EricM

Multiple reports from same user gets IP blocked


Hello.

I sell web hosting and we today had a customer who used his account to send ebay fraud spam.

The problem is ONE spamcop user reported the same email 8 times within 5 minutes and got our server IP blocked.

I know that spamcop blocks an IP automatically after a certain # of results but spamcop should make sure that these reports come from different users.

A single user should not have the power to block any site he wishes by submitting the same spam multiple times.

His user name is "Allan Holm".

Thanks,

Eric

The problem is ONE spamcop user reported the same email 8 times within 5 minutes and got our server IP blocked.

I know that spamcop blocks an IP automatically after a certain # of results but spamcop should make sure that these reports come from different users.

A single user should not have the power to block any site he wishes by submitting the same spam multiple times.

I quite often get 10-20 identical spams to spamtraps, all delivered at the same time, and all reported as quickly as possible. I do not think that SC will make an SCBL entry on just one reporter's submissions, even if they do 10 in a row. There must have been a 2nd or 3rd reporter involved.


Glad to see that Allan is reporting all of his spam instead of just one and deleting the dupes.

Hello.

I sell web hosting and we today had a customer who used his account to send ebay fraud spam.

The problem is ONE spamcop user reported the same email 8 times within 5 minutes and got our server IP blocked.

I know that spamcop blocks an IP automatically after a certain # of results but spamcop should make sure that these reports come from different users.

A single user should not have the power to block any site he wishes by submitting the same spam multiple times.

His user name is "Allan Holm".

Thanks,

Eric


Care to share the IP address that is listed? 'We' could then look at the evidence.

I sell web hosting and we today had a customer who used his account to send ebay fraud spam.

The problem is ONE spamcop user reported the same email 8 times within 5 minutes and got our server IP blocked.

If you have gotten rid of the customer, I don't see what the problem is. Your server was only listed while the spam was being sent so that others did not receive it. Some of your other customers may have experienced a slight delay in sending email while you took care of the situation, but it was probably not more inconveniencing than a backhoe or thunderstorm and, unfortunately because of the spammers, is one of the realities of internet life.

The purpose of the spamcop blocklist is to prevent other people from receiving the ebay fraud spam. As long as it was being sent, the IP address was blocklisted (though the listing should be based on more than one reporter. OTOH, one report to a spamtrap will list a server and you will not receive a report.) When you received the first report, presumably you did something about it so the spam stopped. Then it doesn't matter how many other reports are made. The listing is based on when the last spam came from that IP address.

Miss Betsy


As original poster has yet to respond, not a lot of time right now, I'll just add this if someone wants to spend the time trying to dig out the specific (making an assumption that there is a relationship) ...

route: 83.70.0.0/15

descr: eircom, Ireland

origin: AS5466


The IP is 69.57.134.80

After removing the site I went to check if the IP was blocked.

I guess it could have been a spamtrap, I don't know.

The only reports I got from spamcop were the 8 dupes of the same spam, all within 5 minutes. So I just assumed that the block was based on those reports from that one user, seeing as I did not get any others.

The problem is that I did not even get a chance to deal with the problem before it was blacklisted.

The IP is 69.57.134.80

Thanks, but would have been nice to know at your first post.

The only reports I got from spamcop were the 8 dupes of the same spam, all within 5 minutes. So I just assumed that the block was based on those reports from that one user, seeing as I did not get any others.

Assumptions sometimes suck. You say "8 dupes" .. where it was more likely 8 people reporting the same spam ... but again, I didn't see the reports.

The problem is that I did not even get a chance to deal with the problem before it was blacklisted.

Again, short on data here, but ... SenderBase shows some increase in traffic ... would you have any other reason for this increase beyond your "single spammer" ..???

http://www.senderbase.org/?searchBy=ipaddr...ng=69.57.134.80

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day        3.5         70%
Last 30 days    3.3         20%
Average         3.3

The IP is 69.57.134.80

After removing the site I went to check if the IP was blocked.

I guess it could have been a spamtrap, I don't know.

The only reports I got from spamcop were the 8 dupes of the same spam, all within 5 minutes. So I just assumed that the block was based on those reports from that one user, seeing as I did not get any others.

The problem is that I did not even get a chance to deal with the problem before it was blacklisted.


Yes, we see only the 8 e-bay phishes within 5 minutes. Duplicate spam to the same address is very common. Spamtrap evidence is not available to us but it seems very likely that if there is only one 'human' reporter spamtraps were also involved. Mole reporters could also have fed the blocklist. I notice that this is not the first phishing trip from your server: there were 5 duplicated phishes on 24 November last too. You'd be classed as a re-offender.

As for your last point, I don't know why you're unhappy: this is SpamCop doing exactly what it says on the tin: the listing gave you the 'heads-up', you dealt with it and were de-listed within a few hours. SpamCop exists to stop current spews, no-one makes a judgement or 'puts' you on the list: it's all automatic, as is de-listing. IMHO you should be thanking SpamCop for a job well done: without the quick warning you might have ended up on other lists that are a lot more difficult (or costly) to get off!


I see more than 8 reports and I also see phishes for sun trust bank along with ebay phishes and reports from more than 1 person!

Also reports for this IP go to the EV1 abuse desk so you would probably only see what they send you.

I see more than 8 reports and I also see phishes for sun trust bank along with ebay phishes and reports from more than 1 person!

Also reports for this IP go to the EV1 abuse desk so you would probably only see what they send you.


Aye but the Sun Trust phishes are from Nov 04 so can't contribute to this listing surely?

