Everything posted by jseymour

  1. My hosting company (Site5) does not appreciate the importance of rejecting bad email addresses at the SMTP level. Instead, they accept all messages and then generate a new bounce if the recipient is unknown. I'm sure we all know the problem with this method. Site5 is running cPanel and uses the Exim mail server. Does anyone know if this combination can be made secure with regard to invalid recipients? If it can, I'm going to try to get them to set it up properly. If it can't, I'll be looking for a new hosting company... (Their response to my problem ticket was not promising: "It is fairly common behavior for a server to accept a message and then bounce it after the fact as long as the domain is configured on the server.") -Jim Seymour
  2. jseymour

    Can cPanel/exim REJECT unknown addresses?

    Thanks. Unfortunately, I don't have access to cPanel. I believe my hosting company (Site5) uses cPanel, but the interface they provide to us is something they developed on their own. The closest analogy I see is in my "Email Forwarders" settings - where I have my wildcard address set to ":fail: No Such User Here". However, the mail server still accepts all incoming messages and then generates a bounce after-the-fact. Your reject entry above doesn't speak to me, either. I don't see a three-digit response code - which begs the question: Is this an SMTP reject or a "bounce" message? Finally, I sent a suggestion to Site5 that they should fix this deficiency, but they have (so far) ignored me. When my renewal comes up, I am considering switching to a more email-friendly host (if I can find one).
  3. jseymour

    Can cPanel/exim REJECT unknown addresses?

    Thanks. I did a search before posting and didn't see anything that looked useful. There's a lot of information available about how to set up an RBL (including the thread you pointed me to). However, I've not seen anything about rejecting based on recipient information. Part of my problem is that I'm a little out of my league. I'm familiar with mail servers in general (having run a couple of Postfix servers for several years), but I have no clue about cPanel and Exim. Based on the Exim documentation I've seen, it appears to be possible - but I don't know if cPanel provides access to the appropriate option(s).
  4. I don't recall seeing that before. However, I usually Quick-Report my Yahoo! messages, so I don't normally see that level of detail. Ah, yes. It took me a while to grok what you were saying... If you follow the tracking URL and take the link to "View entire message", you can see my spamcop.net address plain as day - even though the same line is excised from the parse details. spooky. Is somebody doing something about this? I send all my messages unmunged, so I'm willing to take the risk of exposure there - but I'd rather not have my email addresses available to web crawlers...
  5. I have a Yahoo email address that is forwarded to my Spamcop account (I pay Yahoo for the account and have set up automatic forwarding). When I report spam that comes through that path, the reports often go back to Yahoo, not the true originating IP. It appears that Yahoo is sending through a series of IPs in the 216.39.53.* net and Spamcop's Yahoo mailhost does not know about them. I've seen ~50 different IP addresses used out of 63 messages in the past four weeks. What's the procedure for getting these IPs added as legitimate? Here are a couple of recent examples: Email from 216.39.53.112 / 11 Apr 2006 04:45:08 -0000 http://www. spamcop.net/w3m?i=z1716073746za...035a895230d10bz Email from 216.39.53.98 / 10 Apr 2006 13:00:42 -0000 http://www. spamcop.net/w3m?i=z1715137723zb...d545b68362fef4z Moderator Edit: link broken as they were not Tracking URLs, rather "Abuse Center" links for an ISP to take some action on the 'report' ....
  6. It looks like there are still some snags in this setup. On Wednesday, I reported a spam which came through Yahoo and the parser stopped at Yahoo. Here's the tracking URL: http://www.spamcop.net/sc?id=z933518046z01...7f7b5594d6c4b4z However, today it seems to be parsing properly, so I'll have to write this one off as a one-time hiccup.
  7. And thank you for helping resolve this.
  8. Sorry about the URLs. I thought the ones I had were tracking URLs. These should be better: http://www.spamcop.net/sc?id=z921034990zeb...66a415eb63ac58z http://www.spamcop.net/sc?id=z921034979z73...1ff86cf7d98e64z http://www.spamcop.net/sc?id=z920842227z1b...ff6121ade8c2b5z All three of these look to me as though the Received lines go back through Yahoo, yet Spamcop stops at the Yahoo IP since it's not on the list. I've gone through the mailhost configuration, but none of the test messages went through 216.39.53.* so nothing changed in my mailhost setup. Am I right in assuming that Spamcop maintains a list of "Yahoo" IP addresses and when a test message goes through one, it adds the list to your mailhost config?
  9. jseymour

    Another virus false positive?

    Thanks. That's a very cool resource! I sent it the picture and the entire email and it found nothing (as expected).
  10. Awhile back, I posted a query about Spamcop's incoming virus filters catching (and silently discarding) phishing attempts. This was confirmed by the support folks. While this is annoying, it's not a huge deal. I keep copies of all email that my system forwards to spamcop, so I can manually drop the phishes into my "Held Mail" folder and then report them. It's an extra step - but it doesn't happen often enough to be a major hassle. However, today, a friend sent me a forwarded, tasteless picture that vanished into the Spamcop blackhole... My suspicion is that Spamcop's mail system decided it was a virus and silently deleted it, which begs the question: What criteria does Spamcop use for silently deleting a message? I understand (and agree) about deleting viruses - but this kind of false positive seems like something is misconfigured. (While the picture was tasteless, the message itself was harmless - a 2-part MIME message: one part plain text, the other part a JPG with a Michael Jackson joke). Additional technical details for those who care: I run two mail servers (one at home and one at work). Each system forwards certain messages to accounts at spamcop.net. In the case of my work email, Spamcop then filters the messages and returns the good ones back to a "secret" account on my mail server. This all works quite well - but outages in the past have made me paranoid, so I have a second copy of all such messages delivered to a special local holding account. The servers are running Mandrake Linux 9.1 and Postfix 2.0.6 and I have two different Spamcop accounts (one for each server).
  11. jseymour

    Another virus false positive?

    I don't think so. The subject didn't mention Michael Jackson at all.
  12. Twice in the last few days, I have received phishing attempts to an address that my mail server forwards along to Spamcop. In both cases, the message never appeared in my "Held Mail" folder - just as if it were a virus (but it's not). I checked my mail server logs and the forwarding was accepted by Spamcop's mail server with a 250 response. (In the past, I've noticed some forwarded messages are rejected by Spamcop, but this is not the case here). This makes me think it was either a couple of transient flukes, or Spamcop is doing some content-based silent rejection - which seems counter to the intent of spam reporting. Anybody see something similar? The two phishes were for Citibank and eBay respectively. Here's the tracking URL for the most recent one: http://mailsc.spamcop.net/sc?id=z732343727...07bcff545d55b3z
  13. Indeed. I did send an email to JT back in February (with the Subject of "Phishing attempts being silently deleted?"), but saw no response. After a few more phishes went missing, I tried the deputies. I didn't mean to sound like I was complaining about a lack of response. It's true, I got no "official" response to repeated postings here and one email - but I never considered this issue to be "grave", so I tried not to make a fuss. Sorry if I breached some etiquette by going to the deputies to get a resolution...
  14. For those keeping score at home, these vanishing phish emails keep showing up. I finally contacted the deputies and got an answer confirming that they are being deleted by the anti-virus software. It's not quite what they want - but apparently, it's not something they can change. Since I don't receive a lot of these, I can live with that explanation. It's frustrating, but since I keep local copies of all messages that I forward to Spamcop, I can still manually report the ones that go into the A/V black hole.
  15. And it keeps coming... http://www.spamcop.net/sc?id=z752359153ze3...e169f4bcde127bz I just can't understand why these are being deleted. There's no active content that I can see, so I don't believe they are being rejected as viruses. It seems that either there's a bug somewhere or Spamcop has made a conscious decision to delete phishing attempts.
  16. These are still infrequent, but I've seen about four over the last couple weeks. Here's another: http://www.spamcop.net/sc?id=z737269217z42...4a5a14fbd9ee5cz My system received this phish attempt this morning at 06:39:20. It was forwarded on to my Spamcop account two seconds later. Spamcop accepted the message with a 250, but it never showed up in my Held Items (nor was it returned to me). It is as if this phish was treated as a virus and deleted silently - which (to me) is a bug. I asked support[at]spamcop.net about this, but got no response.
  17. Got another one today. http://www.spamcop.net/sc?id=z733637039z71...3c56cc535f06e0z The message was silently deleted by Spamcop when my mail server forwarded it. I had to copy the message (using IMAP) into my Held folder so I could report it. Does Spamcop think this is normal? Is deleting phish attempts the desired behavior? Or is this a bug? I can see why Spamcop would get skittish about these messages, though. This one was peppered with links to valid eBay pages - and so I had to go through and uncheck several boxes before filing the reports. The casual user probably wouldn't bother, which would result in erroneous reports.
  18. Once in a while, I get a spam that generates a "third party" report to mrbooger2002[at]yahoo.com. I always uncheck the boxes. I figure if he uses such a goofy email address, he's probably not serious about spam fighting. Anyone else seen this? Is there a way to report suspicious third parties to Spamcop? Here's a recent tracker: http://www.spamcop.net/sc?id=z733490170z76...593bb9bb26729fz
  19. Thanks for the reply. If anybody inside Spamcop sees this as a problem, I'd be happy to supply snippets of mail logs if that will help.
  20. Quick reporting sends a report only for the source of the message. It does not examine the body to report any websites. It still feeds the blacklist, though, so I consider it an adequate substitute if you don't have time to do "full" reporting. (I will usually pick and choose certain messages for full reporting, then quick-report the rest). The biggest problem with quick-reporting (and reporting in general) is that Spamcop occasionally hiccups while traversing the Received: lines and incorrectly determines a legitimate relay as the source. The point of mailhosts is that you identify who is supposed to relay your messages. In the simplest case, you tell Spamcop who your ISP is. If a message arrives from the ISP, then Spamcop knows to keep going back when studying the Received lines. It is meant to minimize these hiccups and make quick reporting safer...
  21. This has been asked for many times and never implemented. I conclude, therefore, that it is either very difficult or the powers-that-be don't think it's important. I agree, though, that it would be nice. The big problem, though, is that people make stupid mistakes. If submissions are easier, then those same people can make those same stupid mistakes on a grand scale, and this degrades the quality of Spamcop reports. For those who are careful, the "quick reporting" feature is probably the best compromise. OK, so it looks like Steve beat me to the punch and said essentially the same things I did... But dammit! I'm posting this anyway since it's all typed up...
  22. jseymour

    SPF Rocks!

    This, by itself, is not very meaningful. Does it also not block legitimate mail? Don't get me wrong. I like SPF (though I haven't implemented it, yet). But aren't there a *lot* of people who haven't published SPF records?
  23. jseymour

    Drop in submissions?

    Well, one of my accounts has seen a noticeable decrease in spam. I suspect listwashing - but who knows? Also, Spamcop has had some hiccups recently. Perhaps reporting efficiency was hit hard enough to explain the lower numbers for June?
  24. jseymour

    new look!

    Assuming you mean the "Site Style" drop-down... with Mozilla (1.7), the change was instant. There's no need for a Submit button. I don't see that - or I don't understand what you're seeing. I agree. I like the new look.
  25. As I recall, Julian added an SPF record for reports.spamcop.net because nobody is supposed to be sending mail with those addresses except for Spamcop's servers. However, spamcop.net by itself is set to "v=spf1 ?all" - which is as it should be (since people send using their spamcop.net addresses from all over the world).