caquino

Error in spamcop block

Well ... what can I do to prevent such a problem? I'm blocked but I'm not a spammer.

...Have you done what I suggested in my reply in this thread?

Yeah... but we have about 1 million users. I think agnew is not the only one that reports spam to SpamCop. My server has 1 report, and the report was made today.

The server was blocked without any time to reply to the SpamCop mail.

My problem is that if another user does the same thing, I have to stay blocked for another 48 hrs.

...Wazoo was trying to lead you to what you can do to correct the problem. I would suggest you write to the SpamCop deputies (deputies <at> spamcop <dot> net) to explain the problem and perhaps s/he can explain what you should do.

You have blocked 200.155.11.195

http://www.spamcop.net/w3m?action=checkblo...=200.155.11.195

200.155.11.195 not listed in bl.spamcop.net

However;

http://www.senderbase.org/?searchBy=ipaddr...=200.155.11.195

Volume Statistics for this IP

                  Magnitude   Vol Change vs. Average
Last day            3.9            376%
Last 30 days        4.0            514%
Average             3.3

I think agnew is not the only one that reports spam to SpamCop. My server has 1 report, and the report was made today

The SpamCop formula for listing/de-listing doesn't work like this. Looking at the Senderbase data, those types of numbers usually represent a new server (not likely as Senderbase also shows "Date of first message seen from this address 2004-07-05") or a problem with either a compromised server or infected machine on your network.


Wazoo, I have a question.

Isn't the bottom line here that the spam still went through their server?

All they want to do is let the person who is sending it get blocked and leave their server alone, even though, if the source is blocked, it will still go through their server, which isn't blocked, and the sh** will still flow like diarrhea.

Is this just a crappy outlook or am I missing something?


No, you're right. This server does appear to be passing the wrong stuff. But I was just trying to focus on the alleged problem of one of the network's users reporting and the resultant output was being mis-directed. The commentary so often seen over in the newsgroups is that blocking these output servers isn't really the right thing to do for SpamCop .. theory being that a situation like this will get picked up by one of the other BLs, be it proxy or relay issues. That's the way I'm looking at it, anyway.

There's been a note dropped to Deputies for a heads up anyway, so hopefully, there'll be some kind of additional data provided from whatever they can see from the logs there. (Though fearing that all we might see is a "handled via e-mail" note)


Received: (qmail 11205 invoked from network); 25 Aug 2004 19:43:33 -0000

Received: from unknown (192.168.1.101) by blade1.cesmail.net with QMQP; 25 Aug 2004 19:43:33 -0000

Received: from waxbill.mail.pas.earthlink.net (207.217.120.41) by mailgate.cesmail.net with SMTP; 25 Aug 2004 19:43:32 -0000

Received: from [10.4.120.184] (helo=crow) by waxbill.mail.pas.earthlink.net with smtp (Exim 3.36 #1) id 1C03gC-00045a-00 for xxxx[at]spamcop.net; Wed, 25 Aug 2004 12:43:32 -0700

Received: from specialoffers.onvia.com ([66.250.53.37]) by crow (EarthLink SMTP Server) with SMTP id 1c03Gxxxxx3NZFlS0 for <xxxxx[at]uffdxxxx.com>; Wed, 25 Aug 2004 12:43:29 -0700 (PDT)

I will color code the headers so you can see how a chain should flow

You should be able to follow a direct hand-off between servers. You will notice a problem with the last hand-off in this message, but since it is an internal SpamCop hand-off it is taken care of.

Is there any way that your servers can acknowledge each other in a consistent way?

Check the way Earthlink hands off between servers.


This back from Ellen;

Hi - thanks I fixed this. Re the SB numbers -- they may have a spammer(s) or compromised machine(s) smarthosting thru 200.155.11.195. Every other ISP in the world seems to so I don't know why they would be immune to that.

If you want to post the above go ahead -- I won't be over to the forums til later tonite or early tomorrow. Thanks

Ellen

Please include all previous correspondence with replies

----- Original Message -----

From: "Wazoo"

To: "SpamCop, Deputies"

Sent: Wednesday, August 25, 2004 3:29 PM

Subject: 200.155.11.195 issues

> http://forum.spamcop.net/forums/index.php?showtopic=2464

> Just so you're not caught unaware .... just checked and this

> IP is NOT listed, but Senderbase shows probable issues (?)

Delivered-To: CLUSTERHOST bloco-02.gmail.comdominio.com.br agnew <at> supernet <dot> com <dot> br -> BLOCO-02 DELIVERING TO THE OTHER CLUSTER MACHINE

I believe this is your problem. There is no RFC-compliant Received: header inserted by bloco-02 saying it received the message from bloco-05.

The Delivered-To: would be inserted by bloco-05 saying where it put the message; that is not the way the SpamCop parser works. SpamCop can only implicitly trust the last server (because that would be the server of the reporter) and work the parse backward until it no longer can trust what it is being told.

0. You say you get your mail from A (A trusted implicitly)

1. Received from B by A (A says A got it from B, B trusted)

2. Received from C by B (B says B got it from C, C trusted)

3. Delivered to C (C does NOT say where it got the message from, no chain)

4. Received from E by D (D got it from E, ignored as forgery, trust can not be determined)

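The walk-back described in steps 0-4 above, and the EarthLink chain posted earlier in this thread, as an added example (this is not SpamCop's parser, nor anything from the thread's participants). It follows Received: headers from the reporter's own server outward, believes each hop only if the previous hop's "from" names the host that wrote the next header (hostname, IP or HELO name), and stops at the first hole. The "trusted relay" allow-list is an assumption about how the flag Ellen describes behaves; the hostnames in the second sample (mx-a, relay-b, cluster-c, cluster-d, dialup-e) are made up for the demonstration.

```python
import re
from dataclasses import dataclass, field

# One Received: value: "from <sender> (<parenthetical>) ... by <writer> ..."
HOP_RE = re.compile(
    r"^from\s+(?P<from>\S+)"             # claimed sender: hostname or [ip]
    r"(?:\s*\((?P<paren>[^)]*)\))?"      # optional "(helo=x)", "(ip)" or "([ip])"
    r".*?\bby\s+(?P<by>[\w.\-]+)",       # the host that actually wrote the header
    re.IGNORECASE | re.DOTALL,
)


@dataclass
class Hop:
    writer: str              # "by" host: the server that added this Received: line
    claimed_from: str        # "from" host it says handed the message over
    names: set = field(default_factory=set)  # every name/IP the next writer may use


def parse_hop(value):
    """Parse one Received: value; returns None for local hops without from/by."""
    m = HOP_RE.match(value.strip())
    if not m:
        return None          # e.g. "(qmail 11205 invoked from network); ..."
    names = set()
    for tok in [m["from"]] + re.split(r"[\s,]+", m["paren"] or ""):
        tok = tok.strip("[]").lower()
        if tok.startswith("helo="):
            tok = tok[5:]
        if tok and tok != "unknown":     # "unknown" names nobody, so never matches
            names.add(tok)
    return Hop(m["by"].lower(), m["from"].strip("[]").lower(), names)


def trace_source(received, reporter_hosts, trusted_relays=()):
    """Walk Received: values top-down (reporter's server first). Returns the
    host the parser would report and why it stopped where it did."""
    reporter_hosts = {h.lower() for h in reporter_hosts}
    trusted_relays = {h.lower() for h in trusted_relays}
    expected = set()      # names the next header's writer must use to be believed
    blamed = None         # last claimed sender we had a reason to believe
    trail = []
    for hop in filter(None, map(parse_hop, received)):
        if hop.writer in reporter_hosts:
            trail.append(f"{hop.writer}: reporter's own server, trusted implicitly")
        elif hop.writer in expected:
            trail.append(f"{hop.writer}: matches previous hop's 'from', trusted")
        elif expected & trusted_relays:
            # Assumption: the "valid relaying server" flag works like this
            # allow-list and lets the parser step over a host that wrote no header.
            relay = sorted(expected & trusted_relays)[0]
            trail.append(f"{hop.writer}: hole after flagged relay {relay}, continuing")
        else:
            trail.append(f"{hop.writer}: nobody said they handed to it, chain broken")
            return {"source": blamed, "status": "chain broken", "trail": trail}
        blamed, expected = hop.claimed_from, hop.names
    return {"source": blamed, "status": "chain complete", "trail": trail}


# Sample 1: the Received: values quoted in this thread (EarthLink -> SpamCop).
EARTHLINK = [
    "(qmail 11205 invoked from network); 25 Aug 2004 19:43:33 -0000",
    "from unknown (192.168.1.101) by blade1.cesmail.net with QMQP; 25 Aug 2004 19:43:33 -0000",
    "from waxbill.mail.pas.earthlink.net (207.217.120.41) by mailgate.cesmail.net with SMTP; 25 Aug 2004 19:43:32 -0000",
    "from [10.4.120.184] (helo=crow) by waxbill.mail.pas.earthlink.net with smtp (Exim 3.36 #1) id 1C03gC-00045a-00 for xxxx[at]spamcop.net; Wed, 25 Aug 2004 12:43:32 -0700",
    "from specialoffers.onvia.com ([66.250.53.37]) by crow (EarthLink SMTP Server) with SMTP id 1c03Gxxxxx3NZFlS0 for <xxxxx[at]uffdxxxx.com>; Wed, 25 Aug 2004 12:43:29 -0700 (PDT)",
]

# Sample 2 (constructed, made-up hostnames): the hole from steps 0-4. cluster-c
# hands to cluster-d without writing a Received: line, so D's header is orphaned.
BROKEN = [
    "from relay-b.example.net (192.0.2.2) by mx-a.example.net with SMTP; ...",
    "from cluster-c.example.net (192.0.2.3) by relay-b.example.net with SMTP; ...",
    "from dialup-e.example.org ([198.51.100.9]) by cluster-d.example.net with SMTP; ...",
]

if __name__ == "__main__":
    cases = [
        ("EarthLink chain", EARTHLINK, {"blade1.cesmail.net", "mailgate.cesmail.net"}, ()),
        ("broken cluster", BROKEN, {"mx-a.example.net"}, ()),
        ("broken cluster, relay flagged", BROKEN, {"mx-a.example.net"}, {"192.0.2.3"}),
    ]
    for label, hdrs, reporter, relays in cases:
        result = trace_source(hdrs, reporter, relays)
        print(f"{label}: {result['status']}, would report {result['source']}")
        for line in result["trail"]:
            print("   ", line)
```

On the EarthLink sample the parse reaches specialoffers.onvia.com because waxbill recorded the HELO name "crow" and the next header is written "by crow". On the constructed sample the parse stops at cluster-c, the ISP's own relay, which is exactly the host that ends up reported; flagging that relay lets the walk continue to the dial-up source.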
You've explained your setup well, you even admit seeing the problem, as you attempted to explain it again .... but you're missing the point.  The SpamCop parser is an automated tool to perform this analysis, and as such, doesn't make these judgment calls, or make decisions on things that might "look" OK to you, me, or anyone else.  The parser just tries to follow the flow of the spew from one server to the next .. and what I'm pointing out to you is that this "chain" is broken in your example.  Instead of each server reporting where it got the e-mail from, your sample shows that it came in here, ducked into a hole there, and popped out on the other side, and arrived in the user's InBox.  The SpamCop parser doesn't do "holes" .....

Tagging on here in the thread -- we've got this one solved.

Can "we" ask for something to help close out and explain the actual issue/solution? The whole day spent on this one, 3 pages worth of postings, and only a "solved" remark? One is left with the question as to whether this whole attempted support attempt was just spitting in the wind because the right question wasn't asked, or was the solution a magical flag set on one of the SpamCop engines?

Sure, I would be happy to tell you what I did if I could figure out the IP and remember what I did ... hrmmmmm. What I did was to set a flag to say that 200.155.11.195 was a valid relaying server, which forces the parser to continue. I guess I thought that was obvious when I answered your email; I guess it was only obvious to me.


OK, you got me <g> I was heading towards dropping a note that I hadn't seen e-mail from anybody there since .... then noticed that I had actually posted your response to this one ... sorry, there's been so many servers listed lately and I was obviously thinking of another Topic when I posted that last request for additional data .. apologies and thanks.

NP -- and you don't have to tell me about "so many servers" :-)
