andrew.badge

  1. andrew.badge

    Blocked address for NATted firewall (small ISP)

    Please stop replying to this post unless you have something productive to add. I'm quite capable of reading a single percentage figure.
  2. andrew.badge

    Blocked address for NATted firewall (small ISP)

    Spoke to Patrick from SenderBase. He emailed me the header from the recent messages. The timestamp is 08 Nov 2006 01:xx:xx with exactly the same title ("SmallCap vvatch") as tripped SPAMCOP. Once again, shows the data is still based on the initial outbreak.
  3. andrew.badge

    Blocked address for NATted firewall (small ISP)

    It's not SPAMCOP I requested information from, but SenderBase. According to their "help" information they compile data from 50,000 ISPs and then collate the information. Anyone thinking they do this in realtime is fooling themselves. They do not use traps but messages from ISPs. They are not a blacklist (according to their Help), so they have nothing to protect.
  4. andrew.badge

    Blocked address for NATted firewall (small ISP)

    Either way, it's not real time. The 8th is when the issue was fixed. The 8th is when I started this post. Seems like years ago.
  5. andrew.badge

    Blocked address for NATted firewall (small ISP)

    Reading other people's posts, I noted they get all sorts of strange values out of SenderBase. I can only guess that it takes time to collect and compile their "3 billion messages daily". Unless they have a farm of servers that make Google look small?? It's valuable data, but at this point it's just a single percentage figure that I've got no data for. It's a shame they don't have any forums themselves. Just got a reply from IronPort. Being the 10th now, it suggests their data is not realtime but delayed. They also haven't indicated any further data since the 8th so once again I can only presume the issue is resolved. I'm a bit disappointed that's all they said. I requested at least one message header to help track the source, but they didn't supply anything but their "comments".
  6. andrew.badge

    Blocked address for NATted firewall (small ISP)

    Thanks Miss Betsy. Although we have full antivirus and spam scanning active on all ports, we have basically blocked all client services. They can only use the proxy and our DMZ mail server (which all ports are actively scanned with FortiGate and reported on using FortiAnalyzer). Out of 15000 PCs at client sites, it's inevitable that another will get a virus (no matter what we do at the network edge). However all ports are blocked so it shouldn't cause further issues (note before we noticed it anyway). Believe me, I've had directors and store owners complaining to me all day about the new restrictions, so I know it's working. I also checked reports from the Network (connect.com.au) and they back me up that the traffic has reduced (to normal levels). Again. Hence why I have attempted to contact SenderBase to get some details of detected messages to investigate. Note: we are now delisted with SPAMCOP, so I assume this topic is closed.
  7. andrew.badge

    Blocked address for NATted firewall (small ISP)

    Listen DH. I have turned off every NDR, auto reply possible. I have added tarpits. I have blocked every client completely. I have blocked ALL outgoing SMTP. I have had techs visit sites to ensure they have up to date protection. I have NO evidence that the statistics are current or just a delayed effect. I have queried SenderBase about this. No reply yet. As you noted in the previous posts, this is different to SPAMCOP. YES I have acknowledged we had a problem but I can only assume it is fixed. Hence our pending delisting on SPAMCOP (any minute now). If you haven't got anything helpful to provide, please do not reply to this post. I am not finding your replies very helpful or proactive.
  8. andrew.badge

    Blocked address for NATted firewall (small ISP)

    Yes, SPAMCOP listing is based on traps. And yes, there have only been 7 emails with that title sent in the last week to the trap. This will not be indicative of the volume as a whole, but of the count of messages that caused the issue. SenderBase is a different thing. I haven't got any details to go on from them apart from the %. I agree their rating would be on different metrics, but I've got no details. It would be great if you could drill down to an hour by hour count/percentage or at least provide a trend. Of course their rating is also based on reports not traps (??), so an email sent last week could still be reported today? I await their reply.
  9. andrew.badge

    Blocked address for NATted firewall (small ISP)

    Yes, I asked for an explanation/report. We only have 1 hour before we're delisted on SPAMCOP so that indicates the changes we made yesterday fixed the issue. However some systems may continue to report our IP for a time to come. FYI: SPAMCOP emailed me the email title. I traced the issue to 7 emails sent from one site. The tech found 5 viruses on one of their PCs (a POS register) which are now removed. Along with the other changes made to our policies I can assure you we will be delisted once the backlog settles down. Also FYI: We are listed on two blacklists currently, SPAMCOP and UCEPROTECT1 http://www.dnsstuff.com/tools/ip4r.ch?ip=210.11.58.16 However UCE only delist after 1 week or if you pay them. So again I think it may just take time for old traffic reports to disappear.
  10. andrew.badge

    Blocked address for NATted firewall (small ISP)

    Thanks for your help Andrew. I'm hoping the "day" period is calendar based so it will reset after midnight (US time I assume). It hasn't moved since all the changes were made. Yeah. The CBL list is on and off this afternoon. We're off the list, but SenderBase still lists us as on. If you know of any further details/stats for SPAMCOP, can you list them here? These are the only details I have http://www.spamcop.net/w3m?action=checkblo...ip=210.11.58.16 It only mentions that "22 hours" timeframe.
  11. andrew.badge

    Blocked address for NATted firewall (small ISP)

    Sorry, I was replying to the quoted statistics you and Andrew provided (which were from SenderBase). I can't actually find any stats or details for SPAMCOP. I understand why the IP was blocked and hopefully fixed the issue. But I would now like to move forward with determining whether the fixes have worked.
  12. andrew.badge

    Blocked address for NATted firewall (small ISP)

    Question: Look up julianhaight.com (same IP address as bl.spamcop.net) and it has a 1205% increase in the last day. Yet it is not blocked. How do they get around it? Note: I found this while checking the IP 216.127.43.94 (which bl.spamcop.net resolves to).
  13. andrew.badge

    Blocked address for NATted firewall (small ISP)

    Our 30 day average is down 8%. It's only the last day that has increased. I have blocked multiple clients completely. I have changed all outgoing rules to drop messages. I'd love to get ANY details on this so I could address it. I need information on what SPAMCOP is seeing, especially recently. Are the changes having any effect? I have to wait 24 hours to see if a single percent value is going up or down...not really proactive? Note: the traffic leaving the firewall has dropped dramatically (5% of this morning AEST). However I haven't seen a drop in the percentage reported. Is the "day" calendar day based or a rolling period? Is the "day" for US timezones only? I hope these questions are not wasting your time. I searched the FAQ and could not find any helpful answers.
  14. andrew.badge

    Blocked address for NATted firewall (small ISP)

    Guys (and girls) ...thanks again for the trademark lesson, but can we keep to the topic please. I have blocked all outgoing spam messages. Apart from stopping all SMTP traffic from my clients (or reading each email), what else can I do? Our Fortigate clients update (at least) hourly, so 99.999% of spam (you'll note the lowercase) will be blocked. How can I get updated statistics to ensure the measures are working at SPAMCOP's end? I generated the report manually after finding our IP blocked. No one sent it to me. This is what it says: 210.11.58.16 Nov 6 06h/1 24 0 0 0 blocklisted nus138540-5.gw.connect.com.au This is basically all the information I've got to go by. I've only got one report (I chose the hourly option).
  15. andrew.badge

    Blocked address for NATted firewall (small ISP)

    More than likely. I have scheduled techs to visit a few sites with high SMTP traffic to check their systems, but again.. we have around 3000 sites using this firewall with an average of 5 PCs per site. We sent 24 messages to the trap in 3 days. 15000 PCs sending 24 messages in 3 days? Do we get notification when we are blocked? No. Do we get any/sufficient warning to prevent an issue? No. Once a mistake is found, can our IP be quickly removed from the list? No. We're doing our best to react to issues as they appear but incidents like this only force our clients to presume it's the anti-spam systems that are at fault. Hence they request to be completely unfiltered on public IPs. How is this better?