the handy why-you-were-blocked(-if-indeed-you-were) link had vanished.

Right. All well and good so far. (Incidentally, I wholly deny that we spam and that we've ever spammed, and all we do via e-mail is erratically bung around a legit double-opt-in Mailing List, but naturally you'd expect me to say that.) Then the beardy-weirdiness starts. It's a week on and by now I've asked our hosts roughly 138,001 times for the Spamcop report tracking URL -- fairly standard if you want to defend yourself against the serious charge of spamming. Nothing doing. Partly in the spirit of justice and ratiocination, and partly out of guilt for using Spamcop for 4.9 years for free, I've signed up properly so I can inspect the 66.48.80.139 reports and work out for myself what might have happened.

You've ably spotted, of course, that what I've done is run up against the bit where (apparently) only the original reporter can see the full tracking report. And the original reporter's the trad Anonymous Mole Address so I can't ask for help there. So: is it possible to extract a tracking URL from someone else's report ID? The summary page

http://mailsc.spamcop.net/mcgi?action=show...id;val=64585940

excitingly suggests ("Mil's Mailing List #42") that we're demonstrably in the clear because (and I'm sure Mil won't mind me saying) some dopey dimbo fan of Mil's has completely forgotten they signed up for the double-opt-in List, or reported us by accident or something, but it would be *tremendously* helpful to have an iron-clad tracking URL report for the two Mil List entries (1975742966 and 1978246608 -- the other four, ironically the unsubscribe and further info links, would be a top bonus but don't knock yourself out) because, quite frankly, our hosts are being a shower of dunces about this.

"But MR GNASH," you quiz keenly, rubbing your chin with a doily, "you might just want the tracking URL so you can find the original complainant and go round and stab them with a big pikestaff or something." It's a loophole, but if you're bothered I'd be happy if whoever had the permish to find the tracking URL (an admin, perhaps?) whipped out the sender's e-mail; all I want is to be able to shew the detailed report to our hosts as evidence that, as I've been telling them for a week now of non-service, we are thoroughly innocent. (But please leave in the sending domain, because if it's the idiots at Comcast I'm going to go spare.)

Incidentally, lord knows what the other summaries are about. Apparently 66.48.80.139 is shared between c800 sites. The two MLM42s are definitely us though.

Okay. Thanks. For the short of patience, a handy summary is:

1. Could someone (presumably a super-powered admin) extract the tracking URLs for anonymous report IDs 1975742966 and 1978246608?

2. Could someone tell me if (a) 66.48.80.139 was blocked by Spamcop on or around October 23rd and if so (B) was this a result of the previously mentioned report IDs?

If I've missed out some vital info or got the wrong end of one or more sticks or something, do peck away (eg, "You fool, you've posted in entirely the wrong forum! It's going to blow! Aieee! Gurgle").

Link to comment
Share on other sites

It is not possible to see others reports unless you receive them via email.

"Double OPt-in" in a spammers term. Confirmed opt-in is the preferred term, if that is what you are doing. That is, you send a single, non-commercial reply to the address provided and only add that address to your list if they then return a unique (not auto-reply) token or some similiar message. Otherwise, your list can be used to bother innocent third parties.

As a paying reporter, I can see some information on that IP as follows:

I see Mill's list, some misdirected bounces, and some phishing attempts, all spam, but maybe not from you if it is indeed a shared server. The 2 Mil's lists were both mole reports, so no full report is sent. You will need to contact the deputies to get any additional information, but they will not give you anything that would allow you to whitelist (remove) the reporter. In most cases, if there are 2 reports, it means many others received the message who also don't want it but simply delete it. If you believe you know the person that reported you, and have the confirmation information, provide that to the deputies[at]spamcop.net address and they can compare it to the reports and the reporter can be penalized for false reporting, from a warning to removal of reporting rights.

Report History: 


--------------------------------------------------------------------------------

Submitted: Saturday, October 21, 2006 4:45:41 PM -0400: 
Mil's Mailing List #42 
1978246608 ( 66.48.80.139 ) To: mole[at]devnull.spamcop.net 

--------------------------------------------------------------------------------

Submitted: Thursday, October 19, 2006 7:10:29 PM -0400: 
Mil's Mailing List #42 
1975743005 ( [url="http://www.mil-millington.com/"]http://www.mil-millington.com/[/url] ) To: mole[at]devnull.spamcop.net 
1975742997 ( [url="http://theweekly.co.uk/mil_mailing_list/index.c"]http://theweekly.co.uk/mil_mailing_list/index.c[/url]... ) To: mole[at]devnull.spamcop.net 
1975742983 ( [url="http://theweekly.co.uk/mil_mailing_list/index.cgi"]http://theweekly.co.uk/mil_mailing_list/index.cgi[/url] ) To: mole[at]devnull.spamcop.net 
1975742976 ( [url="http://microurl.com/mil/phorteetoo"]http://microurl.com/mil/phorteetoo[/url] ) To: mole[at]devnull.spamcop.net 
1975742966 ( 66.48.80.139 ) To: mole[at]devnull.spamcop.net 

--------------------------------------------------------------------------------

Submitted: Friday, September 15, 2006 4:22:06 AM -0400: 
Urgent Notice: Security Alert® 
1921966551 ( [url="http://okay.cl/db/var/online.lloydstsb.co.uk/cu"]http://okay.cl/db/var/online.lloydstsb.co.uk/cu[/url]... ) To: marketing[at]dattatec.com 
1921966549 ( 66.48.80.139 ) To: spamcop[at]imaphost.com 
1921966546 ( 66.48.80.139 ) To: abuse[at]ca.mci.com 
1921966544 ( 66.48.80.139 ) To: abuse[at]uu.net 

--------------------------------------------------------------------------------

Submitted: Thursday, September 07, 2006 2:37:04 PM -0400: 
Mail delivery failed: returning message to sender 
1911689178 ( 66.48.80.139 ) To: abuse[at]ca.mci.com 
1911689173 ( 66.48.80.139 ) To: abuse[at]uu.net 

--------------------------------------------------------------------------------

Submitted: Friday, August 11, 2006 2:31:22 PM -0400: 
****spam(6.2)**** CITIBANK Account Update 
1872943747 ( 66.48.80.139 ) To: mole[at]devnull.spamcop.net 

--------------------------------------------------------------------------------

Submitted: Friday, August 11, 2006 1:29:26 PM -0400: 
CITIBANK Account Update 
1872884199 ( 66.48.80.139 ) To: spamcop[at]imaphost.com 
1872884197 ( 66.48.80.139 ) To: abuse[at]ca.mci.com 
1872884193 ( 66.48.80.139 ) To: abuse[at]uu.net 
1872884189 ( 192.43.244.163 ) To: abuse#ucar.edu[at]devnull.spamcop.net 

--------------------------------------------------------------------------------

Submitted: Wednesday, August 09, 2006 11:30:17 AM -0400: 
CITIBANK Account Update 
1870313423 ( [url="http://www.taekwondo-bs.ch/photogallery/albums/"]http://www.taekwondo-bs.ch/photogallery/albums/[/url]... ) To: postmaster[at]as8833.net 
1870313422 ( 66.48.80.139 ) To: spamcop[at]imaphost.com 
1870313421 ( 66.48.80.139 ) To: abuse[at]ca.mci.com 
1870313420 ( 66.48.80.139 ) To: abuse[at]uu.net 

Link to comment
Share on other sites

... The 2 Mil's lists were both mole reports, so no full report is sent. ...
Report History: 
--------------------------------------------------------------------------------

Submitted: Saturday, October 21, 2006 4:45:41 PM -0400: 
Mil's Mailing List #42 
1978246608 ( 66.48.80.139 ) To: mole[at]devnull.spamcop.net 

--------------------------------------------------------------------------------

Submitted: Thursday, October 19, 2006 7:10:29 PM -0400: 
Mil's Mailing List #42 
1975743005 ( [url="http://www.mil-millington.com/"]http://www.mil-millington.com/[/url] ) To: mole[at]devnull.spamcop.net 
1975742997 ( [url="http://theweekly.co.uk/mil_mailing_list/index.c"]http://theweekly.co.uk/mil_mailing_list/index.c[/url]... ) To: mole[at]devnull.spamcop.net 
1975742983 ( [url="http://theweekly.co.uk/mil_mailing_list/index.cgi"]http://theweekly.co.uk/mil_mailing_list/index.cgi[/url] ) To: mole[at]devnull.spamcop.net 
1975742976 ( [url="http://microurl.com/mil/phorteetoo"]http://microurl.com/mil/phorteetoo[/url] ) To: mole[at]devnull.spamcop.net 
1975742966 ( 66.48.80.139 ) To: mole[at]devnull.spamcop.net 

... 

As a mole, I would have to add (2d) that mole reports do not contribute to the blocklist. They may affect the reputation score and thus have some minor effect on the arcane mathematics surrounding the "tripping point" at which the errant IP is precipitated into the BL but they certainly cannot cause an IP to be listed in isolation of more "accountable" reports nor can they even do as much as prolong the period of listing (not for many months past).

Mil's Mailing List has had nothing to do with the IP's listing on the basis of the evidence seen. The OP's ISP has shot the most visible bystander while the fate (and identity) of the actual perpetrators is unknown. Commendable zeal on the ISP's part but poor form really (sitting ducks come to mind).

HTH

Link to comment
Share on other sites

Sounds like you've got a fairly accurate understanding of what happened, but most of us here can't give you any more specifics because we're fellow users, not SpamCop admins. I'd recommend that you try to reach the Deputies at: deputies at admin dot spamcop dot net

They might be willing to give you a better picture of what caused that IP to get listed, because it *might* involve spamtrap hits from "after the fact" bounce activity, and they'd be able to see that.

As for those moles, you should report them to the Deputies as well, in that they seem to be reporting things that they signed up to receive and that diminishes the efforts of the rest of the SpamCop users.

DT

Link to comment
Share on other sites

It is not possible to see others reports unless you receive them via email.

Bum. As you'll appreciate, I'm a bit stuck here, because our hosts won't let me in to see my e-mail at all and continually evade my requests to forward the abuse report (which presumably I'd have been sent anyway by Spamcop so is languishing on the server).

"Double OPt-in" in a spammers term. Confirmed opt-in is the preferred term, if that is what you are doing.

How embarrassing. I've always called it "verifying" but a rapid glance about the place suggested the accepted term was "double-opt-in." Anyway, yes, that's the idea: there's a Mailing List page where you lob in your address and click Sub Up, it sends you a confirmation e-mail with a personalised URL, you click that to confirm; only at that point is the associated address added to the list. You could try it yourself to double-check it's legit, but, of course, our entire place has been shut down. I'll postscript the URL when this has been resolved so anyone with lingering interest can see, which by extrapolation from events so far will be in the year 9000 or something.

As a paying reporter, I can see some information on that IP as follows:

I'm not a paying reporter, but that's exactly the info I see -- I wasn't sure if it was okay to post the summary rather than a ref. Vexingly, it's *so* close to conclusive, which is why I was hoping the extra step of connecting rep to track was available. (I did sign up for Spamcop e-mail, so presumably that's why I have access too.)

I see Mill's list, some misdirected bounces, and some phishing attempts, all spam, but maybe not from you if it is indeed a shared server.

No, we're the List bits only. Maybe the bounces, come to think of it -- theweekly.co.uk's recently been adopted by spammers as their all-new false domain for the attached-gif spam which claims to be from a gibberish string at victim.com, so we're getting a lot of narked postmaster bounces; but what can you do? (Unless you know something we can do, which would be ace, but as far as I could tell from talking to other vics, you have to ride it out until your domain's been thoroughly discredited and mostly blocked on the name so the spammers abandon the coughing husk and you can get back to normal. Seethe.)

The 2 Mil's lists were both mole reports, so no full report is sent. You will need to contact the deputies to get any additional information, but they will not give you anything that would allow you to whitelist (remove) the reporter.

Exc, I'll try that. As I say, if the reporting address has to concealed, that's fine. Obviously it'd be nice to know, because I'm all but convinced it'll turn out to be some fantastically apologetic long-time subber (the List tends to attract people like that; cheerful reading fans you wouldn't leave alone in a room because they'd manage to set fire to the place while scratching their nose), but it's the meat of the facts that's the important bit.

In most cases, if there are 2 reports, it means many others received the message who also don't want it but simply delete it.

That would be a big surprise, because of the verification bit. We simply don't know your address until you confirm the sub. (Obviously, there are clear, unambiguous unsub links and instructions at every step, plus in every erratic newsletter, and you don't need an unsub code or anything.) I can definitively state even with the minimal info in the summaries that the reported MLM42 messages are proper subber newsletters (rather than the "someone at this address is trying to sub up; please click here to confirm" initial requested e-mail) because of the format of the links in the first report and the fact there are no links in the second.

You may want to sign up for a free ISP account - see How can I get SpamCop reports about my network?

It says I'm already registered, so I'm guessing the ISP account has the same functionality as the e-mail one. I'm kicking myself actually, because I only discovered when looking into this that you're meant to register your abuse[at] address with abuse.net in order to be sure of personally receiving Spamcop complaints. (I thought Spamcop would always send to abuse[at]) Still, the standard postmaster[at] would have come through -- which leads us straight back to our hosts locking up our site and e-mail and sitting there with arms folded and fingers in ears, if you see what I mean.

As a mole, I would have to add (2d) that mole reports do not contribute to the blocklist. They may affect the reputation score and thus have some minor effect on the arcane mathematics surrounding the "tripping point" at which the errant IP is precipitated into the BL but they certainly cannot cause an IP to be listed in isolation of more "accountable" reports nor can they even do as much as prolong the period of listing (not for many months past).

Spook. The mystery thickens. As I say, from my shallow understanding of Spamcop the fact any block that might have existed was clear by the time I checked a couple of days later suggests I was right in thinking it was a standard auto-delist for a technical infringement.

Mil's Mailing List has had nothing to do with the IP's listing on the basis of the evidence seen. The OP's ISP has shot the most visible bystander while the fate (and identity) of the actual perpetrators is unknown. Commendable zeal on the ISP's part but poor form really (sitting ducks come to mind).

A helpful analysis, but I might politely suggest that it's more than poor form for an ISP not to establish the facts. There's a difference between zeal and a zealot. What irks me from the summary is that one of our neighbours *is* spamming; ironically, I asked our hosts if they could check a while ago because I couldn't understand why we were being blocked on sight when -- by definition -- we could only be e-mailing someone who asked to join, twice. Our hosts explained the size of the shared server. It's a bit like being repeatedly blocked then cleared then blocked as "recidivist spammers" by Certain Large Company, then the next day a bunch of genuine spam turns up via Certain Large Company's open proxies. Gah.

Sounds like you've got a fairly accurate understanding of what happened, but most of us here can't give you any more specifics because we're fellow users, not SpamCop admins. I'd recommend that you try to reach the Deputies at: deputies at admin dot spamcop dot net.

Yep, thanks, I'll be whizzing an e-mail off straight after this as also suggested above. I thought I'd check the forums first, because the Report ID FAQ mentioned numbers were tied to reporters, but didn't answer the obvious follow-up question of what happened if you wanted to see another's. Good to know I'm on the right track though.

They might be willing to give you a better picture of what caused that IP to get listed, because it *might* involve spamtrap hits from "after the fact" bounce activity, and they'd be able to see that.

That'd be interesting because, as you'd expect from a slightly popular, wildly irregular newsletter, we have *tons* of bounces the day after each edition. Most are the notorious "I'm not in the office, so I'm sending your entire message back to tell you that" bone-grinders, but we conscientiously zap the dead names to keep our little bit of online drainpipe flowing briskly in the rain while tutting indulgently at the scatterbrained subbers. Except when someone's signed up, changed their address and signed up again, but not bothered to unsub the first one; then we go round and bludgeon them with a rowing oar. Anyway, er, the point was, I hadn't thought of police traps, so that'll be worth knowing if the deps can pin it down. (Deliberately verifying a police trap then complaining when it's sent e-mail seems a bit odd though, unless I've misunderstood your meaning.)

As for those moles, you should report them to the Deputies as well, in that they seem to be reporting things that they signed up to receive and that diminishes the efforts of the rest of the SpamCop users.

Well, I'd rather give them the benefit of the doubt -- as I say, my feeling after seeing the summary (which proves by the semi-layout of the links that it's a verified subber; also, if they'd been forwarded Mil-42 by a chum and reported it thinking we'd sent it directly, obviously our IP wouldn't be involved) is that someone's made a silly mistake. My cardboard thunderbolt of blazingish justice is aimed more at our hosts, who have made no attempt to establish the facts (or even answer my requests for details and evidence); the more solid and accurate a picture of the circumstances of the block I can demonstrate, the longer and more packed with diagrams my eventual e-mail to their top bod will be. And everyone's responses here have helped that a lot, so thanks forum.

Or maybe it'll turn out I was a sinister criminal mastermind all along. The suspense.

My instinctive grasp of quoting, there.

Link to comment
Share on other sites

MR GNASH,

About the bounces....no, I wasn't talking about bounced newsletters. Rather, I'm referring to the bad practice of a server that first accepts a message and then later bounces it back to the "From" address because it decides that the "To" (or BCC) address wasn't any good after all. This has nothing to do with your outbound newsletters. I'm speaking of mail addressed to any of the domains hosted on your shared server. I suspect that your hosting company hasn't caught up with the times on the issue of "misdirected bounces" and other "backscatter." Here's the SpamCop FAQ on this issue:

http://www.spamcop.net/fom-serve/cache/329.html#bounces

If the server is doing that, then some of those error messages (the "bounces") will likely be sent to designated "spam trap" addresses that aren't ever supposed to receive mail, and those probably trigger instantaneous BL listings.

DT

Link to comment
Share on other sites

You may want to sign up for a free ISP account - see How can I get SpamCop reports about my network?
It says I'm already registered, so I'm guessing the ISP account has the same functionality as the e-mail one
No they are not the same.

The issue is that you MUST use a separate email address for the ISP account. You can not use the same email address for different account types.

Also a SpamCop email account includes all the features of a paid reporting account and more. There is no need for both.

The following Wiki entries may be helpfull

ISPAccount

SpamCopReportingAccounts

Link to comment
Share on other sites

... but I might politely suggest that it's more than poor form for an ISP not to establish the facts. There's a difference between zeal and a zealot. What irks me from the summary is that one of our neighbours *is* spamming ...
Of course you are right, it was meant to be tongue-in-cheek but the matter is vexed, I appreciate.
Link to comment
Share on other sites

Just a quick update: I've been corresponding with an epically patient admin and, after a bit of lateral thinking about how to establish the facts without giving away any reports I might not be entitled to see (essentially, I bunged over a list of complaint numbers and samples of what each type of Mil List e-mail looks like -- verified newsletter, opt-in confirmation request, etc -- and the admin checked the report bodies against the samples to see who'd complained about what) we've reached some kind of conclusion.

I'm still working on a few details (and, er, have just had my latest request for answers to questions I've now sent about 138,004 times bounced from our hosts' support department as a failed connection) but can reveal that, barring some last-minute double-bluff surprise twist reverse ending, I'm not a sinister criminal mastermind. Hurrah!

Link to comment
Share on other sites

Noting theweekly.co webpage still carries the forlorn message "We are currently experiencing a slight technical hitch. An urchin is wedged up a chimney." Deep forebodings - can't help thinking "Chimley sweep! chimley sweep/What wi' troubles great and small/My sweet life must pay for all/Chimley sweep!"

Link to comment
Share on other sites

Noting theweekly.co webpage still carries the forlorn message "We are currently experiencing a slight technical hitch. An urchin is wedged up a chimney." Deep forebodings - can't help thinking "Chimley sweep! chimley sweep/What wi' troubles great and small/My sweet life must pay for all/Chimley sweep!"

You're right -- our hosts have promoted themselves by their actions from "a shower of dunces" to "stupefying bumbleneds." Their response to our every polite question and request for details and evidence distils accurately to "LA LA LA WE'RE NOT LISTENING LA LA LA PAY US IF YOU WANT TO SEE YOUR DATA AGAIN" (with several days' wait in between for their replies, which is dead helpful when your site's been shut down, obviously). This includes our pretty presentation informed by all the top Spamcop Forum and Spamcop Dep help, featuring a convenient timeline of convincing exoneration. It makes your bones grind, really it does.

Incidentally, we are hurling wrapped packets of sandwiches down the chimney at the urchin out of winning kindness and have established a small fire in the grate as proof against the nippy weather.

Link to comment
Share on other sites

...Incidentally, we are hurling wrapped packets of sandwiches down the chimney at the urchin out of winning kindness and have established a small fire in the grate as proof against the nippy weather.
Please stop, his arms are pinned and your fire has awakened the 'roaches who can't unwrap your sarnies/sangers either ... I don't need to complete the picture.

Anyway, I take it you are not about to hie off to http://forums.hostingplex.com/forumdisplay...mp;daysprune=-1 to add your praise to that assemblage of sycophantism. Since they are apparently in the habit of deleting entire topics which don't suit them (one of which was taken "outside" to http://www.digg.com/tech_news/HostingPlex_backhand_tactics_) there would seem little chance of getting an airing in a forum there. But what do you have to lose in trying? Not to suggest posting in the "testimonials" forum, obviously.

I wonder what you are doing with that host anyway. They seem very "commercial". Not that there's anything wrong with that, it's just that their extreme senstivity on the matter of "lists" is evidently driven by concern for their bread and butter rather than any need to nurture their individual customers or to display any sort of kindly impulse. Not your type of "place", I would have thought. But then, never having seen past the padlocks on your portal, I would not know.

Link to comment
Share on other sites

  • 2 weeks later...
I wonder what you are doing with that host anyway. They seem very "commercial". Not that there's anything wrong with that, it's just that their extreme senstivity on the matter of "lists" is evidently driven by concern for their bread and butter rather than any need to nurture their individual customers or to display any sort of kindly impulse. Not your type of "place", I would have thought. But then, never having seen past the padlocks on your portal, I would not know.

We don't mind at all that they're driven by commerce. (Their enormously low prices is what attracted us in the first place, because we are ragged.) What we're objecting to is their repeatedly exhibited lack of interest in facts, fair play, their customers and their own T&Cs. As you may recall, they're holding our files hostage, ignoring our requests for details of the supposed spam (and our dossier of evidence that we're innocent, as contributed to by a valiantly unboreable Spamcop Dep and this forum) and just shouting "LA LA LA, WE'RE NOT LISTENING, LA LA LA, $150" when they bother to reply at all. Their last message makes it perfectly clear they'd rather we went away quietly and wrote off our losses.

So we've set up Hostingplex Are a Shower of Dunces at http://theweekly.co.uk/dunces/ instead.

Link to comment
Share on other sites

Read it all ... definitely love the humour involved ...

However, as you've already noted, approaching this from the outside, as just another user, one can only use the data that is 'out there' ... Trting to read the data, apply that to what I do know, try to extrapolate from there .... I come up with the fact that there are some missing words in all of this.

The previously supplied 'Report History" for 66.48.80.139 listed seven entries, and some of those were Mole Reports ...

..... (only showing two items now for me .. both "Wachovia Bank Warning" items .. assume phishing spam)

The "Report History" on 204.92.120.30 only lists five items for the "last 30 days" ....

Here's "my" problem with this part of the data ....

http://www.senderbase.org/search?searchBy=...g=204.92.120.30

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 4.1 .. 326%

Last 30 days .. 4.0 .. 270%

Average ........ 3.5

Date of first message seen from this address 2006-10-19

# of domains controlled by this network owner 14338

http://groups.google.com/groups?scoring=d&...0+group:*abuse*

zero entries

http://www.senderbase.org/search?searchBy=...ng=66.48.80.139

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ....... 3.1 .. -91%

Last 30 days . 2.1 .. -99% (does beg the question .. was this due to 'you getting shut down'?)

Average ....... 4.1

Date of first message seen from this address 2005-01-27

# of domains controlled by this network owner 3

http://groups.google.com/groups?scoring=d&...9+group:*abuse*

Two items that date back to August

Addresses in hostingplex.com used to send email

address hostname DNS Verified Daily Magnitude Monthly Magnitude

204.92.120.30 s1.edge.hostingplex.com Y 4.1 4.0

66.48.80.245 ses4.managed.hostingplex.com Y 2.7 2.5

66.48.80.144 server8.hostingplex.com Y 2.2 2.3

66.48.80.141 server5.hostingplex.com Y 3.6 2.2

(not for me to say why 66.48.80.139 isn't in this list ...???)

SenderBase's "Magnitude" Explained

What is the SpamCop Blocking List (SCBL)?

The 'math' doesn't really work out from the 'available' data ....

Take the Magnitude of 4 .. equating to 13,000+ e-mails a day .... five or seven 'complaints' simply doesn't seem to meet the tipping point.

From another perspective, some of thise available Report History listings appear to be in the realm of Bounces/Mis-Directed/etc. types of e-mail traffic that usually feeds into "spamtrap" hits .... which is one of the words not used in your history .... not sure if it came up at all in your dialog with one or more of the Depities ..... I would think that they would have brought it up, but not knowing exactly how/what questions were asked ....?????

So if one was to 'run' with the mis-directed bounces scenario ... add in your self-admitted issue of spammers using your Domain in their forged headers .... mix in some cluelessness on the parties that you are showering with your praises <g> ..... the math could fit, and ignorance being what it is, you certainly may have looked extremely guilty in one (assmedly) idiot's eyes ...

Then we might have to add a few more coals to the fire ....

Parsing input: 204.92.120.30

host 204.92.120.30 = s1.edge.hostingplex.com (cached)

host 204.92.120.30 = s1.edge.hostingplex.com (cached)

[report history]

ISP does not wish to receive report regarding 204.92.120.30

ISP does not wish to receive reports regarding http://204.92.120.30/ - no date available

Routing details for 204.92.120.30

Report routing for 204.92.120.30: abuse[at]ca.mci.com

Parsing input: 66.48.80.139

host 66.48.80.139 = server3.hostingplex.com (cached)

host 66.48.80.139 = server3.hostingplex.com (cached)

[report history]

Routing details for 66.48.80.139

Report routing for 66.48.80.139: abuse[at]ca.mci.com, abuse[at]uu.net

One might have to wonder just what data hostingplex.com actually used to make their initial decision ...???

Link to comment
Share on other sites

Just a quick reply, so I'll probably miss bits.

As far as I can tell, 204.etc (the s1.edge server) is Hostingplex's brand new dedicated e-mail server. It appears that all normal servers now send via s1.edge -- this explains the colossal drop in e-mail on (for example) 66.48.80.139 and the sudden appearance and colossal explosion of e-mail from 204.etc. If you look at the dates, 204.etc (which is flagged as boinging into life on 19/10) appeared *during* our send. (We split the list and sent half on 19/10 and half on 21/10.) I've no doubt this is a contributory factor. As Farelf suggested (and I nicked for our timeline) it might be that we happened to be top of the e-mail queue when our neighbour's real actual genuine spam flashed alarms in Hostingplex's face and they didn't bother to look twice.

The bounce trap idea (which was also mentioned by someone miles earlier in a clump of posts I've embarrassingly overlooked) -- I wondered about this but (as long as I understand the concept correctly; you don't let something through then bounce it locally -- we didn't) the Spamcop reports all have the subject "Mil's Mailing List #42" -- wouldn't bounces be something like "Re: Mil's Etc" or "Failed: Mil's Thing"? From my investigations, all the reported Mil-42 e-mails were (a) verified newsletters; and (B) straight from us to subscribers. For example, I thought at one point we might be caught accidentally because people were forwarding their copy of the newsletter to the wrong address, but obviously in that case our 66.48.80.139 IP wouldn't have been on it.

All of this is covered in the dossier, on p137 comment 19b pie-chart 45 or something. At the bottom.

Oh aye, yeah -- the aggregate report history. I've suggested this as a feature to our hardy Spamcop Dep contact, who's a bit mystified why anyone would want it (nobody else has asked before) but will bung it up the ladder. Obviously I couldn't sign up for the aggregate reports until *after* I'd found out about the spam accusation, so it'd be handy if we could peer into history and see, for instance, if traps were involved.

Link to comment
Share on other sites

From: "WazoO"

To: deputies

Subject: spamtrap hits for 66.48.80.139 and 204.92.120.30 ????

Date: Wed, 22 Nov 2006 18:08:42 -0600

http://forum.spamcop.net/forums/index.php?...ost&p=51349

As usual, sticking my nose into something brought up in the Forum.

Noting that the issue has also been taken 'public' elsewhere with

kudos and praise offered to "a SpamCop Deputy" <g>

The issue I'm asking about is that 'spamtrap hits' did not seem

to come up with some recent dialog about the IP addresses

of 66.48.80.139 and 204.92.120.30 .... possibly based on

the questions asked/answered not going 'there' ..???

As I posted in the referenced link, the "Report History"

does not seem to reflect enough stuff to lead to a BL

listing .... Don't mean to make someone duplicate previous

work, but .... as the 'story' is out there, and SpamCop.net

is mentioned a number of times, I'd like to have some of the

'holes' filled .. but can't seem to do it with the data available.

spamtrap hits seems to be the 'easy' answer, also guessing that

perhaps the inclusion of forged headers pointing back to

this user's Domain ...????

Link to comment
Share on other sites

Yaas, I'd be interested in the trap thing too. (Not least because I still don't understand it.)

On the mentioning-Spamcop point, I hope that wasn't some searing faux pas. To make things gleamingly clear I've added a big disclaimer at the top of the main page emphasising that everything's based on publicly available info and pesky questions and that any conclusions are strictly ours. (Which maybe Pipex's stupid built-in cache'll get around to bothering in the next day or so to notice I've uploaded. Tch.)

Link to comment
Share on other sites

  • 1 month later...

Hello again everybody. Gosh, is it that long already? How the days whizz past when your shower of dunces hosts kill you off without justification. To save you scrolling back up through this bruisingly long thread, our silly mag was shut down by Hostingplex who accused us of spamming but provided no evidence of any wrongdoing, then blamed Spamcop, then held our data hostage and ignored all questions and points except to say "LA LA LA WE'RE NOT LISTENING PAY US USD150 TO SEE YOUR DATA AGAIN LA LA LA" for months; and with the help of a tremendously helpful and patient Spamcop Dep and the folk on this page, we compiled a dossier investigating these claims by examining the facts.

(And in case anybody was wondering, we now have our data back. This was thanks to a new employee's PERSONAL professionalism and nowt to do with Hostingplex's COMPANY behaviour, which has at no point during the affair been anything less than dunderheaded.)

Anyway, about three hundred years ago I said this:

Anyway, yes, that's the idea: there's a Mailing List page where you lob in your address and click Sub Up, it sends you a confirmation e-mail with a personalised URL, you click that to confirm; only at that point is the associated address added to the list. You could try it yourself to double-check it's legit, but, of course, our entire place has been shut down. I'll postscript the URL when this has been resolved so anyone with lingering interest can see, which by extrapolation from events so far will be in the year 9000 or something.

Now, nothing's actually been *resolved* -- we're still as much in the dark as ever about why Hostingplex shut us down (they continue not to answer any of our questions and, no doubt quite by accident, deleted the relevant thread on their own forum) -- but as we're back online (with a different host, obv) I thought it only fair to stump up the previously unavailable page so you could check I wasn't a big fat liar all along or something.

The Mil's Mailing List page, as mentioned in the reports above, is at http://theweekly.co.uk/mil_mailing_list . It's exactly the same as it was when Hostingplex accused us of spamming without supplying any details or evidence to support those accusations.

I'm horribly aware this may appear to be some kind of advertisement rather than the dusty fulfilment of a promised PS, so feel free to whip out the link once you've had a go and cursed furiously at the effort required actually to be accepted as a subscriber to the wretched thing. (Or got on first time and we've immediately used the info to rob your bank account, I suppose.)

Link to comment
Share on other sites

Thanks for the update Mr Gnash.

Now, nothing's actually been *resolved* -- we're still as much in the dark as ever about why Hostingplex shut us down (they continue not to answer any of our questions and, no doubt quite by accident, deleted the relevant thread on their own forum) -- but as we're back online (with a different host, obv) I thought it only fair to stump up the previously unavailable page so you could check I wasn't a big fat liar all along or something.
It's a pity it was not resolved, a festering cess-pit awaits others but obviously you are better off away from those thunkless whatkins.
I'm horribly aware this may appear to be some kind of advertisement rather than the dusty fulfilment of a promised PS, so feel free to whip out the link once you've had a go and cursed furiously at the effort required actually to be accepted as a subscriber to the wretched thing. (Or got on first time and we've immediately used the info to rob your bank account, I suppose.)
I'm sure you don't owe it to anyone "here" to prove yourself Mr G (if you really were delinquent we'd be seeing you on the BLs soon enough) - but the gesture is appreciated, for those who like to ferret about. Another moderator may choose to break the link or remove it entirely but I'm for leaving it there for a tic.
Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...