Blocking spam from hostingsolutionsinternational.com

[Vladimir]

Since the outage I'm getting a lot more spam passing the filters than before. About 90% of them are coming from hostingsolutionsinternational.com servers as reported by the Spamcop reporting tool.

What would be the best way to block emails from these servers?

[turetzsr]

Hi, Vladimir,

...My suggestion to you would be to review SpamCop Wiki article "How I Use SpamCop - A Detailed Example - RconneR," especially the section labeled "Improving SpamCop's performance by changing your filter settings." If you have any questions after reading that article, please do not hesitate to follow-up by replying here.

...Good luck!

[Farelf]

Probably best for you to post a tracking URL so other users can see the headers - also your SpamAssassin level etc.

What filters do you have set? (Not a user myself & you would need to log in but I believe that is the right link.)

Some of the spam from Brazil (routing to the hostingsolutionsinternational.com abuse address) has UTF-8 encoding which might offer a context filtering option - just conjecture, you can see the value of the headers in getting to specifics.

Are you using the greylisting feature? That may need to be re-applied after the outages (other SC mail users may be able to advise).

More detail needed for others to get their teeth into the problem.

[Vladimir]

Hi, Vladimir,

...My suggestion to you would be to review SpamCop Wiki article "How I Use SpamCop - A Detailed Example - RconneR," especially the section labeled "Improving SpamCop's performance by changing your filter settings." If you have any questions after reading that article, please do not hesitate to follow-up by replying here.

...Good luck!

That's a great article, thanks!

[turetzsr]

...Glad you found it helpful; thanks for taking the time to let me know! <g>

[Vladimir]

Probably best for you to post a tracking URL so other users can see the headers - also your SpamAssassin level etc.

What filters do you have set? (Not a user myself & you would need to log in but I believe that is the right link.)

Some of the spam from Brazil (routing to the hostingsolutionsinternational.com abuse address) has UTF-8 encoding which might offer a context filtering option - just conjecture, you can see the value of the headers in getting to specifics.

Are you using the greylisting feature? That may need to be re-applied after the outages (other SC mail users may be able to advise).

More detail needed for others to get their teeth into the problem.

Hi Farelf,

one of the tracking URLs is:

http://www.spamcop.net/sc?id=z5846804987z7...8e4480e6c0fd3bz

I have all the blacklists turned on except for brazil and Spamhaus PBL (I have Spamhaus XBL turned on and the instructions say to pick one or the other)

My SpamAsassin level is 3.

I"m not using the greylisting feature. Does that feature work well in your opinion? I want to prevent as many false positives as possible.

The other half of my spam currently comes from itdnet.net, which looks like its located in Bulgaria.

Here's the tracking code for one of them:

http://www.spamcop.net/sc?id=z5849143909z5...c6e43e8ff23459z

Thanks again for all your help!

Vladimir

[DavidT]

Vladimir,

Two comments from me: first, for reducing incoming spam, I've seen lots of positive comments from other CESMail email account customers about greylisting, but it's only useful if the messages being delivered are coming directly to your "spamcop.net" (or "cesmail.net") address, rather than through some sort of forwarding arrangement. If the latter is the case, you wouldn't want to use greylisting.

Second, I've noticed that despite having the SpamCop Blacklist continuously selected in my options for many years, inbound messages originating from SCBL-listed IPs have not been routed into my Held Mail for some months. Most of my incoming messages are automatically forwarded to my spamcop address, so that may be a factor, but it used to work and now it simply doesn't.

According to SenderBase, the IP from one of your samples was indeed on the SCBL, but if your experience is like mine, the messages wouldn't be properly routed to your Held folder, which I consider to be a bug, but the only time anyone gets very excited around here is when the entire system crashes, an increasingly-frequent phenomenon, unfortunately.

DT

[petzl]

Hi Farelf,

one of the tracking URLs is:

http://www.spamcop.net/sc?id=z5846804987z7...8e4480e6c0fd3bz

http://www.spamcop.net/sc?id=z5849143909z5...c6e43e8ff23459z

Thanks again for all your help!

Vladimir

Since Cisco have taken over SpamCop tends more often than not to wrong reporting address?

Could be RIPE denying updates also (limits updates/look-ups)

ip 69.64.53.30 United Arab Emirates (?)

should Go to abuse[at]chociz.com abuse[at]plusserver.de abuse[at]ip-pool.com abuse[at]ippool.com (for ip-pool.com)

Greylisting should but not always stop this mostly does (probably not a email server)

IP 94.155.46.147 (Botnet or zombie) Was going to abuse[at]itdnet.net

REFRESH now gives abuse[at]herehost.com

Greylisting should but not always stop this, mostly does

You need to set-up a Whitelist (friends/contacts) which bypasses ALL block/blacklists including Greylisting

Non-Whitelisted emails get delayed unless they have a (I don't know) but it bypasses Greylisting. Some spammer botnets are onto it? A lot more spam is now by compromised email accounts (USE SECURE PASSWORDS SC email PW limit is 30 Alphanumeric characters Capitals Lower case and Characters like = -

Get a windows program to check abuse addresses

Also send to CERT abuse address these are Government agencies not all take SC reports but you can forward spam to them from your trash folder (include in forward body the SpamCop "message"

Re: IP_ADDRESS (Administrator of network where email originates)

Windows MailWasher is a must have (easy auto mated reporting from SpamCops Email server not your email client