stevewest15

Please help me investigate why we got listed?


Hi folks,

We are a hosting company and several days ago, I set up a few domains which we do not accept mail for to act as spam traps by forwarding all incoming mail to my spamcop account. Today, I got chewed out by my superiors who are blaming me that spamcop blacklisted our main mail server IP address 209.8.232.10 due to what I did two days ago. :(

I was only trying to help report spammers and I thought that would be of benefit to everyone who hates spam... never thought it would get us listed instead.

I just signed up for an ISP account and tried to get a report to see more details on why we got listed but there are no reports available. Am I doing something wrong as to why I can't see more details on what triggered this blacklisting? The only thing I found was this link by doing a lookup at Senderbase.

Also, I just received our 1st Alert from spamcop as I'm typing this request that our IP address 209.8.232.10 has been reported again in the past 1 hour.

I'm thinking maybe one of our customers has set up an autoresponder but I'm not sure without seeing more info on why we got listed. I've also read the FAQ about "Misdirected bounces" and we are already using the qmail spamcontrol addon and we have the following options enabled:

userchk (checking whether the recipient mail resource such as mailbox, forward, or mailbox alias exists before accept any message)

mfdnscheck (DNS check of domain name in sender's address)

smdcheck (Allows only local domains in the MAIL FROM address if mail is sent remotely)

noathost (Fully qualified domain email address required in RCPT TO and MAIL FROM smtp commands)

Any assistance is greatly appreciated!

thx,

SW

We are a hosting company and several days ago, I set up a few domains which we do not accept mail for to act as spam traps by forwarding all incoming mail to my spamcop account. Today, I got chewed out by my superiors who are blaming me that spamcop blacklisted our main mail server IP address 209.8.232.10 due to what I did two days ago. :(

The only thing to say here is that it would appear that you'd need to look at what's actually being sent out; the easiest would be to CC: yourself on these forwarded items.

I just signed up for an ISP account and tried to get a report to see more details on why we got listed but there are no reports available. Am I doing something wrong as to why I can't see more details on what triggered this blacklisting? The only thing I found was this link by doing a lookup at Senderbase.

If you look at that URL, it's currently showing:

209.8.232.10 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 3 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

It appears this listing is caused by misdirected bounces. We have a FAQ which covers this topic: Why auto-responses are bad (Misdirected bounces). Please read this FAQ and heed the advice contained in it.

Additional potential problems

(these factors do not directly result in spamcop listing)

System administrator has already delisted this system once

Because of the above problems, express-delisting is not available

Listing History

In the past 52.9 days, it has been listed 3 times for a total of 29 hours

Which means that you would not be receiving any "reports" or "notifications" as the 'problem' is spamtrap hits.

Also, I just received our 1st Alert from spamcop as I'm typing this request that our IP address 209.8.232.10 has been reported again in the past 1 hour.

This may or may not be connected to the original issue. As seen in the URL above, there haven't been enough "complaints" submitted yet to show up on the statistics page.

I'm thinking maybe one of our customers has set up an autoresponder but I'm not sure without seeing more info on why we got listed. I've also read the FAQ about "Misdirected bounces" and we are already using the qmail spamcontrol addon and we have the following options enabled:


I would again say .. check what's actually going out as far as your "auto-forwarding spamtrap" scenario goes.

What I don't see is that you looked at the SpamCop FAQ "here" to see all the additional data provided, to include info on how to attempt to get more data on a "hitting SpamCop.net spamtraps" issue.


Hi Wazoo,

Thank you for your thorough response!

The only thing to say here is that it would appear that you'd need to look at what's actually being sent out, easiest would be to CC: yourself on these forwarded items.
If we didn't process so much mail (over 400,000/day) and have over 7000 customers' forwarding rules, your suggestion would be very feasible. But then again, to locate 2 misdirected e-mails (if I'm reading the latest spamcop report correctly) will still be a very difficult task:

IP_Address	Start/Length	Trap	User	Mole	Simp	Comments	RDNS
209.8.232.10	Feb 22 04h/0	2	0	0	0	delisted manually, blocklisted	mail.beza.net

We have a FAQ which covers this topic: Why auto-responses are bad (Misdirected bounces). Please read this FAQ and heed the advice contained in it.
Before posting here, I did read the "FAQ topic: Misdirected Bounces" located here and this is why I posted our Qmail spamcontrol settings whereby qmail will not accept any messages unless a number of conditions have been met:

1. email account must be a valid account locally, otherwise message is not accepted

2. sending IP address is checked against 8 rbls including spamcop

3. message could be accepted and bounce only if the local user mailbox is full

4. message could be accepted and a customer's autoresponder replies back to a forged 'From' email header. If this occurs, the autoresponder does not enclose the original message which spammers are known to use to distribute their junk

5. greylisting is enabled and a number of other antispam counter measures

I would again say .. check what's actually going out as far as your "auto-forwarding spamtrap" scenario goes.
Any ideas on how I can begin to go about doing this? Without knowing what e-mail account caused this, it's almost impossible. At least can we get the e-mail address that sent this message? Or maybe a date/time, anything?

Once again, any help you can offer is very appreciated!

Thank you,

SW


The Report History for mail.beza.net [209.8.232.10] implies 11-20 SpamCop Spamtrap hits, and no actual SpamCop Reports. Please contact the SpamCop Deputies via deputies[at]spamcop.net, requesting help in stopping whatever is hitting the SpamCop Spamtraps and referencing this Topic's URL http://forum.spamcop.net/forums/index.php?showtopic=5996. Thanks!


Hi Jeff G.,

Thank you for the info. I will be sending an e-mail immediately in the hope someone can help us get to the bottom of this.

Thank you once again!

SW

Thank you for the info. I will be sending an e-mail immediately in the hope someone can help us get to the bottom of this.


Please be aware that at the last report we had, the deputies were very behind in their mail replies, so it may take a couple of days. Please be patient and try to provide as much information as possible so they can try to answer the questions with the least amount of interaction.

We are a hosting company and several days ago, I set up a few domains which we do not accept mail for to act as spam traps by forwarding all incoming mail to my spamcop account. Today, I got chewed out by my superiors who are blaming me that spamcop blacklisted our main mail server IP address 209.8.232.10 due to what I did two days ago.


In addition to the suggestions offered by others, you could have a mailhost problem. If you have not correctly configured the mailhosts then you can easily end up reporting yourself.

Andrew

We are a hosting company and several days ago, I set up a few domains which we do not accept mail for to act as spam traps by forwarding all incoming mail to my spamcop account. Today, I got chewed out by my superiors who are blaming me that spamcop blacklisted our main mail server IP address 209.8.232.10 due to what I did two days ago. :(

I would make certain you are forwarding to the correct address. Also, have you checked when you report these addresses to make certain that you are not reporting one of your own IP addresses?

As long as the emails are going to the right place, I don't see any way that this configuration could cause spamtrap hits, so at initial glance, I would say it is VERY unlikely that what you did caused the hit.

Let us know when you hear back from the deputies, as I would be very interested to know if this was coincidence, or if somehow your configuration caused spamtrap hits.

We are a hosting company and several days ago, I set up a few domains which we do not accept mail for to act as spam traps by forwarding all incoming mail to my spamcop account.


As others have not mentioned it yet, how did you forward these messages? If you simply did a redirect, then it will appear to the parser that your submit address is being spammed directly, rather than being a message you are trying to report. Generally, you need to forward as attachment.


Hi folks,

Thanks to everyone for their replies. Please see below for my response to everyone's replies:

Please be aware that the last report we had the deputies were very behind in their mail replies so it may take a couple days.
I'm still waiting to hear from someone. I just sent another request because I just got another spamcop alert, but I couldn't make much sense of it:

IP_Address	Start/Length	Trap	User	Mole	Simp	Comments	RDNS
209.8.232.10	new/0	0	0	0	0	delisted manually	mail.beza.net

We have already disabled all 'autoresponders' for all customers to prevent any possible abuse by spammers. We have also lowered the Spamguard threshold from 15 emails to 6 emails in 1 minute, which will cause the sender to be blacklisted (qmail badmailfrom), and we have increased spamassassin to the 'very aggressive' setting, thereby rejecting possible spam (even though this has created way too many false positives) at the SMTP level before it could cause issues with misdirected bounces due to forged 'return-paths'.

In addition to the suggestions offered by others, you could have a mailhost problem. If you have not correctly configured the mailhosts then you can easily end up reporting yourself.
I'm not sure what you are referring to in regards to 'mailhost problem'? Are you speaking about a qmail setting or something that needs to be set in spamcop?

In the meantime, we have stopped reporting any spam to spamcop until we hear back from someone at spamcop.

...how did you forward these messages? If you simply did a redirect, then it will appear to the parser that your submit address is being spammed directl...
The forwarding setting basically 'redirected' the message, so it was not submitted to spamcop as an attachment. We've stopped any further reporting... it's unfortunate because we were always very keen on reporting spam as soon as we got it to help everyone else out there who queries the spamcop rbl to ensure the spam doesn't get through for others.

So, I'm hoping the spamcop deputies can provide us with more information as to why we got listed and if it is a problem on our end, we will correct it ASAP.

thx,

SW

I'm not sure what you are referring to in regards to 'mailhost problem'? Are you speaking about a qmail setting or something that needs to be set in spamcop?


It's something you need to do when setting up your spam-reporting account. You tell SpamCop which servers you have accounts with and it finds all the MXs. If you don't do this you can end up reporting yourself, which, given your OP and your not forwarding as attachments, you may very well have done.

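Added illustration, not code from the thread or from SpamCop's actual parser: a simplified walk of the Received chain of a redirected message, showing why reporting with no mailhosts configured names your own forwarding server (the self-report the previous two replies warn about) and how a configured mailhost list changes the answer. Only mail.beza.net and 209.8.232.10 come from the thread; every other host, address and id is constructed.

```python
import re
from ipaddress import ip_address

# Constructed sample: the Received chain of a spam that arrived at a trap
# domain on mail.beza.net and was then *redirected* (not forwarded as an
# attachment) to a reporting address. Newest hop first, as in a real message.
# 198.51.100.7 is a documentation (TEST-NET-2) address standing in for the
# spammer's host; the reporting host and message ids are invented.
REDIRECTED_SPAM = """\
Received: from mail.beza.net (mail.beza.net [209.8.232.10])
  by submit-host.example (qmail) with ESMTP
  for <submit.abc123@reporting.example>; 22 Feb 2006 04:10:02 -0000
Received: from localhost (127.0.0.1)
  by localhost with SMTP; 22 Feb 2006 04:09:59 -0000
Received: from unknown (HELO dsl-pool.example) (198.51.100.7)
  by mail.beza.net with SMTP; 22 Feb 2006 04:09:58 -0000
From: "Bargains" <someone@somedomain.com>
To: <trap@spamtrap-domain.example>
Subject: buy now

body
"""

HOP_RE = re.compile(r"^Received:\s*from\s+(\S+)(.*?)\s+by\s+(\S+)", re.M)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_received(raw_message):
    """Return (from_host, from_ip, by_host) for each Received hop, newest first."""
    headers = raw_message.split("\n\n", 1)[0]
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join continuation lines
    hops = []
    for from_host, comment, by_host in HOP_RE.findall(unfolded):
        m = IP_RE.search(comment)
        hops.append((from_host, m.group(1) if m else None, by_host))
    return hops


def find_reportable_ip(raw_message, mailhosts):
    """Walk newest-first and return the first sending IP that is neither one of
    our own mailhosts (matched by name or IP) nor loopback. With an empty
    mailhost set the very first hop, our own forwarding server, is returned."""
    for from_host, from_ip, _by_host in parse_received(raw_message):
        if from_ip is None:
            continue
        try:
            addr = ip_address(from_ip)
        except ValueError:  # garbage inside the comment, not an address
            continue
        if addr.is_loopback or from_host in mailhosts or from_ip in mailhosts:
            continue
        return from_ip
    return None


def is_self_report(raw_message, mailhosts, own_ips):
    """True when the hop we would report belongs to our own server."""
    return find_reportable_ip(raw_message, mailhosts) in own_ips


if __name__ == "__main__":
    own = {"mail.beza.net", "209.8.232.10"}
    print("no mailhosts configured ->", find_reportable_ip(REDIRECTED_SPAM, set()))
    print("mailhosts configured    ->", find_reportable_ip(REDIRECTED_SPAM, own))
```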
We have already disabled all 'autoresponders' for all customers to prevent any possible abuse by spammers. We have also lowered the Spamguard threshold from 15 emails to 6 emails in 1 minute, which will cause the sender to be blacklisted (qmail badmailfrom), and we have increased spamassassin to the 'very aggressive' setting, thereby rejecting possible spam (even though this has created way too many false positives) at the SMTP level before it could cause issues with misdirected bounces due to forged 'return-paths'.


This could be your problem right here. You should not be sending NDRs. This is considered unacceptable by current best practices. If you cannot deliver an email for some reason (invalid email address, full mailbox, etc.) you should reject the message during the SMTP session with a 500 series error; this way the sending server is responsible for generating the NDR and there is no possibility of misdirecting a bounce to a forged return path. If you are unable to reject during the SMTP session because of some limitation in your mail software, you should simply discard the message without generating an NDR.

Misdirected NDRs ARE considered spam, and are a very common culprit when all you see is spam trap hits with no actual spam reports. I think some of the spamtraps may have been compromised and the spammers are intentionally using them as return paths to cause problems.

We have already disabled all 'autoresponders' for all customers to prevent any possible abuse by spammers. We have also lowered the Spamguard threshold from 15 emails to 6 emails in 1 minute, which will cause the sender to be blacklisted (qmail badmailfrom), and we have increased spamassassin to the 'very aggressive' setting, thereby rejecting possible spam (even though this has created way too many false positives) at the SMTP level before it could cause issues with misdirected bounces due to forged 'return-paths'.
This could be your problem right here.


...Sorry, what could?
You should not be sending NDRs.

<snip>


...Isn't the OP saying he is avoiding precisely that mistake? To repeat:
<snip> we have increased spamassassin to the 'very aggressive' setting, thereby rejecting possible spam (even though this has created way too many false positives) at the SMTP level before it could cause issues with misdirected bounces due to forged 'return-paths'.


The way the OP phrased it, it sounds like they are only rejecting items that SpamAssassin catches rather than anything to an invalid email box. Perhaps the phrasing is a bit ambiguous.

Could the OP please clarify: if a mail comes in that SpamAssassin does not catch and is destined for a mailbox that does not exist, are you sending an NDR to the envelope return-path, or are you rejecting with a 500 error?

...If you cannot deliver an email for some reason (invalid email address, full mailbox, etc) you should reject the message during the SMTP session with a 500 series error...
This is exactly what we are doing: rejecting messages at the SMTP level if they fall into one of the following criteria:

- User's mailbox does NOT exist

- User's mailbox full (we are currently beta testing this feature, but in the meantime, we are monitoring all customers' mailboxes & increasing them to prevent bounced messages after the mail server accepts a message because the mailbox is full)

- Spamassassin (SA) filtering at the SMTP level (rather than run SA after the message has been accepted)

Currently, we are working on finding a way to prevent the following 'possible' problem:

Our hosting customers have a number of antispam settings to choose from, which include "Delete", "Deliver" or "Move" messages that are identified as spam by SA. If they select to 'Deliver' the spam-identified message, then SA is set up to re-write the subject (*****spam******), place the following info (see below) and attach the original message as an attachment prior to delivering the message to the customer's mailbox:

spam detection software, running on the localhost, has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email...

Content analysis details:  (16.4 points, 7.0 required)

Now typically this is not a problem... but it does become a problem if our hosting customer has set up to forward all incoming mail (even messages identified by SA as spam) to a third party mail provider (ie AOL, Yahoo, personal ISP, etc.). In this case, our mail servers will forward the Spamassassin notice which contains the original email as an attachment to the address they listed to forward all incoming mail to.

AOL for example, will reject the message as "containing URL reported by aol members as spam...". Once this message is rejected by aol, our mail server tries to send a rejection notice back to the original sender (which can be forged by spammers). We are working on finding a way to stop these messages from being sent but in the meantime, we have always stripped the original spam message and only send the following notice (in case it makes it to an innocent person who never sent the message):

We were unable to deliver your message. Please see below for more information on the possible cause for this failure:

<AOL Server error message goes here>

--- Enclosed are the original headers of the message.

Return-Path: <someone[at]somedomain.com>
Received: (qmail 12523 invoked by uid 399); 1 Mar 2006 14:14:25 -0000
Received: from localhost (127.0.0.1) by localhost with SMTP; 1 Mar 2006 14:14:25 -0000

(Body suppressed)

So, the body of the message is NEVER sent back just in case the message was spam.

SW


If AOL rejects a message to one of your customers in common as containing spam, the best thing to do is to drop the reject message on the floor (and report the original message as spam if you have the time), as it's highly improbable that the reject message would actually reach the original message's true sender.

Edited by Jeff G.

If AOL rejects a message to one of your customers in common as containing spam, the best thing to do is to drop the reject message on the floor (and report the original message as spam if you have the time), as it's highly improbable that the reject message would actually reach the original message's true sender.


Hi Jeff,

We are currently looking at what's the best method to implement this. If anyone here has any suggestions on ways to implement this in a qmail environment, we would appreciate their input.

In the meantime, I have just heard back from the spamcop deputies, who have inquired about additional information. I provided what they asked for... and I'm not sure why they did not check the link to this posting which was enclosed in my original request back on Feb 22nd... but in any case, I'll report back once we have more information.

thx,

SW
