Full Version: ERROR-Domain reported by spoofed email address.
mark
It appears any spoofed address can report a domain as a source of SPAM, crippling the domain for 48 hours, as stated in the FAQ.

Consider removing SPAMCOP as a method of blocking spam, as it appears the system may prevent legitimate mail.

Below is a response from the ISP, stating that they are not the reporting source.


http://www.spamcop.net/sc?track=66.241.135.153
~~~~~~~
We are not sure why our email address is listed although we are certain
that we did not report this to Spamcop. If we were to receive spam
from you we would contact you first. If there is anything else we can
help you with please feel free to give us a call or email.

Regards,
Dennis

Network Operations Centre
Toronto Hydro Telecom Inc.
185 The West Mall, Suite 500
Toronto, Ontario, M9C 5L5
Tel: (416) 542-2525
Backup Tel: (416) 626-0450
Fax: (416) 626-5419
Email: noc[at]thtelecom.ca

-----Original Message-----
From: Mark Munro [mailto:Mark.Munro[at]AllianceAtlantis.com]
Sent: Friday, January 30, 2004 3:01 PM
To: NOC @ thtelecom; Mark Munro
Subject: RE: spamcop


Thanks, Dennis,
Can you explain why your email address is listed at SPAMCOP as the
address that reported us as a source of spam?

-----Original Message-----
From: NOC @ thtelecom [mailto:noc[at]thtelecom.ca]
Sent: Friday, January 30, 2004 2:59 PM
To: 'Mark Munro'
Subject: RE: spamcop


Hi Mark,

There is nothing we can do on our side to resolve this issue with
Spamcop. I do suggest that you contact Spamcop directly and resolve
this issue with them. It seems that you have been put on their blocking
list and you must convince them to take you off. If you have any
questions you can contact our NOC.
Bumpkin
Please post the original message you received stating that you are on the Spamcop blocklist, with the IP address in question, and someone will be able to provide you with more assistance.

Thanks!
turetzsr
Hello!
...Please take a look at the post under "Important Topics" called "Pinned: FAQ Entry: Why is my email blocked?" at Help Forum Index. If after reading that you still have more questions, please return here and ask, and those of us who can will try to help.
...Good luck!
jefft
QUOTE(mark @ Jan 30 2004, 03:30 PM)
It appears any spoofed address can report a domain as a source of SPAM, crippling the domain for 48 hours, as stated in the FAQ.


That's simply not correct.

The SpamCop parser completely and totally ignores any email addresses found in the headers of the spam. So, when email is sent with forged From: or sender addresses, that's not a problem since we ignore those anyway.

SpamCop also mostly ignores the domain names found in the headers of the message. It does use the domain names, but only to double-check the IP address found in the headers. The IP address is always considered the authoritative reference for where the email was each step of the way on its travels.

Spammers can't forge IP addresses into spam as they are automatically recorded by the receiving mail server, based on the IP address that connects to the mail server.

We can settle this pretty easily. What is the IP address that is on the blacklist?

JT
mark
QUOTE(jefft @ Jan 30 2004, 03:51 PM)
QUOTE(mark @ Jan 30 2004, 03:30 PM)
It appears any spoofed address can report a domain as a source of SPAM, crippling the domain for 48 hours, as stated in the FAQ.


That's simply not correct.

The SpamCop parser completely and totally ignores any email addresses found in the headers of the spam. So, when email is sent with forged From: or sender addresses, that's not a problem since we ignore those anyway.

SpamCop also mostly ignores the domain names found in the headers of the message. It does use the domain names, but only to double-check the IP address found in the headers. The IP address is always considered the authoritative reference for where the email was each step of the way on its travels.

Spammers can't forge IP addresses into spam as they are automatically recorded by the receiving mail server, based on the IP address that connects to the mail server.

We can settle this pretty easily. What is the IP address that is on the blacklist?

JT

I have no idea why this is listed, I see no evidence indicating I am relaying, and I am receiving numerous reports that the spamcop database is the cause.

Can you please get this IP removed immediately!


-----Original Message-----
From: System Administrator
Sent: Friday, January 30, 2004 12:54 PM
To: lmenary[at]roots.com
Subject: Undeliverable: RE: Delivery Status Notification (Failure)

Your message did not reach some or all of the intended recipients.

Subject: RE:
Sent: 1/30/2004 12:53 PM

The following recipient(s) could not be reached:

lmenary[at]roots.com on 1/30/2004 12:53 PM
You do not have permission to send to this recipient. For assistance, contact your system administrator.
<webmail1.allianceatlantis.com #5.7.1 smtp;550 5.7.1 Rejected: 66.241.135.153 listed at bl.spamcop.net>
Jeff G.
According to http://www.spamcop.net/w3m?action=checkblo...=66.241.135.153 :
Query bl.spamcop.net - 66.241.135.153
66.241.135.153 is webmail1.allianceatlantis.com
66.241.135.153 listed in bl.spamcop.net (127.0.0.2)

Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users. It has been sending mail consistently for at least 92.9 days. It has been listed for 26 hours.

In the past week, this system has:
Been reported as a source of spam less than 10 times
Been witnessed sending mail about 270 times
A sample sent sometime during the 24 hours beginning :
Received: from -.-.com (-.-.com [66.241.135.153])-
by -.-.-.- (-.-.-.-.-) with - id -
for <-@-.com>- Thu, - Jan 2004 - -
Subject: business - specialists - id -
From: de.. at ..li.fr
Merlyn
I am not an admin and I cannot see the email but the sample looks like the spam that has been going around with the subject "Web Business Programming Specialists" through hijacked machines. The link in it is to their email address at laposte.net. The faked from was probably developers03 at tiscali.fr

I am sure a deputy will confirm if it was spam or not.

Are you sure your machine is locked down?
mark
Thanks Jeff, I did see this page.
If I understand this correctly, then the page states that some domain in .fr is hijacking our IP address?

Can you offer any suggestions on how this is possible?

I have tested for open relays on a number of test sites. I have also submitted our IP to the ordb.org site, and I don't see how the .fr domain hijacked our address.

Please help.
Jeff G.
Your mailserver appears to be running Microsoft Exchange Server 5.0 -
according to http://west-pub.mail-abuse.org/tsi/ar-fix.html#exchange :
Microsoft Exchange Server
Status: Commercial (Microsoft Corp.)
Systems: Win/NT
Info: http://www.microsoft.com/
Versions through 5.0 are vulnerable to relay if they permit any local SMTP
users. (Servers that only act as a gateway between internal non-SMTP mail
and the Internet don't have relay problems.) In other words, if your
Exchange 5.0 server is connected to the Internet, it WILL relay for anyone,
and that cannot be stopped.
Starting with version 5.5, provisions have been made to prevent unauthorized
relay. These are described in detail in an article from Windows NT Magazine
http://www.exchangeadmin.com/Articles/Inde...?ArticleID=7696 . If you're
running an older version, it's time to upgrade.
Microsoft has an article
http://www.microsoft.com/technet/treeview/...il/excrelay.asp
or http://tinyurl.com/ywb5n on their TechNet site that discusses securing
Exchange 2000 and 5.5.
mark
Mail server is running Exchange 2000 sp3.

Can you tell me why the address, Reporting addresses:
postmaster[at]thtel.ca <mailto:postmaster[at]thtel.ca>

-----Original Message-----
From: Mark Munro
Sent: Thursday, January 29, 2004 6:21 PM
To: 'noc[at]thtelecom.ca'
Subject: spamcop

http://www.spamcop.net/sc?track=66.241.135.153
Merlyn
QUOTE(mark @ Jan 30 2004, 05:58 PM)
Mail server is running Exchange 2000 sp3.

Can you tell me why the address, Reporting addresses:
postmaster[at]thtel.ca <mailto:postmaster[at]thtel.ca>

-----Original Message-----
From:  Mark Munro 
Sent: Thursday, January 29, 2004 6:21 PM
To: 'noc[at]thtelecom.ca'
Subject: spamcop

http://www.spamcop.net/sc?track=66.241.135.153

Because that is who the IP is registered to in arin.
mark
Can I confirm that no new reports are being added?
If not, can I expect the IP to be removed after the 48 hour period?
Jeff G.
More specifically, per http://ws.arin.net/cgi-bin/whois.pl?queryi...=66.241.135.153 :

OrgName: Toronto Hydro Telecom
OrgID: THTI
Address: 185 THe West Mall
City: Toronto
StateProv: ON
PostalCode: M9C-5L5
Country: CA

NetRange: 66.241.128.0 - 66.241.143.255
CIDR: 66.241.128.0/20
NetName: THTI
NetHandle: NET-66-241-128-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: DNS1.THTEL.CA
NameServer: DNS2.THTEL.CA
Comment:
RegDate: 2002-03-06
Updated: 2003-09-05

TechHandle: TECH15-ARIN
TechName: tech
TechPhone: +1-416-542-2525
TechEmail: tech[at]thtel.ca

OrgTechHandle: TECH15-ARIN
OrgTechName: tech
OrgTechPhone: +1-416-542-2525
OrgTechEmail: tech[at]thtel.ca

# ARIN WHOIS database, last updated 2004-01-29 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.


Now, since thtel.ca doesn't have an abuse.net contact, SpamCop sent the report to postmaster[at]thtel.ca per recommendations in Internet Standards 10 and 11.

You should create an abuse.net listing for each of the domains you manage per http://www.abuse.net/addnew.html.
michaell
QUOTE(mark @ Jan 30 2004, 10:01 PM)
If I understand this correctly, then the page states that some domain in .fr is hijacking our IP address?

Can you offer any suggestions on how this is possible?

It's not necessarily anything to do with .fr - the connections to your server are coming via exploited proxy servers in various places around the world.

If it helps, the spam headers look something like this:

Received: from webmail1.allianceatlantis.com [66.241.135.153] by <spam_recipient_server>
Received: from mail.salter.com ([172.16.180.23]) by webmail1.allianceatlantis.com with Microsoft SMTPSVC(5.0.2195.6713);
Wed, 28 Jan 2004 12:40:39 -0500
Received: from <open_proxy> by mail.salter.com with Microsoft SMTPSVC(5.0.2195.6713);
Wed, 28 Jan 2004 13:40:15 -0400

172.16.180.23 is a LAN address. That server is accepting email and relaying it to webmail1.allianceatlantis.com, which in turn relays it to the recipients of the spam.

The latest spam reported was sent just 5 hours ago, so I imagine the problem is ongoing.
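jefft's point earlier in the thread (the IP stamped by the receiving server is authoritative, addresses in From: are ignored) and michaell's walk down the Received: chain are two halves of the same routine. The following is an added example written for this page, not SpamCop's parser and not code posted by anyone in the thread. It runs on a constructed message shaped like the headers michaell quoted; the recipient server name (mx.recipient.example), the open-proxy address (203.0.113.7) and the From: value are placeholders, not data from the thread.

```python
import ipaddress
import re

# Constructed sample message, shaped like the headers michaell quoted.  The
# recipient server, the open-proxy address and the From: value are placeholders.
SAMPLE_MESSAGE = """\
Received: from webmail1.allianceatlantis.com [66.241.135.153]
    by mx.recipient.example (8.12.10/8.12.10) with ESMTP id i0SHf2Ab012345
    for <someone@recipient.example>; Wed, 28 Jan 2004 12:41:02 -0500
Received: from mail.salter.com ([172.16.180.23]) by webmail1.allianceatlantis.com
    with Microsoft SMTPSVC(5.0.2195.6713); Wed, 28 Jan 2004 12:40:39 -0500
Received: from unknown ([203.0.113.7]) by mail.salter.com
    with Microsoft SMTPSVC(5.0.2195.6713); Wed, 28 Jan 2004 13:40:15 -0400
From: "Web Business Specialists" <forged-sender@example.net>
Subject: Web Business Programming Specialists
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def unfold_headers(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(header):
    """Split one Received: line into claimed name, bracketed IP and recording host.

    Only the bracketed IP carries weight, and only as far as the host named after
    "by" is trusted: it is the peer address that host saw on the TCP connection.
    The name before it is whatever the client said in HELO.
    """
    m = re.match(r"Received:\s*from\s+(\S+)(.*?)\bby\s+(\S+)", header, re.I | re.S)
    if not m:
        return None
    claimed, middle, by = m.groups()
    ip = BRACKETED_IP.search(middle)
    return {"claimed": claimed.strip("()"), "ip": ip.group(1) if ip else None, "by": by.rstrip(";")}


def received_chain(raw):
    """Received: hops top-down, newest first; hop 0 was stamped by the recipient."""
    chain = []
    for header in unfold_headers(raw):
        if header.lower().startswith("received:"):
            hop = parse_received(header)
            if hop:
                chain.append(hop)
    return chain


def reporting_target(raw):
    """The address a SpamCop-style parse reports: the connecting IP recorded by the
    recipient's own server in the topmost Received: line.  From:, Sender: and every
    Received: line below the top one were written by someone else and are ignored."""
    chain = received_chain(raw)
    return chain[0]["ip"] if chain else None


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def internal_handoffs(chain):
    """Hops where a host stamped mail arriving from an RFC 1918 address.

    This is the pattern that exposed the two-stage relay in the thread: the public
    server was not relaying for the world itself, it was relaying for an internal
    box that was.  Returns (private_ip, host_that_accepted_it) pairs."""
    return [(hop["ip"], hop["by"]) for hop in chain if hop["ip"] and is_rfc1918(hop["ip"])]


if __name__ == "__main__":
    hops = received_chain(SAMPLE_MESSAGE)
    for i, hop in enumerate(hops):
        print("hop %d: %s [%s] -> %s" % (i, hop["claimed"], hop["ip"], hop["by"]))
    print("report:", reporting_target(SAMPLE_MESSAGE))
    print("internal hand-offs:", internal_handoffs(hops))
```

Run against a real spam sample, the first thing to check is whether the topmost Received: line was really added by your own server; if the sample was forwarded to you, the trustworthy line is the one your server stamped, not the one at the top.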
Jeff G.
The open proxy, then, would be the public interface of mail.salter.com at 142.176.128.51


According to http://www.spamcop.net/w3m?action=checkblo...=142.176.128.51 :
Query bl.spamcop.net - 142.176.128.51
DNS error: 142.176.128.51 has no reverse dns
142.176.128.51 not listed in bl.spamcop.net

Since SpamCop started counting, this system has been reported about 40 times by about 10 users. In the past 53.7 days, it has been listed 3 times for a total of 4.7 days

A sample sent sometime during the 24 hours beginning Tuesday 2003/12/09 19:00:00 -0500:
Received: from -.-.com ([142.176.128.51])
by -.net-.- (-.-.-.-.-) with - id -
for <-@-.com>- Wed, - Dec 2003 - -
Subject: james want - please the ladies
From: pa.. at ..l.net

A sample sent sometime during the 24 hours beginning Thursday 2004/01/15 19:00:00 -0500:
Received:
Subject: lowest price for - cartridges - administrator
From: ma.. at ..s.com


According to http://moensted.dk/spam/?addr=142.176.128.51 :
142.176.128.51 was found in 5 lists (of 259 tested)


According to its listing in RSL, 142.176.128.51 is the input of a two-stage open relay.


Testing reveals that 142.176.128.51 is running Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 but is not accepting mail for postmaster[at]mail.salter.com
michaell
QUOTE(JeffG @ Jan 30 2004, 11:41 PM)
The open proxy, then, would be the public interface of mail.salter.com at 142.176.128.51
...
According to its listing in RSL, 142.176.128.51 is the input of a two-stage open relay.

No, that's not an open proxy - it is, as that RSL message says, the input point of an open relay.

An open proxy is something quite different - in this case, open proxies are being used to transmit the spam to 142.176.128.51.
Jeff G.
Well, it's not a wide open relay. It could be an SMTP/AUTH issue with an open guest account or a weak password somewhere.
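The relay test Jeff G. refers to (and the postmaster check he mentioned two posts up) is an envelope-only SMTP conversation. The following is an added example, not a tool anyone in the thread used: it drives EHLO, MAIL FROM and RCPT TO against a server and reads the RCPT reply, never sending DATA so nothing is relayed during the test. The sender and recipient domains are placeholders, and the tiny SMTP responder at the bottom is a constructed stand-in so the probe can be exercised offline; a real Exchange or sendmail host answers in the same shape.

```python
import socket
import threading

# The probe speaks only the envelope: EHLO, MAIL FROM, RCPT TO, then RSET/QUIT.
PROBE_FROM = "relay-probe@probe.example"      # placeholder outside sender
PROBE_RCPT = "relay-probe@elsewhere.example"  # placeholder outside recipient


def smtp_session(host, port, commands, timeout=10):
    """Send each command and collect [(command, reply)], joining multi-line
    replies ("250-" continues, "250 " ends).  The banner is recorded first."""
    transcript = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")

        def read_reply():
            lines = []
            while True:
                line = f.readline().decode("ascii", "replace").rstrip("\r\n")
                lines.append(line)
                if len(line) < 4 or line[3] != "-":
                    return "\n".join(lines)

        transcript.append(("<banner>", read_reply()))
        for cmd in commands:
            f.write((cmd + "\r\n").encode("ascii"))
            f.flush()
            transcript.append((cmd, read_reply()))
    return transcript


def rcpt_reply(host, port, mail_from, rcpt_to):
    """Three-digit code the server gives to RCPT TO:<rcpt_to> for that sender."""
    cmds = ["EHLO probe.example", "MAIL FROM:<%s>" % mail_from,
            "RCPT TO:<%s>" % rcpt_to, "RSET", "QUIT"]
    for cmd, reply in smtp_session(host, port, cmds):
        if cmd.startswith("RCPT"):
            return reply[:3]
    return None


def is_open_relay(host, port=25):
    """True if an outside sender may address an outside recipient.  This is the
    single-stage test; a server can pass it and still leak, as the thread's
    internal-hop relay did, so a clean result is not proof of a closed site."""
    return rcpt_reply(host, port, PROBE_FROM, PROBE_RCPT) == "250"


def accepts_postmaster(host, port, domain):
    """RFC 822 and RFC 2142 expect postmaster@<domain> to be deliverable."""
    return rcpt_reply(host, port, PROBE_FROM, "postmaster@" + domain) == "250"


def start_fake_server(open_relay, local_domain="salter.example", reject_postmaster=False):
    """Constructed test peer, not an MTA: a one-connection SMTP responder on
    127.0.0.1 that accepts RCPT for local_domain (and for anyone if open_relay).
    Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        f = conn.makefile("rwb")

        def reply(text):
            f.write((text + "\r\n").encode("ascii"))
            f.flush()

        reply("220 fake.%s ESMTP ready" % local_domain)
        while True:
            line = f.readline().decode("ascii", "replace").strip()
            if not line:
                break
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                reply("250-fake.%s Hello\r\n250 SIZE 10485760" % local_domain)
            elif verb == "MAIL":
                reply("250 2.1.0 Sender OK")
            elif verb == "RCPT":
                addr = arg.split(":", 1)[-1].strip("<> ").lower()
                local = addr.endswith("@" + local_domain)
                if local and reject_postmaster and addr.startswith("postmaster@"):
                    reply("550 5.1.1 User unknown")
                elif local or open_relay:
                    reply("250 2.1.5 Recipient OK")
                else:
                    reply("550 5.7.1 Unable to relay for %s" % addr)
            elif verb == "RSET":
                reply("250 2.0.0 Resetting")
            elif verb == "QUIT":
                reply("221 2.0.0 Service closing")
                break
            else:
                reply("502 5.5.2 Command not implemented")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for flag in (False, True):
        p = start_fake_server(open_relay=flag)
        print("open_relay=%s -> probe says %s" % (flag, is_open_relay("127.0.0.1", p)))
```

To catch the two-stage case from this thread you would run the same probe from inside the LAN as well, or at least confirm that the public server refuses RCPT for outside domains from every internal host that can reach port 25 on it.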
mark
Jeff,
The information you provided was correct.
That external address, 142.176.128.51 was accepting inbound mail, and relaying over our internal network. The header information was key in finding this problem.

Can you also confirm the open relay is now closed?
Jeff G.
Sorry, I couldn't get it to relay in the first place. Please try to get it delisted by RSL, and tell Al I said "Hi."
mark
How can I check if reports of UCE are still occurring?
Jeff G.
66.241.135.153 is still listed, both web and dns. postmaster[at]thtel.ca should be getting any reports.
mark
Can you tell me if I am scheduled to be removed from this database, and when?
Are you still receiving new reports of spam from this address?
Jeff G.
QUOTE(mark @ Feb 1 2004, 07:48 AM)
Can you tell me if I am scheduled to be removed from this database, and when?
Are you still receiving new reports of spam from this address?

Sorry, I don't have access to that info. Only Deputies and Admins have access to that info.
mark
Is there anything I can do to expedite the removal from this list?
How can I report on when I will be delisted?
Jeff G.
QUOTE(mark @ Feb 1 2004, 08:02 AM)
Is there anything I can do to expedite the removal from this list?
How can I report on when I will be delisted?

Having closed the relay, you can ask the Deputies (deputies at spamcop.net) to expedite removal. If they don't remove your IP Address, they should at least be able to tell you when you are scheduled to be delisted (assuming no more reports).
mark
JeffG,
I just wanted to say thanks for your dedication to this thread.
I'm sure you can appreciate our situation as a result of this issue.

Our users cannot send to spamcop subscribers, and it's affecting the normal business activity.
I need to report to our management why this happened, and when it will be resolved.
Is there any way I can determine the status of our ip address in the database.?

If new reports are occurring, then I am not being notified from the arin address you provided.
The link to edit the arin entry doesn't appear to work for me.

I must ensure this issue will be resolved asap. I expect if new reports are occurring, then I will need the full headers to analyse and determine the cause.
If no new reports are occurring, then since when? How much of the 48 hour period has lapsed, or is the counter being reset?

Thanks.
Jeff G.
Mark,

I wish I could help you further regarding this issue. Emailing the Deputies is definitely the way to go in this case. Please do. Thanks!
mark
Ok Jeff,
Can you provide a contact who can assist me further?
Thanks again.
mark
Jeff,
Below is the only information SPAMCOP is providing. Can you tell me how often this posted information is updated?

http://www.spamcop.net/w3m?action=checkblo...=66.241.135.153

A sample sent sometime during the 24 hours beginning Wednesday, January 28, 2004 7:00:00 PM -0500:
Received: from -.-.com (-.-.com [66.241.135.153])-
by -.-.-.- (-.-.-.-.-) with - id -
for <-@-.com>- Thu, - Jan 2004 - -
Subject: business - specialists - id -
From: de.. at ..li.fr
Jeff G.
QUOTE(mark @ Feb 1 2004, 08:35 AM)
Ok Jeff,
Can you provide a contact who can assist me further?
Thanks again.

"deputies at spamcop.net" constructed as an email address.
Jeff G.
QUOTE(mark @ Feb 1 2004, 08:43 AM)
Jeff,
Below is the only information SPAMCOP is providing. Can you tell me how often this posted information is updated?

http://www.spamcop.net/w3m?action=checkblo...=66.241.135.153

A sample sent sometime during the 24 hours beginning Wednesday, January 28, 2004 7:00:00 PM -0500:
Received: from -.-.com (-.-.com [66.241.135.153])-
by -.-.-.- (-.-.-.-.-) with - id -
for <-@-.com>- Thu, - Jan 2004 - -
Subject: business - specialists - id -
From: de.. at ..li.fr

Last I heard, it was as realtime as possible. However, there are sometimes synchronization or propagation delays between the true database and the dns and web representation of its contents. The pages you should be checking are as follows:
http://www.spamcop.net/w3m?action=checkblo...=66.241.135.153
http://openrbl.org/ip/66/241/135/153.htm
http://moensted.dk/spam/?addr=66.241.135.153
mark
Thanks again for the links.
Are you seeing some reason why our IP is still listed at spamcop?
The only place our ip is listed from the links provided is spamcop.
The only information provided with any reference to date is below.
~~~~
A sample sent sometime during the 24 hours beginning Wednesday, January 28, 2004 7:00:00 PM -0500:
~~~~~
This appears to be the same information, and is not being updated.
Are you seeing something I don't?

I have sent mail to the address you suggested, asking for assistance in determining if we are queued for delisting, or if new reports are being added.

I am unable to update the abuse contact info, as the link fails.
http://www.abuse.net/addnew.html

You did provide me with header information that allowed me to find the cause of the listing in the first place. Do you have any additional headers indicating our IP address is still routing spam?
Thanks.
Jeff G.
QUOTE(mark @ Feb 1 2004, 09:38 AM)
I am unable to update the abuse contact info, as the link fails.
http://www.abuse.net/addnew.html

You did provide me with header information that allowed me to find the cause of the listing in the first place. Do you have any additional headers indicating our IP address is still routing spam?

I think John is having some server or connectivity problems with his abuse.net domain. That page is cached at http://216.239.41.104/search?q=cache:gCjG-...&hl=en&ie=UTF-8

I don't work for SpamCop, I am a volunteer. I don't have access to any more information about your listing than you do. I wish I did. Given the timing, I would suspect that there's been at least one mole report in the past 48 hours.
michaell
QUOTE(mark @ Feb 1 2004, 02:38 PM)
Thanks again for the links.
Are you seeing some reason why our ip is still listed at spamcop.
...
Do you have any additional headers indicating our ip address is still routing spam?

The reason your IP is listed is due to spam reports from before you sorted things out.

There aren't any additional headers to show - your IP should be off the list shortly.
mark
Michaell,
I appreciate the reply.
Also, thanks to all for the attention to this matter.

I must congratulate all involved, in providing excellent resources to assist me in resolving this issue.

If I had some assurance that all the necessary steps have been taken to have this IP removed from the spamcop database, I would stop bothering everyone.

Access to the date and time of the last abuse report would prove helpful.
Is this information available anywhere?
mark
Dnsstuff.com reports that our IP is not listed at SpamCop as of roughly 11am est, Feb 1st.

SpamCop website shows the following information for our ip.
~~~~~~~~
66.241.135.153 not listed in bl.spamcop.net

Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users. It has been sending mail consistently for at least 94.7 days. In the past 2.9 days, it has been listed once for a total of 2.8 days

In the past week, this system has:
Been reported as a source of spam less than 10 times
Been witnessed sending mail about 280 times
A sample sent sometime during the 24 hours beginning Wednesday, January 28, 2004 7:00:00 PM -0500:
Received: from -.-.com (-.-.com [66.241.135.153])-
by -.-.-.- (-.-.-.-.-) with - id -
for <-@-.com>- Thu, - Jan 2004 - -
Subject: business - specialists - id -
From: de.. at ..li.fr
~~~~~~~~

I have been asked to interpret the information above.
Please correct me if I have it wrong.

My interpretation of the text above is indicated by the 3 >>> characters.
>>>my comment here.

***********START OF TRANSLATION**************

66.241.135.153 not listed in bl.spamcop.net.
>>>IP address 66.241.135.153 is not blocked by subscribers to SpamCop.

Since SpamCop started counting,
this system has been reported less than 10 times by less than 10 users.
>>>IP address 66.241.135.153 has been reported to SpamCop
>>>less than 10 times, from less than 10 recipients of SPAM.

It has been sending mail consistently for at least 94.7 days.
>>>IP address 66.241.135.153 was first reported to SpamCop 94.7 days ago.

In the past 2.9 days, it has been listed once for a total of 2.8 days
>>>IP address 66.241.135.153 was reported to SpamCop
>>>once in the past 2.9 days.
????????for a total of 2.8 days?????????? ( Please clarify)

In the past week, this system has:
Been reported as a source of spam less than 10 times
>>>IP address 66.241.135.153 was reported to SpamCop less than 10 times
>>>in the past 7 days.

Been witnessed sending mail about 280 times
>>>IP address 66.241.135.153 has 280 SPAM reports logged at SpamCop
>>>in the past 7 days.

A sample sent sometime during the 24 hours beginning
Wednesday, January 28, 2004 7:00:00 PM -0500:
>>>IP address 66.241.135.153 sent the following smtp header information
>>>between Wednesday, January 28, 2004 7:00:00 PM -0500:
>>>AND
>>>Thursday, January 29, 2004 7:00:00 PM -0500:

Received: from -.-.com (-.-.com [66.241.135.153])-
by -.-.-.- (-.-.-.-.-) with - id -
for <-@-.com>- Thu, - Jan 2004 - -
Subject: business - specialists - id -
From: de.. at ..li.fr
>>>The smtp header above has been stripped of all information except the IP
>>>address being tested. The "Received from" indicates the actual sender IP.
************END*******************

Corrections Welcome.
Thanks in advance.
Jeff G.
Corrections follow.

QUOTE
It has been sending mail consistently for at least 94.7 days.
>>>IP address 66.241.135.153 was first reported to SpamCop 94.7 days ago.
>>>IP address 66.241.135.153 was first seen sending email to an SCBL subscriber (looked up using 153.135.241.66.bl.spamcop.net) 94.7 days ago.

QUOTE
In the past 2.9 days, it has been listed once for a total of 2.8 days
>>>IP address 66.241.135.153 was reported to SpamCop
>>>once in the past 2.9 days.
????????for a total of 2.8 days?????????? ( Please clarify)

Fixing "now" as the moment you did the lookup ("roughly 11am est, Feb 1st."):
Some time between 7pm EST on the 28th and 7pm EST on the 29th, a report was filed (evidently by a non-mole).
2.9 days ago (roughly 1:30pm EST on 1/29), the second report was filed (possibly the non-mole one above) and 66.241.135.153 was listed by the SCBL.
2.1 days ago (roughly 8:30am EST on 1/30), the last report was filed (evidently by a mole).
0.1 days ago (roughly 8:30am EST on 2/1, 48 hours after the last report was filed), the listing was removed.

QUOTE
Been witnessed sending mail about 280 times
>>>IP address 66.241.135.153 has 280 SPAM reports logged at SpamCop
>>>in the past 7 days.

>>>IP address 66.241.135.153 was seen sending email to an SCBL subscriber (looked up using 153.135.241.66.bl.spamcop.net) about 280 times total.
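Jeff G.'s correction names the actual query an SCBL subscriber makes (153.135.241.66.bl.spamcop.net), his earlier checkblock output shows the 127.0.0.2 answer for a listed address, and mark's bounce shows the 550 an MTA produces from it. The following is an added example, not SpamCop's code or anything posted in the thread, that ties those together: it builds the reversed-octet name, interprets the answer, and adds the sanity check a subscriber should run before trusting a zone. The resolver is injectable; the answer table below is constructed to match what the thread saw on Jan 30 2004 (66.241.135.153 listed, 142.176.128.51 not), and its 192.0.2.1 entry is an invented bad answer used to exercise the loopback check. Pass socket.gethostbyname, the default, to query the real zone.

```python
import ipaddress
import socket

ZONE = "bl.spamcop.net"


def dnsbl_name(ip, zone=ZONE):
    """66.241.135.153 -> 153.135.241.66.bl.spamcop.net (octets reversed, zone appended)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # raises on garbage or IPv6
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_lookup(ip, zone=ZONE, resolve=socket.gethostbyname):
    """Return the 127.0.0.x answer if ip is listed, else None.

    `resolve` is any name -> dotted-quad callable that raises socket.gaierror for
    NXDOMAIN; the default queries the real zone over DNS."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return None
    # A genuine listing is always a loopback address.  Anything else (a wildcarded
    # or expired zone that has started answering with a public IP) must not block mail.
    if ipaddress.IPv4Address(answer) not in ipaddress.ip_network("127.0.0.0/8"):
        return None
    return answer


def zone_is_sane(zone=ZONE, resolve=socket.gethostbyname):
    """DNSBL convention: 127.0.0.2 is always listed, 127.0.0.1 never.  A zone that
    fails either test is dead or wildcarded and should be removed from the MTA."""
    return (dnsbl_lookup("127.0.0.2", zone, resolve) is not None
            and dnsbl_lookup("127.0.0.1", zone, resolve) is None)


def rcpt_decision(client_ip, zone=ZONE, resolve=socket.gethostbyname):
    """What an MTA says at RCPT time: the 550 from the thread's bounce for a listed
    connecting client, None (accept) otherwise."""
    if dnsbl_lookup(client_ip, zone, resolve) is None:
        return None
    return "550 5.7.1 Rejected: %s listed at %s" % (client_ip, zone)


# Constructed answer table standing in for the zone as the thread saw it.
# The 192.0.2.1 entry is an invented non-loopback answer, not real zone data.
FAKE_ZONE = {
    "2.0.0.127." + ZONE: "127.0.0.2",        # DNSBL test point, always listed
    "153.135.241.66." + ZONE: "127.0.0.2",   # 66.241.135.153 as listed on Jan 30 2004
    "1.2.0.192." + ZONE: "203.0.113.9",      # bogus answer outside 127/8
}


def fake_resolve(name):
    """Offline stand-in for socket.gethostbyname over FAKE_ZONE."""
    try:
        return FAKE_ZONE[name]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    for ip in ("66.241.135.153", "142.176.128.51", "192.0.2.1"):
        print(ip, "->", dnsbl_name(ip), "->", rcpt_decision(ip, resolve=fake_resolve))
    print("zone sane:", zone_is_sane(resolve=fake_resolve))
```

The 48-hour figure in the thread is SpamCop policy, not something the DNS answer encodes: a lookup tells you only whether the address is listed at the moment of the query, which is why the web and DNS views can disagree briefly after a change.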
Jeff G.
Given Michael's previous post, "8:30am" was probably shortly after 10:43am.