Jump to content
Sign in to follow this  
jimmyz

hotmail.com servers are being blocked

Recommended Posts

this can't be right

I agree. Someone who took the time to register, took the time to make a post, surely would have provided some data to work with. Knowing for a fact that Microsoft/MSN/HotMail uses more than one server, I'm not inclined to spend time looking for just which server is in question .... Bottom line .. Got Data?

Share this post


Link to post
Share on other sites

Give me a few min's and i'll go through the logs on exchange and get the info. We have everything deleted when it gets flaged by spamcop so i don't have the e-mails to get the headers off them.

Share this post


Link to post
Share on other sites

servers that got blocked.

64.4.61.51

64.4.56.22

64.4.56.41

"07/07/05 12:57:11","Blacklist/Whitelist Module","mike_mahne[at]hotmail.com","mike.mahne[at]vericore.com","test to vericore and yahoo","Deleted","Sending mail server found on bl.spamcop.net"

"07/07/05 12:39:09","Blacklist/Whitelist Module","mike_mahne[at]hotmail.com","mike.mahne[at]vericore.com","test","Deleted","Sending mail server found on bl.spamcop.net"

"07/07/05 12:38:28","Blacklist/Whitelist Module","washmore[at]hotmail.com","aaron.vicknair[at]vericore.com","RE: hey","Deleted","Sending mail server found on bl.spamcop.net"

Edited by jimmyz

Share this post


Link to post
Share on other sites

64.4.56.22 not listed in bl.spamcop.net

64.4.56.41 not listed in bl.spamcop.net

64.4.61.51 not listed in bl.spamcop.net

Share this post


Link to post
Share on other sites
64.4.56.22 not listed in bl.spamcop.net

64.4.56.41 not listed in bl.spamcop.net

64.4.61.51 not listed in bl.spamcop.net

29985[/snapback]

Don't know what to say then. Logs showed that they where on the bl, and that was the ip address reported in exchange log that they where sent from.

Any know know of any problems in GFI MailEssentials that could have caused this?

Share this post


Link to post
Share on other sites
Don't know what to say then. Logs showed that they where on the bl, and that was the ip address reported in exchange log that they where sent from.

Any know know of any problems in GFI MailEssentials that could have caused this?

29986[/snapback]

It is possible they WERE listed and have since fallen off. You do understand how the Spamcop Bl works (since you are using it), correct?

Share this post


Link to post
Share on other sites
servers that got blocked.

64.4.61.51

64.4.56.22

64.4.56.41

"07/07/05 12:57:11","Blacklist/Whitelist Module","mike_mahne[at]hotmail.com","mike.mahne[at]vericore.com","test to vericore and yahoo","Deleted","Sending mail server found on bl.spamcop.net"

The first thing that you should realize is that the bl.spamcop.net is an aggresive blocking list and will on occasions list real mail servers.

A real mail server is typically listed for the following reasons in order of probaility:

1. Weak passwords on SMTP auth.

2. Mail server auto-responding or bouncing spam/viruses to the known forged addresses.

2. A multi-hop exploit where spamcop.net does not detect that it is only a relay. (Spamcop.net tries not to list muti-hop outputs)

3. A different security hole where spammers have control of the server.

4. A user of that mail server reports their own mail server.

A paying spamcop member can see if there is a past history for those I.P. addresses.

So if you are using b.spamcop.net, you are going to have noticable false positives from time to time.

"Deleted"

The second thing is that it is bad to silently delete detected spam, but not quite as bad as to bounce it to the forged address that it came from.

Detected viruses should be sent to a human to determine where to notify the proper network owner if you can not reject them in the SMTP transmission.

When a mail server is not going to deliver a message, it should end the SMTP session with a 500 series code like 550 to indicate such, and supply a brief text message as to why. This is part of the SMTP protocol.

If it is a mail server that is a gateway to other mail servers, if it can not determine that the end mail server can accept the message, then it should reject the SMTP session with a 400 series code like 440 with a text message. Then a real mail server will retry later. spam and viruses will usually not retry.

The 500 series code or too many 400 series codes will cause the sender's mail server (if it is a real e-mail) to send a notice to the original sender so that they know what happened.

That way when a real message is mis-classified as spam, the sender will be notified, and when you have intermittent network issues, the mail will eventually get through.

Since a real mail server usually is not on the bl.spamcop.net list long, some mail server operators reject mail from those listing with a 400 series code, so the real e-mail is only delayed by a little bit.

A mail server or spam filter that can not issue the 4xx or 5xx codes for detected spam or non-existant users is not robust enough for the current internet e-mail system as it has no way to non-abusively notify senders of real mail that gets mis-classified.

-John

Personal Opinion Only

Share this post


Link to post
Share on other sites

A bit confused by this last newsgroup posting;

From: "jimmy"

Newsgroups: spamcop

Subject: Re: spamcop is blocking hotmail.com servers!!!

Date: Thu, 7 Jul 2005 15:54:43 -0500

Message-ID: <dak4ql$fhh$1[at]news.spamcop.net>

NNTP-Posting-Date: Thu, 7 Jul 2005 20:54:45 +0000 (UTC)

Ok, just ran a new test. i had to BL running turned them off except

bl.spamcop.net.

hotmail was blocked from this server this time.

64.4.56.32

Module","mike_mahne[at]hotmail.com","jimmy.riley[at]vericore.com","spamcop

off","Deleted","Sending mail server found on sbl-xbl.spamhaus.org"

64.4.56.33

Is there a global shared list between the BL servers?

I thought the "work" definition said only SpamCopDNSBL was turned on, but the 'block' is based on a spamhaus listing ...

no, there is no connection between SpamCop and spamhaus ...

64.4.56.32 not listed in bl.spamcop.net

64.4.56.33 not listed in bl.spamcop.net

Share this post


Link to post
Share on other sites
64.4.51.220 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 23 hours.

Causes of listing

    * System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

    * SpamCop users have reported system as a source of spam about 40 times in the past week

Automatic delisting

If you are the administrator of bigip.bay107.hotmail.com and you are sure it will not be the subject of any more reports of spam, you may cause the system to be delisted without waiting for us to review the issue.

Looking for potential administrative email addresses for 64.4.51.220:

    cannot find an mx for bigip.bay107.hotmail.com

    cannot find an mx for bay107.hotmail.com

    65.54.190.230 is an mx ( 5 ) for hotmail.com

Listing History

In the past 82.8 days, it has been listed 14 times for a total of 78.6 days

Other hosts in this "neighborhood" with spam reports

64.4.51.90

I didn't follow this thread before, but now I have received a legitimate email from hotmail that was tagged.

Just FYI

Miss Betsy

PS spamassassin analysis

0.9 FROM_ENDS_IN_NUMS From: ends in numbers

1.1 MAILTO_TO_SPAM_ADDR URI: Includes a link to a likely spammer email

2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net

[blocked - see <http://www.spamcop.net/bl.shtml?64.4.51.220>]

0.8 MSGID_FROM_MTA_HEADER Message-Id was added by a relay

Share this post


Link to post
Share on other sites

They wouldn't be listed if they plugged whatever new hole they have. I only archive the stuff that makes it through to my server, but I remember reporting at least 10 others recently that got snagged by SC and ended up in held mail.

Two examples:

From info[at]ukwinningonline.org Sun Jul 24 16:22:23 2005

Return-Path: <info[at]ukwinningonline.org>

Received: from hotmail.com (bay16-f23.bay16.hotmail.com [65.54.186.73])

by dellboy.highspot.net (8.13.4/8.13.4) with ESMTP id j6OFMEAj008983

for <spamtrap[at]highspot.net>; Sun, 24 Jul 2005 16:22:23 +0100

Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;

Sun, 24 Jul 2005 08:22:07 -0700

Message-ID: <BAY16-F2352898F722F839A701727CFCB0[at]phx.gbl>

Received: from 213.181.81.245 by by16fd.bay16.hotmail.msn.com with HTTP;

Sun, 24 Jul 2005 15:22:06 GMT

X-Originating-IP: [213.181.81.245]

X-Originating-Email: [info[at]ukwinningonline.org]

X-Sender: info[at]ukwinningonline.org

From: "BRIAN HUNT" <info[at]ukwinningonline.org>

Bcc:

Subject: WINNING NOTIFICATION.

Date: Sun, 24 Jul 2005 15:22:06 +0000

Mime-Version: 1.0

Content-Type: text/html; format=flowed

X-OriginalArrivalTime: 24 Jul 2005 15:22:07.0387 (UTC) FILETIME=[7418C6B0:01C59063]

X-spam-Flag: YES

X-spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on Dellboy

X-spam-Level: ******

X-spam-Status: Yes, score=7.0 required=5.0 tests=BAYES_50,HTML_50_60,

HTML_MESSAGE,HTML_SHOUTING3,MIME_HTML_ONLY,MISSING_HEADERS,

MSGID_FROM_MTA_HEADER,NIGERIAN_BODY1,SUBJ_ALL_CAPS,URIBL_JP_SURBL

From [x][at]msn.com Tue Aug 2 03:52:08 2005

Return-Path: <[x][at]msn.com>

Received: from hotmail.com (bay105-f32.bay105.hotmail.com [65.54.224.42])

by dellboy.highspot.net (8.13.4/8.13.4) with ESMTP id j722pvC0014374

for <spamtrap[at]highspot.net>; Tue, 2 Aug 2005 03:52:07 +0100

Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;

Mon, 1 Aug 2005 19:51:25 -0700

Message-ID: <BAY105-F32581D19F067509DCB2162CEC20[at]phx.gbl>

Received: from 65.54.224.200 by by105fd.bay105.hotmail.msn.com with HTTP;

Tue, 02 Aug 2005 02:51:24 GMT

X-Originating-IP: [65.54.224.200]

X-Originating-Email: [abacha21[at]msn.com]

X-Sender: abacha21[at]msn.com

From: "Mariam Abacha" <abacha21[at]msn.com>

Bcc:

Subject: URGENT RESPONSE.

Date: Tue, 02 Aug 2005 02:51:24 +0000

Mime-Version: 1.0

Content-Type: text/plain; format=flowed

X-OriginalArrivalTime: 02 Aug 2005 02:51:25.0171 (UTC) FILETIME=[128FCC30:01C5970D]

X-spam-Flag: YES

X-spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on Dellboy

X-spam-Level: ***********

X-spam-Status: Yes, score=11.6 required=5.0 tests=BAYES_50,DNS_FROM_RFC_POST,

MISSING_HEADERS,MSGID_FROM_MTA_HEADER,NIGERIAN_BODY1,NIGERIAN_BODY2,

NIGERIAN_SUBJECT2,RCVD_IN_BL_SPAMCOP_NET,SUBJ_ALL_CAPS,URG_BIZ

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×