caquino (Author), posted August 25, 2004

> Well ... what can I do to prevent such problem?.. I'm blocked but I'm not a spammer..

> ...Have you done what I suggested in my reply in this thread?

Yeah.. but we have about 1 million users.. I think agnew is not the only one that reports spam to spamcop.. My server has 1 report.. and the report is made today.. The server is blocked without any time to do the reply to the spamcop mail. My problem is if another user does the same thing and I have to stay another 48hrs blocked.

turetzsr, posted August 25, 2004

> ...Have you done what I suggested in my reply in this thread

> Yeah.. but we have about 1 million users.. I think agnew is not the only one that reports spam to spamcop.. My server has 1 report.. and the report is made today.. The server is blocked without any time to do the reply to the spamcop mail. My problem is if another user does the same thing and I have to stay another 48hrs blocked.

...Wazoo was trying to lead you to what you can do to correct the problem. I would suggest you write to the SpamCop deputies (deputies <at> spamcop <dot> net) to explain the problem and perhaps s/he can explain what you should do.

Wazoo, posted August 25, 2004

You have block 200.155.11.195

http://www.spamcop.net/w3m?action=checkblo...=200.155.11.195
200.155.11.195 not listed in bl.spamcop.net

However;

http://www.senderbase.org/?searchBy=ipaddr...=200.155.11.195

Volume Statistics for this IP
                Magnitude   Vol Change vs. Average
Last day        3.9         376%
Last 30 days    4.0         514%
Average         3.3

> I think agnew is not the only one that reports spam to spamcop.. My server has 1 report.. and the report is made today

The SpamCop formula for listing/de-listing doesn't work like this. Looking at the Senderbase data, those types of numbers usually represent a new server (not likely as Senderbase also shows "Date of first message seen from this address 2004-07-05") or a problem with either a compromised server or infected machine on your network.

Merlyn, posted August 25, 2004

Wazoo, I have a question. Isn't the bottom line here the spam still went through their server? All they want to do is let the person who is sending it get blocked and leave their server alone even though if the source is blocked it will still go through their server which isn't blocked and the sh** will still flow like diarrhea. Is this just a crappy outlook or am I missing something?

Wazoo, posted August 25, 2004

No, you're right. This server does appear to be passing the wrong stuff. But I was just trying to focus on the alleged problem of one of the network's users reporting and the resultant output was being mis-directed. The commentary so often seen over in the newsgroups is that blocking these output servers isn't really the right thing to do for SpamCop .. theory being that a situation like this will get picked up by one of the other BLs, be it proxy or relay issues. That's the way I'm looking at it, anyway.

There's been a note dropped to Deputies for a heads up anyway, so hopefully, there'll be some kind of additional data provided from whatever they can see from the logs there. (Though fearing that all we might see is a "handled via e-mail" note)

dbiel, posted August 25, 2004

Received: (qmail 11205 invoked from network); 25 Aug 2004 19:43:33 -0000
from unknown (192.168.1.101) by blade1.cesmail.net with QMQP; 25 Aug 2004 19:43:33 -0000
from waxbill.mail.pas.earthlink.net (207.217.120.41) by mailgate.cesmail.net with SMTP; 25 Aug 2004 19:43:32 -0000
from [10.4.120.184] (helo=crow) by waxbill.mail.pas.earthlink.net with smtp (Exim 3.36 #1) id 1C03gC-00045a-00 for xxxx[at]spamcop.net; Wed, 25 Aug 2004 12:43:32 -0700
from specialoffers.onvia.com ([66.250.53.37]) by crow (EarthLink SMTP Server) with SMTP id 1c03Gxxxxx3NZFlS0 for <xxxxx[at]uffdxxxx.com>; Wed, 25 Aug 2004 12:43:29 -0700 (PDT)

I will color code the headers so you can see how a chain should flow. You should be able to follow a direct hand off between servers. You will notice a problem with the last hand off in this message, but since it is an internal SpamCop handoff it is taken care of.

Is there any way that your servers can acknowledge each other in a consistent way? Check the way Earthlink hands off between servers.

Wazoo, posted August 25, 2004

This back from Ellen;

Hi - thanks I fixed this. Re the SB numbers -- they may have a spammer(s) or compromised machine(s) smarthosting thru 200.155.11.195. Every other ISP in the world seems to so I don't know why they would be immune to that. If you want to post the above go ahead -- I won't be over to the forums til later tonite or early tomorrow.

Thanks
Ellen

Please include all previous correspondence with replies

----- Original Message -----
From: "Wazoo"
To: "SpamCop, Deputies"
Sent: Wednesday, August 25, 2004 3:29 PM
Subject: 200.155.11.195 issues

> http://forum.spamcop.net/forums/index.php?showtopic=2464
> Just so you're not caught unaware .... just checked and this
> IP is NOT listed, but Senderbase shows probable issues (?)

StevenUnderwood, posted August 26, 2004

> Delivered-To: CLUSTERHOST bloco-02.gmail.comdominio.com.br agnew <at> supernet <dot> com <dot> br -> BLOCO-02 DELIVERYNG TO THE OTHER CLUSTER MACHINE

I believe this is your problem. There is no RFC compliant (Received:) header inserted by bloco-02 saying it received the message from bloco-05. The Delivered-To: would be inserted by bloco-05 saying where it put the message, not the way the SpamCop parser works. SpamCop can only implicitly trust the last server (because that would be the server of the reporter) and work the parse backward until it no longer can trust what it is being told.

0. You say you get your mail from A (A trusted implicitly)
1. Received from B by A (A says A got it from B, B trusted)
2. Received from C by B (B says B got it from C, C trusted)
3. Delivered to C (C does NOT say where it got the message from, no chain)
4. Received from E by D (D got it from E, ignored as forgery, trust can not be determined)

Merlyn, posted August 26, 2004

Thanks Wazoo!

Ellen, posted August 26, 2004

> You've explained your setup well, you even admit seeing the problem, as you attempted to explain it again .... but you're missing the point. The SpamCop parser is an automated tool to perform this analysis, and as such, doesn't make these judgment calls, or make decisions on things that might "look" OK to you, me, or anyone else. The parser just tries to follow the flow of the spew from one server to the next .. and what I'm pointing out to you is that this "chain" is broken in your example. Instead of each server reporting where it got the e-mail from, your sample shows that it came in here, ducked into a hole there, and popped out on the other side, and arrived in the user's InBox. The SpamCop parser doesn't do "holes" .....

Tagging on here in the thread -- we've got this one solved.

Wazoo, posted September 2, 2004

> Tagging on here in the thread -- we've got this one solved.

Can "we" ask for something to help close out and explain the actual issue/solution? The whole day spent on this one, 3 pages worth of postings, and only a "solved" remark? One is left with the question as to whether this whole attempted support attempt was just spitting in the wind because the right question wasn't asked or was the solution a magical flag set on one of the SpamCop engines?

Ellen, posted September 2, 2004

> Can "we" ask for something to help close out and explain the actual issue/solution? The whole day spent on this one, 3 pages worth of postings, and only a "solved" remark? One is left with the question as to whether this whole attempted support attempt was just spitting in the wind because the right question wasn't asked or was the solution a magical flag set on one of the SpamCop engines?

Sure, I would be happy to tell you what I did if I could figure out the IP and remember what I did ... hrmmmmm what I did was to set a flag to say that 200.155.11.195 was a valid relaying server which forces the parser to continue. I guess I thought that was obvious when I answered your email, I guess it was only obvious to me.

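The backward trust walk StevenUnderwood lays out (steps 0 to 4) and the relay flag Ellen describes, as an added Python sketch that is not part of the thread and is not SpamCop's parser. The host names, the sample headers and the `forced_relays` parameter are constructed assumptions.

```python
import re

# Pulls the "from" and "by" host names out of one Received: header line.
RECEIVED = re.compile(r"^Received:\s*from\s+(\S+).*?\bby\s+([^\s;]+)", re.I | re.S)

# Constructed sample, newest header first, mirroring steps 1 to 4 in the thread.
SAMPLE = [
    "Received: from b.example by a.example with SMTP; 25 Aug 2004 19:43:33 -0000",
    "Received: from c.example by b.example with SMTP; 25 Aug 2004 19:43:32 -0000",
    "Delivered-To: CLUSTERHOST c2.example user@c.example",  # no Received: a hole
    "Received: from e.example by d.example with SMTP; 25 Aug 2004 19:43:29 -0000",
]

def trace_source(headers, reporter_mx, forced_relays=frozenset()):
    """Walk trace headers newest-first. Returns (blamed_host, trusted_hops)."""
    trusted = reporter_mx.lower()   # step 0: the reporter's own server
    blamed, hops = None, []
    for line in headers:
        m = RECEIVED.match(line)
        sender, receiver = (m.group(1).lower(), m.group(2).lower()) if m else (None, None)
        if m and receiver == trusted:
            pass                    # a trusted host vouches for this hop
        elif blamed in forced_relays:
            if not m:
                continue            # hole inside a flagged relay: keep walking
        else:
            break                   # chain broken: headers below may be forged
        hops.append((sender, receiver))
        blamed = trusted = sender   # the sender is the next host to verify
    return blamed, hops

if __name__ == "__main__":
    print(trace_source(SAMPLE, "a.example"))                    # stops at the hole
    print(trace_source(SAMPLE, "a.example", {"c.example"}))     # flag set on C
```

Without the flag the walk stops at the host that wrote no Received: header and blames it; with the flag the walk continues to the next hop that host's cluster recorded.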
Wazoo, posted September 2, 2004

OK, you got me <g> I was heading towards dropping a note that I hadn't seen e-mail from anybody there since .... then noticed that I had actually posted your response to this one ... sorry, there's been so many servers listed lately and I was obviously thinking of another Topic when I posted that last request for additional data .. apologies and thanks.

Ellen, posted September 2, 2004

> OK, you got me <g> I was heading towards dropping a note that I hadn't seen e-mail from anybody there since .... then noticed that I had actually posted your response to this one ... sorry, there's been so many servers listed lately and I was obviously thinking of another Topic when I posted that last request for additional data .. apologies and thanks.

NP -- and you don't have to tell me about "so many servers" :-)