Richard W

Forum Admin
Everything posted by Richard W

  1. Richard W

    SpamCop FAQ problem

    Okie-dokie, I've rewritten this FAQ. Critique away!! Richard
  2. Richard W

    SpamCop FAQ problem

    Pretty close, Wazoo. Way back when, I declined the invite to become a deputy, mainly because I was still early in the learning phase of spam fighting. Instead I took on the challenge of the faqs. Deputies at the time were Don, Ellen (I won't remind everyone of her handle since she's now known as Ellen <g>), Michael, Pete, Kevin, Bill and Dollface. I didn't have access to any of the deputy stuff and only I and Julian could access the faqs. (originally they were open to anyone, but Julian closed that door when he made me moderator). A few years ago the invite to become a deputy came again and this time I accepted. Things were fine for a while. I had lots of time for the faqs, newsgroups and deputy functions, but eventually it dwindled down to just Ellen and myself. As the use of SpamCop became more popular and more changes were made, our focus also changed. Ellen had a number of responsibilities added to her duties and the mail queue continued to grow -- to the point that 200 emails per day is not unusual. I still don't know how Ellen manages to accomplish so much in a day, but basically she plugs away through the day and I try to clean up the queue at night, along with the night's mail. Something had to give and unfortunately that ended up being my time spent in the newsgroups (and now the forums). I admit that means the faqs have suffered, but I do still plug away when things are brought to my attention. My "when I have time" does not mean 'when I have time for SpamCop'. It means when I have time for things not directly related to deputy duties. I still spend four to five hours plus per day on SpamCop related things, so it is not a case of my abandoning SpamCop. Since I don't use the mail system to its design capacity, responsibility for the Mail system faqs was handed over to someone else, Slootsky(?). He wrote all the existing mail faqs, but I'm not sure if he is even around anymore.

    As for the remaining faqs, we are in the process of handing that over to someone from Ironport. I'll still have access, but she has been tasked to do a major cleanup. One other thing, Julian pointed out the faq on mole reporting is technically correct, that's why I never changed it again. ISPs are given aggregate numbers for mole reports and they do show up in the BL stats. All reports are weighted as to how they are applied in the listing calculation. spam reports = 1, traps = x and mole = y. Currently y = 0, but that could change. Richard
  3. Under the new system there is no real "upgrade" with accounts. To convert your account to a pay account and do away with the nag screens, simply click the "Preferences" link and "Add Fuel". As long as there is fuel in your account you won't get the nag screen or the ads. Richard
  4. I would take Steve's word on this as an experienced user of the mail system. My post was based on information as I understood it, but I don't have the applied practical experience of working with rules in the system. Richard
  5. Richard W

    New to Spamcop...big problem

    There has been no new spam from your IP in the last three days. My opinion is that you are secure. Richard
  6. Thanks Wazoo. A couple of interesting conflicting statements in the parse. I've sent this latest example to Julian. We'll see what he can come up with. Richard
  7. Richard W

    New to Spamcop...big problem

    Just because they authenticated a mail transmission as "administrator" does not mean they gained administrator access to the machine. The account "administrator" in Exchange and "administrator" in W2000/XP are not the same account and are not accessed the same way and do not necessarily allow them to create users and do other nefarious deeds in the guts of the system. Richard
  8. Your mail was going into held mail because 80.82.140.240 is on the bl. The listing is because you have been reporting the IP yourself, probably because of the aforementioned failure to register the mailhost in your account. The reported spam now parses correctly. I've delisted the IP. Richard
  9. Richard W

    Spamtrap addresses

    A lot of issues and questions have been raised, so I'm not going to quote anyone's post. I'll provide some general information to answer many of these questions, though they may be lacking in depth due to our proprietary information policy.

    What is a spamtrap, what are the qualifications? For SpamCop, spamtrap addresses must be clean, never used addresses. They cannot have appeared publicly in emails, newsgroups, websites, etc. Where a 'catchall domain trap' is involved, any addresses that were ever used are explicitly excluded in the trap feed.

    Where are spamtraps? Spamtraps are located all over the world, in all kinds of different domains. Many of the domains are the property of SpamCop, having been bought or donated by their previous owners. There are also some trusted feeds from outside sources, but they must stand up to the same tests as SC owned traps.

    How are they seeded? The bulk of trap mail received is the result of dictionary attacks, but many trap addresses are also hidden in the source code of various websites. The addresses are not visible in the rendered html of the page (what you view) so no one should have any reason to have these in their address books as a contact address they picked up off a page. The addresses will get picked up by harvesting bots. We do not use the addresses in emails, newsgroup posts, etc., and we do not feed the addresses to forms on websites. If a list operator ends up with one of our trap addresses from a webform entry it is completely by accident. No one monitors the mail received by traps so it would be impossible for a trap address to confirm a subscription to any mailing list.

    Why are so many mail servers suddenly getting listed? I believe Merlyn has made a correct correlation between a currently widespread trojan, bounces to our traps and Ralsky. How they all fit together we're not sure yet, but I am actively trying to get a copy of the trojan so we can put this all together.

    However, the bounces that are causing mail servers to be listed are because of the operators' method of handling mail and bounces. Instead of issuing a 550 during the smtp transaction stage, they are accepting the mail and then bouncing it back to the forged return address. This means the bounce message is coming from "their" server, straight to our traps, resulting in their servers getting nailed and listed. If they rejected the mail during the smtp operation, the bounce would come from the sending machine, not the receiving server -- if there were any bounce at all. Chances are there would not be because most of the sending machines are trojanned hosts, not mail servers. Their purpose is to send mail, not handle bounces so they would just take the dropped connection and move on. This delayed bounce policy is causing problems for mail operators all over the Internet, particularly those domains that are a favorite for forging return addresses such as Hotmail, Yahoo, AOL and MSN. This is discussed in detail at http://www.spamcop.net/fom-serve/cache/380.html

    Will we ever drop a trap? Yes, if we are suspicious as to the address's virginity we may remove an address as a trap. The fact they are being forged into spam or causing problems because of spam related bounces is not reason to be suspicious. Some of the trap addresses have been around for years and do show up on many spammers' lists, millions CDs, etc. I know this doesn't answer all questions or relieve all concerns, but it is what I can offer right now. Richard
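As an added illustration of the point above about in-transaction rejection versus delayed bounces (example code written for this page, not SpamCop's or Richard's): a minimal simulated receiving MX, with constructed hosts, addresses and dialogue (RFC 5737 documentation IPs), showing which machine ends up delivering mail to the forged return path under each policy.

```python
# Added example (not SpamCop's code): a minimal receiving MX that either refuses an
# unknown recipient in-transaction (550) or accepts everything and bounces later.
# Hosts, addresses and the dialogue are constructed for illustration.
TRAP = "never-used@trap.example"    # spamtrap address the spammer forged as the return path
OUR_MX = "198.51.100.25"            # our receiving mail server (constructed)
USERS = {"alice@example.net"}       # the only mailbox that exists here

def smtp_session(policy, dialogue):
    """Feed raw SMTP command lines to the MX; return (replies, dsn).
    dsn is None, or a dict describing the bounce the MX itself would have to send."""
    replies, rcpts, mail_from, dsn, in_data = [], [], None, None, False
    for cmd in dialogue:
        if in_data:                                      # inside the message body
            if cmd != ".":
                continue
            in_data = False
            replies.append("250 queued")
            for r in rcpts:
                if r not in USERS:                       # accepted but undeliverable ...
                    dsn = {"from_host": OUR_MX, "to": mail_from, "about": r}
            continue
        verb = (cmd.split(None, 1) or [""])[0].split(":")[0].upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mx.example.net")
        elif verb == "MAIL":
            mail_from = cmd.split("<", 1)[1].rstrip(">")
            replies.append("250 OK")
        elif verb == "RCPT":
            rcpt = cmd.split("<", 1)[1].rstrip(">")
            if rcpt in USERS or policy == "accept_then_bounce":
                rcpts.append(rcpt)
                replies.append("250 OK")
            else:                                        # refuse now: the sender owns the failure
                replies.append("550 5.1.1 user unknown")
        elif verb == "DATA":
            in_data = bool(rcpts)
            replies.append("354 go ahead" if rcpts else "503 no valid recipients")
        elif verb == "QUIT":
            replies.append("221 bye")
        else:
            replies.append("500 unrecognized")
    return replies, dsn

def trap_sees(dsn):
    """IP the spamtrap logs as the source of what it received; None if nothing arrived.
    A trojanned sender that got a 550 just moves on, so only the MX's own bounce can land here."""
    return dsn["from_host"] if dsn and dsn["to"] == TRAP else None

# Constructed: a zombie host delivering to a nonexistent user with the trap as return path.
ZOMBIE_DIALOGUE = ["EHLO zombie", f"MAIL FROM:<{TRAP}>", "RCPT TO:<nobody@example.net>",
                   "DATA", "Subject: buy now", "", "spam body", ".", "QUIT"]
```

Running `smtp_session` with `ZOMBIE_DIALOGUE` under each policy shows the 550 path producing no bounce at all, while the accept path makes our own MX the host that connects to the trap.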
  10. Richard W

    New to Spamcop...big problem

    216.114.75.99 delisted on Wednesday morning and then relisted Wednesday afternoon because more spam was relayed to traps. As someone else mentioned, see http://www.spamcop.net/fom-serve/cache/372.html. According to dsbl.org, they relayed through your server authenticating as "administrator". You probably have/had a weak, default or non-existent password on that account. We've seen no new spam for 27 hours, so I trust that shutting down authentication has solved the problem. Based on that, I've delisted your server. If you turn authentication back on, make sure to check your administrator and all default accounts and make sure the guest account is disabled. Richard
  11. Richard W

    No Links found

    We can't do anything without seeing the complete spam, as the headers play a big part in what will/won't parse. It seems this would be a good example of what we've asked for samples of in http://forum.spamcop.net/forums/index.php?showtopic=1549
  12. Richard W

    SpamCop processing delay

    I had a look through your account and see only one report that you have cancelled. There are five reports sitting in there waiting for you to review and send and there are two reports from Friday that timed out of the system. The time delays are a known issue, but a cause hasn't yet been pinpointed. Julian and Michael are working on it as I type. Richard
  13. Mailhosts is a function of the Reporting system, while the mail is held by the mail system. The mail system can't see your settings in the reporting system, so this isn't possible and vice versa (other than you can import your held mail into the reporting system). I'm not sure if what you want to do is available through whitelisting, but I don't think so. Richard
  14. Richard W

    Our mailservers blocked

    Handled by email. Richard
  15. A problem seems to have developed very recently with the reporting system accessing the various databases needed to bring up user accounts, as well as report history information. I've set off the pagers to get Julian's or Michael's attention for a fix ASAP. This is generally a communication problem between the servers and does not mean any information has been compromised or lost. Richard SpamCop Deputy
  16. To clarify, when you report spam that shows mail being relayed, and it's the first time SpamCop sees that host as a relay, it will send the IP to ORDB for testing. You can 'uncheck' the box to send it for testing, but it will be offered up for testing every time you submit spam until you give in. Once sent, SpamCop remembers and will never send it again. Richard
  17. Richard W

    Cannot report message

    Gary, if you want us to have a look at this, post some tracking urls or send your username to us at the deputies address. Best guess without more information is the only IP addresses in the headers you are submitting are all IANA reserved internal network IPs.
  18. Richard W

    More about Freeserve...

    Yes, I have had many discussions with their admins without success. The problem isn't so much with the number of spammers or amount of spam, rather it's with the way their servers are set up that is affecting their other users. If they would follow the example set by other webmail providers, i.e. Hotmail, Yahoo, etc., and add a received line showing the IP address of the user connecting to their system, the user's IP would end up listed and not their servers. As it is, SC can only trace the spam back to the Freeserve servers, so their servers get identified as the source and wind up listed when the stats exceed the listing thresholds. BTW, this is the same issue as with the LaPoste and Rain.fr servers. It must be a European thing ;-)
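An added, simplified model of why the missing Received line matters (example code written for this page, not SpamCop's parser): it walks a constructed header chain (RFC 5737 documentation IPs) outward from the recipient's own servers and reports the source IP, once with and once without the webmail provider's user-IP line. The chain-consistency rule used here is an assumption that stands in for the fuller checks a real parser applies.

```python
# Added example (not SpamCop's parser): a simplified Received-chain walk showing
# why a webmail provider's extra Received line changes which IP gets blamed.
# Headers are constructed; IPs are RFC 5737 documentation addresses.
import re

PROVIDER_HOP = ("Received: from webmail.provider.example (webmail.provider.example [198.51.100.10])\n"
                "    by mx.recipient.example with ESMTP; Mon, 1 Jan 2007 10:00:00 +0000\n")
USER_HOP = "Received: from [203.0.113.5] by webmail.provider.example with HTTP; Mon, 1 Jan 2007 09:59:00 +0000\n"
BODY_HDRS = "From: someone@provider.example\nSubject: test\n"
WITH_USER_LINE = PROVIDER_HOP + USER_HOP + BODY_HDRS      # provider records the connecting user
WITHOUT_USER_LINE = PROVIDER_HOP + BODY_HDRS              # provider's server is the last visible hop

HOP_RE = re.compile(r"from\s+(.*?)\s+by\s+(\S+)", re.I | re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold(headers):
    """Join folded continuation lines so each header field is one string."""
    out = []
    for line in headers.splitlines():
        if line[:1] in " \t" and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def hops(headers):
    """(from_host, from_ip, by_host) for each Received: field, newest first."""
    result = []
    for field in unfold(headers):
        if not field.lower().startswith("received:"):
            continue
        m = HOP_RE.search(field)
        ip = IP_RE.search(m.group(1)) if m else None
        if m and ip:
            result.append((m.group(1).split()[0].strip("[]"), ip.group(1), m.group(2)))
    return result

def trace_source(headers, my_mailhosts):
    """Walk outward from the recipient's own servers. A hop is followed only if its
    'by' host is one of ours or is the host the previous hop said it came from
    (assumed consistency rule); the 'from' IP of the last followed hop is reported."""
    source, expected_by = None, None
    for from_host, from_ip, by_host in hops(headers):
        if by_host not in my_mailhosts and by_host != expected_by:
            break
        source, expected_by = from_ip, from_host
    return source
```

With the user-IP line present the walk reaches 203.0.113.5; without it the trace stops at the provider's server, 198.51.100.10, which is the address that would accumulate the reports.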
  19. Richard W

    I'm VERY angry!

    We've tried :-( Richard
  20. Richard W

    Did mistake reporting spam :-(

    The IP timed off the BL because the last report was for mail received 3.3 days ago. There was no manual delist done. I have flagged your IP as a trusted relay, which is a temporary fix, but the other problems should be done as a permanent fix. Richard