[Resolved] Composite Blocking List (CBL) - listing discrepancy

[GusB]

I ticked the "CBL" box on my Spamcop service.

Spamcop blocked several emails arriving through IP 82.110.105.65 yesterday & the day before, on the grounds:

"CBLX-SpamCop-Checked: n.n.n.n n.n.n.n. 82.110.105.65 X-SpamCop-Disposition: Blocked cbl.abuseat.org"

- But, when I checked, none of the three IPs were listed on the CBL.abuse.org website.

- CBL support assisted with "of the three, only the last IP has ever listed. IP 82.110.105.65 was detected most recently at: 2006/06/23 08:xx UTC sending email in such a way as to strongly indicate that the IP itself was operating an open http or socks proxy, or a trojan spam package...."

- And with "the listing expired on June 29, 2006. I'd be very surprised if Spamcop reported it as listed by the CBL. The listing has been expired for almost a month, and SpamCop runs better than that... but yes, you need to take this up with SpamCop."

Since CBL indicate the other 2 IPs were never listed, is the application by Spamcop of a version of the CBL which was a month+ old, or intended another purpose, likely to be the reason for this discrepancy?

[GusB]

Are u there, Spamcop Support? The people from CBL show Spamcop's "CBL list" giving a false positive on an email; they checked that the only IP address in its header which ever appeared in the real CBL list was delisted a month ago. How so?

Another false positive has arrived (with Spamcop = "blocked" but CBL website = "not listed"), from email using other IP addresses. It's not feasible for me, a user, to keep asking CBL Support to explain why IP addresses not in their list are being shown as being in it by Spamcop .... can Spamcop please respond to the original incident?

Thanks - GusB

[Wazoo]

Are u there, Spamcop Support?

Amd you scrolled by this how many times?

This is a User to User Support Forum

The primary mode of support here is peer-to-peer, meaning users helping other users.

(please remember this at all times!)

Another try:

This forum is composed of people who have used spamcop and those who are learning

about anti-spam efforts.

Section 8 - SpamCop's System & Active Staff User Guide

Original SpamCop FAQ & Added Forum Items, Never up to date, changes often - contains entries on "contacting Staff"

Another false positive has arrived (with Spamcop = "blocked" but CBL website = "not listed"), from email using other IP addresses. It's not feasible for me, a user, to keep asking CBL Support to explain why IP addresses not in their list are being shown as being in it by Spamcop .... can Spamcop please respond to the original incident?

You first posted, made remarks bout three items, chose only to post a single IP address. This post continues that mode, making a statement about further incident, but offer no details.

At this point in time, you are alone in complaining about this issue.

You have provided no data for any analysis to be performed .... for us "other users" that would be a Tracking URLs so that "we" can see what you see. If you are going to contact JT, he'd need to also see the e-mails in question. (For example, are all your samples coming from this 'single' IP address?)

There are a number of experienced SpamCop.net e-maI Account users here, a number of them also residing in the UK, if that makes a difference. While wearing my 'systems analyst' hat, I've been waiting for one of them to possible chime in here ... that hasn't happened. So basically, I'm stuck here with the lack of details provided by you, no one else either receiving e-mail from the same places, noticing that there is an issue, or simply not having the same problem with their account ....

On another track, data copied from a recent spamcop newsgroup post;

Also, I received a mail from support at spamcop. They _are_ rejecting hosts

listed on CBL to prevent "large attacks of spam", apparently CBL is a very

accurate, so, something must be bad at my web host. I was instructed to

contact my host provider with samcop's contact info in case the can fix it

themselves.

Then one can also see an interesting newsflash at http://cbl.abuseat.org/ that you didn't mention;

News (2006/06/15): NEWS ALERT

For a brief period from approximately 4:10 to 6:00 UTC on June 15th, a number of entirely erroneous CBL listings occured due to parsing problems in a new CBL process.

All CBL listings associated with that process were immediately purged, and the process eliminated. It will not be reinstated.

If you encountered email problems during that interval or shortly afterwards, and a lookup shows that it is not currently listed, this is what happened, and no further action is required.

Our profuse apologies for this occurance. It will not repeat.

Timeframe doesn't quit match, but then again, there's that lack of data provided again ....????

[StevenUnderwood]

There are a number of experienced SpamCop.net e-maI Account users here, a number of them also residing in the UK, if that makes a difference. While wearing my 'systems analyst' hat, I've been waiting for one of them to possible chime in here ... that hasn't happened. So basically, I'm stuck here with the lack of details provided by you, no one else either receiving e-mail from the same places, noticing that there is an issue, or simply not having the same problem with their account ....

I don't know how I missed this thread, but I just scanned my mailbox and do not have any that were caught by cbl so I can not test against their on-line one.

I suppose it is possible that the cache on whatever DNS server JT uses (his own???) has not cleared for some reason.

[Wazoo]

I suppose it is possible that the cache on whatever DNS server JT uses (his own???) has not cleared for some reason.

Agreed, that's one possiblity ... but not knowing if the same IP address, country of origin, ISP/Domain, etc. is involved, the same blade server is involved, possibly which version of the application might be involved, on and on ....

[StevenUnderwood]

Agreed, that's one possiblity ... but not knowing if the same IP address, country of origin, ISP/Domain, etc. is involved, the same blade server is involved, possibly which version of the application might be involved, on and on ....

Just to repeat directly, Gus:

Please post (cancelled if they are not spam) tracking URL's for these specific messages you see being blocked by yhe cbl but which are not currently listed. Perhaps by comparing the messages we might see a trend you are missing between these messages.

[GusB]

Just to repeat directly, Gus:

Please post (cancelled if they are not spam) tracking URL's for these specific messages you see being blocked by yhe cbl but which are not currently listed. Perhaps by comparing the messages we might see a trend you are missing between these messages.

Apols for the dodgy etiquette & thanks for the comments! FYI I'm new to forums; also new to the web parsing interface for producing tracking URLs for non-spam (normally a Spamcop email service user) but learning fast ...

Here as Steven asked are the tracking URLs. Since it's not spam, message bodies & local-names in the email addresses are munged.

RE INCIDENT 1 - Here's the Tracking URL: http://www.spamcop.net/sc?id=z1019221677zf...79902bf5c4126ez . Spamcop presented "blocked. CBL.abuseat.org", which is a false positive as CBL Support confirmed in writing (also below) that none of the IP address were listed from a month before the incident till after it occurred. This is the issue I reported.

RE INCIDENT 2 - Here's the Tracking URL: http://www.spamcop.net/sc?id=z1019205689z1...e8c0323bbeb71cz Similar behavior as before: in theory this one could be explained by CBL delisting just after Spamcop interrogated the list: I can ask CBL Support to look at the history of these IP addresses also, if people think that's likely to be useful.

RE INCIDENT 1 - Here's email from CBL Support confirming that the IP addresses were not listed:-

>From: CBL Team [mailto:xxx]

>Sent: 31 July 2006 01:49

>To: xxxx

>Cc: xxxxl[at]cbl.abuseat.org

>Subject: Re: CBL listing for 82.110.105.65

>You write:

>> X-SpamCop-Checked: 192.168.1.101 82.110.105.33 82.110.105.65

>> X-SpamCop-Disposition: Blocked cbl.abuseat.org

>[Of the three, only the last IP has ever listed. The first one (192.168.x.x) is a private network IP, isn't routable on the >internet, and would never be listed.]

>The IP 82.110.105.65 was detected most recently at:

> 2006/06/23 08:xx UTC

>sending email in such a way as to strongly indicate that the IP itself

>was operating an open http or socks proxy, or a trojan spam package.

[agsteele]

>> X-SpamCop-Checked: 192.168.1.101 82.110.105.33 82.110.105.65

>> X-SpamCop-Disposition: Blocked cbl.abuseat.org

>[Of the three, only the last IP has ever listed. The first one (192.168.x.x) is a private network IP, isn't routable on the >internet, and would never be listed.]

>The IP 82.110.105.65 was detected most recently at:

> 2006/06/23 08:xx UTC

>sending email in such a way as to strongly indicate that the IP itself

>was operating an open http or socks proxy, or a trojan spam package.

The X-SpamCop-Checked line will always quote all the potential ip addresses and it is always that last one that is the cause of the message being trapped.

In this case the CBL folk confirm that 82.110.105.65 was listed in the cbl so this is a correct action by your SpamCop mailbox given that you have asked it to check against the cbl.

The other two ip addresses are ones that your SC mail checked before the problem ip. Being in the checked list does NOT mean it is listed anywhere.

Andrew

[GusB]

The X-SpamCop-Checked line will always quote all the potential ip addresses and it is always that last one that is the cause of the message being trapped.

In this case the CBL folk confirm that 82.110.105.65 was listed in the cbl so this is a correct action by your SpamCop mailbox given that you have asked it to check against the cbl.

The other two ip addresses are ones that your SC mail checked before the problem ip. Being in the checked list does NOT mean it is listed anywhere.

Andrew

I wanted to avoid information overload, but here's CBL's "very surprised" view, replying to me, of Spamcop's blocking of 82.110.105.65 a month after it came off the real list.

The views in the forum so far still seem to support a false positive - no algorithm's involved, it's listed or it is isn't, and it isn't....

From: CBL Team [mailto:cxxx[at]cbl.abuseat.org]

Sent: 31 July 2006 14:58

To: Axxxx[at]highup.co.uk

Cc: Cxxxx[at]cbl.abuseat.org

Subject: Re: CBL listing for 82.110.105.65

You write:

> * Many thanks for the information in your email below.

> This is very useful, but I 'm not sure what the

> current status of 82.110.105.65 is - could you please

> clarify whether this is actively on the the CBL list,

> or whether the behavior detected last month was as

> recent history of the IP which is however not now

> positively listed?

the listing expired on June 29, 2006.

> * If it's positively listed then (as in my email) this

> fact doesn't show on the CBL website, so does the

> website version need updating? [i can then approach

> the mail hosting service responsible for the IP]

> * If it's not positively listed, then I can take this

> up with my Spamcop service, which reported that it

> was and put Blocked cbl.abuseat.org in several

> email headers.

I'd be very surprised if Spamcop reported it as listed by the CBL.

The listing has been expired for almost a month, and SpamCop runs better than that.

But yes, you need to take this up with SpamCop.

--

Rxxx, CBL Team

[StevenUnderwood]

In this case the CBL folk confirm that 82.110.105.65 was listed in the cbl so this is a correct action by your SpamCop mailbox given that you have asked it to check against the cbl.

Yes, it WAS listed but was cleared a month before the message was received.

Here as Steven asked are the tracking URLs. Since it's not spam, message bodies & local-names in the email addresses are munged.

RE INCIDENT 1 - Here's the Tracking URL: http://www.spamcop.net/sc?id=z1019221677zf...79902bf5c4126ez . Spamcop presented "blocked. CBL.abuseat.org", which is a false positive as CBL Support confirmed in writing (also below) that none of the IP address were listed from a month before the incident till after it occurred. This is the issue I reported.

RE INCIDENT 2 - Here's the Tracking URL: http://www.spamcop.net/sc?id=z1019205689z1...e8c0323bbeb71cz Similar behavior as before: in theory this one could be explained by CBL delisting just after Spamcop interrogated the list: I can ask CBL Support to look at the history of these IP addresses also, if people think that's likely to be useful.

You may have munged too much. Neither of these samples have the X-Spamcop-* headers showing they were blocked incorrectly or why.

[GusB]

Yes, it WAS listed but was cleared a month before the message was received.

You may have munged too much. Neither of these samples have the X-Spamcop-* headers showing they were blocked incorrectly or why.

Yes, Steven's right. From the unmunged versions run just now:

Incident 1

X-SpamCop-Checked: 192.168.1.101 82.110.105.33 82.110.105.65

X-SpamCop-Disposition: Blocked cbl.abuseat.org

Incident 2

X-SpamCop-Checked: 192.168.1.101 82.110.105.33 212.67.121.107 127.0.0.1 127.0.0.1 127.0.0.1 88.144.66.221

X-SpamCop-Disposition: Blocked cbl.abuseat.org

[StevenUnderwood]

Yes, Steven's right. From the unmunged versions run just now:

Incident 1

X-SpamCop-Checked: 192.168.1.101 82.110.105.33 82.110.105.65

X-SpamCop-Disposition: Blocked cbl.abuseat.org

Incident 2

X-SpamCop-Checked: 192.168.1.101 82.110.105.33 212.67.121.107 127.0.0.1 127.0.0.1 127.0.0.1 88.144.66.221

X-SpamCop-Disposition: Blocked cbl.abuseat.org

I don't have time for this right now. IF that was all you had munged out of the messages, then there is nothing to go on but to keep monitoring the situation.

In the future, please provide tracking URL's for the full messages. Spamcop munges the address for you in the tracking URL (even when you do not munge the reports). You can look at the tracking URL yourself if you wish before posting to be sure nothing you are trying to hide is released.

[Wazoo]

I gave up when I saw the same thing that Steven pointed out. I thought it was pretty clear that the 'real' data as a complete package was what 'we' were looking for. Couldn't find those specific lines, saw the Outlook/Eidora work-around in use, looked at possibly taking some data and trying to tun my own parse, but ... too much missing/inconsistent data involved. Went on to other issues.

[GusB]

I don't have time for this right now. IF that was all you had munged out of the messages, then there is nothing to go on but to keep monitoring the situation.

In the future, please provide tracking URL's for the full messages. Spamcop munges the address for you in the tracking URL (even when you do not munge the reports). You can look at the tracking URL yourself if you wish before posting to be sure nothing you are trying to hide is released.

Will do. Here are two better tracking URLs (the emails are not spam, so the local-names in "from" and "return path" addresses are munged):-

RE INCIDENT 1

http://www.spamcop.net/sc?id=z1019538452z1...b5c37b72f49b3bz

Spamcop flags "blocked. CBL.abuseat.org". This is not as per CBL's list, as CBL Support confirmed in two emails (posted) that none of the IP addresses have been listed by CBL since June 29 (to July 31, and a check at their website today confirms this status).

RE INCIDENT 2

http://www.spamcop.net/sc?id=z1019888603z4...c060161142c3eaz

Same problem as Incident 1. CBL Support confirms in an email (extract posted below) that none of these IP addresses have been listed since March 2006.

RE INCIDENT 2 - new email from CBL Support:-

"From: CBL Team [mailto:cbl[at]cbl.abuseat.org]

Sent: 04 August 2006 15:24

To: Axxx

Cc: 'CBL Team'

Subject: Re: Listed in Spamcop but not listed in CBL - 2

Of the IPs listed below, only 88.144.66.221 has ever been on the CBL, and that was almost 5 months ago.

At that time, it behaved as if it was infected with a virus."

>> X-SpamCop-Checked: 92.168.1.101 82.110.105.33 212.67.121.107

>> 88.144.66.221

>> X-SpamCop-Disposition: Blocked cbl.abuseat.org

[StevenUnderwood]

Of the IPs listed below, only 88.144.66.221 has ever been on the CBL, and that was almost 5 months ago.

At that time, it behaved as if it was infected with a virus."

Thank you for the updates. As mentioned previously, if an address is blocked, it will be the very last one listed in the X-SpamCop-Checked: line. That would be the only IP you would need to ask cbl (or any blocklist about.

I am sending an email to JT on this issue now. He will not be able to look at your account unless he can figure it out from the information already posted here, but he may not need to.

[GusB]

Thank you for the updates. As mentioned previously, if an address is blocked, it will be the very last one listed in the X-SpamCop-Checked: line. That would be the only IP you would need to ask cbl (or any blocklist about.

I am sending an email to JT on this issue now. He will not be able to look at your account unless he can figure it out from the information already posted here, but he may not need to.

Noted, & thanks for the guidance throughout.

CBL came back today after my enquiry to them to say they'd approach Spamcop about the problem, so hopefully it'll get resolved shortly.

[Wazoo]

Actually had this under composition, but got involved with a bit of a local emergency .. so sent out much later .... possibly also over ran by events, but ...

From: "Wazoo"

To: "SpamCop Support - JT"

Subject: CBL.abuseat.org results questioned

Date: Fri, 4 Aug 2006 14:06:53 -0500

GusB (elided)

SpamCop e-mail address provided

Members (6 Posts)

Joined: 31-July 06

http://forum.spamcop.net/forums/index.php?showtopic=6764

Raises the complaint that incoming e-mail is blocked based

on a positive listing result. However, dialog with the CBL

folks tells tales of the IP addresses in question as not having

been listed there in months.

Finally got a couple of Tracking URLs posted that weren't

too damaged/munged ... one e-mail was handled be blade3,

the other by blade6 .. of course both coming in via the mailgate

server. (Still not sure why there's a Outlook/Eudora hack line

seen on the parses provided, but .....) If it helps isolate them;

http://www.spamcop.net/sc?id=z1019538452z1...b5c37b72f49b3bz

http://www.spamcop.net/sc?id=z1019888603z4...c060161142c3eaz

The question / accusation comes in about the accessing of the

cbl.abuseat.org data .... the dialog would seem to indicate that

there's a local copy in use ... there's the 'news' on the CBL site

of various outages, types of rsynch downloads being removed,

but this all seems to be back around last December.

[GusB]

As posted above, I'm a Spamcop email service user and so new to the web parsing interface, which in my usage I now require only for producing tracking URLs for non-spam emails e.g. for a forum. So I was new too to the 2-screen interface needed for Outlook, and to munging friendly senders' details from tracking URLs. Many thanks for the enabling help with several of these!

It looks like a quick solution to the substance of the CBL/Spamcop discrepancies. CBL updated me that they'd established with Spamcop that SpamCop was retrieving their copy of the CBL from a 3rd party, whose "copy of the CBL hasn't updated in months"...

[StevenUnderwood]

As posted above, I'm a Spamcop email service user and so new to the web parsing interface, which in my usage I now require only for producing tracking URLs for non-spam emails e.g. for a forum. So I was new too to the 2-screen interface needed for Outlook, and to munging friendly senders' details from tracking URLs. Many thanks for the enabling help with several of these!

It looks like a quick solution to the substance of the CBL/Spamcop discrepancies. CBL updated me that they'd established with Spamcop that SpamCop was retrieving their copy of the CBL from a 3rd party, whose "copy of the CBL hasn't updated in months"...

Thanks for coming back with the reply. I assume JT is also taking care of this from his end.

[Farelf]

CBL updated me that they'd established with Spamcop that SpamCop was retrieving their copy of the CBL from a 3rd party, whose "copy of the CBL hasn't updated in months"...

Nice work GusB, thanks for your perseverence.

[turetzsr]

Nice work GusB, thanks for your perseverence.

...And when you've confirmed that things are working correctly, please post that information here and one of the Forum Moderators will flag this thread as "Resolved." Thanks! <g>

[GusB]

...And when you've confirmed that things are working correctly, please post that information here and one of the Forum Moderators will flag this thread as "Resolved." Thanks! <g>

Will report back when ok against the original incidents.

In the meantime, as the problem affects both CBL's & SC's reputations but its 3rd party origin means it can occur any time without SC or CBL knowing it has, I suggest that SC could usefully be asked:-

- the target time for changes in CBL's listing to be picked up by SC.

- whether it's feasible for SC to pick up CBL data from CBL rather than from a 3rd party.

[petzl]

Will report back when ok against the original incidents.

In the meantime, as the problem affects both CBL's & SC's reputations but its 3rd party origin means it can occur any time without SC or CBL knowing it has, I suggest that SC could usefully be asked:-

- the target time for changes in CBL's listing to be picked up by SC.

- whether it's feasible for SC to pick up CBL data from CBL rather than from a 3rd party.

I've not noticed CBL stop catch anything?

Perhaps it can be dropped altogether?

[Wazoo]

This from JT;

Sorry, guys.

Yes, we had a local copy of the CBL here. Without my knowledge, the

source stopped updating and so our copy got stale. Of course, it takes a

while, but eventually someone notices.

Anyway, we are now updating our local copy directly from the CBL people

themselves, so it should all be up to date.

Jeff

[GusB]

This from JT;

Can we please know the ongoing approx target time for changes in CBL's listing to be picked up by SC?

- The original incidents failed again just now (I'll repeat each day or two) but, without SC's approx target refresh time, it's not clear whether this observation is bad or just indifferent....