Hi there,

One of my organisation's two MXes (203.2.32.108) has been listed in the SpamCop blacklist today, apparently for sending misdirected bounces, according to the lookup tool on the SpamCop website.

It's true - that server does send bounced email. It sends bounced email for unknown recipients, and for over-quota local users. We also use vacation messages. I don't yet have recipient whitelisting set up on our MXes, and don't use SPF or DKIM. I'd like to do these things, but I'm a Unix administrator, and email administrator is one of the many hats that I wear. Anyway...

I'd like to know if it's possible to find out exactly which bounces are causing me to get into the SCBL? Is there a web-based interface to do this? Also, can I find out if there are any user reports that have been lodged for this box?

Finally, a bit off-topic, but what measures would the gentle readers suggest for reducing bounces, other than recipient whitelisting, SPF and DKIM?

Thanks in advance,
G.

http://spamcop.net/w3m?action=checkblock&ip=203.2.32.108
203.2.32.108 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 0 hours.

Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
It appears this listing is caused by misdirected bounces. We have a FAQ which covers this topic: Why auto-responses are bad (Misdirected bounces). Please read this FAQ and heed the advice contained in it

Listing History
System has been listed for less than 24 hours.

http://www.senderbase.org/?searchBy=ipaddr...ng=203.2.32.108
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day ......... 4.1 .. 173%
Last 30 days ... 3.7 ... -0%
Average ......... 3.7

Can you justify that last day incease?


You've pretty much covered the entire gamut of 'bad' stuff .... stuff that was fine until the spammers started abusing it a few years ago ...

That's a bit of a bad question based on the data showing at http://mailsc.spamcop.net/sc?track=203.2.32.108

Parsing input: 203.2.32.108
host 203.2.32.108 = atom.scu.edu.au (cached)
host 203.2.32.108 = atom.scu.edu.au (cached)
Routing details for 203.2.32.108
Cached whois for 203.2.32.108 : mpowell[at]alsvid.une.edu.au
Using last resort contacts mpowell[at]alsvid.une.edu.au
mpowell[at]alsvid.une.edu.au bounces (19 sent : 10 bounces)

Using mpowell#alsvid.une.edu.au[at]devnull.spamcop.net for statistical tracking.
Statistics:
203.2.32.108 listed in bl.spamcop.net (127.0.0.2)
More Information..
203.2.32.108 not listed in dnsbl.njabl.org
203.2.32.108 not listed in dnsbl.njabl.org
203.2.32.108 not listed in cbl.abuseat.org
203.2.32.108 not listed in dnsbl.sorbs.net
203.2.32.108 not listed in relays.ordb.org.

No valid email addresses found, sorry!

There are several possible reasons for this:
The site involved may not want reports from SpamCop.
SpamCop administrators may have decided to stop sending reports to the site to prevent listwashing.
SpamCop uses internal routeing to contact this site, only knows about the internal method and so cannot provide an externally-valid email address.
There may be no working email address to receive reports.

Add this to the "ignore the FAQ" scenario and you have a mess in our hands. Spamtrap data is not handed over freely, and the public availability of this data was removed due to spammers working and abusing the system ... How to ask for any 'official' help is covered in the FAQ ....

The only data available 'here' would be;


You're pretty much wasting everyone else's time if you're not going to look at the FAQ, look at the same ground covered in countless previous discussions, etc., etc., etc. Reject at SMTP receipt if you are not going to actually deliver the e-mail to a local user.

Ummm... don't know if you meant to use the word 'justify' here... perhaps 'explain'?

And no, I can't explain it either. Maybe IronPort could, given that it's their statistic



OK, thanks for that - I wasn't aware of that bad address - I'll fix it.

Are you saying that it's bounces to this address that caused this host to get listed in the SCBL?



OK, message understood. Just thought people might add an acronym or two to my short list for me to go and check out further.

Thanks for your reply.

Regards,
G.

No, but that's been preventing notifications to you and/or your admins of problems.OK, here's one: stop sending UUBE.

Helpful, thanks.

I meant 'justify' .... One reason may have been that another server was shut down and that traffic is now going through this server. Another might be that a monthly mail-list may have been sent out yesterday, thus bumping up the 'last 24 hour' statistic. The bad situation is that spammer is using/abusing this server. So the question was "Can you justify those numbers?" suggesting that you'd have researched where they were coming from, noting if there might be an association with getting listed on the SpamCopDNSBL.

Numbers today seem to show that the flow has not reduced, possibly taking the 'monthly mail-list' out of the equation .... you would/should know if servers have been reassigned/re-routed .... so that last scenario is still out there waiting for the results of your investigation ....

OK, using your words, can you explain why that server generated 173% more traffic yesterday than is normally seen coming from it?

Well, the server did generate around 3 times the amount of bytes on Monday compared to Sunday. The 'bytes sent out' figure varies by a magnitude of around 3 over the last 10 days - on a weekday, the bytes sent out is around 3 times what it sends out on a weekend, which makes sense, given that there are no staff here on the weekend.

Sorry for getting tetchy on the word 'justify', but to me, to 'justify' something means to explain why you've done something wrong. I don't see how the fact that my server has sent 3 times more traffic on a Monday than a Sunday is 'doing something wrong'

And after all, apart from sending bounces, the machine isn't sending spam, i.e. it isn't an open relay, and no-one at our workplace sends spam through it.

Regards,
G.

Hi, G!
...You seem to be using a different dictionary than I am. To me, "justify" simply means to explain something, whether that something is in fact right or wrong or even whether you have done it or someone else has. See, for example, http://dictionary.reference.com/browse/justify.
...In this case, I, personally, would accept your justification -- I think you have explained the observation of the increase in server activity, thereby justifying it....IMHO, that's like saying, "apart from the 50 bank robberies my buddies and I have committed over the past week, we are not thieves." <g>...That isn't the definition of spam. Spam is e-mail that someone receives that she or he did not request.

No, we're using the same dictionary. To quote from http://dictionary.reference.com/search?q=justify :
"1. to show (an act, claim, statement, etc.) to be just or right: The end does not always justify the means."

To have to show that you're right, someone must have claimed that you were wrong. As I said, I don't think that the fact that the server in question has sent out 3 times more traffic on a Monday than a Sunday is 'wrong'. And further on this, the statistic is IronPort's. They don't have a sniffer sitting next to my server, although I would agree that the statistic is a fair indication of the change in traffic coming from this server. The server isn't in any blacklists for sending spam, but regardless of that, to me this statistic bears no relation to whether the server is sending spam or not. I'm well aware that if it does start sending spam (apart from bounces), it will quickly make it into the blacklists.

Re: the '50 bank robberies' statement, yes, I know, the server does send bounces. Yes, I'd prefer that it didn't, at least not 'user unknown' bounces. And yes, I'll stop it doing that when I can.

Ciao,
G.

I'll admit that I'm not really following your numbers .. but what I'm looking at is your "more traffic Monday than Sunday" .. butnoting that the fisures being talked about are described as "Vol Change vs. Average" with the specifics of "last day" compared to something more than 30 days ..... having a bit of a hard time relating the two "statistic descriptions" ...???

as above, Monday versus Sunday is your interpretation ... I see it as an increase 'today' over what the "average" has been for something in exxcess of 30 days (seeing as how 30 days has its own stat) ....
If your issue with "justify" was that you felt you had to explain to "me" ... well, I could basically care less. The question was whether you could justify that "last day" (now extending a few days more) increase over what that server had been seen sending out. If you could, great. I don't think you have yet, suggesting that there is someone else using that server for whatevver reasons .... Again, I don't need an answer, I was just pointing at the what the data suggested.

To use your interpretation, can you justify why there is still the increase showing as compared to Tuesday versus Monday?

Yet, the server got listed due to some 'bad' traffic ...????

Yeah... I dunno, the stat is IronPort's - I don't know how they come up with it... I guess from all their appliances out there.


Do you mean you couldn't care less? Fer chrissake, let's forget the whole 'justify' issue, and IronPort's statistic along with it


Yes, bounces to a spamcop.net spamtrap, apparently.

http://forum.spamcop.net/scwik/SenderBase

I'm just a SpamCop.net user, volunteering my time and knowledge here.

That statistic you are trying to ignore is trying to tell you there is more traffic coming from your machine than is normally seen on average.

...And to use a less-offensive (to you) word for what we're asking you to do: are you able to explain to "our" satisfaction why there seems to be so much more traffic than "normal" coming from that machine (as I said, I'm satifsfied, but I don't' really count because I'm not nearly as knowledgeable as others here who can help you if you are willing and able to cooperate by answering their questions)? Thanks!