
I'm Blocked--Can I get a copy of headers?


durandel


I help maintain a virtual hosting company, which means that we have many web sites using shared mail servers.

A couple of our mail servers keep getting blocked by SpamCop. I want to get a copy of the mail headers so I can identify who the offending domain is and give them the boot, but from what I can tell SpamCop's automatic delisting doesn't give you any of this info.

How can I get a copy of the mail headers? I know that SpamCop doesn't give you the full headers (i.e. the recipient), but could they at least give you the full "From" headers?

Thanks!

:)


Hi, durandel!

...Please have a look at the entry on the first page of the "SpamCop Reporting Help" or the "SpamCop Blocklist Help" forum (the latter being where your inquiry would have been better to have posted) labeled Pinned: Original SpamCop FAQ Plus - Read before Posting. In the section labeled Interacting with SpamCop and it's users: there is an entry labeled How can I get SpamCop reports about my network? which I think may answer your question. If not, or you still have questions, please follow up here. :) <g>


I help maintain a virtual hosting company, which means that we have many web sites using shared mail servers.


What is the difference between a virtual hosting company and a hosting company?

A couple of our mail servers keep getting blocked by SpamCop. I want to get a copy of the mail headers so I can identify who the offending domain is and give them the boot, but from what I can tell SpamCop's automatic delisting doesn't give you any of this info.

It is hard to help you if you don't give us any info :-)

How can I get a copy of the mail headers? I know that SpamCop doesn't give you the full headers (i.e. the recipient), but could they at least give you the full "From" headers?

Spamcop gives plenty of info. They used to give more info but the spammers used it to bypass their system and to listwash. Spammers spoil it for everyone.

What is/are the IPs in question?


What is the difference between a virtual hosting company and a hosting company?


It is my understanding that a virtual hosting company hosts multiple sites per IP Address, and a hosting company only hosts one site per IP Address.

Thanks for the help! Yes, the only difference is that in virtual hosting you can have hundreds of domains using the same mail server, as opposed to dedicated hosting.

I've been receiving "reports" from Spamcop, but all they seem to say is when one of those mail server IPs is blocked. Here are the IPs in question:

209.239.38.232

209.239.38.113

209.239.45.15

If I can get the mail headers and the email (if the reason it was blocked is that it advertised one of our sites in the spam) I believe I can find/take care of the cause.

Thank you so much.


It appears that is because someone decided not to receive spamcop reports. All reports are going to abuse<at>alabanza.com. Please contact them. The first 2 IPs have had 1 and 2 reports, but the third is showing many reports. Contact the deputies<at>spamcop.net address to see about receiving reports directly.

---

Parsing input: 209.239.38.232

host 209.239.38.232 = host10.thisismyserver.com (cached)

[report history]

ISP does not wish to receive report regarding 209.239.38.232

ISP does not wish to receive reports regarding 209.239.38.232 - no date available

Routing details for 209.239.38.232

Report routing for 209.239.38.232: abuse<at>alabanza.com

---

Parsing input: 209.239.38.113

host 209.239.38.113 (getting name) = host2.thisismyserver.com.

[report history]

ISP does not wish to receive report regarding 209.239.38.113

ISP does not wish to receive reports regarding 209.239.38.113 - no date available

Routing details for 209.239.38.113

Report routing for 209.239.38.113: abuse<at>alabanza.com

---

Parsing input: 209.239.45.15

host 209.239.45.15 (getting name) no name

host 209.239.45.15 = host11.thisismyserver.com (old cache)

[report history]

ISP does not wish to receive report regarding 209.239.45.15

ISP does not wish to receive reports regarding 209.239.45.15 - no date available

Routing details for 209.239.45.15

Report routing for 209.239.45.15: abuse<at>alabanza.com

---


Parsing input: 209.239.38.232

host 209.239.38.232 = host10.thisismyserver.com (cached)

ISP does not wish to receive report regarding 209.239.38.232

ISP does not wish to receive reports regarding 209.239.38.232 - no date available

Routing details for 209.239.38.232

Report routing for 209.239.38.232: abuse[at]alabanza.com

Parsing input: 209.239.38.113

host 209.239.38.113 = host2.thisismyserver.com (cached)

ISP does not wish to receive report regarding 209.239.38.113

ISP does not wish to receive reports regarding 209.239.38.113 - no date available

Routing details for 209.239.38.113

Report routing for 209.239.38.113: abuse[at]alabanza.com

Parsing input: 209.239.45.15

host 209.239.45.15 (getting name) = host11.thisismyserver.com.

ISP does not wish to receive report regarding 209.239.45.15

ISP does not wish to receive reports regarding 209.239.45.15 - no date available

Routing details for 209.239.45.15

Report routing for 209.239.45.15: abuse[at]alabanza.com

Reports routes for 209.239.45.15:

routeid:864365 209.239.32.0 - 209.239.63.255 to:abuse[at]alabanza.com

Administrator interested in all reports

It appears that there is a reason you're not seeing reports as they happen.

SenderBase shows traffic is way down on the three IPs identified, noting that SenderBase also includes the IP of 209.239.40.132 as an e-mail source for the same Domain ... traffic also down on that one.


Looks like you are batting zero!

Reports should go to abuse[at]alabanza.com

BUT

ISP does not wish to receive reports regarding 209.239.38.232

ISP does not wish to receive report regarding 209.239.38.113

ISP does not wish to receive report regarding 209.239.45.15

If your ISP doesn't care about hosting spammers then I would say no one cares if you get blocked. You can check your logs for the following examples.

Examples:

209.239.38.232:

Submitted: Wednesday, May 18, 2005 1:51:17 AM -0400:

Re: Microcap Idea for You

209.239.38.113:

Submitted: Thursday, July 21, 2005 2:03:37 PM -0400:

Re: [iMPORTANT] Your Mortgage Rate!

Submitted: Wednesday, July 06, 2005 3:11:39 PM -0400:

[MISDIRECTED BOUNCE] Re: Milwaukee Standard - note revealing Wall street & Fo...

209.239.45.15:

Submitted: Monday, July 11, 2005 8:04:21 PM -0400:

[MISDIRECTED BOUNCE] Re: Microcap Communiqu?Investor Communiqu?Stealth Microcap

Submitted: Saturday, June 25, 2005 11:46:09 AM -0400:

Girls loove it

Submitted: Saturday, June 25, 2005 11:36:10 AM -0400:

Any med for your girl to be happy!

Submitted: Saturday, June 25, 2005 11:18:10 AM -0400:

Neue Sommer-Modelle mit 50% Rabatt (Handgemachte 1A-Luxus-Ware!)

Submitted: Saturday, June 25, 2005 11:18:02 AM -0400:

Neue Sommer-Modelle mit 50% Rabatt (Handgemachte 1A-Luxus-Ware!)

Submitted: Friday, June 24, 2005 10:00:27 AM -0400:

Nur 2 Rappen pro Farb- A4-Seite: Jetzt unverbindlich testen!


Thanks for the info. I'll need more than the Subjects to track them down, so I've opened a ticket with Alabanza regarding this. Our servers are maintained within their network.


Short of nuking the spammers and actually acting on spam reports, there's absolutely nothing that Alabanza can do about the SC BL. Given that they ignore/reject spam reports, my guess is that they are at best gray hat. Good luck!

...Ken


Where's Jerry when you need him? :)

Are you referring to Jerry Gilyeat, who was Alabanza's abuse person years ago? Some of the nonprofit orgs I work with finally moved all of our sites off their servers (after being hosted there for almost six years), partly due to our shared mail servers getting blocked fairly frequently, sometimes on the SCBL, but far more frequently by AOL. Alabanza also pretended for years that they had backup generators, but then, about a year ago, when there was an electrical outage in Baltimore, it turned out that there weren't any backup generators at all, and their entire server farm was down for quite some time. I no longer trust them at all.

We've moved our accounts to a VPS situation at Spry, where all of our mail will be transmitted from our own IP address, even though we share the physical server with other accounts.

BTW, I just Googled Jerry, and here's his recent resume:

http://bluedragyn.net/~jerry/resume2.txt

Looks like he's been working at Johns Hopkins University since leaving Alabanza.

DT


Thanks for the info. I'll need more than the Subjects to track them down, so I've opened a ticket with Alabanza regarding this. Our servers are maintained within their network.


While you are talking to them ask them when they are going to remove the following spammers.



Hi folks.

Well, their abuse dept. responded:

--------------------------------------------------

"We checked on all the complaints we have received from SpamCop and found only 3 complaints received all related to the default autoresponder causing problems. We have resolved this issue. But there were not enough complaints to cause your server IP to become blacklisted by spamcop unless they are now adopting a zero tolerance policy. I have included an attachment titled Important information. Please read this attachment at your convenience. It contains important information.

Could you please reply to the moderator that you spoke to and request that your server's IP be added to their list as a third party. This will ensure that you also will receive any spam complaints against any end user in your server. This will put you and your business at a great point of advantage.

209.239.38.113 not listed in bl.spamcop.net

209.239.38.232 not listed in bl.spamcop.net

209.239.45.15 not listed in bl.spamcop.net

If we can further assist you please do not hesitate in contacting us.

Sincerely,

Leon

Alabanza Abuse"

--------------------------------------------------

Sounds like it was a classic auto-response problem (spam, probably virus-sent, hits their domain, which sends an autoresponse to whomever is spoofed in the From address). They sent the mail headers too, so I could verify which domains it was for those 3 reports.

I'll go ahead and email deputy<at>spamcop.net about getting the reports sent to us directly so we can cut out the Alabanza abuse dept. as a middleman (probably an overworked middleman at that).

Thanks!


Sounds like it was a classic auto-response problem

Yes, very likely, in that Alabanza has a very idiotic custom-programmed auto-response for undeliverable addresses (assuming that the domain isn't using a catchall). It doesn't happen during the initial SMTP handshaking, but is an "after the fact" responder...the kind that causes problems, and therefore, the Alabanza servers make frequent appearances on the SCBL. I recommend finding better hosting.

DT
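
One way an operator of a shared mail server could find which hosted domain is producing the after-the-fact autoresponses discussed in this thread. This is an added example, not code from any poster or from SpamCop; the log format, field names and all domains are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in a simplified, hypothetical log format (not any real
# MTA's format): timestamp, direction, envelope sender, envelope recipient,
# the hosted domain that generated the message, and an auto-reply flag.
SAMPLE_LOG = """\
2005-07-06T15:11:02 out from=<> to=<trap1@example.net> origin=shop-a.example autoreply=yes
2005-07-06T15:11:09 out from=<> to=<victim@example.org> origin=shop-a.example autoreply=yes
2005-07-06T15:12:40 out from=<bob@club-b.example> to=<alice@example.com> origin=club-b.example autoreply=no
2005-07-11T20:04:11 out from=<> to=<trap2@example.net> origin=shop-a.example autoreply=yes
2005-07-11T20:05:30 out from=<> to=<carol@club-b.example> origin=club-b.example autoreply=yes
2005-07-11T20:06:00 in from=<x@example.org> to=<info@shop-a.example> origin=- autoreply=no
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>in|out) from=<(?P<sender>[^>]*)> "
    r"to=<(?P<rcpt>[^>]*)> origin=(?P<origin>\S+) autoreply=(?P<auto>yes|no)$"
)


def backscatter_by_domain(log_text, hosted_domains):
    """Count outbound auto-generated mail to external recipients, per hosted domain."""
    hosted = {d.lower() for d in hosted_domains}
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dir"] != "out":
            continue
        # Bounces and autoresponses carry a null envelope sender or the auto flag.
        auto = m["sender"] == "" or m["auto"] == "yes"
        # Replies that stay on the same server cannot reach outside spamtraps.
        rcpt_domain = m["rcpt"].rpartition("@")[2].lower()
        if auto and rcpt_domain not in hosted:
            counts[m["origin"].lower()] += 1
    # Highest count first: the domain whose responder needs fixing.
    return counts.most_common()


if __name__ == "__main__":
    for domain, n in backscatter_by_domain(
        SAMPLE_LOG, {"shop-a.example", "club-b.example"}
    ):
        print(f"{domain}: {n} auto-generated messages to external addresses")
```
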


Archived

This topic is now archived and is closed to further replies.
