Jump to content
Sign in to follow this  
ABoswell

Continuous IP block, SpamCop does not help.

Recommended Posts

SpamCop,

We have contacted you on numerous occasions about your system automatically blocking our IP 69.93.70.226, which is used by the anti-spam service www.0spam.com. This server is used to send verification messages (like mailer daemon) to thwart spammers from spamming our users. During the last year, spamcop has added this IP to their blocklist many times. This IP has never sent any spam nor will it ever as long as it is used for the 0spam.com network. What really makes this hard is that I am unable to see the messages that your users claim are spam that were sent from our server.

What does SpamCop recommend we do? Buy a new and separate IP block to send the verification messages? Or is there a IP whitelist feature of spamcop where they can add our IP?

Awaiting your advice.

PS: here is an interesting statistic about spamcop: around 3% to 4% of all email servers check the spamcop RBL before they accept a mail.

Regards

Allen B.

Network Admin.

0Spam.com

Edited by ABoswell

Share this post


Link to post
Share on other sites

G'day, mate!

We have contacted you on numerous occasions

How did you attempt those contacts? Did you post to the newsgroups, or did you perhaps send emails to a SpamCop administrative address, and if so, which one was it? (BTW, this is a "user supporting user" forum. There is basically one volunteer moderator, and a few SpamCop "deputies" who bop in to answer messages, but very little presence of the owners/administrators of SpamCop itself.)

about your system automatically blocking our IP 69.93.70.226, which is used by the anti-spam service 0spam.com.

Technically, SpamCop doesn't block anything or anyone. SpamCop maintains a DNS BL that lists IP addresses that have either been reported as sources of spam or that have been used to sent to "spamtrap" addresses. Other, third-party ISPs who are not affiliated with SpamCop must be using the SCBL as a blocking tool and are the ones blocking your messages.

This server is used to send verification messages (like mailer daemon) to thwart spammers from spamming our users.

Actually, you're sending "challenge" messages, aren't you? I think the common jargon for what you do is a "challenge/response" system.

In any case, I took a look at some of the "report history" for you IP address, and yes, what I saw was that SpamCop users are mistakenly reporting your challenge, and even your "welcome" messages as spam, which is probably why your IP keeps getting listed in the SCBL.

I think you need to work with the SC Deputies on this one. The one most likely to see this message here in the forum is Ellen, but you can try writing to:

deputies (at) admin.spamcop.net

to establish direct contact regarding this issue. They really out to work out some sort of whitelisting of your IP, assuming that's possible (and if it's not, then the SpamCop BL is really stupid, IMO).

Other answers here will be coming from mere users, such as myself, so take them with a grain of salt. :-)

DT

Share this post


Link to post
Share on other sites

Some additonal details, specific to the IP address you gave us:

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

DNS error: 69.93.70.226 is 226.69-93-70.reverse.theplanet.com but 226.69-93-70.reverse.theplanet.com has no DNS information

Listing History

In the past 246.3 days, it has been listed 6 times for a total of 13.8 days

Other hosts in this "neighborhood" with spam reports

69.93.70.98

Hmmmm....I wonder why your system would be sending to secret "spamtrap" addresses? If this is a normal C/R system, in order to hit a spamtrap, somone would have to spoof the spamtrap address in the "From" of their message sent to one of your users, causing a challenge to be sent to the spamtrap address. You'll be able to discuss this with a deputy.

There are some problems inherent with C/R systems, in that they can be used to abuse innocent third parties if your system responds to forged messages with challenges to people who never actually sent a message in the first place. I personally dislike them intensely, and never communicate with someone who is using a C/R setup on their email. In fact, it's been a very long time since I even received a challenge (and I've never reported one as spam), so I don't think that anyone I correspond with is using a C/R service.

Here's a link to previous forum discussions regarding C/R:

http://forum.spamcop.net/forums/index.php?...653entry12653

DT

Edited by DavidT

Share this post


Link to post
Share on other sites
PS: here is an interesting statistic about spamcop: around 3% to 4% of all email servers check the spamcop RBL before they accept a mail.

Regards

Allen B.

Network Admin.

0Spam.com

If I accept your quote as valid and make the assumption that 100% of them incorrectly block mail instead of filtering it as recommended by SpamCop, then what you are actually complaining about is that the portion of your mail that is handled by 3-4% of the email servers in the world is causing a small protion of your mail not be be delivered.

If you are using a mail server to fight spam as you claim, you should by all means be using a separate dedicated IP address for that server that has no other relationship to the rest of your valid email you are trying to send.

And if you insist on sending bounces after they have gone throught the "smtp conversation", they too should be directed through a separate IP address so that if they are hitting spamtraps (very likely with all the forgered reply addresses these days) it will only be that IP address that gets blocked

Please see Why are auto-responders (and delayed bounces) bad?

Share this post


Link to post
Share on other sites

One correspondence was from Ellen, deputies at admin.spamcop.net:

=======

Ah, OK this is challenge/response -- that is what I was not clear about and

now understand. If you continue to send C/R emails to the spamtraps then

there is always the possibility of the IPs listing/relisting.

Ellen

=======

Unfortunately our system is also automatic, and I can only assume that spammers forge these spamtrap addresses so that our system tries to verify them then gets blacklisted. I highly doubt they will whitelist our IP, since I bought up that issue in the E-mail to Ellen and she did nothing about it, but we can keep trying.

There are people reporting the welcome message as spam? That is sad.

We are reluctant to buy a new different IP block to send the verification messages, since many mail servers might reject the mails for a different reason: the domain "0spam.com" (in the From headers) would not match MX records, and I know that some servers use this matching to block spam.

Regards

Allen B.

0Spam.com

Share this post


Link to post
Share on other sites

As mentioned before, there are some old Topic/Disussions here that may fill in some of the blanks for you. Please try the search function .. "mailblocks" is one term that will bring up a number of posts covering both sides of the issue. "challenge / response" may bring up some others, but as this is usually abbreviated as C/R and this search engine doesn't do three letter functions ...

Basically, the bottom line is that the C/R system seems to be a wonderful item for the users behind that system .... to the rest of the world, it sucks. And with spammers doing everything to get the spew through, make anti-spam efforts look like failed technology, and in general, screw up anything that may be good for the rest of the planet, ... sorry ... and if it's of any value, SpamCop itself was a Challenge/Response system a number of years ago. This was dropped as it was a failure (again, see some of those previous discussions as to why)

As a matter of fact, if you take a look at the FAQ item "Why am I Blocked" .. you'll find that these C/R responses are one of the items involved, right up there with the stupid anti-virus notifications, out-of-office replies, etc.

Share this post


Link to post
Share on other sites
Unfortunately our system is also automatic, and I can only assume that spammers forge these spamtrap addresses so that our system tries to verify them then gets blacklisted.

The spammers are not trying to get /you/ listed. Spammers don't care who gets spam - they just send it out by the millions. Some people get 4 and 5 and 20 and 200 copies of the exact same spam. And they send it to all the addresses they can get their hands on which is why spamtraps work.

Unfortunately, spammers don't only forge spamtrap addresses in the return path that your system uses, they also forge other people's addresses. So when your system sends a message, some poor soul whose name was forged (or more probably thousands of poor souls) get a challenge message from you in addition to the spam sent directly to them.

Of course, they report them as spam. Your emails are unsolicited and not in response to any email they sent and because they are being sent by spammers, they generally come in bulk.

Miss Betsy

Share this post


Link to post
Share on other sites

IMHO:

www.0spam.com promotes the use of challenge response but it is not 0 spam for the rest of the web. In fact 0 spam is part of the problem. If I receive a challenge response from someone I don't know that IP goes into my personal blocklist. If I know tham I do not respond untill they email me from an unchallenged email.

Spamcop might recommend tagging instead of blocking but most admins will not do that beacause the spam still comes through the server takes time to process and still goes to everyones inboxes. Blocking is the most efficient way and responsible admins place an error message on the blocking to point the sender to where they can get info on why they were blocked.

Share this post


Link to post
Share on other sites
There are people reporting the welcome message as spam?  That is sad.

16376[/snapback]

Actually there are people in other forums complaining that they are missing real e-mail because of auto-responders like challenge response systems and misconfigured virus scanners have filled up their e-mail quota. That is what is really sad, when they can not delete the junk from the auto-responders fast enough on their dialup accounts.

A mailing list that I am on has had to block at least one challenge response system because it continues to respond in bulk to viruses.

We are reluctant to buy a new different IP block to send the verification messages, since many mail servers might reject the mails for a different reason: the domain "0spam.com" (in the From headers) would not match MX records, and I know that some servers use this matching to block spam.

16376[/snapback]

First spamcop.net does not list blocks, just the I.P. address, as do most DNSbls, so a new block of I.P. addresses would not be needed, except that the challenges to spamtraps would still cause them to get listed.

And spamcop.net is not the only DNSbl that uses spamtraps.

Second:

The mail servers that do that check are the ones that do strict rDNS checking. And all that means is that the mail server gives the same name at connect time as the rDNS for their address matches. The rDNS name does not have to have any relationship to the domain name on the e-mail, it just needs to be correct for the I.P. address.

Since it was reported that your rDNS information is incorrectly configured, many mail servers are probably rejecting your e-mail for that right now. It has been measured that 80% of spam has bad rDNS, and apparently it is an RFC requirement to have a correct rDNS.

And it is possible that many other spam filters are silently deleting your challenges because of the rDNS mis-match.

Now getting the rDNS correct is a very elementary part of running a mail server. Your statement about using a separate netblock indicates that you do not have an elementary understanding on how SMTP mail works.

Challenge repsonse systems that generate new e-mail messages for the challenges have proven to be a failed method, and there are a number of posters on usenet that have stated that the mail servers they control will not accept any e-mail from any thing that issues challenge responses to a forged address on their network.

Mailing lists are incompatable with Challenge Response systems, as the mailing list robot will not respond to the challenges when it tries to deliver administrative notices, and it is extremely annoying to get a challenge back from a post on a mailing list from some unknown person.

Other systems are also incompatable with Challenge Reponse Systems, as they may send e-mail from a different e-mail address than what the original person mailed to. Support e-mail addresses frequently operate that way, and there may not be an obvious connection. And those answering services may not answer challenges.

The only non-abusive way to issue a challenge is to use an SMTP 5xx reject code with an explanation text as to how to answer the challenge. That way if a real person is sending the e-mail, their own mail server will deliver the challenge.

Even if the sending mail server is poorly configured, the sender will realize that their mail did not get through.

Essentially mail server that use DNSbls to reject e-mail are challenge response systems, but unlike your system, only the sender of a real e-mail will ever see the reject message, so they are not abusive.

And usually that reject message is alerting them to a critical security problem with their mail server.

At the current reported spam rates, if you are issuing a challenge for every e-mail coming in, you are responding to about 3 forged addresses for every real one.

Postings by Steve Linford, and internationally recognized expert on spam control indicate that over 80% of spam can be rejected with out looking at the content before it even enters the mail server and almost all the remainder by checking the I.P. addresses that URLs in the e-mail resolve to against the same spam database, and issuing SMTP rejects.

This is a non-abusive and proven accurate method of separating spam from real e-mail, which is also lower cost to operate than a challenge response system.

-John

Personal Opinion Only

Share this post


Link to post
Share on other sites

Nice reply John!

I will add by saying last month in our area there was a little gathering of Admins/IT people and many of them stated they will not accept C/R mail.

Share this post


Link to post
Share on other sites

For what little it's worth: When I get a "challenge" from an unrecognized sender (perhaps generated in response to spam sent with one of my email addresses forged as the sender) which contains an advertisement for the challenge-response system, I report it as spam.

(Funny, all these C-R services seem to include an ad in their "challenge", turning spam backscatter into more spam!)

Edited by sommerfeld

Share this post


Link to post
Share on other sites
Funny, all these C-R services seem to include an ad in their "challenge", turning spam backscatter into more spam!

There's one who actually did much worse than that. Someone at the "spam Arrest" company decided it would be OK to send UCE to all the people who had ever sent email to any of their C/R service customers. Here's the message:

Subject: ADV: Enjoy a spam-free inbox

Date sent: Thu, 13 Feb 2003 02:17:09 -0800

You may remember recently sending an email to a spam Arrest customer,

and receiving a response asking you to visit our website and type in

a word that was shown to you in a picture.

It was pretty easy, wasn't it?

Did you know that that one simple step stops virtually all spam from

entering our customers' inboxes?

You too can enjoy the benefits of a spam-free inbox.

We are so confident you'll like our product, that we'd like to offer

you a 30-Day free trial. If you are un-satisfied for any reason, just

cancel your account before the end of the trial and you'll pay nothing.

Click here to visit our website and start your trial:

(url deleted)

spam Arrest

Take control of your inbox!

----------------------

You are receiving this email in response to an email you recently

sent to a spam Arrest customer.

If you do not wish to receive further promotional emails from

spam Arrest, please click the following link:

(url deleted)

They sent this to a LOT of people, and they got into a LOT of trouble for it. I immediately banned all spam Arrest users from the mailing lists that I was administering at the time.

DT

Edited by DavidT

Share this post


Link to post
Share on other sites

What I found even more interesting was the statement

bounces are generally a good thing...

in light of the MS discussion started in the lounge!

Share this post


Link to post
Share on other sites
Interesting side-note .... the FAQ at http://www.spamcop.net/fom-serve/cache/14.html was just updated today ... Rules are now that Challenge/Response traffic are NOT to be reported as spam.

17157[/snapback]

So now that C/R spam can't be reported as spam, even though it is automated and bulk, anyone know of a BL that handles reporting C/R systems?

Personally, I hate em, even though I had a potential client e-mail me from one. I think that if I'm responding to an e-mail he originated, I shouldn't have to deal with the C/R. Too bad, he'll never find out we can't provide what he wants. His mail system was added to my personal BL that I keep.

Share this post


Link to post
Share on other sites

Just a comment -- I use the 0spam service as well as SpamCop (say hi to Jeff for me), but I have the challenge / response mechanism turned off. Yes, that means that I end up having to whitelist people by hand, but it's quite painless after a week or two, and having it turned off doesn't cause the problems you've got now.

I think you should make it more apparent to your users that the C/R system has its enemies, and that they might be better off leaving it turned off. You should certainly encourage them to look on the 0spam site to see if there are any "pending" messages that they think are from people they know, and whitelist them.

If you could find out whose "verification" (C/R) messages are resulting in spam reports, you should definitely tell them to go the 0spam web site and manually whitelist their friends.

You might ask your ISP to let you see some of the spams that have been reported; they presumably have been receiving each message that SpamCop has been counting towards your "spammer-ness." I hope they understand that you are distinctly "white hat" in the spam battle and won't worry that they might be delivering info that could cause retaliation or whitelisting etc.

Good luck.

Share this post


Link to post
Share on other sites
So now that C/R spam can't be reported as spam, even though it is automated and bulk, anyone know of a BL that handles reporting C/R systems?

17194[/snapback]

cbl.abuseat.org

Share this post


Link to post
Share on other sites
<snip>

I think you should make it more apparent to your users that the C/R system has its enemies,

17196[/snapback]

...Done and done! If you do a Search on "Challenge" and "C/R" you'll see what I mean. :) <g>

and that they might be better off leaving it turned off.<snip>

17196[/snapback]

...From what I have read, SpamCop used to do C/R. It definitely does not any longer. Edited by turetzsr

Share this post


Link to post
Share on other sites
...Done and done!  If you do a Search on "Challenge" and "C/R" you'll see what I mean.  :) <g>

If you can get this search thingy to actually run with "C/R" for a keyword, I need to see what you're running and how you're using it <g>

Share this post


Link to post
Share on other sites
If you can get this search thingy to actually run with "C/R" for a keyword, I need to see what you're running and how you're using it <g>

17217[/snapback]

...Hmm: "C/R*" (without quotes) works but not "C/R" (with quotes).

Share this post


Link to post
Share on other sites
If you can get this search thingy to actually run with "C/R" for a keyword, I need to see what you're running and how you're using it

The "search thingy" on this Invision software if pretty frustrating. On the SpamCop "Help" page there's a Google site search form that will allow either a search of "www.spamcop.net" (SpamCop and FAQ) or "news.spamcop.net" (Old discussion archive) but NOT these Forums (that page needs updating!).

Here are some direct URLs for the customized Google searches:

1. Google Search Form offering searches of www.spamcop.net, news.spamcop.net,

or forum.spamcop.net (an improvement on the one on the Help page):

http://www.google.com/custom?domains=news....rum.spamcop.net

(note: it's similar to the one you get after executing a search from the Help page, but I've stripped away some of the unnecceary junk, such as the SpamCop logo)

2. Google Search Form that executes a search of just the Forums (although it's not obvious from looking at it):

http://www.google.com/custom?sitesearch=forum.spamcop.net

The "C/R" search search works there, with or without quotes. :-)

(Wazoo, perhaps there's a better place you can find for the links above...maybe in your FAQ, perhaps?)

DT

Edited by DavidT

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×