Hi Guys,

Background:
We run a small "virtual" ISP for pharmacy (retail) businesses.
Most clients are NATted behind FortiGate firewalls but some demand public IPs.
Note: its currently very hard to get public IPs so NATting is an easy choice.

However most SMTP traffic comes out of one IP (210.11.58.16), hence we are vulnerable to any SPAM from the 3000 sites behind this address.

Our details:
Blocked IP: 210.11.58.16

Actions performed:
We changed the outgoing SMTP rules to "drop" any detected SPAM messages instead of just marking them as SPAM.

Several questions:

How do you register your admin details for an IP address / range?
Our range is owned by a large telco (connect.com.au). the SPAMCOP "potential admin address" listed the connect.com.au address, however they don't care about our issue. How can i get SPAMCOP's list to know we're the admins for that IP range.

How sensitive is the blocking?:
According to the daily report, we've sent 24 messages to the trap since the 6th.
I would not think this is a huge amount as we blocked about 30 a minute on the firewall.

Are the details even correct?
Viewing the report, the % increase changes on each refresh, although the message states SPAMCOP has not received a message in the last 4 hours. How accurate/inaccurate is this stuff???

Are detected SPAM counted?
I noticed some reports listed "detected" SPAM where our severs listed [SPAM] in the header with an explanation? Is the only safe option to drop SPAM messages (not just mark the subject or MIME header)?
I thought this was not good practice (for false positivies)?

How can i get details of the alleged SPAM?
I don't seem to be able to find any evidence of activity (from SPAMCOP) apart from a "count". What details can i get to help track the messages?

I am not going to be very helpful to you because I am not a server admin, but I might be able to give you some information.

First of all, SPAM is the Hormel trademark for its meat product. spam is unsolicited email.


IIUC, what you were doing before was sending messages marked as 'spam' to other people? Usually, I think, incoming email is tagged as 'spam'. Any outgoing messages that look like spam are dropped and the account closed.


The 'detected' spam in the headers was probably placed there by the incoming server of the reporter's email service. The reporter then reported it via spamcop. Many people prefer to 'tag' incoming email as spam to avoid false positives. Myself, I prefer that it be returned at the server level so that the sender knows it wasn't delivered. (It can't be returned after acceptance because the spammer has forged the return path.)


You mentioned a 'report' above. If the server admin who is getting the reports is passing them on to you, then you should have the entire headers and be able to identify whoever is getting reported. Perhaps you have a rogue pharmacy (one of the more popular spams) or a compromised computer on your network since you are identifying outgoing mail as spam.

Generally, however, the problem is spam trap hits and spam traps do not send reports. The spam trap hits come from misdirected bounces and other auto replies. If some of your clients are using out of office replies indiscriminately and notifying all those forged addresses, that could account for being blocked. You won't get any details about spam trap hits except the subject line or information except what type of auto reply it looks like.

The rest of your questions would be better answered by someone else.

Miss Betsy

Thanks for that useful bit of information. I did assume most people on this forum were not looking for a meat fix, but were intelligent humnan beings. How wrong was I!


Because these blacklists are NOT perfect and legitimate emails might get blocked. Hence why I am posting this message. We don't manage the server doing the sending but provide the network the send via. I understand the reason for blocking the marked messages, but a flawed method is still a flawed method, no matter how you justify it.


So basically the system is easily mistaken as it only takes into account the messages that hit the trap, not proportional to the legitimate traffic from that IP. right?
24 messages in 3 days doesn't seem to be a reason to distrupt my business.

more than likely. I have scheduled techs to visit a few sites with high SMTP traffic to check their systems, but again..

we have around 3000 sites using this firewall with an average of 5 PCs per site.
We sent 24 messages to the trap in 3 days.
15000 PCs sending 24 messages in 3 days?

Do we get notification when we are blocked? No.
Do we get any/sufficent warning to prevent an issue? No
Once a mistake is found, can are IP be quickly removed form the list? No

We're doing our best to react to issues as they appear but incidents like this only force our clients to presume its the anti-SPAM systems that at are at fault.
Hence they request to be completely unfiltered on public IPs. How is this better?

No, because Hormel protect their trademark, Miss Betsy was simply acknowledging their rights in the capitalised version of the word.

The system reports:

210.11.58.16 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 21 hours.
Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

That suggests you have a continuing problem with misdirected messages reaching spam traps. So, either your mail servers are sending junk to spam trap addresses or you are accepting messages from spammers and then bouncing them back to the forged addresses in their headers. Either will get your ip added to the blocklist. Based on that listing other ISPs are choosing to reject any Email arriving from your ip.

Senderbase statistics show a large change in the volumes of mail passing through your ip. That may indicate a wider problem.

Volume Statistics for this IP
....................Magnitude Vol Change vs. Average
Last day............4.2 742%
Last 30 days......3.3 ........-8%
Average 3.3

Have you seen the FAQ entry on misdirected bounces? http://www.spamcop.net/fom-serve/cache/329.html

If you address that problem then you may well find you resolve the issue completely. You need to drop any spam and all undeliverable messages at the SMTP stage rather bounce them back.

Andrew

Guys (and girls) ...thanks again for the trademark lesson, but can we keep to the topic please.

I have blocked all outgoing spammessages. Apart from stopping all SMTP traffic form my clients (or reading each email), what else can i do?

Our Fortigate clients update (at least) hourly, so 99.999% of spam (you'll note the lowercase) will be blocked.
How can I get updated statistics to ensure the measures are working at SPAMCOP's end?


I generated the report manually after finding our IP blocked. Noone sent it to me.
This is what is says:

210.11.58.16 Nov 6 06h/1 24 0 0 0 blocklisted
nus138540-5.gw.connect.com.au

This is basically all the information i've got to go by. I've only got one report (i chose the hourly option).

I would suggest that you are pulling bits of facts in from all over the place and trying to use enough of them to try to start some kind of argument. That's pretty much a lost cause.

There is the SpamCop FAQ available here that a lot of folks spent time on trying to build and populate with answers to Frequently Asked Questions. You make it appear that none of that was looked at before posting.

One if those FAQ items is titled "What's on the list?" .... I suggest you takie a look at that before continuing to try to waste everyone else's time in here.

Are you going to try to address the traffic increase noted by agsteele?

The ISP Account / Control Center / Summary Report has become such an issue that a Wiki page was created last week to address some of those issues.

Our 30 day average is down 8%. Its only the last day that has increased.

i have blocked multiple clients completely.
I have changed all outgoing rules to drop messages.

i'd love to get ANY details on this so i could address it.
i need information on what SPAMCOP is seeing, especially recently.
Are the changes having any effect? I have to wait 24 hours to see if a single percent value is going up or down...not really proactive?

Note: the traffic leaving the firewall has dropped dramatically (5% of this morning AEST)
However i haven't seen a drop in the percentage reported.

Is the "day" calendar day based or a rolling period?
Is the "day" for US timezones only?

I hope these questions are not wasting your time. i searched the FAQ and count not find any helpful answers.

Question:

Lookup julianhaight.com (same IP address as bl.spamcop.net) and it has a 1205% increase in the last day.
yet it is not blocked.

How do they get around it?
Note: i found this while checking the IP 216.127.43.94 (which bl.spamcop.net resolves to).

You are looking at SenderBase data. You are then complaining about SpamCop.net data. Notice how the spelling changed between those two company names.

"last 24 hours" does usually indicate some correlation to "a day" in most parts of the world.

I can't guess at what you might mean by "search the FAQ and can't find any helpful answers" .... compounded by then asking more questions that are in fact within the previously referenced FAQ, Wiki, etc.
If "What's on the list?" didn't help, what about the "Why am I Blocked?" entry, also available as a separate Pinned item?

Your answer on the increased traffic seen in the last 24 hours really doesn't say much .... what was that massive increase all about? (again, trying to relate it from your perspective to "24 spamtrap hits")

Sorry I was replying to the quoted statistics you and Andrew provided (which were from SenderBase).
I can't actually find any stats or details for SPAMCOP.

I understand why the IP was blocked and hopefully fixed the issue.
But i would now like to move forward with determining whether the fixes has worked.

That's good. Thanks for the information. Have you contacted deputies[at]spamcop.net to check the messages that are hitting spam traps? If they are satisified that you have fixed the problems then they can sometimes be persuaded to de-list your ip early.

They can also provide a general indication of the nature of the messages received.


The percentages I referred to are from SenderBase rather than SpamCop. I believe that the algorithms for calculating what will happen to your listing and when are different on Senderbase.


This is a good question and which, sadly, I don't have an answer to. I see that the daily increase on Senderbase hasn't changed since my earlier post. The SenderBase pages give a general explanation of how the calculations work but little else. Of course, if averaging is involved then even a 100% reduction in traffic will only reduce the average by half. But the question is a good one to understand the information provided.

I understand the SpamCop calculations are dynamic and respond to the number of reports received and spam trap hits recorded.

You may wish to know that you are also now listed on the CBL blocklist - http://cbl.abuseat.org/lookup.cgi?ip=210.11.58.16 but it looks like you'll delist very soon.

I see your SCBL time out has increased by an hour to 22 hours so that suggests you are still bouncing stuff which is hitting spam traps I'd suggest the deputies would be the best port of call for information on the messages involved.

Andrew

Thanks for your help Andrew.

I'm hoping the "day" period is calendar based so it will reset after midnight (US time i assume).
It hasn't moved since all the changes made.


Yeah. the CBL list is on and off this afternoon. We're off the list, but SenderBase still lists us as on.

If you know of any further details /stats for SPAMCOP, can you list them here?
this is the only details i have
http://www.spamcop.net/w3m?action=checkblo...ip=210.11.58.16

It only mentions that "22 hours" timeframe.

Because the hits are linked to spam traps you'll need to contact the deputies. Even paying contributors don't have access to greater detail.

You coud sign up for an ISP account but that really dones't provide a great deal more information :-(

Andrew

Since those of us on the forum can only see the same data you see, there is no way that we can help you here. A lot of the data is 'not there' because spammers were using it to game the algorithym and the deputies will not tell you anything more about spam trap hits, apparently, than the subject line and what type of email is causing it.

As someone told you, the paid deputies are the only ones who can give you any help in determining if the problem has been fixed without waiting to see if the IP address delists and then if it relists. Be sure you load your first email to them with all the data that they might need and also that you show that you are the admin in charge of the IP address.

I sure hope that you have found the problem and fixed it. a spamcop listing is often an early warning system that something has gone wrong and, if the problem is addressed, prevents a listing on other lists which are not dynamic.

Miss Betsy

PS I know correction about the Hormel trademark seems off topic, but they have been really good sports about their trademark being used for unsolicited email and just ask the difference in capitalization.

Ok, you still haven't addressed the misdirected bounce scenario which is the most likely cause of your listing, so I will ask the question directly. What happens if I send a message to one of your customers domains to a non-existant address?

Do you reject it during the SMTP transaction with a 500 error, guaranteeing that it goes to the original sending server?

Do you accept the message, and then generate a new message to the (probably forged) "FROM" address stating that it wasn't delivered?

If you are doing the later, then those non-delivery messages are going to people who didn't initiate any communication and are by definition unsolicited and reportable, and are almost guaranteed to cause you to be listed in numerous blocklists.

Note: I tried testing this, but 210.11.58.16 does not accept incoming connections on port 25, so I'm guessing incoming mail is handled by a different server than the outgoing. Which could still indicate a problem if the bounces are routed through the regular outgoing email. I would be happy to test the bounce behavior if you provide me with the IP for the incoming SMTP server.

You are now also listed on the UCEProtect.net blocklist

http://www.uceprotect.net/en/rblcheck.php?ipr=210.11.58.16

And also dnsbl.net.au

http://www.dnsbl.net.au/lookup/?210.11.58.16

Andrew

Data point: 1500 GMT -6
http://spamcop.net/w3m?action=checkblock&ip=210.11.58.16
210.11.58.16 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 12 hours.

Still only showing spamtrap hots as the issue.

http://www.senderbase.com/?searchBy=ipaddr...ng=210.11.58.16
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day ........ 4.2 .. 744%
Last 30 days .. 3.3 .... -9%
Average ........ 3.3

Traffic is still "up" .. actually increased a bit since the last data seen/posted.

Who is actually on 'control' of that server? the firewall?
Just noting that the 'decrease' you've noted in direwall traffic doesn't seem to match the SenderBase data ... so where else might traffic be leaving this IP address that is bypassing the firewall?

Yet another data point;
Report on IP address: 210.11.58.16

Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day ....... 4.3 .. 782%
Last 30 days . 3.3 .... -6%
Average ....... 3.3

traffic still going up ...?????

Yes, i asked for an explanation/report. We only have 1 hour before we're delisted on SPAMCOP so that indicates the changes we made yesterday fixed the issue.

However some systems may continue to report our ip for a time to come.

FYI: SPAMCOP emailed me the email title. I traced the issue to 7 emails sent from one site.
The tech found 5 virus on one of their PCs (a POS register) which are now removed.

Along with the other changes made to our policies i can assure you we will be delisted once the backlog settles down.

Also FYI:

We are lised on two blacklists currently SPAMCOP and and UCEPROTECT1
http://www.dnsstuff.com/tools/ip4r.ch?ip=210.11.58.16

However UCE only delist after 1 week or if you pay them.
So again i think it may just take time for old traffic reports to disappear.

7 e-mails????

Once again, I point to the FAQ that you could find nothing of value in .... SenderBase's "Magnitude" Explained ..... a Volume of 4.3 equates to something over 20,000+ e-mails a day ...???? Pretty darn hard to work your 7 and the 20,000 into the math found at What is on the list? .... same information avaulable on the SCWiki, in a bit of a different format, seeing as how you don't like the FAQ ....

and just in the time it tool me to make this post (and edit it) ...
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day 4.3 783%
Last 30 days 3.3 -6%
Average 3.3

Still on the rise .....

Yes SPAMCOP listing is based on traps. and yes there have only been 7 emails with that title sent in the last week to the trap. This will not be inidcative of the volume as a whole, but of the count of messages that caused the issue.

SenderBase is a different thing. I haven't got any details to go on from them apart form the %.
I agree their rating would be on different metrics, but i've got no details.

It would be great if you could drill down to an hour by hour count/percentage or at least provide a trend.
Of course their rating is also based on reports not traps (??), so an email sent last week could still be report today?

I await their reply.

Geeze ..... spamtrap hits are but one variable in the formula .....

The FAQ, the Wiki, etc. etc. etc. never mind web-sites ... SenderBase data is yet another variable in the formula

????? "trend" is still going up ... listing on the SpamCopDNSBL is based on the math involved of the 'total traffic seen' and the traffic reported/spamtrap hits .... this information is available in many FAQ entries .... all you are really saying thus far is that the spamtrap addresses are not currently being hit .. you haven't said squat about any justification for the traffic increase, suggesting that there is still an issue, evidence being somewhere you've not looked at yet ....

Listen DH. i have turned off every NRD , auto reply reply possible. i have added tarpits.
I have blocked every client completely. i have blocked ALL outgoing SMTP.
I have had tech visit sites to ensure they have update to date protection.

I have NO evidence that the statistics are current or just an delayed effect. I have queried SenderBase about this. no reply yet.
As you noted in the previous posts, this is different to SPAMCOP.

YES i have acknologed we had a problem but i can only assume it is fixed. Hence our pending delisting on SPAMCOP (any minute now).

If you haven't got anything helpful to provide, please do not reply to this post.
I am not finding your replies very helpful or proactive.

???? not even going to try to guess at what DH means ....
the point is, as shown all along, the SenderBase data is "live" .... if you truly "shut down all SMTP, that 'last day traffic' should start going down rapidly ...... http://www.senderbase.com/?searchBy=ipaddr...ng=210.11.58.16 .. you can check it yourself also ...

0433 GMT -6
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day 4.3 784%
Last 30 days 3.3 -6%
Average 3.3

0504 GMT -6
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day 4.3 787%
Last 30 days 3.3 -6%
Average 3.3

An email sent last week would not 'count' on the scbl. The algorithym for the scbl only counts reports (whether from spam traps or reporters) dynamically, in real time, according to the date stamp of when it was sent. Therefore if you have fixed the problem and no more unsolicited emails are being sent, then the delisting process will start. AFAICT, it works by hours (not days). IIRC, there is a lag between what the bl that is used does and what the screen says of whether it is still listed when it gets down to the last few hours. I didn't understand the explanation of why that was so.

I understand your frustration at being listed. However, you have to admit that being listed was a good thing because you were able to clean several computers of viruses. I do hope that the Senderbase stats that Wazoo has posted don't mean that you missed one or two.

Miss Betsy

Thanks Miss Betsy

although we have full antivirus and spam scanning active on all ports, we have basically blocked all client services.

They can only use the proxy and our DMZ mail server (which all ports are activily scanned with ForitGate and reported on using FortiAnalyser).

Out of 15000 PC at client site, its inevitible that another will get a virus (not matter what we do at the network edge). However all ports are blocked so it shouldn't cause further issues (note before we noticed it anyway).

Believe me, i've had directors and store owners complaining to me all day about the new restrictions, so i know its working.

I also checked reports from the Network (connect.com.au) and they back me up that the traffic has reduced (to normal levels).

Again. Hence why i have attempted to contact SenderBase to get some details of detected messages to invesigate.

Note: we are now delisted with SPAMCOP, so i assume this topic is closed.

0705 GMT -6
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day 4.3 792%
Last 30 days 3.3 -6%
Average 3.3

And up yet another point at this d/t. Something strange with SenderBase? Considering http://www.dnsstuff.com/tools/ip4r.ch?ip=210.11.58.16+ shows just one other DNSBL http://www.uceprotect.net/en/rblcheck.php?ipr=210.11.58.16 which offers up the (days old, I guess) dataMaybe that would have been useful a day or two ago. But note, again, spamtraps being hit.

Reading other peoples posts and i noted they get all sorts of strange values out of SenderBase.

I can only guess that it takes time to collected and complile their "3 billion messages daily".
Unless they have a farm of servers that make goolge look small??

It valuable data, but at this point its just a single percentage figure that i've got no data for.
Its a shame they don't have any forums themselves.

Just got a reply from IronPort.


Being the 10th now, it suggests their data is not realtime but delayed.
they also haven't indicated any further data since the 8th so once again i can only presume the issue is resolved.

I'm a bit disappointed thats all they said.
I requetsed at least one message header to help track the source, but they didn't supply anything but their "comments".

...Not necessarily true. IronPort HQ is in the US, and it's still 9 November here....Information about spam hitting SpamCop spam traps is available only from the SpamCop Deputies (deputies[at]admin.spamcop.net) and as I understand it they will not give you full headers because they must protect the integrity of their spam traps.

Either way, its not real time.

the 8th is when the issue was fixed.
the 8th is when i started this post.

seems like years ago.

Its not SPAMCOP I requested information from, but SenderBase.

According to their "help" information they compile data from 50,000 ISPs and then collate the information.
Anyone thinking they do this in realtime is fooling themselves.

They do not use traps but messages from ISPs.
They are not a blacklist (according to their Help), so they have nothing to protect.

1550 GMT -6
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day 4.3 823%
Last 30 days 3.3 -5%
Average 3.3

Spoke to Patrick from SenderBase.

He emailed me the header from the recent messages.
The timestamp is 08 Nov 2006 01:xx:xx with exactly the same title ("SmallCap vvatch") as tripped SPAMCOP.

Once again, shows the data is still based on the initial outbreak.

This is really getting old ... SenderBase monitors/reports 'traffic' .. SenderBase does not handle SpamCop.net reports (unless they are the recipient of a specific report) ... SenderBase data is just one variable used on the calculation of the tripping point of a SpamCopDNSBL listing, which has nothing to do with SenderBase displayed data.

The traffic reports noted thus far are "real time". Traffic from that IP address is still on the increase, despite you statement that "all SMTP traffic was stopped" (which you then changed a post or two later)

What has yet to be noted is that how, even with all the things you say you've done, traffic could have gone from the approximately 2,000+ e-mails day to 20,000+ a day, and is still increasing. On one hand, it could be that due to your restrictions, more e-mail is being funneled to/through that server because you shut down so many other paths. On the other, as previously suggested, it may be that you have not found the sorce of these extra thousands of e-mails a day ....


Curious as to where you found this data, this explanation .... that number is no where close to other data they provide. Collecting/collating is real time.

Once again, where did you find this information? Monitoring "traffic" is not done by "messages from ISPs"

They also would have to ask SpamCop.net for data dealing with a SpamCopDNSBL listing.

Please stop replying to this post unless you have something productive to add.
I'm quite capable of reading a single percetage figure.

...Sorry, this is a public forum. You don't get to determine who may and who may not reply. Besides, you're addressing the Forum Administrator. It's not a good idea to risk alienating the person who runs the shop (although I seriously doubt that Wazoo would react to your intemperate replies to him by banning you).
...Nevertheless, IMHO you offer good advice to Wazoo albeit for the wrong reason -- he shouldn't be wasting his time replying to someone who isn't interested in his attempts to explain things; he's got far too many useful things to do. <g>

Assume you can, yet .. the question is how to correlate your previous statements of:

i have turned off every NRD , auto reply reply possible. i have added tarpits.
I have blocked every client completely. i have blocked ALL outgoing SMTP.

with the fact that the "last day" numbers are still increasing.

I am still replying (and asking questions) such that some of your misconceptions can be cleared up.

In fact, I just sent an e-mail upstream asking for some input from the paid SpamCop.net staff, as you don't seem to be handling input from other users very well .....

Hey hey! A decrease finally seen!
1739 GMT -5
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day 4.2 732%
Last 30 days 3.3 -3%
Average 3.3

down from 823% at 1550 GMT -6

1540 GMT -6
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day 3.9 266%
Last 30 days 3.3 -5%
Average 3.3

Something appears to have finally been done. Thanks.