
Domain Suspended


WFerrari


Not sure what exactly happened, but my domain has apparently been blacklisted. I received a huge load of spam into the domain, which is forwarded to my spamcop.net mail account. I usually report spam within 5-6 hours.

I'm wondering if I've been blacklisted because of the volume of spam I've been reporting or somebody reported some fake spam mail. The server has not been used as an SMTP server, at least not recently.

Domain: beneventi.net

IP address: 209.51.150.35

Any help or clarification is appreciated.

TIA Walter

Link to comment
Share on other sites

209.51.150.35 listed in bl.spamcop.net (127.0.0.2)

Causes of listing

SpamCop users have reported system as a source of spam about 60 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

Listing History

It has been listed for 43 hours.

You might have reported yourself! ..about 60 times... go back to the reports and check if any has been sent to your own abuse desk!

Link to comment
Share on other sites

Thanks for the prompt reply!

I went back through the older reports until I found one referring to the IP address above:

This page may be saved for future reference:

http://www.spamcop.net/sc?id=z528261362z6a...588a593c71332cz

[report history]

Reports regarding this spam have already been sent:

Re: 209.51.150.35 (Administrator of network where email originates)

   Reportid: 1089431317 To: abuse[at]mfn.com

   Reportid: 1089431318 To: abuse[at]gnax.net

If reported today, reports would be sent to:

Re: 209.51.150.35 (Administrator of network where email originates)

abuse[at]mfn.com

abuse[at]gnax.net

Re: 209.51.150.35 (Third party interested in email source)

spamcop[at]imaphost.com

Re: http://edjihjem.info/ph009/?affiliate_id=233524... (Administrator of network hosting website referenced in spam)

spamrelay[at]certcc.or.kr

nospam[at]hanaro.com

It appears that the mail was not sent from me, but I may be wrong. The IP is shared among several other domains; I'm wondering if all the other domains are blocked as well.

NOTE: Tracking URL was provided, poster's comment was "here are the headers" but the entire spam was posted ... Wazoo deleted the spam

Link to comment
Share on other sites

Looking back at the e-mail makes me wonder why the IP 153.190.184.54 was not blocked instead of the SMTP server of my ISP.

Anyway, is there a simple method to avoid reporting spam without having my domain blocked again?

Link to comment
Share on other sites

First of all, if this IP is "shared" then you can't equate an IP being blocked to a "Domain" being blocked ... noting that the SpamCopDNSbl doesn't deal with "Domains" to begin with.

A "simple" thing appears to be that you are a candidate for setting up the MailHost thing on your account.

Going through this routine might also clear up some of your confusing facts ....

1. The server has not been used as an SMTP server

and yet, the IP you say is "yours" is smack in the middle of things.

2. .... wonder why the IP 153.190.184.54 was not blocked instead of the SMTP server of my ISP. ....

You switched from "my Domain with an IP of" to "the SMTP server of my ISP"

Are you still talking about the same IP, and again, equating a Domain to an IP (which may or may not be true)?

Link to comment
Share on other sites

Looking back at the e-mail makes me wonder why the IP 153.190.184.54 was not blocked instead of the SMTP server of my ISP.

Anyway, is there a simple method to avoid reporting spam without having my domain blocked again?

It sounds like you assume it was your one report that caused your IP to show up on the block list. That's not how SpamCop works -- it requires multiple reports from independent reporters AND if no other reports get filed, the block goes away after a prescribed amount of time. It sounds like there's another spam source on your network, causing your domain's IP to appear on the block list.

Link to comment
Share on other sites

Looking back at the e-mail makes me wonder why the IP 153.190.184.54 was not blocked instead of the SMTP server of my ISP.

SpamCop's explanation from the link you provided:

host-65-6-226-111.cae.bellsouth.net looks like a dynamic host, untrusted as relay

My parse would have gone back to that host, 65.6.226.111, as the source because of that reason. It looks to me that www12.dixiesys.net = ns12.dixiesys.net = beneventi.net is a webmail host that received the message from the client at 65.6.226.111. That is further backed up by the X-ClientAddr: 65.6.226.111, which could be forged and is ignored by the parser.

I assume spamcop did not believe the headers that www12.dixiesys.com was giving it, though I don't see that explanation in the spamcop parse. In fact, I see just the opposite, "Received line accepted". When the next header fails, it seems to fall back 2 headers. That might be a bug, but I am still learning to deal with forged headers so I may be wrong on this point.

Anyway, is there a simple method to avoid reporting spam without having my domain blocked again?

You should be checking all the reports you send out (after the parse) to make sure that your ISP is not being reported. You can also use the Mailhost configuration to tell spamcop what a normal route for your messages to take is.

Link to comment
Share on other sites

Thank you all for the replies.

Sorry for posting the entire mail, it was not my intention to "promote" that spam.

Just one clarification. When I said that the server is not used as SMTP, I was referring to the fact that my home computers use the roadrunner SMTP server for outbound mail. In case I had some virus and trojans infecting my PCs, it would more likely result in Roadrunner blocking my home IP.

As I said before, my domain is hosted by an ISP on a shared server. What scared me is that the entire IP address has been blacklisted, and I was worried that this would have influenced all the domains hosted by that IP.

As StewenUnderwood mentioned, the problem seems to be how "presumed" forged addresses are handled. It may be a bug, but it certainly feels strange that the notification was sent to Dixiesys.

Link to comment
Share on other sites

As I said before, my domain is hosted by an ISP on a shared server. What scared me is that the entire IP address has been blacklisted, and I was worried that this would have influenced all the domains hosted by that IP.

Well, again, it isn't that the "Domains" are the targeted action item, it's the IP of the e-mail server. If the hosting ISP is small enough that only one e-mail server is used for all the hosted Domains, then one could make that leap of tying things together. The various Hosting ISPs I deal with are a bit bigger than that, some servers for web pages, other servers for FTP access, other servers for e-mail, and each of these servers only handles a certain sub-section of their client list ...

According to the "rules and definitions" it takes a minimum of two different reporters to flag an IP as being "bad" ... But Ellen recently de-listed an IP as the only reports were submitted by one individual ... not explained, but I'm having to guess that it was something like this, where the e-mail was forwarded from one account to another, and somehow the mix of these ended up with the parser "seeing" that the reports came from different places but matching up on the "bad" IP ... again, pure conjecture mode here, as this isn't supposed to happen.

Link to comment
Share on other sites

But Ellen recently de-listed an IP as the only reports were submitted by one individual ... not explained,

One explanation could be a reporter who has multiple accounts. I have a work account and a home account and before mailhosts could have reported the same spam on both accounts if I were so inclined. I don't know how closely the listing agent looks at the different reports to determine whether they are multiple people reporting. I always assumed it was simply 2 different reporting accounts.

With mailhosts, I could not do that as the configurations are completely different. I suppose, if I really wanted to, I could configure my mailhosts to do it, but I am not interested in that.

Link to comment
Share on other sites

You can also use the Mailhost configuration to tell spamcop what a normal route for your messages to take is.

I've tried to set up the mailhost for my server, but obviously I was not able to send anything, since my domain is inactive.

I was wondering how long it'll take before the IP address is unblocked, or if there is a procedure I can go through to unblock it.

I'm 99% positive that the IP address was blocked by my reporting, and the ISP disabled my domain because of it.

Another question: If I specify all the mailhosts involved in the routing of the messages, will I ever incur the same problem? I love to spamcop to fight spammers, but I don't have too much time to verify every spam mail header for the presence of forged addresses.

Link to comment
Share on other sites

If you contact deputies<at>spamcop.net and explain what you think happened, they can look at the reports and determine if it was indeed your reporting (or faulty spamcop logic) that listed the server. If that is the case, they MIGHT lift the block early. You might also find out there is a spammer sharing your IP address in which case you should discuss it with your hosting company.

I don't have too much time to verify every spam mail header for the presence of forged addresses.

The least you should be doing is confirming that the reports are not complaining about your ISP or hosting company.

Link to comment
Share on other sites

Ummm, there's a world of difference between "blacklisted" and "disabled"

If I specify all the mailhosts involved in the routing of the messages, will I ever incur the same problem?

As is the case with any "tool" .. stuff can happen. There is a lessening of the chance that you can report yourself, but .... one would guess that you pay attention to where the front end of the car is pointed when you're driving down the road ...????

Link to comment
Share on other sites

The least you should be doing is confirming that the reports are not complaining about your ISP or hosting company.

Thank you for the tip!

Believe it or not, I actually looked for that in the reports. I got fooled by the fact that mfn.com and gnax.net were used as "abuse" reporting addresses instead of dixiesys.com. From now on I will do a text search on the reports for those particular domains (and for the IP address obviously).

Link to comment
Share on other sites

I got fooled by the fact that mfn.com and gnax.net were used as "abuse" reporting addresses instead of dixiesys.com.

One of the first things I did when I started was to send myself an email from another account and parse each message to see where the reports for my ISP would go, then canceled the report of course. It also helped me learn how to parse the messages on my own and learn how spamcop did things.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
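
The pre-send check the last posts in the thread settle on (searching a report preview for your own server's IP and for the upstream abuse addresses), as an added example that is not part of the original thread. The function names and watch lists are assumptions, and the sample text is constructed from the report preview quoted in the thread, with a placeholder URL.

```python
import ipaddress
import re

# Constructed sample modelled on the report preview in the thread; URL is a placeholder.
SAMPLE_REPORT = """\
Re: 209.51.150.35 (Administrator of network where email originates)
   Reportid: 1089431317 To: abuse[at]mfn.com
   Reportid: 1089431318 To: abuse[at]gnax.net
Re: 209.51.150.35 (Third party interested in email source)
spamcop[at]imaphost.com
Re: http://spamvertised.example/ (Administrator of network hosting website referenced in spam)
spamrelay[at]certcc.or.kr
"""

RE_TARGET = re.compile(r"^Re:\s+(\S+)\s+\((.+)\)\s*$")
# Addresses appear obfuscated as user[at]domain or user<at>domain on the page.
RE_ADDR = re.compile(r"([\w.+-]+)(?:@|\[at\]|<at>)([\w.-]+\.[a-z]{2,})", re.I)

def parse_report_targets(text):
    """Return one dict per 'Re:' block: subject, role, recipient addresses."""
    targets = []
    for line in text.splitlines():
        m = RE_TARGET.match(line.strip())
        if m:
            targets.append({"subject": m.group(1), "role": m.group(2), "recipients": []})
        elif targets:
            targets[-1]["recipients"] += [f"{u}@{d}".lower() for u, d in RE_ADDR.findall(line)]
    return targets

def self_report_hits(targets, own_networks, watch_domains):
    """Flag targets whose subject IP is ours or whose recipients are on the watch list."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    domains = {d.lower() for d in watch_domains}
    hits = []
    for t in targets:
        reasons = []
        try:
            ip = ipaddress.ip_address(t["subject"])
            if any(ip in n for n in nets):
                reasons.append(f"subject {ip} is in your own address space")
        except ValueError:
            pass  # subject is a URL, not an IP address
        for rcpt in t["recipients"]:
            dom = rcpt.split("@", 1)[1]
            if any(dom == d or dom.endswith("." + d) for d in domains):
                reasons.append(f"recipient {rcpt} is on your watch list")
        if reasons:
            hits.append((t["subject"], t["role"], reasons))
    return hits
```

Calling `self_report_hits(parse_report_targets(SAMPLE_REPORT), ["209.51.150.35/32"], ["dixiesys.com", "mfn.com", "gnax.net"])` flags both blocks about the hosting server, while a watch list containing only `dixiesys.com` and no IP finds nothing, which is the miss described in the thread.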
