
Blacklisted... where are the header details?


jeffjustice


I'm not about to argue with the Deputies, and things change over time ... However, in the FAQ about the BL, I once challenged the word "reputation" ... and the response was that this word was actually the correct one.  I believe that this 'discussion' is (at least partially) posted somewhere within this Forum structure .. the word 'reputation' should generate a search return ....

22007[/snapback]

I've seen that and when we changed IPs I asked that our reputation points carry over as well.

I was told this was not possible.

So I sat back and watched the system for a month figuring our rep would start to catch up. It obviously hasn't, but that may be due to the recent spam trap hits.

I've seen that and when we changed IPs I asked that our reputation points carry over as well.

I was told this was not possible. 

That would go back to the development of such data based on the activities of an IP address, not a Domain.

So I sat back and watched the system for a month figuring our rep would start to catch up.  It obviously hasn't, but that may be due to the recent spam trap hits.

Yes, this current situation has started this IP address with a bit of a hurdle to get back to a 'clean' reputation ... on the other hand, the numbers involved in 'seen' traffic should tip the scales a bit quicker ...???


Good ideas but it could be hard to implement as the majority of complaints are one person's word against another's.

I am not sure that I understand. I thought that since you have the spamcop report (one person's word), you have more information to make a decision on whether this mailing is using unsolicited lists. For instance, I thought, in order to show that the list is confirmed subscription, the owner of the list could come up with a unique token showing that the person did answer a confirmation email. If they can't do that, then they aren't using a confirmed subscription list. Of course, if the content of the email is the confirmation message or some other message which looks obviously like a mistake on the reporter's part, you can question the reporter about whether he was aware he reported this email before you even bother the owner of the list. I don't see how it ever comes down to one person's word against another.

Miss Betsy


Internal handoff.  System is not compromised.

SpamAssassin can be configured to automatically submit reports to SpamCop.  So if the message rates higher than a 5.0 it can get reported.

http://www.spamcop.net/fom-serve/cache/331.html

Agreed, that is the definition of spam after all.  :)

21949[/snapback]

This is not an automatically submitted SA spam and if it were there would be no report nor would it count towards the blocklist.

That said I am looking at your IP 67.43.151.116. One of the reported emails has a subject line of: SunTrust - Protect your account

and looks barely distinguishable from a phish. Is this a real mail? I have no clue; if I had received it I would probably assume it's a phish. In the text mime part there are several pages worth of white space -- why? I have no idea. No links, no text beyond:

Copyright =C2=A9 2004 SunTrust Banks, Inc.

<many blank lines>

his email was sent to x, by=20

SunTrust Banks, Inc

1st Avenue SunTrust HQ=20

RIchmond, VA 23285 United States=20

If you do not wish to receive future e-mail=20

from SunTrust Banks, Inc, please use the link below.

and your standard footer.

In the html part there appears to be a link that directs me to a blank page. The visible text indicates https but the actual link doesn't seem to be.

In any case were I a suntrust customer I am not sure in this day and age that I would have any faith that this was legit.

Continuing thru the reports for this IP -- we have the same people sending to a spamtrap that you and I have discussed previously and some other reports from earlier last week.
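The mismatch described in the post above (visible link text showing https while the actual link points elsewhere) can be checked mechanically on the HTML part of a message. The following is an added example, not part of the original thread; the sample HTML and its host names are constructed, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []
        self._href = None      # None means "not currently inside an <a>"
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href.strip(), "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return (shown, href, reasons) for anchors whose visible text is a URL
    that disagrees with the real href in scheme and/or host."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not text.lower().startswith(("http://", "https://")):
            continue  # visible text is not a URL, so there is nothing to compare
        shown, actual = urlsplit(text), urlsplit(href)
        reasons = []
        if shown.scheme.lower() != actual.scheme.lower():
            reasons.append("scheme")
        if (shown.hostname or "") != (actual.hostname or ""):
            reasons.append("host")
        if reasons:
            findings.append((text, href, reasons))
    return findings


# Constructed sample: one deceptive anchor, one honest anchor, one plain-text anchor.
SAMPLE_HTML = """
<p>Confirm: <a href="http://203.0.113.7/login">https://www.bank.example/login</a></p>
<p><a href="https://www.bank.example/help">https://www.bank.example/help</a></p>
<p><a href="http://mail.example/unsub?u=1">Unsubscribe</a></p>
"""
```
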


Ellen,

Regarding SunTrust. I mentioned in my response to Richard that it was fraud and they were cancelled immediately.

What other customers have you provided spam trap data for? I thought we clarified all issues you sent me via email and if I recall there was only one who you provided details for that hit a trap and I cc'd you on the cancellation notice I sent them.

If you wish to provide more examples of email sent from our system hitting a spam trap please provide confirmation they hit a trap (just say yeah, this one hit a trap), date/time, and subject and we will remedy the situation by cancelling accounts.

Thanks,

Jeff


The point I really meant to make -- and somehow got sidetracked -- was that you seemed to be focusing on the SA thing and I didn't think that was all that relevant. The suntrust thing caught my eye and I wandered off on that.


Ah ok.

Well if SA isn't that relevant do we agree then that the root of our issue has been a couple of customers hitting spam traps?

We have rooted out two customers thanks to your help. Can we continue to receive reports of dates/times, subjects, for those that do hit traps?

Using harvested email lists is not only a violation of our terms of service but it also falls under the 'aggravated' offense section of the CAN-SPAM law (meaning if it is found that the law is violated and it is also found that the addresses were harvested the fines per email triple).

I appreciate the discussion we have all had here. Thanks for all the input to help clarify what is going on.

Have a Happy New Year!

Jeff


Well if SA isn't that relevant do we agree then that the root of our issue has been a couple of customers hitting spam traps?

That could be some of it. It could also be some people on those same lists that contain the spamtraps also contain unsolicited addresses of spamcop reporters and are being reported as such.

It could also be that someone is reporting messages received at an address that was subscribed by the previous owner of that address. This is where dropping bounced messages off of active lists becomes important.

It could also be someone reporting traffic that they did agree to accept but either forgot or have changed their mind or is being held by something like spamcops Held Mail. That would be against spamcops reporting rules and punishable by the deputies if reported to them.

SpamAssassin really only comes into play if the receiver is using SpamAssassin and reporting on that fact.

There are many reasons for being reported, some valid, some not.


SenderBase data today;

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 4.5 .. 173%

Last 30 days .. 4.7 .. 402%

Average ........ 4.0

Recalling the "less than 10 user reports" and the previously captured high of 609% increase in traffic, I would suggest that yes, spamtrap hits were the largest reasons for the BL listing. Looking at the drop in traffic after dropping two accounts, some might point to the massive size of the server and/or firewall logs could / should have been a clue .. but of course, from this side of the screen, there's no way to know just how these two accounts were pitched at the time they came knocking on your door ... or maybe there was that one question that didn't get asked <g>


SenderBase data today;

Volume Statistics for this IP 

Magnitude Vol Change vs. Average

Last day ........ 4.5 .. 173%

Last 30 days .. 4.7 .. 402%

Average ........ 4.0

Recalling the "less than 10 user reports" and the previously captured high of 609% increase in traffic, I would suggest that yes, spamtrap hits were the largest reasons for the BL listing.  Looking at the drop in traffic after dropping two accounts, some might point to the massive size of the server and/or firewall logs could / should have been a clue .. but of course, from this side of the screen, there's no way to know just how these two accounts were pitched at the time they came knocking on your door ... or maybe there was that one question that didn't get asked <g>

22105[/snapback]

Volume decrease is due to the Holidays. There hasn't been a lot of activity this week or last as a result.

The accounts we dropped were not that large in terms of volume and our daily average volume is still in line with what we'd consider "normal".


That could be some of it.  It could also be some people on those same lists that contain the spamtraps also contain unsolicited addresses of spamcop reporters and are being reported as such.

Possibly. Hard to know though w/o the report details.

It could also be that someone is reporting messages received at an address that was subscribed by the previous owner of that address.  This is where dropping bounced messages off of active lists becomes important.

Hard bounces are unsubscribed immediately. This is not only good practice in general but is a requirement for us to stay on the Yahoo, AOL, etc whitelists.

It could also be someone reporting traffic that they did agree to accept but either forgot or have changed their mind or is being held by something like spamcops Held Mail.  That would be against spamcops reporting rules and punishable by the deputies if reported to them.

Interesting to note that the majority of email users define spam as something they initially wanted but then becomes too frequent. I think the number is like 60% of email users quote this as one definition of spam.

SpamAssassin really only comes into play if the receiver is using SpamAssassin and reporting on that fact.

Agreed, and of the report details I have seen, the majority have had SA scores over 5.0.


If you are only counting spamtraps as evidence of a bad list then when does a human complaint come into view?

22104[/snapback]

That isn't quite my point. We don't only look at traps. Spamtraps are 100% undeniable proof that the list is bad and if I'm notified I can act immediately w/o further investigation.

We have cancelled accounts in the past based on "human complaints". It is very obvious when someone has a list they are spamming. Open rates and bounce rates are extremely telling signs coupled with complaints sent to our abuse address etc.


We have rooted out two customers thanks to your help.  Can we continue to receive reports of dates/times, subjects, for those that do hit traps? 

22101[/snapback]

Sure -- you can always write to me at the address in my sig if you have questions which is likely to get a faster response because I only hit the forums once a day and tend to skim which means I may or may not see a post here.


Archived

This topic is now archived and is closed to further replies.

