hapklaar

Netvisit server blocked, again


As of a week ago one of our mailservers is being put on the spamlist. Spamcop's Ellen stated that it was because it was sending lots of user unknown bounces. Ok fair enough, we stopped that. But now it has been blocked again and there is no way I know of to check how this happened...

Has something in the spamcop policy been changed? We've been running this mailserver for years like this and suddenly there seems to be a persistent problem.

Please help me out here as we're no spammers and don't want to be seen as such.

The server is 81.18.1.4 (in reply to Miss Betsy on nntp)


Per this page: http://mailsc.spamcop.net/w3m?action=blcheck&ip=81.18.1.4

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

But it also mentions:
If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 1 hours.

The spamtrap could have been due to the bounces where the spamtrap address was in the From field.

> The spamtrap could have been due to the bounces where the spamtrap address was in the From field.

But, IIUC, that wouldn't happen unless the system involved is sending bounces as email messages, as opposed to simply rejecting bad deliveries during the initial SMTP handshaking. The only message currently reported by a SC user is indeed a bounce, and I see something like that in the "sightings" email abuse group (from May 2004). Perhaps you need to reconfigure your mail server so that it doesn't send bounce messages as "after-the-fact" email messages.

DT

> Perhaps you need to reconfigure your mail server so that it doesn't send bounce messages as "after-the-fact" email messages.

David, I believe they addressed that with:

> Spamcop's Ellen stated that it was because it was sending lots of user unknown bounces. Ok fair enough, we stopped that.


I guess it would help if I read more carefully before responding... ;)

...but then why is their system still sending *something* to those spamtraps, if they aren't bounces? I think this is only something that the deputies will be able to determine.

DT


Interesting ... something I can't say I've seen before ...

http://www.senderbase.org/?searchBy=ipaddr...tring=81.18.1.4

Report on IP address: 81.18.1.4

Volume Statistics for this IP

Period        Magnitude   Vol Change vs. Average
Last day      3.9         -20%
Last 30 days  4.0         -1%
Average       4.0

That's quite a reduction in traffic if one only points to the "fixing of user unknown bounces" ... I'd almost point out the obvious that your server has been used/abused to get the spew out...

Had my fingers crossed, but not enough time has elapsed yet.

http://www.spamcop.net/w3m?action=checkblock&ip=81.18.1.4 still showing the "in approximately 1 hour" ...


Spamcop used to show more evidence but the problem with that was spammers were using the evidence files to avoid being blocked.

Spammers have spoiled it for everyone.

I believe your listing should come off any time now.

Currently shows:

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately zero time.

It'll probably get listed again as I don't know what to do about it... It would really be helpful if there was a way to check for evidence.

I see in your newsgroup thread that Ellen suggested writing to Deputies and you responded with "I did twice . and got no answer" .... While I can tell you that dialog there is rarely instantaneous (even noting my last "answer" from there was something like three or four days after my query .. further noting that this query included over a half-dozen links to some monster discussions 'here' ...) the "no answer" is actually a rarity.

Little things ... are you an admin for the mail-server in question? If so, did you point that out? As the inclusion of an IP address was only done after it being pointed out that it wasn't provided, might the same data have been missing in those two e-mails? Mike Easter also provided some disturbing data about systems "close" to this IP .. do you have any control over those systems? Have you looked for the suggested problem areas?

> If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately zero time.

Now that's FUNNY :lol:

> It would really be helpful if there was a way to check for evidence.

The only evidence that might be provided for a spamtrap report would come through the deputies again. It is possible it is a different kind of response (out of office, etc.).


I'm currently in an email conversation with Spamcop, it apparently was another bounce. I think an over quota message.

SPF should have covered this by now so no more blacklisting would be necessary


Why is Spamcop still blacklisting servers because of them sending bouncemail (no such user, account over quota, etc.)?

If SPF had been configured for the domains used in the from field, the mail would not have been accepted in the first place and no bounce mail would have landed in the spam trap.


SPF is not a cure for bounces nor is it a cure for spam.

Everyone else is not getting on the blocklist what are you doing different?

> Why is Spamcop still blacklisting servers because of them sending bouncemail (no such user, account over quota, etc.)?

Because those errors should be reported directly to the sending system during the SMTP transaction, NOT afterwards in an actual email message. If you do it properly, the errors won't be transmitted to the forged addresses in the headers of spam and wormy messages. If you do it the second way, the bounces will go to innocent victims.

DT


SPF doesn't figure into a DNSBL listing. Though you say it was a bounce at issue, is it dealing with the bounce going to a spamtrap? Another issue, again nothing to do with an SPF record.


Some confusion / overlap here ... original poster started a new Topic .... I merged that discussion back into the one already started, as SPF had also already been mentioned ....


And here we go again, again listed because of a bounce. Apparently a quota exceeded message triggered this %&*%*& trap again.

I don't see how you can say SPF has nothing to do with this in this case:

Our server receives a mail from blabla[at]blabla.net for me[at]kabel.netvisit.nl through a SPF checking gateway.

blabla.net does not designate permitted sender hosts, so the gateway cannot check whether the sender host is really blabla.net.

The mailbox for me[at]kabel.netvisit.nl is over quota, so a bounce message is being sent to blabla[at]blabla.net and our server is on the blocklist again.

If blabla.net would have designated permitted sender hosts by means of SPF, the message would not have been accepted by the gateway in the first place, because apparently the sender was faking the from address.

Edited by hapklaar


And if your host rejected the message because of the over-quota, rather than accepting and then trying to return it to a forged address, your server would not be blocked either.

SPF, while I will not try to figure out if it would have helped in this case (what happens in the case where you want replies sent to a different address?), you can not make the whole internet conform to it quickly (if at all). You would have a higher chance to get your host to stop sending out bounce messages, resulting in your server not being listed because it has sent messages to a spamtrap (or another innocent user).

> And if your host rejected the message because of the over-quota, rather than accepting and then trying to return it to a forged address, your server would not be blocked either.

Exactly! Servers must reject the message during the SMTP session, and it sounds like your server is not doing that.

DT

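As an added illustration of the point made in the last two replies (example code written for this edit, not from the thread, SpamCop or any named MTA), here is a small Python model of a receiving mail server under the two policies: reject at RCPT TO, so the over-quota or unknown-user error goes back to the peer and nothing is generated, versus accept-then-bounce, which mails a DSN to the envelope sender that spam usually forges (possibly a spamtrap). The domain, mailbox names and states are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed mailbox table for the local domain; names are made up.
LOCAL_DOMAIN = "example.net"
MAILBOXES = {
    "alice": {"over_quota": False},
    "bob": {"over_quota": True},  # bob's mailbox is full
}


def rcpt_reply(recipient: str) -> tuple[int, str]:
    """SMTP reply to give at RCPT TO for a recipient.

    'User unknown' and 'mailbox full' are both answered in-session, so the
    sending MTA, not this server, is responsible for telling its user.
    """
    local, _, domain = recipient.partition("@")
    if domain != LOCAL_DOMAIN:
        return 554, "5.7.1 Relay access denied"
    box = MAILBOXES.get(local)
    if box is None:
        return 550, "5.1.1 User unknown"
    if box["over_quota"]:
        return 552, "5.2.2 Mailbox full"
    return 250, "2.1.5 OK"


@dataclass
class Outcome:
    rcpt_code: int                 # code sent to the peer at RCPT TO
    dsns_sent_to: list[str] = field(default_factory=list)


def deliver(envelope_from: str, rcpt: str, reject_in_session: bool) -> Outcome:
    """Simulate one transaction under the two policies discussed above."""
    code, _ = rcpt_reply(rcpt)
    if code == 250:
        return Outcome(code)
    if reject_in_session:
        # Peer gets the 5xx at RCPT TO; this server generates no message.
        return Outcome(code)
    # Accept-then-bounce: we answered 250, discover the problem later and
    # mail a DSN to the envelope sender, which spam usually forges.
    # A null envelope sender (<>) must never be bounced to.
    return Outcome(250, [] if envelope_from == "" else [envelope_from])
```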
> Because those errors should be reported directly to the sending system during the SMTP transaction, NOT afterwards in an actual email message. If you do it properly, the errors won't be transmitted to the forged addresses in the headers of spam and wormy messages. If you do it the second way, the bounces will go to innocent victims.

Is there some RFC that states that systems must be set up this way? I've read RFC 821 and 2821 and neither requires that bounces MUST be done during the initial SMTP conversation. What about instances of mailbox limits or out of office messages? How about if I place restrictions on who can send to a mailbox and need to generate an NDR?

While I agree that you SHOULD bounce during the initial SMTP conversation, there is nothing that states you MUST do that. To list someone for this places Spamcop as the standards body for the internet. I'm sorry, but they are not. IETF has committees that set forth the standards that "should" be followed. IEEE also does a lot of work in the interoperability standards area.

> To list someone for this places Spamcop as the standards body for the internet.

That is not the reason you are being listed. You are being listed for sending spam to addresses that never requested it.

You can run your server the way you want, people will block accordingly.

> That is not the reason you are being listed. You are being listed for sending spam to addresses that never requested it.
>
> You can run your server the way you want, people will block accordingly.

You should correct that statement to read, "You are being listed for complying to the RFCs in a way that Spamcop doesn't agree with".

In your message earlier you said "If you do it properly, the errors won't be transmitted to the forged addresses in the headers of spam and wormy messages". Properly is defined by the RFCs and not a single person's opinion.

> While I agree that you SHOULD bounce during the initial SMTP conversation, there is nothing that states you MUST do that.


If that is your attitude, you must live with the consequences. You will send bounces, vacation messages, etc. to innocent third parties who never requested them. These people will then take actions against you such as adding your IP to their blocklists or reporting you to SpamCop.

Some small Internet-based businesses had to halt their operations for days because they were being flooded with tens of thousands of misdirected bounces. This causes real economic harm to real people.

> If that is your attitude, you must live with the consequences. You will send bounces, vacation messages, etc. to innocent third parties who never requested them. These people will then take actions against you such as adding your IP to their blocklists or reporting you to SpamCop.
>
> Some small Internet-based businesses had to halt their operations for days because they were being flooded with tens of thousands of misdirected bounces. This causes real economic harm to real people.

My attitude is that people should follow the rules that are set forth by the IETF. That's a standards body that many people contribute to so standards can be defined for all. To define your own standards violates this principle.

I hear you. I've been the victim of those as well, but listing the way spamcop is doing can cause economic harm because they don't get valid traffic when they should. This also will cause lost business.

By Spamcop's rules, you need to just blacklist every Fortune 1000 since they almost all use Out of Office messages. Don't forget to include Ironport since they also use OOF.

> I hear you. I've been the victim of those as well, but listing the way spamcop is doing can cause economic harm because they don't get valid traffic when they should. This also will cause lost business.


The SpamCop listing only puts a number in a list. That is all. The rest (blocking and filtering of email traffic) is done by people who choose not to receive email from people who sent unsolicited email to innocent third parties. People choosing to block email from you is very different from people having all your misdirected bounces forced upon them.

> By Spamcop's rules, you need to just blacklist every Fortune 1000 since they almost all use Out of Office messages. Don't forget to include Ironport since they also use OOF.


Many of these companies are taking measures to make sure that they do not send automatic responses to forged email addresses. The rest will get listed if the innocent recipients report them to SpamCop.

