Help Us Prevent Being Blocked Again


waynem

Here is our block message:

"38.112.183.115 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 14 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Automatic delisting

If you are the administrator of nywhost.harpercollins.com and you are sure it will not be the subject of any more reports of spam, you may cause the system to be delisted without waiting for us to review the issue.

You may only do this once per IP! So please be sure that the problem is really and truly resolved. If you delist your system and we get more spam reports about it, you will not be allowed to expedite delisting again. Delisting normally occurs 24 hours after spam reports have ceased.

You must be able to receive mail at one of the addresses below. Until you have received and confirmed your request, it will not take effect.

Looking for potential administrative email addresses for 38.112.183.115:

cannot find an mx for nywhost.harpercollins.com

206.16.192.227 is an mx ( 10 ) for harpercollins.com"

Can someone please explain why this happened and what steps we need to take to prevent it from happening again? We aren't going to add an mx record for every outbound mail portal in our company.

Thanks!


The short answer is just what it says. Your mail server sent mail to a spamcop spamtrap. These are secret email addresses scattered around the internet. Because they are secret, and are not used by anyone, mail sent to them is, by definition, unsolicited, so they result in listings much quicker than reported spam.

Now, as to a longer answer, the most common reason for hitting a spamtrap is that your server is misconfigured to send NDRs rather than bounce undeliverable mail during the SMTP session with a 500 series error message.

If you administer your own mail server, then simply correcting this problem will usually stop it from sending mail to innocent 3rd parties (and spamtraps). If you are NOT the administrator of your mail server, then you need to contact whoever handles that system (your ISP or webhost) and have them correct the problem.

Once the problem is corrected and the server stops randomly spewing NDRs to the internet, the spamcop listing should go away within 24 hours, or if it is the first time the system has had a problem, it can generally be delisted immediately.


> 38.112.183.115 listed in bl.spamcop.net
>
> Can someone please explain why this happened and what steps we need to take to prevent it from happening again?

>-Subject: Out of Office AutoReply: [spam] Reserve Fund Payment Cap

The server is sending autoresponder mail to spamtrap addresses that feed our complaint database. A spamtrap is an unused address whose sole reason for existence is to see if people will send unsolicited mail to it. Spamtraps are basically the nonexistent addresses at small vanity domains owned by us or our associates. Our trap addresses aren't sending any mail, so they shouldn't be getting any return mail.

The return address on spam and virus mail is *always* forged these days, and as a result, these autoresponder messages have become a form of abuse in their own right.

Please disable the autoresponder. Or just stop sending mail to forged return addresses. That's all we're really asking.

http://www.spamcop.net/fom-serve/cache/329.html

- Don D'Minion - SpamCop Admin -

service [at] admin.spamcop.net


OK, let me make sure I understand why this is happening.

Our employees put on out of office messages to auto respond to e-mails. We also use a mail delivery service, but instead of blocking spam our preference is to tag and deliver, and a client rule sticks the tagged e-mail into a spam bucket in outlook.

Are these spam messages triggering an auto-reply to a spam cop trap? Since they are coming from forged addresses, the reply would indeed go back to an address that never sent the spam.

However, have you any idea how impossible it would be for me to approach management and suggest people stop using out of office messages?

Please confirm I understand this correctly, and that the mx record message was a red herring of sorts. Perhaps we can figure out a way to filter any outbound mail that has been tagged as spam.

Thanks,

Wayne


With the current state of email, using autoresponders and out of office messages is not a good thing to do. Most spam as you know uses forged "from" addresses and not only are they going to spamtraps but they are also going to innocent victims who have enough spam problems already without having to deal with the spam your "out of office message" sent them.

You will find yourself in many more blocklists if you allow autoresponders.

HTH HAND


> OK, let me make sure I understand why this is happening.
>
> Our employees put on out of office messages to auto respond to e-mails. We also use a mail delivery service, but instead of blocking spam our preference is to tag and deliver, and a client rule sticks the tagged e-mail into a spam bucket in outlook.
>
> Are these spam messages triggering an auto-reply to a spam cop trap? Since they are coming from forged addresses, the reply would indeed go back to an address that never sent the spam.

...Yes, that appears to be what is happening.

> However, have you any idea how impossible it would be for me to approach management and suggest people stop using out of office messages?

...That's their call. But please make them aware of what is happening, so that they are not surprised when they find many of their e-mails being blocked or otherwise diverted.

...FYI, my company also has Exchange/Outlook. Our e-mail admins suggest that each of us users turn off the default "Out of Office" capability but instead use a rule that sends an "Out of Office" message ONLY to a distribution list consisting of everyone in our Corporate Exchange network (someone or some automated process set up and maintains this distribution list).

> <snip> the mx record message was a red herring of sorts.

...That I can not confirm. If no one else here can offer any advice on that, you may wish to contact the SpamCop deputies at e-mail address deputies[at]spamcop.net.

> Perhaps we can figure out a way to filter any outbound mail that has been tagged as spam.

...That sounds like a good idea, especially as everything you need to do that seems to be in the Out of Office reply (see Don D'Minion's reply, above).

Welcome to the hell of your typical fortune 1000 IT Mail admin. If I suggested this to my management they would laugh in my face and rightly so. Execs don't give a fig about IT concerns, they cannot survive without the ability to auto-notify when they are traveling or out or wherever. Can you imagine suggesting to our CEO to call the 5000 people on the contact list when out of the office?

This needs to be fixed from the back end, not by taking away a very real and useful tool.

I will present some ideas to management that involve preventing mail items tagged as spam from leaving our mail servers. First I have to come up with something that is going to be invisible to the end users.

I don't support spam of any type, but punishing the end users isn't the right solution. Does spamcop offer a whitelist feature we can suggest our business partners place us on? Right now all I can suggest to them is to turn off spam cop to let our business e-mails pass through.

Thanks for all the help. Wish this was an easier battle, but we are caught between the spammers and the fussy execs. No win situation for the guys in the middle!


> Thanks for all the help. Wish this was an easier battle, but we are caught between the spammers and the fussy execs. No win situation for the guys in the middle!

Not suggesting this is an easier option... But instead of delivering all the tagged spam you could divert it on its inbound journey.

Or, indeed, use a range of filtering tools to determine those items which really are junk. Our small organisation has managed to capture 99.9% of inbound spam and we catch perhaps one or at most two legitimate Emails in error. We use a combination of tests based on block lists and content.

You can then offer staff the option of a whitelist for known reliable senders.

An up-hill task I know but you do have options open to you.

Andrew


And to continue Andrew's points to the next level, you could also try to filter your outgoing mail in an attempt to avoid hitting spam traps.

But any way you look at it, it is no easy task. Good luck.


> I don't support spam of any type, but punishing the end users isn't the right solution. Does spamcop offer a whitelist feature we can suggest our business partners place us on? Right now all I can suggest to them is to turn off spam cop to let our business e-mails pass through.

It is not 'punishing the end users' - it is similar to not being able to carry a pocket knife on an airplane. There is no reason why legitimate people can't do lots of things in the modern world, but we have to because of criminals.

In order to combat spam, the *sender* has to be a responsible netizen and, unfortunately, that means not using auto responders.

Having a whitelist for autoresponders is one way of doing it. Not allowing spam to go to the end user is another.

What you need to do is 'sell' being a good netizen. Perhaps suggesting that it hurts the corporate image for their out of office replies going to innocent parties?

And I am not quite sure what you mean about 'turning off spamcop' - the problem is that other IT departments are using spamcop which means that, at the very least, their emails are being tagged as spam - another argument for bad corporate image.

You might be able to find enough arguments for a bad image that would outweigh the advantages of an out of office reply. Another way of informing people is to bulk email everyone on one's address list before leaving. Or have an alternate contact in the signature and promise to reply within x days and if no reply, contact alternate. That covers backhoe and other kinds of interruptions as well as being out of office.

Miss Betsy


> Welcome to the hell of your typical fortune 1000 IT Mail admin. If I suggested this to my management they would laugh in my face

...Maybe so; I'm just suggesting you CYA ... if the first they hear about this problem is that their e-mail starts being rejected or lost, you'll deserve the severe reprimand (or worse) you get; if the first they hear about the risk is from you beforehand, it's their fault when they start having their e-mail rejected or lost.

> and rightly so.

...Not true! See my last comment in this reply.

> Execs don't give a fig about IT concerns,

...Of course not but they do (or should) care about problems they are causing themselves. If they know about it in advance and choose to do nothing, it's their fault entirely, end of discussion.

> they cannot survive without the ability to auto-notify when they are traveling or out or wherever.

...They won't be able to auto-notify if their e-mail is blocked or lost. Of course, if their ability to do business is so tied to e-mail that they can't live without it, they're not wise enough to succeed, anyway, so maybe it's no big deal. :) <g>

> Can you imagine suggesting to our CEO to call the 5000 people on the contact list when out of the office?

...Yeow, who suggested that?!?! To modify my earlier suggestion: instead of using the built-in Exchange/Outlook "Out of Office" capability, have everyone including the CEO use a rule that sends a message to a distribution list that contains everyone on your Exchange network; employees can also add to that distribution list any e-mail addresses the employee wishes to receive the out of office notice. I do that.

> This needs to be fixed from the back end, not by taking away a very real and useful tool.

...The "useful tool" is potentially (and, in your case, actually) abusive to the rest of us. It is your and your management's responsibility to come up with a way to avoid being abusive.

> I will present some ideas to management that involve preventing mail items tagged as spam from leaving our mail servers. First I have to come up with something that is going to be invisible to the end users.

...That seems a good first start. In the meantime, please consider intercepting any outgoing Out of Office messages until you've got at least an initial solution.

> I don't support spam of any type, but punishing the end users isn't the right solution.

...Nor is punishing those outside your Exchange network whose e-mail addresses are being forged.

> Does spamcop offer a whitelist feature we can suggest our business partners place us on?

...Nope. That's up to the individual receiving e-mail system.

> Right now all I can suggest to them is to turn off spam cop to let our business e-mails pass through.

...Or whitelist on their end, or tag the e-mail as potential spam and deliver it anyway, as recommended by SpamCop (see SpamCop FAQ: How do I configure my mailserver to reject mail based on the blocklist? paragraph that begins "We recommend").

> Thanks for all the help. Wish this was an easier battle, but we are caught between the spammers and the fussy execs. No win situation for the guys in the middle!

...Yes, the spammers have ruined the internet and e-mail for us all. But good execs can be educated! Good luck!

> ...Yes, the spammers have ruined the internet and e-mail for us all. But good execs can be educated! Good luck!

Yes, they can be educated especially after their servers get placed in every blocklist on the internet. ;)

waynem, I wish you the best of luck also!

If you are using Outlook 2003, you can use the out of office assistant in more than one way.

The simplest is what you are doing now, which is blindly reply to all email with an out-of-office notification. This is clearly bad for a number of very valid reasons, and is an all-around bad idea.

The second however, is not quite so bad. You can create a rule with the OOA to ONLY send an out-of-office notification to people that are already in your address book. I believe that is what turetzsr was referring to when he said:

> To modify my earlier suggestion: instead of using the built-in Exchange/Outlook "Out of Office" capability, have everyone including the CEO use a rule that sends a message to a distribution list that contains everyone on your Exchange network; employees can also add to that distribution list any e-mail addresses the employee wishes to receive the out of office notice.

This functionality still uses the built-in Out of Office capability in Outlook, but adds a safety by keeping OORs from going to unknown senders.


> Please confirm I understand this correctly, and that the mx record message was a red herring of sorts. Perhaps we can figure out a way to filter any outbound mail that has been tagged as spam.

The mx record was only a reason that manual delisting (once only) could not be performed. It is not the reason for the listing.

And in my corporate environment, we use Postini to filter and hold all of our suspected spam so that our inboxes are clear and we do currently allow OOO responders but have warned they may be turned off in the future. In our environment, IT makes the rules to be followed, but this may be a rare environment. Lotus Notes also has an option to only respond to a specific list of senders (or not to respond to a certain list).

The proper use of a SpamFilter to HOLD probable spam, then a message sent to addressee to report, delete, retrieve and or "whitelist" said message should stop the mindless bounce to whoever

(in this case a spamcop spamtrap address which is around 256 bit security to "guess" and got by the use of "spam webspiders")

Suggest you consider using the planet's best and most accurate SpamFilter SpamCop Members SCBL this should then stop spam hitting auto-responders if configured correctly

With all spam Filters it is best to use to SORT potential spam to a "hold" folder for addressees to then report, delete, retrieve and or "whitelist" said messages (with a message containing above advice sent to the addressee that potential spam is in held folder from ""100[at]123cv.cxm along with subject)

Thanks to everyone for the suggestions! We use Exclaimer and the previous version did not provide this functionality, but the newer version now installed appears to have the ability to catch flagged words in the subject of an outgoing message and do something with it. I will be looking into this today.
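
The outbound filtering idea discussed in this thread (hold auto-replies generated by spam-tagged mail, and auto-reply only to known correspondents), shown as an added example that is not part of any post. The `[spam]` tag and the "Out of Office AutoReply:" prefix come from the subject line quoted earlier in the thread; the function names, sample messages, addresses and allowlist are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

SPAM_TAG = "[spam]"                      # inbound filter's subject tag, as quoted in the thread
OOO_PREFIX = "out of office autoreply:"  # auto-reply subject prefix, as quoted in the thread


def is_auto_reply(msg):
    """Detect machine-generated mail by RFC 3834 header or the OOO subject prefix."""
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":  # auto-generated / auto-replied
        return True
    return (msg.get("Subject") or "").strip().lower().startswith(OOO_PREFIX)


def outbound_decision(raw_message, known_correspondents):
    """Return (action, reason) for one outgoing message at the mail gateway.

    known_correspondents: lower-case addresses or domains that may receive
    auto-replies (hypothetical allowlist, e.g. internal domain plus partners).
    """
    msg = message_from_string(raw_message)
    if not is_auto_reply(msg):
        return ("send", "not an auto-reply")
    # The auto-reply subject echoes the tagged subject of the mail that triggered it.
    if SPAM_TAG in (msg.get("Subject") or "").lower():
        return ("hold", "auto-reply to spam-tagged mail")
    rcpt = parseaddr(msg.get("To") or "")[1].lower()
    domain = rcpt.rpartition("@")[2]
    if rcpt and (rcpt in known_correspondents or domain in known_correspondents):
        return ("send", "auto-reply to known correspondent")
    return ("hold", "auto-reply to unknown correspondent")


# Constructed sample messages (example.* domains, not real traffic).
KNOWN = {"corp.example.com", "buyer@partner.example.net"}

OOO_TO_FORGED_SENDER = (
    "From: exec@corp.example.com\n"
    "To: unused-address@vanity.example.org\n"
    "Subject: Out of Office AutoReply: [spam] Reserve Fund Payment Cap\n"
    "\n"
    "I am travelling this week.\n"
)
OOO_TO_PARTNER = (
    "From: exec@corp.example.com\n"
    "To: Buyer <buyer@partner.example.net>\n"
    "Subject: Out of Office AutoReply: Contract draft\n"
    "\n"
    "I am travelling this week.\n"
)
OOO_TO_STRANGER = (
    "From: exec@corp.example.com\n"
    "To: someone@elsewhere.example.org\n"
    "Auto-Submitted: auto-replied; note=vacation\n"
    "Subject: Re: hello\n"
    "\n"
    "I am travelling this week.\n"
)
HUMAN_MAIL = (
    "From: exec@corp.example.com\n"
    "To: someone@elsewhere.example.org\n"
    "Subject: Meeting notes\n"
    "\n"
    "Notes attached.\n"
)

if __name__ == "__main__":
    for name, raw in [("forged sender", OOO_TO_FORGED_SENDER),
                      ("partner", OOO_TO_PARTNER),
                      ("stranger", OOO_TO_STRANGER),
                      ("human mail", HUMAN_MAIL)]:
        print(name, outbound_decision(raw, KNOWN))
```

The check only helps if the inbound filter's tag survives into the auto-reply subject, which is the case in the subject line SpamCop quoted.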


Hello,

We currently host 5 email domains on 1 server so all 5 email domains go to the internet with the same IP address. We have 5 reverse lookup entries for the IP address in question (1 per email domain). How can we prevent being put on the black list based on the logic that is being used. (Reverse lookup of email source not matching reverse lookup DNS entry).

Don't say "educate your users not to reply to spam messages" because I cannot guarantee that 1 out of 8000 users will not do that.

We block users from sending email out from their desktops via firewall rules. The only mail leaving our network is from our mail server as controlled by firewall access rules and firewall address translation rules.

Any help would be appreciated.

Phil


> Any help would be appreciated.

Hi Phil!

It isn't clear just what your problem is as you haven't fully described what you would like help with.

If you're getting reports of outgoing Emails being rejected by other ISPs then please post the rejection message.

In any case knowing the IP of your mail server might assist along with a more detailed description of the problem.

You'll find the FAQ helpful - especially:

Why am I blocked

Has your Email been blocked?

Andrew


> How can we prevent being put on the black list based on the logic that is being used. (Reverse lookup of email source not matching reverse lookup DNS entry).

Spamcop does NOT use that logic for listing (only source of spam are criteria for listing), but some system admins might. It might be a reason that automatic delisting is not available.

> Spamcop does NOT use that logic for listing (only source of spam are criteria for listing), but some system admins might. It might be a reason that automatic delisting is not available.

One of our users replied to spam and went out our email gateway with the address 142.239.254.29. When it appears that Spamcop checked the email source with a reverse lookup of the IP address 142.239.254.29 they got smtp.ccns.nshealth.ca not matching the sender's email address of firstname.lastname[at]cdha.nshealth.ca. The IP address was deemed to be bad and we got blacklisted as a spam source. If you do a NSLookup repetitively on the IP address (142.239.254.29) you will get all the records (smtp.ccns.nshealth.ca or smtp.cdha.nshealth.ca or mail.sacentre.nshealth.ca). These are our email domains that are hosted on one server.

> One of our users replied to spam and went out our email gateway with the address 142.239.254.29. When it appears that Spamcop checked the email source with a reverse lookup of the IP address 142.239.254.29 they got smtp.ccns.nshealth.ca not matching the sender's email address of firstname.lastname[at]cdha.nshealth.ca. The IP address was deemed to be bad and we got blacklisted as a spam source.

Your understanding and description of "how this IP got listed" is totally bogus. Specific FAQ links were previously provided, and links to more information are all over the Top of this screen ....

Current check at http://www.spamcop.net/w3m?action=checkblo...=142.239.254.29

142.239.254.29 not listed in bl.spamcop.net

By the way, you started this with "We currently host 5 email domains on 1 server" .. then follow that up with "(smtp.ccns.nshealth.ca or smtp.cdha.nshealth.ca or mail.sacentre.nshealth.ca) These are our email domains that are hosted on one server."

There is only ONE Domain name showing there ... nshealth.ca

> One of our users replied to spam and went out our email gateway with the address 142.239.254.29

OK, sounds possible. Reading further below, that reply may have gone to a spamtrap address. If you were added to the blocklist, it is possible there were more than 1 message sent to a trap.

> When it appears that Spamcop checked the email source with a reverse lookup of the IP address 142.239.254.29 they got smtp.ccns.nshealth.ca not matching the sender's email address of firstname.lastname[at]cdha.nshealth.ca.

Unless the message was sent to a spamcop email address, SpamCop did NOT do this lookup. SpamCop does not even do these types of lookups for its own email as I understand it. Please provide your error message so we can help straighten out what happened.

> The IP address was deemed to be bad and we got blacklisted as a spam source.

142.239.254.29 not listed in bl.spamcop.net - so you are no longer listed if you ever were. There are other lists or criteria people use to reject email. Some of them even mistakenly point everyone to spamcop.net in their error message. Spamcop can not control that.

I also looked for user reports and there are none against this IP address, BUT the fact I can see a [report history] that is blank usually indicates there are spamtrap hits against your IP address, which would make sense if the reply went to a spamtrap (an address used for nothing but to collect unsolicited messages).

> If you do a NSLookup repetitively on the IP address (142.239.254.29) you will get all the records (smtp.ccns.nshealth.ca or smtp.cdha.nshealth.ca or mail.sacentre.nshealth.ca). These are our email domains that are hosted on one server.

Not material to spamcop's strategy. Please state where you found this information about spamcop so we can explain more fully, or modify that text to be clearer.

As stated, you are not listed now, but if messages go unsolicited from your IP address, it is likely you will see either actual reports (which can add you to the blocklist) or more damaging, you will hit spamtraps, which do not send any reports.

To determine if this is the cause, you would need to ask deputies[at]spamcop.net nicely if they can provide you any information about why your IP may have been listed.

Sorry if I misinterpreted one of the methods for blacklisting as a reverse lookup check on a spamtrap received message.

We were blacklisted and are now off.

We had a user or two reply to a spam message that obviously went to a spamtrap. We currently block 65-70% of incoming messages as spam.

Is there a way to separate this behavior (replying to a spam message) from actual spamming? We have 8,000 users and I cannot control the behaviors of all of them. I would hope the threshold for spamtrap messages from one source would be set appropriately to avoid false positives yet be usable as an effective identification mechanism.

Thank you for your insight in this matter. I did not intend to offend anyone. If I inadvertently did, I am sorry. I only want to avoid having our email gateway blacklisted in the future.

Phil


> Sorry if I misinterpreted one of the methods for blacklisting as a reverse lookup check on a spamtrap received message.
>
> We were blacklisted and are now off.
>
> We had a user or two reply to a spam message that obviously went to a spamtrap. We currently block 65-70% of incoming messages as spam.
>
> Is there a way to separate this behavior (replying to a spam message) from actual spamming? We have 8,000 users and I cannot control the behaviors of all of them.

You may not be able to control the behavior, but you could inform them that replying to an unsolicited message is unlikely to reach the originator and more likely just overwhelming some innocent third party like themselves.

ANY message to a spamtrap is unsolicited, and therefore spam. Your customers sent spam and could probably be dealt with using the same rules, but maybe a little less strict if in your opinion, they just had a poor way of dealing with the spam they got. Education is the key.

However, keep in mind the majority of spamtrap hits we have heard about lately are because people are not using rejects during the SMTP transaction and bouncing lots of messages all over the internet. Have you contacted the deputies to confirm your idea of how it happened?

Archived

This topic is now archived and is closed to further replies.
