renoir

many false positives


Did SpamCop's blacklist get compromised? I am getting much of my good mail held :(

Edit: I also used Spamhaus blacklists.

Edited by renoir


Moving this to the SpamCop E-mail Account Forum section .. assumedly more appropriate than the Reporting section ...???

And once again noting that it's pretty hard to analyze something with no data ... how about the Tracking URL of a couple of your complained about items such that actual data can be seen / discussed?

Did SpamCop's blacklist get compromised? I am getting much of my good mail held :(

Edit: I also used Spamhaus blacklists.

39892[/snapback]

I can't say I'm noticing an increase in false positives although a few more messages are slipping through into my inbox of late. But that's one or two a week so not too bad.

Could it be the various block-lists you've selected and/or the SpamAssassin trigger level you've selected?

Try adjusting the various options you have and that could fix the problem - assuming you are using the Flat Rate Email service to handle this filtering.

Andrew

Did SpamCop's blacklist get compromised? I am getting much of my good mail held :(

Edit: I also used Spamhaus blacklists.

39892[/snapback]

You should inspect the headers of the held message to determine the reason for holding. Perhaps one of your redirectors (if you use them) is listed.


Neither list is compromised.

Please post the headers of one of the emails you think was wrongly listed.


Here is a recently blocked email to me: info[at]netpaths.net

Edit: 2006/02/03 10:08 EST -0500 Jeff G. reduced the posted spam email message to Tracking URL http://www.spamcop.net/sc?id=z868763570za7...af49d561d8f6e5z (cancelled) and merged renoir's new Topic "blocked email" with its existing Topic "many false positives" because it looked like an example of one of the "many false positives".

Lines for future comment:

Received: from web5.zone53.net (209.8.23.180)
  by mailgate.cesmail.net with SMTP; 3 Feb 2006 13:20:47 -0000
Received: from mx4.atomicpc.net ([216.154.232.135])
  by web5.zone53.net with esmtps (TLSv1:AES256-SHA:256)
  (Exim 4.52)
  id 1F50rp-0001oa-4d
  for info[at]netpaths.net; Fri, 03 Feb 2006 08:20:49 -0500
Received: by mx4.atomicpc.net (Postfix, from userid 501)
  id 8BFFF48C6B5; Fri, 3 Feb 2006 05:20:43 -0800 (PST)
Received: from VALUEDC0EE74F5 (cpe-66-74-154-245.socal.res.rr.com [66.74.154.245])
  by mx4.atomicpc.net (Postfix) with ESMTP id 34A8248C6B1;
  Fri, 3 Feb 2006 05:20:42 -0800 (PST)
X-SpamCop-Checked: 192.168.1.101 209.8.23.180
X-SpamCop-Disposition: Blocked bl.spamcop.net

Edited by Jeff G.


It appears that you have some complex forwarding going on, and that the final hop before the SpamCop Email System, web5.zone53.net (209.8.23.180), was listed by the SCBL about 10 hours ago (see http://mailsc.spamcop.net/bl.shtml?209.8.23.180 and http://mailsc.spamcop.net/w3m?action=blcheck&ip=209.8.23.180 for details). Its Report History follows:

Submitted: Friday 2006/02/03 02:56:07 -0500:

Un manuel Photoshop 7 avec des exercices ?

1645275638 ( 209.8.23.180 ) To: spamcop[at]imaphost.com

1645275634 ( 209.8.23.180 ) To: abuse[at]btnaccess.com

1645275631 ( 209.8.23.180 ) To: postmaster[at]btnaccess.com

--------------------------------------------------------------------------------

Submitted: Tuesday 2006/01/31 04:13:07 -0500:

tonton, tu as bien un exemple de Photoshop Newsletter ?

1641697376 ( 209.8.23.180 ) To: spamcop[at]imaphost.com

1641697366 ( 209.8.23.180 ) To: abuse[at]btnaccess.com

1641697359 ( 209.8.23.180 ) To: postmaster[at]btnaccess.com

--------------------------------------------------------------------------------

Submitted: Saturday 2006/01/28 05:19:55 -0500:

tonton, connais-tu ce truc de Photoshop ?

1638426265 ( 209.8.23.180 ) To: spamcop[at]imaphost.com

1638426264 ( 209.8.23.180 ) To: abuse[at]btnaccess.com

1638426262 ( 209.8.23.180 ) To: postmaster[at]btnaccess.com

--------------------------------------------------------------------------------

Submitted: Thursday 2006/01/26 10:25:27 -0500:

Bienvenue tonton !

1636384447 ( 209.8.23.180 ) To: abuse[at]btnaccess.com

1636384439 ( 209.8.23.180 ) To: postmaster[at]btnaccess.com

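The header reading done in the post above, as an added example that is not part of the original thread: it parses the headers renoir posted, builds the DNSBL query name for each public address in X-SpamCop-Checked, and maps that address to its Received hop. The function names and the "<verdict> <zone>" reading of X-SpamCop-Disposition are assumptions of this example; no DNS lookup is made.

```python
import ipaddress
import re

# Headers as posted in the thread; continuation lines re-indented for parsing.
HELD = """\
Received: from web5.zone53.net (209.8.23.180)
  by mailgate.cesmail.net with SMTP; 3 Feb 2006 13:20:47 -0000
Received: from mx4.atomicpc.net ([216.154.232.135])
  by web5.zone53.net with esmtps (TLSv1:AES256-SHA:256)
  (Exim 4.52)
  id 1F50rp-0001oa-4d
  for info[at]netpaths.net; Fri, 03 Feb 2006 08:20:49 -0500
Received: by mx4.atomicpc.net (Postfix, from userid 501)
  id 8BFFF48C6B5; Fri, 3 Feb 2006 05:20:43 -0800 (PST)
Received: from VALUEDC0EE74F5 (cpe-66-74-154-245.socal.res.rr.com [66.74.154.245])
  by mx4.atomicpc.net (Postfix) with ESMTP id 34A8248C6B1;
  Fri, 3 Feb 2006 05:20:42 -0800 (PST)
X-SpamCop-Checked: 192.168.1.101 209.8.23.180
X-SpamCop-Disposition: Blocked bl.spamcop.net
"""

def unfold(raw):  # join folded continuation lines into [name, value] pairs
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name.lower(), value.strip()])
    return fields

def dnsbl_name(ip, zone):  # DNSBL convention: reversed IPv4 octets + list zone
    return ".".join(reversed(ip.split("."))) + "." + zone

def explain_hold(raw):
    """Assumes X-SpamCop-Disposition reads '<verdict> <zone>' as in the post."""
    fields = unfold(raw)
    hop_re = re.compile(r"from (\S+) \(.*?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")
    hops = [m.groups() for n, v in fields if n == "received" and (m := hop_re.match(v))]
    first = lambda key: next(v for n, v in fields if n == key)
    checked = first("x-spamcop-checked").split()
    verdict, zone = first("x-spamcop-disposition").split()
    # Private (RFC 1918) addresses are never looked up in a public DNSBL.
    public = [ip for ip in checked if not ipaddress.ip_address(ip).is_private]
    return {
        "verdict": verdict,
        "queries": [dnsbl_name(ip, zone) for ip in public],
        "checked_hops": [(i, h) for i, (h, ip) in enumerate(hops) if ip in public],
        "unchecked_hops": [ip for h, ip in hops if ip not in checked],
    }
```

Hop index 0 is the topmost Received line, the relay that handed the message to mailgate.cesmail.net; the two addresses further down the chain do not appear in X-SpamCop-Checked for this message.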

It can't be, this is the IP of my hosting company 209.8.23.180

How can I get this cleaned up immediately?

How can I get this cleaned up immediately?

39992[/snapback]

Please talk to your hosting company, zone53.net, BeyondTheNetwork, btnaccess.com, PCCW, Capital Area Internet Service, and/or Capital Area Internet Service. "If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 8 hours." Temporarily, you could Uncheck "SpamCop Blacklist" at https://webmail.spamcop.net/horde/imp/spamcop/blacklists.php or http://webmail.spamcop.net/horde/imp/spamcop/blacklists.php.


The host myriadnetwork.com said they deleted the account of the spammer. They said they only sent 3 reported emails. Can you turn on 209.8.23.180?

The host myriadnetwork.com said they deleted the account of the spammer. They said they only sent 3 reported emails. Can you turn on 209.8.23.180?

39996[/snapback]

...Thank you for contacting them.

...Unfortunately, we here are (mostly) just other users of SpamCop and SpamCop admins do not allow us to remove IP addresses from the blacklist.

...However, this should happen automatically within the next 7 or 8 hours (SpamCop Checkblock for this IP address) if there are no more spam reports.

Can you turn on 209.8.23.180?

39996[/snapback]

Sorry, I can't. "If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 7 hours."


This is a copy of the email the service provider gave me. Is there any way to bump this to an administrator?

support email:

The issue has already been investigated, and someone is losing their account over this for failing to comply with our AUP. They were not actually spamming at all - they just have a really poor mailing list setup (not opt-in/confirm/anything - just sign someone up and they're automatically subscribed). They chose to go against my recommendation to either:

1. make your list opt-in, or

2. take your mailing list elsewhere

As such they wound up resending an email to a person who had already complained about them once before. The funny thing is, they have ~15 - 20 people on this mailing list, and it took 1 person to complain about 3 times before we were blocked.

This is a copy of the email the service provider gave me. Is there any way to bump this to an administrator?

<snip>

40000[/snapback]

...You (or, better, your e-mail provider's administrator) could write to the SpamCop Deputies at e-mail address deputies[at]spamcop.net. However, my guess would be that by the time they got to your request, decided whether they would bother to reply and actually acted, the automatic mechanism by which SpamCop de-lists IP addresses would already have de-listed this address.

The funny thing is, they have ~15 - 20 people on this mailing list, and it took 1 person to complain about 3 times before we were blocked.

40000[/snapback]

They may not have the story completely right, however. Jeff G. presents 4 items which have been reported publicly, and there could also be mole reports which the ISP would not have received.

The last public information I remember is that it takes more than one reporter to list an IP as well as the percentage of spam/valid email (seen by a network of domains) being above a certain percentage.


http://www.spamcop.net/w3m?action=checkblock&ip=209.8.23.180

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 5 hours.

Causes of listing

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

System administrator has already delisted this system once

Because of the above problems, express-delisting is not available

Listing History

In the past 371.5 days, it has been listed 6 times for a total of 4.4 days

http://www.senderbase.org/?searchBy=ipaddr...ng=209.8.23.180

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 3.5 .. -20%

Last 30 days .. 3.7 ... 20%

Average ........ 3.6

SenderBase's "Magnitude" Explained sure seems to suggest that the "3 or 4 e-mails" is a bit weak on lining up with the data seen. Even the "listed 6 times" seems to argue that a bit, even recalling that one of the ancient trip points was 2% of traffic being reported, there's no way to factor "3 or 4 e-mails" into any of the equations offered for an entry to the SpamCopDNSBL ....

It can't be, this is the IP of my hosting company 209.8.23.180

How can I get this cleaned up immediately?

39992[/snapback]

209.8.23.180 is a mail server? For SpamCop to be blocking a mail server means that this is the last identifiable link.

If a provider is competently set up, the last identifiable link (chain) would be the computer sending the spam, which would then be the IP listed by SpamCop.

SpamCop Members Blocking List is like a radar stopping a spam while spam is being sent, quickly releasing that listed IP once the spam stops. This process is completely automatic but SpamCop has the world's best staff and deputies checking in the unlikely case of something going wrong.

(The spell checker now works)

Edited by petzl

(The spell checker now works)

40005[/snapback]

??? Hadn't seen or heard that it didn't ...???? Though noting that I also don't recall anyone asking for words to be added in either, if that's what you might mean.

They were not actually spamming at all - they just have a really poor mailing list setup (not opt-in/confirm/anything - just sign someone up and they're automatically subscribed).

40000[/snapback]

That is called spam.

??? Hadn't seen or heard that it didn't ...???? Though noting that I also don't recall anyone asking for words to be added in either, if that's what you might mean.

40006[/snapback]

The old spell checker always "worked" just seemed pretty useless (always used the Google toolbar one).

The new one works well.

