Blocked again


ankur

Hi,

I'm a webhost and my server has been blocked again by spamcop.

I haven't received any of the spam mails or headers from spamcop and so, can't even start locating the spammer.

Does anyone know how I can get this information?

Ankur

The bad part is that you say "again" ... I was going to go see if I could delve up some of the data that you didn't provide, but also noted that this is Post #1 for you, so there wouldn't appear to be anything previous here to go look at.

You say "web-host" but then say "server is blocked" ... First of all, SpamCop doesn't have the capability to block anything, much less get involved with blocking of a web-site/host. SpamCop does run a DNSbl, but this is a list of IP addresses associated with sourcing spam spew. So is it possible that you are also running an e-mail server? This would have been much easier had you provided an IP to look up, a rejection notice that stated who and why they stated that you were blocked .. please follow SteveT's advice, then follow up with some data that can be looked at in order to try to offer an answer.

Hi,

I'm sorry for not being clear.

I am running a mail server too and people that host with us get access to the POP and SMTP server too.

In this case, one of them has been sending spam.

Someone reported this spam and spamcop added my IP address (67.18.128.178) to the blocked list.

From the link http://www.spamcop.net/w3m?action=blcheck&ip=67.18.128.178 this has happened 3 times.

Now, I understand that spamcop doesn't and can't block any server.

It's the servers that use spamcop's blocked list that block out mails from my IP.

I'm not blaming spamcop or the ISPs that use the spamcop blocked list (I apologize if the wording of my first post implied this).

So, let me explain what happened this time round:

Firstly, I got to know that spam was being sent from my server when I couldn't send mails to some addresses and received a link to spamcop in the mail delivery failure message.

When I checked at that time, my IP had been listed 2 times in 5-6 days or so.

So, I set up better mail logging and waited.

When the user spammed again, I was able to figure out who it was and warned them (next step is to terminate their account, if they spam again).

As you can see, I got to know about the spam situation after it was reported 2 times in 5-6 days and was able to catch them after another round of spamming.

I was wondering if there is a quicker way - if I could get the email headers of the mail when spam from my IP is reported, I could check my logs and get to the bottom of the problem faster.

I don't care about the TO and CC headers - just the FROM, timestamp and subject.

As I understand it, spamcop does send spam reports.

So, my question is how can I sign up to start receiving spam reports for 67.18.128.178?

Thanks in advance.

Ankur

Edit: I'm also aware that if the user doesn't spam again, my IP will be delisted in 48 hours.

Thanks for the excellent follow-up and the actions taken thus far in handling the situation. The first issue starts with the following data ...

Parsing input: 67.18.128.178

host 67.18.128.178 = calvin.globedomain.com (cached)

Reporting addresses:

abuse[at]theplanet.com

Do you have direct relations with these folks? You can also ask to be set up as an "interested third-party", but will note that due to past abuse of this option, a large number of reporters will uncheck this address in the outgoing reports. But, you can head to http://www.spamcop.net/fom-serve/cache/94.html to check this option out.

Now the 'evidence' page is showing

Listing History

In the past 8.6 days, it has been listed 3 times for a total of 6.6 days

This listing is based on a bit of a mathematical model, including things like e-mail traffic "seen", spam reported, spamtrap hits, and time .... Last I knew, there was a 2% threshold, and the listing time itself ranges from a minimum of a half-hour to the maximum of 48 hours after the spew stops ... it appears that you've been close to the tipping point throughout most of this listing time, so if you've your spammer's attention, you'll probably drop off the list fairly quick.

Just to add another possible avenue of exploration to Wazoo's excellent post:

If you follow the senderbase link on the blocklist lookup page you will see an almost 1500% increase in output in the last day. Could it be that you have a compromised machine with hacked/unauthorised throughput rather than a spamming customer? Worth exploring? What server software are you using? There is a very helpful FAQ on sealing down Exchange, which comes with some very nasty defaults set 'on'. Sorry if this is teaching my grandmother to suck eggs but I was alarmed by the increase in traffic.

Edit: sorry, make that 2000%
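
The two questions raised in the posts above (which account is sending, and whether the volume jump comes from a customer login or from a compromised machine) can both be answered from outbound mail logs. The following is an added example, not code from the thread: the log format, field names, thresholds and sample lines are assumptions and must be adapted to the mail server actually in use.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Hypothetical log format (an assumption; adapt the regex to your MTA's log):
#   <ISO timestamp> auth=<SMTP AUTH user or "-"> rcpts=<recipient count>
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} auth=(\S+) rcpts=(\d+)$")

def hourly_volume(lines):
    """Return {sender: Counter({hour: recipients})}; malformed lines are skipped."""
    volume = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hour, user, rcpts = m.groups()
        # No SMTP AUTH user: mail injected locally or relayed, which points
        # at a compromised script or open relay rather than a customer login.
        sender = "(unauthenticated)" if user == "-" else user
        volume[sender][hour] += int(rcpts)
    return volume

def find_spikes(lines, factor=10, floor=50):
    """Flag senders whose busiest hour is >= factor x their usual hourly volume."""
    flagged = []
    for sender, hours in hourly_volume(lines).items():
        peak_hour, peak = hours.most_common(1)[0]
        others = [n for h, n in hours.items() if h != peak_hour]
        baseline = median(others) if others else 0
        if peak >= floor and peak >= factor * max(baseline, 1):
            flagged.append((sender, peak_hour, peak, baseline))
    return sorted(flagged, key=lambda f: -f[2])

# Constructed sample data, not taken from any real server.
SAMPLE_LOG = (
    [f"2005-03-01T{h:02d}:05:00 auth=alice rcpts=2" for h in range(8, 12)]
    + [f"2005-03-01T{h:02d}:10:00 auth=bob rcpts=3" for h in range(8, 11)]
    + [f"2005-03-01T11:{m:02d}:00 auth=bob rcpts=40" for m in range(0, 20)]
    + [f"2005-03-01T12:{m:02d}:30 auth=- rcpts=25" for m in range(0, 4)]
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for sender, hour, peak, baseline in find_spikes(SAMPLE_LOG):
        print(f"{sender}: {peak} recipients in hour {hour} (usual: {baseline})")
```

A flagged named account gives the hour to pull message headers for; a flagged "(unauthenticated)" entry means the mail did not come through a customer's SMTP login at all.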

Hi all,

Thanks for your help and patience.

I've sent a mail to sign up for third party reports and will try to get my datacenter (thePlanet.com) guys to allow me to receive administrative reports for my IPs.

Yes, I think I had better check if the server's been compromised, while I'm at it.

Doesn't hurt to check more, but does hurt to check less :)

Thanks a lot

Ankur

Hi, Ankur,

...We thank you! This thread is a shining example of how this forum should work. Your patience and willingness to work to solve the problem is very much appreciated.
