mrmaxx

Reporting problems today?


Looks good this morning in Italy, quick and nimble!

Just wait a bit.

I am getting Gateway timeouts now. I have not seen a change in 2 and a half weeks.


On some web form spam submissions, it's still taking a loooong time to parse and then timing out, necessitating revisiting the SpamCop page, at which point I'm seeing the Report Now option ... which AGAIN takes forever once clicked. *Sometimes* it goes through after clicking that, *sometimes* it takes a loooong time again & times out again, & sometimes it reports the spam is too old ... on a spam I just received THAT day.

SpamCop is still broken, apparently.


I sent to early this morning and they went through fine.

An hour later, time out time out time out.

Oh well. Will try tonight.


exactly, at first all gone, now

got sigalarm, taking too long to process, aborted


I will say this: it's been almost a week since I've been able to process spam. Today 1/3 of the spams I reported actually worked; the rest are getting the gateway timeout.

Not sure what is up but there still appears to be problems.


I have to say I haven't bothered with trying to parse emails while this has been going on. I have simply used the VER interface of the email system to quick-report or just using the "report as spam" button in the webmail interface. THAT seems to be working nearly flawlessly, or maybe it's just submitting it to a quick-report queue. In any case, quick-reporting seems to be working (mostly -- occasionally I'll see a 10-15 second "hiccup" before a spam goes away.)


Yes, SpamCop performance is still erratic sometimes. I'm seeing the same things you are.

On the bright side, things are running really well much of the time.

Other notes...

Old spam is old news. Please just delete anything over 24 hours old.

The suspended users have all been reinstated.

I can't take credit for that. Even when I was still having trouble getting into my admin tools, our lead engineer was able to dig directly into the database and reinstate the suspended users. He gave me a list of the email addresses so that I could notify them.

Gotta like that! He really came through for us!

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -

.


I am not going to do any detective work..but just say that this is really the most persistent spammer and throughout this incident the spam from them has gone up greatly, maybe someone else can find out who they are:

http:// onrpnhfozy.medicpostb. ru/ (Administrator of network hosting website referenced in spam)

To: heibaizhuli[at]yahoo. com. cn (Notes)


  • medicpostb.ru registrant - protected behind http://www.reg.ru/whois/admin_contact
  • Hosting 116.255.233.200 - ZhengZhou GIANT Computer Network Technology Co., Ltd no abuse.net record
  • Landing page terse ("Server: Apache")
  • Landing page does not suffer extended analysis (connection times out in process)
  • Endless list of "alphabet soup" super-domains.

Ownership? Anyone's guess at this stage. Russian Federation, India, China, North America?

WOT Trustworthiness, vendor reliability, privacy and child safety of this site (medicpostb.ru) is very poor.

medicpostb.ru Listed on URIBL black

medicpostb.ru is on SURBL lists: JP WS


It is important to say that this was not a DOS attack, but a load attack. From the information we have, the spammer used the same protocol and the same mimic of normal users, so it was not a DOS, and this makes it complicated for the engineers to distinguish good traffic from bad.

Engineers should discover where the bad traffic attack came from; hope for more news in this regard.

Edited by efa

a load attack. From the information we have, the spammer used the same protocol and same mimic of normal user
Please explain. I don't know what you mean by "same protocol."

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -


I managed to report 32 spams through the web parser about an hour ago this morning.

The process went quite quickly until the last four or five, when it slowed down appreciably. :(

Those last few were quite slow, but there were no timeouts, and all my spam is cleared.

Overall the process took about half an hour, reporting each spam manually, which is about right in my experience.

Also, last night, I was finally able to access my mailhosts page, and re-enable quick reporting.

Overall, I'm quite happy with the performance at the moment. :)

BTW, I have one quick question. I'm sure someone will know the answer to this:

Our individual reporting addresses are in this format:

submit.XXXXXXXXXXXXXXXX[at]spam.spamcop.net

IIRC, our quick reporting addresses are in the same format, except that they start with "quick" instead of "submit", which gives this format:

quick.XXXXXXXXXXXXXXXX[at]spam.spamcop.net

Am I correct? (I haven't used quick reporting for a few years, and I've forgotten how to set it up, or to find out what my quick reporting address is).

Thanks in advance for any help or advice! :D

[EDIT]:

I just found the answer in the SpamCop FAQ, so just ignore my question.

Sorry for any inconvenience! :blush:

Edited by csouter


Yes. The "quick" address is the same as the "submit" address, except one starts with "quick" and the other starts with "submit."

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -

.


SC performance is still dismal; I am getting Gateway Timeouts and am unable to analyse or submit spam. The statistics also have not shown a significant improvement in the last 24 h. Are we going to see SC come back from this?


Yes. The "quick" address is the same as the "submit" address, except one starts with "quick" and the other starts with "submit."

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -

.

Thanks, Don! :D


Please explain. I don't know what you mean by "same protocol."

I understood that the spammer sent spam mails like normal users, but they send a lot. In this sense it is the same protocol and mimic of normal SC server load.

Normally a DOS is different: the attacker "connects" to the server so it has to open a socket for him (allocate memory, resources, and so on), then opens another one, another one, and so on ... sometimes they send pings with garbage, but never close any socket, so it is the server that has to time out or die, see:

$ man 2 connect

Edited by efa


I'm trying to send the 2-day backlog of spams; I can send all, with intermittent behavior. Some went through quickly, most take a long time (more than the promised 6 sec nag screen, and a browser reload does not change the situation), and a few times it ended in a gateway timeout where a reload finally sent. The "Send spam Report Now" button always sent in normal time; it is the parsing phase that took a lot of time. Hope this helps diagnosing.

Note: As all the spams in these down days are about the same, with only 3 .ru and .ua spamvertized domains, I have the doubt that are innocent domains.

Edited by efa


I'm trying to send the 2-day backlog of spams; I can send all, with intermittent behavior. Some went through quickly, most take a long time (more than the promised 6 sec nag screen, and a browser reload does not change the situation), and a few times it ended in a gateway timeout where a reload finally sent.

Note: As all the spams in these down days are about the same, with only 3 .ru and .ua spamvertized domains, I have the doubt that are innocent domains.

Could it be divided out that your slow ones were in the RIPE area?


Could it be divided out that your slow ones were in the RIPE area?

RIPE area for the mail source IP or for the host of the spamvertized links?


RIPE area for the mail source IP or for the host of the spamvertized links?

either/or. I do not have enough spam to tell for sure, but I think my slow ones might be having whois issues with RIPE. This will include both the mail source IP and the link host as the whois portion of the parser works the same on both.


might be having whois issues with RIPE. This will include both the mail source IP and the link host as the whois portion of the parser works the same on both.

mail source was: airtel.in, sanchernet.in, bol.net.in, saudi.net.sa, ttnet.net.tr and sjrb.ca

so not all by RIPE.

Update: for the last ones, all went through very fast


>- I understood that the spammer sent spam mails like normal users, but they send a lot.

OK. I see what you mean.

That hasn't happened for years. We still defend against it, but spammers haven't tried that trick for a long time.

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -

.

Our individual reporting addresses are in this format:

submit.XXXXXXXXXXXXXXXX[at]spam.spamcop.net

IIRC, our quick reporting addresses are in the same format, except that they start with "quick" instead of "submit", which gives this format:

quick.XXXXXXXXXXXXXXXX[at]spam.spamcop.net

Am I correct? (I haven't used quick reporting for a few years, and I've forgotten how to set it up, or to find out what my quick reporting address is).

Thanks in advance for any help or advice! :D

[EDIT]:

I just found the answer in the SpamCop FAQ, so just ignore my question.

Sorry for any inconvenience! :blush:

May I have the direct URL to quick reporting in SpamCop FAQ?


That hasn't happened for years. We still defend against it, but spammers haven't tried that trick for a long time.

I hope the net engineers identified the account responsible for the flooding, and maybe the source of the attack.
