hbutz

116.1.100.251 not properly blocked

I subscribe to the China country blocklist, yet received spam unfiltered from 116.1.100.251. This IP is in China. I received a quick response from the owner of the list after explaining the problem. He says,

Then check your setup, it resolves as it should:

apj[at]zaphod:~$ host -t any 251.100.1.116.zz.countries.nerd.dk

251.100.1.116.zz.countries.nerd.dk descriptive text "cn"

251.100.1.116.zz.countries.nerd.dk has address 127.0.0.156

apj[at]zaphod:~$ host -t any 251.100.1.116.cn.countries.nerd.dk

251.100.1.116.cn.countries.nerd.dk descriptive text "Your IP is in cn, rejected based on geographical location"

251.100.1.116.cn.countries.nerd.dk has address 127.0.0.2

Henry


Hi, Henry!

...Personally, I don't think I can help you but I'm pretty sure that those that might be able to do so will need some additional information. I'd suggest you look at [How-to] Post a Question (and prevent stupid/rude answers). Also helpful will be for you to tell us what Operating System software and version and e-mail client software and version you are using.

Hi,

This is in regard to the blacklist filtering on Spamcop which is independent of my email software. I am looking at my held mail folder vs my inbox folder at webmail.spamcop.net. Held email displays the reason why it is held in (parenthesis). I had expected email from the IP address of China to display (blacklist.china), but instead it displayed () nothing.

Henry

...I am looking at my held mail folder vs my inbox folder at webmail.spamcop.net. Held email displays the reason why it is held in (parenthesis). I had expected email from the IP address of China to display (blacklist.china), but instead it displayed () nothing. ...
Thanks for the clarification Henry, this belongs in the SpamCop Email System & Accounts forum where other users who know that system can respond. Alas, I am not one. Moving it there with this post. [edit - beaten by Wazoo who was nowhere to be seen but, like a stooping falcon, snatched it away while I was yet fumbling with the controls. Ah well.]

I can confirm the countries.nerd.dk blocklist is functioning exactly as they said it does for that IP address. For a Windows system you can check that, for any IP address, from the command prompt with nslookup, any time you want. I can tell you how if you want. It seems to me that if the message was moved from your inbox to your held mail (is that what you are saying?) then the filtering is working and something in your filters or SpamAssassin did that (that is before it got to the blacklist.china). But I don't use the mail system so I'm just supposing. If that message was in your inbox (was it?) then I am completely off target.

Someone who knows will answer, when they can.

This is in regard to the blacklist filtering on Spamcop which is independent of my email software. I am looking at my held mail folder vs my inbox folder at webmail.spamcop.net.

And with that remark, this is being moved out of the SpamCop DNSBL Help Forum section and moved to the E-mail System & Accounts Help Forum section, with a repeated nod to Steven's suggestion/link about what to include in a query here.

OK, and now my edit: once again, a specific request for a Tracking URL. As Farelf states, if the e-mail in question is in fact in the Held Folder, something happened. Your question seems to be "what happened" and the prevailing winds here suggest that the answer should be hiding in the Disposition Line: in the headers .... but at this point, only you can see those.

Here is what I have observed. In webmail.spamcop.net, inbox, I saw a spam email. I manually moved it to my held mail folder. Then, from mailsc.spamcop.net I looked at held mail. It displayed () meaning that the email was not recognized as being associated with any blacklist. I processed the spam and it told me that the originating IP was 116.1.100.251. This IP should have been blocked by China country blacklist, but instead it appeared in my inbox.

This is independent of the operating system I am using. I am using webmail.spamcop.net. I was just curious as to why it was not held in my held mail folder since the China blacklist is functioning?

First, any message that was not trapped by the SpamCop filtering system, but was moved there by other means will display the () reason because the header used to fill that space is not there.

A possible reason it was not caught... perhaps the lookup, when performed by the SpamCop system, was too slow and did not return in time.

Since I turned on greylisting (again) I have not received a spam message in over a week. I know I have seen spam caught by that BL in the past, however.

This is in regard to the blacklist filtering on Spamcop which is independent of my email software.

<snip>

...No, actually, it isn't, this (that the email software you are using is SpamCop e-mail) is a highly relevant datum! For one thing, it told us that this was about SpamCop e-mail, which significantly increases the number of people here who are likely to be able to help you (other users of SpamCop e-mail).

Here is what I have observed.

From what I observed .. user Registers so as to Post a query. Several Topics and Pinned items were ignored in the haste to make the Post (into a non-relevant Forum Help section.) Several folks responded, suggesting a look at those previously ignored items that identify several items desired when asking a 'good' question. My last even went on to specifically identify the request for a Tracking URL. All of this activity has thus far also been ignored.

Then we go to the changing story. First post said the e-mail was found in the Held Folder ... a further 'explanation' now states that the user moved that e-mail to the Held Folder him/herself.

I was just curious as to why it was not held in my held mail folder since the China blacklist is functioning?

You can continue to be curious, we could all wonder, but .... with no actual data to work with, none of this is going to get anywhere close to an actual answer or solution.

You have yet to identify in your explanations/definitions exactly how the e-mail made it to your SpamCop e-mail account, as yet another for instance of other things involved besides the parser output. Once again, a Tracking URL would have reflected this data without having to go on and on and on and getting nowhere.


This is the Tracking URL for the email at issue:

http://www.spamcop.net/sc?id=z3281085810zf...d944bbddfd6de2z

These are the relevant header lines:

X-spam-Status: hits=6.9

X-SpamCop-Checked: 116.1.100.251

They tell me that SpamAssassin looked at the email, but didn't flag it as spam, and the IP filter looked at the headers and didn't flag the email as coming from China. The email was delivered to the user's Inbox.

And last, but not least...

I want to give a big Thumbs-Up to Wazoo for adding a positive and cheerful tone to the discussion by taking time to point out the user's various mistakes, failures, and omissions.

- Don D'Minion - SpamCop Admin -

Here is what I have observed. In webmail.spamcop.net, inbox, I saw a spam email. I manually moved it to my held mail folder. ...
Ah, definitely sounds like a lapse with the filter, but ... much still unknown. You should heed the requests to provide more information - presumably you reported it as spam through SC and can provide a Tracking URL which will answer much of what needs to be known (and that Wiki entry explains why it is key). Getting to the URL from your "Past reports" Report ID is mentioned in the Wiki entry with a link pointing to FAQ Entry: Getting a Tracking URL from a Report ID.

Since SC moved from the cn.rbl.cluecentral.net blocklist to cn.countries.nerd.dk in 2006 the reliability of the China blocking has improved greatly. But there could be an individual mail server playing up or some other explanation which your data might/should reveal and there is a possibility that it would affect others (so 'we' really want to know about it). At the least we might be able to work out why it didn't work for you.

[Ah, while writing Don has chipped in with the 'tracker' (thanks for that), so filter7 missed picking up the listing of 116.1.100.251 in cn.countries.nerd.dk. I have to type faster!]

Now there are ways you can keep that stuff out of your inbox in future, resetting your spam threshold, greylisting (as mentioned by Steven Underwood), maybe more, but that doesn't answer why 116.1.100.251 slipped through. I wonder if filter7 still misses it (or anything else in inetnum: 116.1.0.0 - 116.1.255.255)? Or if we know how long that range has been in cn.countries.nerd.dk? Presumably other mail is (still) being blocked by reference to "blacklist.china" in your account?


http://www.mxtoolbox.com/SuperTool.aspx?ac...3a116.1.100.251

It looks like 116.1.100.251 isn't on the Nerd China list.

Well, that contradicts the original post as well as my own testing:

C:\Users\sunderwood>nslookup 251.100.1.116.zz.countries.nerd.dk

Server: resolver1.opendns.com

Address: 208.67.222.222

Non-authoritative answer:

Name: 251.100.1.116.zz.countries.nerd.dk

Address: 127.0.0.156


I think zz.countries.nerd.dk is a country lookup list, not a DNS Blocking List.

127.0.0.156 is China

According to Nerd.dk...

http://countries.nerd.dk/more.html

"Recently, a zz.countries.nerd.dk zone has been added, enabling you to do a single lookup and find the country of a given IP address - the zz-zone uses ISO 3166 Number codes encoded in the last two octets of the reply, for example a lookup of an IP address in Denmark would give a reply of 127.0.0.208 (208=Denmark), while a US IP would give 127.0.3.72 (3*256+72=840=USA)"

- Don D'Minion - SpamCop Admin -

And according to the SpamCop BL list selection page, we are supposed to be using the specific country lookup (where this IP is also listed):

China (the country) cn.countries.nerd.dk countries.nerd.dk/more.html

C:\Documents and Settings\sunderwood>nslookup 251.100.1.116.cn.countries.nerd.dk

Server: dc1.carroll-ent.com

Address: 192.168.4.1

Name: 251.100.1.116.cn.countries.nerd.dk

Address: 127.0.0.2

If the OP has "China (the country)" selected, and if this is not a recent addition to the nerds listing (no indication either way), the message should have been sent to the Held Mail folder. To figure out why it was not would likely require a look at the mail server logs which would mean either JT or Trevor needs to look at it (unless you also have access to the mail server logs that I am unaware of).
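
The two lookups compared in the posts above, as an added example that is not part of the original thread: it builds the reversed-octet query names, decodes the zz-zone reply into its ISO 3166 numeric code, and cross-checks that against the cn zone. The `resolve` callable, `check_ip`, and the `SAMPLE_DNS` table are assumptions made for illustration; the table is constructed from the answers shown in the thread so the code runs without touching DNS.

```python
import ipaddress

ZZ_ZONE = "zz.countries.nerd.dk"

# Constructed stand-in for live DNS, using the answers shown in the thread.
SAMPLE_DNS = {
    "251.100.1.116.zz.countries.nerd.dk": "127.0.0.156",
    "251.100.1.116.cn.countries.nerd.dk": "127.0.0.2",
}


def dnsbl_name(ip, zone):
    """Build the query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def decode_zz(reply):
    """Return the ISO 3166 numeric code carried in the last two octets."""
    octets = [int(part) for part in str(ipaddress.IPv4Address(reply)).split(".")]
    if octets[0] != 127:
        raise ValueError("not a DNSBL-style 127.x.x.x reply: " + reply)
    return octets[2] * 256 + octets[3]


def check_ip(ip, cc, numeric, resolve):
    """Cross-check the per-country zone against the zz zone for one IP.

    resolve(name) is a hypothetical callable returning the A record as a
    string, or None when the name does not exist.
    """
    zz_reply = resolve(dnsbl_name(ip, ZZ_ZONE))
    cc_reply = resolve(dnsbl_name(ip, cc + ".countries.nerd.dk"))
    country = decode_zz(zz_reply) if zz_reply else None
    listed = cc_reply == "127.0.0.2"  # the listed answer seen in the thread
    return {"country": country, "listed": listed,
            "consistent": listed == (country == numeric)}


if __name__ == "__main__":
    print(check_ip("116.1.100.251", "cn", 156, SAMPLE_DNS.get))
    # A filter reading an out-of-date copy of the cn zone would see no record:
    stale = {k: v for k, v in SAMPLE_DNS.items() if ".zz." in k}
    print(check_ip("116.1.100.251", "cn", 156, stale.get))
```

A result with `consistent` set to false means the two zones disagree about the same address, which points at the data source the filter is reading rather than at the list itself.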


Please feel free to ignore this. I'm floundering around like a carp out of water.

I'm thinking that we need JT or Trevor on this.

- Don D'Minion - SpamCop Admin -

...

C:\Documents and Settings\sunderwood>nslookup 251.100.1.116.cn.countries.nerd.dk

Server: dc1.carroll-ent.com

Address: 192.168.4.1

Name: 251.100.1.116.cn.countries.nerd.dk

Address: 127.0.0.2

...

Yep, I replicated all of the results from the list owner, reported by the O/P, with nslookup (address, type=a - which is the nslookup default - and text, type=txt, FWIW) not long after he first posted them - as my post then implied - and the 127.0.0.2 address on the "a"/default lookup on cn.countries.nerd.dk is apparently the critical test, going by the discussion when that "China" list first replaced the previous one back in 2006. It follows that the list consultation on filter7 (at least) was not to the list then current OR it snuck through just before a hypothetical update to the list OR there is something more generally wrong with filter7 OR something else I can't imagine.

If anyone is seeing successful .cn filtering in the 116.1.0.0 - 116.1.255.255 range (which is unlikely to be a recent allocation to .cn, I would think) through filter7, then that might answer a few questions. But I guess many are using greylisting these days and never see such stuff. I'm thinking JT probably needs to be tipped off there is a possible problem with filter 7, supported by the detail of the O/P's sighting, unless there is more that can be found. I suppose more research is possible on the IP address range just to confirm its allocation has not been moved recently (looks to me like the entire range is currently on cn.countries.nerd.dk, as appropriate).

[deleted (quotes, responds to, deleted text)]

...I'm thinking that we need JT or Trevor on this.
Well, thanks for the tracking URL Don, we would have been fairly much stalled well before this without that.

I have emailed JT at support[at]spamcop.net. It may be premature - we haven't even asked the O/P (Henry) to check the remote possibility he has the spam source (somehow) whitelisted (well, unnecessary I'm thinking but confirmation would be nice) - but, who knows, may be further data to support some niggling suspicions JT already has about the particular server or bl access.

...I have emailed JT ...
Update from JT:

The rsync server for that domain has stopped updating. I've queried them to find out if it can be restarted. Otherwise, we will have to start querying the zone differently.

So, big thanks to hbutz (Henry) for flagging this one - other members would be affected by it also (and not just on filter7). Sounds like it will be resolved pretty quickly. If Henry or anyone else could confirm when it comes good, that would be cool.
