andrenth Posted August 8, 2013 Share Posted August 8, 2013 Hello I am a network admin for a web hosting provider. Recently (since about 2 weeks ago), we started having servers blocklisted for sending mail to SpamCop spam traps (eg. http://www.spamcop.net/w3m?action=blcheck&...=187.73.32.164). We've never had SpamCop problems before, and we're trying to find out how to fix this, but since there's no report for this kind of blocking, it becomes hard to find who is the misbehaving customer. Is there any way I can find more info about the reasons for these IPs being blocked? Last night we added a new server (187.73.32.201) and this morning it was already blocked (although it doesn't show as blocked right now). Thanks in advance, Andre Link to comment Share on other sites More sharing options...
andrenth Posted August 8, 2013 Author Share Posted August 8, 2013 By the way, I tried contacting deputies[at] but haven't received any replies yet. Link to comment Share on other sites More sharing options...
turetzsr Posted August 8, 2013 Share Posted August 8, 2013 Hi, Andre, ...Thank you for being concerned enough to ask about pursuing the spamming. ...The Deputies are, I understand, rather busy, so it may take a day or three before you see a reply. If you still don't have one by then, you might try again, being brief and not asking for details about the spamtrap hits, which SpamCop will not provide so as to maintain the integrity of the spamtraps. Also include some evidence that you are an admin responsible for the IP address being identified as the spam source. You may also include in the "To" list of your e-mail "service[at]admin.spamcop.net," which is the e-mail address monitored by one of the key SpamCop Deputies, Don D'Minion. ...In the meantime, to find more information about what you can do about finding the spammers, please navigate to the "SpamCop FAQ," links to which appear near the top left of each SpamCop Forum page, and look for articles under the titles "Help for abuse-desks and administrators" and "Assistance stopping spam." ...Good luck! Link to comment Share on other sites More sharing options...
Farelf Posted August 9, 2013 Share Posted August 9, 2013 Hello Andre, Your servers listed at some time recently (but mostly not right now) are shown to be: 187.73.31.210 187.73.32.128 187.73.32.140 187.73.32.152 187.73.32.158 187.73.32.164 187.73.32.165 187.73.32.166 187.73.32.171 187.73.32.172 187.73.32.188 187.73.32.195 187.73.32.196 187.73.32.198 187.73.32.201 In all of those, you currently have no CBL listings (usually a good source of specific information and assistance) - that is unusual, as you say it must be individual "misbehaving" customers rather than zombies using your network. While you are waiting for response from the SpamCop staff, have you looked at SenderScore information? There may be clues there (you need a free account to see much). For instance most - but not all - sending domains using your servers have SPF authentication. Is there anything significant about those few that do not? Link to comment Share on other sites More sharing options...
andrenth Posted August 9, 2013 Author Share Posted August 9, 2013 For instance most - but not all - sending domains using your servers have SPF authentication. Is there anything significant about those few that do not? Thanks for reporting this. We enforce default reject policies in SPF, DKIM and DMARC for all our customers by default, and while they can change the policies, they shouldn't be able to remove the SPF records. I'll investigate what happened to those. Just for the record, the 187.73.31.210 address is not ours. Thanks, Andre Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.