jahesh

Does Apptix condone spammers, or is Spamcop badly flawed?

I'm an IT consultant and I use Apptix as my hosted Exchange provider. Over the past 3 years, I've found them to be reliable and honest. As far as I know, they're one of the largest (if not the largest) providers of hosted Exchange products. I also believe them to have a very strict no-spam policy and they seem to take swift action to get rid of spammers.

Over the past 2 weeks, several of their IPs have been listed in Spamcop's RBL. Obviously this is a serious problem for me and my users, since we're routinely having our mail blocked seemingly without any real recourse. Apptix has assured me that they are absolutely not sending out any spam since they killed the compromised user account, and they seem to have taken every reasonable measure to notify Spamcop of this. Seemingly incomprehensibly, their servers continue to show up in the Spamcop blacklist, and even more incomprehensibly the IPs - that Apptix have assured me are absolutely secure and not spamming - keep reappearing.

So, is Apptix sending spam? Or is Spamcop accepting faulty reports, or accepting old data as new? I trust Apptix's legitimacy so I guess I question Spamcop's practices here.

Any comments?

Link to post
Over the past 2 weeks, several of their IPs have been listed in Spamcop's RBL. Obviously this is a serious problem for me and my users, since we're routinely having our mail blocked seemingly without any real recourse. Apptix has assured me that they are absolutely not sending out any spam since they killed the compromised user account, and they seem to have taken every reasonable measure to notify Spamcop of this. Seemingly incomprehensibly, their servers continue to show up in the Spamcop blacklist, and even more incomprehensibly the IPs - that Apptix have assured me are absolutely secure and not spamming - keep reappearing.
I'm not quite sure what is incomprehensible about this. It appears that Apptix's mail servers are in the block 66.231.80.0/20. According to Senderbase, there is currently nothing blocked from there by any DNSBL. However, it's also the home of mail servers for ExactTarget, a very large email marketing firm. Though SC and many other DNSBLs block by single IP#s only, some DNSBLs will "expand" listings around single IPs, and any email marketing firm, no matter how good a job they do preventing spam, is going to be hit with a listing once in a while. In other words, hosting an email service within a block also used for a major email marketing firm is not really a bright idea.

So, is Apptix sending spam?
It doesn't have to be spam—it could be virus notices, vacation messages or other autoacks that Exchange makes it so easy for users to activate.

I trust Apptix's legitimacy so I guess I question Spamcop's practices here.
Apptix was founded in 1997 and Spamcop launched in 1998. Spamcop has survived the rise and fall of many DNSBL giants who were less bulletproof in their methods. Spamcop's DNSBL has more actual human decision-making involved than any other DNSBL, IMNSHO. And lastly, though it doesn't really signal a lot, Google finds 189,000 instances of Apptix on the net and about 1,740,000 instances of Spamcop.

Link to post
So, is Apptix sending spam? Or is Spamcop accepting faulty reports, or accepting old data as new? I trust Apptix's legitimacy so I guess I question Spamcop's practices here.

Any comments?

Hard to do much research/evaluation with so little data provided. As in the various How to ask a good Question links, and as you even hint at in your starting Post, what are the IP Addresses in question?

http://www.senderbase.org/senderbase_queri...g=216.166.12.31 seems to show some pretty bad conditions involved in that part of the net.

Link to post

My outgoing server with them is out001.collaborationhost.net, which has the IP range 216.166.12.0/24

The POOR results all seem to point to Spamcop. None of the other blacklists list them. I doubt any hosting provider can have a 100% perfect record over time, but their policies and actions when something inevitably does go wrong must have some weight, no?

If they were still sending spam, wouldn't they be on more blacklists than just Spamcop?

Link to post
My outgoing server with them is out001.collaborationhost.net, which has the IP range 216.166.12.0/24

The POOR results all seem to point to Spamcop. None of the other blacklists list them. I doubt any hosting provider can have a 100% perfect record over time, but their policies and actions when something inevitably does go wrong must have some weight, no?

If they were still sending spam, wouldn't they be on more blacklists than just Spamcop?

http://www.senderbase.org/senderbase_queri...orationhost.net

I see one also listed at cbl.abuseat.org ....

Picking one at random;

http://spamcop.net/w3m?action=checkblock&a...p=216.166.12.72

216.166.12.72 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 18 hours.

Causes of listing

•System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

•SpamCop users have reported system as a source of spam about 20 times in the past week

Express-delisting is not available

Listing History

In the past 17.1 days, it has been listed 5 times for a total of 9.0 days

Other hosts in this "neighborhood" with spam reports

216.166.12.31 216.166.12.32 216.166.12.69 216.166.12.97 216.166.12.98 216.166.12.99 216.166.12.178 216.166.12.180

Both spamtraps and user Reports, express-delisting suggests that someone may have already tried the "fix-it" by hitting the button, but didn't actually fix the real issue. None of this is considered 'good' by anyone involved, especially those still receiving the spam spew.

Every BL has its own determining factors as to listing/de-listing, etc.

Report History snippet on the above 'random' IP Address;

Submitted: Thursday, June 09, 2011 10:41:26 AM -0500:

Security Message •5529727139 ( http://team-lmpp.fr/chase.com-restore ) To: cabuse[at]tatacommunications.com

•5529727138 ( http://team-lmpp.fr/chase.com-restore ) To: abuse[at]ovh.net

•5529727137 ( http://team-lmpp.fr/chase.com-restore ) To: abuse[at]gblx.net

•5529727136 ( 216.82.255.3 ) To: abuse[at]messagelabs.com

•5529727135 ( 216.166.12.72 ) To: abuse[at]datafoundry.com

-----------------------------------------------------

Submitted: Thursday, June 09, 2011 9:07:10 AM -0500:

[spam] Mr. Andy Turner •5529654824 ( 216.166.12.72 ) To: abuse[at]datafoundry.com

-------------------------------------------------

Submitted: Thursday, June 09, 2011 8:50:38 AM -0500:

Security Message •5529630371 ( http://www.sitedesing.com/site/images/chase.com ) To: nomaster[at]devnull.spamcop.net

•5529630328 ( http://team-lmpp.fr/chase.com-restore ) To: cabuse[at]tatacommunications.com

•5529630291 ( http://team-lmpp.fr/chase.com-restore ) To: abuse[at]ovh.net

•5529630258 ( http://team-lmpp.fr/chase.com-restore ) To: abuse[at]gblx.net

•5529630218 ( 216.82.242.99 ) To: abuse[at]messagelabs.com

•5529630164 ( 216.166.12.72 ) To: abuse[at]datafoundry.com

Link to post
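
The lookup behind the `216.166.12.72 listed in bl.spamcop.net (127.0.0.2)` result quoted in the post above, generalized to sweep a whole range such as 216.166.12.0/24. This is an added example, not part of the thread and not SpamCop's code; the function names and the sample answers are assumptions constructed so it runs offline.

```python
import ipaddress
import socket

# Zones named in this thread.
ZONES = ("bl.spamcop.net", "cbl.abuseat.org")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_name(ip, zone):
    """216.166.12.72 + bl.spamcop.net -> 72.12.166.216.bl.spamcop.net"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Return the A record for name, or None on NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip, zones=ZONES, resolve=system_resolver):
    """Map zone -> return code for every zone that lists ip."""
    hits = {}
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        # A listing is answered inside 127.0.0.0/8. Anything else (for
        # example a resolver that rewrites NXDOMAIN) is not a listing.
        if answer and ipaddress.IPv4Address(answer) in LOOPBACK:
            hits[zone] = answer
    return hits


def sweep(cidr, zones=ZONES, resolve=system_resolver):
    """Check every host address in cidr; return only the listed ones."""
    listed = {}
    for host in ipaddress.ip_network(cidr).hosts():
        hits = check_ip(str(host), zones, resolve)
        if hits:
            listed[str(host)] = hits
    return listed


# Constructed answers standing in for live DNS (not real listing data).
SAMPLE_ANSWERS = {
    "72.12.166.216.bl.spamcop.net": "127.0.0.2",
    "97.12.166.216.bl.spamcop.net": "127.0.0.2",
    "31.12.166.216.cbl.abuseat.org": "127.0.0.2",
    "50.12.166.216.bl.spamcop.net": "203.0.113.9",  # rewritten NXDOMAIN
}


def sample_resolver(name):
    return SAMPLE_ANSWERS.get(name)


if __name__ == "__main__":
    for ip, hits in sweep("216.166.12.0/24", resolve=sample_resolver).items():
        print(ip, hits)
```

Dropping the `resolve=sample_resolver` argument makes `sweep` query live DNS through the system resolver, which gives a point-in-time view of a provider's outbound range across several lists at once.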
My outgoing server with them is out001.collaborationhost.net, which has the IP range 216.166.12.0/24
216.166.12.178 is pretty scummy, with Spamcop human reporters identifying spam coming from that server about 30 times in the past week. At least seven servers in that block have sent to spamtraps in the past week.

If you want to see actual, honest-to-goddess spam items from 216.166.12.178, google the IP#. Here's just one example (the first one listed on that page was sourced from 216.166.12.178).

The POOR results all seem to point to Spamcop. None of the other blacklists list them.
One of the benefits of the Spamcop DNSBL that experts have identified is the canary in the coal mine effect. ISP tech folks have come here frequently to say that a Spamcop report was their first tip that they had a problem on their server (check the comments on this page by Al Iverson, for example). On the other hand, we have also seen SC-identified IP#s grow to other lists when the problem isn't dealt with.

I doubt any hosting provider can have 100% perfect record over time, but their policies and actions when something inevitably does go wrong must have some weight, no?
That is why the SCBL works on a weighted average. See "SCBL Rules" at the bottom of this page.

If they were still sending spam, wouldn't they be on more blacklists than just Spamcop?
Give it some time, they will!

Link to post
If you want to see actual, honest-to-goddess spam items from 216.166.12.178, google the IP#. Here's just one example (the first one listed on that page was sourced from 216.166.12.178).
By the way, the second item on that page was sourced from 216.166.12.98. Both are collaborationhost.net mail servers.

Link to post

They've been telling me how difficult it's been to contact you, and that these have been false positives, but I must admit your (very quick) replies have been convincing.

I've pointed them to this thread.

Anyone care to recommend a reliable hosted Exchange provider with good reseller support?

Link to post
They've been telling me how difficult it's been to contact you

<snip>

...Oops -- "we" here in the SpamCop Forums (well, most of us -- the few SpamCop staff who do contribute here are identified by a "SpamCop" image below their names) are not SpamCop!
I've pointed them to this thread.

<snip>

...Thank you.

Link to post

Here's an excerpt from correspondence received from my Partner Account Manager at Apptix:

"We make every effort to prevent unsolicited mail, bulk mail, and the like to originate from our platform. Because we are a self sign up, hosted Exchange provider, the occasional spammer does get in. As soon as they are detected however, they are shut down right away. Unfortunately, in some cases the damage is already done."

This seems to be at odds with the evidence provided to me by the Spamcop admins. And it looks like these messages continue to arrive.

It seems obvious that the messages are ongoing, that they are unsolicited, and - worse - that they are condoned. Those messages didn't look like a vulnerability exploit offering V14G4R4. They look like unsolicited messages and that they aren't likely to stop anytime soon.

But, before I simply jump ship to another provider that might have similar issues - I've been with Apptix for 3 years mostly trouble free - how can I do enough due diligence to ensure that the other provider isn't ultimately as bad or worse?

Thanks, all.

Link to post
But, before I simply jump ship to another provider that might have similar issues - I've been with Apptix for 3 years mostly trouble free - how can I do enough due diligence to ensure that the other provider isn't ultimately as bad or worse?

Would help if you could provide a reject notice

I suspect that there are a number of organizations/companies/spammers using your allocated mail servers.

Just takes an email marketer who is using an "email" list that has been obtained legitimately (double opt-in).

Fact is it is individual SpamCop members reporting spam, with EVERY report an email was sent to that IP's address owner (if not disabled).

It would take a massive amount of reported and ignored spam to get listed by the "SpamCop Block List" (SCBL).

Providers are like a restaurant with a good Chef. Once that Chef leaves, if the new one is not good, customers then leave. It appears the "new Chef" doesn't care and doesn't listen (I would leave).

Link to post
Providers are like a restaurant with a good Chef. Once that Chef leaves, if the new one is not good, customers then leave. It appears the "new Chef" doesn't care and doesn't listen (I would leave).

Apptix is pretty huge. They've probably got dozens of chefs and hundreds if not thousands of employees or outsourced support people.

Simply leaving isn't as easy with hosted Exchange as it would be with a POP/IMAP provider. My users and I have gigabytes in mail, contact, calendar, task, and note data that we'd need to migrate to a new provider. I'd want to know that the hosted server has a fairly clean reputation first, and that seems to be impossible to do. The SCBL and others list specific IPs or even URLs for individual servers - not for companies as a whole. Sure, I can find a few URLs for other providers' servers and check their reputations, but I have no way to know the actual originating IP or IP range of the server I'll be put on.

Apptix has assured me that they'll be running all outgoing mail through MessageLabs servers starting mid/late July. It could take me that long to get comfortable with a new provider. The whole thing really sucks. Particularly considering that, after 4 weeks of pain now due to Spamcop listings, they're still only on Spamcop, not a single other BL.

Link to post
Apptix is pretty huge. They've probably got dozens of chefs and hundreds if not thousands of employees or outsourced support people.

Apptix has assured me that they'll be running all outgoing mail through MessageLabs servers starting mid/late July. It could take me that long to get comfortable with a new provider. The whole thing really sucks. Particularly considering that, after 4 weeks of pain now due to Spamcop listings, they're still only on Spamcop, not a single other BL.

Looking at http://www.senderbase.org/senderbase_queri...orationhost.net currently shows 8 out of 30 servers listed.

Only Don/Deputies can talk to the spamtrap hits, but it seems that there is the real issue. User Reports Subject lines include;

216.166.12.31

Submitted: Saturday, June 11, 2011 1:20:15 AM -0500: Employment Opportunity Available

Submitted: Friday, June 10, 2011 11:59:29 AM -0500: Greetings

Submitted: Friday, June 10, 2011 1:51:35 AM -0500: IMF PENDING PAYMENT APPROVED NOTIFICATION..

216.166.12.32

Submitted: Friday, June 10, 2011 3:16:24 PM -0500: IMF PENDING PAYMENT APPROVED NOTIFICATION..

Submitted: Friday, June 10, 2011 5:07:10 AM -0500: Greetings

Submitted: Friday, June 10, 2011 5:01:58 AM -0500: Greetings

Submitted: Friday, June 10, 2011 2:13:42 AM -0500: IMF PENDING PAYMENT APPROVED NOTIFICATION..

216.166.12.69

Submitted: Saturday, June 11, 2011 2:45:30 AM -0500: Employment Project

Submitted: Friday, June 10, 2011 8:53:03 AM -0500: IMF PENDING PAYMENT APPROVED NOTIFICATION..

216.166.12.72

Submitted: Friday, June 10, 2011 9:19:48 AM -0500: Job Offer

Submitted: Friday, June 10, 2011 4:52:15 AM -0500: IMF PENDING PAYMENT APPROVED NOTIFICATION..

Submitted: Thursday, June 09, 2011 11:53:35 PM -0500: IMF PENDING PAYMENT APPROVED NOTIFICATION..

216.166.12.98

Submitted: Friday, June 10, 2011 9:52:46 AM -0500: IMF PENDING PAYMENT APPROVED NOTIFICATION..

More of the same ..... Based on the complaints, it seems that it should be pretty easy for the staff involved to track down the source of these specific e-mails and take the appropriate action. Not sure that another output filter is the solution, but will note that some of the recent User Reports included the following targets exampled by;

Submitted: Friday, June 10, 2011 1:58:27 AM -0500: Job Offer

•5530473760 ( 216.82.255.3 ) To: abuse[at]messagelabs.com

•5530473759 ( 216.166.12.98 ) To: abuse[at]datafoundry.com

Also noting that most of these look-ups indicated a reduction in magnitude .... although another portion of the 30 listed servers seems to be showing "all new" traffic, which suggests another approach being taken, not always for the best. To apply your "last 4 weeks" .. it would appear that they have allowed someone to start using their services that doesn't play according to the rules. Why they can't seem to find that user (or multiple accounts?) based on the apparent spew of similar Subject: line content isn't readily apparent.

Later edit: refreshed the SenderBase page, and it's now showing 9 of 30 listed in a BL.

Link to post
Looking at http://www.senderbase.org/senderbase_queri...orationhost.net currently shows 8 out of 30 servers listed.
From the top of that page, "Network Owners that use collaborationhost.net hostnames," YHC Corporation has five or so abuseat.org listings either side of the SC collaborationhost.net listings... and hosts fleshlight.com, not that there's anything wrong with that.

Link to post
Particularly considering that, after 4 weeks of pain now due to Spamcop listings, they're still only on Spamcop, not a single other BL.

Actually it's nonsense if you are not engaged in spamming with your own computers secure and that the IP you send through is just listed only on the SCBL, it will be listed on others which are even harder to be released from (the SCBL only lists for 24 hours after last reported spam)? Need a reject notice for evidence and a way to identify your problem. There are some who use a false reject notice blaming SpamCop. It's important your own email list is clean and conforms to "Double Opt-In" for marketing and not obtained by a web spider/crawler.

Apptix seems to be "shining" on you. They can easily assign a static IP for your use which means if you are clean and deal with your own spam reports (each cost around $50 or more to process) your problems are over.

Google offers a cheap alternative using existing domain name for email (remember, advice is free, till you act on it).

Link to post
Need a reject notice for evidence and a way to identify your problem. There are some who use a false reject notice blaming SpamCop

No such need in the instant case since SC reports that IP address as being on the SCBL and the report history shows the Spammy subjects and mentions spam trap hits.

Here's similar data for a different IP address, 6 days old, also collaborationhost.net

http://spamcop.net/w3m?action=checkblock&a...p=216.166.12.97

If there are no reports of ongoing objectionable email from this system

it will be delisted automatically in approximately 13 hours.

X-SpamCop-Checked: 64.88.168.84 62.24.139.64 62.24.139.126 8.5.124.4

216.82.242.115 216.166.12.97

X-SpamCop-Disposition: Blocked bl.spamcop.net

Using best contacts abuse[at]datafoundry.com

Statistics:

216.166.12.97 listed in bl.spamcop.net (127.0.0.2)

==

Submitted: Wed Jun 8 14:51:17 2011 GMT :

Job Offer

5528577466 ( 216.166.12.97 ) To: abuse[at]datafoundry.com

Submitted: Wed Jun 8 13:12:09 2011 GMT :

YOUR DIPLOMAT HAS NOW ARRIVE AT Louisville International Airport,CONTACT

HIM ...

5528428169 ( 216.166.12.97 ) To: abuse[at]datafoundry.com

==

What other evidence

Link to post
No such need in the instant case since SC reports that IP address as being on the SCBL and the report history shows the Spammy subjects and mentions spam trap hits.

Agreed. I've seen enough, and I'm convinced they're not stopping the flow of spam. I've looked up a couple other providers and I'll be biting the bullet in the next couple of days.

Thanks, all, for making the evidence clear and responding so promptly and enthusiastically.

Link to post
