starion

First time blocked...

Our servers at 24.123.106.83 and 85 have been blocked for the first time. Since we use SpamCop on our own server, I have had to disable it to allow our users' email to go through.

Both reports (if you could call them reports) state 10 complaints or less.

We (as the ISP) have never received ANY communication or emailed reports from SpamCop.

We believe a 2-hour error in setup may have allowed our system to be compromised for relaying.

Please advise as to how we can get the reports (if there are legitimate problems, we will respond to them) and get de-listed.

Thank you.

Jeff J.

Unfortunately hits that only go to spam traps do not generate reports. You need to contact deputies at spamcop.net to find out exactly what kind of hits they were (common causes: automatic virus reports or sending email bounces, SMTP/Auth exploits or open proxies/relays). You might check with them just in case it was not the relay problem.

If you have fixed the relay problem, your listing will probably age off quickly (when no more reports of spam are made). Since the list is automatic, unless there is an error on SpamCop's part, nothing can be done about the listing. The purpose of the listing is to prevent others from getting spam while you fix the problem. I am not sure, but I think delisting takes into account the history as well as how fast the problem gets fixed - no history and fast correction will mean a shorter stay on the bl - the longest is 48 hours after the last spam report (which is based on the date stamp in the spam, not when it was reported).

Next time you have a problem, check the spamcop bl as the last thing you do after fixing the problem to see if spammers have used your computers. Since I am not an admin, I don't have any more specific advice.

Miss Betsy

According to the information found in the ARIN database and Abuse.net, reports would be sent to: abuse[at]rr.com

Your account seems to be a commercial RoadRunner account, so you'll need to ask them for copies of any reports sent by SpamCop...those reports would have the details.

I just looked at the "history" on the first IP and found some spams like this:

Submitted: Sunday, July 25, 2004 17:30:33 -0700:

Enlarge yo-ur* pe`n,i_s _. today .-. ptayeefp

1136069687 ( 24.123.106.83 ) To: abuse[at]rr.com

(that's the report number that RR.com might need)

Most of the items in the "history" on that IP are from a very brief time window on Sunday, as you described, but there are two older reports still on file:

Submitted: Wednesday, July 21, 2004 16:46:57 -0700:

Lose 19%, powerful weightloss now available where you are.

1127696645 ( 24.123.106.83 ) To: abuse[at]rr.com

Submitted: Tuesday, July 13, 2004 16:21:50 -0700:

Lose 19%, powerful weightloss now available where you are.

1111720697 ( 24.123.106.83 ) To: abuse[at]rr.com

Was that IP also yours on those two dates? In any case, unless you can get RoadRunner to change the contact information in the ARIN database for those IP numbers, you won't receive reports...but wait...there's a way for "interested third parties" to get reports on specific IP addresses...I don't know much about it, but you might contact a SpamCop deputy at:

deputies (at) admin.spamcop.net

David T.

Yes, that is our STATIC IP. So I guess spamcop has listed us as a result of my own reporting. Just great.

Jeff J.

Yes, always.

But it's not unusual to see spam reports go to our upstream provider. So why would I have flagged it mentally?

Edited by starion

Okay, so I'm a bonehead for submitting a faulty report on my own IP.

BUT, what kind of a parser can't even check to see if the reports about an IP are from the same IP that's reporting? How simple is that???

Jeff J.

Not as simple as you seem to think, since the reporter does not need to be at the IP that receives the messages.

There is the mailhost configuration that was designed (in part) to eliminate this problem. Have you configured it yet?

It's not the sender's IP I'm concerned about.

If I'm sitting at 192.168.1.1 (or any other IP on the planet) and sending a report about 24.123.106.83 using the mail server at 24.123.106.83, then I'm probably reporting myself.

I guess I can see that in the scenario of a large provider, one AOL user could be sending reports about spam coming out of the same server...

In any case, our listing was removed, and our abuse email address was added as an interested party, so at least I can see where the problem is if it happens again.

Jeff J.

> It's not the sender's IP I'm concerned about.

Not sure what this line is referring to. You were responding to a suggestion to run through the mail-host configuration, which relates to "your" IP / mail host string of your incoming e-mail ....

> Not as simple as you seem to think, since the reporter does not need to be at the IP that receives the messages.

This is what I was referring to.

Jeff J.

> If I'm sitting at 192.168.1.1 (or any other IP on the planet) and sending a report about 24.123.106.83 using the mail server at 24.123.106.83, then I'm probably reporting myself.

1. The parser does not look at the headers of the message being used to submit the spam message. This could be changed if it were worth the effort, but....

2. Many people don't use any mail server to report spam. The only time that would work was during email submission of spam, not for web based submission or for submission from the email system (VER or webpage).

3. Many people use a different mail server to submit their spam than they received it on. Think forwarding.

4. Many ISPs use different servers for incoming and outgoing so the IPs would not match. The reports only look at the incoming (Received) headers.

Again, your problem is one of the reasons that the mailhost configuration was implemented. You show spamcop all the paths that a message can get to you and it stores that information so it can compare during the parse.

In the end, it is YOU that is sending the report to the ISP claiming the IP is a source of spam. It is YOUR responsibility for that information to be accurate, or YOUR reporting privileges can be revoked.
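
The following is an added illustration, not part of the original thread and not SpamCop's actual parser: a simplified Python walk over the Received headers showing why a list of the reporter's own mail hosts changes which IP is identified as the source. The function names, the `mailhosts` set and the sample message (documentation-range addresses) are constructed for this example.

```python
import email
import ipaddress
import re

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: 203.0.113.77 hands spam to the reporter's own server
# (198.51.100.10), which forwards it to a second mailbox host. The bottom
# header was written by the sender and cannot be trusted.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [198.51.100.10])
\tby mx.mailbox.example with ESMTP id A1; Sun, 25 Jul 2004 17:20:05 -0700
Received: from unknown (unknown [203.0.113.77])
\tby mail.example.net with SMTP id B2; Sun, 25 Jul 2004 17:20:01 -0700
Received: from fake.example (fake.example [192.0.2.1])
\tby unknown with SMTP; Sun, 25 Jul 2004 17:19:00 -0700
From: sender@fake.example
Subject: constructed sample

body
"""

def connecting_ip(received_value):
    """Return the bracketed peer IP recorded in one Received header, or None."""
    match = BRACKETED_IP.search(received_value)
    if not match:
        return None
    try:
        return str(ipaddress.ip_address(match.group(1)))
    except ValueError:  # e.g. [999.1.1.1]
        return None

def find_source(raw_message, mailhosts):
    """Walk Received headers newest-first and return the first peer IP that is
    not one of the reporter's own hosts. A header is only believed if the host
    that wrote it is known, so the walk stops at the first unknown peer and
    never reads the (possibly forged) headers below it. Returns None when
    every hop is a known host or a header has no parsable IP."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        ip = connecting_ip(value)
        if ip is None:
            return None
        if ip not in mailhosts:
            return ip
    return None

if __name__ == "__main__":
    print("no mailhosts configured:", find_source(SAMPLE, set()))
    print("own server registered:  ", find_source(SAMPLE, {"198.51.100.10"}))
```

With an empty host list the reporter's own forwarding server is named as the source; once it is registered, the walk continues one hop further and stops at the host that actually injected the message.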
