Jump to content
Sign in to follow this  
rsachris

Why are my emails blocked if smtp service used

Recommended Posts

I have a dedicated web server 41.86.112.72. My customers are advised to use mail.theirdomainname as incoming server and smtp.theirispname as outgoing. Some persist in using mail.theirdomainname as the outgoing server.

If a customer then sends out mail deliberately or unintentionally that is regarded as spam it can result in the server being blocked.

I accept that this can happen and try to discipline customers to not send out possible spam, but obviously have little control over this.

I have a number of questions:

1. How can I identify which email address is responsible for the problem?

2. I was told that most smtp services use a bank of mail servers and randomly pick a server to send out from, thus limiting the chances of being blocked. Is this correct?

3. I've told my customers that if they use their ISP's smtp service there is little chance of being blocked. Ids this correct?

4. I use my ISP's smtp service (smtp.afrihost.co.za) but my emails are now being returned because my web server (41.86.112.72) is blocked. How can this be? Here's one message:

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

rogerc[at]rolyfin.co.za

(ultimately generated from roger[at]certsa.co.za)

SMTP error from remote mail server after RCPT TO:<rogerc[at]rolyfin.co.za>:

host mxc02.mxrc.co.za [196.35.198.158]: 550-rejected because 41.86.112.72 is in a black list at bl.spamcop.net

550 Blocked - see http://www.spamcop.net/bl.shtml?41.86.112.72

If I am using smtp.afrihost.co.za (which is not on my server) and not mail.mydomain why is the web server reported? Is it possible that spamcop has identified the web server of my domain (and therefore my email address) and listed it as the offending server? If that's the case won't that affect all domains on my server, even if they are using their ISPs?

I'm very confused, help please.

Share this post


Link to post
Share on other sites

I've now established that one of the email accounts on our server was hacked and was sending out spam. We've changed the password.

I've also been told that the spam vigilantes ignore the actual sending server and blacklist the server that owns tyhe sending domain. This would explain why my web server has been blacklisted.

Now I'm told that UCE Protect will only de-list the server on 5 March unless we pay something over $100 (I can't remember the actual amount, but it might be $ 180. Nothing short of blackmail, especially as we've stopped the violation.

I'd still welcome comments and answers to my questions above.

Thanks

Share this post


Link to post
Share on other sites

When I looked up IP address 41.86.112.72 it wasn't listed on Spamcop's list, but it was listed on the dnsbl-1.uceprotect.net list. Their lookup page mentions that the IP address had tried to deliver mail to spamtraps. If what the uceprotect folks have reported is correct, this is something that will need to be investigated.

Spamcop doesn't actually block mail, it's usually the recipient's email provider who blocks email. It's possible that the server that has blocked your email has taken a look at the received header lines in the incoming email, and identified your server as one of the systems through which the blocked email has passed. (Blocking mail on the basis of received headers other than the most recent one is something that makes me mildly uneasy, but that's another issue.)

edit: it looks like you discovered the Uceprotect listing before I submitted my reply. My advice is to save your money, seeing as an automatic delisting will happen in a few days.

Edited by lisati

Share this post


Link to post
Share on other sites

Hi rsachris,

Since the overwhelming majority of all SMTP traffic is spam (see, as an attempt to "sample" the flow, http://www.senderbase.org/static/spam/), the "spam vigilantes" are (effectively) the intended receiving networks trying to retrieve some "signal" from the "noise" on behalf of their clients. And yes, when it comes to SpamCop, the relaying server tends to be the one singled out for listing - it can't really be otherwise when you're looking at 200 billion messages a day from a potential 4294967296 (232) sources in IPv4 space alone. Many ISPs/networks block/disallow port 25 SMTP outgoing from dynamically-allocated IP addresses anyway (if not, there are other blocklists just for those).

SC actually tries to help mail administrators by "instantly" providing detailed reports of all (human) reported spam which would fairly-well identify the specific, individual, accounts responsible - often before listing on the SCbl and usually before listing on any of the "sterner" RBLs (sorry, if a spamtrap has been hit no such report of that instance and listing is rapid, but only dyed-in-the-wool spammers hit those and SC listings auto-expire within 24 hours of the spam stopping anyway). You are within the aserv.co.za netspace and reports for that go to abuse[at]mweb.com (per whois.afrinic.net) which was dumbly "bouncing" each and every one and SC has now stopped sending them. Maybe the abuse.net contact was tried earlier (abuse[at]aserv.co.za), only the professional SC staff could say - but that still isn't you.

You can get your own summary reports (not as useful of course), see http://www.spamcop.net/fom-serve/cache/94.html - in fact you would do well to glance at all of Help for abuse-desks and administrators. Unfortunately not "just anyone" can get the detailed reports. Spammers would just love to get their hands on those (allowing them to "listwash" and then the entire internet community can forget about the "bother" of e-mail confirmed opt-in for the mass-marketing of moody goods and services too illegal or too lame to compete in the open market).

Hope that resolves some of the confusion. Feel free to put on your kicking boots and talk to aserv/mweb. If they didn't want reports all they had to do was say so. If they wanted to help you (and their other clients) then they would want reports.

Share this post


Link to post
Share on other sites

Hi rsachris,

Since the overwhelming majority of all SMTP traffic is spam (see, as an attempt to "sample" the flow, http://www.senderbase.org/static/spam/), the "spam vigilantes" are (effectively) the intended receiving networks trying to retrieve some "signal" from the "noise" on behalf of their clients. And yes, when it comes to SpamCop, the relaying server tends to be the one singled out for listing - it can't really be otherwise when you're looking at 200 billion messages a day from a potential 4294967296 (232) sources in IPv4 space alone. Many ISPs/networks block/disallow port 25 SMTP outgoing from dynamically-allocated IP addresses anyway (if not, there are other blocklists just for those).

SC actually tries to help mail administrators by "instantly" providing detailed reports of all (human) reported spam which would fairly-well identify the specific, individual, accounts responsible - often before listing on the SCbl and usually before listing on any of the "sterner" RBLs (sorry, if a spamtrap has been hit no such report of that instance and listing is rapid, but only dyed-in-the-wool spammers hit those and SC listings auto-expire within 24 hours of the spam stopping anyway). You are within the aserv.co.za netspace and reports for that go to abuse[at]mweb.com (per whois.afrinic.net) which was dumbly "bouncing" each and every one and SC has now stopped sending them. Maybe the abuse.net contact was tried earlier (abuse[at]aserv.co.za), only the professional SC staff could say - but that still isn't you.

You can get your own summary reports (not as useful of course), see http://www.spamcop.net/fom-serve/cache/94.html - in fact you would do well to glance at all of Help for abuse-desks and administrators. Unfortunately not "just anyone" can get the detailed reports. Spammers would just love to get their hands on those (allowing them to "listwash" and then the entire internet community can forget about the "bother" of e-mail confirmed opt-in for the mass-marketing of moody goods and services too illegal or too lame to compete in the open market).

Hope that resolves some of the confusion. Feel free to put on your kicking boots and talk to aserv/mweb. If they didn't want reports all they had to do was say so. If they wanted to help you (and their other clients) then they would want reports.

Hi Farelf, Lisati

Thanks for the responses. I'll be checking the links and following up with MWeb (not that I expect to get anywhere with them). I'm certainly not going to give in to extortion (UCEProtectL) and will just have to wait until we're unblocked.

The strange thing is that some emails are getting through to seriously protected networks; those are the ones I'd expect to be rejected?

Ho hum.......

Share this post


Link to post
Share on other sites

...

The strange thing is that some emails are getting through to seriously protected networks; those are the ones I'd expect to be rejected?

Ho hum.......

The networks are all different in the protection they use at any given time. All part of life's rich tapestry, eh? :) All the more reason to get on top of spammer abuse. Once your server starts getting reported it tends to get listed on more and more RBLs and reputation scores go down too. Before long you might be widely blocked and, as you know, it is not so easy to fight your way back out of some of those lists.

Good luck!

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×