Blacklisted twice can find no cause

[Nevill]

Our gateway 195.11.80.2 has been added to the blacklist twice, we can find no cause on our network and were wondering if non-deliverable replies might be going to honey-pots?

Examples of notifications below.

Your message could not be sent.

A transcript of the attempts to send the message follows.

The number of attempts made: 1

Addressed To: [at]lornies.co.uk

Wed, 14 Oct 2009 10:45:29 +0100

Failed to send to identified host,

[at]lornies.co.uk: [87.246.68.23], 554 5.7.1 Service unavailable; Your message was blocked. Please forward this notice to the provider you used for sending this message. Reason: bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?195.11.80.2 For more info, see https://www.lumison.net/node/218

--- Message non-deliverable.

Action: failed

Final-Recipient: rfc822;[at]carhirescotland.com

Diagnostic-Code: smtp; 550-"JunkMail rejected - mailgate.anderson-partnership.co.uk

550-(anderson-partnership.co.uk) [195.11.80.2] is in an RBL, see Blocked - see

550 http://www.spamcop.net/bl.shtml?195.11.80.2"

Status: 5.0.0

Action: failed

Final-Recipient: rfc822;[at]o2.co.uk

Diagnostic-Code: smtp; 550 mail not accepted from blacklisted IP address, see: http://spamcop.net/bl.shtml [195.11.80.2]

Status: 5.0.0

Is it possible to find more detailed information relating to the e-mail which has triggered our gateway being blocked?

Thanks

Nevill

[Derek T]

Our gateway 195.11.80.2 has been added to the blacklist twice, we can find no cause on our network and were wondering if non-deliverable replies might be going to honey-pots?

You are not currently listed and there are no 'human' reports in the last 90 days so yes, spamtraps are the most likely culprits. NEVER send a new 'undeliverable' message. Reject with a 5xx during the SMTP transaction: that way the true sender gets the notice, not an innocent third party or spamtrap.

Is it possible to find more detailed information relating to the e-mail which has triggered our gateway being blocked?

Drop an email to deputies[at]spamcop.net

[SpamCopAdmin]

Our traps aren't sending any mail to your system, so they shouldn't be getting any bounces. The bounces are being sent "delayed." Instead of refusing mail during the SMTP conversation, the server is accepting mail with forged headers and then later sending a bounce to what it thinks is the sender, but is in reality a forged return address. Delivery failure notices should be sent by the sending server that failed to deliver the message, not by the receiving server that rejected it.

These FAQs offer suggestions about solutions.

http://www.spamcop.net/fom-serve/cache/329.html

http://blogs.msdn.com/tzink/archive/2008/0...ting-to-it.aspx

Misdirected bounces are becoming a *huge* problem. The beleaguered victims of spammer forgery are being inundated with bounces, far in excess of their already overwhelming spam load. Allowing the system to send that mail is just not right.

- Don D'Minion - SpamCop Admin -

.

[Nevill]

Our traps aren't sending any mail to your system, so they shouldn't be getting any bounces. The bounces are being sent "delayed." Instead of refusing mail during the SMTP conversation, the server is accepting mail with forged headers and then later sending a bounce to what it thinks is the sender, but is in reality a forged return address. Delivery failure notices should be sent by the sending server that failed to deliver the message, not by the receiving server that rejected it.

These FAQs offer suggestions about solutions.

http://www.spamcop.net/fom-serve/cache/329.html

http://blogs.msdn.com/tzink/archive/2008/0...ting-to-it.aspx

Misdirected bounces are becoming a *huge* problem. The beleaguered victims of spammer forgery are being inundated with bounces, far in excess of their already overwhelming spam load. Allowing the system to send that mail is just not right.

What evidence does Spamcop have of this? Can you please provide proof so that I can justify taking the action suggested?

Thanks

Nevill

[agsteele]

What evidence does Spamcop have of this? Can you please provide proof so that I can justify taking the action suggested?

Sadly it is hard to prove the negative... spam traps are unused mailboxes that solely receive unsolicited Emails. So, once spammers start sending mail to them they must, by definition be unsolicited.

If a spam trap address gets picked up by spammers it is very common for that address to then be used as a forged 'from' address. So, now, if a spammer's bot sends a spam item pretending to originate from a spam trap and it is sent to a non-existent address on your system and you, in turn, bounce it back to the alleged sender (ie the spam trap) then your system is also seen to be spamming.

The correct approach would be to reject in the SMTP transaction and not bounce a reply back. In fact out of office replies can also cause the same problem.

Andrew

[Miss Betsy]

In the beginning when forged return paths were first used, even spamcop deputies defended the system of accepting email and then sending an NDR because of the advantages to the existing system. It wasn't long before they changed their mind - because it gets to be a 'huge' problem. Some domain owners are deluged with NDRs (how many in spam run? millions? and that could generate thousands of NDRs).

Very early on, even AOL was convinced to stop accepting and then rejecting. I am sure that if you looked around at some discussions, you would find sufficient reasons why it is not a good idea in the present spam environment. Just think that the percentage of spam to real email is something way above 75%. That means that at least 75% of your rejections are forged by spammers. How many legitimate emails are you usefully rejecting? I don't know how difficult it is to reject at the server level. I think there is some expense involved in getting hardware that can do it efficiently. However, if you don't do it, then you are like the car on the road with the loud muffler and spewing oil fumes - a big nuisance and possible hazard (if the spammer targets just one domain).

Miss Betsy

[Farelf]

... I am sure that if you looked around at some discussions, you would find sufficient reasons why it is not a good idea in the present spam environment. ...

Indeed, most mail admins would not require convincing these days. Except Mr. Nevill's mailgate, with its existing configuration, somehow doesn't seem to generally backscatter (Robtex - http://www.robtex.com/ip/195.11.80.2.html#blacklists - seems to confirm that by the lack of the IP address listings in other/any BLs). Except, when it does, it hits SpamCop spamtraps with uncanny precision (those traps being an infinitesimal part of the total volume of receptive email addresses). That might constitute some form of attack on the mailgate, if it was happening often (though it seems not to be).

http://www.senderbase.org/senderbase_queri...ing=195.11.80.2 seems to indicate to me that, starting as early as 12 September this year, there could have been as many as 30-40 SC spamtrap hits in a period of one or several days sometime within a month or so. But I don't actually know the detail of the methodology behind SenderBase estimates, they are, presumably, as unreliable as any statistic must be when dealing with small samples and infrequent or unique occurrences and SenderBase volume is not usually related directly/exclusively to SC hits though it could be in a given and unusual case.

Don (SpamCop Admin) sometimes helps out mailserver admins with clues about the subjects and general times of spamtrap hits when they are part of a (much) larger spam run and he can do so without risking revealing the spamtrap addresses. That (larger spam run) doesn't seem to be the case here and (he can talk for himself but for the purpose of discussion ...) he wouldn't want to do anything that might compromise the secrecy of a spam trap address. But he might retire one or two spamtraps if he believes/can be convinced that their addresses are compromised. I imagine that sort of thing happens sometimes, but I could be wrong.

In any event, it is not a good policy to send delayed NDRs and it hasn't been for quite some time, as the links Don provided indicate, and as is readily confirmed from many other sources, easily found. That is not merely 'received wisdom', it is the reality of today's internet.

[rconner]

What evidence does Spamcop have of this? Can you please provide proof so that I can justify taking the action suggested?

I don't know what evidence SpamCop has, but next time my own e-mail address gets forged by a spammer I will invite you over to look at my inbox.

A few times a year, one or another of my e-mail addresses gets dropped into the "From" field of spam mail, and I can thereafter get anywhere from one or two up to hundreds of delay bounces from mail operations all over the world that consider it acceptable practice to delay-bounce mail. Once, I got nearly 4,000 bounces in the space of 24 hours. This did not make me happy. Getting spam is infuriating enough, we should not also have to deal with blowback from improperly-run mail operations that do nothing but amplify the spam.

We know that the clear majority (as much as 90%) of e-mail these days is spam, and we know that the vast majority of the spam contains forged from-addresses. So, if a mail service is set up for delay bouncing rather than rejecting undeliverable mail, it is clear that nearly all of these bounces that this service sends are going to be misdirected to innocent parties. A complete waste of time for everyone involved, and doing no one any good (i.e., the spammer doesn't get the benefit of the bounce because of his forgery).

The choice is clear: either reject all undeliverable mail (no-such-user, queue-full, etc.) at SMTP with a 5xx message, or else make a good faith effort to identify the undeliverable message as non-spam before delay-bouncing it. I know I will thank you for doing so.

-- rick

[Nevill]

Can anyone at Spamcop provide the full address of the e-mails which were sent to the spamtraps? not the spamtrap address but the full address of the e-mails sent to the spamtrap?

"there could have been as many as 30-40 SC spamtrap hits in a period of one or several days sometime within a month or so" Too vague. When? how many? what addresses?

We are keen to stop spam but Spamcop is not helping us do that just by blocking our e-mail. I'm sure the robtex.com and senderbase.org links are useful to someone but they offer no assistance to us.

Moderator Edit: removed the quoted material and let the newly posted data appear as text typed in by the user. Problem was that the 'new' text was typed directly into the middle of the quoted previous post with no editing done whatsoever ... thus making it appear that this Post contained no 'new' data.

[Farelf]

Can anyone at Spamcop provide the full address of the e-mails which were sent to the spamtraps? not the spamtrap address but the full address of the e-mails sent to the spamtrap?

"there could have been as many as 30-40 SC spamtrap hits in a period of one or several days sometime within a month or so" Too vague. When? how many? what addresses?

We are keen to stop spam but Spamcop is not helping us do that just by blocking our e-mail. I'm sure the robtex.com and senderbase.org links are useful to someone but they offer no assistance to us.

You need to contact Don to see what he can do for you. That address: service[at]admin.spamcop.net

[Miss Betsy]

If Don doesn't provide any more information than he already has, it is still possible to find out to prevent a recurrence. I don't know very much about how real server admins do it since I am not one, but I think that using a really aggressive spam filter before returning any email accepted or only returning whitelisted addresses (for Out of Office replies) is the way that those who insist on accepting email and then automatically answering it are able to avoid sending to spam traps.

As I said before, I also think that it would be wise to invest in whatever hardware/software that allows you to reject email only at the server level. If Don says that it is a 'huge' problem, you know that the big boys like Comcast, RR, Time Warner, hotmail, yahoo, etc. are just dropping them. It is only the smaller ISPs who bother to send notifications that it is on spamcop bl. I never get a rejection to my spammy hotmail address and it must be forged on dozens of lists every day - not even with junk mail turned off completely.

Miss Betsy