cummings

can't figure out why this is rejected


An IP Address can get listed by the SCBL very quickly. It can be delisted immediately (via one-time delisting) or 48 hours after the last Report or Mole Report or spamtrap hit after listing. Of course, listing status at the SCBL's root DNS servers is one thing, and due to propagation delays evidence of a change in it can take up to three hours to be reflected in the SCBL's public DNS servers (which in the example case of IP Address 1.2.3.4 can be queried by checking 4.3.2.1.bl.spamcop.net for its IP Address (A Record) of 127.0.0.2) or the SCBL's webpage. You should always be able to find that test address 127.0.0.2 is listed by confirming that 2.0.0.127.bl.spamcop.net has an IP Address of 127.0.0.2. For some reason, http://www.spamcop.net/w3m?action=checkblock&ip=127.0.0.2 currently shows "127.0.0.2 is not a routeable IP address" rather than "127.0.0.2 listed in bl.spamcop.net (127.0.0.2)".

> IIUC a listing "lives" for about two hours unless renewed by new reports of spam.

That's two days, not two hours.


Hmmm, thinking that this is going to take some research to find documentation (thinking now that it was in a response from Ellen on something else ..??), but I also believe that there is a 2 hour minimum involved, mainly to keep the database from going crazy with an IP "on the edge" of the algorithm ... where there once was the threshold of 2% ... one complaint pushed it over, 10 minutes later the 'new traffic seen' would push it back, then another complaint ....


Boy, what a thread.

It looks to me that we need to get back to the basics.

Why is cummings using the spamcop BL and how does he expect that it should work?

Turning the SpamCop BL on and off to deal with individual customers who happen to get on the BL is an extremely time consuming and impractical way to use the BL.

White listing is the most effective way to deal with mail that gets blocked that you want to receive.

I would contend that Cummings is acting like an end user rather than a mail server admin and as such a functional white list would be a good idea.

As stated by others, cummings' servers need to format correct error messages that clearly indicate why a message is being bounced (the exact cause - IP address) and it would be helpful if it contained an alternate method of reaching them (phone, reply back, etc) that would allow cummings to add the user to the white list and get around the blocking problem.

Due to problems of abuse of information, the exact current status of any IP listed/not listed on the SpamCop BL is no longer readily available and add to that the time delays in server updates, there is no way of knowing at any exact point in time if any specific IP will be determined to be on or off the SpamCop BL.

Example, 2 emails sent at the exact same time to two different addresses, both of which are using the SpamCop BL without any white lists or other filtering; one accepts the mail as not being on the BL, one rejects the mail because it is on the BL - a simple fact of life that we can all thank the world of spammers for.

If nobody ever responded to spam, the majority of it would stop on its own. (no profit, no spam)


here is my response from the deputies:

Theoretically queue1.tis-in.trb would be the server trying to deliver to you. Of course that domain name doesn't exist so who knows what the IP is :-(

> Received: from unknown (HELO tco-lat-exbh2.TRIBUNE.AD.TRB) (172.24.24.26)

> by queue1.tis-in.trb with SMTP; 29 Jul 2005 16:48:39 -0000

163.192.21.6 was listed on 7/29 for 2 hours.

198.187.230.11 was listed on 7/30-7/31

163.192.2.12 has not been listed in the last 30 days

163.192.2.14 has not been listed in the last 30 days

163.192.4.179 has not been listed in the last 30 days

It would be nice if your software included the IP that it was blocking in the reject as that would make things easier to figure out. If you have a whitelist capability you could probably whitelist 163.192.21.0/24 and also 198.187.230.11. That would give you more flexibility in what blocklists you use.

i received the rejection notice from my customer on 7/29 at 230pm, which probably can be explained by this: 163.192.21.6 was listed on 7/29 for 2 hours.

to be safe, i should probably whitelist their mail servers in case they are about to get re-listed for a day or 2 hours or whatever.

here is what i plan to do, but i won't do it until someone here tells me that i'm on the right track.

1. enter 163.192.21.0/24, 163.192.2.0/24, 163.192.4.0/24 and 198.187.230.0/24 into the whitelist in 602 Lan Suite Email Server Software, just to cover all bases (in case they have more mail servers in those ranges).

2. enable spamcop in the anti-spam area of 602.

3. call our customer and ask them to send a test email.

4. if it gets rejected by spamcop, post the new rejection message here. if it gets through to me without rejection, leave settings as is (and let people here know the results).

5. contact 602 with a feature request to include the IP that is blocklisted.

here is the email i sent back to deputies[at]:

the email that my server (208.32.228.22) rejected from my customer (probably 163.192.21.6) was dated 7/29. so it seems likely that the email was sent in the 2 hour time that 163.192.21.6 was listed. in that case, it is probably safe to use spamcop again seeing that 163.192.21.6 is not being blocked anymore. however, i will add those IPs to my whitelist to prevent future problems. i will also put in a feature request for 602 software to tell the person rejected which IP is blocklisted. thank you.

does this sound like a good solution? thank you again for the help.

Edited by cummings
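
The DNS query form described in the first post (reversed octets under bl.spamcop.net, answer 127.0.0.2) and the whitelist-before-blocklist plan in the post above, as an added example that is not from any poster or from 602 Lan Suite. The function names, the reply wording and `fake_resolver` are assumptions made for illustration.

```python
import ipaddress
import socket

DNSBL_ZONE = "bl.spamcop.net"   # zone named in the thread
LISTED_ANSWER = "127.0.0.2"     # A record returned for a listed address

# Ranges taken from the whitelist plan in the thread
WHITELIST = [ipaddress.ip_network(n) for n in (
    "163.192.21.0/24", "163.192.2.0/24", "163.192.4.0/24", "198.187.230.0/24")]


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """1.2.3.4 -> 4.3.2.1.bl.spamcop.net (IPv4 only)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, resolve=socket.gethostbyname):
    """True if the zone answers 127.0.0.2. A failed lookup (NXDOMAIN or a
    resolver error) is treated as not listed, so a DNS outage never rejects mail."""
    try:
        return resolve(dnsbl_query_name(ip)) == LISTED_ANSWER
    except socket.gaierror:
        return False


def smtp_decision(ip, resolve=socket.gethostbyname):
    """Return (accept, reply). The whitelist is consulted before the DNSBL."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in WHITELIST):
        return True, "250 OK (whitelisted)"
    if is_listed(ip, resolve):
        # Name the blocked IP and the list so the sender's admin can act on it.
        return False, ("550 5.7.1 Rejected: %s is listed in %s; "
                       "see http://www.spamcop.net/w3m?action=checkblock&ip=%s"
                       % (ip, DNSBL_ZONE, ip))
    return True, "250 OK"


def fake_resolver(listed):
    """Constructed stand-in for DNS so the example runs offline."""
    names = {dnsbl_query_name(ip) for ip in listed}

    def resolve(name):
        if name in names:
            return LISTED_ANSWER
        raise socket.gaierror("NXDOMAIN (constructed)")
    return resolve
```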

> does this sound like a good solution? thank you again for the help.

Sounds good to me.

> > IIUC a listing "lives" for about two hours unless renewed by new reports of spam.
>
> That's two days, not two hours.

> here is my response from the deputies:
>
> <snip>
>
> 163.192.21.6 was listed on 7/29 for 2 hours. [emphasis by Steve T]
>
> <snip>

...So am I safe in concluding that a listing "lives" for a minimum of about two hours and up to 48 hours?

> ...So am I safe in concluding that a listing "lives" for a minimum of about two hours and up to 48 hours?

Before the accident <g> ... that was one of my fortes .. not necessarily knowing the answer, but knowing where the answer was .... I'm stuck right now in that I "know" it was stated, but .... that old age thing has gotten hold of me and I just can't place it ... will try searching sometime later ...


Perhaps the two hours are some sort of express listing triggered by overwhelming quantities of email? Who knows what strange and wonderful statistics pour out of IronPort's monitored systems? :)


no response from customer. probably doesn't want to spend the time testing for us so we can enable spamcop again =( and the customer is always right.....

i may turn it back on in a little while to see if he gets another rejection notice. if he does, i'll probably just have to leave it off.
