
Blacklisted... where are the header details?


jeffjustice


Perhaps the recipient's system added the X-* Header Lines.

Also, why did that email appear to languish on smtp1.resultsmail.com for 8 hours, 30 minutes, and 17 seconds? Is its clock that slow? It's also possible that the clock on smtp2.dnd.ca is half an hour fast or that the clock on clover.marlant.hlfx.dnd.ca is half an hour slow.


I looked at your headers, started the head scratching. Who are the players involved here? I know, all you see is the headers, but that's all I'm looking at. I had the same question going on in my head that the SpamCop parser has with it, as it turns out. We must assume that Line 0 is from the spam recipient's location. How is the data in Line 2 (or worse, the data in line 1) below actually getting generated? Lines 0 and 1 look OK, but Line 2 is very troubling ... either it really is a local user or you have someone tapped directly into your server (from appearances [non-routable IP address, TimeZone differences, lack of a FQDN in the message-ID string]) ... I don't see how any other results could be gleaned from your sample. (Unless you are trying to describe a massive forgery and that the server at Line 0 is wide-open to abuse? Spamtrap hits make that appear unlikely though.)

Parsing header:

0: Received: from smtp2.dnd.ca (gps11.ndhq.dnd.ca [131.137.250.218]) by clover.marlant.hlfx.dnd.ca (8.11.2/8.11.2) with SMTP id iB91mX411459 for <x>; Wed, 8 Dec 2004 21:48:34 -0400

Hostname verified: gps11.ndhq.dnd.ca

dnd.ca received mail from dnd.ca ( 131.137.250.218 )

1: Received: from smtp1.resultsmail.com (smtp1.resultsmail.com [67.43.151.116]) by smtp2.dnd.ca with ESMTP id iB92IMD25277 for <x>; Wed, 8 Dec 2004 21:18:23 -0500 (EST)

Hostname verified: smtp1.resultsmail.com

dnd.ca received mail from sending system 67.43.151.116

2: Received: from nathan [10.1.2.101] by smtp1.resultsmail.com with ESMTP (SMTPD32-8.13) id AE56119C00B2; Wed, 08 Dec 2004 09:48:06 -0800

Internal handoff or trivial forgery

I don't recall if you mentioned your system details (too many windows opened up right now to try to trace back) ... if an Exchange server, multiple FAQ entries .. if a *NIX server, php-Nuke could be a starter search-phrase ...???? Or do you in fact have a machine sitting at 10.1.2.101 that's compromised beyond belief?

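The timing questions raised in the two posts above (the 8 hours, 30 minutes, 17 seconds on smtp1.resultsmail.com, a possible half-hour clock offset at dnd.ca, and the non-routable 10.1.2.101 hop) can be checked mechanically from the three Received lines. This is an added example, not part of any poster's message; the function names and the 30-minute `slow` threshold are assumptions chosen for illustration.

```python
import ipaddress
import re
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# The three Received lines quoted in the post above, newest hop first
# (header name stripped, recipient already munged to <x> by the poster).
RECEIVED = [
    "from smtp2.dnd.ca (gps11.ndhq.dnd.ca [131.137.250.218]) by "
    "clover.marlant.hlfx.dnd.ca (8.11.2/8.11.2) with SMTP id iB91mX411459 "
    "for <x>; Wed, 8 Dec 2004 21:48:34 -0400",
    "from smtp1.resultsmail.com (smtp1.resultsmail.com [67.43.151.116]) by "
    "smtp2.dnd.ca with ESMTP id iB92IMD25277 for <x>; "
    "Wed, 8 Dec 2004 21:18:23 -0500 (EST)",
    "from nathan [10.1.2.101] by smtp1.resultsmail.com with ESMTP "
    "(SMTPD32-8.13) id AE56119C00B2; Wed, 08 Dec 2004 09:48:06 -0800",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")


def parse_hop(line):
    """Split one Received value into receiving host, peer IP and UTC time."""
    info, _, stamp = line.rpartition(";")  # the timestamp follows the last ';'
    ip_match = IP_RE.search(info)
    by_match = BY_RE.search(info)
    peer = ipaddress.ip_address(ip_match.group(1)) if ip_match else None
    when = parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)
    return {
        "by": by_match.group(1) if by_match else None,
        "peer_ip": peer,
        # RFC 1918 and similar peers cannot be verified from outside the
        # sender's network: "internal handoff or trivial forgery".
        "private_peer": bool(peer and peer.is_private),
        "utc": when,
    }


def analyse(lines, slow=timedelta(minutes=30)):
    """Return (hops oldest-first, findings between consecutive hops).

    `slow` is an assumed threshold for calling a transit time a delay.
    A negative transit time means the two hosts' clocks disagree.
    """
    hops = [parse_hop(line) for line in reversed(lines)]
    findings = []
    for prev, cur in zip(hops, hops[1:]):
        delta = cur["utc"] - prev["utc"]
        if delta < timedelta(0):
            note = "clock skew"
        elif delta > slow:
            note = "delay"
        else:
            note = "ok"
        findings.append((prev["by"], cur["by"], delta, note))
    return hops, findings


if __name__ == "__main__":
    hops, findings = analyse(RECEIVED)
    for hop in hops:
        flag = " (non-routable peer)" if hop["private_peer"] else ""
        print(f"{hop['utc']:%Y-%m-%d %H:%M:%S} UTC  by {hop['by']}"
              f"  from {hop['peer_ip']}{flag}")
    for src, dst, delta, note in findings:
        print(f"{src} -> {dst}: {delta.total_seconds():+.0f} s  [{note}]")
```

Normalising every timestamp to UTC first matters here: the three hops stamp in -0800, -0500 and -0400, and the final hop comes out earlier than the one before it, which points at clock disagreement inside dnd.ca rather than at the sender.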

Been in touch with deputies. That didn't end up leading anywhere other than them supplying me with small snippets of headers. I thought we had made some progress after one round they provided me full headers but then it just went back to limited detail which was not helpful at all (just telling me the subjects of offending messages).

I can understand your frustrations but the amount of data they can provide is dependent on the type of report it came from. If the report is a spamtrap, they will do NOTHING to jeopardize that account. It probably also depends upon your tone when the request is made, they are only human after all.

My hosting provider is forwarding some complaints. The majority of the ones forwarded to me have been scored false positives via SpamAssassin.

Here's a sample of the issue we are having with SpamAssassin scores

This is where I get lost. The message you are describing does not have any spamassassin headers within it so it does not appear to have passed through a spamassassin test on delivery. Also, spamassassin can not determine whether this message was requested or not, only a human can do that. What does some arbitrary set of spamassassin ratings have to do with anything? If I received that message it would be spam because I never requested it.


2: Received: from nathan [10.1.2.101] by smtp1.resultsmail.com with ESMTP (SMTPD32-8.13) id AE56119C00B2; Wed, 08 Dec 2004 09:48:06 -0800

Internal handoff or trivial forgery

Internal handoff. System is not compromised.

Also, spamassassin can not determine whether this message was requested or not, only a human can do that. What does some arbitrary set of spamassassin ratings have to do with anything?

SpamAssassin can be configured to automatically submit reports to SpamCop. So if the message rates higher than a 5.0 it can get reported.

http://www.spamcop.net/fom-serve/cache/331.html

If I received that message it would be spam because I never requested it.

Agreed, that is the definition of spam after all. :)


Looks like you are listed again!

You should rephrase about being totally white hat!

67.43.151.116 listed in bl.spamcop.net (127.0.0.2)

In the past 50.9 days, it has been listed 17 times for a total of 16.0 days

I call that pretty spammy.


Actually Merlyn the reality is that since we've changed our IP address in November we receive one report on average per day on a "high" volume day. We send on average 100,000 opt-in emails on behalf of our customers on a daily basis.

1 SpamCop report per 100,000 messages sent is spammy? (I have confirmed we get listed after 1 report by the way as I get the summary details every 24 hours with the box scores)

The reality of the email/spam landscape right now is that people would rather complain than click an unsubscribe link. After researching some complaints we've received recently we have found that in some instances the recipient who has complained has been on our customer's list for over a year. Why all of a sudden are they complaining when I can prove they opened, read, and clicked on links within prior emails for the past year?

Combine this recipient behavior with false positives on SpamAssassin, which is now automatically reporting to SpamCop, with a couple of our customers who have indeed sent to traps (and for those we received details on from the deputies we have immediately suspended their accounts) and you can get the totals you see.

I think you are forgetting that we have operated for over 2 years. It has only been recently (since changing IP blocks and SpamAssassin has been updated in October I believe) that we have been consistently on the block list. If you look at similar services to ours you will see similar track records for the same period of time (the exception being Constant Contact who is a Bonded Sender reseller... though their IPs are not bonded per senderbase)

Keep in mind our prior IP (same customers, same lists, same volume) was blocked about 15 days out of a full year last year. Those 15 days were pretty much attributed to customers of ours who we found to be in violation of our terms of services and we terminated their accounts. You can't see the stats on that anymore as we've moved off the IP and SpamCop doesn't provide details like that for the old IP.


Internal handoff.  System is not compromised.

The point I was trying to make is that with one IP / server being that of the recipient, the other being from a non-routable address, that only leaves one IP address to point at for a complaint. As far as the compromised scenario ... are you the sole user of that IP address? Is there an explanation other than compromise for the SenderBase numbers? Again, no accusations, just pointing at another indicator that 'something' is going on. These kinds of increases and spamtrap hits have generally been a result of "uninvited access" .. again, just historical fact.

http://www.senderbase.org/?searchBy=ipaddr...g=67.43.151.116

Volume Statistics for this IP

              Magnitude   Vol Change vs. Average
Last day      4.9         609%
Last 30 days  4.7         427%
Average       4.0

SpamAssassin can be configured to automatically submit reports to SpamCop.  So if the message rates higher than a 5.0 it can get reported.

I can kick a note up, you can kick something also <g> ... but in all honesty, the spamtrap hits don't help your case. As I pointed out earlier, this SpamAssassin thing is 'new' and I've no doubt Julian will be interested in this situation, but .... suspecting that in his busy, busy state, that first glance at statistics and history for this IP may not get too much more than that .. not speaking for him at all ....


Actually Merlyn the reality is that since we've changed our IP address in November we receive one report on average per day on a "high" volume day.  We send on average 100,000 opt-in emails on behalf of our customers on a daily basis.

SenderBase agrees with the date;

Date of first message seen from this address 2004-11-06

1 SpamCop report per 100,000 messages sent is spammy? (I have confirmed we get listed after 1 report by the way as I get the summary details every 24 hours with the box scores)

Again, the problem is a bit more than the "one report" .... Showing right now, both spamtrap hits and reports are indicated. The mathematical model heavily weights the spamtrap hits, which is about the only way to balance your one report for 100,000 e-mails a day. Note that the basis for the formula is based on traffic "seen" so there is no doubt that it's only a portion of that traffic counted (for what used to be a 2% threshold level) http://www.spamcop.net/fom-serve/cache/297.html But that's also offset by the like proportion of recipients that "just hit delete" of report/complaints by other than the SpamCop parser.

The reality of the email/spam landscape right now is that people would rather complain than click an unsubscribe link.  After researching some complaints we've received recently we have found that in some instances the recipient who has complained has been on our customer's list for over a year.  Why all of a sudden are they complaining when I can prove they opened, read, and clicked on links within prior emails for the past year?

An alternate view of that is the e-mail address has changed hands ... or you have a user that finally has had enough and has gone over the edge. The unsubscribe link situation has been totally destroyed by spammers. Sorry.

Combine this recipient behavior with false positives on SpamAssassin, which is now automatically reporting to SpamCop, with a couple of our customers who have indeed sent to traps (and for those we received details on from the deputies we have immediately suspended their accounts) and you can get the totals you see.

I'm not sure that the auto-reporting by SpamAssassin is causing as much damage as you're suggesting .. then again, I'm referencing another Topic I'd pointed out earlier, and yes, time has gone by, and I don't know what Julian's been up to. I do not believe that he would point these SpamAssassin reports as spamtrap hits, rather just handled as yet another user complaint ... and that would be under the "less than 10 reports" data item. And again, bounced against your 100,000 e-mails a day, this doesn't appear to be the main problem.

I think you are forgetting that we have operated for over 2 years.  It has only been recently (since changing IP blocks and SpamAssassin has been updated in October I believe) that we have been consistently on the block list.  If you look at similar services to ours you will see similar track records for the same period of time (the exception being Constant Contact who is a Bonded Sender reseller... though their IPs are not bonded per senderbase)

No idea of the merit of this observation. I don't know what a Bonded Sender reseller offers either <g>

Keep in mind our prior IP (same customers, same lists, same volume) was blocked about 15 days out of a full year last year.  <snip> You can't see the stats on that anymore as we've moved off the IP and SpamCop doesn't provide details like that for the old IP.

Agreed that there's not much value in trying to snake up old stats .. the issue is today's situation. The quick look at 'sightings' shows complaints about e-mail that originated from the same place .... from nathan [10.1.2.101] .. those unwanted e-mails may account for the "less than 10" user complaints .... the spamtrap hits, you know the story there .. nothing I can offer to help other than all the above and previous words ... there's something going on ... bad bounces, (anti-)virus, hacked, compromised, or you've got a dirty list in use somewhere/by someone using this server


I see lots of examples of people showing header details to help track down spam and cut it off.

One of our IP addresses is listed but I can't find any of the header info for the people who have submitted reports (which makes it hard to track down a culprit and also make sure the recipient isn't contacted again).  There have been 4 total (3 users and 1 mole) based on the daily summary report I receive.

I have tried using the "find report" and "close issues" features within my account but no further details are ever displayed.

What am I missing?

Thanks in advance.

Jeff


Jumping into this late, but I have scanned through most of the posts to date.

Quite simply, we are out of necessity very protective of the data we have on file. We don't supply information to just anyone and have to make sure it falls only into the hands of someone in a position to make all the spam stop.

The trouble I have is in your statement, "make sure the recipient isn't contacted again", which to me equates to list washing.

SpamCop does not and will not support list washing as this only solves our users' problem, not the overall problem of unsolicited mail coming from a server. We're in this for the long haul, trying to make email a better place for everyone, not just the minority who use our service.

Specific to 67.43.151.116, the mail hitting our traps all have "Ziba Music" in the subject line, so I suspect that is your customer with the dirty list (as far as spamtraps go).

I also see recently reported mail from SunTrust, a realtor and a travel agency, as well as something from "publisher[at]forbes.com" <info[at]life2where.com>, which to me looks downright deceitful.

As I mentioned, we have to have trust that reports are being used for the right reasons, not to simply aid a customer to "stay out of trouble". While you state you have cancelled a few spammer accounts, I'm not convinced that would be the case for problem customers.

Richard


Specific to 67.43.151.116, the mail hitting our traps all have "Ziba Music" in the subject line, so I suspect that is your customer with the dirty list (as far as spamtraps go).


Three similar emails have hit NANAS recently. Per http://groups-beta.google.com/groups?q=%22...afe=off&num=10& their headers (as munged but vertically compressed to avoid headaches) are as follows:

From zibamu...[at]bounce.resultsmail.com Wed Dec 22 17:40:06 2004
Return-Path: {zibamu...[at]bounce.resultsmail.com>
Received: from localhost (r...[at]localhost [127.0.0.1])
        by jupiter.$munged$.demon.co.uk (8.12.9-20030917|8.12.9) with ESMTP id iBMHe4Kc009914;
        Wed, 22 Dec 2004 17:40:06 GMT
Received: from pop3.demon.co.uk
        by localhost with POP3 (fetchmail-6.2.1)
        for l.f-em...[at]localhost (by default); Wed, 22 Dec 2004 17:40:06 +0000 (GMT)
Received: from punt-3.mail.demon.net by mailstore
        for "repo..."$munged$[at]$munged$.demon.co.uk id 1ChAF4-0004Zw-9B;
        Wed, 22 Dec 2004 17:25:42 +0000
Received: from [194.217.242.71] (helo=anchor-hub.mail.demon.net)
        by punt-3.mail.demon.net with esmtp id 1ChAF4-0004Zw-9B
        for $munged$[at]$munged$.demon.co.uk; Wed, 22 Dec 2004 17:25:42 +0000
Received: from [67.43.151.116] (helo=smtp1.resultsmail.com)
        by anchor-hub.mail.demon.net with esmtp id 1ChAF4-00007j-66
        for $munged$[at]$munged$.demon.co.uk; Wed, 22 Dec 2004 17:25:42 +0000
Received: from nathan [10.1.2.101] by smtp1.resultsmail.com with ESMTP
        (SMTPD32-8.13) id AE6EEC60090; Wed, 22 Dec 2004 09:27:10 -0800
Message-ID: {13788561.1103736430421.JavaMail.SYSTEM[at]nathan>
Date: Wed, 22 Dec 2004 09:27:10 -0800 (PST)
From: Ziba Music Online {...[at]zibamusic.com>
Subject: Ziba Music Presents: New Years Eve 2004 & SASA 2005
Mime-Version: 1.0
Content-Type: multipart|alternative;
        boundary="----=_Part_375550_24235918.1103736430390"
X-mTrak-mID: 3b3f8e2e-c487-4ac0-9021-77b5fab5a94f
X-mTrak-cID: 10d74f78-8b04-4667-ae6f-f0336f908023
X-SpamType: Escaped HTML
X-Domains:
To: $munged$

From zibamu...[at]bounce.resultsmail.com Fri Dec 17 02:55:10 2004
Return-Path: {zibamu...[at]bounce.resultsmail.com>
Received: from localhost (r...[at]localhost [127.0.0.1])
        by jupiter.$munged$.demon.co.uk (8.12.9-20030917|8.12.9) with ESMTP id iBH2t4Kf005558;
        Fri, 17 Dec 2004 02:55:10 GMT
Received: from pop3.demon.co.uk
        by localhost with POP3 (fetchmail-6.2.1)
        for l.f-em...[at]localhost (by default); Fri, 17 Dec 2004 02:55:10 +0000 (GMT)
Received: from punt-3.mail.demon.net by mailstore
        for "repo..."$munged$[at]$munged$.demon.co.uk id 1Cf8DH-0007kj-Q7;
        Fri, 17 Dec 2004 02:51:27 +0000
Received: from [194.217.242.210] (helo=lon1-hub.mail.demon.net)
        by punt-3.mail.demon.net with esmtp id 1Cf8DH-0007kj-Q7
        for $munged$[at]$munged$.demon.co.uk; Fri, 17 Dec 2004 02:51:27 +0000
Received: from [67.43.151.116] (helo=smtp1.resultsmail.com)
        by lon1-hub.mail.demon.net with esmtp id 1Cf8DG-00001h-ER
        for $munged$[at]$munged$.demon.co.uk; Fri, 17 Dec 2004 02:51:27 +0000
Received: from nathan [10.1.2.101] by smtp1.resultsmail.com with ESMTP
        (SMTPD32-8.13) id A9F945D0084; Thu, 16 Dec 2004 18:52:41 -0800
Message-ID: {19531853.1103251965359.JavaMail.SYSTEM[at]nathan>
Date: Thu, 16 Dec 2004 18:52:45 -0800 (PST)
From: Ziba Music Online {...[at]zibamusic.com>
Subject: Ziba Music Presents: New Years Eve 2004 & SASA 2005
Mime-Version: 1.0
Content-Type: multipart|alternative;
        boundary="----=_Part_76373_32399906.1103251965312"
X-mTrak-mID: e0a1bd10-64ba-450f-a792-3d017c122ee0
X-mTrak-cID: 10d74f78-8b04-4667-ae6f-f0336f908023
X-SpamType: Escaped HTML
X-Domains:
To: $munged$

From zibamu...[at]bounce.resultsmail.com Thu Dec 9 17:25:08 2004
Return-Path: {zibamu...[at]bounce.resultsmail.com>
Received: from localhost (r...[at]localhost [127.0.0.1])
        by jupiter.$munged$.demon.co.uk (8.12.9-20030917|8.12.9) with ESMTP id iB9HP5Kd031468;
        Thu, 9 Dec 2004 17:25:08 GMT
Received: from pop3.demon.co.uk
        by localhost with POP3 (fetchmail-6.2.1)
        for l.f-em...[at]localhost (by default); Thu, 09 Dec 2004 17:25:08 +0000 (GMT)
Received: from punt-3.mail.demon.net by mailstore
        for "do-not-use-this-addre..."$munged$[at]$munged$.demon.co.uk id 1CcRxf-0006gi-QC;
        Thu, 09 Dec 2004 17:20:15 +0000
Received: from [194.217.242.72] (helo=anchor-hub.mail.demon.net)
        by punt-3.mail.demon.net with esmtp id 1CcRxf-0006gi-QC
        for $munged$[at]$munged$.demon.co.uk; Thu, 09 Dec 2004 17:20:15 +0000
Received: from [67.43.151.116] (helo=smtp1.resultsmail.com)
        by anchor-hub.mail.demon.net with esmtp id 1CcRxe-00021h-EM
        for $munged$[at]$munged$.demon.co.uk; Thu, 09 Dec 2004 17:20:15 +0000
Received: from nathan [10.1.2.101] by smtp1.resultsmail.com with ESMTP
        (SMTPD32-8.13) id A9672E30096; Thu, 09 Dec 2004 09:20:39 -0800
Message-ID: {22184551.1102612845843.JavaMail.SYSTEM[at]nathan>
Date: Thu, 9 Dec 2004 09:20:45 -0800 (PST)
From: Ziba Music Online {...[at]zibamusic.com>
Subject: Ziba Music Presents: New Years Eve 2004
Mime-Version: 1.0
Content-Type: multipart|alternative;
        boundary="----=_Part_1411282_30782674.1102612845828"
X-mTrak-mID: c3a49923-9d2e-4a03-ba5d-4cdeae7c5ad2
X-mTrak-cID: d3f2d36d-3566-4865-9346-6c0e79b668be
X-SpamType: Work-at-home|general spam Escaped HTML
X-Domains:
To: $munged$

The emails appear to be promoting a New Years Eve shindig in Los Angeles, California, USA to a Demon Internet customer in the UK (presumably England), and pushing the URL http://www.conceptk.net/nye/ on sky.tonservers.com [208.179.66.189] hanging off AboveNet in Los Angeles. SpamCop reports would go to abuse at loudpacket.com, abuse at pajo.com, and possibly interested third party abuse at staminus.net. Note the strong correlation between the poster's email address and the destination of the last email, both of which contain "do-not-use-this-addre" and ".demon.co.uk", possibly indicating that the spammer is scraping addresses from Usenet, specifically NANAS. Also, please note that you would have arrived with much more credibility if you had previously registered with abuse.net and if Mr. Darrow had used his 2405 N. Eastwood Ave. address rather than his PO Box 11193 address in his domain registrations.

Here is another one from yesterday not reported through Spamcop.

http://groups-beta.google.com/group/news.a...e659cceb77caa68

BTW: Listwashing a dirty list will not help you. The only thing that works is removing spammers.

Are they using their list or yours?

It probably doesn't matter because it's for a New Years eve party and you already received your spammer money and sent the email to persons who never asked for it.


Richard,

Thank you for making it clear that Ziba Music has sent to spam traps. Their account has been suspended immediately as this is a direct violation of our terms of service.

Would it be possible for you to notify ResultsMail when one of our customers hits a spam trap? The data we would need is confirmation they hit a trap, date and time of message, and subject line. Spam trap cases are clear cut violations of our terms. Other complaints must reach a certain volume threshold per customer.

Certainly you have some similar arrangement with our well known competitors such as Constant Contact. I have not seen their IP block listed in the bl when I've spot checked them and they do significantly more volume than we do.

Thanks for your help.

Jeff

ps. SunTrust was cancelled as well as it was fraudulent email. The forbes issue looks deceitful but it turns out the sender is a forbes partner and they misconfigured their account before sending. We have several realtors as customers, etc.


BTW: Listwashing a dirty list will not help you.  The only thing that works is removing spammers.

We remove customers who violate our terms of service provided proper proof.

Are they using their list or yours?

We do not rent, sell, or otherwise provide email lists to our customers. Each customer is required to bring their own list to use our service. This list must meet the criteria laid out in our terms of service and permission policy. Specifically the recipients on the list must provide affirmative consent that they wish to receive messages or have a prior business relationship with the sender.

Jeff


I kicked the note last night asking for Deputy help here. RW answered the call and my specific questions (noting that Don also stopped by). I was then stuck in trying to determine how much stuff to either pass on, post, or just hint at .. then saw that he'd posted some of the data himself (whew!) So I do have to suggest that perhaps your previous experience with Deputy assistance may have had something to do with the questions asked or how they were posed ...????

The request for spamtrap notifications kind of goes against the (SpamCop) definition of a spamtrap. The folks I deal with are not the type to handle things as you've now alleged twice with your competitor. And as this list of folks referenced is the owner, core, and staff ...????

Anyway ... you're welcome <g>


I left out about 4 that list everyone but......

It is also in the following:

INTERSIL lists...spammers...who have pestered users at Intersil: blackholes.intersil.net -> roving.com.spam.blackholes.intersil.net. -> 127.0.0.2

roving.com.spam.blackholes.intersil.net.

2002Oct30; 204.167.97.64/29 genuity

2003Jan02; 63.251.135.96/27 pnap.net

Roving Software Inc./Constant Contact

idiots actually spammed blockme[at]relays.osirusoft.com

2002Jan13; 208.198.98/27 uunet

2002Jan13; 63.251.135.64/27 pnap

WYTNIJTO the biggest Polish database - spam.throw-away.this: spam.wytnij.to -> 127.0.0.1

SPAMBAG Spambags: blacklist.spambag.org -> pnap.blacklist.spambag.org. -> 127.0.0.2

pnap.blacklist.spambag.org.

Blocked - see http://www.spambag.org/cgi-bin/spambag?mailfrom=pnap

SNARK Lists IPs for various spam-related reasons: rbl.snark.net -> 127.0.0.7

Relayed spam to honeypot address, 2 attempts

JAMDSBL local bl at JAMMConsulting.com: dnsbl.jammconsulting.com -> 127.0.0.2

AHBL The Abusive Hosts Blocking List: dnsbl.ahbl.org -> 127.0.0.4

1067181843 (Sun Oct 26 16:24:03 2003) bruns - spam Source - 63.251.135.0/24 - roving.com

CSMA McFadden Associates, IPs of mailservers that send spam twice in a short timefram: bl.csma.biz -> 127.0.0.2

http://bl.csma.biz/cgi-bin/listing.cgi?ip=63.251.135.74

CSMA-SBL McFadden Associates, IPs of mailservers that send spam once in a short timefram: sbl.csma.biz -> 127.0.0.2

http://bl.csma.biz/cgi-bin/listing.cgi?ip=63.251.135.74

KROPKAALL Quite aggressive database, maintained by a few private persons: all.rbl.kropka.net -> 127.0.0.1

KROPKAIP kropka ip: ip.rbl.kropka.net -> 127.0.0.1

SORBS spam and Open Relay Blocking System: Aggregate zone: dnsbl.sorbs.net -> 127.0.0.6

spam Received See: http://www.dnsbl.sorbs.net/lookup.shtml?63.251.135.74

SORBSSPAM List of hosts that have been noted as sending spam/UCE/UBE to the admins of SORBS. : spam.dnsbl.sorbs.net -> 127.0.0.6

spam Received See: http://www.dnsbl.sorbs.net/lookup.shtml?63.251.135.74

SORBSSPEWS-L1 spam Prevention Early Warning System - Level 1 Mirror: l1.spews.dnsbl.sorbs.net -> 127.0.0.2

! [1] roving/constantcontact, see http://spews.org/ask.cgi?S1641

SORBSSPEWS-L2 spam Prevention Early Warning System - Level 2 Mirror: l2.spews.dnsbl.sorbs.net -> 127.0.0.2

! [1] roving/constantcontact, see http://spews.org/ask.cgi?S1641

DNSBLAUT1 Reynolds Technology Type 1: t1.dnsbl.net.au -> 127.0.0.2

63.251.135.74 See http://dnsbl.ahbl.org/ and http://dnsbl.net.au/lookup/?ip=63.251.135.74

PLEASE SEE http://www.dnsbl.net.au/lookup/?63.251.135.74

see http://dnsbl.net.au/rmst/ and http://dnsbl.net.au/lookup/?63.251.135.74

DNSBLAURMST dnsbl.net.au Multiple spam Traps: rmst.dnsbl.net.au -> 127.0.0.2

see http://dnsbl.net.au/rmst/ and http://dnsbl.net.au/lookup/?63.251.135.74

[removal]

DNSBLAUSPEWS spam Prevention Early Warning System: spews.dnsbl.net.au -> 127.0.0.2

63.251.135.74 See http://spews.org/ and http://www.dnsbl.net.au/spews/

DRBL-VOTE-SANDY Distributed RBL node: sandy.ru: vote.drbl.sandy.ru -> 127.0.0.2

roving.com

DRBL-WORK-SANDY Distributed RBL node: sandy.ru: work.drbl.sandy.ru -> 127.0.0.2

zaraza:roving.com

DRBL-VOTE-GREMLIN Distributed RBL node: gremlin.ru: vote.drbl.gremlin.ru -> 127.0.0.2

spam source

DRBL-WORK-GREMLIN Distributed RBL node: gremlin.ru: work.drbl.gremlin.ru -> 127.0.0.2

vote.drbl.gremlin.ru[at]ns.gremlin.ru:spam source

BUSSPEWS spam Prevention Early Warning System: spews.blackholes.us -> 127.1.0.1

[1] roving/constantcontact, see http://spews.org/ask.cgi?S1641


Looks like Roving/constant contact has lots of blocks in SPEWS:

roving/constantcontact

|--------------------

1, 208.198.98.3, Roving Software / mail.constantcontact.com

1, 208.198.98.0 - 208.198.98.31, Roving Software / mail.constantcontact.com (UUNet)

1, 208.252.55.64 - 208.252.55.95, Roving Software / mail.constantcontact.com

1, 63.251.135.75, Roving Software / mailface.roving.com

1, 63.251.135.84, Roving Software / rs6.net

1, 63.251.135.71, Roving Software / constantcontact.com

1, 63.251.135.74, Roving Software / ccm01.roving.com

1, 63.251.135.115, Roving Software / ccm09.roving.com

1, 63.251.135.70, Roving Software / ccprod.roving.com

1, 63.251.135.64/27, Roving Software / constantcontact.com (InterNAP)

1, 63.251.135.96/27, Roving Software / constantcontact.com (InterNAP)

1, 63.251.135.0/24, InterNAP (Roving Software / constantcontact.com)

1, 63.251.133.0 - 63.251.137.255, InterNAP (Roving Software / constantcontact.com)

1, 64.95.77.160/28, Roving Software / constantcontact.com (InterNAP)

1, 66.151.184.32/27, Roving Software / constantcontact.com (InterNAP)

2, 66.151.184.0/24, InterNAP (Roving Software / constantcontact.com)

1, 204.167.97.64 - 204.167.97.71, Roving Software (genuity.net)

---------------------|

Spammers for hire.


Exactly my point Merlyn. They have the same business model we do and as far as I know we are more vigilant about cancelling customers than they are. We have far fewer complaints on abuse at google and to my knowledge we don't show up on spews.

So my question is how is it that Constant Contact remains off of the spamcop.net black list?

The only difference that I am aware of between Constant Contact and ourselves is they are Bonded Sender reseller partners.


I kicked the note last night asking for Deputy help here.  RW answered the call and my specific questions (noting that Don also stopped by).  I was then stuck in trying to determine how much stuff to either pass on, post, or just hint at .. then saw that he'd posted some of the data himself (whew!)  So I do have to suggest that perhaps your previous experience with Deputy assistance may have had something to do with the questions asked or how they were posed ...????

The request for spamtrap notifications kind of goes against the (SpamCop) definition of a spamtrap.  The folks I deal with are not the type to handle things as you've now alleged twice with your competitor.  And as this list of folks referenced is the owner, core, and staff ...????

Anyway ... you're welcome <g>


Wazoo, thanks for your help. I really do appreciate it. I don't expect all the kinks to be worked out immediately. This is a complex and difficult problem. I don't envy those who labor on the SpamAssassin code. They have a huge task and it remains a daily challenge for them to stay ahead of the spammers.

I also don't envy the deputies here.

It makes sense that if our system has sent to spam traps that our scores are weighted differently. This in turn must be why a single report in a 24 hour period gets us on the block list.

If we can not receive at least some notice of which customer of ours hits a spam trap then there really is no way for us to police our own system. If this is the case it is a pretty big disappointment.

To be clear, I personally don't mind if our IP is listed on the block list. If mail is sent that is unwanted it should be stopped, period. Mail admins that use SpamCop's list know what they are doing and the "consequences" involved.

What I do mind is a customer of ours violating our terms of service. I look to every agency possible to receive meaningful feedback about our users' behavior and I'm hoping to get such feedback from SpamCop.net as well.

Thanks again,

Jeff


JeffJustice:

Another difference is that you are using a newer IP address. Spamcop does use a percentage of spam reports to messages sent as basis for the listing.

I am also wondering if they use a rolling set of IP's to send their email as most of the servers shown in your senderbase link have negative "Vol Change vs. Average" numbers saying they are not being used to their average use. Of the list I was seeing, 10/11 were under their 1 day average and 7/11 were under their 30 day average. Perhaps they have a slightly different business model.

For your operation, I only see one server (67.43.151.116, is this correct?). The stats for that one right now are up about 400% over your running averages:

Volume Statistics for this IP

              Magnitude   Vol Change vs. Average
Last day      4.7         409%
Last 30 days  4.7         427%
Average       4.0


I am sure they go on and off the Spamcop list but I am not going to search hundreds of IP's to find one :D

They are also widely blocked and are probably in thousands upon thousands of private blocklists. Once you get into someone's private blocklist or router deny table chances are you will never be removed.

You do have to admit In the past 51.6 days being listed 17 times for a total of 16.7 days (32.4%) is quite a lot. You have to understand tens of thousands of email/spam go unreported for every one that is reported to Spamcop. This is a "for sure" sign things are not the way they should be. It would suggest someone is not watching the abuse reports or money means more than ethics or someone just doesn't care.

Personally it does not matter to me as your range is already in our list but the numbers do not look good. I am sure everyone appreciates your awareness of the problems and your willingness to achieve a good rep for mass mailing which is a feat in itself.

If someone uses your services and they are spamming then you remove them from your services which is a very good thing and everyone will agree with that. But this also invites spammers to at least 1 paid spam run and probably more. Maybe you should add some penalties to your terms of service and charge a deposit/retainer of some kind that they will lose if they indeed spam.

Volume Statistics for this IP

              Magnitude   Vol Change vs. Average
Last day      4.7         409%
Last 30 days  4.7         427%
Average       4.0

As compared to my posted results yesterday of "last day change of 609%" and the note that two accounts were killed in between suggests a lot <g>


Steven,

I originally thought the same thing myself.

I was assured from a deputy via email that this is not the case.

Hi -- even if there were a penalty for a new source of email that would last a couple of days until the stats caught up.

I was also told via a deputy in email that our "seen" volume per day is about 3,700 msg/day. So our complaint rate is about 1/3,700 or 0.027%.

edit: Yes we only use one IP address. That's a bit more up front and honest from our perspective.


I'm not about to argue with the Deputies, and things change over time ... However, in the FAQ about the BL, I once challenged the word "reputation" ... and the response was that this word was actually the correct one. I believe that this 'discussion' is (at least partially) posted somewhere within this Forum structure .. the word 'reputation' should generate a search return ....


You do have to admit In the past 51.6 days being listed 17 times for a total of 16.7 days (32.4%) is quite a lot.

I admit this. It definitely has our attention here and is cause for alarm. Which is why I'm here B)

Maybe you should add some penalties to your terms of service and charge a deposit/retainer of some kind that they will lose if they indeed spam.

Good ideas but it could be hard to implement as the majority of complaints are one person's word against another's. Now if they hit spam traps that's another matter entirely but brings me back to my current catch 22.


Archived

This topic is now archived and is closed to further replies.

