spam-n00b Posted December 15, 2005 Share Posted December 15, 2005 I am an alumnus of UC Berkeley. As a member of the Alumni Association, I have an email forwarding alias from a Berkeley domain: XXXXXX[at]cal.berkeley.edu for example. The University of California system (as well as many other universities apparently) uses PCI data company (publishingconcepts.com) to fulfill this service. PCI has apparently run afoul of the Spamcop SCBL, at least for one of their forwarding servers. http://www.spamcop.net/w3m?action=blcheck&ip=12.156.3.16 As a result, I'm not getting any email since my webhost (icdsoft.com) uses the SCBL on all incoming mail for all domains, and cannot disable it for my domain or include the above IP on a whitelist for my domain. So, am I "screwed" and at the mercy of these PCI idiots (who have AWFUL customer service, by the way)... or do I (as an end user) have any recourse? Also, on a side-note, should my webhost be able to offer a whitelist in order to "quick fix" the problem for me? Is it time to shop for different hosting? All suggestions will be much appreciated. Link to comment Share on other sites More sharing options...
Telarin Posted December 15, 2005 Share Posted December 15, 2005 Short answer - as an end user there isn't very much you can do directly other than shop for a new mail host. Now on to the longer answer... 12.156.3.16 listed in bl.spamcop.net (127.0.0.2) If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 19 hours. Causes of listing System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop) SpamCop users have reported system as a source of spam about 210 times in the past week Wow, if spamcop users have reported it 210 times in the past week, there is a MAJOR amount of spam coming from that system, as spamcop users only make up a tiny percentage of the internet populace in general. One of the paying members can probably pull some samples so we can see if it is misdirected bounces, or actual spam spam, however with that volume, I would be there is a fair amount of actual spam in there. Your ISP CAN physically whitelist the server by IP address, however, if I were your ISP, it would take a lot of convincing considering the numbers seen here, and the fact that, per senderbase, this IP has shown nearly a 150% increase in email volume over average. So first, lets see if one of the paying members can post some spam samples, and from there maybe we can find you a workable course of action. Link to comment Share on other sites More sharing options...
spam-n00b Posted December 15, 2005 Author Share Posted December 15, 2005 As far as my webhost offering a whitelist... I know that they could whitelist it for ALL of the domains that they host (they said as much), but I need to know if I should expect my webhost to be able to whitelist a sender for my domain only, so that *I* can take responsibility for my email addresses potentially receiving spam without other hosted domains getting involved. Thanks for your help so far!! Link to comment Share on other sites More sharing options...
StevenUnderwood Posted December 15, 2005 Share Posted December 15, 2005 So first, lets see if one of the paying members can post some spam samples, and from there maybe we can find you a workable course of action. 37870[/snapback] Here you go. Looking at the headers, either there is a spammer(s) using their servers to physically send the messages, or their headers are messing up so that the parser can not work their way back through the forward. I am going to shoot an email off to the deputies to see if they can determine which. Report History: -------------------------------------------------------------------------------- Submitted: Thursday, December 15, 2005 11:01:04 AM -0500: fake 1587447165 ( 12.156.3.16 ) To: spamcop[at]imaphost.com 1587447132 ( 12.156.3.16 ) To: abuse[at]theplanet.com -------------------------------------------------------------------------------- Submitted: Thursday, December 15, 2005 9:51:39 AM -0500: hello 1587394944 ( 12.156.3.16 ) To: spamcop[at]imaphost.com 1587394933 ( 12.156.3.16 ) To: abuse[at]theplanet.com -------------------------------------------------------------------------------- Submitted: Thursday, December 15, 2005 9:13:16 AM -0500: ***spam*** 1587394004 ( 12.156.3.16 ) To: spamcop[at]imaphost.com 1587393976 ( 12.156.3.16 ) To: abuse[at]theplanet.com -------------------------------------------------------------------------------- Submitted: Wednesday, December 14, 2005 5:59:31 PM -0500: ***spam*** 1586630796 ( 12.156.3.16 ) To: spamcop[at]imaphost.com 1586630794 ( 12.156.3.16 ) To: abuse[at]theplanet.com -------------------------------------------------------------------------------- Submitted: Wednesday, December 14, 2005 3:52:20 PM -0500: Paris_Hilton_&_Nicole_Richie 1586528448 ( 12.156.3.16 ) To: spamcop[at]imaphost.com 1586528431 ( 12.156.3.16 ) To: abuse[at]theplanet.com -------------------------------------------------------------------------------- Submitted: Wednesday, December 14, 2005 12:58:32 PM -0500: You visit illegal websites 1586392607 ( 12.156.3.16 ) To: spamcop[at]imaphost.com 1586392570 ( 12.156.3.16 ) To: abuse[at]theplanet.com -------------------------------------------------------------------------------- Submitted: Wednesday, December 14, 2005 10:16:54 AM -0500: Buy Oxy Gifts Online for the Holidays 1586236573 ( 12.156.3.16 ) To: abuse[at]theplanet.com -------------------------------------------------------------------------------- Submitted: Wednesday, December 14, 2005 9:05:53 AM -0500: Paris Hilton & Nicole Richie 1586170652 ( 12.156.3.16 ) To: spamcop[at]imaphost.com 1586170610 ( 12.156.3.16 ) To: abuse[at]theplanet.com -------------------------------------------------------------------------------- Submitted: Tuesday, December 13, 2005 9:09:26 PM -0500: agradou 1585613006 ( 12.156.3.16 ) To: spamcop[at]imaphost.com 1585613002 ( 12.156.3.16 ) To: abuse[at]theplanet.com -------------------------------------------------------------------------------- Submitted: Tuesday, December 13, 2005 8:17:16 PM -0500: warning 1585577868 ( 12.156.3.16 ) To: spamcop[at]imaphost.com 1585577864 ( 12.156.3.16 ) To: abuse[at]theplanet.com Link to comment Share on other sites More sharing options...
StevenUnderwood Posted December 15, 2005 Share Posted December 15, 2005 FYI: As seen in this thread, Cornell also seems to be having forwarding issues. Possibly related???? http://forum.spamcop.net/forums/index.php?...indpost&p=37786 Link to comment Share on other sites More sharing options...
spam-n00b Posted December 15, 2005 Author Share Posted December 15, 2005 Here you go. Looking at the headers, either there is a spammer(s) using their servers to physically send the messages, or their headers are messing up so that the parser can not work their way back through the forward. I am going to shoot an email off to the deputies to see if they can determine which. Thanks! I feel a little bit ticked off that we are (well, not so much ME, mostly you guys) are essentially doing PCI's job for them. I'm going to make sure that I do my best to let UC Berkeley know the kind of company that they're doing business with and get them to switch vendors. Anyone know of a "competitor" to PCI who could offer reliable (i.e., never have THIS problem) email forwarding of a scale that the UC system could switch to? I'd love to have a recommendation for the Alumni Association... Link to comment Share on other sites More sharing options...
StevenUnderwood Posted December 15, 2005 Share Posted December 15, 2005 FYI: As seen in this thread, Cornell also seems to be having forwarding issues. Possibly related???? http://forum.spamcop.net/forums/index.php?...indpost&p=37786 37873[/snapback] Looking at the Cornell situation closer, it seems they are running their own servers to provide the forwarding. Link to comment Share on other sites More sharing options...
spam-n00b Posted December 15, 2005 Author Share Posted December 15, 2005 FYI: As seen in this thread, Cornell also seems to be having forwarding issues. Possibly related???? http://forum.spamcop.net/forums/index.php?...indpost&p=37786 37873[/snapback] Doesn't seem to be related... they're not using PCI and the problem seems to be misdirected bounces at Cornell itself rather than actual spam from some downstream "service" provider. Good eye though! Link to comment Share on other sites More sharing options...
dra007 Posted December 15, 2005 Share Posted December 15, 2005 Here you go. Looking at the headers, either there is a spammer(s) using their servers to physically send the messages, or their headers are messing up so that the parser can not work their way back through the forward. I am going to shoot an email off to the deputies to see if they can determine which. Report History: -------------------------------------------------------------------------------- Submitted: Wednesday, December 14, 2005 3:52:20 PM -0500: Paris_Hilton_&_Nicole_Richie 1586528448 ( 12.156.3.16 ) To: spamcop[at]imaphost.com 1586528431 ( 12.156.3.16 ) To: abuse[at]theplanet.com -------------------------------------------------------------------------------- Submitted: Wednesday, December 14, 2005 12:58:32 PM -0500: You visit illegal websites 1586392607 ( 12.156.3.16 ) To: spamcop[at]imaphost.com 1586392570 ( 12.156.3.16 ) To: abuse[at]theplanet.com -------------------------------------------------------------------------------- Submitted: Wednesday, December 14, 2005 9:05:53 AM -0500: Paris Hilton & Nicole Richie 1586170652 ( 12.156.3.16 ) To: spamcop[at]imaphost.com 1586170610 ( 12.156.3.16 ) To: abuse[at]theplanet.com -------------------------------------------------------------------------------- Submitted: Tuesday, December 13, 2005 8:17:16 PM -0500: warning 1585577868 ( 12.156.3.16 ) To: spamcop[at]imaphost.com 1585577864 ( 12.156.3.16 ) To: abuse[at]theplanet.com 37872[/snapback] These look like virus generated e-mail in the recent soberMM attack.... Link to comment Share on other sites More sharing options...
Telarin Posted December 15, 2005 Share Posted December 15, 2005 Yes, I meant "isn't"... I've fixed it, thanks for pointing that out As far as whitelisting an IP address for only a particular user or domain on a mail server, it iss going to depend entirely on the mail package that they are using. I know with exchange, whitelisting an IP is either all or nothing, you can't do it for only some. I don't know of any competitors to PCI that can offer this, but it would seem that they could probably do it in-house for less than outsourcing it, seeing as they most likely already have all the necessary infrastructure in place. Link to comment Share on other sites More sharing options...
spam-n00b Posted December 15, 2005 Author Share Posted December 15, 2005 These look like virus generated e-mail in the recent soberMM attack.... 37878[/snapback] So the question remains, are PCI's mail servers infected/pwn3d or is someone sending through their forwarding service and PCI just has malformed headers that Spamcop can't parse... Since Spamcop always SEEMED to be able to parse spam that I received through my forwarded emails (i.e., when I cut/paste the message source into spamcop it correctly says that the "sender" is in Russia or China or wherever, and not that it's PCI), my guess is that they have either recently changed the way they are doing their headers (yeah right) or someone on their network security staff needs to get fired. Link to comment Share on other sites More sharing options...
spam-n00b Posted December 15, 2005 Author Share Posted December 15, 2005 As in interesting side-note, the PCI website seems to be down. Looks like they're having "issues". I hope they lose clients over this. For a company that is "big" enough to offer these sorts of services to MAJOR universities to screw up this bad... well, let's just say I'm massively unimpressed. Link to comment Share on other sites More sharing options...
Telarin Posted December 15, 2005 Share Posted December 15, 2005 Since Spamcop always SEEMED to be able to parse spam that I received through my forwarded emails (i.e., when I cut/paste the message source into spamcop it correctly says that the "sender" is in Russia or China or wherever, and not that it's PCI), my guess is that they have either recently changed the way they are doing their headers (yeah right) or someone on their network security staff needs to get fired. 37880[/snapback] Of course, that assumes that they have a network security staff to begin with. You'd be surprised how small some of these "big" internet companies are now. Its amazing what a couple guys in a garage with a couple servers and a T1 can do. Anyway, as far as the parsing goes, we'll have to wait and see if the deputies get back to StevenUnderwood with some more detailed headers from the messages that have been reported. That should tell us if they are being parsed correctly, or have someone started getting the wrong mailserver reported. Link to comment Share on other sites More sharing options...
Wazoo Posted December 15, 2005 Share Posted December 15, 2005 As in interesting side-note, the PCI website seems to be down. Looks like they're having "issues". 37881[/snapback] Might be a browser setting involved .. I was redirected to a 'secure' site with a bad certificate ... https://publishingconcepts.com/index.asp?&SSLChecker=TRUE Link to comment Share on other sites More sharing options...
StevenUnderwood Posted December 15, 2005 Share Posted December 15, 2005 Anyway, as far as the parsing goes, we'll have to wait and see if the deputies get back to StevenUnderwood with some more detailed headers from the messages that have been reported. That should tell us if they are being parsed correctly, or have someone started getting the wrong mailserver reported. 37882[/snapback] Reply in part from Ellen: if the person who is asking the question is associated with the blocked IP please have them write to us. I am afraid that I cannot give out details of this issue publicly. I can tell you that the spam is not originating at PCI. So it sounds like publishingconcepts.com administration should try to contact deputies[at]spamcop.net, though it MAY need to be bumped up to the people at theplanet.com as they seem to be the registered owner of that IP. The IP I gave to Ellen to check was: 12.156.3.16 host 12.156.3.16 = list5.publishingconcepts.com (cached) Reporting addresses: abuse[at]theplanet.com Please report back here if you get any further response on this. Link to comment Share on other sites More sharing options...
spam-n00b Posted December 15, 2005 Author Share Posted December 15, 2005 So it sounds like publishingconcepts.com administration should try to contact deputies[at]spamcop.net, though it MAY need to be bumped up to the people at theplanet.com as they seem to be the registered owner of that IP. The IP I gave to Ellen to check was: 12.156.3.16 host 12.156.3.16 = list5.publishingconcepts.com (cached) Reporting addresses: abuse[at]theplanet.com Please report back here if you get any further response on this. 37891[/snapback] Well, good news and bad news... Email forwarding is working again, but only because PCI has started using a different IP address. The "new" IP is 12.156.3.8 = list.publishingconcepts.com... still with ThePlanet. ThePlanet "owns" the IP range of 12.156.0.0 - 12.156.7.255, all of which apparently "really" belongs to AT&T WorldNet Services which has the whole 12.xx.xx.xx block. This does very little (if anything) to solve the "root" cause. I had already contacted ThePlanet earlier (as they are, as you noticed, the registered owner of the IP) and they told me that they could only deal with PCI, and not with me. Since the spam problem appears to have (potentially) risen within ThePlanet, switching to another server from the same people seems "unwise" to me. I still maintain that PCI is at fault, at the VERY least for taking MULTIPLE days to fix these issues. This is not an "Oops, we're blocked, let's fix it in 15 minutes"... I actually got the impression (based on a followup voice mail) that the guys at PCI didn't even KNOW that they were on the SCBL until I TOLD THEM in the voicemail that I left them this morning. So, watch out for ThePlanet and PCI... I'd avoid either of those companies personally. Link to comment Share on other sites More sharing options...
Telarin Posted December 15, 2005 Share Posted December 15, 2005 The problem here is that spamcop is a very good "early warning system" as it is probably the most aggressive BL out there. It is supposed to work like this: 1 You get on the SCBL 2 You fix the problem 3 Your listing in the SCBL expires 4 Everyone is happy On the other hand, the path they are headed down is: 1 You get on the SCBL 2 You don't do anything other than move your mail servers around 3 You end up with your whole BLOCK of IPs on a BL that is MUCH harder to get off of. 4 You can't move your servers around anymore, because the whole block is listed 5 Customers become angry, because it can take weeks to get off some BLs 6 You lose lots of customers 7 You finally get around to fixing the problem 8 Still on the BLs, trying to get unlisted 9 Lose more customers etc... Link to comment Share on other sites More sharing options...
spam-n00b Posted December 15, 2005 Author Share Posted December 15, 2005 The problem here is that spamcop is a very good "early warning system" as it is probably the most aggressive BL out there. It is supposed to work like this: 1 You get on the SCBL 2 You fix the problem 3 Your listing in the SCBL expires 4 Everyone is happy On the other hand, the path they are headed down is: 1 You get on the SCBL 2 You don't do anything other than move your mail servers around 3 You end up with your whole BLOCK of IPs on a BL that is MUCH harder to get off of. 4 You can't move your servers around anymore, because the whole block is listed 5 Customers become angry, because it can take weeks to get off some BLs 6 You lose lots of customers 7 You finally get around to fixing the problem 8 Still on the BLs, trying to get unlisted 9 Lose more customers etc... 37906[/snapback] I agree completely. The problem is these people who can't be bothered to fix the underlying "disease" and instead just treat the symptoms... ultimately, the patient will die. I have tried to indicate to the Alumni Association that they are doing business with a company that isn't following best practices and is likely to have future problems of the same nature, but more severe. Hopefully SOMEONE out there will listen. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted December 16, 2005 Share Posted December 16, 2005 Well, if you can get either PCI or theplanet to contact the deputies[at]spamcp.net address, it sounded to me like she could get something fixed quiet easily. Link to comment Share on other sites More sharing options...
Miss Betsy Posted December 16, 2005 Share Posted December 16, 2005 I agree completely. The problem is these people who can't be bothered to fix the underlying "disease" and instead just treat the symptoms... ultimately, the patient will die. I have tried to indicate to the Alumni Association that they are doing business with a company that isn't following best practices and is likely to have future problems of the same nature, but more severe. Hopefully SOMEONE out there will listen. 37907[/snapback] I sure hope they do also!! You obviously made the most of your college education because you DO understand the problem. Miss Betsy Link to comment Share on other sites More sharing options...
spam-n00b Posted December 16, 2005 Author Share Posted December 16, 2005 Well, if you can get either PCI or theplanet to contact the deputies[at]spamcp.net address, it sounded to me like she could get something fixed quiet easily. 37913[/snapback] Heh, not likely. ThePlanet refuses to discuss the issue with me since I'm not PCI. I can TELL them things, but they ignore me. My first call to PCI went straight to voicemail and I never received a response. My second call to PCI got a human being who shifted me to a different voicemail WITHOUT EVEN TELLING ME when I mentioned the issue. The callback I received from THAT voicemail is documented above... where they told me that they switched IPs because of the spamcop issue. Of course, this morning one of the spam emails I submitted to SpamCop resolved to the "new" IP that they switched to: 12.156.3.8 Looks like they're going to get back on the SCBL because they can't be bothered to fix their headers or clean their computers. Either way, I'm past caring. I've switched all my "important" email contacts directly to my personal email accounts and have bypassed the need for the UC Berkeley Alumni forwarding. Link to comment Share on other sites More sharing options...
Jeff G. Posted December 16, 2005 Share Posted December 16, 2005 Of course, this morning one of the spam emails I submitted to SpamCop resolved to the "new" IP that they switched to: 12.156.3.837973[/snapback] Would you mind sharing a Tracking URL for that spam email message you submitted to SpamCop this morning, as a favor to your fellow alums that may have their email blocked in the future? Thanks! Link to comment Share on other sites More sharing options...
StevenUnderwood Posted December 16, 2005 Share Posted December 16, 2005 , this morning one of the spam emails I submitted to SpamCop resolved to the "new" IP that they switched to: 12.156.3.8 37973[/snapback] You are aware the YOU are responsible for the reports YOU send using the SpamCop toolset, correct? I do hope you are unselecting that IP as the source (unless you feel it really IS the source). As JeffG stated, a tracking URL for this message could help us to formulate a complaint to PCI. Link to comment Share on other sites More sharing options...
Merlyn Posted December 16, 2005 Share Posted December 16, 2005 Of course, this morning one of the spam emails I submitted to SpamCop resolved to the "new" IP that they switched to: 12.156.3.8 37973[/snapback] Yup! looks like spam to me Submitted: Friday, December 16, 2005 1:09:36 PM -0500: Two hundred and thirty thousand dollars for only $320/month 1588764403 ( http://errorntrial.com/p3.asp ) To: glxk[at]gxcc.com.cn 1588764396 ( 12.156.3.8 ) To: spamcop[at]imaphost.com 1588764383 ( 12.156.3.8 ) To: abuse[at]theplanet.com -------------------------------------------------------------------------------- Submitted: Friday, December 16, 2005 3:12:22 AM -0500: Paris Hilton & Nicole Richie 1588198236 ( 12.156.3.8 ) To: mole[at]devnull.spamcop.net -------------------------------------------------------------------------------- BTW: the first spam is from a spam gang hosted in china see: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL35677 THEPLANET.COM does not have a clue. That is why we do not accept email traffic from them. Doesn't say much for Publishing Concepts either. The spammers have more control of their servers than they do. HTH HAND Link to comment Share on other sites More sharing options...
spam-n00b Posted December 16, 2005 Author Share Posted December 16, 2005 You are aware the YOU are responsible for the reports YOU send using the SpamCop toolset, correct? I do hope you are unselecting that IP as the source (unless you feel it really IS the source). As JeffG stated, a tracking URL for this message could help us to formulate a complaint to PCI. 37975[/snapback] Yes, I understand that. ThePlanet seems to have problems with the headers it's using, so they are the "source" insofar as they are masking whoever the "real" source is. I don't know how to provide a tracking URL for the message (Is it just the page you go to if you click the number listed in the "Past Reports" tab?), but I'd gladly provide one if someone gives me a brief walkthrough. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.