spamcop@caltrans.ca.gov
Posted November 28, 2005

I would like to research why one of Caltrans IP addresses is being reported as the source of spam. The only information I have is what was forwarded to me via a different Department, and the SpamCop reports. There are no details here for me to take action...

The only information I have is:

1425957615[at]reports.spamcop.net
[spamCop (198.31.97.68) id:1568561770]**Message you sent blocked by our bulk email filte..

I don't understand why this is reported to the admins in the second level domain (ca.gov) and not to my abuse contacts registered to dot.ca.gov.

From: SpamCop <summaries[at]admin.spamcop.net>
IPs reported in past hour: 198.31.97.68

[ SpamCop V1.507 Summary Report ]
-- See footer for key to columns and notes about this report --

IP_Address    Start/Length  Trap  User  Mole  Simp  Comments  RDNS
198.31.97.68  new/0         0     0     0     0               snaspam01.dot.ca.gov

-- Key to Columns --
IP Address: The numeric address.
Start: The first date (within the past week) that spam was reported to have originated from the IP address.
Length: The duration of the incident in # of days
Trap: Messages received at traps.
User: Messages reported by registered users.
Mole: Messages reported by registered users who prefer to remain anonymous.
Simp: Simple reports - messages submitted by unregistered users.
Comments: Notes reflect blocking-list status and issue-resolved status.
RDNS: Reverse dns name of ip address (must pass forward and reverse)

-- Summary Report Notes --
o All times are GMT, exact time of incident withheld.
o Time of this report is: Mon Nov 28 18:39:40 2005
o To close an issue, or get more details, log into your account: http://www.spamcop.net/
o Issues are sorted with the newest reports first. Resolving new issues first heads off additional spam from in-progress sources.
o This email is intended to be viewed with a fixed-width font.
o This email was requested in your SpamCop preferences page - where it may be disabled.
o This report is sent periodically, but only if there have been changes.

----------------------------------
The opinions expressed here are my own and do not necessarily represent those of the California Department of Transportation

EDIT: spam changed from all caps to lower case to comply with trademark restrictions.

turetzsr
Posted November 28, 2005

> spamcop@caltrans.ca.gov, Nov 28 2005, 02:46 PM:
> I would like to research why one of Caltrans IP addresses is being reported as the source of spam.
> EDIT: spam changed from all caps to lower case to comply with trademark restrictions.

...As a "free" report-only member, I do not have the rights to look up this information. However, there seem to be a number of entries in news.admin.net-abuse.sightings for dot.ca.gov, so you may want to search there.

> spamcop@caltrans.ca.gov, Nov 28 2005, 02:46 PM:
> <snip> I don't understand why this is reported to the admins in the second level domain (ca.gov) and not to my abuse contacts registered to dot.ca.gov.

...SpamCop determines where to send reports, in part, from the listings at abuse.net.

Look up an address in the abuse.net contact database
abuse[at]ca.gov (for ca.gov)
postmaster[at]ca.gov (for ca.gov)
<snip>

It appears to me from what I can see in SpamCop that this is where spam reports for this IP address (198.31.97.68, aka snaspam01.dot.ca.gov) will be sent. The abuse.net home page (http://www.abuse.net/index.phtml) has a link labeled "How do I submit contact information for a domain?" which takes you to a page that describes how to update the abuse contact information for a host.

...Good luck!

Wazoo
Posted November 28, 2005

http://www.spamcop.net/w3m?action=checkblock&ip=198.31.97.68
198.31.97.68 not listed in bl.spamcop.net

http://www.spamcop.net/sc?track=198.31.97.68
Parsing input: 198.31.97.68
host 198.31.97.68 = snaspam01.dot.ca.gov (cached)
Routing details for 198.31.97.68
[refresh/show] Cached whois for 198.31.97.68 : abuse-arin[at]caltrans.ca.gov
Using abuse net on abuse-arin[at]caltrans.ca.gov
abuse net caltrans.ca.gov = postmaster[at]ca.gov, abuse[at]ca.gov
Using best contacts postmaster[at]ca.gov abuse[at]ca.gov

Routing Details button hit;
Reports routes for 198.31.97.68:
routeid:16774100 198.31.97.0 - 198.31.97.255 to:abuse-arin[at]caltrans.ca.gov
Administrator found from whois records

Refresh button hit;
Removing old cache entries.
Tracking details
Display data:
"whois 198.31.97.68[at]whois.arin.net" (Getting contact from whois.arin.net )
checking NET-198-31-97-0-1
Display data:
"whois NET-198-31-97-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse-arin[at]caltrans.ca.gov
198.31.97.0 - 198.31.97.255:abuse-arin[at]caltrans.ca.gov
checking NET-198-31-0-0-1
Display data:
"whois NET-198-31-0-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse[at]level3.com
198.31.0.0 - 198.31.255.255:abuse[at]level3.com
Routing details for 198.31.97.68
Using smaller IP block (/ 24 vs. / 16 )
Removing 1 larger (> / 24 ) route(s) from cache
Using abuse net on abuse-arin[at]caltrans.ca.gov
abuse net caltrans.ca.gov = postmaster[at]ca.gov, abuse[at]ca.gov
Using best contacts postmaster[at]ca.gov abuse[at]ca.gov

11/28/05 14:19:34 IP block 198.31.97.68
Trying 198.31.97.68 at ARIN
Trying 198.31.97 at ARIN
Level 3 Communications, Inc. LVLT-ORG-198-31 (NET-198-31-0-0-1)
    198.31.0.0 - 198.31.255.255
Dept. of Transportation - Caltrans CALTRANS-97-20 (NET-198-31-97-0-1)
    198.31.97.0 - 198.31.97.255

11/28/05 14:20:05 whois !NET-198-31-97-0-1[at]whois.arin.net
whois -h whois.arin.net !net-198-31-97-0-1 ...
OrgName: Dept. of Transportation - Caltrans
OrgID: DTC-27
Address: 247 W. Third St
City: San Bernadino
StateProv: CA
PostalCode: 92403
Country: US
NetRange: 198.31.97.0 - 198.31.97.255
CIDR: 198.31.97.0/24
NetName: CALTRANS-97-20
NetHandle: NET-198-31-97-0-1
Parent: NET-198-31-0-0-1
NetType: Reassigned
Comment:
RegDate: 2000-12-21
Updated: 2000-12-21
RTechHandle: NH151-ARIN
RTechName: Henderson, Neil
RTechPhone: +1-916-654-4083
RTechEmail: neil[at]caltrans.ca.gov
OrgAbuseHandle: ABUSE672-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-916-654-4216
OrgAbuseEmail: abuse-arin[at]caltrans.ca.gov
OrgNOCHandle: NOC1627-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-916-654-4216
OrgNOCEmail: noc-arin[at]caltrans.ca.gov
OrgTechHandle: NOC1627-ARIN
OrgTechName: Network Operations Center
OrgTechPhone: +1-916-654-4216
OrgTechEmail: noc-arin[at]caltrans.ca.gov

Sorry, but I don't see "abuse contacts registered to dot.ca.gov" anywhere in this data.

Jeff G.
Posted November 28, 2005

Report History shows:

Submitted: Monday 2005/11/28 10:57:23 -0500:
**Message you sent blocked by our bulk email filter**
1568561770 ( 198.31.97.68 ) To: abuse[at]ca.gov
1568561765 ( 198.31.97.68 ) To: postmaster[at]ca.gov
--------------------------------------------------------------------------------
Submitted: Thursday 2005/11/17 02:04:36 -0500:
**Message you sent blocked by our bulk email filter**
1558276683 ( 198.31.97.68 ) To: postmaster[at]ca.gov
1558276682 ( 198.31.97.68 ) To: abuse[at]ca.gov
--------------------------------------------------------------------------------
Submitted: Thursday 2005/11/17 02:03:38 -0500:
**Message you sent blocked by our bulk email filter**
1558273540 ( 198.31.97.68 ) To: postmaster[at]ca.gov
1558273539 ( 198.31.97.68 ) To: abuse[at]ca.gov

Please stop sending misdirected bounces entitled "**Message you sent blocked by our bulk email filter**", which should be avoided by using 500-series errors during the SMTP transaction. Such misdirected bounces are now considered abusive and reportable by SpamCop per the "Messages which may be reported" section of "On what type of email should I (not) use SpamCop?" and the "Misdirected bounces" section of "Why are auto-responders (and delayed bounces) bad?".

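The difference between a 500-series rejection during the SMTP transaction and a bounce sent afterwards, as an added Python sketch that is not part of the original post or of any mail server's code. It feeds one scripted session to a toy receiver under both policies; the hostnames, addresses, the `is_bulk` filter and the `receive` function are all constructed for illustration, and dot-stuffing and other protocol details are left out.

```python
BOUNCE_SUBJECT = "**Message you sent blocked by our bulk email filter**"


def is_bulk(body):
    """Hypothetical stand-in for the site's bulk-mail filter."""
    return "buy now" in body.lower()


def receive(dialog, policy):
    """Run scripted client lines through a toy SMTP receiver.

    policy "reject": refuse filtered mail with a 5xx reply at end of DATA.
    policy "bounce": accept it, then mail a notice to the envelope sender.
    Returns (replies, outbound); outbound lists the messages this server
    would itself send after the session.
    """
    replies, outbound = ["220 mx.example.test ESMTP"], []
    sender, rcpts, data, in_data = None, [], [], False
    for line in dialog:
        if in_data:
            if line != ".":
                data.append(line)
                continue
            in_data = False
            if not is_bulk("\n".join(data)):
                replies.append("250 2.0.0 Queued")
            elif policy == "reject":
                # The connecting host learns of the refusal in-session;
                # this server generates no mail of its own.
                replies.append("550 5.7.1 Blocked by bulk email filter")
            else:
                replies.append("250 2.0.0 Queued")
                if sender:  # never answer a null sender (<>)
                    outbound.append({"from": "<>", "to": sender,
                                     "subject": BOUNCE_SUBJECT})
            sender, rcpts, data = None, [], []
            continue
        verb = line.upper()
        if verb.startswith(("HELO ", "EHLO ")):
            replies.append("250 mx.example.test")
        elif verb.startswith("MAIL FROM:"):
            sender = line[len("MAIL FROM:"):].strip().strip("<>")
            replies.append("250 2.1.0 OK")
        elif verb.startswith("RCPT TO:"):
            rcpts.append(line[len("RCPT TO:"):].strip().strip("<>"))
            replies.append("250 2.1.5 OK")
        elif verb == "DATA":
            if sender is None or not rcpts:
                replies.append("503 5.5.1 Need MAIL and RCPT first")
            else:
                in_data = True
                replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
        else:
            replies.append("500 5.5.2 Command not recognized")
    return replies, outbound


# Constructed session: the envelope sender is forged, so it names a bystander.
FORGED_SPAM = [
    "EHLO relay.example.net",
    "MAIL FROM:<victim@bystander.example>",
    "RCPT TO:<user@mx.example.test>",
    "DATA",
    "Subject: special offer",
    "",
    "Buy now!",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for policy in ("bounce", "reject"):
        replies, outbound = receive(FORGED_SPAM, policy)
        print(policy, "->", replies[5], "| outbound:", outbound)
```

Under the bounce policy the only party that receives anything is the forged envelope sender, which is what makes the bounce misdirected.
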
spamcop@caltrans.ca.gov (Author)
Posted November 28, 2005

> Sorry, but I don't see "abuse contacts registered to dot.ca.gov" anywhere in this data.

Wazoo,

Thank you for responding. snaspam01.dot.ca.gov has IP address 198.31.97.68. You were able to find the abuse contact information using arin. Why can't spamcop do the same?

turetzsr
Posted November 28, 2005

> spamcop@caltrans.ca.gov, Nov 28 2005, 05:16 PM:
> <snip> You were able to find the abuse contact information using arin. Why can't spamcop do the same?

...That's potentially an interesting question but one you are not likely to get an answer to here. The person who makes that decision doesn't participate in this Forum.

...Please see my reply, above, for what I think is a more relevant answer to your original point, "I don't understand why this is reported to the admins in the second level domain (ca.gov) and not to my abuse contacts registered to dot.ca.gov." Thanks.

...Good luck!

Wazoo
Posted November 28, 2005

Apologies in advance, but you ask this question at a time where there are some attitudes being exposed, some bad thoughts and words being exchanged, and you've managed to bring a couple of sore points together ... the best I can do is offer a bit of an e-mail exchange on trying to get your answer available ....

From: "Wazoo"
To: "Deputies"
Subject: Re: FAQ data - commented out, but ...???
Date: Wed, 26 Oct 2005 15:29:14 -0500

Well, amazingly enough, yet another repeat of the FAQ that I was asking about
http://forum.spamcop.net/forums/index.php?showtopic=5227
Lots of other issues going on with that request, though if going with the timeline and the "recent" move, it looks like Interland screwed this guy .. but .... this is exactly the Question that I wanted the "commented out" section update and brought back out into the light ... not for "asking for copies of reports" but to explain the decision process in why reports go where they go (in some cases)

----- Original Message -----
From: "Deputies"
To: "Wazoo"
Sent: Sunday, October 23, 2005 10:37 PM
Subject: Re: FAQ data - commented out, but ...???

> Faq 94 deals with people asking for reports. At one time the only
> reports that were available were full reports and anyone could ask for them.
>
> Because of problems, we removed the ability of people to add themselves
> to receive reports. They had to write us and we would add them if we
> approved.
>
> When summary reports were added to the system, we made the decision to
> take out the information about getting full reports. However, as you'll
> find in many faqs, in case it didn't work out and we reverted, the
> original text is left in but commented out so it doesn't display.
>
> Faq 94 says what it should say. It doesn't and isn't meant to deal with
> parsing problems. The instructions are accurate for getting summary
> reports.
>
> Please include all previous correspondence with replies
> -------
>
> Wazoo wrote:
> > http://www.spamcop.net/fom-serve/cache/94.html
> > The decision process behind some report complaint
> > target addresses has come up a number of times in
> > both the Newsgroups and the Forum. I would have
> > sworn that this was explained in the FAQ, but haven't
> > been able to find it in the past. However, while
> > converting yet another entry for the KnowledgeBase,
> > I finally "found" what I recall ... the text has been
> > commented out, but .... (from some parse results, I'm
> > not sure it's totally accurate as stated??) .... to answer
> > the queries (and as an additional bit of input for abuse
> > and administrators, could this section of data be updated
> > and provided as a 'new' FAQ entry?
> >
> > Plain text;
> >
> > note on Addresses:
> > As part of the investigation to approve the routing of reports, we must be
> > able to tie the address back to the netblock and domain in some fashion.
> > Role account addresses are preferred, but not absolutely necessary. We will
> > not send reports to addresses hosted on free mail service providers (i.e.
> > Hotmail, Yahoo, Mail.com).
> > The instructions for getting reports from SpamCop are divided into two
> > sections - one for large and one for smaller networks.
> >
> > Network operators
> > SpamCop now bases its routing of reports mainly on "whois records" -
> > contacts registered for your network with the main (and some smaller)
> > network registries (ripe, arin, apnic, etc..). Please make sure these
> > records are up to date for your network. Normally, when SpamCop encounters a
> > NOC role account such as "hostmaster[at] or noc[at]" in the whois records, it will
> > check with abuse.net for a valid abuse contact instead of sending reports to
> > your NOC role account. If the email address on file for your network is not
> > in a recognized NOC-ish form (jsmith[at] or similar), it may be necessary to
> > manually alias to your abuse.net domain record.
> > If you encounter a need for this type of manual intervention, or you need
> > any other assistance, please email <a
> > href="mailto:dep_route[at]admin.spamcop.net">dep_route[at]admin.spamcop.net</a>.
> > Include a list of your IP address ranges and the email address which should
> > receive reports regarding them.
> >
> > Abuse.net
> > All abuse desks should register an email address for the domains they manage
> > with abuse.net. SpamCop will use this information to try to route reports
> > correctly. We provide a <a href="/fom-serve/cache/343.html">handy form</a>
> > for registering your abuse[at] email address.
> >
> > HTML coded (ease in pasting in elsewhere);
> > <!--
> > <snipped>
> > <p><b>A note on Addresses:</b>
> > <p>As part of the investigation to approve the routing of reports, we must
> > be able to tie the address back to the netblock and domain in some fashion.
> > Role account addresses are preferred, but not absolutely necessary. We will
> > not send reports to addresses hosted on free mail service providers (i.e.
> > Hotmail, Yahoo, Mail.com).
> > <p>The instructions for getting reports from SpamCop are divided into two
> > sections - one for large and one for smaller networks.
> > <p><strong>Network operators</strong>
> > <p>SpamCop now bases its routing of reports mainly on "whois records" -
> > contacts registered for your network with the main (and some smaller)
> > network registries (ripe, arin, apnic, etc..). Please make sure these
> > records are up to date for your network. Normally, when SpamCop encounters a
> > NOC role account such as "hostmaster[at] or noc[at]" in the whois records, it will
> > check with abuse.net for a valid abuse contact instead of sending reports to
> > your NOC role account. If the email address on file for your network is not
> > in a recognized NOC-ish form (jsmith[at] or similar), it may be necessary to
> > manually alias to your abuse.net domain record.
> > <p>If you encounter a need for this type of manual intervention, or you need
> > any other assistance, please email <a href="mailto:dep_route[at]admin.spamcop.net">dep_route[at]admin.spamcop.net</a>.
> > Include a list of your IP address ranges and the email address which should
> > receive reports regarding them.
> > <p><strong>Abuse.net</strong>
> > <p>All abuse desks should register an email address for the domains they
> > manage with abuse.net. SpamCop will use this information to try to route
> > reports correctly. We provide a <a href="/fom-serve/cache/343.html">handy
> > form</a> for registering your abuse[at] email address.

That you ask the Frequently Asked Question once again, and the blown-off response from the "Official" side of the house in my attempts at fixing the "Official" FAQ and populate the (now defined as Un-Official FAQs here) is something I can't help you with. I tried, I failed, someone else's turn perhaps?

deputies[at]admin.spamcop.net and/or service[at]admin.spamcop.net .. and don't forget to mention how rude I was ....

turetzsr
Posted November 28, 2005

> Apologies in advance, but you ask this question at a time where there are some attitudes being exposed, some bad thoughts and words being exchanged, and you've managed to bring a couple of sore points together ... the best I can do is offer a bit of an e-mail exchange on trying to get your answer available ....
> <snip>
> That you ask the Frequently Asked Question once again, and the blown-off response from the "Official" side of the house in my attempts at fixing the "Official" FAQ and populate the (now defined as Un-Official FAQs here) is something I can't help you with. I tried, I failed, someone else's turn perhaps?
> <snip>

...Do I understand correctly that all this means that the algorithm SpamCop uses to determine the e-mail addresses to which reports will be sent is not well understood by us volunteers and that sometimes these questions will have to be raised directly with the SpamCop administrators? If so, Wazoo, take a few deep, cleansing breaths and repeat along with me: "SpamCop is the best tool of its type." "SpamCop is the best tool of its type." "SpamCop is the ...." <big g>

Jeff G.
Posted November 28, 2005

If you were to email update[at]abuse.net from abuse[at]dot.ca.gov or abuse[at]caltrans.ca.gov (with copies to postmaster[at]ca.gov and abuse[at]ca.gov) requesting that reports for caltrans.ca.gov go to abuse[at]dot.ca.gov or abuse[at]caltrans.ca.gov, and your request were accepted, and then someone refreshed SpamCop's route for 198.31.97.68, then the appropriate address should start getting SpamCop reports.

Until then, SpamCop will continue to take abuse.net's word that there are no abuse.net records for caltrans.ca.gov, and that SpamCop and other network abuse reporters worldwide should keep emailing postmaster[at]ca.gov and abuse[at]ca.gov about their abuse issues with caltrans.ca.gov.

Getting an abuse[at]dot.ca.gov or abuse[at]caltrans.ca.gov address into the ARIN records for NET-198-31-97-0-1 (198.31.97.0/24) by way of OrgAbuseEmail in OrgAbuseHandle ABUSE672-ARIN (as opposed to the current unusual address abuse-arin[at]caltrans.ca.gov) should also help long-term, but could take much longer due to California politics.

Wazoo
Posted November 28, 2005

> ...Do I understand correctly that all this means that the algorithm SpamCop uses to determine the e-mail addresses to which reports will be sent is not well understood by us volunteers and that sometimes these questions will have to be raised directly with the SpamCop administrators?

It's more that code and policy have evolved/changed over the years, and as I pointed out, the last "description" of how an address is selected has been made "invisible" by someone recoding the "Official" FAQ .... nothing was offered in its place, there is no existing entry to explain the "current" selection process, and the parsing results do seem to be different at times ....

spamcop@caltrans.ca.gov (Author)
Posted November 28, 2005

> ...As a "free" report-only member, I do not have the rights to look up this information. However, there seem to be a number of entries in news.admin.net-abuse.sightings for dot.ca.gov, so you may want to search there

Only 6 entries and most were dot.ca.gov spam recipients. Anyway, looks like Jeff G. was able to get some more information, but it still doesn't tell me anything about the source of the reported e-mail. Only the time of the report.

> ..SpamCop determines where to send reports, in part, from the listings at abuse.net

Seems to me spamcop should look up the abuse contacts for "dot.ca.gov", not for "ca.gov". By default, this is postmaster[at]dot.ca.gov

I guess there is no way for me to get the original report information.

------
The opinions expressed here are my own and do not necessarily represent those of the California Department of Transportation

Miss Betsy
Posted November 28, 2005

> spamcop@caltrans.ca.gov, Nov 28 2005, 06:33 PM:
> Only 6 entries and most were dot.ca.gov spam recipients. Anyway, looks like Jeff G. was able to get some more information, but it still doesn't tell me anything about the source of the reported e-mail. Only the time of the report.
> Seems to me spamcop should look up the abuse contacts for "dot.ca.gov", not for "ca.gov". By default, this is postmaster[at]dot.ca.gov
> I guess there is no way for me to get the original report information.

If you write to the 'official' spamcop administration (and I think the addresses have already been posted), they will tell you what you need to know. AIU they will tell you whether it is bounces or spam or a compromised machine. You can also discuss with them about why the parser chooses what it chooses. Probably what will happen will be that they will manually have reports go to you or if the reason they don't go to you is because somebody at ca.gov doesn't want them to go to you, they will tell you.

Miss Betsy

Jeff G.
Posted November 28, 2005

> spamcop@caltrans.ca.gov, Nov 28 2005, 06:33 PM:
> I guess there is no way for me to get the original report information.

postmaster[at]ca.gov and abuse[at]ca.gov should have copies of the Reports. If you ask very nicely and point to this Topic, 1568561770[at]reports.spamcop.net, 1558276682[at]reports.spamcop.net, and 1558273539[at]reports.spamcop.net (the original Reporters) should be able to give you the Tracking URLs for their Reports, which should reveal almost all of the original messages (munged). You shouldn't need the unmunged info due to the nature of your mailserver's current misdeeds. However, in other cases (such as needing to beat a customer about the head asking for promised proof of subscription confirmation), if both you and the Reporters are especially nice, they may even tell you what addresses were munged and/or send you the original messages (unmunged). Beware that unmunged addresses can sometimes be gotten from certain Reporters only by prying from their cold dead hands (despite all attempts at groveling).

P.S. Miss Betsy's post immediately above (http://forum.spamcop.net/forums/index.php?...indpost&p=36849) is also correct, but let me add that the best address for such a request is deputies[at]spamcop.net.

Wazoo
Posted November 28, 2005

Your contacts at ca.gov should have the reports ... but you started this with that they had sent you the reports ...????

Not sure if you're aware of this, but ... your posting IP address would have the same "reporting" issue, although an entirely different organization would be receiving those reports.

Parsing input: 64.174.7.191
host 64.174.7.191 (getting name) = pat.fwhq2nat.dot.ca.gov.
Routing details for 64.174.7.191
[refresh/show] Cached whois for 64.174.7.191 : abuse[at]sbcglobal.net
Using abuse net on abuse[at]sbcglobal.net
abuse net sbcglobal.net = abuse[at]sbcglobal.net
Using best contacts abuse[at]sbcglobal.net

Reports routes for 64.174.7.191:
routeid:16774898 64.160.0.0 - 64.175.255.255 to:abuse[at]sbcglobal.net
Administrator found from whois records

Tracking details
Display data:
"whois 64.174.7.191[at]whois.arin.net" (Getting contact from whois.arin.net )
checking NET-64-174-7-0-1
Display data:
"whois NET-64-174-7-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse[at]sbcglobal.net
64.174.7.0 - 64.174.7.255:abuse[at]sbcglobal.net
checking NET-64-160-0-0-1
Display data:
"whois NET-64-160-0-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse[at]sbcglobal.net
64.160.0.0 - 64.175.255.255:abuse[at]sbcglobal.net
Routing details for 64.174.7.191
Using abuse net on abuse[at]sbcglobal.net
abuse net sbcglobal.net = abuse[at]sbcglobal.net
Using best contacts abuse[at]sbcglobal.net

11/28/05 17:49:17 IP block 64.174.7.191
Trying 64.174.7.191 at ARIN
Trying 64.174.7 at ARIN
SBC Internet Services SBCIS-SIS80 (NET-64-160-0-0-1)
    64.160.0.0 - 64.175.255.255
Caltrans SBCIS-101323-17533 (NET-64-174-7-0-1)
    64.174.7.0 - 64.174.7.255

11/28/05 17:49:45 whois !NET-64-174-7-0-1[at]whois.arin.net
whois -h whois.arin.net !net-64-174-7-0-1 ...
CustName: Caltrans
Address: 1120 N Street
City: Sacramento
StateProv: CA
PostalCode: 95814
Country: US
RegDate: 2001-03-24
Updated: 2001-03-24
NetRange: 64.174.7.0 - 64.174.7.255
CIDR: 64.174.7.0/24
NetName: SBCIS-101323-17533
NetHandle: NET-64-174-7-0-1
Parent: NET-64-160-0-0-1
NetType: Reassigned
Comment:
RegDate: 2001-03-24
Updated: 2001-03-24
RTechHandle: PIA2-ORG-ARIN
RTechName: IPAdmin-PBI
RTechPhone: +1-800-648-1626
RTechEmail: pbiip[at]txmail.sbc.com
OrgAbuseHandle: ABUSE6-ARIN
OrgAbuseName: Abuse - Southwestern Bell Internet
OrgAbusePhone: +1-800-648-1626
OrgAbuseEmail: abuse[at]sbcglobal.net
OrgNOCHandle: SUPPO-ARIN
OrgNOCName: Support - Southwestern Bell Internet Services
OrgNOCPhone: +1-800-648-1626
OrgNOCEmail: support[at]swbell.net
OrgTechHandle: IPADM2-ARIN
OrgTechName: IPAdmin-SBIS
OrgTechPhone: +1-800-648-1626
OrgTechEmail: IPAdmin-SBIS[at]sbis.sbc.com

Once again, I'm not seeing "abuse contacts registered to dot.ca.gov" anywhere in this data.

> Seems to me spamcop should look up the abuse contacts for "dot.ca.gov", not for "ca.gov". By default, this is postmaster[at]dot.ca.gov

As shown in the above and previous, the lookup is done by IP address, not Domain .. the results are (thus far in this case) driven by ARIN registration data .... and as the "abuse[at]" address is found, the next lookup at abuse.net isn't seen (by the parser) as a required step.

Jeff G.
Posted November 28, 2005

Given that SBC's child PacBell/PBI appears to be the local telco monopoly for all (or most) of California, that is not surprising. Have any of you Customers of SBC or its children ever gotten a copy of an abuse report that was sent to abuse[at]sbcglobal.net?

spamcop@caltrans.ca.gov (Author)
Posted November 29, 2005

> Given that SBC's child PacBell/PBI appears to be the local telco monopoly for all (or most) of California, that is not surprising. Have any of you Customers of SBC or its children ever gotten a copy of an abuse report that was sent to abuse[at]sbcglobal.net?

Never.

spamcop@caltrans.ca.gov (Author)
Posted November 29, 2005

> Your contacts at ca.gov should have the reports ... but you started this with that they had sent you the reports ...????

I still have not seen the reports. All I have seen is a note saying, "Here is a copy of a reported blocking of spam traffic from a DOT IP Address (198.31.97.68) ( snaspam01.dot.ca.gov) server to 1425957615[at]reports.spamcop.net" with nothing else included. I don't know why ca.gov did not have them, and were trying to get them from spamcop.

> Not sure if you're aware of this, but ... your posting IP address would have the same "reporting" issue, although an entirely different organization would be receiving those reports.

Good point. But this is something I CAN do something about.

Wazoo
Posted November 29, 2005

From: "Wazoo"
To: "deputies"
Subject: user needs help - FAQ issue involved also
Date: Mon, 28 Nov 2005 18:54:48 -0600

http://forum.spamcop.net/forums/index.php?showtopic=5488

"The only information I have is: 1425957615[at]reports.spamcop.net"

"I don't understand why this is reported to the admins in the second level domain (ca.gov) and not to my abuse contacts registered to dot.ca.gov."

Once again, this Frequently Asked Question has been brought up, once again, there is no FAQ to point to with the answer. Though there has been much dialog in the Forum, there isn't much that can be offered to answer the actual query .. "how can the actual report be obtained?"

Am sending this on the user's behalf, posting a copy into that Topic with the standard blurb of trying to "contact a Deputy" ....

deputies[at]admin.spamcop.net

StevenUnderwood
Posted November 29, 2005

> spamcop@caltrans.ca.gov, Nov 28 2005, 06:33 PM:
> Seems to me spamcop should look up the abuse contacts for "dot.ca.gov", not for "ca.gov". By default, this is postmaster[at]dot.ca.gov

As stated elsewhere here:

"whois NET-198-31-97-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse-arin[at]caltrans.ca.gov
198.31.97.0 - 198.31.97.255:abuse-arin[at]caltrans.ca.gov

In other words, the abuse contact in arin for your IP address is caltrans.ca.gov so spamcop uses that domain to look for reporting addresses.

Using abuse net on abuse-arin[at]caltrans.ca.gov
abuse net caltrans.ca.gov = postmaster[at]ca.gov, abuse[at]ca.gov
Using best contacts postmaster[at]ca.gov abuse[at]ca.gov

Richard W
Posted November 29, 2005

> spamcop@caltrans.ca.gov, Nov 28 2005, 04:16 PM:
> Wazoo, Thank you for responding. snaspam01.dot.ca.gov has IP address 198.31.97.68. You were able to find the abuse contact information using arin. Why can't spamcop do the same?

> spamcop@caltrans.ca.gov, Nov 28 2005, 05:33 PM:
> Seems to me spamcop should look up the abuse contacts for "dot.ca.gov", not for "ca.gov". By default, this is postmaster[at]dot.ca.gov

Sorry, you're going to get a different answer here than I gave in response to your email to us.

I'm not sure where you got 1425957615[at]reports.spamcop.net from, as the report number you are looking at is 1568561770, and that should be the number in the return address. 1425957615 is an old report that has timed out of our database.

SC doesn't use the dns/rdns setup of the server. Doing so would result in reports winding up in the hands of spammers, who often have control of their dns setup. Instead, the system looks to the whois records, finding the owner of the block, providing it is a /24 or larger. It searches the addresses in the whois record. If a role account address is found, the domain for the role account address is checked with abuse.net.

In your case, role accounts abuse-arin [at] caltrans.ca.gov and noc-arin [at] caltrans.ca.gov are found so caltrans.ca.gov is checked with abuse.net:

whois -h whois.abuse.net caltrans.ca.gov ...
postmaster[at]ca.gov (for ca.gov)
abuse[at]ca.gov (for ca.gov)

This may be a limitation of abuse.net not being able to go beyond 2nd level TLDs, I'm not sure, but that's the way it appears.

BTW, even if SC did take the rdns name, dot.ca.gov to abuse.net, we get the same results:

whois -h whois.abuse.net snaspam01.dot.ca.gov ...
postmaster[at]ca.gov (for ca.gov)
abuse[at]ca.gov (for ca.gov)

This is the result of several years of trial and error. The current configuration, in place for at least the last three years, is the most successful at keeping reports out of the hands of the front line spammers.

The only way around this for this situation is to direct route reports for the block so it goes around the abuse.net lookup.

route added:198.31.97.0 - 198.31.97.255, all, abuse-arin[at]caltrans.ca.gov = 1646227

http://www.spamcop.net/sc?id=z832545018z6a...bc4c3568e3c9f5z

Richard
SpamCop Deputy

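The routing steps Richard describes above, as an added Python sketch that is not SpamCop's code. The tables are constructed from values quoted in this thread and keep the forum's "[at]" munging; the role-account test, the parent-domain walk in `abuse_net_lookup` and the final fallback to the whois contacts are assumptions made so the sketch reproduces the parser output shown earlier.

```python
import ipaddress

# Constructed tables holding only values quoted in this thread. Addresses keep
# the forum's "[at]" munging, so the code splits on "[at]" rather than "@".
WHOIS = {
    "198.31.0.0/16": ["abuse[at]level3.com"],
    "198.31.97.0/24": ["abuse-arin[at]caltrans.ca.gov",
                       "noc-arin[at]caltrans.ca.gov"],
}
ABUSE_NET = {"ca.gov": ["postmaster[at]ca.gov", "abuse[at]ca.gov"]}

# Assumption: the thread does not spell out what counts as a role account;
# here it is any local part that starts with one of these words.
ROLE_WORDS = ("abuse", "noc", "hostmaster", "postmaster")


def covering_block(ip, table):
    """Most specific block in `table` containing `ip` that is a /24 or larger."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(cidr) for cidr in table]
    hits = [n for n in nets if addr in n and n.prefixlen <= 24]
    return max(hits, key=lambda n: n.prefixlen, default=None)


def is_role_account(address):
    return address.split("[at]")[0].lower().startswith(ROLE_WORDS)


def abuse_net_lookup(domain, records=ABUSE_NET):
    """Walk from `domain` up through its parents until a record is found.

    Assumption: this models the replies shown in the thread, where queries for
    caltrans.ca.gov and snaspam01.dot.ca.gov both came back "(for ca.gov)".
    """
    labels = domain.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in records:
            return candidate, records[candidate]
    return None, []


def route_report(ip, whois=WHOIS, abuse_net=ABUSE_NET, direct_routes=None):
    """Return (recipients, reason) for a report about `ip`. rDNS is never used."""
    direct_routes = direct_routes or {}
    # 1. A manually added direct route goes around the abuse.net lookup.
    block = covering_block(ip, direct_routes)
    if block is not None:
        return direct_routes[str(block)], f"direct route for {block}"
    # 2. Otherwise start from the whois record of the smallest covering block.
    block = covering_block(ip, whois)
    if block is None:
        return [], "no whois block of /24 or larger"
    contacts = whois[str(block)]
    # 3. The domain of a role account is checked with abuse.net.
    for address in contacts:
        if is_role_account(address):
            domain = address.split("[at]")[1]
            matched, found = abuse_net_lookup(domain, abuse_net)
            if found:
                return found, f"abuse.net record for {matched} (asked for {domain})"
    # 4. Assumption: with no abuse.net answer, use the whois contacts as given.
    return contacts, f"whois contacts for {block}"


if __name__ == "__main__":
    print(route_report("198.31.97.68"))
    fix = {"198.31.97.0/24": ["abuse-arin[at]caltrans.ca.gov"]}
    print(route_report("198.31.97.68", direct_routes=fix))
```

Without the direct route, the report for 198.31.97.68 lands at the ca.gov contacts because the only abuse.net record on the path from caltrans.ca.gov upward belongs to ca.gov.
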
Jeff G. Posted November 29, 2005

Richard, thank you for the explanation and Tracking URL and for directing the reports to the right place.

Caltrans Admin, viewing the source at http://www.spamcop.net/sc?id=z832545018z6a...;action=display, why is your mailserver snaspam01 bouncing UBE rather than tagging it or putting it into a bulk or spam folder for your user?

Also, why does it feel the need to encode with 'Content-Type: text/plain; charset="utf-8"' and 'Content-Transfer-Encoding: base64', adversely affecting legibility with the naked eye?

In addition, what about the returned message was considered UBE? If it was one of the bodies, why weren't the bodies returned? This is like you marking a postal envelope "Return To Sender - Unsolicited Chain Letter" but leaving the alleged chain letter out of the returned envelope.
spamcop@caltrans.ca.gov Posted November 29, 2005 (Author)

> Richard, thank you for the explanation and Tracking URL and for directing the reports to the right place. Caltrans Admin, viewing the source at http://www.spamcop.net/sc?id=z832545018z6a...;action=display, why is your mailserver snaspam01 bouncing UBE rather than tagging it or putting it into a bulk or spam folder for your user?

I am not authorized to speak for Caltrans, but let me just say that there is a cost to taxpayers for storage, backups, training, etc. if this is delivered to a bulk/spam folder.

> Also, why does it feel the need to encode with 'Content-Type: text/plain; charset="utf-8"' and 'Content-Transfer-Encoding: base64', adversely affecting legibility with the naked eye?

There is nothing in the encoded section that is not visible in plain text.

> In addition, what about the returned message was considered UBE? If it was one of the bodies, why weren't the bodies returned? This is like you marking a postal envelope "Return To Sender - Unsolicited Chain Letter" but leaving the alleged chain letter out of the returned envelope.

You would prefer that the commercial spam message be included in the bounce? That would provide virtually a direct path for spammers to deliver their message. If the message goes back to a non-forged sender, they should know what they sent.

I am committed to reducing spam on the Internet. I will work with our vendors to find a solution that is in the best interest of our Department and the public.

In the meantime, perhaps snaspam01.dot.ca.gov should be blacklisted. In that case, spamcop customers will not receive misdirected bounces from this host.

Note however, this spam originated in Korea...

    Received: from -189652552 (unknown [219.250.206.116]) by snaspam01.dot.ca.gov (spam Firewall) with SMTP id 19043D002F23 for <x>; Sun, 27 Nov 2005 11:39:17 -0800 (PST)

And is found in the CBL and senderbase: http://cbl.abuseat.org/lookup.cgi?ip=219.250.206.116 but not blocked by spamcop. http://www.spamcop.net/w3m?action=checkblo...219.250.206.116

    219.250.206.116 not listed in bl.spamcop.net

----
The opinions expressed here are my own and do not necessarily represent those of the California Department of Transportation

EDIT: spam changed from all caps to lower case to comply with trademark restrictions.
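An added example (not part of the original post or of SpamCop's tooling): in the Received line quoted above, the HELO name is chosen by the sender while the bracketed address is what the receiving host observed, and the blocklist check the poster ran through web forms is a DNS query for the reversed address under the list's zone. Function names and the `resolve` parameter are assumptions for illustration; `bl.spamcop.net` is the zone named in the post.

```python
import ipaddress
import re
import socket

# The Received line exactly as quoted in the post above.
RECEIVED = ("from -189652552 (unknown [219.250.206.116]) by snaspam01.dot.ca.gov "
            "(spam Firewall) with SMTP id 19043D002F23 for <x>; "
            "Sun, 27 Nov 2005 11:39:17 -0800 (PST)")

# "(rdns-name [address])" as written by the receiving MTA.
_PEER = re.compile(r"\(\S*\s*\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]\)")

def connecting_ip(received):
    """Return the peer address the receiver logged, or None.
    The HELO string before the parenthesis is sender-controlled and ignored."""
    m = _PEER.search(received)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None

def dnsbl_name(ip, zone):
    """Query name for a DNS blocklist: reversed octets (IPv4) or
    reversed nibbles (IPv6), followed by the zone."""
    ip = ipaddress.ip_address(ip)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))
    else:
        labels = reversed(ip.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True when the zone answers with an address in 127.0.0.0/8,
    False when the name does not resolve (not listed)."""
    try:
        answer = ipaddress.ip_address(resolve(dnsbl_name(ip, zone)))
    except (socket.gaierror, ValueError):
        return False
    return answer in ipaddress.ip_network("127.0.0.0/8")

if __name__ == "__main__":
    ip = connecting_ip(RECEIVED)
    print(ip, "->", dnsbl_name(ip, "bl.spamcop.net"))
```

Passing a stub as `resolve` keeps the check testable offline; with the default resolver the result reflects the list's current contents, not its 2005 state.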
turetzsr Posted November 29, 2005

caltrans.ca.gov, Nov 29 2005, 01:07 PM:
> <snip>
> > Caltrans Admin, viewing the source at http://www.spamcop.net/sc?id=z832545018z6a...;action=display, why is your mailserver snaspam01 bouncing UBE rather than tagging it or putting it into a bulk or spam folder for your user?
> I am not authorized to speak for Caltrans, but let me just say that there is a cost to taxpayers for storage, backups, training, etc. if this is delivered to a bulk/spam folder.

...FWIW: a point with which, even as a non-mail admin, I fully agree!

caltrans.ca.gov, Nov 29 2005, 01:07 PM:
> <snip>
> > In addition, what about the returned message was considered UBE? If it was one of the bodies, why weren't the bodies returned? This is like you marking a postal envelope "Return To Sender - Unsolicited Chain Letter" but leaving the alleged chain letter out of the returned envelope.
> If the message goes back to a non-forged sender, they should know what they sent. <snip>

...How are you determining an e-mail address to which to send the reject message? Isn't it the admin (abuse or postmaster address) of the spam source? If so, it will probably help the admin to know the content of the spam, at least so (s)he can verify that it is, in fact, spam, giving her/him more incentive to find and take action against the perpetrator.
dbiel Posted November 29, 2005

Please refrain from using the term "spam" in all caps. This is a registered trade mark belonging to Hormel identifying their canned meat product. Internet spam should never be spelled in all caps.
StevenUnderwood Posted November 29, 2005

caltrans.ca.gov, Nov 29 2005, 01:07 PM:
> You would prefer that the commercial spam message be included in the bounce? That would provide virtually a direct path for spammers to deliver their message. If the message goes back to a non-forged sender, they should know what they sent.
>
> EDIT: spam changed from all caps to lower case to comply with trademark restrictions.

You should not be "bouncing" messages at all because most spam uses forged return addresses. The messages should be either rejected during the SMTP connection (500 level error code), accepted for the recipient to sift through, or accepted and deleted immediately.

Please see Why are auto responders bad? from the FAQ.
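An added illustration, not from the thread or from any mail product: a sans-I/O model of the receiving side of one SMTP transaction, comparing refusal at end of DATA with accept-then-bounce when the envelope sender is forged. Host names, addresses, reply texts and the `is_spam` callback are constructed for the example.

```python
# Constructed session: the envelope sender is forged and belongs to a bystander.
SESSION = ["HELO -189652552", "MAIL FROM:<bystander@example.org>",
           "RCPT TO:<user@example.net>", "DATA",
           "Subject: constructed sample", "", "buy now", ".", "QUIT"]

def receive(lines, is_spam, policy):
    """Return (replies, outbound): the SMTP replies given on the live
    connection, and the addresses this server would later mail itself."""
    replies, outbound = ["220 mx.example.net ESMTP"], []
    sender, rcpts, body, in_data = None, [], [], False
    for line in lines:
        if in_data:
            if line != ".":
                # Undo dot-stuffing on body lines.
                body.append(line[1:] if line.startswith("..") else line)
                continue
            if not is_spam("\n".join(body)):
                replies.append("250 2.0.0 queued")
            elif policy == "reject":
                # The refusal reaches whoever holds this TCP connection.
                replies.append("550 5.7.1 message refused as spam")
            else:
                # Accept, then bounce to the address claimed in MAIL FROM.
                replies.append("250 2.0.0 queued")
                if sender:  # a null sender <> is never answered
                    outbound.append(sender)
            sender, rcpts, body, in_data = None, [], [], False
            continue
        verb = line.upper()
        if verb.startswith(("HELO", "EHLO")):
            replies.append("250 mx.example.net")
        elif verb.startswith("MAIL FROM:"):
            sender = line[10:].strip().strip("<>")
            replies.append("250 2.1.0 sender ok")
        elif verb.startswith("RCPT TO:"):
            rcpts.append(line[8:].strip().strip("<>"))
            replies.append("250 2.1.5 recipient ok")
        elif verb == "DATA":
            in_data = bool(rcpts)
            replies.append("354 end with <CRLF>.<CRLF>" if rcpts
                           else "503 5.5.1 RCPT first")
        elif verb == "QUIT":
            replies.append("221 2.0.0 bye")
        else:
            replies.append("502 5.5.2 command not recognized")
    return replies, outbound
```

With the "reject" policy the server sends no mail of its own; with "bounce" the only party it contacts is the address in the forged MAIL FROM.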
This topic is now archived and is closed to further replies.