lil_tud

MAIL BLOCKED


Hello

We are subscribing to the “bl.spamcop.net” “block list” to tag our spam, and since Monday the 19th, “bl.spamcop.net” seems to be tagging an extremely high amount of email that isn’t spam.

On average, I'd say 75% of the email that is being tagged is genuine mail, and only about 25% of it is actual spam. This seems to be an overnight increase, as the day before this we were having no problems.

We are using GFI mail essentials

Can anyone help here? I'm sure it will be something simple, but I can't see anything.

Cheers :)


The SpamCop BL is based on the IP address of the sending server.

What are the IP addresses being blocked?

If a lot of your mail comes from one server, and that server happens to get on the list, then you will see a lot of good mail also getting blocked. It is the nature of the beast.

Because of shared servers, it frequently happens that valid mail will be affected because of spam that has managed to make use of the same server.

This is also the point at which white lists play a part, to help filter good mail out of the blocked mail.


The strange thing is that all the messages that seem to be getting tagged are coming from different mail servers.

Is there any way that there could be something else that is causing these messages to be tagged?

I have gone through a large number of the headers of the messages and checked the address of the sending server, and then checked the IP address in the block checker on the SpamCop web page, and none of the addresses come up as listed addresses.

I have tried subscribing to a different "black list" and continue to get the same problem. Does this mean that it could be a problem with our domain name?

apesma.asn.au

Cheers


Without posting specific information, i.e. server IP numbers, header info, the validated reason messages are blocked, and what other filters/blocking lists are in play, we have no way of guessing what is happening.


Here is the header of a message that was quarantined; the reason for quarantine was that the sender was found in bl.spamcop.net.

Is this any help in diagnosing the problem?

Thank you for your help on this, it is much appreciated

Microsoft Mail Internet Headers Version 2.0
Received: from gateway.apesma.asn.au ([172.16.3.1]) by mailex.apesma.asn.au with Microsoft SMTPSVC(5.0.2195.6713);
    Tue, 20 Sep 2005 12:31:15 +1000
Thread-Topic: SA BRANCH - [Quarantined (DNSBL):] Sending mail server found on bl.spamcop.net
Received: from mailout2.pacific.net.au ([127.0.0.1]) by gateway.apesma.asn.au with Microsoft SMTPSVC(6.0.3790.211); Tue, 20 Sep 2005 12:30:17 +1000
Received: from mailproxy1.pacific.net.au (mailproxy1.pacific.net.au [61.8.0.86]) by mailout2.pacific.net.au (8.13.4/8.13.4/Debian-3) with ESMTP id j8K2ScE5029110 for <sradman[at]apesma.asn.au>; Tue, 20 Sep 2005 12:28:38 +1000
Received: from SAOPTIMA1 (b3615.static.pacific.net.au [203.24.135.21]) by mailproxy1.pacific.net.au (8.13.4/8.13.4/Debian-3) with SMTP id j8K2Sau2011764 for <sradman[at]apesma.asn.au>; Tue, 20 Sep 2005 12:28:37 +1000
From: "Chris Heritage" <cheritage[at]apesma.asn.au>
To: "'Suzi Radman'" <sradman[at]apesma.asn.au>
Subject: SA BRANCH - [Quarantined (DNSBL):] Sending mail server found on bl.spamcop.net
Date: Tue, 20 Sep 2005 11:58:44 +0930
Message-ID: <000901c5bd8b$069bba20$0500a8c0[at]SAOPTIMA1>
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_000A_01C5BDDA.A7659620"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.6604 (9.0.2911.0)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.326
Importance: Normal
In-Reply-To: <07ED12D109CFC24CA0FE152C3DF7949102295E19[at]mailex.apesma.asn.au>
X-MS-TNEF-Correlator: 0000000068CED68110B6D81199440000E8DF186EC4BEFF00
Return-Path: <cheritage[at]apesma.asn.au>
X-OriginalArrivalTime: 20 Sep 2005 02:30:17.0954 (UTC) FILETIME=[3D7B9420:01C5BD8B]

------=_NextPart_000_000A_01C5BDDA.A7659620
Content-Type: text/plain;
    charset="us-ascii"
Content-Transfer-Encoding: 7bit

------=_NextPart_000_000A_01C5BDDA.A7659620
Content-Type: application/ms-tnef;
    name="winmail.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
    filename="winmail.dat"

------=_NextPart_000_000A_01C5BDDA.A7659620--


At the time of this post, none of the IPs showing in that sample are listed in the SpamCopDNSBL.


Is there any other way that this message could have been blocked by spamcop.net other than those IPs being listed at the time of the message?


Looks like your primary mail service is a little vulnerable - "You only have 1 MX record" - according to http://www.dnsreport.com/tools/dnsreport.c...n=apesma.asn.au

"Your domain does not have an SPF record." (same source) which could cause problems with some addressees

... but I wouldn't see either causing the trouble reported. Just eliminating possibilities ...

> Is there any other way that this message could have been blocked by spamcop.net other than those IPs being listed at the time of the message?
> (post 32983)

Semantics, actions, and realities .... SpamCop blocks nothing. You've admitted to using the SpamCopDNSBL in a Tagging mode, which is great. However, if one goes with that none of the IPs involved was actually listed, then the next suspect would be the implementation of the decision process in the filtering/tagging mode on that server. (Suggestion being that there is something else going on, but the SpamCop 'tag' is incorrectly being pulled/inserted as "the" reason.) Any way to expand the "error" message so it includes the IP involved in making that decision point? From this side of the screen, there's really no way to guess at what's tripping the flags at this point.


...Didn't someone else once have the problem that they had cached an old version of the SpamCop DNSBL and hadn't gotten a recent enough copy of the BL? Perhaps that's what is happening in this case.... Just grasping at straws, here.


There isn't really a way to expand the error message so that it would specify a particular address that could be causing the problem, or anything along those lines. It's a quite simple process for adding a block list to subscribe to: it's basically just a matter of ticking a tick box to check whether the sending mail server is on a DNS black list, and then choosing which DNSBL server list to look at. Once this is chosen you can choose what to do with the message after it has been stamped as spam (delete it, forward it, tag it, etc.), and I've just chosen to tag the message. There aren't really any other options to describe why the message was tagged as spam.

I thought maybe there could be the possibility that I could have an old copy of the BL or something like that, so I've tried using different BLs, like sbl.spamhaus.net, and I've had exactly the same problem. So now I'm even more confused; I'm starting to think that maybe the GFI software may need to be reinstalled, because it seems to be malfunctioning in some way from what I can see.


...A couple more wild thoughts. You might want to:

  • Read the GFI Mail Essentials documentation for using DNSBLs (http://support.gfi.com/manuals/en/me11/me11manual-1-21.html), which says:
    "The IP addresses are kept in the database for 4 days, or until the Simple Mail Transport Protocol service is restarted."
    Perhaps the process that is intended to delete the old IP addresses is not working.
  • Check if it is a problem with the GFI Mail Essentials BL database:
    • go through all the DNSBLs and SURBLs (and any other types of block lists available with Mail Essentials) and make sure they're all off
    • see if e-mail is still being tagged as spam
      • if so, try to purge the block list database
      • if not, turn on one DNSBL and see if you still have the problem
        • if so, turn that one off and try another
          • if still a problem, try to purge the block list database
          • if not, turn that one off and try another; continue this step until you have the problem; that's the BL that's causing the problem
        • if not, turn that one off and try another, etc.


I think you're definitely on to something there. I unsubscribed from SpamCop, then restarted my SMTP service, then re-added SpamCop, and this seems to have made a huge difference in the amount of messages being tagged as spam.

There are still a couple of funny things there, such as one message that said it was tagged as being listed on Spamhaus, yet I'm not subscribed to that server, but I'm definitely thinking that this area is the source of the problem.

Thank you


I think maybe I have spoken too soon.

In the first hour it only caught one or two emails that were genuine, but in the second hour it caught 7 emails that were spam, and 31 that were genuine mail.

> I think maybe I have spoken too soon.
>
> In the first hour it only caught one or two emails that were genuine, but in the second hour it caught 7 emails that were spam, and 31 that were genuine mail.
> (post 33029)

I think you need to contact "GFI mail essentials" for help with this problem.

You can manually check any IP address either via a DNS lookup (How can I check if an IP is on the list?) or via the web page (has some latency) at http://www.spamcop.net/bl.shtml

Many systems check only the connecting IP address (possibly your immediate ISP if they are collecting your mail for you). If that is the case, and it also has some "memory" of where spam is coming from, it could be that common IP that is becoming marked as spammy by that software, then marking everything coming via that path (everything) as spam.

> There are still a couple of funny things there, such as one message that said it was tagged as being listed on Spamhaus, yet I'm not subscribed to that server, but I'm definitely thinking that this area is the source of the problem.
>
> Thank you
> (post 33025)

I understand you are not using the Spamhaus BL, but are you also saying that the mail that was blocked by the Spamhaus BL wasn't spam?

> I understand you are not using the Spamhaus BL, but are you also saying that the mail that was blocked by the Spamhaus BL wasn't spam?
> (post 33032)

Yes, that's right, the messages picked up weren't spam.

Another question: I understand that when the message is scanned, it scans all of the IPs of all of the servers that the message has passed through on its travels. Is this correct? I am pretty sure this is what GFI does.

And if so, how do I find out what all of those IPs are? Because if I look at the header information of the message then I will only get one IP to check to see if it is blacklisted. Is there any way to see more information about the message? Because it is my understanding that the software scans more of the message than I can see.

Does this sound familiar to anyone?

Thanks

> <snip>
>
> Another question: I understand that when the message is scanned, it scans all of the IPs of all of the servers that the message has passed through on its travels. Is this correct? I am pretty sure this is what GFI does.
>
> And if so, how do I find out what all of those IPs are? Because if I look at the header information of the message then I will only get one IP to check to see if it is blacklisted. Is there any way to see more information about the message? Because it is my understanding that the software scans more of the message than I can see.
>
> <snip>
> (post 33057)

...Not certain what you are asking but it sounds like whatever process you are using is not showing you the full internet headers of the spam because all e-mail I receive from outside my provider's network has multiple "received" lines. Might SpamCop FAQ: How do I get my email program to reveal the full, unmodified email? help you find the answer to your question?

> And if so, how do I find out what all of those IPs are? Because if I look at the header information of the message then I will only get one IP to check to see if it is blacklisted. Is there any way to see more information about the message? Because it is my understanding that the software scans more of the message than I can see.
> (post 33057)

The headers you posted earlier had all the IP addresses there. The first 2 are internal non-routable IP addresses, however.
  Received: from gateway.apesma.asn.au ([172.16.3.1]) by mailex.apesma.asn.au with Microsoft SMTPSVC(5.0.2195.6713); Tue, 20 Sep 2005 12:31:15 +1000

  Received: from mailout2.pacific.net.au ([127.0.0.1]) by gateway.apesma.asn.au with Microsoft SMTPSVC(6.0.3790.211); Tue, 20 Sep 2005 12:30:17 +1000

  Received: from mailproxy1.pacific.net.au (mailproxy1.pacific.net.au [61.8.0.86]) by mailout2.pacific.net.au (8.13.4/8.13.4/Debian-3) with ESMTP id j8K2ScE5029110 for <x>; Tue, 20 Sep 2005 12:28:38 +1000

  Received: from SAOPTIMA1 (b3615.static.pacific.net.au [203.24.135.21]) by mailproxy1.pacific.net.au (8.13.4/8.13.4/Debian-3) with SMTP id j8K2Sau2011764 for <x>; Tue, 20 Sep 2005 12:28:37 +1000


So there could not possibly be any other servers / IPs that could be involved / being scanned that aren't mentioned here in the header?

Sorry, but I'm just trying to eliminate any other possibilities.


Not necessarily the case. The issue is just what does GFI do and how does it do it?

Since this is a SpamCop forum, you may be hard pressed to find much support here unless there happens to be some GFI experts in the group.

GFI could be taking domain names and converting them to IP addresses and then applying those addresses against the list. Note, this is just a guess on my part since I know nothing of GFI. Just trying to make the point that there are other ways that IP addresses can be exposed and filtered depending on the software that is in use and how it happens to be programmed.

More importantly, you need to be using some form of whitelisting or you will continue to have problems using the SpamCop list, as it does tag a significant amount of valid mail simply due to the fact of shared mail servers. Remember, it does not take a very large percentage of spam to get a server listed by SpamCop, so it could easily happen that a server is sending out 90% valid mail and 10% spam and be listed long term by SpamCop, resulting in a 90% false positive rate when looking at that one server only.

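The two replies above describe, in words, what a DNSBL-tagging filter has to do with a message: take the IP of each relay from the Received: lines (all four are in the posted header; the first two are internal addresses), check each against the list by DNS, and let a whitelist of known-good relays override a hit. The following script is an added illustration of that process written for this thread; it is not GFI's code, and it makes no claim about how GFI actually scans a message. The Received: lines are the constructed sample taken from the header posted earlier, and the listing table used for the offline demonstration is made up (61.8.0.86 is marked listed only to show what a hit looks like; the thread reports it was not listed).

```python
"""Walk a message's Received: headers the way a DNSBL-tagging filter does:
pull out each relay's IP, skip hops that cannot be on a public list
(private/loopback ranges) and hops on a local whitelist, and query the rest
against a DNSBL zone by reversing the octets and looking up
<reversed-ip>.<zone> as an A record."""
import ipaddress
import re
import socket

# Constructed sample: the four Received: lines from the header posted in this
# thread, with the recipient addresses replaced by <x> as in the later quote.
SAMPLE_HEADERS = """\
Received: from gateway.apesma.asn.au ([172.16.3.1]) by mailex.apesma.asn.au with Microsoft SMTPSVC(5.0.2195.6713); Tue, 20 Sep 2005 12:31:15 +1000
Received: from mailout2.pacific.net.au ([127.0.0.1]) by gateway.apesma.asn.au with Microsoft SMTPSVC(6.0.3790.211); Tue, 20 Sep 2005 12:30:17 +1000
Received: from mailproxy1.pacific.net.au (mailproxy1.pacific.net.au [61.8.0.86]) by mailout2.pacific.net.au (8.13.4/8.13.4/Debian-3) with ESMTP id j8K2ScE5029110 for <x>; Tue, 20 Sep 2005 12:28:38 +1000
Received: from SAOPTIMA1 (b3615.static.pacific.net.au [203.24.135.21]) by mailproxy1.pacific.net.au (8.13.4/8.13.4/Debian-3) with SMTP id j8K2Sau2011764 for <x>; Tue, 20 Sep 2005 12:28:37 +1000
"""

# Constructed DNSBL answers for the offline demo. 61.8.0.86 is marked listed
# here purely to show what a hit looks like; the thread reports it was NOT listed.
FAKE_LISTING = {"86.0.8.61.bl.spamcop.net": "127.0.0.2"}

# The IP the receiving MTA actually saw is the one it wrote in square brackets.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_ips(headers):
    """Bracketed IPv4 of every Received: line, newest hop first (header order)."""
    ips = []
    for line in headers.splitlines():
        if line.lower().startswith("received:"):
            m = IPV4_IN_BRACKETS.search(line)
            if m:
                ips.append(m.group(1))
    return ips


def dnsbl_query_name(ip, zone):
    """DNSBL lookup convention: octets reversed, list zone appended."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_checkable(ip):
    """Private, loopback and link-local hops are internal; a public list never
    carries them, so a filter should neither query nor trust answers for them."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def dns_resolver(name):
    """Live lookup: an A record (conventionally 127.0.0.x) means 'listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_message(headers, zone, whitelist=(), resolver=dns_resolver):
    """Map every relay IP in the headers to a verdict string."""
    verdicts = {}
    for ip in received_ips(headers):
        if not is_checkable(ip):
            verdicts[ip] = "skipped: internal address"
        elif ip in whitelist:
            verdicts[ip] = "skipped: whitelisted relay"
        else:
            answer = resolver(dnsbl_query_name(ip, zone))
            verdicts[ip] = f"listed ({answer})" if answer else "not listed"
    return verdicts


def listed_hops(verdicts):
    """The IPs that would actually trigger a tag."""
    return [ip for ip, v in verdicts.items() if v.startswith("listed")]


if __name__ == "__main__":
    # Offline run against the constructed table, with the ISP relay 61.8.0.86
    # whitelisted: the (constructed) hit is suppressed and nothing gets tagged.
    result = check_message(SAMPLE_HEADERS, "bl.spamcop.net",
                           whitelist={"61.8.0.86"}, resolver=FAKE_LISTING.get)
    for ip, verdict in result.items():
        print(f"{ip:>15}  {verdict}")
    print("would tag:", listed_hops(result) or "nothing")
```

Run as-is it uses the constructed table; pass no resolver argument to query the real zone over DNS. The split between received_ips and check_message is the point the replies are making: the verdict depends on which hops the filter chooses to check and on what it whitelists, and a shared ISP relay such as the one at 61.8.0.86 is exactly the kind of hop a whitelist exists for.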

Well, I can definitely see why you are getting a high percentage of false positives.

There is something we all should have noticed earlier: the header that you posted in Post #5 was generated from your domain and sent to your domain. It was an internal message sent through pacific.net.au. What is the relationship between apesma.asn.au and pacific.net.au? There is something very wrong with your set up if you are tagging your own mail servers/users.

Could it possibly be that you have somehow black listed your own servers?

> There is something we all should have noticed earlier: the header that you posted in Post #5 was generated from your domain and sent to your domain.

I wouldn't say that <g>. I thought it was a bit hard to ignore that the poster had no problem with posting full details (full name attached to e-mail addresses) ... I also ignored the fact that the e-mail was composed in Outlook, thus sidestepping the possible issue of an Exchange server in the mix. That the Subject line had comments entered was one thing, but trying to guess at who or what added the Thread-Topic: line was something else I didn't bring up.

> It was an internal message sent through pacific.net.au. What is the relationship between apesma.asn.au and pacific.net.au? There is something very wrong with your set up if you are tagging your own mail servers/users.
>
> Could it possibly be that you have somehow black listed your own servers?
> (post 33065)

As I recollect (and just re-verified) ... http://www.senderbase.org/?searchBy=ipaddr...g=203.24.135.21 seems to indicate no or next to no traffic ..... whereas http://www.senderbase.org/search?searchString=61.8.0.86 is still showing a 'large' reduction in traffic, tossing up that this IP may have been listed back when all this started ... but it wasn't when I checked then and it isn't now ...

So, I'm still leaning on the appearance that this does not appear to be a SpamCop or SpamCop DNSBL issue. That other BLs have been brought into the picture and also called false positives kind of pushes things even further off stage .... so far behind on so many other things, not sure I want to suggest that I'll go look at this other app ....

Dang! Wouldn't you know it? Being a bit lulled by all the Debian3 comments in those headers, imagine the shock when reading the first text bit on the Google search screen .... GFI MailEssentials for Exchange/SMTP ... Dang!
