bsdaddict

Server blocked...


I am the sysadmin for Glen Group. Today one of my users informed me that his emails weren't getting through to a particular destination. He forwarded me the error he received and upon reading it I discovered that our mail server was listed on spamcop. Here's the email...

------ Forwarded Message

From: MAILER-DAEMON[at]smtp.glengroup.com

Date: 15 Feb 2005 16:13:05 -0000

To: [edited][at]glengroup.com

Subject: failure notice

Hi. This is the qmail-send program at smtp.glengroup.com.

I'm afraid I wasn't able to deliver your message to the following addresses.

This is a permanent error; I've given up. Sorry it didn't work out.

<[edited][at]nhpr.org>:

64.80.51.140 failed on DATA command.

Remote host said: 554 Blocked - see

http://www.spamcop.net/bl.shtml?66.216.65.177

--- Below this line is a copy of the message.

Return-Path: <[edited][at]glengroup.com>

Received: (qmail 5489 invoked from network); 15 Feb 2005 16:13:04 -0000

Received: from unknown (HELO ?10.0.1.2?) (216.107.208.145)

by 10.0.2.77 with SMTP; 15 Feb 2005 16:13:04 -0000

User-Agent: Microsoft-Entourage/10.1.4.030702.0

Date: Tue, 15 Feb 2005 11:17:29 -0600

Subject: Follow up

From: [edited] <[edited][at]glengroup.com>

To: [edited] <[edited][at]nhpr.org>

Message-ID: <BE378AC9.9299%kevind[at]glengroup.com>

In-Reply-To: <000001c5109b$d3ac31e0$9dbcad45[at]yourw92p4bhlzg>

Mime-version: 1.0

Content-type: text/plain; charset="US-ASCII"

Content-transfer-encoding: 7bit

<snip>

I followed the link provided, hoping that I'd get some helpful information as to why our server was listed on spamcop's rbl. What I found was less than helpful, to say the least...

Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

* It appears this listing is caused by misdirected bounces. We have a FAQ which covers this topic: Why auto-responses are bad (Misdirected bounces). Please read this FAQ and heed the advice contained in it.

Reading the FAQ entry provided didn't really help. There are a few users on our server that are using autoresponders, however the "Causes of listing" references misdirected bounces, so my understanding is that that's not the issue. Just last week I implemented rblsmtpd into our qmail installation, so my suspicion is that that's somehow related. However, that does not send bounce emails, it sends a 553 error during the initial SMTP handshake.

Basically, I don't know why we've been listed, so I don't know what I need to address in order to get delisted. I take it the deputies know the specifics, do I need to send them an email or do they read this board? Is there any additional information I need to provide that would help figuring this out?

Thanks in advance for the help resolving this issue...

Daniel Frazier

[edit]

While typing this post http://www.spamcop.net/w3m?action=blcheck&ip=66.216.65.177 went from stating "If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 1 hour" to "If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 0 hours" to "If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately zero time." It appears as if we'll be automagically delisted soon, however I still need to know what happened so that I can prevent it from happening again.

Edited by bsdaddict


The easiest thing to do here is to suggest that you start with the Forum Faq & Pinned item "Why am I Blocked?" .... There's a lot of ground covered there. You have found one of the "special" features of the SpamCop system, being automated, as compared to most other BLs. Answering your other questions here is redundant ... this is what the FAQ - Read before Posting items were developed to handle.

I am the sysadmin for Glen Group.

It appears as if we'll be automagically delisted soon, however I still need to know what happened so that I can prevent it from happening again.


ATM there's nothing that 'we' can see that would help. The evidence pages have not been 'real-time' for a while because spammers were using it to avoid being listed. Senderbase shows an 88% increase in traffic from normal - is that reasonable or might there be a trojanned machine behind that IP? As Wazoo says, the FAQ lists a number of ways to end up on the list!

As the IP seems to belong exclusively to you, why are abuse reports going to rackspace? is this something you could change so that you get the early warning in future?

The easiest thing to do here is to suggest that you start with the Forum Faq & Pinned item "Why am I Blocked?" .... There's a lot of ground covered there.  You have found one of the "special" features of the SpamCop system, being automated, as compared to most other BLs.  Answering your other questions here is redundant ... this is what the FAQ - Read before Posting items were developed to handle.


I admit, I didn't read *every* FAQ in the "Read before posting" section. There's a heckuva lot to read there and I simply don't have the time to read every topic. I did scan them, however, and even read a few of 'em, but I didn't find anything pertinent to the Misdirected Bounces question.

I have fully read the "why am I blocked" FAQ. Didn't mention anything about misdirected bounces. What it did say, however, was to "Post the IP address that is blocked in the Spamcop web forum or newsgroup. There are many knowledgeable people in the SpamCop groups who will help you figure out why and offer solutions." . Thanks for your help...

ATM there's nothing that 'we' can see that would help. The evidence pages have not been 'real-time' for a while because spammers were using it to avoid being listed. Senderbase shows an 88% increase in traffic from normal - is that reasonable or might there be a trojanned machine behind that IP? As Wazoo says, the FAQ lists a number of ways to end up on the list!

As the IP seems to belong exclusively to you, why are abuse reports going to rackspace? is this something you could change so that you get the early warning in future?


Hrmmm, understandable about the evidence pages not being realtime... Damn spammers... Even so, should I still be able to email the deputies for the evidence?

As to the 88% increase in traffic, the only recent change has been incorporating rblsmtpd into our qmail setup. But that doesn't really explain the increase, since rblsmtpd does its thing during the SMTP handshake and if it blocks anything sends a 553 error to the originating server. Unless somehow the resulting bounces (which should be from the originating server, not ours) are counted towards Glen Group's traffic?

As to the possibility of a trojan being responsible, I suppose that's remotely possible. Not very likely, however, and I'm assuming that the results of a trojan would be more severe than misdirected bounces.

I have no idea why the abuse reports would be going to rackspace, unless it's because Rackspace shows up before Glen Group in a whois lookup. Why wouldn't they go to abuse[at]glengroup.com, or does that make too much sense? ;)

Thanks for taking the time to try to shed some light on this situation, Derek. I appreciate the effort...

Daniel Frazier

Systems Administrator

Glen Group

[edit]

I've registered with abuse.net so that I should receive any future reports...

Edited by bsdaddict

I have fully read the "why am I blocked" FAQ. Didn't mention anything about misdirected bounces.

I don't know about you, but the very first lines of that FAQ shows me the following:

Why Am I Blocked? Probable Causes

If your email has suddenly been blocked by the SpamCop blocklist, it is probably because you share an IP address with other email users and there is someone who:

is using auto-responses that are replying to spam with forged spamtrap email addresses (such as Out-of-Office/Vacation notices, virus notifications, and 'created email' bounces);

has a computer with a virus that sends spam without the owner's knowledge;

has a computer that has been compromised and spammers are remotely controlling it to transmit their spew;

is sending unsolicited emails and your internet service provider is allowing it;

or because, as in all systems, there may have been a mistake. (very rare)


And to pile on, the "Why am I Blocked" FAQ/Pinned entry also includes the Deputies address to request further data if the problem was spamtrap hits. This is Frequently Asked Question, thus the development of a FAQ list.


uh, ok... so I didn't realize I'd need to put my perl hat on before reading the FAQ...

while (<FAQ>) { s/created\semail/misdirected/; print; }

How silly of me... :blink:

nevermind... looks like people on this board (with the exception of Derek, at least he made an effort) are more concerned with semantics than actually helping people resolve problems... I'll email the deputies and see if they'll send me a sample of a Misdirected Bounce that hit the spamtrap. At least that will give me some information to go on... If they don't reply I'll have to resort to telling people to stop using your service if we get blocked again, and recommend to them a different RBL to use...

<rant>

what the heck is a "created email bounce", anyways? Google it and you'll see... There is NO SUCH THING! You guys must have a pretty high opinion of yourselves to assume that you can coin a phrase and expect people to understand what the heck you're talking about...

Not that any of you even care, but consider me one more sysadmin (who spends a considerable amount of his time trying to stop the flow of spam) who's royally torqued at the attitudes on this board. We're on the same team, for crying out loud!!! You guys are simply amazing, thanks for wasting my time.

</rant>

And to pile on, the "Why am I Blocked" FAQ/Pinned entry also includes the Deputies address to request further data if the problem was spamtrap hits.  This is Frequently Asked Question, thus the development of a FAQ list.


you posted while I was writing my last reply. If you even bothered to read my first post, in it I asked a simple question.

I take it the deputies know the specifics, do I need to send them an email or do they read this board?

a simple yes or no would have sufficed, and taken less effort...

Edited by bsdaddict


Just for giggles, the "FAQ - Please read before posting" was put into place to help stop wasting everybody's time. You could have looked at any number of previous postings in this same Forum section and seen what other folks have done, what questions were asked, what answers were offered, what changes were made to solve the problem .... Had you looked at the FAQ, you should have noticed something along the lines that it is an item that's always under work. Input is accepted, though <rant> mode doesn't really get things moved to the top of the list. Had you done any looking at all, you'd have found that the "Why am I Blocked" item was pieced together by a woman that describes herself as "technically nonfluent" .. yet she took the time to try to piece that thing together for both end users and admin folks. A bit more reading and you'd have found that a request to the Deputies does not get you "a copy" of anything.

But as you suggest, there's not a lot gained by spending time preaching to the choir about having many other things that require attention. Good luck in resolving your issues.


I spent a good 2 - 3 hours reading various posts and faq's before I started this topic. Nothing I read specifically covered the Misdirected Bounce question, other than the "why auto-responders are bad" page. Still wasn't specific enough though... The only suggestion that was possibly applicable was to apply the spamcontrol or qmail-ldap patch, which I'm not comfortable doing unless I know exactly what it's supposed to fix... That's all I'm trying to understand, what specifically hit the spam trap so that I can address that specific issue.

You say that a request to the Deputies does not get me "a copy" of anything. Why then does the Why am I Blocked FAQ state "If you need to know what triggered the report from a spamtrap, email deputies <at> spamcop.net."??? Get your story straight...

At this point I don't really care anymore... I can't afford to spend any more time trying to appease you... Please close this topic.

"created email bounce"

It was a non-technical person's way of describing the opposite of a reject since many non-technical people use bounce and reject interchangeably.

Basically, it is exactly what it says it is, the system has created a new message, with its own text, and sends it to the return address of the original message, even if that is not where the original message came from.

If you wish to submit a change to the wording that will be understood by all, be my guest. This is the first time I am aware of that someone has brought up this wording as a problem.

I'll email the deputies and see if they'll send me a sample of a Misdirected Bounce that hit the spamtrap.

They will not send you a sample. They may confirm to you what type of message hit the trap. The identity of the spamtrap addresses is heavily protected.

Reading the FAQ entry provided didn't really help. There are a few users on our server that are using autoresponders, however the "Causes of listing" references misdirected bounces, so my understanding is that that's not the issue.

One more attempt to be helpful in case you come back....

If the user's autoresponder sends a NEW email to the alleged sender of spam (always forged) rather than rejecting at the time of the SMTP transaction then I'm afraid that it is precisely what may end up hitting spamtraps. IOW it could very well be 'the issue'. Regrettably, these days autoresponders are simply bad news. We all wish it were otherwise.


Thanks again for trying to help, Derek. I got a reply back from the deputies and it appears the misdirected bounces were standard "Mailbox does not exist" messages. I'll have to look into having this handled during the SMTP phase so that the bounce doesn't come from our server.

I apologize to everyone for ranting a bit there... It's just that this whole process could have gone so much smoother... All I needed was specific confirmation as to what was bouncing so that I knew what I needed to fix, and no one except for Derek seemed willing to spend a few brain cycles to help me get that information.

I'd recommend changing the wording on the Why am I Blocked FAQ by editing this paragraph...

Post the IP address that is blocked in the Spamcop web forum or newsgroup. There are many knowledgeable people in the SpamCop groups who will help you figure out why and offer solutions. If you need to know what triggered the report from a spamtrap, email deputies <at> spamcop.net. Only they can see. However, a post will generally get you faster replies and more specific help on what is the problem.

...and removing any suggestions to post to the message board. Emailing the deputies got me exactly the information that I needed, and that paragraph in the FAQ makes it sound like the message boards are the better/faster option.

just my 2 cents...

Thanks again, Derek. The rest of you need to get off your high horses and lose the elitist attitude. It's not professional to say the least...

Daniel Frazier


The passage you posted is at the END of the FAQ entry for people running servers. Most people will use the information above that and know that they use autoresponders or bounce non-existent mailbox messages and see why it is bad to do that (you are sending messages to accounts that did not send them to you). Almost all the answers to the question are in the FAQ, and normally will only be repeated here. The additional information sometimes provided will be that some people will investigate your IP further to determine, for instance, that you have open ports allowing spammers to send messages, etc.

It's not professional to say the least...

I'm sorry you feel that way. With a couple exceptions, none of us here are spamcop employees. We are all just other users who volunteer our time here to help others through the spamcop maze.

it appears the misdirected bounces were standard "Mailbox does not exist"  messages.  I'll have to look into having this handled during the SMTP phase so that the bounce doesn't come from our server.

That's the key to keeping those things from getting your server IP listed. The ones that are generated as outgoing emails *after* the SMTP transaction is already finished are simply too prone to abuse, both from spammers, and also from worm email activity. Glad that you're seeing the light on that issue.

DT


Just to add my 2¢:

http://www.spamcop.net/sc?action=showroute...typecodes=21,16 shows the following, perhaps a Deputy or Admin can change the routing again just for you:

Reports routes for 66.216.65.177:

routeid:1565099 66.216.64.0 - 66.216.98.116 to:rackspace.net<at>abuse.net

Administrator interested in all reports

Wednesday, December 31, 1969 7:02:20 PM -0500

(px1nr.wp.shawcable.net.)]

Wednesday, December 31, 1969 7:01:58 PM -0500

routed to optinamerica

Friday, November 01, 2002 12:26:09 AM -0500

Interestingly, the "[report history]" link on http://www.spamcop.net/sc?track=66.216.65.177 after login shows no history details in the Slice with Issue ID 24210364.

Also, abuse.net is not yet showing a record for glengroup.com.

In addition, those wishing to further explore the relationship between RFCs, BCPs, and SMTP bounces should see the following Section of Request For Comments (RFC) 2505 AKA Best Current Practice (BCP) 30, "Anti-spam Recommendations for SMTP MTAs" by G. Lindberg:

1.5. Where to block spam, in SMTP, in RFC822 or in the UA

Our basic assumption is that refuse/accept is handled at the SMTP layer and that an MTA that decides to refuse a message should do so while still in the SMTP dialogue. First, this means that we do not have to store a copy of a message we later decide to refuse and second, our responsibility for that message is low or none - since we have not yet read it in, we leave it to the sender to handle the error.

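The distinction the thread keeps circling, rejecting at RCPT TO versus accepting and then generating a "Mailbox does not exist" message, is easy to see in a small simulation. The following is an added example written for this page; it is not code from SpamCop, qmail, rblsmtpd or the original poster. The local domain, the mailbox list and the spam sample with its forged spamtrap return address are constructed, and the 550 reply text is a hypothetical wording.

```python
"""Simulated MTA recipient-handling policies (added example, constructed data).

Two toy policies show why a bounce generated after DATA is misdirected when
the envelope sender is forged, while a 5xx answer to RCPT TO creates no new
message at all. Nothing here talks to a network.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCAL_DOMAIN = "glengroup.com"                   # assumed local domain
LOCAL_USERS = {"kevind", "postmaster", "abuse"}  # constructed mailbox list


@dataclass
class Message:
    mail_from: str   # SMTP envelope sender; becomes Return-Path on delivery
    rcpt_to: str     # SMTP envelope recipient
    data: str        # body (headers omitted for brevity)


@dataclass
class Outcome:
    replies: List[Tuple[str, int, str]]  # (command, SMTP code, text) sent to the peer
    accepted: bool                       # did we take responsibility for the message?
    bounce: Optional[Message]            # a new message we generated, if any


def local_user_exists(addr: str) -> bool:
    """Case-insensitive lookup of a local mailbox."""
    user, _, domain = addr.lower().partition("@")
    return domain == LOCAL_DOMAIN and user in LOCAL_USERS


def accept_then_bounce(msg: Message) -> Outcome:
    """Policy A: accept at SMTP time, discover the missing mailbox later.

    The only way left to report the failure is to create a delivery status
    notification and send it to the envelope sender. When that address is
    forged (as it is in spam) the DSN goes to a third party or a spamtrap,
    and it leaves from *our* IP.
    """
    replies = [("MAIL FROM", 250, "ok"), ("RCPT TO", 250, "ok"), ("DATA", 250, "ok queued")]
    if local_user_exists(msg.rcpt_to):
        return Outcome(replies, True, None)
    # DSNs use the null reverse-path "<>" (RFC 5321 section 4.5.5) so that a
    # failing bounce cannot itself be bounced and loop.
    dsn = Message(mail_from="", rcpt_to=msg.mail_from,
                  data=f"Mailbox does not exist: {msg.rcpt_to}")
    return Outcome(replies, True, dsn)


def reject_at_rcpt(msg: Message) -> Outcome:
    """Policy B: validate the recipient inside the SMTP dialogue.

    A 550 to RCPT TO means we never stored the message and never created one;
    the connecting MTA (or the spammer's bot, which simply drops it) is
    responsible for reporting the failure to its own sender.
    """
    replies = [("MAIL FROM", 250, "ok")]
    if local_user_exists(msg.rcpt_to):
        replies += [("RCPT TO", 250, "ok"), ("DATA", 250, "ok queued")]
        return Outcome(replies, True, None)
    replies.append(("RCPT TO", 550, "5.1.1 sorry, no mailbox here by that name"))
    return Outcome(replies, False, None)


def misdirected_bounce_target(out: Outcome) -> Optional[str]:
    """Address that would receive a bounce we generated, or None."""
    return out.bounce.rcpt_to if out.bounce else None


# Constructed sample: spam to a non-existent local user whose forged
# envelope sender is a hypothetical spamtrap address.
SPAM = Message(mail_from="trap-7f3a@spamtrap.example",
               rcpt_to="nosuchuser@glengroup.com",
               data="buy now")

if __name__ == "__main__":
    for policy in (accept_then_bounce, reject_at_rcpt):
        out = policy(SPAM)
        print(policy.__name__, out.replies, "bounce ->", misdirected_bounce_target(out))
```

Run it and policy A reports a bounce addressed to the spamtrap while policy B ends the dialogue at RCPT TO with a 550 and no bounce. The same shape applies to the rblsmtpd 553 mentioned earlier in the thread: a reply given during the dialogue is the remote MTA's problem, a message created after acceptance is yours.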
The passage you posted is at the END of the FAQ entry for people running servers.

which is precisely what I am, a person operating a mail server.

Most people will use the information above that and know that they use autoresponders or bounce non-existent mailbox messages

The information above that does not mention non-existent mailboxes. It mentions 'created email' bounces. That phrase makes absolutely no sense, and this is coming from a sysadmin who's been admining unix systems for quite some time... I strongly suggest you reword that section. Replace "created email" with "non-existent mailbox" and that section becomes much more clear.

I'm sorry you feel that way. With a couple exceptions, none of us here are spamcop employees. We are all just other users who volunteer our time here to help others through the spamcop maze.

When a user belongs to the Admin or Moderator group I feel that it's generally safe to assume that that user has some sort of professional relation to the parent entity. It's your responsibility to act/speak accordingly, as you're more or less speaking for that parent entity. Basically, whatever your employment status, on these boards you are a representative for Spamcop. I identified myself as a sysadmin so that it was clear that I wasn't some irate, ignorant end-user, and I expected some professional courtesy. As I said previously, we ARE on the same team... With one exception (and he isn't even an Admin or a Moderator, just a regular user), what I got was an elitist attitude, assumptions that I hadn't read any FAQs, and general lack of effort. As I said, not very professional...

Regardless, all this is beside the point now. I now know that the Misdirected Bounces (as they were referred to in the "Cause of Listing") were, in fact, bounces due to non-existent mailboxes. As they say, "Knowing is half the battle..." (so far this certainly has felt like a battle), and now that I know what the problem was I can fix it.

Have a good day.

Daniel Frazier

Replace "created email" with "non-existent mailbox" and that section becomes much more clear.

That would limit the meaning of the wording used. Some systems create a bounce message for ANY error message. Those bounce messages are what are described in:
is using auto-responses that are replying to spam with forged spamtrap email addresses
Then it goes on to give several (not an exclusive list) of examples. Even though your specific cause was not listed as a specific example, it is caused by an auto-response replying to (a message) with forged spamtrap (return) email addresses.

Perhaps that line should be re-written as follows:

is using auto-responses that are replying to messages with forged spamtrap return email addresses (such as Out-of-Office/Vacation notices, virus notifications, and other bounces);

Comments?

http://www.spamcop.net/sc?action=showroute...typecodes=21,16 shows the following, perhaps a Deputy or Admin can change the routing again just for you:

66.216.64.0 - 66.216.98.116 is Rackspace's ip space. Glen Group only has a sub-set of that range, 66.216.65.160 - 66.216.65.191. If it is possible to change the routing information just for our range that would be great. I have, however, submitted abuse[at]glengroup.com as the contact for glengroup.com, I'm assuming abuse.net just hasn't updated their database yet. I'm thinking that this should be sufficient, once the database is updated...

That would limit the meaning of the wording used. Some systems create a bounce message for ANY error message. Those bounce messages are what are described in: Then it goes on to give several (not an exclusive list) of examples. Even though your specific cause was not listed as a specific example, it is caused by an auto-response replying to (a message) with forged spamtrap (return) email addresses.

Perhaps that line should be re-written as follows:

is using auto-responses that are replying to messages with forged spamtrap return email addresses (such as Out-of-Office/Vacation notices, virus notifications, and other bounces);

Comments?


That would work, but I'd also change the line in the "For people who are operating servers" section from...

If the blocklist only lists spamtraps, then auto responses are the likely culprit.

...to...

If the blocklist only lists spamtraps, then auto-responders or misdirected bounces (such as "no such user", "non-existent mailbox" or "quota reached") are the likely culprit.

See, when I hear "auto-response" I don't think "bounce". To systems administrators the two are different animals, as a bunch we tend to be anal like that... ;) Auto-responders are something users set up when they won't be reading their email for a period of time, and bounces are something generated by a system event such as an unknown user or a user over his quota. Details like that make all the difference...

Edited by bsdaddict


I like your edit. I think that at the time that was written 'auto responses' were the most likely culprit. However, things have changed and expanding it is a good idea. (or that was the language used by the technically fluent that I didn't think was a good idea to edit).

Wazoo, I vote for the change (the topic is closed so I can't edit it without Wazoo's help).

I think that it might be better to spell out: 'misdirected bounce'

If the blocklist only lists spamtraps, then the likely culprits are auto-responders or email bounces (that is, bounce emails written after acceptance of the email instead of being 'bounced' by rejection at the server - and would include emails such as "no such user", "non-existent mailbox" or "quota reached").

Will that pass the 'technically fluent' inspection?

Miss Betsy


I felt it important to include "misdirected bounce" due to the fact that that's the wording that was used in the "Causes of listing". Also, "email bounces (that is, bounce emails written after acceptance of the email instead of being 'bounced' by rejection at the server" sounds self-contradictory. How's this:

If the blocklist only lists spamtraps, then the likely culprits are auto-responders or misdirected bounces (that is, bounce emails sent after acceptance of the email instead of being rejected by the server during the SMTP phase - and would include emails such as "no such user", "non-existent mailbox" or "quota reached").

I did mention that sysadmins are an anal bunch, didn't I??? ;)


Yes, you did, but it is no surprise to me!

Yes, since the spamcop page does say misdirected bounces, it would be better to use that terminology.

so Wazoo (unless there are other edits) - it is ready for the FAQ.

Thanks for your input, bsdaddict.

Miss Betsy


My edit of the proposed language is slightly more anal than bsdaddict's (edit in red, would be black in final version):

If the blocklist only lists spamtraps, then the likely culprits are auto-responders or misdirected bounces (that is, bounce emails sent after acceptance of the email instead of being rejected by the server during the SMTP phase, which would include emails such as "no such user", "non-existent mailbox", and/or "quota exceeded").
Edited by Jeff G.


Added in Jeff G's version .. though noting that it hadn't been closed from a while back, still debating the additional harder language from John M's newsgroup additions and/or the split into the two versions (end-user and Admin) ...
