Worldstream.nl

[kenwood]

Why don’t I see many of the IP addresses assigned to worldstream.nl being rejected by the major DNSBLs I use? Even after waiting several hours before checking one of their addresses they still come up clean most times at dnsbl.info. Occasionally I do see the odd single IP address blocked at one of DNSBLs but considering the number of spams my mail server has received relayed through them, it is if they are somehow escaping detection. This is not something new. It has been going on for several months. I finally put a stop to all of them using by using nl.countries.nerd.dk but that is like taking an ax to slice a tomato. It works but isn’t very pretty.

[turetzsr]

Hi, kenwood,

...Well, I don't have any idea how other DNSBLs decide what goes on their list but SpamCop's algorithm is well hinted at in the article in the SpamCop FAQ (links to which appear near the top left of each SpamCop Forum page) labeled "What is on the list?" -- especially in the last section labeled "SCBL Rules." IIUC, the reason any individual IP address that seems to be the source of a great deal of spam does not appear on the SCBL is that the ratio of reported spam to "good e-mail" traffic is relatively low. If Worldstream is a very large e-mail provider, that may be why. Think something like 1 million spam across 30 billion e-mails (I'm not sayting that's the relevant ratio for Worldstream, I just use it as an illustration of the kind of thing that can keep a prolific spam source off the SCBL).

[Farelf]

Hard to say without some specifics but in general absence of listings might indicate one or more of three things

• they're not very prolific spammers on the larger scale
  
• most receiving the stuff do not complain
  
• the ISP has not volunteered dynamic IP ranges for "policy" blocking.
  

Their designated mail exchanger does not seem to be doing much: http://www.senderbase.org/lookup?search_string=93.190.136.4 (not seen by SenderBase) so spam is spread around. Reputation-based blocking would pick up a few of them: http://www.senderbase.org/lookup?search_st...=worldstream.nl (and note ISP's "dereliction" in DNS terms in using a single generic server name for most, none at all for others).

Tempting to imagine they are the internet equivalent of a "rooms by the hour" hotel, yet there is no real evidence. You can "drill down" through http://www.spamcop.net/w3m?action=map to http://www.spamcop.net/w3m?action=map;mask...200;sort=ipsort and go to 217.23.6.0/24 one of the worst of their ranges (note the spam:ham ratio is pretty low), then to http://www.senderbase.org/senderbase_queri...217.23.6.0%2F24 Taking one of those bad IP addresses at random, you will see that one is indeed well-listed: http://multirbl.valli.org/dnsbl-lookup/217.23.6.229.html

I guess you have been hit by spam from outside of the mainstream or there is some "snowshoe" program, perhaps not yet detected by Spamhaus'es specialist detection. Further conjecture seems fruitless at this stage but perhaps the above exploration indicates some of the tools you could use to home in on real answers.

[kenwood]

Thanks to both of you for replying and your suggestions and explanations. After a further check of the logs based on what you said it appears that the spam does originate from worldstream.nl dynamic DHCP type addresses and not from any of their mail servers. It just seemed strange that even though I use several of the more well know DNSBLs in my sendmail.cf including dyna.spamrats.com that there would be so many from worldstream that were not blocked but you mention a lot of valid reasons why that could be that I had not considered. For now blocking all .nl IP addresses is not that big a deal since the only mail I have ever seen pass through our server from .nl has been spam. Thanks again

[ri89]

Thanks to both of you for replying and your suggestions and explanations. After a further check of the logs based on what you said it appears that the spam does originate from worldstream.nl dynamic DHCP type addresses and not from any of their mail servers. It just seemed strange that even though I use several of the more well know DNSBLs in my sendmail.cf including dyna.spamrats.com that there would be so many from worldstream that were not blocked but you mention a lot of valid reasons why that could be that I had not considered. For now blocking all .nl IP addresses is not that big a deal since the only mail I have ever seen pass through our server from .nl has been spam. Thanks again

serious question - why don't people just click the opt out link? there are two - one for the advertiser and one for the company sending the message...just opt out from both.

[Farelf]

serious question - why don't people just click the opt out link? there are two - one for the advertiser and one for the company sending the message...just opt out from both.

Spammers lie. At best (if the request is honoured) this is "list washing" - allowing the spammer to continue in his illicit activities with progressively reduced risk of being held to account. But, all too often, the "opt-out" link is simply used to verify that the address is responsive. Lists of such "verified" addresses have enhanced commercial value. As a general principle, people who never opted in should never opt out. To do so aids the spammers, in generality.

There certainly are instances when opt-out requests are honoured, perhaps without the address being "sold on" - but it is a risk if you don't know how the "advertiser" or list manager got the address in the first place. Why take that risk, why step out of the herd when herd protection is about the only thing you have going for you?

[ri89]

Spammers lie. At best (if the request is honoured) this is "list washing" - allowing the spammer to continue in his illicit activities with progressively reduced risk of being held to account. But, all too often, the "opt-out" link is simply used to verify that the address is responsive. Lists of such "verified" addresses have enhanced commercial value. As a general principle, people who never opted in should never opt out. To do so aids the spammers, in generality.

There certainly are instances when opt-out requests are honoured, perhaps without the address being "sold on" - but it is a risk if you don't know how the "advertiser" or list manager got the address in the first place. Why take that risk, why step out of the herd when herd protection is about the only thing you have going for you?

If you sit in the herd dormant then nothing will change.

You may be confused because you aren't just being hit by one "spammer"...there are several and everyone shares the same advertisers, subject lines, etc so it appears you aren't getting opted out. Most opt out links are legitimate and do work. Obviously this is not in the case of the nigerian scammers offering to send you millions of dollars. Seriously though, what is the big deal? Delete it and get on with your day. Its such a waste of negative energy.

Another point - spamcop retracts the email address of where the mail was sent..if you REALLY want to stop getting mail...leave the address in there. Spammers don't want complaints because thats what gets servers and ESP accounts shut down. Spammers don't want to send you mail if you're going to complain. Plus if someone is complaining and obviously not happy about getting promotions...no one else is going to want to send mail to that record either because they don't want the backlash. Its just not common sense. They already have your e-mail anyway and would be more inclined to pass it on if they believe you *aren't* complaining.

Click every opt out link your can, it goes a long way.

[Farelf]

...You may be confused because you aren't just being hit by one "spammer"...there are several and everyone shares the same advertisers, subject lines, etc so it appears you aren't getting opted out. Most opt out links are legitimate and do work. ...

For worldstream.nl? That's not the case generally but yes, it does work for some - but as you say, it would be hard to tell with such an outfit.

...Seriously though, what is the big deal? Delete it and get on with your day. Its such a waste of negative energy. ...

Most of the diminishing number of mail users who actually see spam these days do just that. This is a place for the "others", the ones who walk away from Omelas, in a figurative sense, though undoubtedly inflating the moral stance somewhat in that analogy. The "negativity" comes from being spammed, we each have our own stories and motivation deriving from that.

...Another point - spamcop retracts the email address of where the mail was sent..if you REALLY want to stop getting mail...leave the address in there. Spammers don't want complaints because thats what gets servers and ESP accounts shut down. ...

Redaction of the receiving address (munged personal detail) is the default, some networks don't accept such reports and there are several ways to address that. Some/many reporters have switched to turning munging off for all their reports.

... Spammers don't want to send you mail if you're going to complain. Plus if someone is complaining and obviously not happy about getting promotions...no one else is going to want to send mail to that record either because they don't want the backlash. Its just not common sense. ...

That's listwashing - an anathema to SpamCop for obvious reasons and as already mentioned. You're not seeing the bigger picture. Fair enough, the topic is worldstream.nl but I have extended it to general philosophy in my comments.

...They already have your e-mail anyway and would be more inclined to pass it on if they believe you *aren't* complaining. ...

They don't have a confirmed, responsive address unless you tell them it is.

...Click every opt out link your can, it goes a long way.

For worldstream.nl, purely on your say-so at this point. Most of us are not so familiar with them as to be able to differentiate between them and all the other spammers out there. I would be willing to give it a try with some reservations - they give no actual indication they are concerned to be seen as spammers, except to perhaps "snoweshoe" their operations to avoid RBL listing which is the opposite to a reassuring sort of concern. But then I'm not actually being spammed by them at the moment.