vidarh

What can I do to make sure I receive reports?

Yesterday I discovered one of our hosts was in the SCBL. I looked things over, and thought we'd eliminated the source, and requested delisting. But this morning it was listed again, and with some more work I uncovered a compromised user account that was being used to send spam. Killed the processes, and I'm in the process of wiping everything clean, and I've amped up our logging of mail activity on our firewall.

(The ip address is 195.224.183.208)

However, I'm wondering what I can do to ensure I receive reports in the future?

In the past our ISP has forwarded reports as they've received them, with suitably ominous language about "taking it very seriously", but recently they seem to have gotten quite useless at this. We've heard nothing about this most recent block, for example, despite the summary report listing 1695 spamtrap hits. I'm not happy about that, and we're requesting an explanation for why they've not passed anything on.

And as much as I'd love to change colo (not *just* because of this, but it's part of a pattern), that's not a quick process... Our /29 is registered to them, and so I assume that's why we've not seen any reports even though the IP in question in this case reverse maps to our domain name.

Is there a general way of requesting full reports even if the net block is not registered to us? (Sorry if this is in the FAQs - I couldn't find it.) I receive summary reports now, but the full reports would make it much faster for us to track down the exact source.

If there's no general way, is there anyone I can talk to who could help with this? I'm of course happy to provide full details.

Thanks in advance.


> Yesterday I discovered one of our hosts was in the SCBL. I looked things over, and thought we'd eliminated the source, and requested delisting. But this morning it was listed again, and with some more work I uncovered a compromised user account that was being used to send spam. Killed the processes, and I'm in the process of wiping everything clean, and I've amped up our logging of mail activity on our firewall.
>
> (The ip address is 195.224.183.208)
>
> However, I'm wondering what I can do to ensure I receive reports in the future?
>
> Is there a general way of requesting full reports even if the net block is not registered to us? (Sorry if this is in the FAQs - I couldn't find it.) I receive summary reports now, but the full reports would make it much faster for us to track down the exact source.
>
> If there's no general way, is there anyone I can talk to who could help with this? I'm of course happy to provide full details.
>
> Thanks in advance.

The email server appears to be infected (Botnet)

http://cbl.abuseat.org/lookup.cgi?ip=195.224.183.208

This link advises how to eliminate the infection.

How can I get SpamCop reports about my network?

http://www.spamcop.net/fom-serve/cache/94.html

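The CBL lookup page linked in the reply above is a web front end to a DNS-based blocklist, and the same check can be scripted against any DNSBL zone. The following is an added example, not code from the thread or from SpamCop or the CBL: it builds the reversed-octet query name, treats an answer in 127.0.0.0/8 as a listing, and first verifies that a zone is actually alive using the RFC 5782 test addresses, because a dead or withdrawn zone otherwise looks identical to "not listed". The zone names are this example's assumptions (bl.spamcop.net for the SCBL, cbl.abuseat.org for the CBL), and the resolver is injectable so the logic can be exercised offline with a stub.

```python
import ipaddress
import socket

# DNSBL zones queried. bl.spamcop.net is the SCBL the thread is about and
# cbl.abuseat.org is the zone behind the CBL lookup page; the zone list is
# this example's assumption, not something the thread states.
ZONES = ("bl.spamcop.net", "cbl.abuseat.org")


def dnsbl_name(ip, zone):
    """Build the query name: the address's octets reversed, then the zone.

    195.224.183.208 in bl.spamcop.net becomes 208.183.224.195.bl.spamcop.net.
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def check_ip(ip, zones=ZONES, resolve=socket.gethostbyname):
    """Return {zone: answer} for every zone that lists ip.

    A listing is an A record inside 127.0.0.0/8. NXDOMAIN (raised by the
    resolver as an OSError / socket.gaierror) means "not listed".
    """
    listings = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_name(ip, zone))
        except OSError:  # no such name: not listed in this zone
            continue
        if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            listings[zone] = answer
    return listings


def zone_is_sane(zone, resolve=socket.gethostbyname):
    """RFC 5782 section 5: a working DNSBL must list 127.0.0.2 and must
    not list 127.0.0.1. Run this before trusting an empty check_ip result,
    because a dead zone is indistinguishable from a clean address."""
    must_list = check_ip("127.0.0.2", (zone,), resolve)
    must_not_list = check_ip("127.0.0.1", (zone,), resolve)
    return zone in must_list and zone not in must_not_list


if __name__ == "__main__":
    target = "195.224.183.208"  # the address from the thread
    for zone in ZONES:
        state = "ok" if zone_is_sane(zone) else "NOT responding as a DNSBL"
        print(f"{zone}: {state}")
    print(target, check_ip(target) or "not listed")
```

Run as a script it performs live DNS queries; the listing codes returned (the last octet of the 127.x answer) are zone-specific and documented by each list operator, so they are reported verbatim rather than interpreted here.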

> In the past our ISP has forwarded reports as they've received them, with suitably ominous language about "taking it very seriously", but recently they seem to have gotten quite useless at this. We've heard nothing about this most recent block, for example, despite the summary report listing 1695 spamtrap hits. I'm not happy about that, and we're requesting an explanation for why they've not passed anything on.
>
> Is there a general way of requesting full reports even if the net block is not registered to us? (Sorry if this is in the FAQs - I couldn't find it.) I receive summary reports now, but the full reports would make it much faster for us to track down the exact source.
>
> If there's no general way, is there anyone I can talk to who could help with this? I'm of course happy to provide full details.
>
> Thanks in advance.

First, thank you very much for your efforts to clean up your server and reduce the amount of spam in the world. It really is very much appreciated.

As regards spamtrap hits, don't blame your ISP - NO REPORTS ARE SENT! This is to protect the security of the spamtraps.

Lastly, this is from the FAQ, but I don't know if it helps, as it refers only to summary reports:

How can I get SpamCop reports about my network?

Report routing

Anyone may receive summary reports about any netspace they specify. To receive reports, first create an ISP account.

Once you have logged in with your new account, use the "Request Reports" menu item to specify which networks you would like to receive reports about. At any time, you may use the "show routes" menu item to view which networks you are configured to receive reports about.

In addition, your ISP account allows you to spot-check any IP address for recent reports. 


> The email server appears to be infected (Botnet)
>
> http://cbl.abuseat.org/lookup.cgi?ip=195.224.183.208
>
> This link advises how to eliminate the infection.

Thank you for the reply, but please see the first paragraph I wrote. I am fully aware of this. I did find the "infection" (actually it was a stupid user with an insecure password that had been guessed) after it was blocked again this morning.

> How can I get SpamCop reports about my network?
>
> http://www.spamcop.net/fom-serve/cache/94.html

As I said in my original message, I have already signed up for the summary reports. My question is about the full reports, to make it easier for me to respond and identify the source quickly.

I've read that link, and it only covers the summary reports.

Thanks anyway.

Edited by vidarh


> As regards spamtrap hits, don't blame your ISP - NO REPORTS ARE SENT! This is to protect the security of the spamtraps.

I knew they wouldn't send out much details, but no reports at all? Oh well.

In any case, according to the summary report there were user reports as well, and we haven't seen those either, and I know my ISP has forwarded those in the past.

Hopefully there is a way... I've raised this with both our account manager and our ISPs support/abuse team but I'm not holding my breath about getting them to react.

Thanks anyway.


> As I said in my original message, I have already signed up for the summary reports. My question is about the full reports, to make it easier for me to respond and identify the source quickly.

Looks to me like the IP is still hitting spamtraps?

https://www.senderscore.org/lookup.php?look...mp;ipLookup.y=2

The reports sent are going to abuse[at]gxn.net?

The SpamCop block list is the least of your problems!

Hit Hotmail's and they block your server IP permanently.

The same has happened to SpamCop email; you are not alone.

Is there a way for you to limit your customers to, say, a maximum 10-recipient list?

Naive users are a problem in giving passwords away or using insecure ones.

Suggest a format that all user passwords start with: the first letter of the name (Joe), the number of the home post box (007), an equals sign (=), then their alphanumeric password containing a capital letter and no fewer than 8 alphanumerals (paSSword10), for example J007=paSSword10.

Edited by petzl

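The original post describes finding a compromised account whose password had been guessed, and the reply above suggests a per-customer recipient cap. Both conditions are visible in the mail server's own authentication and queue logs, and the following added example (not code from the thread, and not from any MTA vendor) shows the detection logic run over a constructed log excerpt: it correlates SASL authentication failures from a client address with a later successful login from the same address (the signature of a guessed password rather than a typo), and it tallies per-user message and recipient counts against thresholds. The log lines are in Postfix's smtpd/qmgr format, which is an assumption since the thread never names the MTA; the client addresses are documentation ranges and the user names are invented.

```python
import re
from collections import defaultdict

# Constructed Postfix-style log excerpt for this example (assumed format; the
# thread does not say which MTA was in use). 203.0.113.5 guesses joe's
# password, logs in, and submits two messages with ~50 recipients each.
SAMPLE_LOG = """\
Jan 16 08:40:01 mx postfix/smtpd[2001]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jan 16 08:40:02 mx postfix/smtpd[2001]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jan 16 08:40:03 mx postfix/smtpd[2001]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jan 16 08:40:04 mx postfix/smtpd[2001]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Jan 16 08:41:10 mx postfix/smtpd[2001]: 1A2B3C4D5E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=joe
Jan 16 08:41:10 mx postfix/qmgr[1500]: 1A2B3C4D5E: from=<joe@example.co.uk>, size=2310, nrcpt=48 (queue active)
Jan 16 08:41:12 mx postfix/smtpd[2002]: 2B3C4D5E6F: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=joe
Jan 16 08:41:12 mx postfix/qmgr[1500]: 2B3C4D5E6F: from=<joe@example.co.uk>, size=2310, nrcpt=50 (queue active)
Jan 16 08:45:30 mx postfix/smtpd[2003]: 3C4D5E6F7A: client=host.example.org[198.51.100.7], sasl_method=PLAIN, sasl_username=alice
Jan 16 08:45:30 mx postfix/qmgr[1500]: 3C4D5E6F7A: from=<alice@example.co.uk>, size=900, nrcpt=2 (queue active)
Jan 16 08:46:00 mx postfix/qmgr[1500]: 4D5E6F7A8B: from=<news@example.net>, size=5000, nrcpt=1 (queue active)
"""

AUTH_FAIL = re.compile(r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed")
AUTH_OK = re.compile(r"(?P<qid>[0-9A-F]{6,}): client=\S+\[(?P<ip>[\d.]+)\],.*\bsasl_username=(?P<user>\S+)")
QUEUED = re.compile(r"(?P<qid>[0-9A-F]{6,}): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)")


def collect(log_text):
    """Walk the log once. Returns (per_user, failures) where
    per_user[user] = {"messages", "recipients", "max_nrcpt", "client_ips"}
    and failures[ip] = number of SASL authentication failures from ip."""
    failures = defaultdict(int)
    qid_user = {}  # queue id -> authenticated submitter (smtpd line precedes qmgr line)
    per_user = defaultdict(lambda: {"messages": 0, "recipients": 0,
                                    "max_nrcpt": 0, "client_ips": set()})
    for line in log_text.splitlines():
        if (m := AUTH_FAIL.search(line)):
            failures[m["ip"]] += 1
        elif (m := AUTH_OK.search(line)):
            qid_user[m["qid"]] = m["user"]
            per_user[m["user"]]["client_ips"].add(m["ip"])
        elif (m := QUEUED.search(line)):
            user = qid_user.get(m["qid"])
            if user is None:  # inbound or unauthenticated mail: not a submission
                continue
            n = int(m["nrcpt"])
            stats = per_user[user]
            stats["messages"] += 1
            stats["recipients"] += n
            stats["max_nrcpt"] = max(stats["max_nrcpt"], n)
    return per_user, failures


def findings(log_text, max_rcpt=10, max_msgs=50, max_failures=3):
    """Flag accounts that look compromised. max_rcpt=10 follows the recipient
    cap suggested in the thread; the other thresholds are illustrative."""
    per_user, failures = collect(log_text)
    out = []
    for user, stats in sorted(per_user.items()):
        if stats["max_nrcpt"] > max_rcpt:
            out.append(("recipient_limit", user, stats["max_nrcpt"]))
        if stats["messages"] > max_msgs:
            out.append(("volume", user, stats["messages"]))
        # Repeated failures from a client that then authenticates as this user
        # is a guessed password, not a user mistyping their own.
        for ip in sorted(stats["client_ips"]):
            if failures[ip] >= max_failures:
                out.append(("guessed_password", user, ip))
    return out


if __name__ == "__main__":
    for kind, user, detail in findings(SAMPLE_LOG):
        print(f"{kind:17} {user:8} {detail}")
```

On a real Postfix host the per-message recipient cap itself is `smtpd_recipient_limit` (default 1000); note that it bounds recipients per message only, so an account that has already been taken over can still push a large volume of small messages, which is why the volume and guessed-password checks above are the ones that catch the case the original poster describes.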

Doesn't appear to be an abuse.net entry for aardvarkmedia.co.uk - if you are able to set one up that may go some way to you being able to access reports (from some sources at least).

Also, there appear to have been changes to the abuse handling of your network IP address allocation, according to a RIPE lookup. SpamCop, as has been said, would forward reports (concerning reporter submissions only, not spamtrap hits) to abuse[at]gxn.net. But RIPE says:

% Information related to '195.224.183.0/24AS5413'

route:      195.224.183.0/24
descr:      Vialtus Solutions
origin:     AS5413
member-of:  AS5413:RS-CUSTOMER
remarks:
remarks:    ------------------------------------------------------
remarks:
remarks:    Please direct Abuse complaints to mailto:abuse[at]vialtus.com
remarks:    Complaints directed elsewhere will not be actioned.
remarks:
remarks:    ------------------------------------------------------
remarks:
mnt-by:     AS5413-MNT
source:     RIPE # Filtered

So maybe that is part of the problem?

Actually, although the SCBL listing may have been due to spamtrap hits, there have been a number of reporter submissions (generating reports) in recent days which could have helped you with their detail. Only the earliest of those was "on the books" when you first registered with this forum; they are, in summary:

________________________________________________________________
Submitted: Thursday, 17 January 2013 12:28:45 AM +0800:
Attention please
5902339514 ( 195.224.183.208 ) To: [concealed user-defined recipient]
5902339513 ( 195.224.183.208 ) To: abuse[at]gxn.net
________________________________________________________________
Submitted: Wednesday, 16 January 2013 8:50:17 AM +0800:
I liked your photos
5902126777 ( http://rallyrollef.okis.ru/index.html ) To: postmaster[at]mnogobyte.ru
5902126776 ( 195.224.183.208 ) To: abuse[at]gxn.net
________________________________________________________________
Submitted: Tuesday, 15 January 2013 8:25:04 AM +0800:
I am looking for a serious relationship with a man
5901628967 ( http://vk.cc/1bL43z ) To: cfo[at]vkontakte.ru
5901628966 ( 195.224.183.208 ) To: abuse[at]gxn.net
________________________________________________________________
Submitted: Tuesday, 15 January 2013 8:25:02 AM +0800:
Lady looking a man for serious relationship
5901628910 ( http://7chmqv0.pisem.su/ ) To: abuse[at]relax.ru
5901628909 ( http://7chmqv0.pisem.su/ ) To: abuse[at]mtu.ru
5901628908 ( 195.224.183.208 ) To: abuse[at]gxn.net
________________________________________________________________
Submitted: Monday, 14 January 2013 10:27:35 PM +0800:
Pending Invoice
5901512529 ( http://itliterate.com.au/pending/notifications/... ) To: abuse[at]aussiehq.com.au
5901512528 ( http://itliterate.com.au/pending/notifications/... ) To: abuse[at]aussiehq.com.au
5901512527 ( http://itliterate.com.au/pending/notifications/... ) To: abuse-arf[at]aussiehq.com.au
5901512526 ( http://itliterate.com.au/pending/notifications/... ) To: abuse-arf[at]aussiehq.com.au
5901512525 ( http://itliterate.com.au/pending/notifications/... ) To: abuse-arf[at]uber.com.au
5901512524 ( http://itliterate.com.au/pending/notifications/... ) To: abuse-arf[at]uber.com.au
5901512523 ( http://itliterate.com.au/pending/notifications/... ) To: abuse[at]uber.com.au
5901512522 ( http://itliterate.com.au/pending/notifications/... ) To: abuse[at]uber.com.au
5901512521 ( 195.224.183.208 ) To: abuse[at]gxn.net
________________________________________________________________

Perhaps you should write to the SpamCop Administrator (Don D'Minion) about the report routing, which looks like it has been unchanged since 2004. His address is: service[at]admin.spamcop.net

Thanks for your anti-spam efforts and I hope this helps you to further progress them.

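The route object quoted in the post above is the kind of record you have to read to find out where abuse reports for a block are actually routed, and the answer here is buried in free-text remarks rather than in a dedicated attribute. As an added example (not code from the thread, from SpamCop, or from RIPE), here is a small reader for RIPE-style RPSL whois output: it splits the output into objects, prefers a proper abuse-mailbox attribute when one exists, and otherwise falls back to addresses (including mailto: and "[at]"-obfuscated ones) in remarks that mention abuse. The whois_query helper does a live port-43 query and is not exercised by the offline checks; the parsing is run on a copy of the record above and on a constructed record carrying an abuse-mailbox attribute, which is where the RIPE database now publishes abuse contacts.

```python
import re
import socket

# Copy of the route object shown in the post above (constructed sample for
# this example; whitespace normalised).
SAMPLE_ROUTE = """\
% Information related to '195.224.183.0/24AS5413'

route:          195.224.183.0/24
descr:          Vialtus Solutions
origin:         AS5413
member-of:      AS5413:RS-CUSTOMER
remarks:
remarks:        ------------------------------------------------------
remarks:        Please direct Abuse complaints to mailto:abuse[at]vialtus.com
remarks:        Complaints directed elsewhere will not be actioned.
remarks:        ------------------------------------------------------
mnt-by:         AS5413-MNT
source:         RIPE # Filtered
"""

# Constructed record in the form RIPE uses today: the abuse contact is a
# dedicated attribute on a role object, not a remark. Values are invented.
SAMPLE_ROLE = """\
role:           Example Abuse Desk
address:        Example Street 1
abuse-mailbox:  abuse@example.net
remarks:        Historic contact, do not use: old-abuse@example.net
nic-hdl:        EAD1-RIPE
source:         RIPE
"""

EMAIL_RE = re.compile(r"[\w.+-]+(?:@|\[at\])[\w-]+(?:\.[\w-]+)+", re.IGNORECASE)


def whois_query(query, server="whois.ripe.net", port=43):
    """Raw whois over TCP (RFC 3912). Live network call; not used offline."""
    with socket.create_connection((server, port), timeout=10) as sock:
        sock.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def parse_objects(text):
    """Split whois output into objects: a list of lists of (attribute, value).
    '%' lines are server comments; a blank line ends an object; a line that
    is not 'attr: value' continues the previous attribute."""
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        m = re.match(r"^([\w-]+):\s*(.*)$", line)
        if m:
            current.append((m.group(1).lower(), m.group(2).strip()))
        elif current:
            attr, value = current[-1]
            current[-1] = (attr, (value + " " + line.strip()).strip())
    if current:
        objects.append(current)
    return objects


def abuse_contacts(text):
    """Return de-duplicated abuse addresses, most authoritative first:
    abuse-mailbox attributes, then addresses in remarks that mention abuse."""
    found = []
    for obj in parse_objects(text):
        for attr, value in obj:
            if attr == "abuse-mailbox":
                found.extend(EMAIL_RE.findall(value))
        for attr, value in obj:
            if attr == "remarks" and "abuse" in value.lower():
                found.extend(EMAIL_RE.findall(value))
    result = []
    for addr in found:
        addr = addr.replace("[at]", "@").lower()
        if addr not in result:
            result.append(addr)
    return result


if __name__ == "__main__":
    print(abuse_contacts(SAMPLE_ROUTE))   # from the remarks of the quoted object
    print(abuse_contacts(whois_query("195.224.183.208")))  # live lookup
```

The fallback to remarks is deliberately second choice: remarks are free text maintained by hand, which is exactly how a stale contact such as the one in the thread ends up receiving reports for years.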

...Another approach that might work for you: review my reply in SpamCop Forum article "Summary Reports Received."

...Good luck!

The reality is that this provider sucks at email and needs to consider turning over accounts to people who can provide reliable email service.

http://multirbl.valli.org/dnsbl-lookup/195.224.183.208.html

It presently seems near a world record at being listed by 26 blacklists?

Gmail will handle this problem cheaply and effectively.

Edited by petzl

> ...presently seems near a world record at being listed by 26 blacklists? ...

I think practically all of those were listed in the past several days; it was effectively only listed on CBL and (IIRC) Technovision ST when the O/P started looking for answers. We all know what damage a spammer/hacker can do, and how quickly, when they get a chance. The network/domain (aardvarkmedia.co.uk) appears to have been remarkably "clean" for years before that AFAICT and should be given credit for that, I reckon.


> I think practically all of those were listed in the past several days; it was effectively only listed on CBL and (IIRC) Technovision ST when the O/P started looking for answers. We all know what damage a spammer/hacker can do, and how quickly, when they get a chance. The network/domain (aardvarkmedia.co.uk) appears to have been remarkably "clean" for years before that AFAICT and should be given credit for that, I reckon.

Senderscore is now turning up 5 from 2, so fewer spamtraps are being hit.

SpamCop's SMTP is 99.

Edited by petzl

