snowman

Everything posted by snowman

  1. Using the example below; assuming an IP is getting blacklisted by spamcop, which IP is it, and why? How do the headers point to the guilty server? These are real, except I masked the guilty servers out of course. I am confused as to which IP is the problem source. The first? Or the last who touched the email before arriving at my server?
     ===============================================
     Microsoft Mail Internet Headers Version 2.0
     Received: from a-server.somewhere.com ([55.66.77.88]) by nowhere.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 11 Oct 2006 12:45:28 -0700
     Received: from b-server.somewhere.com (b-server-34ds.somewhere.com [33.44.55.66]) by a-server.somewhere.com (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Apr 15 2004)) with ESMTP id <2A35FAS2LMJJHG0[at]a-server.somewhere.com> for me[at]nowhere.com; Wed, 11 Oct 2006 13:47:07 -0600 (MDT)
     Received: from bill ([11.22.33.44]) by b-server.somewhere.com (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Apr 15 2004)) with ESMTP id <2A35FA32LKJLL99[at]b-server.somewhere.com > for me[at]nowhere.com; Wed, 11 Oct 2006 13:47:07 -0600 (MDT)
     Date: Wed, 11 Oct 2006 12:47:06 -0700
     From: bill <bill[at]somewhere.com>
     Subject: You just got a raise!
     To: <me[at]nowhere.com>
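As an added illustration of how a receiving server reads a Received chain like the one in this post (example code written for this page, not SpamCop's parser and not anything the poster ran), the Python below parses those headers and walks them from the top. It assumes a simplified trust model: every MTA prepends its own Received line, so the receiver believes only lines written by its own hosts, and the first connecting IP outside that set is the handoff point a receiver-side report would name. The header text is a constructed copy of the post's headers with the forum's [at] obfuscation and masked IPs kept as quoted; the host names and trusted sets come from the post. This trust walk is a general approximation of the "last address not considered forged" idea discussed in the thread, not SpamCop's actual algorithm.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Set

# Constructed sample: the Received headers quoted in the post above, one header per
# line (the second one folded across two lines as mail software does), with the
# forum's "[at]" obfuscation and the poster's masked IPs left exactly as quoted.
RAW_HEADERS = """\
Received: from a-server.somewhere.com ([55.66.77.88]) by nowhere.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 11 Oct 2006 12:45:28 -0700
Received: from b-server.somewhere.com (b-server-34ds.somewhere.com [33.44.55.66])
    by a-server.somewhere.com (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Apr 15 2004)) with ESMTP id <2A35FAS2LMJJHG0[at]a-server.somewhere.com> for me[at]nowhere.com; Wed, 11 Oct 2006 13:47:07 -0600 (MDT)
Received: from bill ([11.22.33.44]) by b-server.somewhere.com (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Apr 15 2004)) with ESMTP id <2A35FA32LKJLL99[at]b-server.somewhere.com > for me[at]nowhere.com; Wed, 11 Oct 2006 13:47:07 -0600 (MDT)
Date: Wed, 11 Oct 2006 12:47:06 -0700
From: bill <bill[at]somewhere.com>
Subject: You just got a raise!
To: <me[at]nowhere.com>
"""


class Hop(NamedTuple):
    from_host: str           # name the connecting side announced; easily forged
    from_ip: Optional[str]   # connecting IP as seen by the MTA that wrote the line
    by_host: str             # the MTA that wrote this Received line


FROM_RE = re.compile(r"^Received:\s+from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 folded headers: a line starting with whitespace continues the previous one."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        elif line.strip():
            lines.append(line.rstrip())
    return lines


def parse_received(raw: str) -> List[Hop]:
    """Received hops in header order: index 0 was written by the final receiver,
    because every MTA prepends its own line on top of those already present."""
    hops: List[Hop] = []
    for line in unfold(raw):
        m = FROM_RE.match(line)
        if not m:
            continue
        by = BY_RE.search(line)
        by_host = by.group(1) if by else ""
        # Only look for the bracketed IP in the "from" clause, before " by ".
        ip = IP_RE.search(line[: by.start()] if by else line)
        hops.append(Hop(m.group(1), ip.group(1) if ip else None, by_host))
    return hops


def handoff_ip(hops: List[Hop], trusted_hosts: Set[str],
               trusted_ips: Iterable[str] = ()) -> Optional[str]:
    """Walk outward from the receiver. A Received line is believed only if one of
    our own hosts (lower-case names in trusted_hosts) wrote it; everything below
    the first untrusted line may be forged. The first connecting IP that is not
    one of our own addresses is the handoff point a receiver-side report names."""
    ours = set(trusted_ips)
    for hop in hops:
        if hop.by_host.lower() not in trusted_hosts or hop.from_ip is None:
            return None          # written by someone else: nothing further is trustworthy
        if hop.from_ip in ours:
            continue             # an internal relay handing to another of our hosts
        return hop.from_ip
    return None


if __name__ == "__main__":
    chain = parse_received(RAW_HEADERS)
    for hop in chain:
        print(f"{hop.by_host:28s} received from {hop.from_host} [{hop.from_ip}]")
    print("receiver nowhere.com sees handoff from:",
          handoff_ip(chain, {"nowhere.com"}))
```

With only nowhere.com in the trusted set, the walk stops at 55.66.77.88: that is the only address the receiver observed directly, and the two inner hops are claims made by somebody else's servers. Only an operator who also trusts a-server.somewhere.com (and its address) can walk one hop further, to 33.44.55.66, which is why the outermost relay of another network is what a receiver sees, whatever sits behind it.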
  2. Actually I did get a great deal of help from all of you. You gave me direction as to where to continue my inquiries about spamcop. I have a very real problem and I am trying to understand how to fix it - not just get delisted because a stupid user is out of control. Maybe it's not the kind of help you normally give to people who have had their server listed, but in my situation it was very helpful indeed. I am very thankful for the time people took to answer.
  3. I am used to building and deploying large secured and trusted systems. It seems to me from personal experience and the discussion here that spamcop relies on untrusted data and possibly inaccurate data in a lot of cases where the site in question is not participating in the collection of bad emails. We all know spamcop has a hair trigger and is really good at catching obvious spam. But this hair trigger is probably also its greatest weakness when it lists servers that it would not list if it had more information about the volume and quality of the outgoing email. My guess, and it is only a guess, is that if you statistically analysed the spamcop algorithm you would find that people who participate in the collection of data about email on their servers get the best results from the spamcop blacklist. This is because you contribute to the bad email profiles. Conversely, if you do not participate in collection of data about email you can get blacklisted for false positives more easily. So the question remains, how does a legitimate email relay server like my example at the start of the thread send to spamcop data about the good emails it processed, so when a bad one comes along it is reviewed in the proper volume context?
  4. This is what I meant: (http://email.about.com/cs/spamfightingtips/qt/et061201.htm)
     Report spam with SpamCop
     To submit a correct and efficient spam report using SpamCop:
     1. Open the source of the junk email in your email program.
     2. Highlight the full source and press Ctrl-C (Windows), Command-C (Mac) or Alt-C (Unix) to copy.
     3. Paste the source of the spam you received in the SpamCop input field.
     4. Press Process spam.
     5. Click Send spam Report(s) Now.
  5. That is not what I am asking exactly. My question centers around the fact that if a server has lots and lots of good-not-reported email and a few bad-reported emails, how does that server make sure that spamcop knows about the good when it does its calculations about listing? Clearly 3 bad out of 7,000 good does not mean much of a problem. Just because somebody labels a message as spam using an email tool does not mean it really is. Some stuff is obviously spam, and everybody knows that, but there is a lot that can go either way depending on the receiver's attitudes, as I am sure we can all agree.
  6. So I gather that the right answer depends solely on what spamcop knows about the various IPs along a message's path at the time the message is being transmitted. That makes sense now that you have all explained it. Also it is clear that an IP of a server can sometimes be clean with no reports and sometimes be listed because of user reports. Another question if I may: if a server relays >7,000 non-spam, not-reported-as-spam messages an hour, and maybe a few (<3) reported-as-spam messages in the same hour, how does one make sure that the spamcop system knows about the good? It is being told about the bad reported-as-spam by humans somewhere, and they may not be real spam, just that somebody labeled them as spam with one of the email tools. If the overwhelming majority of the messages go to other domains that do not report good messages, then the 3 can look like a lot if they all went to some poor soul at a single domain. How does one make sure spamcop knows about the good messages?
  7. Thanks. That gives me more information to review and things to ask questions about. I will go look at the DNS entries and see how the system as a whole is set up. One thing you wrote surprises me: that the last address considered NOT to be forged is the one that spamcop picks. It would seem to me (in a general way of course) that there are two kinds of spam messages. One that is purposely forged and overtly designed to fool a server into delivery. The second, one that is really 100% correct in the headers and comes from real servers but just has spam in the message because some computer has been compromised on an otherwise valid network. Would the second kind be most likely to trigger a false positive?
  8. Amazing assumptions. I actually read for 2 hours before I posted today. ALL the FAQs I could find. That is not counting countless hours of studying the subject over the last year. I don't understand why you want to argue about the header data. It is exactly the same as the email except for the IP and server names. Why can't somebody explain the spamcop logic of determining what server sent the email that caused the complaint? Is this a big secret or something? Are you mad at me for asking questions or at the question itself? This logic has to be well understood by somebody. If you Google the topic "spamcop parser" you will read two opinions. The first is to report the first server to touch the data from the sender, and the second the last server to send it to the recipient server, both ignoring the middle relay servers. I don't know which is best, I just need to know what the programmers at spamcop think is best. What do they do, and why, if that is possible. It will help me determine if the headers are formatted correctly and spamcop's parser can handle them correctly.
  9. What parser? Is there a tool that answers my question about who gets listed in the blacklist using the headers? Can you post the URL for me and I will go play with it for a while. About the games, just because it's a computer does not mean you or I can slander the owner by posting their IP addresses all over the place. Some respect is required even if the system owner has made a configuration mistake - or maybe they did not and it is the spamcop code that is incorrect. Could be, it has happened before. Why are you so defensive anyway? It is just a computer.
  10. Actually you're wrong. But I would have guessed that same answer. So we both got fooled. Spamcop set 55.66.77.88 as blacklisted. It is the last server to touch the email before it was delivered to the email system that rejected it using spamcop. I have not removed any trust factors or text to play games here. I just replaced the IP and server names to hide the ISP. I also replaced the email server with a Microsoft Exchange Server - Microsoft SMTPSVC to hide the ownership out of courtesy. We are just solving a technical problem here, not starting a war! 55.66.77.88 is a firewall/bridgehead server that has 7 or so large email servers behind it. Over 8,000 emails an hour go through the 55.66.77.88 server and it got listed because an ISP customer somewhere behind the two layers of email servers sent a spam message. Thus this message was blocked by a-server. Maybe there was lots of spam through 55.66.77.88, who knows to be honest, but is 10, 100 or 1000 lots if you send over 100,000 good ones? I don't think so. However the point is why list the firewall/bridgehead IP? Should spamcop not list the actual source and be more accurate? Nail the spammer instead of a firewall/bridgehead? Can anybody tell me why this is the case? Is there something wrong with these headers that the ISP servers made? Format maybe, that caused such a problem in the parsing?