lars_holmqvist

Need to know reason for temporary blockade of 195.84.162.34


Hi,

I work for LINK Mobility, a provider of messaging mainly in the Nordics. Recently some of our outgoing IPs have been temporarily blocked.

When I check the URL http://www.spamcop.net/bl.shtml?195.84.162.34 it simply says we aren't blocked, and I see no history of why the blocking took place at all.

Yesterday one of our customers got blocked so they couldn't send mail to themselves. We have an SPF-record in place allowing us to send on their behalf.

fastighetsvarlden.se text = "v=spf1 mx a:regular a:socks1.sp247.net a:socks2.sp247.net a:socks3.sp247.net a:socks4.sp247.net ~all"

2013-10-24 08:16:19,857 WARN [com.teletalk.send.emailcontrolunit.SmtpConnection Id 195889 to mail.bahnhof.se/213.136.33.1, address:anki.eriksson[at]fastighetsvarlden.se] - RCPT for anki.eriksson[at]fastighetsvarlden.se 554 Service unavailable; Client host [195.84.162.34] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?195.84.162.34 (from noreply[at]fastighetsvarlden.se)

The IP 195.84.162.34 is socks1.sp247.net just to clarify.

So I wonder why this blocking has occurred?

The mail content was this (original in Swedish, translated here):

<html>
<head>
</head>
<body>
<p>Last chance. Today at 15.00 we close the voting to crown "Mäktigaste 2013" (Most Powerful 2013). If you haven't voted yet, this is your last chance. It's tight at the top, and also around who makes the top-50 list. <a href="http://www-fastighetsvarlden-se.web.temp.st/cgi-bin/vote.cgi">Vote here</a>!</p>
</body>
</html>

And there was a PDF file attached.

Best regards,

Lars Holmqvist

LINK Mobility

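As an added illustration (not part of any post in this thread), the following Python models the two checks that matter in the bounce quoted above: evaluating the posted fastighetsvarlden.se SPF record against the sending IP, and the reverse-octet DNSBL lookup a Postfix server performs against bl.spamcop.net before it ever looks at SPF. DNS answers come from a constructed in-memory table so it runs offline; the record text and socks1.sp247.net = 195.84.162.34 are taken from the thread, while the MX host, the other socks*.sp247.net addresses and the DNSBL answer are assumptions.

```python
import ipaddress
import re

# Constructed DNS view standing in for live lookups. The SPF record text and
# socks1.sp247.net = 195.84.162.34 come from the thread; every other value is
# an assumption drawn from documentation ranges (192.0.2.0/24, 198.51.100.0/24).
DNS = {
    ("fastighetsvarlden.se", "TXT"): [
        "v=spf1 mx a:regular a:socks1.sp247.net a:socks2.sp247.net "
        "a:socks3.sp247.net a:socks4.sp247.net ~all"
    ],
    ("fastighetsvarlden.se", "MX"): ["mail.fastighetsvarlden.se"],  # assumed
    ("mail.fastighetsvarlden.se", "A"): ["192.0.2.10"],             # assumed
    ("socks1.sp247.net", "A"): ["195.84.162.34"],                   # from the thread
    ("socks2.sp247.net", "A"): ["192.0.2.2"],                       # assumed
    ("socks3.sp247.net", "A"): ["192.0.2.3"],                       # assumed
    ("socks4.sp247.net", "A"): ["192.0.2.4"],                       # assumed
    # `a:regular` is a bare label; it is queried literally and resolves to nothing here.
    # Modelled DNSBL answer at the time of the bounce: 127.0.0.2 = listed (assumed).
    ("34.162.84.195.bl.spamcop.net", "A"): ["127.0.0.2"],
}

QUALIFIERS = {"+": "pass", "": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records for (name, type) from the constructed table; [] = no answer."""
    return DNS.get((name, rtype), [])


def check_spf(sender_ip, domain):
    """Evaluate the mechanisms the posted record uses (mx, a:<host>, all) for one IP.

    Mechanisms are tried left to right; the first one that matches decides, and
    its qualifier gives the result. Only these three mechanisms are handled,
    which is all the record in the thread needs."""
    ip = ipaddress.ip_address(sender_ip)
    spf = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if len(spf) != 1:
        return "none" if not spf else "permerror"
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)(all|mx|a)(?::(\S+))?", term)
        if not m:
            return "permerror"  # a mechanism this small evaluator does not know
        qualifier, mech, target = m.groups()
        if mech == "all":
            return QUALIFIERS[qualifier]
        hosts = lookup(domain, "MX") if mech == "mx" else [target or domain]
        for host in hosts:
            if any(ipaddress.ip_address(a) == ip for a in lookup(host, "A")):
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no `all`


def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """Reverse the IPv4 octets and append the zone, as Postfix does for reject_rbl_client."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_listed(ip, zone="bl.spamcop.net"):
    """A 127.0.0.x A record means listed; no answer means not listed."""
    return any(a.startswith("127.0.0.") for a in lookup(dnsbl_query_name(ip, zone), "A"))


def smtp_decision(sender_ip, mail_from_domain):
    """Order the checks the way the bounce shows them: the DNSBL rejection happens
    regardless of SPF, so a valid SPF record cannot lift the block."""
    if dnsbl_listed(sender_ip):
        return ("554", f"Client host [{sender_ip}] blocked using bl.spamcop.net")
    return ("250", f"spf={check_spf(sender_ip, mail_from_domain)}")


if __name__ == "__main__":
    print(check_spf("195.84.162.34", "fastighetsvarlden.se"))
    print(dnsbl_query_name("195.84.162.34"))
    print(smtp_decision("195.84.162.34", "fastighetsvarlden.se"))
```

Running it shows the point of the thread: the sending IP passes SPF for the customer domain, yet the 554 is produced anyway because the DNSBL check is independent of the sender's authorisation. Swap the constructed table for a real resolver to use the same logic against live DNS.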

- Client host [195.84.162.34] blocked using bl.spamcop.net; Blocked
- see http://www.spamcop.net/bl.shtml?195.84.162.34

195.84.162.34 = socks1.sp247.net was removed from our list on Thursday, October 24, 2013 00:38:33 -0600 because the spam stopped for some reason.

I'm sorry to report that the server is sending spam to our spamtraps. We know for a fact that our trap servers accurately record the source IP when they get mail.

A spamtrap is an unused address whose sole reason for existence is to see if people will send unsolicited mail to it. Sending mail to nonexistent addresses is proof-positive that email addresses are being added to a mailing list without the address owner's permission. Or the machine has been compromised and is suddenly sending spam.

We guard our traps like gold for fear of revealing the email addresses, which is why we don't send any reports about the spam they get, so I'm afraid there aren't many details I can share with you.

This partial header is the most I can share with you:

Received: from socks1.sp247.net (socks1.sp247.net [195.84.162.34])
by [Our Trap Server] (Postfix) with SMTP id x
for <x>; Wed, 23 Oct 2013
Date: Wed, 23 Oct 2013
From: <noreply.cns[at]nasdaqomx.com>
Subject: =?utf-8?Q?KONECRANES_OYJ_-_KOLMANNELL?=
 =?utf-8?Q?A_VUOSINELJ=C3=84NNEKSELL=C

These days, the most common problem is backdoor spam-sending spyware that has been installed by a Trojan or worm. The server may be suffering from an open proxy port exploit, or may have been compromised by some other means. The reason the mail doesn't show up in your logs is that the spammer uses his own SMTP engine to send the mail after he connects to the open port.

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -


Hi,

I work for LINK Mobility, a provider of messaging mainly in the Nordics. Recently some of our outgoing IPs have been temporarily blocked.

When I check the URL http://www.spamcop.net/bl.shtml?195.84.162.34 it simply says we aren't blocked, and I see no history of why the blocking took place at all.

There appear to be no 'human' reports in the last 90 days, so the only thing I can suggest is that you (they) may have been hitting spamtraps. An email to admins[at]spamcop.net will confirm or deny this, but they may take a little while to reply, so you should be patient. Senderbase currently shows a 238% increase of traffic from that IP; is there a good reason for this? If not, you may have a zombied machine on your network.

Oops, it seems Don has beaten me to it, and I was right :)


Hi,

Thank you for the information. Now I at least know that it was Nasdaq OMX that has hit one of your spamtraps. Since people need to sign up for their emails it is a bit odd your spamtrap has appeared on their lists though.

I will investigate further and see exactly what they have sent.

Thanks again for the help.

Best regards, Lars

Quoting the post above (post 86339, Oct 28 2013, 09:15 AM):

Since people need to sign up for their emails it is a bit odd your spamtrap has appeared on their lists though.

I will investigate further and see exactly what they have sent.

It might pay you to investigate how 'people need to sign up'. There are 'best practice' suggestions in the FAQ. Confirmed opt-in is the way to go, apparently. If a never-used spamtrap is hit, it strongly suggests that best practice is not being followed, as a spamtrap would never confirm an opt-in.


It might pay you to investigate how 'people need to sign up'. There are 'best practice' suggestions in the FAQ. Confirmed opt-in is the way to go, apparently. If a never-used spamtrap is hit, it strongly suggests that best practice is not being followed, as a spamtrap would never confirm an opt-in.

Indeed, I have asked them how this could have happened at all and am waiting for a reply. If they don't have validation on the entered address, the most likely explanation is that your spamtrap has been compromised and one of our competitors has added it to Nasdaq's list to hurt us, but I really hope that isn't the case.


Indeed, I have asked them how this could have happened at all and am waiting for a reply. If they don't have validation on the entered address, the most likely explanation is that your spamtrap has been compromised and one of our competitors has added it to Nasdaq's list to hurt us, but I really hope that isn't the case.

Should be "double opt-in", sometimes called "confirmed opt-in" (COI).

A legitimate marketer should be able to provide evidence of this!

Also if sent from/through your email server a compromised account perhaps?

Spamtrap addresses are harvested by programs called spiders, so it doesn't matter if the trap gets "hit"; they are never volunteered or used.

Nasdaq could be using a "bent" marketer, or it is simply a joe job; "Russian" crime gangs operate these.

It would take much, much more than 1 spamtrap hit for the SCBL to activate. A reported spam submission counts a lot higher than a spamtrap hit. So this makes me think this is deliberate (spamtrap addresses are not that hard to "scrape"). That is why double opt-in is so important; each email should contain a WORKING unsubscribe.


...Good post, petzl, except, AIUI, for:

A reported spam submision counts a lot higher than a spamtrap hit.
...Actually, it's the other way 'round. See SpamCop FAQ article labeled "What is on the list?"
The SCBL uses Spamtrap reports to weight total reports. For spamtrap scores less than 6, the SCBL multiplies by 5 the quantity of spamtrap reports and adds this to the report score. For larger spamtrap scores, the SCBL squares the quantity. Examples:
  • If an IP address has 2 spamtrap reports and 3 SpamCop user-reported reports, its weighted score is 13: (2 * 5) + 3 = 13.
  • If a host has 7 spamtrap reports and 3 manual reports, its weighted score is 52: (7 * 7) + 3 = 52.

So spam Trap hits count as at least 5x a user report.

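The FAQ weighting quoted in the post above is a small piecewise formula, so here it is as a runnable Python function (an added example, not code from SpamCop or from anyone in the thread). It reproduces the two FAQ examples and exposes how many user reports a single spamtrap report is worth at a given trap count, which is the point the two posters disagree about. The FAQ text quoted here gives the weighting but not the listing threshold, so the code computes the score only and assumes nothing about when a listing occurs.

```python
def scbl_weighted_score(spamtrap_reports, user_reports):
    """Weighted report score as described in the SpamCop FAQ 'What is on the list?':
    fewer than 6 spamtrap reports count 5 each, 6 or more are squared,
    and user reports are then added unweighted."""
    if spamtrap_reports < 0 or user_reports < 0:
        raise ValueError("report counts cannot be negative")
    if spamtrap_reports < 6:
        trap_component = 5 * spamtrap_reports
    else:
        trap_component = spamtrap_reports ** 2
    return trap_component + user_reports


def user_reports_per_trap_report(spamtrap_reports):
    """How many user reports one spamtrap report is worth at this trap count:
    a flat 5 below the knee at 6, then equal to the trap count itself (7 traps -> 7 each)."""
    if spamtrap_reports == 0:
        return 0
    return scbl_weighted_score(spamtrap_reports, 0) // spamtrap_reports


def score_table(max_traps):
    """Rows of (spamtrap_reports, score with zero user reports), to show the
    knee where the 5x rule hands over to squaring."""
    return [(n, scbl_weighted_score(n, 0)) for n in range(max_traps + 1)]


if __name__ == "__main__":
    print(scbl_weighted_score(2, 3))   # FAQ example: (2 * 5) + 3
    print(scbl_weighted_score(7, 3))   # FAQ example: (7 * 7) + 3
    for traps, score in score_table(8):
        print(traps, score, user_reports_per_trap_report(traps))
```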

...Good post, petzl, except, AIUI, for: ...

...Actually, it's the other way 'round. See SpamCop FAQ article labeled "What is on the list?" So spam trap hits count as at least 5x a user report.

The "equation" changes with no user reports was my understanding?

The equation provided is with a user report.

The SCBL once would not block without confirmation of a user report.

Now that it does, and from my reading in prior SC newsgroups, spamtrap reports alone are/were counted LESS than an actual report? But as people are now reluctant to report spam, this may be updated to rely more on spamtrap hits.

The equation then changes when backed up by a user report

http://www.spamcop.net/fom-serve/cache/297.html

The IP is a high-volume sender, so it must be hitting a lot of traps in the 48-hour rotation to get blocked, indicating a spam spider is feeding the mail list, as it is only spamtraps it is hitting.

https://www.senderscore.org/lookup.php?look...mp;ipLookup.y=5

The "equation" changes with no user reports was my understanding?

The eqaution provided is with a user reort

The SCBL once would not block without confirmation of a user report.

<snip>

...If you can find a reference to that, please let me know!

