How do I see the details on spam being reported?


I would like to research why one of Caltrans IP addresses is being reported as the source of spam.

The only information I have is what was forwarded to me via a different Department, and the SpamCop reports.

There are no details here for me to take action...

The only information I have is:

1425957615[at]reports.spamcop.net

[spamCop (198.31.97.68) id:1568561770]**Message you sent blocked by our bulk email filte..

I don't understand why this is reported to the admins in the second level domain (ca.gov) and not to my abuse contacts registered to dot.ca.gov.

From :SpamCop <summaries[at]admin.spamcop.net>

IPs reported in past hour:

198.31.97.68

[ SpamCop V1.507 Summary Report ]

-- See footer for key to columns and notes about this report --

IP_Address Start/Length Trap User Mole Simp Comments

RDNS

198.31.97.68 new/0 0 0 0 0

snaspam01.dot.ca.gov

-- Key to Columns --

IP Address: The numeric address.

Start: The first date (within the past week) that spam was

reported to have originated from the IP address.

Length: The duration of the incident in # of days

Trap: Messages received at traps.

User: Messages reported by registered users.

Mole: Messages reported by registered users who prefer to remain

anonymous.

Simp: Simple reports - messages submitted by unregistered users.

Comments: Notes reflect blocking-list status and issue-resolved status.

RDNS: Reverse dns name of ip address (must pass forward and reverse)

-- Summary Report Notes --

o All times are GMT, exact time of incident withheld.

o Time of this report is: Mon Nov 28 18:39:40 2005

o To close an issue, or get more details, log into your account:

http://www.spamcop.net/

o Issues are sorted with the newest reports first. Resolving new

issues first heads off additional spam from in-progress sources.

o This email is intended to be viewed with a fixed-width font.

o This email was requested in your SpamCop preferences page - where

it may be disabled.

o This report is sent periodically, but only if there have been changes.

----------------------------------

The opinions expressed here are my own and do not necessarily represent those of the California Department of Transportation

EDIT: spam changed from all caps to lower case to comply with trademark restrictions.


caltrans.ca.gov,Nov 28 2005, 02:46 PM]I would like to research why one of Caltrans IP addresses is being reported as the source of spam.

EDIT: spam changed from all caps to lower case to comply with trademark restrictions.

36815[/snapback]

...As a "free" report-only member, I do not have the rights to look up this information. However, there seem to be a number of entries in news.admin.net-abuse.sightings for dot.ca.gov, so you may want to search there.
caltrans.ca.gov,Nov 28 2005, 02:46 PM]<snip>

I don't understand why this is reported to the admins in the second level domain (ca.gov) and not to my abuse contacts registered to dot.ca.gov.

36815[/snapback]

...SpamCop determines where to send reports, in part, from the listings at abuse.net.
Look up an address in the abuse.net contact database

abuse[at]ca.gov (for ca.gov)

postmaster[at]ca.gov (for ca.gov)

<snip>

It appears to me from what I can see in SpamCop that this is where spam reports for this IP address (198.31.97.68, aka snaspam01.dot.ca.gov) will be sent. The abuse.net home page (http://www.abuse.net/index.phtml) has a link labeled "How do I submit contact information for a domain?" which takes you to a page that describes how to update the abuse contact information for a host.

...Good luck!


http://www.spamcop.net/w3m?action=checkblock&ip=198.31.97.68

198.31.97.68 not listed in bl.spamcop.net

http://www.spamcop.net/sc?track=198.31.97.68

Parsing input: 198.31.97.68

host 198.31.97.68 = snaspam01.dot.ca.gov (cached)

Routing details for 198.31.97.68

[refresh/show] Cached whois for 198.31.97.68 : abuse-arin[at]caltrans.ca.gov

Using abuse net on abuse-arin[at]caltrans.ca.gov

abuse net caltrans.ca.gov = postmaster[at]ca.gov, abuse[at]ca.gov

Using best contacts postmaster[at]ca.gov abuse[at]ca.gov

Routing Details button hit;

Reports routes for 198.31.97.68:

routeid:16774100 198.31.97.0 - 198.31.97.255 to:abuse-arin[at]caltrans.ca.gov

Administrator found from whois records

Refresh button hit;

Removing old cache entries.

Tracking details

Display data:

"whois 198.31.97.68[at]whois.arin.net" (Getting contact from whois.arin.net )

checking NET-198-31-97-0-1

Display data:

"whois NET-198-31-97-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )

Found AbuseEmail in whois abuse-arin[at]caltrans.ca.gov

198.31.97.0 - 198.31.97.255:abuse-arin[at]caltrans.ca.gov

checking NET-198-31-0-0-1

Display data:

"whois NET-198-31-0-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )

Found AbuseEmail in whois abuse[at]level3.com

198.31.0.0 - 198.31.255.255:abuse[at]level3.com

Routing details for 198.31.97.68

Using smaller IP block (/ 24 vs. / 16 )

Removing 1 larger (> / 24 ) route(s) from cache

Using abuse net on abuse-arin[at]caltrans.ca.gov

abuse net caltrans.ca.gov = postmaster[at]ca.gov, abuse[at]ca.gov

Using best contacts postmaster[at]ca.gov abuse[at]ca.gov

11/28/05 14:19:34 IP block 198.31.97.68

Trying 198.31.97.68 at ARIN

Trying 198.31.97 at ARIN

Level 3 Communications, Inc. LVLT-ORG-198-31 (NET-198-31-0-0-1)

198.31.0.0 - 198.31.255.255

Dept. of Transportation - Caltrans CALTRANS-97-20 (NET-198-31-97-0-1)

198.31.97.0 - 198.31.97.255

11/28/05 14:20:05 whois !NET-198-31-97-0-1[at]whois.arin.net

whois -h whois.arin.net !net-198-31-97-0-1 ...

OrgName: Dept. of Transportation - Caltrans

OrgID: DTC-27

Address: 247 W. Third St

City: San Bernadino

StateProv: CA

PostalCode: 92403

Country: US

NetRange: 198.31.97.0 - 198.31.97.255

CIDR: 198.31.97.0/24

NetName: CALTRANS-97-20

NetHandle: NET-198-31-97-0-1

Parent: NET-198-31-0-0-1

NetType: Reassigned

Comment:

RegDate: 2000-12-21

Updated: 2000-12-21

RTechHandle: NH151-ARIN

RTechName: Henderson, Neil

RTechPhone: +1-916-654-4083

RTechEmail: neil[at]caltrans.ca.gov

OrgAbuseHandle: ABUSE672-ARIN

OrgAbuseName: Abuse

OrgAbusePhone: +1-916-654-4216

OrgAbuseEmail: abuse-arin[at]caltrans.ca.gov

OrgNOCHandle: NOC1627-ARIN

OrgNOCName: Network Operations Center

OrgNOCPhone: +1-916-654-4216

OrgNOCEmail: noc-arin[at]caltrans.ca.gov

OrgTechHandle: NOC1627-ARIN

OrgTechName: Network Operations Center

OrgTechPhone: +1-916-654-4216

OrgTechEmail: noc-arin[at]caltrans.ca.gov

Sorry, but I don't see "abuse contacts registered to dot.ca.gov" anywhere in this data.


Report History shows:

Submitted: Monday 2005/11/28 10:57:23 -0500:

**Message you sent blocked by our bulk email filter**

1568561770 ( 198.31.97.68 ) To: abuse[at]ca.gov

1568561765 ( 198.31.97.68 ) To: postmaster[at]ca.gov

--------------------------------------------------------------------------------

Submitted: Thursday 2005/11/17 02:04:36 -0500:

**Message you sent blocked by our bulk email filter**

1558276683 ( 198.31.97.68 ) To: postmaster[at]ca.gov

1558276682 ( 198.31.97.68 ) To: abuse[at]ca.gov

--------------------------------------------------------------------------------

Submitted: Thursday 2005/11/17 02:03:38 -0500:

**Message you sent blocked by our bulk email filter**

1558273540 ( 198.31.97.68 ) To: postmaster[at]ca.gov

1558273539 ( 198.31.97.68 ) To: abuse[at]ca.gov

Please stop sending misdirected bounces entitled "**Message you sent blocked by our bulk email filter**", which should be avoided by using 500-series errors during the SMTP transaction. Such misdirected bounces are now considered abusive and reportable by SpamCop per the "Messages which may be reported" section of On what type of email should I (not) use SpamCop? and the Misdirected bounces section of Why are auto-responders (and delayed bounces) bad?.
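
The difference between bouncing after acceptance and rejecting with a 500-series reply during the SMTP transaction, as an added Python example that is not part of the original post. The toy receiving server, the `is_spam` stand-in filter, the host name and the session lines are all constructed for illustration; only the bounce subject is taken from the reports above.

```python
# Toy receiving MTA: shows who ends up hearing about a filtered message
# under the two policies discussed in the post above.

BOUNCE_SUBJECT = "**Message you sent blocked by our bulk email filter**"


def is_spam(text):
    # Stand-in for the content filter's verdict (assumption for this example).
    return "BUY NOW" in text.upper()


def smtp_session(client_lines, policy):
    """Process one client's SMTP lines.

    policy == "bounce": accept every message, then mail a notice to the
                        envelope sender (who may be forged).
    policy == "reject": answer 550 at end of DATA; no new mail is created.
    Returns (server_replies, outbound_messages).
    Dot-stuffing and multi-line replies are left out to keep the example short.
    """
    replies = ["220 mx.example.test ESMTP"]
    outbound = []
    sender, rcpts, body, in_data = None, [], [], False

    for line in client_lines:
        if in_data:
            if line != ".":
                body.append(line)
                continue
            # End of DATA: the filter verdict is known while the client
            # is still connected and waiting for a reply.
            in_data = False
            spam = is_spam("\n".join(body))
            if spam and policy == "reject":
                replies.append("550 5.7.1 Message rejected by bulk email filter")
            else:
                replies.append("250 2.0.0 Queued")
                if spam:
                    # Accept-then-bounce: a new message goes to whatever
                    # address was given in MAIL FROM.
                    outbound.append({"from": "<>", "to": sender,
                                     "subject": BOUNCE_SUBJECT})
            sender, rcpts, body = None, [], []
            continue

        verb = line.upper()
        if verb.startswith(("HELO", "EHLO")):
            replies.append("250 mx.example.test")
        elif verb.startswith("MAIL FROM:"):
            sender = line[len("MAIL FROM:"):].strip().strip("<>")
            replies.append("250 2.1.0 OK")
        elif verb.startswith("RCPT TO:"):
            rcpts.append(line[len("RCPT TO:"):].strip().strip("<>"))
            replies.append("250 2.1.5 OK")
        elif verb == "DATA":
            in_data = True
            replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
            break
        else:
            replies.append("500 5.5.2 Command not recognized")
    return replies, outbound


# Constructed session: the envelope sender is a bystander whose address
# was forged by the sending host.
SESSION = [
    "EHLO client.example",
    "MAIL FROM:<bystander@example.org>",
    "RCPT TO:<user@example.test>",
    "DATA",
    "Subject: offer",
    "",
    "Buy now!!!",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for policy in ("bounce", "reject"):
        replies, outbound = smtp_session(SESSION, policy)
        print(policy, "->", replies[-2], "| new mail to:",
              [m["to"] for m in outbound])
```

With `reject`, the only party told about the block is the connecting host, inside its own session; with `bounce`, the forged envelope sender receives a message it can report.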

caltrans.ca.gov,Nov 28 2005, 05:16 PM]<snip>

You were able to find the abuse contact information using arin.

Why can't spamcop do the same?

36837[/snapback]

...That's potentially an interesting question but one you are not likely to get an answer to here. The person who makes that decision doesn't participate in this Forum.

...Please see my reply, above 36821[/snapback], for what I think is a more relevant answer to your original point, "I don't understand why this is reported to the admins in the second level domain (ca.gov) and not to my abuse contacts registered to dot.ca.gov." Thanks.

...Good luck!


Apologies in advance, but you ask this question at a time where there are some attitudes being exposed, some bad thoughts and words being exchanged, and you've managed to bring a couple of sore points together ... the best I can do is offer a bit of an e-mail exchange on trying to get your answer available ....

From: "Wazoo"

To: "Deputies"

Subject: Re: FAQ data - commented out, but ...???

Date: Wed, 26 Oct 2005 15:29:14 -0500

Well, amazingly enough, yet another repeat of the FAQ that I was

asking about http://forum.spamcop.net/forums/index.php?showtopic=5227

Lots of other issues going on with that request, though if going with

the timeline and the "recent" move, it looks like Interland screwed

this guy .. but .... this is exactly the Question that I wanted the

"commented out" section update and brought back out into the

light ... not for "asking for copies of reports" but to explain the

decision process in why reports go where they go (in some cases)

----- Original Message -----

From: "Deputies"

To: "Wazoo"

Sent: Sunday, October 23, 2005 10:37 PM

Subject: Re: FAQ data - commented out, but ...???

> Faq 94 deals with people asking for reports.  At one time the only

> reports that were available were full reports and anyone could ask for them.

>

> Because of problems, we removed the ability of people to add themselves

> to receive reports.  They had to write us and we would add them if we

> approved.

>

> When summary reports were added to the system, we made the decision to

> take out the information about getting full reports.  However, as you'll

> find in many faqs, in case it didn't work out and we reverted, the

> original text is left in but commented out so it doesn't display.

>

> Faq 94 says what it should say.  It doesn't and isn't meant to deal with

> parsing problems.  The instructions are accurate for getting summary

> reports.

>

> Please include all previous correspondence with replies

> -------

>

> Wazoo wrote:

> > http://www.spamcop.net/fom-serve/cache/94.html

> > The decision process behind some report complaint

> > target addresses has come up a number of times in

> > both the Newsgroups and the Forum.  I would have

> > sworn that this was explained in the FAQ, but haven't

> > been able to find it in the past.  However, while

> > converting yet another entry for the KnowledgeBase,

> > I finally "found" what I recall ... the text has been

> > commented out, but .... (from some parse results, I'm

> > not sure it's totally accurate as stated??) .... to answer

> > the queries (and as an additional bit of input for abuse

> > and administrators, could this section of data be updated

> > and provided as a 'new' FAQ entry?

> >

> > Plain text;

> >

> > note on Addresses:

> > As part of the investigation to approve the routing of reports, we must be

> > able to tie the address back to the netblock and domain in some fashion.

> > Role account addresses are preferred, but not absolutely necessary. We will

> > not send reports to addresses hosted on free mail service providers (i.e.

> > Hotmail, Yahoo, Mail.com).

> > The instructions for getting reports from SpamCop are divided into two

> > sections - one for large and one for smaller networks.

> >

> > Network operators

> > SpamCop now bases its routing of reports mainly on "whois records" -

> > contacts registered for your network with the main (and some smaller)

> > network registries (ripe, arin, apnic, etc..). Please make sure these

> > records are up to date for your network. Normally, when SpamCop encounters a

> > NOC role account such as "hostmaster[at] or noc[at]" in the whois records, it will

> > check with abuse.net for a valid abuse contact instead of sending reports to

> > your NOC role account. If the email address on file for your network is not

> > in a recognized NOC-ish form (jsmith[at] or similar), it may be necessary to

> > manually alias to your abuse.net domain record.

> > If you encounter a need for this type of manual intervention, or you need

> > any other assistance, please email <a href="mailto:dep_route[at]admin.spamcop.net">dep_route[at]admin.spamcop.net</a>.

> > Include a list of your IP address ranges and the email address which should

> > receive reports regarding them.

> >

> > Abuse.net

> > All abuse desks should register an email address for the domains they manage

> > with abuse.net. SpamCop will use this information to try to route reports

> > correctly. We provide a <a href="/fom-serve/cache/343.html">handy form</a>

> > for registering your abuse[at] email address.

> >

> > HTML coded (ease in pasting in elsewhere);

> > <!--

> > <snipped>

> > <p><b>A note on Addresses:</b>

> > <p>As part of the investigation to approve the routing of reports, we must

> > be able to tie the address back to the netblock and domain in some fashion.

> > Role account addresses are preferred, but not absolutely necessary. We will

> > not send reports to addresses hosted on free mail service providers (i.e.

> > Hotmail, Yahoo, Mail.com).

> > <p>The instructions for getting reports from SpamCop are divided into two

> > sections - one for large and one for smaller networks.

> > <p><strong>Network operators</strong>

> > <p>SpamCop now bases its routing of reports mainly on "whois records" -

> > contacts registered for your network with the main (and some smaller)

> > network registries (ripe, arin, apnic, etc..). Please make sure these

> > records are up to date for your network. Normally, when SpamCop encounters a

> > NOC role account such as "hostmaster[at] or noc[at]" in the whois records, it will

> > check with abuse.net for a valid abuse contact instead of sending reports to

> > your NOC role account. If the email address on file for your network is not

> > in a recognized NOC-ish form (jsmith[at] or similar), it may be necessary to

> > manually alias to your abuse.net domain record.

> > <p>If you encounter a need for this type of manual intervention, or you need

> > any other assistance, please email <a href="mailto:dep_route[at]admin.spamcop.net">dep_route[at]admin.spamcop.net</a>.

> > Include a list of your IP address ranges and the email address which should

> > receive reports regarding them.

> > <p><strong>Abuse.net</strong>

> > <p>All abuse desks should register an email address for the domains they

> > manage with abuse.net. SpamCop will use this information to try to route

> > reports correctly. We provide a <a href="/fom-serve/cache/343.html">handy

> > form</a> for registering your abuse[at] email address.

That you ask the Frequently Asked Question once again, and the blown-off response from the "Official" side of the house in my attempts at fixing the "Official" FAQ and populate the (now defined as Un-Official FAQs here) is something I can't help you with. I tried, I failed, someone else's turn perhaps?

deputies[at]admin.spamcop.net and/or service[at]admin.spamcop.net .. and don't forget to mention how rude I was ....


Apologies in advance, but you ask this question at a time where there are some attitudes being exposed, some bad thoughts and words being exchanged, and you've managed to bring a couple of sore points together ... the best I can do is offer a bit of an e-mail exchange on trying to get your answer available ....

<snip>

That you ask the Frequently Asked Question once again, and the blown-off response from the "Official" side of the house in my attempts at fixing the "Official" FAQ and populate the (now defined as Un-Official FAQs here) is something I can't help you with.  I tried, I failed, someone else's turn perhaps?

<snip>

36841[/snapback]

...Do I understand correctly that all this means that the algorithm SpamCop uses to determine the e-mail addresses to which reports will be sent is not well understood by us volunteers and that sometimes these questions will have to be raised directly with the SpamCop administrators? If so, Wazoo, take a few deep, cleansing breaths and repeat along with me: "SpamCop is the best tool of its type." "SpamCop is the best tool of its type." "SpamCop is the ...." :D <big g>

If you were to email update[at]abuse.net from abuse[at]dot.ca.gov or abuse[at]caltrans.ca.gov (with copies to postmaster[at]ca.gov and abuse[at]ca.gov) requesting that reports for caltrans.ca.gov go to abuse[at]dot.ca.gov or abuse[at]caltrans.ca.gov, and your request were accepted, and then someone refreshed SpamCop's route for 198.31.97.68, then the appropriate address should start getting SpamCop reports. Until then, SpamCop will continue to take abuse.net's word that there are no abuse.net records for caltrans.ca.gov, and that SpamCop and other network abuse reporters worldwide should keep emailing postmaster[at]ca.gov and abuse[at]ca.gov about their abuse issues with caltrans.ca.gov. Getting an abuse[at]dot.ca.gov or abuse[at]caltrans.ca.gov address into the ARIN records for NET-198-31-97-0-1 (198.31.97.0/24) by way of OrgAbuseEmail in OrgAbuseHandle ABUSE672-ARIN (as opposed to the current unusual address abuse-arin[at]caltrans.ca.gov) should also help long-term, but could take much longer due to California politics.


...Do I understand correctly that all this means that the algorithm SpamCop uses to determine the e-mail addresses to which reports will be sent is not well understood by us volunteers and that sometimes these questions will have to be raised directly with the SpamCop administrators?

36843[/snapback]

It's more that code and policy have evolved/changed over the years, and as I pointed out, the last "description" of how an address is selected has been made "invisible" by someone recoding the "Official" FAQ .... nothing was offered in its place, there is no existing entry to explain the "current" selection process, and the parsing results do seem to be different at times ....


...As a "free" report-only member, I do not have the rights to look up this information. However, there seem to be a number of entries in news.admin.net-abuse.sightings for dot.ca.gov, so you may want to search there

Only 6 entries and most were dot.ca.gov spam recipients.

Anyway, looks like Jeff G. was able to get some more information, but it still doesn't tell me anything about the source of the reported e-mail.

Only the time of the report.

..SpamCop determines where to send reports, in part, from the listings at abuse.net

Seems to me spamcop should look up the abuse contacts for "dot.ca.gov", not for "ca.gov". By default, this is postmaster[at]dot.ca.gov

I guess there is no way for me to get the original report information.

------

The opinions expressed here are my own and do not necessarily represent those of the California Department of Transportation


caltrans.ca.gov,Nov 28 2005, 06:33 PM]Only 6 entries and most were dot.ca.gov spam recipients.

Anyway, looks like Jeff G. was able to get some more information, but it still doesn't tell me anything about the source of the reported e-mail.

Only the time of the report.

Seems to me spamcop should look up the abuse contacts for "dot.ca.gov", not for "ca.gov". By default, this is postmaster[at]dot.ca.gov

I guess there is no way for me to get the original report information.

36847[/snapback]

If you write to the 'official' spamcop administration (and I think the addresses have already been posted), they will tell you what you need to know. AIU they will tell you whether it is bounces or spam or a compromised machine. You can also discuss with them about why the parser chooses what it chooses. Probably what will happen will be that they will manually have reports go to you or if the reason they don't go to you is because somebody at ca.gov doesn't want them to go to you, they will tell you.

Miss Betsy


caltrans.ca.gov,Nov 28 2005, 06:33 PM]I guess there is no way for me to get the original report information.

36847[/snapback]

postmaster[at]ca.gov and abuse[at]ca.gov should have copies of the Reports. If you ask very nicely and point to this Topic, 1568561770[at]reports.spamcop.net, 1558276682[at]reports.spamcop.net, and 1558273539[at]reports.spamcop.net (the original Reporters) should be able to give you the Tracking URLs for their Reports, which should reveal almost all of the original messages (munged).

You shouldn't need the unmunged info due to the nature of your mailserver's current misdeeds. However, in other cases (such as needing to beat a customer about the head asking for promised proof of subscription confirmation), if both you and the Reporters are especially nice, they may even tell you what addresses were munged and/or send you the original messages (unmunged). Beware that unmunged addresses can sometimes be gotten from certain Reporters only by prying from their cold dead hands (despite all attempts at groveling).

P.S. Miss Betsy's post immediately above (http://forum.spamcop.net/forums/index.php?...indpost&p=36849) is also correct, but let me add that the best address for such a request is deputies[at]spamcop.net.


Your contacts at ca.gov should have the reports ... but you started this with that they had sent you the reports ...????

Not sure if you're aware of this, but ... your posting IP address would have the same "reporting" issue, although an entirely different organization would be receiving those reports.

Parsing input: 64.174.7.191

host 64.174.7.191 (getting name) = pat.fwhq2nat.dot.ca.gov.

Routing details for 64.174.7.191

[refresh/show] Cached whois for 64.174.7.191 : abuse[at]sbcglobal.net

Using abuse net on abuse[at]sbcglobal.net

abuse net sbcglobal.net = abuse[at]sbcglobal.net

Using best contacts abuse[at]sbcglobal.net

Reports routes for 64.174.7.191:

routeid:16774898 64.160.0.0 - 64.175.255.255 to:abuse[at]sbcglobal.net

Administrator found from whois records

Tracking details

Display data:

"whois 64.174.7.191[at]whois.arin.net" (Getting contact from whois.arin.net )

checking NET-64-174-7-0-1

Display data:

"whois NET-64-174-7-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )

Found AbuseEmail in whois abuse[at]sbcglobal.net

64.174.7.0 - 64.174.7.255:abuse[at]sbcglobal.net

checking NET-64-160-0-0-1

Display data:

"whois NET-64-160-0-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )

Found AbuseEmail in whois abuse[at]sbcglobal.net

64.160.0.0 - 64.175.255.255:abuse[at]sbcglobal.net

Routing details for 64.174.7.191

Using abuse net on abuse[at]sbcglobal.net

abuse net sbcglobal.net = abuse[at]sbcglobal.net

Using best contacts abuse[at]sbcglobal.net

11/28/05 17:49:17 IP block 64.174.7.191

Trying 64.174.7.191 at ARIN

Trying 64.174.7 at ARIN

SBC Internet Services SBCIS-SIS80 (NET-64-160-0-0-1)

64.160.0.0 - 64.175.255.255

Caltrans SBCIS-101323-17533 (NET-64-174-7-0-1)

64.174.7.0 - 64.174.7.255

11/28/05 17:49:45 whois !NET-64-174-7-0-1[at]whois.arin.net

whois -h whois.arin.net !net-64-174-7-0-1 ...

CustName: Caltrans

Address: 1120 N Street

City: Sacramento

StateProv: CA

PostalCode: 95814

Country: US

RegDate: 2001-03-24

Updated: 2001-03-24

NetRange: 64.174.7.0 - 64.174.7.255

CIDR: 64.174.7.0/24

NetName: SBCIS-101323-17533

NetHandle: NET-64-174-7-0-1

Parent: NET-64-160-0-0-1

NetType: Reassigned

Comment:

RegDate: 2001-03-24

Updated: 2001-03-24

RTechHandle: PIA2-ORG-ARIN

RTechName: IPAdmin-PBI

RTechPhone: +1-800-648-1626

RTechEmail: pbiip[at]txmail.sbc.com

OrgAbuseHandle: ABUSE6-ARIN

OrgAbuseName: Abuse - Southwestern Bell Internet

OrgAbusePhone: +1-800-648-1626

OrgAbuseEmail: abuse[at]sbcglobal.net

OrgNOCHandle: SUPPO-ARIN

OrgNOCName: Support - Southwestern Bell Internet Services

OrgNOCPhone: +1-800-648-1626

OrgNOCEmail: support[at]swbell.net

OrgTechHandle: IPADM2-ARIN

OrgTechName: IPAdmin-SBIS

OrgTechPhone: +1-800-648-1626

OrgTechEmail: IPAdmin-SBIS[at]sbis.sbc.com

Once again, I'm not seeing "abuse contacts registered to dot.ca.gov" anywhere in this data.

Seems to me spamcop should look up the abuse contacts for "dot.ca.gov", not for "ca.gov". By default, this is postmaster[at]dot.ca.gov

As shown in the above and previous, the lookup is done by IP address, not Domain .. the results are (thus far in this case) driven by ARIN registration data .... and as the "abuse[at]" address is found, the next lookup at abuse.net isn't seen (by the parser) as a required step.


Given that SBC's child PacBell/PBI appears to be the local telco monopoly for all (or most) of California, that is not surprising. Have any of you Customers of SBC or its children ever gotten a copy of an abuse report that was sent to abuse[at]sbcglobal.net?


Your contacts at ca.gov should have the reports ... but you started this with that they had sent you the reports ...????

I still have not seen the reports.

All I have seen is a note saying, "Here is a copy of a reported blocking of spam traffic from a DOT IP Address (198.31.97.68) ( snaspam01.dot.ca.gov) server to 1425957615[at]reports.spamcop.net" with nothing else included.

I don't know why ca.gov did not have them, and were trying to get them from spamcop.

Not sure if you're aware of this, but ... your posting IP address would have the same "reporting" issue, although an entirely different organization would be receiving those reports.

Good point. But this is something I CAN do something about.


From: "Wazoo"

To: "deputies"

Subject: user needs help - FAQ issue involved also

Date: Mon, 28 Nov 2005 18:54:48 -0600

http://forum.spamcop.net/forums/index.php?showtopic=5488

"The only information I have is:

1425957615[at]reports.spamcop.net"

"I don't understand why this is reported to the admins in the

second level domain (ca.gov) and not to my abuse contacts

registered to dot.ca.gov."

Once again, this Frequently Asked Question has been

brought up, once again, there is no FAQ to point to

with the answer.

Though there has been much dialog in the Forum, there

isn't much that can be offered to answer the actual

query .. "how can the actual report be obtained?"

Am sending this on the user's behalf, posting a copy

into that Topic with the standard blurb of trying to

"contact a Deputy" ....

deputies[at]admin.spamcop.net


caltrans.ca.gov,Nov 28 2005, 06:33 PM]Seems to me spamcop should look up the abuse contacts for "dot.ca.gov", not for "ca.gov". By default, this is postmaster[at]dot.ca.gov

36847[/snapback]

As stated elsewhere here:
"whois NET-198-31-97-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )

  Found AbuseEmail in whois abuse-arin[at]caltrans.ca.gov

  198.31.97.0 - 198.31.97.255:abuse-arin[at]caltrans.ca.gov

In other words, the abuse contact in arin for your IP address is caltrans.ca.gov so spamcop uses that domain to look for reporting addresses.
Using abuse net on abuse-arin[at]caltrans.ca.gov

abuse net caltrans.ca.gov = postmaster[at]ca.gov, abuse[at]ca.gov

Using best contacts postmaster[at]ca.gov abuse[at]ca.gov


caltrans.ca.gov,Nov 28 2005, 04:16 PM]

Wazoo,

Thank you for responding. 

snaspam01.dot.ca.gov has IP address 198.31.97.68.

You were able to find the abuse contact information using arin. 

Why can't spamcop do the same?

36837[/snapback]

caltrans.ca.gov,Nov 28 2005, 05:33 PM]

Seems to me spamcop should look up the abuse contacts for "dot.ca.gov", not for "ca.gov". By default, this is postmaster[at]dot.ca.gov

Sorry, you're going to get a different answer here than I gave in response to your email to us. I'm not sure where you got 1425957615[at]reports.spamcop.net from, as the report number you are looking at is 1568561770, and that should be the number in the return address. 1425957615 is an old report that has timed out of our database.

SC doesn't use the dns/rdns setup of the server. Doing so would result in reports winding up in the hands of spammers, who often have control of their dns setup.

Instead, the system looks to the whois records, finding the owner of the block, providing it is a /24 or larger. It searches the addresses in the whois record. If a role account address is found, the domain for the role account address is checked with abuse.net.

In your case, role accounts abuse-arin [at] caltrans.ca.gov and noc-arin [at] caltrans.ca.gov are found so caltrans.ca.gov is checked with abuse.net:

whois -h whois.abuse.net caltrans.ca.gov ...

postmaster[at]ca.gov (for ca.gov)

abuse[at]ca.gov (for ca.gov)

This may be a limitation of abuse.net not being able to go beyond 2nd level TLDs, I'm not sure, but that's the way it appears.

BTW, even if SC did take the rdns name, dot.ca.gov to abuse.net, we get the same results:

whois -h whois.abuse.net snaspam01.dot.ca.gov ...

postmaster[at]ca.gov (for ca.gov)

abuse[at]ca.gov (for ca.gov)

This is the result of several years of trial and error. The current configuration, in place for at least the last three years, is the most successful at keeping reports out of the hands of the front line spammers. The only way around this for this situation is to direct route reports for the block so it goes around the abuse.net lookup.

route added:198.31.97.0 - 198.31.97.255, all, abuse-arin[at]caltrans.ca.gov = 1646227

http://www.spamcop.net/sc?id=z832545018z6a...bc4c3568e3c9f5z

Richard

SpamCop Deputy
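
The routing decision described in the post above, as an added Python sketch (not SpamCop's code and not part of the original posts). The netblocks, contacts and abuse.net answers are copied from the output quoted in this thread, with addresses left in the thread's munged `[at]` form; the function names, the role-prefix list and the parent-domain fallback inside `abuse_net_lookup` are assumptions made to reproduce the answers shown.

```python
import ipaddress

SEP = "[at]"  # addresses are kept in the thread's munged form
ROLE_PREFIXES = ("abuse", "noc", "hostmaster", "postmaster")  # assumed list

# (handle, CIDR, contact addresses) from the whois output quoted in the thread.
WHOIS_BLOCKS = [
    ("NET-198-31-0-0-1", "198.31.0.0/16", ["abuse[at]level3.com"]),
    ("NET-198-31-97-0-1", "198.31.97.0/24",
     ["abuse-arin[at]caltrans.ca.gov", "noc-arin[at]caltrans.ca.gov"]),
    ("NET-64-160-0-0-1", "64.160.0.0/12", ["abuse[at]sbcglobal.net"]),
    ("NET-64-174-7-0-1", "64.174.7.0/24", ["abuse[at]sbcglobal.net"]),
]

# abuse.net answers as quoted in the thread.
ABUSE_NET = {
    "ca.gov": ["postmaster[at]ca.gov", "abuse[at]ca.gov"],
    "sbcglobal.net": ["abuse[at]sbcglobal.net"],
}


def abuse_net_lookup(domain):
    """Return (matched_domain, contacts).

    Assumption: when the exact name has no record, the answer comes from
    the closest parent that has one, which matches the "(for ca.gov)"
    replies quoted above. The bare TLD is never tried.
    """
    labels = domain.lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in ABUSE_NET:
            return candidate, ABUSE_NET[candidate]
    return None, []


def smallest_block(addr):
    """Pick the most specific covering whois block that is a /24 or larger."""
    covering = []
    for handle, cidr, contacts in WHOIS_BLOCKS:
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen <= 24:
            covering.append((net.prefixlen, handle, contacts))
    if not covering:
        return None
    return max(covering, key=lambda block: block[0])[1:]


def is_role_account(address):
    return address.split(SEP, 1)[0].lower().startswith(ROLE_PREFIXES)


def route_report(ip, direct_routes=()):
    """Decide where a report about `ip` goes.

    direct_routes: iterable of (CIDR, address) pairs set by hand; a match
    bypasses the abuse.net lookup, as in the "route added" line above.
    rDNS is never consulted: the sender's own DNS is not trusted.
    """
    addr = ipaddress.ip_address(ip)
    for cidr, target in direct_routes:
        if addr in ipaddress.ip_network(cidr):
            return {"via": "direct route " + cidr, "to": [target]}

    block = smallest_block(addr)
    if block is None:
        return {"via": "no whois block", "to": []}
    handle, contacts = block

    for contact in contacts:
        if is_role_account(contact):
            domain = contact.split(SEP, 1)[1]
            matched, found = abuse_net_lookup(domain)
            if found:
                return {"via": "abuse.net record for " + matched, "to": found}
    # No usable abuse.net record: fall back to the first whois contact.
    return {"via": "whois " + handle, "to": contacts[:1]}


if __name__ == "__main__":
    print(route_report("198.31.97.68"))
    print(route_report("198.31.97.68",
                       [("198.31.97.0/24", "abuse-arin[at]caltrans.ca.gov")]))
    print(route_report("64.174.7.191"))
```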


Richard, thank you for the explanation and Tracking URL and for directing the reports to the right place.

Caltrans Admin, viewing the source at http://www.spamcop.net/sc?id=z832545018z6a...;action=display, why is your mailserver snaspam01 bouncing UBE rather than tagging it or putting it into a bulk or spam folder for your user? Also, why does it feel the need to encode with 'Content-Type: text/plain; charset="utf-8"' and 'Content-Transfer-Encoding: base64', adversely affecting legibility with the naked eye? In addition, what about the returned message was considered UBE? If it was one of the bodies, why weren't the bodies returned? This is like you marking a postal envelope "Return To Sender - Unsolicited Chain Letter" but leaving the alleged chain letter out of the returned envelope.


> Richard, thank you for the explanation and Tracking URL and for directing the reports to the right place.
>
> Caltrans Admin, viewing the source at http://www.spamcop.net/sc?id=z832545018z6a...;action=display, why is your mailserver snaspam01 bouncing UBE rather than tagging it or putting it into a bulk or spam folder for your user?

I am not authorized to speak for Caltrans, but let me just say that there is a cost to taxpayers for storage, backups, training, etc. if this is delivered to a bulk/spam folder.

> Also, why does it feel the need to encode with 'Content-Type: text/plain; charset="utf-8"' and 'Content-Transfer-Encoding: base64', adversely affecting legibility with the naked eye?

There is nothing in the encoded section that is not visible in plain text.

> In addition, what about the returned message was considered UBE? If it was one of the bodies, why weren't the bodies returned? This is like you marking a postal envelope "Return To Sender - Unsolicited Chain Letter" but leaving the alleged chain letter out of the returned envelope.

You would prefer that the commercial spam message be included in the bounce?

That would provide virtually a direct path for spammers to deliver their message.

If the message goes back to a non-forged sender, they should know what they sent.

I am committed to reducing spam on the Internet. I will work with our vendors to find a solution that is in the best interest of our Department and the public.

In the meantime, perhaps snaspam01.dot.ca.gov should be blacklisted. In that case, spamcop customers will not receive misdirected bounces from this host.

Note however, this spam originated in Korea...

Received: from -189652552 (unknown [219.250.206.116])
    by snaspam01.dot.ca.gov (spam Firewall) with SMTP id 19043D002F23
    for <x>; Sun, 27 Nov 2005 11:39:17 -0800 (PST)

And is found in the CBL and senderbase:

http://cbl.abuseat.org/lookup.cgi?ip=219.250.206.116

but not blocked by spamcop.

http://www.spamcop.net/w3m?action=checkblo...219.250.206.116

219.250.206.116 not listed in bl.spamcop.net

----

The opinions expressed here are my own and do not necessarily represent those of the California Department of Transportation

EDIT: spam changed from all caps to lower case to comply with trademark restrictions.


> caltrans.ca.gov, Nov 29 2005, 01:07 PM:
> <snip>
>
> Caltrans Admin, viewing the source at http://www.spamcop.net/sc?id=z832545018z6a...;action=display, why is your mailserver snaspam01 bouncing UBE rather than tagging it or putting it into a bulk or spam folder for your user?
>
> I am not authorized to speak for Caltrans, but let me just say that there is a cost to taxpayers for storage, backups, training, etc. if this is delivered to a bulk/spam folder.

...FWIW: a point with which, even as a non-mail admin, I fully agree!

> caltrans.ca.gov, Nov 29 2005, 01:07 PM:
> <snip>
>
> In addition, what about the returned message was considered UBE? If it was one of the bodies, why weren't the bodies returned? This is like you marking a postal envelope "Return To Sender - Unsolicited Chain Letter" but leaving the alleged chain letter out of the returned envelope.
>
> If the message goes back to a non-forged sender, they should know what they sent.
>
> <snip>

...How are you determining an e-mail address to which to send the reject message? Isn't it the admin (abuse or postmaster address) of the spam source? If so, it will probably help the admin to know the content of the spam, at least so (s)he can verify that it is, in fact, spam, giving her/him more incentive to find and take action against the perpetrator.

Please refrain from using the term "spam" in all caps. This is a registered trademark belonging to Hormel identifying their canned meat product. Internet spam should never be spelled in all caps.


> caltrans.ca.gov, Nov 29 2005, 01:07 PM:
> You would prefer that the commercial spam message be included in the bounce?
>
> That would provide virtually a direct path for spammers to deliver their message.
>
> If the message goes back to a non-forged sender, they should know what they sent.
>
> EDIT: spam changed from all caps to lower case to comply with trademark restrictions.

You should not be "bouncing" messages at all because most spam uses forged return addresses. The messages should be either rejected during the SMTP connection (500 level error code), accepted for the recipient to sift through, or accepted and deleted immediately. Please see "Why are auto responders bad?" from the FAQ.
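The advice in the last post (refuse during the SMTP session with a 5xx code instead of accepting and then bouncing), tied to the bl.spamcop.net lookup on the relay IP from the Received header quoted earlier in the thread, as an added example that is not part of the thread and not SpamCop's or Caltrans's code. The function names and reply texts are assumptions made for illustration; the resolver is passed in so the logic can be exercised offline.

```python
import ipaddress
import re
import socket

# Received header as quoted earlier in this thread, unfolded onto one line.
SAMPLE_RECEIVED = (
    "from -189652552 (unknown [219.250.206.116]) "
    "by snaspam01.dot.ca.gov (spam Firewall) with SMTP id 19043D002F23 "
    "for <x>; Sun, 27 Nov 2005 11:39:17 -0800 (PST)"
)

def relay_ip(received):
    """Return the bracketed IPv4 address recorded by the receiving MTA, or None."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group(1)))
    except ipaddress.AddressValueError:
        return None

def dnsbl_name(ip, zone="bl.spamcop.net"):
    """DNSBL convention: reverse the octets and append the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, zone="bl.spamcop.net", resolve=socket.gethostbyname):
    """A listed host resolves to a 127.x answer; a failed lookup means not listed."""
    try:
        return resolve(dnsbl_name(ip, zone)).startswith("127.")
    except OSError:  # socket.gaierror (NXDOMAIN) is a subclass of OSError
        return False

def smtp_reply(client_ip, content_is_spam, resolve=socket.gethostbyname):
    """Decide while the sending host is still connected, so that no bounce
    is ever generated toward a (probably forged) return address."""
    if is_listed(client_ip, resolve=resolve):
        return "554 5.7.1 Rejected: %s is listed in bl.spamcop.net" % client_ip
    if content_is_spam:
        return "554 5.7.1 Message rejected as spam"
    return "250 2.0.0 OK"
```

With a 5xx reply in the session, the connecting host is the only party that learns of the refusal, which is what keeps the notice away from forged senders.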

Archived

This topic is now archived and is closed to further replies.
