mark

ERROR-Domain reported by spoofed email address.


JeffG,

I just wanted to say thanks for your dedication to this thread.

I'm sure you can appreciate our situation as a result of this issue.

Our users cannot send to spamcop subscribers, and it's affecting the normal business activity.

I need to report to our management why this happened, and when it will be resolved.

Is there any way I can determine the status of our ip address in the database?

If new reports are occurring, then I am not being notified from the arin address you provided.

The link to edit the arin entry doesn't appear to work for me.

I must ensure this issue will be resolved asap. I expect if new reports are occurring, then I will need the full headers to analyse and determine the cause.

If no new reports are occurring, then since when? How much of the 48 hour period has lapsed, or is the counter being reset?

Thanks.


Mark,

I wish I could help you further regarding this issue. Emailing the Deputies is definitely the way to go in this case. Please do. Thanks!


Jeff,

Below is the only information SPAMCOP is providing. Can you tell me how often this posted information is updated?

http://www.spamcop.net/w3m?action=checkblo...=66.241.135.153

A sample sent sometime during the 24 hours beginning Wednesday, January 28, 2004 7:00:00 PM -0500:

Received: from -.-.com (-.-.com [66.241.135.153])-

by -.-.-.- (-.-.-.-.-) with - id -

for <-[at]-.com>- Thu, - Jan 2004 - -

Subject: business - specialists - id -

From: de.. at ..li.fr

Ok Jeff,

Can you provide a contact who can assist me further?

Thanks again.

"deputies at spamcop.net" constructed as an email address.

Jeff,

Below is the only information SPAMCOP is providing. Can you tell me how often this posted information is updated?

http://www.spamcop.net/w3m?action=checkblo...=66.241.135.153

A sample sent sometime during the 24 hours beginning Wednesday, January 28, 2004 7:00:00 PM -0500:

Received: from -.-.com (-.-.com [66.241.135.153])-

by -.-.-.- (-.-.-.-.-) with - id -

for <-[at]-.com>- Thu, - Jan 2004 - -

Subject: business - specialists - id -

From: de.. at ..li.fr

Last I heard, it was as realtime as possible. However, there are sometimes synchronization or propagation delays between the true database and the dns and web representation of its contents. The pages you should be checking are as follows:

http://www.spamcop.net/w3m?action=checkblo...=66.241.135.153

http://openrbl.org/ip/66/241/135/153.htm

http://moensted.dk/spam/?addr=66.241.135.153


Thanks again for the links.

Are you seeing some reason why our ip is still listed at spamcop?

The only place our ip is listed from the links provided is spamcop.

The only information provided with any reference to date is below.

~~~~

A sample sent sometime during the 24 hours beginning Wednesday, January 28, 2004 7:00:00 PM -0500:

~~~~~

This appears to be the same information, and is not being updated.

Are you seeing something I don't?

I have sent mail to the address you suggested, asking for assistance in determining if we are queued for delisting, or if new reports are being added.

I am unable to update the abuse contact info, as the link fails.

http://www.abuse.net/addnew.html

You did provide me with header information that allowed me to find the cause of the listing in the first place. Do you have any additional headers indicating our ip address is still routing spam?

Thanks.

I am unable to update the abuse contact info, as the link fails.

http://www.abuse.net/addnew.html

You did provide me with header information that allowed me to find the cause of the listing in the first place. Do you have any additional headers indicating our ip address is still routing spam?

I think John is having some server or connectivity problems with his abuse.net domain. That page is cached at http://216.239.41.104/search?q=cache:gCjG-...&hl=en&ie=UTF-8

I don't work for SpamCop, I am a volunteer. I don't have access to any more information about your listing than you do. I wish I did. Given the timing, I would suspect that there's been at least one mole report in the past 48 hours.

Thanks again for the links.

Are you seeing some reason why our ip is still listed at spamcop?

...

Do you have any additional headers indicating our ip address is still routing spam?

The reason your IP is listed is due to spam reports from before you sorted things out.

There aren't any additional headers to show - your IP should be off the list shortly.


Michaell,

I appreciate the reply.

Also, thanks to all for the attention to this matter.

I must congratulate all involved, in providing excellent resources to assist me in resolving this issue.

If I had some assurance that all the necessary steps have been taken to have this IP removed from the spamcop database, I would stop bothering everyone.

Access to the date and time of the last abuse report would prove helpful.

Is this information available anywhere?


Dnsstuff.com reports that our IP is not listed at SpamCop as of roughly 11am est, Feb 1st.

SpamCop website shows the following information for our ip.

~~~~~~~~

66.241.135.153 not listed in bl.spamcop.net

Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users. It has been sending mail consistently for at least 94.7 days. In the past 2.9 days, it has been listed once for a total of 2.8 days

In the past week, this system has:

Been reported as a source of spam less than 10 times

Been witnessed sending mail about 280 times

A sample sent sometime during the 24 hours beginning Wednesday, January 28, 2004 7:00:00 PM -0500:

Received: from -.-.com (-.-.com [66.241.135.153])-

by -.-.-.- (-.-.-.-.-) with - id -

for <-[at]-.com>- Thu, - Jan 2004 - -

Subject: business - specialists - id -

From: de.. at ..li.fr

~~~~~~~~

I have been asked to interpret the information above.

Please correct me if I have it wrong.

My interpretation of the text above is indicated by the 3 >>> characters.

>>>my comment here.

***********START OF TRANSLATION**************

66.241.135.153 not listed in bl.spamcop.net.

>>>IP address 66.241.135.153 is not blocked by subscribers to SpamCop.

Since SpamCop started counting,

this system has been reported less than 10 times by less than 10 users.

>>>IP address 66.241.135.153 has been reported to SpamCop

>>>less than 10 times, from less than 10 recipients of spam.

It has been sending mail consistently for at least 94.7 days.

>>>IP address 66.241.135.153 was first reported to SpamCop 94.7 days ago.

In the past 2.9 days, it has been listed once for a total of 2.8 days

>>>IP address 66.241.135.153 was reported to SpamCop

>>>once in the past 2.9 days.

????????for a total of 2.8 days?????????? ( Please clarify)

In the past week, this system has:

Been reported as a source of spam less than 10 times

>>>IP address 66.241.135.153 was reported to SpamCop less than 10 times

>>>in the past 7 days.

Been witnessed sending mail about 280 times

>>>IP address 66.241.135.153 has 280 spam reports logged at SpamCop

>>>in the past 7 days.

A sample sent sometime during the 24 hours beginning

Wednesday, January 28, 2004 7:00:00 PM -0500:

>>>IP address 66.241.135.153 sent the following smtp header information

>>>between Wednesday, January 28, 2004 7:00:00 PM -0500:

>>>AND

>>>Thursday, January 29, 2004 7:00:00 PM -0500:

Received: from -.-.com (-.-.com [66.241.135.153])-

by -.-.-.- (-.-.-.-.-) with - id -

for <-[at]-.com>- Thu, - Jan 2004 - -

Subject: business - specialists - id -

From: de.. at ..li.fr

>>>The smtp header above has been stripped of all information except the IP

>>>address being tested. The "Received from" indicates the actual sender IP.

************END*******************

Corrections Welcome.

Thanks in advance.


Corrections follow.

It has been sending mail consistently for at least 94.7 days.

>>>IP address 66.241.135.153 was first reported to SpamCop 94.7 days ago.

>>>IP address 66.241.135.153 was first seen sending email to an SCBL subscriber (looked up using 153.135.241.66.bl.spamcop.net) 94.7 days ago.

In the past 2.9 days, it has been listed once for a total of 2.8 days

>>>IP address 66.241.135.153 was reported to SpamCop

>>>once in the past 2.9 days.

????????for a total of 2.8 days?????????? ( Please clarify)

Fixing "now" as the moment you did the lookup ("roughly 11am est, Feb 1st."):

Some time between 7pm EST on the 28th and 7pm EST on the 29th, a report was filed (evidently by a non-mole).

2.9 days ago (roughly 1:30pm EST on 1/29), the second report was filed (possibly the non-mole one above) and 66.241.135.153 was listed by the SCBL.

2.1 days ago (roughly 8:30am EST on 1/30), the last report was filed (evidently by a mole).

0.1 days ago (roughly 8:30am EST on 2/1, 48 hours after the last report was filed), the listing was removed.

Been witnessed sending mail about 280 times

>>>IP address 66.241.135.153 has 280 spam reports logged at SpamCop

>>>in the past 7 days.

>>>IP address 66.241.135.153 was seen sending email to an SCBL subscriber (looked up using 153.135.241.66.bl.spamcop.net) about 280 times total.

Edited by JeffG
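
The lookup name and the 48-hour timeline from the corrections above, worked through as an added example that is not part of the original thread. The function names, the injected `resolve` callable and the exact report timestamps are assumptions for illustration; the report times are the rough estimates given in the post.

```python
import ipaddress
import socket
from datetime import datetime, timedelta, timezone

ZONE = "bl.spamcop.net"              # zone named in the thread
DELIST_AFTER = timedelta(hours=48)   # per the thread: removed 48 h after the last report
EST = timezone(timedelta(hours=-5))

def dnsbl_name(ip, zone=ZONE):
    """Build the query name: IPv4 octets reversed, then the list's zone."""
    addr = ipaddress.IPv4Address(ip)              # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def is_listed(ip, resolve, zone=ZONE):
    """resolve(name) returns the A records as strings, or [] for NXDOMAIN.
    By DNSBL convention (RFC 5782) a listing is an answer inside 127.0.0.0/8;
    any other address (e.g. a wildcard from a parked zone) is not a listing."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return any(ipaddress.ip_address(a) in loopback for a in resolve(dnsbl_name(ip, zone)))

def system_resolve(name):
    """Live resolver for real use; not called by the sample below."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def expected_delisting(report_times):
    """Each new report restarts the clock, so only the latest one matters."""
    return max(report_times) + DELIST_AFTER

def hours_remaining(report_times, now):
    """Hours left on the listing at `now`, floored at zero once it has expired."""
    left = expected_delisting(report_times) - now
    return max(0.0, left.total_seconds() / 3600)

# Constructed sample: the two report times estimated in the post above (year from the thread).
REPORTS = [datetime(2004, 1, 29, 13, 30, tzinfo=EST),
           datetime(2004, 1, 30, 8, 30, tzinfo=EST)]

if __name__ == "__main__":
    print(dnsbl_name("66.241.135.153"))
    print(expected_delisting(REPORTS))
    print(hours_remaining(REPORTS, datetime(2004, 2, 1, 11, 0, tzinfo=EST)))
```

Pass `system_resolve` as the `resolve` argument to query the live list; the sample data runs offline.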


Given Michael's previous post, "8:30am" was probably shortly after 10:43am.
