Sender was blocked by not on BL


The following email was blocked. I am curious to know why. I read the FAQs. The sender's address is my brother's as is the bikeparks.co.nz domain. He has been having issues with his ISP and I'd like to know if there is something problematic in their email routing.

Obviously I released it only today (Friday in Singapore) but it was sent Tuesday NZ time.

I hope somebody can talk me through this.

Stefan

Return-path: <ichangedthisaddress[at]bikeparks.co.nz>
Received: from mac.com (smtpin26-en2 [10.13.11.71])
  by ms22.mac.com (iPlanet Messaging Server 5.2 Patch 2 (built Jul 14 2004))
  with ESMTP id <0IIL00GKMDSF0G[at]ms22.mac.com> for ichangedthisaddress[at]mac.com;
  Fri, 24 Jun 2005 07:05:03 -0700 (PDT)
Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49])
  by mac.com (Xserve/smtpin26/MantshX 4.0) with ESMTP id j5OE52Di022166 for
  <ichangedthisaddress[at]mac.com>; Fri, 24 Jun 2005 07:05:02 -0700 (PDT)
Received: from unknown (HELO beta.cesmail.net) (192.168.1.150)
  by c60.cesmail.net with SMTP; Fri, 24 Jun 2005 10:05:01 -0400
Received: (qmail 1802 invoked by uid 0); Fri, 24 Jun 2005 14:05:01 +0000
Received: (qmail 5238 invoked from network); Mon, 20 Jun 2005 20:48:27 +0000
Received: from unknown (192.168.1.101) by blade1.cesmail.net with QMQP; Mon,
  20 Jun 2005 20:48:27 +0000
Received: from loadbalancer1.orcon.net.nz (HELO dbmail-mx1.orcon.net.nz)
  (219.88.242.3) by mailgate.cesmail.net with SMTP; Mon,
  20 Jun 2005 20:48:26 +0000
Received: from Desktop (60-234-136-101.bitstream.orcon.net.nz [60.234.136.101])
  by dbmail-mx1.orcon.net.nz (8.13.2/8.13.2/Debian-1)
  with ESMTP id j5KKmtjN026607; Tue, 21 Jun 2005 08:49:22 +1200
Date: Tue, 21 Jun 2005 08:48:37 +1200
From: Xxxx Xxxxxxxx <ichangedthisaddress[at]bikeparks.co.nz>
Subject: RE: cool clothing
In-reply-to: <000001c57556$2cbfc610$d71ebb09[at]sg.ibm.com>
To: ichangedthisaddress[at]spamcop.net, ichangedthisaddress[at]noelleeminggroup.co.nz
Cc: 'Xxxxx Xxxxxxx' <ichangedthisaddress[at]spamcop.net>
Reply-to: ichangedthisaddress[at]bikeparks.co.nz
Message-id: <001101c575d9$746e0ed0$0301a8c0[at]Desktop>
Organization: Bike Parks Ltd
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Mailer: Microsoft Outlook, Build 10.0.2616
Content-type: multipart/alternative;
  boundary="----=_NextPart_000_0012_01C5763E.09A5FC10"
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Delivered-to: spamcop-net-ichangedthisaddress[at]spamcop.net
Received-SPF: none
X-Virus-Scanned: ClamAV version 0.85.1,
  clamav-milter version 0.85 on dbmail-mx1.orcon.net.nz
X-Virus-Status: Clean
X-spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on blade1
X-spam-Level:
X-spam-Status: hits=0.0 tests=HTML_MESSAGE version=3.0.2
X-SpamCop-Checked: 192.168.1.101 219.88.242.3
X-SpamCop-Disposition: Blocked bl.spamcop.net
Original-recipient: ichangedthisaddress[at]mac.com


X-SpamCop-Checked: 192.168.1.101 219.88.242.3

IP on the right was the IP that caused the action, which in this case is explained by the next line:

X-SpamCop-Disposition: Blocked bl.spamcop.net

http://www.spamcop.net/w3m?action=checkblock&ip=219.88.242.3 currently shows:

219.88.242.3 not listed in bl.spamcop.net

There are some 419 type spam examples offered up in the "sightings" newsgroup ...

so it would appear that this e-mail server was allowing spam to be sent out. For whatever reason (hopefully action taken by the ISP), the reported spam levels have dropped to a point where the SpamCopDNSBL listing requirements are no longer met, thus the listing has been dropped.


The following information (with more details) is available with your paid reporting account. Enter the IP address (219.88.242.3) and click [report history].

Report History:

Submitted: Tuesday, June 21, 2005 8:47:45 PM -0400: Your Kind Attention.
Submitted: Tuesday, June 21, 2005 11:07:25 AM -0400: Your Kind Attention.
Submitted: Monday, June 20, 2005 2:16:20 PM -0400: Your prompt response!
Submitted: Monday, June 20, 2005 11:29:07 AM -0400: Your Kind Attention.
Submitted: Sunday, June 19, 2005 9:53:32 AM -0400: Your Kind Attention.
Submitted: Wednesday, June 15, 2005 3:53:51 PM -0400: MRS.STELLA JOHNSON.
Submitted: Friday, June 10, 2005 7:57:19 AM -0400: urgent
Submitted: Friday, June 10, 2005 3:21:52 AM -0400: Wartford & Wartford Chambers
Submitted: Thursday, June 09, 2005 8:36:30 AM -0400: From: Evangelist Sandra Nura.
Submitted: Monday, May 23, 2005 4:25:47 AM -0400: Urgently Reply


Steven,

The following information (with more details) is available with your paid reporting account. Enter the IP address (219.88.242.3) and click [report history].

Thanks but I can't find where I get those details from. Can you please give me directions?

Thanks - Stefan


The following information (with more details) is available with your paid reporting account [emphasis mine -- Steve T].  Enter the IP address (219.88.242.3) and click [report history].

<snip>


Steven,

Thanks but I can't find where I get those details from. Can you please give me directions?

Thanks - Stefan


Hi, Stefan,

...StevenUnderwood found that information because he has (as he implied in his post) "a paid reporting account" (see text, above, that I italicized and bolded). In other words, he has registered with SpamCop and paid to have this, as well as other capabilities. Others (as is true of me) are using the free reporting service -- we do not have the capabilities StevenUnderwood has.

...Unless these spam were sent to "spam Traps," more detailed reports should have gone to the following e-mail addresses:

  • mark[at]digital-edge.co.nz
  • seebyips[at]orcon.net.nz

because either they are the registered abuse e-mail addresses for the IP address 219.88.242.3 or because the owner of those IP addresses has asked SpamCop to forward the messages to them. If they were sent to spam traps, then only the SpamCop deputies would have the detailed information available to them and they will only release that information, at their discretion, to those who can convince them that they are the responsible authorities. My guess is that your best course is to write to the above e-mail addresses, explain this situation, and ask for more details (explaining why you need them).

...Good luck!


Steven,

Thanks but I can't find where I get those details from. Can you please give me directions?

Thanks - Stefan


Google will also show you spam sightings of this IP

ISP does not wish to receive report regarding 219.88.242.3

For an IP to be listed means the Provider is another useless leech who needs dumping. These types only wish to milk bank accounts and should be fined and closed down (it will gradually be added to more and more SpamLists).

The IP "loadbalancer1.orcon.net.nz" is an email server which is spam friendly.


Steven,

Thanks but I can't find where I get those details from. Can you please give me directions?

Thanks - Stefan


As Steve T has mentioned, this only works with a paid reporting account. However, your headers seem to indicate that you have a spamcop email account which comes with a paid reporting account so this should work for you.

Log into your reporting account ( http://mailsc.spamcop.net/ or http://www.spamcop.net ) using the username/password you use to access your email.

Paste the IP address (219.88.242.3) into the form and click Process spam.

At the top of the next page, you should see:

SpamCop v 1.466 © Ironport Systems Inc., 1998-2005 , All rights reserved.

Parsing input: 219.88.242.3

host 219.88.242.3 = loadbalancer1.orcon.net.nz (cached)

[report history]

Click on that [report history] link to see the information (plus additional report IDs and where the reports were sent to).


I checked the "report history" today and found more "Please, Assist!" messages being reported from that IP. Those are 419 scams...most egregious...and the ISP doesn't want to hear about anything bad coming from their system. It's time to stop doing business with that ISP.

DT


Gents,

I did find those reports. I agree this ISP is totally irresponsible. I have now passed on the information to my brother and recommended that he (at the very least) uses another ISP for emailing. Since he hosts his business website with them too it is not straightforward to move to another hoster, but that is something he has been considering doing. As I said earlier, there had been other issues related to poor service/performance in terms of the hosting service this ISP has provided.

Thanks for everyone's help. I appreciate it.

Stefan


Probably wasted effort, but since the ISP doesn't want to hear about anything bad coming from their system, might they listen a little more (or at least pretend to) if your brother threatens to pull his business from them because of their irresponsibility? (my guess is they're taking too much cash from the crap-senders, and will happily show him the door anyway)


....and here is the ISP's reply. I drafted a response for my brother but I'd appreciate people's remarks. I liked the workaround they have to "get things going for the users". I bet that's all they do since they tell Spamcop they don't want to be notified. I also like the remark "blacklist is more annoying than anything else as it does not target the problem". I'd have thought that was their responsibility and since they issue DHCP client IP addresses they are the only party that can reconstruct which account sent the spam. Then they try to steer my brother down a road that (to the best of my knowledge) requires a static IP address, since many ISPs bounce mail received from SMTP servers at dynamic IP addresses. He could relay through an ISP's server but then he couldn't use theirs or he'd be back at square one. Perhaps this is the way they drum up revenues: run a sloppy email service then encourage business users that they need their own dedicated mail server $$$

Stefan

From: Louie Schutte [mailto:lschutte[at]orcon.net.nz]

Sent: Tuesday, 28 June 2005 09:24 a.m.

To: xxxxx[at]bikeparks.co.nz

Subject: RE: Undeserved blacklisting

Hi Tony

Any ISP would have someone trying to abuse the system, and at some point the mail server's IP address would be blacklisted. The blacklist is more annoying than anything else as it does not target the problem. All ISPs have this issue and Xtra is no exception as they have been blacklisted many times before as well. The way ISPs get around the problem would be to change the IP address of the SMTP server to allow valid traffic and then to contact the spammer, who in many cases would be an end user's computer infected by a virus.

The only way to get around being blacklisted would be to run your own mail server with its own IP address. You would then need to implement strict security rules to block anyone from using your server to relay messages and have the box running on Linux, which will be less prone to getting infected.

You can also run an SMTP software application on your existing machine and there are thousands of free SMTP applications on the net that you can use.

Hope this helps

Regards

Louie Schutte

Corporate Account Manager

Orcon Internet Limited

09 444 44 74 ext 704

021 366 123


<snip>

From: Louie Schutte [mailto:lschutte[at]orcon.net.nz]

Sent: Tuesday, 28 June 2005 09:24 a.m.

To: xxxxx[at]bikeparks.co.nz

Subject: RE: Undeserved blacklisting

Hi Tony

Any ISP would have someone trying to abuse the system, and at some point the mail server's IP address would be blacklisted. The blacklist is more annoying than anything else as it does not target the problem. All ISPs have this issue and Xtra is no exception as they have been blacklisted many times before as well. The way ISPs get around the problem would be to change the IP address of the SMTP server to allow valid traffic and then to contact the spammer, who in many cases would be an end user's computer infected by a virus.

The only way to get around being blacklisted would be to run your own mail server with its own IP address. You would then need to implement strict security rules to block anyone from using your server to relay messages and have the box running on Linux, which will be less prone to getting infected.

You can also run an SMTP software application on your existing machine and there are thousands of free SMTP applications on the net that you can use.

Hope this helps


Thank you for your suggestions. I disagree with you on the value of blocklists. Only the *sender* of email can control spammers since only the *sending ISP* can identify the culprit. As you point out, unless the ISP knowingly supports spammers by giving them connectivity, the most likely culprit is a client with an infected computer. Blocklists that return a message are very effective in alerting people that there is something wrong. ISPs who respond appropriately to customer complaints that email is being blocked (by alerting the infected customer and cutting connectivity until the problem is fixed) help reduce the amount of spam being sent. The amount of time on a blocklist is usually minimal, not much more than an outage caused by interruption of power (such as a backhoe or thunderstorm). In addition, ISPs can help their customers to avoid getting infected in a number of ways.

[then depending on whether you intend to remain with this ISP or not, a paragraph about why you are cancelling your account or a strongly worded complaint about unreliable service]

My $.02 USD

Miss Betsy


<snip>

[then depending on whether you intend to remain with this ISP or not, a paragraph about why you are cancelling your account or a strongly worded complaint about unreliable service]

My $.02 USD

Miss Betsy


Agree wholeheartedly with Miss Betsy. I would also add (in this case) something along the lines of:

As you refuse to receive reports from SpamCop you are denying yourselves one of the best 'early warning systems' that you have an infected client and thus contributing to the world-wide spam problem. A responsible ISP welcomes SpamCop reports and acts quickly to disconnect 'zombied' machines from its network.


Agree wholeheartedly with Miss Betsy

<snip>


...Miss Betsy's reply is far too nice, IMHO. The reply from Orcon is complete b.s. (again IMHO) -- it seeks to deflect the responsibility of the ISP for the spam spew. It is not inevitable that any ISP will be blacklisted -- since it is normally caused by a zombie (what Orcon's representative describes as a "virus" -- it may or may not be a virus; it could be another type of malware), proactive steps can be taken to avoid customer PCs being taken over by the malware but this is rarely done, apparently because of the perceived cost and effort of doing so (the assumption being that the cost and effort would exceed the cost of the zombie-ing and resulting spam spew, an assumption I myself am not at all convinced is true, but at least should be admitted by ISPs as the controlling factor as to why they are not proactive in avoiding the situation).

Here's the ISP's comeback. My brother has moved on causing a disruption to his business.

Comments please:

1. I have not heard of spammers using "infected" machines; open relays unbeknown to the owner, yes, but have there been viruses developed in anticipation of using them as open relays later? Do you think the writer means to say viruses can spawn spam from infected machines?

2. The writer cites mx4.hotmail.com as an example of server name spoofing. To my knowledge a server name or an IP address can get onto a black list. Is it a fair question to ask whether the Chinese IP address or the server mx4.hotmail.com deemed this email as spam in this case? I am not sure this demonstrates more than the fact that email headers can be forged. In any case, the wording clearly is designed to imply Hotmail gets black listed too (which I am sure they do).

3. The writer implies it is impossible to identify the subscriber guilty of spamming because he obscures the email address. As far as I am aware ISPs log the IP addresses assigned to a given account against a timeline. Shouldn't that allow them to see who really sent the mail or at least give them a starting point?

***TOP***

Hi Tony

It feels as if I have been misunderstood in the comments that I have given in regards to the blacklists. Let me try and explain. If a spammer wants to send spam, the last thing he wants is somebody to catch him. Instead of using his own e-mail address as a return address, he would try to use any domain as an alternate reply address. Spammers have automated software applications that they use to accomplish this. They also use infected computers as "relay agents" to send their spam from. When this happens, companies like Spamcop place the domain in a list of known domains from which spam has originated. The blacklists are updated every 48 hours, so after that time a domain or IP is removed and everything would be normal.

The problem with companies like Spamcop is that putting a domain or IP on the list affects valid mail from going through to end users, thereby "being more annoying than anything else". All ISPs have an abuse e-mail address, in our case it is abuse[at]orcon.net.nz, where network abuse notifications should be sent. We have always given these notifications top priority in dealing with, as we know it would affect business continuity of the end user. Changing the IP address of our mail server is not to avoid the notification of being blacklisted, it is purely done to get mail through.

spam is a worldwide problem effecting all ISP's and everyone with a valid e-mail address or domain would be a target. The majority of e-mails currently sent worldwide are spam. we are constantly working on our own systems and also work with other ISP in trying to combat spam.

I gave the option of running your own mail server purely as an alternative as opposed to running your mail services through an ISP, being us or anybody else for that matter.

To prove to you that it's not only us having a problem, the included header information is from a spam message that I have received just a few seconds ago. The offending SMTP server is mx4.hotmail.com, however the IP address 219.136.146.86 of that mail server belongs to an IP range from an ISP in China (Chinanet-GD).

Microsoft Mail Internet Headers Version 2.0
Received: from dbmail-mx1.orcon.net.nz ([219.88.242.3]) by exchange02.exchangeservers.orcon.net.nz with Microsoft SMTPSVC(6.0.3790.1830);
  Thu, 30 Jun 2005 09:30:35 +1200
Received-SPF: none
Received: from smtp2.orcon.net.nz (smtp2.orcon.net.nz [219.88.242.60])
  by dbmail-mx1.orcon.net.nz (8.13.2/8.13.2/Debian-1) with ESMTP id j5TLV8PB005158
  (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
  for <staff[at]orcon.net.nz>; Thu, 30 Jun 2005 09:31:08 +1200
Received: from mx4.hotmail.com ([219.136.146.86])
  by smtp2.orcon.net.nz (8.13.1/8.13.1/Debian-14) with ESMTP id j5TC9QWJ015563
  for <staff[at]orcon.net.nz>; Thu, 30 Jun 2005 09:26:59 +1200
Message-Id: <200506292126.j5TC9QWJ015563[at]smtp2.orcon.net.nz>
From: gercment[at]wanadoo.es <mailto:gercment[at]wanadoo.es>
Subject: Trust Needed/Investment pkcugk
To: staff[at]orcon.net.nz
Content-Type: text/plain
Date: Wed, 29 Jun 2005 23:29:39 -0700
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Virus-Scanned: ClamAV 0.86/960/Wed Jun 29 16:31:06 2005 on dbmail-mx1.orcon.net.nz
X-Virus-Status: Clean
Return-Path: sexyztcy[at]hotmail.com <mailto:sexyztcy[at]hotmail.com>
X-OriginalArrivalTime: 29 Jun 2005 21:30:35.0501 (UTC) FILETIME=[C93B81D0:01C57CF1]

We do apologise for any inconvenience we may have caused.

Regards

Louie Schutte

Corporate Account Manager

Orcon Internet Limited

09 444 44 74 ext 704

021 366 123

***END***


Sample spam parse / results seen at http://www.spamcop.net/sc?id=z780267150z46...8be3b2b6a9f385z

As seen in that parse, it is the sending IP address that is located, reported, and (would have been) added to the SpamCopDNSBL count. As far as spam spew sourcing, there is no "Domain" data involved ...

Item #1: geeze, the teaming up of spammers and virus writers started a long time ago. Virus infections that included using their own SMTP engine go back years, the additional "remote control" aspect started well over a year, maybe two years ago ...

Item #2: see the results in the Tracking URL provided.

Item #3: it is the norm that an ISP would have logs that would show who was connected and using an IP address at any particular time. However, those logs can be turned off, it takes someone time and effort to search them for specific data, date/timestamps are critical and timezones do tend to confuse some folks immensely, .... on and on ... let's just leave it that a legitimate ISP with even a slightly trained/knowledgeable staff should have no problem pulling up "the responsible party"

The included description of the SpamCopDNSBL isn't really valid ... IP addresses, not Domains, are what get listed. It is updated in real time, not "every 48 hours" .... the SpamCopDNSBL "blocks" no one, "blocking" being determined by folks deciding to incorporate use of that database in the fashion .... it's already been pointed out that although an abuse address does exist, someone there chose to turn off SpamCop notifies, which also then dis-allowed any early-warning mechanism ... any of that can only be resolved at their end.

Someone needs to take a look at the FAQ ...

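The point made in the reply above (and in the earlier note that the right-hand address in X-SpamCop-Checked is the one that triggered the block) is that a DNSBL lists the IP address the receiving MTA actually saw, not the domain or HELO name the client presented. The following is an added illustration, not SpamCop's parser and not code from anyone in this thread: it walks a Received chain from the recipient's side outward, stops at the first peer that is not the receiving site's own infrastructure, and builds the bl.spamcop.net query name for it. Both header samples are constructed from the headers quoted in this thread and trimmed to the relevant hops; the "trusted domain" and "own MX address" lists are assumptions standing in for what each receiving site knows about itself.

```python
import ipaddress
import re
from typing import NamedTuple, Optional
# Constructed from the two header sets quoted in this thread, trimmed to the relevant
# hops (most recent hop first, as in a real message; folded lines start with a space).
FIRST_POST = """\
Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49])
 by mac.com (Xserve/smtpin26/MantshX 4.0) with ESMTP id j5OE52Di022166
Received: from unknown (HELO beta.cesmail.net) (192.168.1.150)
 by c60.cesmail.net with SMTP; Fri, 24 Jun 2005 10:05:01 -0400
Received: (qmail 1802 invoked by uid 0); Fri, 24 Jun 2005 14:05:01 +0000
Received: from unknown (192.168.1.101) by blade1.cesmail.net with QMQP
Received: from loadbalancer1.orcon.net.nz (HELO dbmail-mx1.orcon.net.nz)
 (219.88.242.3) by mailgate.cesmail.net with SMTP
Received: from Desktop (60-234-136-101.bitstream.orcon.net.nz [60.234.136.101])
 by dbmail-mx1.orcon.net.nz (8.13.2/8.13.2/Debian-1)
"""
ORCON_EXAMPLE = """\
Received: from dbmail-mx1.orcon.net.nz ([219.88.242.3])
 by exchange02.exchangeservers.orcon.net.nz with Microsoft SMTPSVC(6.0.3790.1830)
Received: from smtp2.orcon.net.nz (smtp2.orcon.net.nz [219.88.242.60])
 by dbmail-mx1.orcon.net.nz (8.13.2/8.13.2/Debian-1) with ESMTP id j5TLV8PB005158
Received: from mx4.hotmail.com ([219.136.146.86])
 by smtp2.orcon.net.nz (8.13.1/8.13.1/Debian-14) with ESMTP id j5TC9QWJ015563
"""

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
FROM_BY = re.compile(r"^Received:\s*from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+)", re.I)
RDNS = re.compile(r"\(([\w.-]+)\s+\[")  # sendmail "(name [ip])": name is the receiver's own rDNS lookup

class Hop(NamedTuple):
    name: str          # first name after "from": HELO or rDNS, depending on the MTA's format
    rdns: str          # name the receiving MTA itself resolved for the peer ("" if none)
    ip: Optional[str]  # peer address as the receiving MTA saw it
    by: str            # the receiving MTA

def unfold(raw: str) -> list:
    # Join folded header lines (continuations start with whitespace).
    out = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def parse_received(raw: str) -> list:
    """One Hop per 'Received: from ... by ...' header; qmail's local 'invoked' hops have no peer and are skipped."""
    hops = []
    for header in unfold(raw):
        m = FROM_BY.match(header)
        if m:
            frm, ips, r = m.group("frm"), IPV4.findall(m.group("frm")), RDNS.search(m.group("frm"))
            hops.append(Hop(frm.split()[0], r.group(1) if r else "", ips[-1] if ips else None, m.group("by")))
    return hops

def in_domain(host: str, domains) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)

def is_ours(hop: Hop, domains, mx_ips) -> bool:
    """Peer is our side if it is private space, a known MX address of ours, or was
    resolved by our own MTA (not claimed by the client) to a name in our domain."""
    try:
        if hop.ip is None or not ipaddress.ip_address(hop.ip).is_global:
            return True
    except ValueError:
        return True
    return hop.ip in mx_ips or in_domain(hop.rdns, domains)

def connecting_hop(raw: str, domains, mx_ips=()) -> Optional[Hop]:
    """Walk from the most recent hop: the first hop taken *by* one of our MTAs from a peer that is
    not ours is the connecting client. Hops below that boundary are only the sender's own claim."""
    for hop in parse_received(raw):
        if in_domain(hop.by, domains) and not is_ours(hop, domains, mx_ips):
            return hop
    return None

def dnsbl_name(ip: str, zone: str = "bl.spamcop.net") -> str:
    """Reverse the octets under the zone: the name an MTA resolves to test a listing."""
    return ".".join(reversed(ip.split("."))) + "." + zone

if __name__ == "__main__":  # trust lists are assumptions about what each receiving site knows
    for raw, doms, mxs in ((FIRST_POST, ("cesmail.net", "mac.com"), ()),
                           (ORCON_EXAMPLE, ("orcon.net.nz",), ("219.88.242.3", "219.88.242.60"))):
        hop = connecting_hop(raw, doms, mxs)
        print(f"client said {hop.name!r}, connected from {hop.ip}, received by {hop.by}; query {dnsbl_name(hop.ip)}")
```

For the first post this yields 219.88.242.3 (the right-hand value in X-SpamCop-Checked); for Orcon's example it yields 219.136.146.86, even though the client announced itself as mx4.hotmail.com. An MTA resolves the returned name and treats an A-record answer (127.0.0.2 for bl.spamcop.net) as "listed".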

spam is a worldwide problem effecting[sic] all ISP's and everyone with a valid e-mail address or domain would be a target. The majority of e-mails currently sent worldwide are spam.  we[sic] are constantly working on our own systems and also work with other ISP[sic] in trying to combat spam.


Umm, no, "SPAM" is a Registered Trademark of Hormel, Inc. for its canned SPiced hAM product, and the full-uppercase version "SPAM" should not be used to refer to email or newsgroup postings.

...Miss Betsy's reply is far too nice, IMHO.  The reply from Orcon is complete b.s. (again IMHO) -- it seeks to deflect the responsibility of the ISP for the spam spew.  <snip>


The reply from Orcon, apparently from the next reply, wasn't just b.s., but total ignorance and incompetence. He didn't even try to sugarcoat (or deflect the responsibility); he had no conception of the problem.

And while the temptation to 'make it clear' what one thinks of bsser's or incompetents is great, it doesn't really accomplish anything. With bsser's if you are clear about what you want and don't give them anything to spin off on, you are more likely to get what you want. With incompetents, then there is little that you can do, except cut your losses and move on. Once in a while, you will penetrate their ignorance and they will listen to an explanation - but not if the first communication was too strongly worded.

I did miss a couple of good points, but didn't have time to really think it through.

I am sorry that the client's business was disrupted by having to move, but it sounds to me as though it will be worth it in the long run!

Miss Betsy


Item #1: geeze, the teaming up of spammers and virus writers started a long time ago.  Virus infections that included using their own SMTP engine go back years, the additional "remote control" aspect started well over a year, maybe two years ago ...

Sorry Wazoo... I knew that viruses were now carrying their own smtp servers but missed the whole "remote control" aspect in relation to sending of spam. This is how we learn so I appreciate you pointing that out. I'll take a walk through the FAQ but perhaps you can cite some viruses/worms/trojans that exhibit this behaviour. I'd like to look at what Symantec/McAfee etc have to say on these.

Stefan


I am sorry that the client's business was disrupted by having to move, but it sounds to me as though it will be worth it in the long run!

Miss Betsy,

I totally agree. Tony recognised it was better to move on and has now done so. From a learning perspective it was important to understand what occurred and why so I think this exercise was valid. Personally I needed to be sure I understood this issue too so thank you all for your contributions and patience. I'm glad forums like this exist.

Stefan


Sorry Wazoo... I knew that viruses were now carrying their own smtp servers but missed the whole "remote control" aspect in relation to sending of spam. This is how we learn so I appreciate you pointing that out. I'll take a walk through the FAQ but perhaps you can cite some viruses/worms/trojans that exhibit this behaviour. I'd like to look at what Symantec/McAfee etc have to say on these.

Stefan


OK... to answer my own question... for the benefit of others who don't live & breathe this day-in-and-day-out...

See http://securityresponse.symantec.com/avcen...jan.kalshi.html

"Discovered on: October 10, 2003

Last Updated on: October 24, 2003 10:39:59 AM

Trojan.Kalshi is a Trojan Horse that spammers use to anonymously send spam messages. This Trojan may arrive in an install package that includes Backdoor.HackDefender, a rootkit used to hide its malicious activities.

Definitions dated October 13, 2003 or earlier may detect this threat as W32.Kalshi.A[at]mm."

As Wazoo points out... been happening for some time now.

Stefan
