
[Resolved] spam from 85.214.71.188

I'm getting spam from this IP yet they are not listed by spamcop

http://www.spamcop.net/w3m?action=checkblo...p=85.214.71.188

The reputation of these guys is tremendous, so others are getting a lot of spam as well:

http://www.senderbase.org/senderbase_queri...g=85.214.71.188

But still, they are not listed in any blocking list. Why is this the case? How long does it take to stop these guys who are running a thriving cottage factory?

Ejo

This is guess-work based on the listed reports.

There seems to have been no spam from there until about 7 this morning (GMT) and it stopped before 9.

My theory is that an infected machine was plugged in, SpamCop told them and they did something about it, fast. If so there's no need for it to continue being listed: SpamCop is working as it should and the server-owner acted as s/he should to stop the run. SpamCop automatically lists and de-lists very quickly in response to circumstances.

IOW this is how it /should/ happen!

In addition to Derek T's helpful comments, it might be worth noting that the algorithm for listing in the SCBL is such that a number of factors need to come about before listing happens. IIUC these would include the volume of mail passing through an IP compared to the amount of spam reported and the number of individuals reporting the IP.

So, for example, you could be submitting hundreds of reports but if you were the only person doing so then the IP wouldn't be listed.

Andrew

> This is guess-work based on the listed reports.
>
> There seems to have been no spam from there until about 7 this morning (GMT) and it stopped before 9.
>
> My theory is that an infected machine was plugged in, SpamCop told them and they did something about it, fast. If so there's no need for it to continue being listed: SpamCop is working as it should and the server-owner acted as s/he should to stop the run. SpamCop automatically lists and de-lists very quickly in response to circumstances.
>
> IOW this is how it /should/ happen!

If you check the reported spam option under

http://www.spamcop.net/mcgi?action=showhis...type=0;offset=0

then you'll see that there is still incoming spam from 85.214.71.188. This is not guesswork, it is ongoing. At the same time senderbase says that they are not listed on any blocking list. That evidence is here:

http://www.senderbase.org/senderbase_queri...g=85.214.71.188

I can only repeat what I wrote earlier: why is this? Is the reporting inaccurate, does the list work, are these delayed reports, is the algorithm broken? Etc etc.

Even more evidence that it is ongoing:

http://www.spamcop.net/sc?id=z3859635138z4...545cce23e63bf1z

and if you check the mail header:

from foothub.net.ms (h1743850.stratoserver.net [85.214.71.188]) by mx1.tudelft.nl (Postfix) with SMTP id 3ACE07F815E for <x>; Sat, 27 Mar 2010 11:56:08 +0100 (CET)

Thus sent around an hour ago.

Ejo

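The Received header quoted in the post above is the evidence that matters here: the connecting IP is the one in square brackets, recorded by the receiving MX, while the HELO name in front of it is whatever the sender chose to say. The following is an added example, not code from the thread or from SpamCop: it parses that header line (embedded as a constructed sample), notes that the HELO name does not match the reverse DNS, and builds the reversed-octet query name used to ask the SCBL (zone `bl.spamcop.net`) whether the IP is listed right now. The regular expression is an assumption that covers the common Postfix/Sendmail layout, not every Received format in the wild.

```python
import re
import socket
from email.utils import parsedate_to_datetime

# Constructed sample: the Received line quoted in the post above.
SAMPLE_RECEIVED = (
    "from foothub.net.ms (h1743850.stratoserver.net [85.214.71.188]) "
    "by mx1.tudelft.nl (Postfix) with SMTP id 3ACE07F815E for <x>; "
    "Sat, 27 Mar 2010 11:56:08 +0100 (CET)"
)

# Assumed layout: from HELO (rDNS [ip]) by HOST ... ; DATE
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$"
)


def parse_received(line: str) -> dict:
    """Extract connecting IP, HELO name, reverse DNS, receiving host and timestamp."""
    m = RECEIVED_RE.search(line.strip())
    if not m:
        raise ValueError("unrecognised Received line")
    info = m.groupdict()
    # parsedate_to_datetime keeps the +0100 offset and ignores the "(CET)" comment
    info["date"] = parsedate_to_datetime(info["date"])
    # A HELO that differs from the rDNS name is a weak but common sign of a forged identity
    info["helo_matches_rdns"] = info["helo"].lower() == info["rdns"].lower()
    return info


def dnsbl_query_name(ip: str, zone: str = "bl.spamcop.net") -> str:
    """Build the reversed-octet DNSBL name, e.g. 188.71.214.85.bl.spamcop.net."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_lookup(ip: str, zone: str = "bl.spamcop.net"):
    """Return the answer address if the IP is listed (the SCBL answers 127.0.0.2),
    or None when the name does not resolve (not listed, or no DNS available).
    Needs network access; everything else in this example runs offline."""
    try:
        return socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None


if __name__ == "__main__":
    info = parse_received(SAMPLE_RECEIVED)
    print(f"connecting IP {info['ip']} ({info['rdns']}), HELO {info['helo']}, "
          f"HELO matches rDNS: {info['helo_matches_rdns']}")
    print("received at", info["date"].isoformat())
    print("DNSBL query:", dnsbl_query_name(info["ip"]))
    answer = dnsbl_lookup(info["ip"])
    print("listed now:", answer if answer else "no (or lookup failed)")
```

The parse and the query-name construction are what a mail admin would script into a log check; the live lookup only tells you the list's state at the moment you ask, which is exactly why two posters in this thread saw different things a couple of hours apart.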
> But still, they are not listed in any blocking list. Why is this the case? How long does it take to stop these guys who are running a thriving cottage factory?

Time is but one factor in being an active entry in the SpamCopDNSBL. See What is the SpamCop Blocking List (SCBL)? .. try some of the math involved, perhaps also referencing SenderBase's "Magnitude" Explained

85.214.71.188 went on the blocking list Saturday, March 27, 2010 11:07:28 -0600

I'm glad that this eventually happened. The reason for listing it was, according to SpamCop, that 85.214.71.188 has sent mail to SpamCop spam traps in the past week and also SpamCop users have reported 85.214.71.188 as a source of spam about 300 times in the past week. In my case it kept on sending spam for several days until it was caught. It sounds like some infested system at the Strato Rechenzentrum in Berlin, Germany.

Ejo

> I'm glad that this eventually happened. The reason for listing it was, according to SpamCop, that 85.214.71.188 has sent mail to SpamCop spam traps in the past week and also SpamCop users have reported 85.214.71.188 as a source of spam about 300 times in the past week. In my case it kept on sending spam for several days until it was caught. It sounds like some infested system at the Strato Rechenzentrum in Berlin, Germany.

It doesn't explain why the SpamCop blocklist has become reluctant to list spam sources?

> It doesn't explain why the SpamCop blocklist has become reluctant to list spam sources?

> I'm glad that this eventually happened. The reason for listing it was, according to SpamCop, that 85.214.71.188 has sent mail to SpamCop spam traps in the past week and also SpamCop users have reported 85.214.71.188 as a source of spam about 300 times in the past week.

"We" have no knowledge of the amount of spamtrap hits, but do know that they score much higher in the calculations. Excluding those, one would actually have to wonder more how it got listed.

Going with the approximately "300 reports in the past week" as compared to the current magnitude listing of 4.8 which is in the ballpark of 100,000 e-mails-a-day .... as I stated before, try to do the math. If it was just the amount generated by SpamCop.net reporters, it would still not be listed, based on the ratio of good/bad traffic alone, even with the SenderBase "poor" reputation. Sure, perhaps "most" of the traffic was spam, but it was not reported through the SpamCop.net Parsing & Reporting System, therefore not available in sufficient quantity for the "bad part" of the calculations. In this case, the spammer did it him/herself by hitting the spamtrap addresses directly, and in sufficient quantity.

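"Try to do the math" is the point of the two replies above: the SCBL weighs reported spam against total observed traffic and against how many different people report, and spamtrap hits count far more than user reports. The block below is an added illustration and is not SpamCop's algorithm, whose real weights and thresholds are not published; every constant in it (trap-hit weight, minimum distinct reporters, minimum reported fraction) is an assumption chosen only to make the thread's three situations come out the way the posters describe: 300 reports against roughly 100,000 mails a day is a negligible fraction, hundreds of reports from a single reporter are not enough on their own, and a few spamtrap hits list the IP regardless of ratio.

```python
import math

# Illustrative constants only: assumptions for this example, NOT SpamCop's real SCBL rules.
TRAP_HIT_WEIGHT = 50           # one spamtrap hit counts like this many user reports
MIN_DISTINCT_REPORTERS = 5     # reports from a single person must not list an IP
MIN_REPORTED_FRACTION = 0.01   # reported spam must be at least 1% of observed traffic
TRAP_SCORE_TO_LIST = 100       # enough trap-weighted evidence lists regardless of ratio


def evaluate_listing(daily_volume: int, weekly_reports: int,
                     distinct_reporters: int, spamtrap_hits: int) -> dict:
    """Toy model of the factors the thread names: reported/total ratio,
    number of distinct reporters, and heavily weighted spamtrap hits."""
    weekly_volume = daily_volume * 7
    fraction = weekly_reports / weekly_volume if weekly_volume else 0.0
    trap_score = spamtrap_hits * TRAP_HIT_WEIGHT
    listed_by_ratio = (fraction >= MIN_REPORTED_FRACTION
                       and distinct_reporters >= MIN_DISTINCT_REPORTERS)
    listed_by_traps = trap_score >= TRAP_SCORE_TO_LIST
    return {
        "reported_fraction": fraction,
        "trap_score": trap_score,
        "listed_by_ratio": listed_by_ratio,
        "listed_by_traps": listed_by_traps,
        "listed": listed_by_ratio or listed_by_traps,
    }


def reports_needed_for_ratio(daily_volume: int) -> int:
    """Weekly user reports needed to reach the (assumed) ratio threshold alone."""
    return math.ceil(round(daily_volume * 7 * MIN_REPORTED_FRACTION, 6))


if __name__ == "__main__":
    # Figures taken from the thread: ~100,000 mails/day, ~300 reports in a week.
    # Reporter and trap-hit counts are constructed for the scenarios.
    scenarios = {
        "300 reports, many reporters, no trap hits": (100_000, 300, 50, 0),
        "same, plus two spamtrap hits":             (100_000, 300, 50, 2),
        "hundreds of reports, one reporter":        (1_000, 400, 1, 0),
        "hundreds of reports, many reporters":      (1_000, 400, 20, 0),
    }
    for label, args in scenarios.items():
        r = evaluate_listing(*args)
        print(f"{label}: fraction={r['reported_fraction']:.4%} "
              f"trap_score={r['trap_score']} listed={r['listed']}")
    print("reports/week needed on ratio alone at 100,000/day:",
          reports_needed_for_ratio(100_000))
```

Under these assumed thresholds, 300 reports in a week against 100,000 mails a day is about 0.04% of traffic, while the ratio rule alone would need on the order of 7,000 weekly reports; that gap is what the reply means by the reporter volume being insufficient without the spamtrap hits.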
You are quite right at the time you post. As was I - there had been no reports for over two hours at the time I posted. :blush:

And if you look at the SenderBase data, the flow is ever increasing ....

http://www.senderbase.org/senderbase_queri...g=85.214.71.188

Volume Statistics for this IP

              Magnitude   Vol Change vs. Last Month
Last day      5.3         527%
Last month    4.5
