
Identifying the source of spam


emc chris


Hi,

We are a legitimate email marketing company, and just recently are regularly experiencing spamcop blocks.

I have signed up for reports on our IPs but am only receiving information on the IP becoming blocked, not the reported email.

I have a postmaster[at] address which is not receiving anything from spamcop, and last week sent an email to abuse.net requesting that another address be made responsible (though checking on their website, this change hasn't been made).

How can more information be obtained? Without knowing which email was possibly sent unsolicited there is no way that I can identify the customer.

FYI, the currently blocked IP is 194.154.181.117, and also frequently blocked is 194.154.181.116.

Any help appreciated.

Thanks,

Chris.


http://www.spamcop.net/w3m?action=checkblo...194.154.181.117

194.154.181.117 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 7 hours.

Causes of listing

SpamCop users have reported system as a source of spam less than 10 times in the past week

Listing History

In the past 6.1 days, it has been listed 3 times for a total of 2.1 days

Other hosts in this "neighborhood" with spam reports

194.154.181.116 194.154.181.119

http://www.senderbase.org/?searchBy=ipaddr...194.154.181.117

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day        4.4         703%
Last 30 days    4.1         242%
Average         3.5

http://www.spamcop.net/sc?track=194.154.181.117

Parsing input: 194.154.181.117

host 194.154.181.117 = mail2.mxmfb.com (cached)

host 194.154.181.117 = mail2.mxmfb.com (cached)

Routing details for 194.154.181.117

[refresh/show] Cached whois for 194.154.181.117 : abuse[at]gxn.net

Using abuse net on abuse[at]gxn.net

abuse net gxn.net = abuse[at]gxn.net

Using best contacts abuse[at]gxn.net

Tracking details

Display data:

"whois 194.154.181.117[at]whois.ripe.net" (Getting contact from whois.ripe.net)

whois.ripe.net found abuse contacts for 194.154.181.117 = abuse[at]gxn.net

whois: 194.154.181.96 - 194.154.181.127 = abuse[at]gxn.net

Routing details for 194.154.181.117

Using abuse net on abuse[at]gxn.net

abuse net gxn.net = abuse[at]gxn.net

Using best contacts abuse[at]gxn.net

Reports routes for 194.154.181.117:

routeid:14195409 194.154.181.96 - 194.154.181.127 to:abuse[at]gxn.net

Administrator found from whois records

http://www.senderbase.org/?sb=1&search...194.154.181.119

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day        3.8         341%
Last 30 days    3.3         52%
Average         3.1

See the SpamCop FAQ at the top of this very page and look for entries like:

Why am I Blocked?

What is on the list?


Tracking details

Display data:

"whois 194.154.181.117[at]whois.ripe.net" (Getting contact from whois.ripe.net)

whois.ripe.net found abuse contacts for 194.154.181.117 = abuse[at]gxn.net

whois: 194.154.181.96 - 194.154.181.127 = abuse[at]gxn.net

Routing details for 194.154.181.117

Using abuse net on abuse[at]gxn.net

abuse net gxn.net = abuse[at]gxn.net

Using best contacts abuse[at]gxn.net

Is there a way to add another abuse contact for our IPs? Rather than our upstream provider?


We are a legitimate email marketing company, and just recently are regularly experiencing spamcop blocks.

Legitimate means that you use confirmed subscription and other best practices.

Is there a way to add another abuse contact for our IPs? Rather than our upstream provider?

I am not experienced enough to be able to see if your upstream provider is receiving the reports because of the way the parser works or because someone noticed that reports of spam were going to the spammer and requested that reports go upstream. The reason for not sending reports to those who are sending the unsolicited email is because, often, all the report recipient does is remove the reporter's name. This action is called listwashing and does nothing to help others who are getting email that they did not request.

Since spammers have been using the reports to evade the bl, there is little likelihood that you can get the reports from spamcop. You can get them from your upstream provider. If you share those IP addresses with others, it may not be your emails that are causing the reports. Again, your upstream provider is the one who can do something about that.

An increase in the senderbase statistics usually means that there is a compromised machine that is spewing spam.

Perhaps someone will find some report history for you so that you can see if the subjects are the subjects of your emails.

The above information will, I hope, help you in any discussion of your problem. If you have some knowledge of how spamcop works (and how email works; at least you do know about abuse.net, so perhaps you do. You would be surprised how many of those who are engaged in ebusiness don't), then there are people on this forum who will be able to give you some good advice. The first thing they will want to know is whether you follow good practices or not (there is a link in the FAQ). If you are running your own server, then you might check out the admin section of the Why Am I Blocked? FAQ to make sure that your servers are secure. Also check your firewall logs, because compromised machines don't use Port 25. The most knowledgeable and most helpful will want to know a lot of detail. You are talking to shade tree mechanics here, not customer service.

Miss Betsy


Legitimate means that you use confirmed subscription and other best practices.

Where possible it is something we endeavour to ensure our clients do. It is entirely possible that some slip through the net and go against our policy, using lists that are obtained from alternative sources. Of course this is hard to pinpoint down to a client without email subjects that we can look up, and even with this data there are a huge number of false spam reports being made by opt-in subscribers.

Perhaps someone will find some report history for you so that you can see if the subjects are the subjects of your emails.

This would certainly prove useful, though I am confused regarding abuse.net. From the FAQ, I was led to believe that requesting a new point of contact for a domain would result in the relevant abuse emails being sent there?

A report history can help now, but I am also looking for a more permanent solution to solving this problem.


Where possible it is something we endeavour to ensure our clients do. It is entirely possible that some slip through the net and go against our policy, using lists that are obtained from alternative sources.

I have a feeling that until you do something so that your clients use best practices that you will continue to be listed. Your comment about many opt-in subscribers reporting is not a good indicator either. Perhaps they didn't really opt-in, perhaps they never got a confirmation email, perhaps the unsubscribe doesn't seem to work (people expect to unsubscribe and not receive any more email - not wait a month).

I would think it would be very easy to verify that clients are using confirmed subscription. You send the confirmation email and you have the list. You also are able to deal with bounces. Verifying that unsubscribes work might require a little more effort.

I am confused regarding abuse.net. From the FAQ, I was led to believe that requesting a new point of contact for a domain would result in the relevant abuse emails being sent there?

You will have to point to the FAQ or quote it to be sure, but I think that sometimes reports go upstream because the parser can't find a good address on its first look up. Registering a good address with abuse.net will help that problem. It won't help if reports are going upstream for another problem.

Miss Betsy


As you stated, all reports are going upstream:

Report History:

Submitted: Monday, July 31, 2006 1:43:28 PM -0400:

Nokia CK7W

1858970414 ( 194.154.181.117 ) To: spamcop[at]imaphost.com

1858970409 ( http://mxmodd.mxmfb.com/action.php?values=/clic... ) To: abuse[at]gxn.net

1858970403 ( 194.154.181.117 ) To: abuse[at]gxn.net

--------------------------------------------------------------------------------

Submitted: Thursday, July 27, 2006 1:26:39 PM -0400:

Reduce your monthly outgoings

1854182562 ( http://mxmodd.mxmfb.com/action.php?values=/opt/... ) To: mole[at]devnull.spamcop.net

1854182552 ( http://mxmodd.mxmfb.com/action.php?values=/clic... ) To: mole[at]devnull.spamcop.net

1854182537 ( 194.154.181.117 ) To: mole[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Wednesday, July 26, 2006 2:24:50 AM -0400:

Recycle

1852163913 ( 194.154.181.117 ) To: spamcop[at]imaphost.com

1852163912 ( http://mxmodd.mxmfb.com/action.php?values=/clic... ) To: abuse[at]gxn.net

1852163911 ( http://mxmodd.mxmfb.com/action.php?values=/clic... ) To: abuse[at]gxn.net

1852163909 ( 194.154.181.117 ) To: abuse[at]gxn.net

--------------------------------------------------------------------------------

Submitted: Tuesday, July 25, 2006 7:50:35 AM -0400:

Recycle

1851030850 ( 194.154.181.117 ) To: spamcop[at]imaphost.com

1851030834 ( http://mxmodd.mxmfb.com/action.php?values=/clic... ) To: abuse[at]gxn.net

1851030828 ( http://mxmodd.mxmfb.com/action.php?values=/clic... ) To: abuse[at]gxn.net

1851030817 ( 194.154.181.117 ) To: abuse[at]gxn.net

--------------------------------------------------------------------------------

Submitted: Friday, July 21, 2006 1:10:20 AM -0400:

Next - End of Season Sale

1845256736 ( http://www.next.co.uk/stores ) To: bt[at]admin.spamcop.net

1845256735 ( 194.154.181.117 ) To: spamcop[at]imaphost.com

1845256733 ( http://mxmodd.mxmfb.com/action.php?values=/clic... ) To: abuse[at]gxn.net

1845256729 ( 194.154.181.117 ) To: abuse[at]gxn.net

---------

and for 194.154.181.116:

Report History:

Submitted: Friday, July 28, 2006 12:27:25 PM -0400:

Next Sale - 70% Off In-store and Online

1855416686 ( http://www.next.co.uk/ ) To: bt[at]admin.spamcop.net

1855416678 ( 194.154.181.116 ) To: spamcop[at]imaphost.com

1855416672 ( http://mxmodd.mxmfb.com/action.php?values=/clic... ) To: abuse[at]gxn.net

1855416668 ( 194.154.181.116 ) To: abuse[at]gxn.net

--------------------------------------------------------------------------------

Submitted: Tuesday, July 25, 2006 8:59:03 AM -0400:

Reduce your monthly outgoings

1851106603 ( 194.154.181.116 ) To: spamcop[at]imaphost.com

1851106588 ( http://mxmodd.mxmfb.com/action.php?values=/opt/... ) To: abuse[at]gxn.net

1851106583 ( http://mxmodd.mxmfb.com/action.php?values=/clic... ) To: abuse[at]gxn.net

1851106574 ( 194.154.181.116 ) To: abuse[at]gxn.net

--------------------------------------------------------------------------------

Submitted: Tuesday, July 25, 2006 7:39:28 AM -0400:

Reduce your monthly outgoings

1851027294 ( 194.154.181.116 ) To: abuse[at]gxn.net

--------------------------------------------------------------------------------

Submitted: Monday, July 24, 2006 1:13:35 PM -0400:

Recycle

1849926890 ( 194.154.181.116 ) To: spamcop[at]imaphost.com

1849926873 ( http://mxmodd.mxmfb.com/action.php?values=/clic... ) To: abuse[at]gxn.net

1849926869 ( 194.154.181.116 ) To: abuse[at]gxn.net

--------------------------------------------------------------------------------

Submitted: Wednesday, July 19, 2006 3:04:36 AM -0400:

TomTom

1842722234 ( 194.154.181.116 ) To: spamcop[at]imaphost.com

1842722233 ( http://mxmodd.mxmfb.com/action.php?values=/clic... ) To: abuse[at]gxn.net

1842722232 ( http://mxmodd.mxmfb.com/action.php?values=/clic... ) To: abuse[at]gxn.net

1842722227 ( 194.154.181.116 ) To: abuse[at]gxn.net

--------------------------------------------------------------------------------

Submitted: Monday, July 17, 2006 5:52:11 PM -0400:

TomTom

1840972078 ( 194.154.181.116 ) To: spamcop[at]imaphost.com

1840972077 ( http://mxmodd.mxmfb.com/action.php?values=/clic... ) To: abuse[at]gxn.net

1840972076 ( 194.154.181.116 ) To: abuse[at]gxn.net

--------------------------------------------------------------------------------

Submitted: Friday, July 14, 2006 9:25:27 AM -0400:

Hello From TravelOwl

1837490379 ( http://mxmodd.mxmfb.com/action.php?values=/clic... ) To: mole[at]devnull.spamcop.net

1837490373 ( 194.154.181.116 ) To: mole[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Friday, July 07, 2006 5:47:31 AM -0400:

ANDREW - clear those persistent credit bills

1828923041 ( 194.154.181.116 ) To: abuse[at]gxn.net

--------------------------------------------------------------------------------

Submitted: Thursday, July 06, 2006 1:26:38 PM -0400:

KATHARINE - clear those persistent credit bills

1828032091 ( 194.154.181.116 ) To: abuse[at]gxn.net

--------------------------------------------------------------------------------

Submitted: Thursday, July 06, 2006 10:20:28 AM -0400:

IAN - clear those persistent credit bills

1827919315 ( 194.154.181.116 ) To: spamcop[at]imaphost.com

1827919294 ( http://mxmodd.mxmfb.com/action.php?values=/opt/... ) To: abuse[at]gxn.net

1827919286 ( 194.154.181.116 ) To: abuse[at]gxn.net

I would say quite a few of these look like everyday spam....

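To make the routing pattern in those listings machine-checkable, here is an added parser (not SpamCop's code and not from anyone in this thread) for the Report History format quoted above. The sample text is constructed from a few of the entries, and the summary shows, per sending IP, which addresses received the reports and under which subject lines.

```python
import re
from collections import Counter

# Constructed sample in the layout of the "Report History" listing above
# (the forum renders "@" as "[at]"; the parser undoes that obfuscation).
SAMPLE = """Report History:

Submitted: Monday, July 31, 2006 1:43:28 PM -0400:

Nokia CK7W

1858970414 ( 194.154.181.117 ) To: spamcop[at]imaphost.com
1858970403 ( 194.154.181.117 ) To: abuse[at]gxn.net

--------------------------------------------------------------------------------

Submitted: Thursday, July 27, 2006 1:26:39 PM -0400:

Reduce your monthly outgoings

1854182537 ( 194.154.181.117 ) To: mole[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Tuesday, July 25, 2006 8:59:03 AM -0400:

Reduce your monthly outgoings

1851106603 ( 194.154.181.116 ) To: spamcop[at]imaphost.com
1851106574 ( 194.154.181.116 ) To: abuse[at]gxn.net
"""

# One report line: "<report id> ( <IP or URL> ) To: <recipient>"
REPORT_RE = re.compile(r"^(\d+) \( (\S+) \) To: (\S+)$")


def parse_history(text):
    """Split a Report History listing into submissions with their report lines."""
    records, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Submitted: "):
            current = {"submitted": line[11:].rstrip(":"), "subject": None, "reports": []}
            records.append(current)
        elif current is None or not line or line.startswith("-"):
            continue  # listing header, blank line or separator
        elif current["subject"] is None:
            current["subject"] = line  # first text line after the date is the subject
        elif m := REPORT_RE.match(line):  # (report_id, target, recipient)
            current["reports"].append((m[1], m[2], m[3].replace("[at]", "@")))
    return records


def summarize_ip(records, ip):
    """For one IP: who received reports against it, and under which subjects."""
    recipients, subjects = Counter(), Counter()
    for r in records:
        hits = [to for _, target, to in r["reports"] if target == ip]
        if hits:
            recipients.update(hits)
            subjects[r["subject"]] += 1
    return {"recipients": recipients, "subjects": subjects}
```

Running it over the sample confirms the point made in the thread: every report against the IP itself goes to the RIPE abuse contact or stays inside SpamCop, and nothing is addressed to the sending domain's postmaster.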

In the days of old, there once was an official FAQ entry that covered this scenario. As I recollect, the general guideline was that a /24 was the 'easy' threshold to get routing set to 'yourself' .... Failing that, then there was some work needed to be done to get the approval of the IP block owner to have some IPAs rereferenced to another reporting location. That FAQ entry has been 'hidden' .. a long, long time ago, I was attempting to build yet another interface to the FAQ here (using a tool that has not been updated to work with this version of the Forum application) in which I spent a lot of time trying to work out issues with the original/official FAQ, correct some items, add other items, etc. etc. etc. ... The data in the original FAQ entry now hidden was determined to be "no longer required/applicable" by the powers that be .... so here we are once again, a Frequently Asked Question that has been determined by the paid staff as an item that does not need a FAQ entry .... in theory, the current ISP Control Center was the item that was to be the solution ... though I really haven't seen that anyone is happy with that result ....


....in theory, the current ISP Control Center was the item that was to be the solution ... though I really haven't seen that anyone is happy with that result ....

Since spamcop is the only (or one of a very few) bls that even inform the admin of the IP address that there is potential for being blocked and because there are fewer and fewer admins being informed who really care whether or not there is spam coming from their servers, my conjecture is that TPTB think that where the reports go is not very important. The responsible, competent admins will either be alerted by some alarm on their own or will have a good relationship with the report recipient so that the reports are forwarded to them.

As Wazoo said, not everyone agrees. While my conjecture may be way off base and the real reason is purely technical, the way to get reports is to deal with the report recipient. You can surely understand that whatever the reasons for where the reports go, spamcop does not want to be sending them to the spammer or providing the spammer with information to evade the bl. Like stores that require little old ladies to show their ids to cash a check, there are no exceptions.

Miss Betsy


Reports are not going "upstream". Reports are going to the owner of the IP address, exactly as they are supposed to. Reports are not sent to the owner of a "domain" because there can be literally thousands of domains hosted on a single IP address, and there would be no way to determine which one to send to. Also, since anyone can register a domain, there would be no way to ensure that the domain owner is not a run of the mill spammer.

However, it is up to the IP address's owner to take action on those reports. You should be informed by your ISP when your ISP gets abuse reports that concern you. Some ISPs forward the entire report, many do not, especially if they suspect that you are spamming. Some will simply tell you that they have received abuse reports against you, and that you need to stop or they will terminate your contract for TOS violations.

I would also have to agree with dra007 on this, it appears to me to be standard spammy subject lines on your messages. I would be willing to bet that the senders would have trouble producing proof of confirmation for those subscriptions.

Edit: One other thought, if you are leasing a sizable chunk of IPs from GXN, then they should SWIP you into the WHOIS info. If they did that, it is possible that spamcop would pick up the new contact info automatically, and even if it didn't it probably wouldn't be hard to have them manually approve it as long as it showed up in the WHOIS for that IP range. I don't know what RIPE's policy is, but with ARIN any block /29 or larger MUST be either SWIPed or listed on an RWHOIS server.
