hhlaw Posted August 28, 2006

Hello,

We are a law firm using email server services of lunarpages.com. During the last week we have greatly suffered from our emails being returned due to spamcop blocking and are not receiving emails although we know the people are sending them to us. The blocking was removed after a couple of days but now it returned.

Our domain is hh-law.co.il

We are obviously not spammers and spamcop are causing us enormous damages. We require your advice regarding permanently removing us from any kind of spamcop listings and verifying that problem will not return.

We will appreciate your immediate reply. I can be contacted via my office email (the blocked one) - tal.p[at]hh-law.co.il or my personal mail at ta_per[at]hotmail.com.

Attached is an example of a blocking message we've received:

From: Mail Delivery System [mailto:Mailer-Daemon[at]gioho.lunarpages.com]
Sent: Monday, August 28, 2006 10:12 AM
To: amos.hacmun[at]hh-law.co.il
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

kobyc[at]chaos2000.co.il
SMTP error from remote mail server after RCPT TO:<kobyc[at]chaos2000.co.il>:
host mailin.barak.net.il [212.150.49.2]: 530 5.7.1 Blocked - see http://www.spamcop.net/bl.shtml?216.193.248.183: kobyc[at]chaos2000.co.il

------ This is a copy of the message, including all the headers. ------

Return-path: <amos.hacmun[at]hh-law.co.il>
Received: from [192.116.245.75] (helo=Amosh) by gioho.lunarpages.com with esmtpa (Exim 4.52) id 1GHcED-0005Bu-9V for kobyc[at]chaos2000.co.il; Mon, 28 Aug 2006 01:12:19 -0700
Reply-To: <amos.hacmun[at]hh-law.co.il>
From: "Amos Hacmun, Adv." <amos.hacmun[at]hh-law.co.il>
To: "'Koby Cohen'" <kobyc[at]chaos2000.co.il>
Subject: FW: Chaos - H&O
Date: Mon, 28 Aug 2006 11:21:36 +0200
Organization: Heskia - Hacmun Law Firm
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_001A_01C6CA94.24755E40"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
Thread-index: AcbJ+nNlaavgY7uySEyyV7+vuNSWOQAfzLxQAAJsBjA=

This is a multi-part message in MIME format.

agsteele Posted August 28, 2006

I presume you have followed the link you provided which reveals the following:

Causes of listing
* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Additional potential problems (these factors do not directly result in spamcop listing)
* DNS error: 216.193.248.183 is gioho.lunarpages.com but gioho.lunarpages.com has no DNS information

Because of the above problems, express-delisting is not available

Checking the reports it is evident that the mail server is bouncing undeliverable message reports and these are what are causing the listings. See http://www.spamcop.net/fom-serve/cache/329.html for more information. You should work with your ISP or your Email manager if you run the server yourselves to turn off message bouncing.

Additionally the ISP does not accept notification of problem reports which means that you and they will not be getting the advanced warning of a problem.

ISP does not wish to receive report regarding 216.193.248.183
ISP does not wish to receive reports regarding http://216.193.248.183/ - no date available

Because you are sharing this mail server with the other customers of lunarpages the listing may be caused by a completely different customer. You should work with lunarpages to resolve the problem, switch your mail service to another company, or run your own mail server so that you have full control and are not at the mercy of other Email users.

Andrew

Wazoo Posted August 28, 2006

The SpamCopDNSBL is "automatic" .. meaning that if an IP address is seen spewing bad e-mail in a noticeable proportion to good e-mail, it gets listed. When the spew stops, it gets de-listed. Explained in the SpamCop FAQ here, in the Pinned entry "Why am I Blocked?" ... among other places, to include the numerous previous posts/discussions within this Forum section alone.

http://www.spamcop.net/w3m?action=checkblo...216.193.248.183

216.193.248.183 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 7 hours.

Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Additional potential problems
DNS error: 216.193.248.183 is gioho.lunarpages.com but gioho.lunarpages.com has no DNS information

http://www.senderbase.org/?searchBy=ipaddr...216.193.248.183

Volume Statistics for this IP
               Magnitude   Vol Change vs. Average
Last day       3.7         -56%
Last 30 days   3.4         -75%
Average        4.0

SenderBase's "Magnitude" Explained suggests 10-13 thousand e-mails a day. If all of these e-mails are not from your office, then you are apparently using a shared e-mail server.

As stated, spamtrap hits do not generate a notification, but it is also seen that one of the ISP's (your immediate upstream) has decided to not receive any notifications anyway. Apparently, you're going to have to advise them that they have a problem. The link you provided has entries dealing with Misdirected Bounces .... the SpamCop FAQ 'here' offers up more entries/explanation on "Why am I Blocked?" issues .....

Parsing input: 216.193.248.183
host 216.193.248.183 = gioho.lunarpages.com (cached)
host 216.193.248.183 = gioho.lunarpages.com (cached)
ISP does not wish to receive report regarding 216.193.248.183
ISP does not wish to receive reports regarding http://216.193.248.183/ - no date available
Routing details for 216.193.248.183
Cached whois for 216.193.248.183 : hostmaster[at]lunarpages.com abuse[at]mzima.net
Using abuse net on hostmaster[at]lunarpages.com
abuse net lunarpages.com = abuse[at]lunarpages.com
Using abuse net on abuse[at]mzima.net
abuse net mzima.net = abuse[at]mzima.net
Using best contacts abuse[at]mzima.net abuse[at]lunarpages.com

Reports routes for 216.193.248.183:
routeid:21423786 216.193.192.0 - 216.193.255.255 to:abuse[at]mzima.net
Administrator found from whois records
routeid:13110489 216.193.248.0 - 216.193.248.255 to:hostmaster[at]lunarpages.com
Administrator found from whois records
Removing old cache entries.

Tracking details
Display data:
"whois 216.193.248.183[at]whois.arin.net" (Getting contact from whois.arin.net )
checking NET-216-193-248-0-1
"whois NET-216-193-248-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )
216.193.248.0 - 216.193.248.255:hostmaster[at]lunarpages.com
whois.arin.net contact: hostmaster[at]lunarpages.com
checking NET-216-193-192-0-1
"whois NET-216-193-192-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse[at]mzima.net
216.193.192.0 - 216.193.255.255:abuse[at]mzima.net
Routing details for 216.193.248.183
Using abuse net on hostmaster[at]lunarpages.com
abuse net lunarpages.com = abuse[at]lunarpages.com
Using abuse net on abuse[at]mzima.net
abuse net mzima.net = abuse[at]mzima.net
Using best contacts abuse[at]mzima.net abuse[at]lunarpages.com

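The lookup behind the rejection lines quoted in this thread, as an added example that is not part of any poster's message and not SpamCop's own code: it pulls the listed address out of a "Blocked - see ..." rejection, builds the DNSBL query name (octets reversed, list zone appended), and compares the listed address with the machine that submitted the message. All function names are hypothetical, and `constructed_resolver` is a stand-in for DNS so the block runs offline.

```python
import ipaddress
import re
import socket

# Rejection text copied from the two bounces quoted in this thread.
EXIM_BOUNCE = (
    "SMTP error from remote mail server after RCPT TO:<kobyc[at]chaos2000.co.il>: "
    "host mailin.barak.net.il [212.150.49.2]: 530 5.7.1 Blocked - see "
    "http://www.spamcop.net/bl.shtml?216.193.248.183: kobyc[at]chaos2000.co.il\n"
    "Received: from [192.116.245.75] (helo=Amosh) by gioho.lunarpages.com "
    "with esmtpa (Exim 4.52)\n"
)
QMAIL_BOUNCE = (
    "213.149.32.10 does not like recipient. Remote host said: 553 Blocked - see "
    "http://www.spamcop.net/bl.shtml?209.61.218.134\n"
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
BLOCK_RE = re.compile(
    r"(?P<code>[45]\d\d)(?: (?P<enh>\d\.\d+\.\d+))? Blocked - see "
    r"http://www\.spamcop\.net/bl\.shtml\?(?P<ip>" + IPV4 + r")"
)
RECEIVED_RE = re.compile(r"^Received: from [^\n]*?(" + IPV4 + r")", re.M)


def parse_rejection(text):
    """Return SMTP code, enhanced status code and listed IP, or None."""
    m = BLOCK_RE.search(text)
    if not m:
        return None
    try:
        ipaddress.IPv4Address(m["ip"])  # reject strings such as 999.1.1.1
    except ValueError:
        return None
    return {"code": m["code"], "enhanced": m["enh"], "listed_ip": m["ip"]}


def dnsbl_name(ip, zone="bl.spamcop.net"):
    """DNSBL convention: reverse the octets and append the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_status(ip, resolve=socket.gethostbyname, zone="bl.spamcop.net"):
    """Return the list's 127.0.0.x answer, or None when there is none."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return None  # NXDOMAIN (not listed) or a resolver failure
    # Ignore answers outside 127.0.0.0/8, e.g. from an NXDOMAIN-rewriting resolver.
    return answer if answer.startswith("127.") else None


def diagnose(text, resolve=socket.gethostbyname):
    """Summarise one bounce: what was listed, and is it the sender's own host?"""
    result = parse_rejection(text)
    if result is None:
        return None
    client = RECEIVED_RE.search(text)
    result["query"] = dnsbl_name(result["listed_ip"])
    result["answer"] = dnsbl_status(result["listed_ip"], resolve)
    # A listed address that differs from the submitting client is the
    # provider's outbound server, shared with its other customers.
    result["listed_is_relay"] = (
        None if client is None else client.group(1) != result["listed_ip"]
    )
    return result


def constructed_resolver(name):
    """Constructed stand-in for DNS; mirrors the 127.0.0.2 answer quoted above."""
    if name == "183.248.193.216.bl.spamcop.net":
        return "127.0.0.2"
    raise socket.gaierror("constructed NXDOMAIN")


if __name__ == "__main__":
    for bounce in (EXIM_BOUNCE, QMAIL_BOUNCE):
        print(diagnose(bounce, constructed_resolver))
```

Calling `diagnose(text)` without the second argument uses the system resolver and so reflects the live state of the list rather than the state quoted in the thread.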
Derek T Posted August 28, 2006

The ISP you have chosen to provide important services and to whom you pay your firm's good money obviously doesn't give a damn about providing those services. I suggest you find one who does. But as Israel is a major source of spam and is home to the world's most notorious spammer, I don't know how easy that will be.

dra007 Posted August 28, 2006

As pointed out, most reports are spamtrap hits, though peppered with an occasional phisher:

Report History:
--------------------------------------------------------------------------------
Submitted: Tuesday, August 22, 2006 2:22:17 AM -0400:
Mail delivery failed: returning message to sender
1886812104 ( 216.193.248.183 ) To: uube[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Saturday, August 19, 2006 9:23:44 PM -0400:
Mail delivery failed: returning message to sender
1883519889 ( 216.193.248.183 ) To: uube[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Wednesday, August 16, 2006 5:40:18 PM -0400:
Mail delivery failed: returning message to sender
1879413504 ( 216.193.248.183 ) To: abuse[at]lunarpages.com
--------------------------------------------------------------------------------
Submitted: Wednesday, August 16, 2006 2:40:16 AM -0400:
[at]tonyawise.com
1878960776 ( 216.193.248.183 ) To: spamcop[at]imaphost.com
1878960763 ( http://www.tonyawise.com/ ) To: abuse[at]lunarpages.com
1878960751 ( 216.193.248.183 ) To: abuse[at]lunarpages.com
--------------------------------------------------------------------------------
Submitted: Monday, August 07, 2006 5:35:17 PM -0400:
Mail delivery failed: returning message to sender
1867986386 ( 216.193.248.183 ) To: uube[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Monday, August 07, 2006 3:08:14 PM -0400:
Mail delivery failed: returning message to sender
1867857404 ( 216.193.248.183 ) To: uube[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Tuesday, July 18, 2006 7:11:01 PM -0400:
Account Suspension Warning
1842335452 ( http://200.86.73.84:84/paypal.wbscr.secureauthe... ) To: gerencia[at]vtr.cl
1842335450 ( http://200.86.73.84:84/paypal.wbscr.secureauthe... ) To: postmaster#vtr.cl[at]devnull.spamcop.net
1842335447 ( http://200.86.73.84:84/paypal.wbscr.secureauthe... ) To: lsoto[at]vtr.cl
1842335441 ( http://200.86.73.84:84/paypal.wbscr.secureauthe... ) To: dominios[at]vtr.cl
1842335433 ( 216.193.248.183 ) To: spamcop[at]imaphost.com
1842335426 ( 216.193.248.183 ) To: abuse[at]lunarpages.com
--------------------------------------------------------------------------------
Submitted: Friday, July 14, 2006 9:16:06 AM -0400:
Mail delivery failed: returning message to sender
1837124262 ( Forwarded spam ) To: [concealed user-defined recipient]
1837124242 ( 216.193.248.183 ) To: spamcop[at]imaphost.com
1837124217 ( 216.193.248.183 ) To: abuse[at]lunarpages.com
--------------------------------------------------------------------------------
Submitted: Wednesday, June 28, 2006 11:38:19 AM -0400:
Mail delivery failed: returning message to sender
1816778549 ( 216.193.248.183 ) To: uube[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Monday, May 29, 2006 10:36:28 PM -0400:
1770620184 ( Forwarded spam ) To: [concealed user-defined recipient]
1770620178 ( 216.193.248.183 ) To: spamcop[at]imaphost.com
1770620164 ( 216.193.248.183 ) To: abuse[at]lunarpages.com

StevenUnderwood Posted August 28, 2006

> During the last week we have greatly suffered from our emails being returned due to spamcop blocking and are not receiving emails although we know the people are sending them to us.

Others have made responses, but I noticed one thing about your question: You are talking about 2 different processes above.

On messages you are sending that are being bounced, that would be due to the listing on spamcop.

On not receiving emails "although we know the people are sending them to us", that would only involve spamcop if YOU (or your mail service) are using spamcop to block incoming messages.

istracpsboss Posted September 2, 2006

We've a similar problem. I'm not a techie. We are estate agents in Croatia and whenever I have sent emails to my wife who is the lawyer who runs our legal department in another city over the last two days I've been getting a block. Since it is screwing up contracts which are time sensitive it is causing real problems. Clients arrive from abroad expecting to sign contracts for buying houses, which we then need to take to a notary before they close and they aren't ready because the documentation has been blocked.

If anyone can help I'd be very grateful. Thanks.

Here is the most recent one's headers:

Hi. This is the qmail-send program at se-l4.avalon.lu.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<kcobal[at]globalnet.hr>:
213.149.32.10 does not like recipient.
Remote host said: 553 Blocked - see http://www.spamcop.net/bl.shtml?209.61.218.134
Giving up on 213.149.32.10.

--- Below this line is a copy of the message.

Return-Path: <peter.ellis[at]croatiapropertyservices.com>
Received: (qmail 11750 invoked by uid 89); 2 Sep 2006 08:03:17 -0000
Received: from unknown (HELO localhost) (127.0.0.1) by se-l4.avalon.lu with SMTP; 2 Sep 2006 08:03:17 -0000
Received: (qmail 11474 invoked by uid 89); 2 Sep 2006 08:02:54 -0000
Received: from 195-29-85-236.adsl.net.t-com.hr (HELO peterdesktop) (peter.ellis[at]croatiapropertyservices.com[at]195.29.85.236) by se-l4.avalon.lu with ESMTPA; 2 Sep 2006 08:02:54 -0000
From: "Peter Ellis" <peter.ellis[at]croatiapropertyservices.com>
To: "Ksenija Ellis" <kcobal[at]globalnet.hr>
Subject: RE: Certificate of Title
Date: Sat, 2 Sep 2006 10:07:52 +0200
Message-ID: <DBENILCIBFOPEONBDIGDAEMACAAA.peter.ellis[at]croatiapropertyservices.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0281_01C6CE77.A7104810"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
In-Reply-To: <20060901180416.0BA3D130805D[at]ls422.t-com.hr>
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4963.1700

Farelf Posted September 2, 2006

> ... whenever I have sent emails to my wife who is the lawyer who runs our legal department in another city over the last two days I've been getting a block. ...

Hi istracpsboss - you have presumably followed the link from the rejection notice you provided (and the links from that page) and understand it is not your messages that are causing the problem. "Something" sharing your IP address 209.61.218.134 is sending to spamtraps - in that circumstance no detailed reports are sent to your provider abuse address: abuse[at]hopone.net ('phone +1-202-318-0530). These are the people who need to work on getting blocklist removal - which will happen automatically within 24 hours of no more "spam" but it is likely to go straight back on again unless the cause has been found and eliminated.

Is your wife able to get you whitelisted by globalnet.hr? That might be something the two of you could work on because the blocklist itself is a matter for your provider to fix.

Derek T Posted September 2, 2006

> Hi istracpsboss - you have presumably followed the link from the rejection notice you provided (and the links from that page) and understand it is not your messages that are causing the problem. "Something" sharing your IP address 209.61.218.134 is sending to spamtraps -

There are plenty of human reports too, which have apparently been ignored by your ISP - all but one are misdirected bounces.

Miss Betsy Posted September 2, 2006

Or you can have an alternative email address (such as hotmail) for emailing your wife or use the fax. That's what's good about blocking, you *do* get a rejection notice and know that the email hasn't been received. That would be a good idea to have an alternate anyway since there are other reasons why email is sometimes unavailable.

Miss Betsy

StevenUnderwood Posted September 2, 2006

> There are plenty of human reports too, which have apparently been ignored by your ISP - all but one are misdirected bounces.

Derek: The UUBE reports do not appear to go to the ISP but rather to: uube[at]devnull.spamcop.net. Only that one report went to the ISP. I believe this step was done to give a little more information on misdirected bounces. "failure notice" is the subject of the bounces seen.

Report History: Display UUBE
--------------------------------------------------------------------------------
Submitted: Sunday, August 13, 2006 5:11:08 PM -0400:
Small Cap Stocks
1875498502 ( 209.61.218.134 ) To: relays[at]admin.spamcop.net
1875498497 ( 201.37.57.160 ) To: spamcop[at]imaphost.com
1875498494 ( 201.37.57.160 ) To: abuse[at]embratel.net.br
1875498492 ( 201.37.57.160 ) To: sistemas[at]intelignet.com.br
1875498487 ( 201.37.57.160 ) To: mail-abuse[at]cert.br
1875498480 ( 201.37.57.160 ) To: abuse[at]poa.virtua.com.br

Report History: Don't Display UUBE
--------------------------------------------------------------------------------
Submitted: Friday, September 01, 2006 11:34:35 AM -0400:
failure notice
1902174864 ( 209.61.218.134 ) ( UUBE ) To: uube[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Friday, September 01, 2006 9:59:06 AM -0400:
failure notice
1902042282 ( 209.61.218.134 ) ( UUBE ) To: uube[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Friday, September 01, 2006 3:27:16 AM -0400:
failure notice
1901563888 ( 209.61.218.134 ) ( UUBE ) To: uube[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Tuesday, August 29, 2006 12:22:22 PM -0400:
failure notice
1897471771 ( 209.61.218.134 ) ( UUBE ) To: uube[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Tuesday, August 29, 2006 1:37:41 AM -0400:
failure notice
1896714428 ( 209.61.218.134 ) ( UUBE ) To: uube[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Monday, August 28, 2006 7:58:52 PM -0400:
failure notice
1896402867 ( 209.61.218.134 ) ( UUBE ) To: uube[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Monday, August 28, 2006 8:50:21 AM -0400:
failure notice
1895585856 ( 209.61.218.134 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Older Reports

Derek T Posted September 2, 2006

> The UUBE reports do not appear to go to the ISP but rather to: uube[at]devnull.spamcop.net. Only that one report went to the ISP. I believe this step was done to give a little more information on misdirected bounces.

I didn't realise that. Nor do I understand it! Why would not warning them give more info?

BTW, forgive my ignorance but what does UUBE stand for? It's a new one on me.

StevenUnderwood Posted September 2, 2006

> I didn't realise that. Nor do I understand it! Why would not warning them give more info? BTW, forgive my ignorance but what does UUBE stand for? It's a new one on me.

Per an email from a deputy: UUBE - Unwanted/Unsolicited Bounce Email

It was recently added to the glossary: http://forum.spamcop.net/forums/index.php?...ost&p=29916 (Thanks dbiel)

It gives more info than not showing any listings like it used to be. Now at least the subject line is seen and approximate times as well without contacting the deputies. One example I saw the other day all had [spam] at the start of the subject line, so the administrator could deduce it was his spam-filter that was causing the misdirected bounces.

dra007 Posted September 2, 2006

I think there is a consensus uube signifies spamtrap reports.

Derek T Posted September 2, 2006

> I think there is a consensus uube signifies spamtrap reports.

Light dawns so a devnulled UUBE indicates a spamtrap hit and the volume of them indicates to 'us' how many and when. That makes sense, more info indeed! Thanks both.

DavidT Posted September 2, 2006

> One example I saw the other day all had [spam] at the start of the subject line, so the administrator could deduce it was his spam-filter that was causing the misdirected bounces.

Wait a moment. I've received bounces that my *incoming* filtering system had tagged with [spam], but that wasn't the *cause* of the bounce.

I think there's also a bit of conjecture in the recent messages in this topic that may or may not be reality. We need to check this out with the deputies. For example, those UUBE items showing up associated with a particular IP may very well have been reported by SC users. Maybe those aren't spamtrap hits at all (I rather suspect not).

DT

StevenUnderwood Posted September 2, 2006

> Wait a moment. I've received bounces that my *incoming* filtering system had tagged with [spam], but that wasn't the *cause* of the bounce. I think there's also a bit of conjecture in the recent messages in this topic that may or may not be reality. We need to check this out with the deputies. For example, those UUBE items showing up associated with a particular IP may very well have been reported by SC users. Maybe those aren't spamtrap hits at all (I rather suspect not).

Yes. And some of those programs can be made to bounce the error back to the originator. I know Norton AV for Notes used to do that... had to turn the outside notification off.

You can try to get a better answer than I did. It was not confirmed or denied.

Miss Betsy Posted September 3, 2006

I don't think that uube address can be a mix of spam traps and reports by reporters. Reports by reporters should go to the source. Spam traps don't make reports.

My guess is that there were so many requests for what was in the email that hit the spam trap, that they started creating 'reports' that could be accessed using the data that they would give if asked. Now the deputies can simply point requests to the 'report' instead of looking it up and making a 'report' themselves in reply.

Also, it is probably where the spam tag is placed that it can be seen if it is a misdirected bounce or a report. The tag would be after the rejection statement if it was a misdirected bounce and before the rejection statement if it were a report.

Miss Betsy

DavidT Posted September 3, 2006

> Reports by reporters should go to the source.

The key word might be "should." What if the "powers that be" have decided that excessive UUBE reports going to ISPs have made those ISPs decide to stop paying attention to SpamCop reports? If that were the case, then isn't it also possible that they've decided to "dev/null" the sending of the actual emails, and yet create a new way of handling those in the database/reporting system?

I think that before we tell people "these are spamtrap-related" that we need clarification from the people who actually administer the reporting system.

DT

[edit] I have sent a detailed email to the "deputies" address, asking for clarification on the UUBE items in the reporting database. I'll report back here if and when I hear from a deputy...whether I'm right or wrong. ;-)

Miss Betsy Posted September 4, 2006

If ISPs don't want to get reporter reports, there is already a mechanism for that. It might be that reports about misdirected bounces go to a dev/null address, but it is more probable, to me, that it would follow the current system of the address/dev/null than to send them to a special address for misdirected bounces.

At least we can tell people that they are misdirected bounces. That's the important part.

Miss Betsy

StevenUnderwood Posted September 4, 2006

> If ISPs don't want to get reporter reports, there is already a mechanism for that. It might be that reports about misdirected bounces go to a dev/null address, but it is more probable, to me, that it would follow the current system of the address/dev/null than to send them to a special address for misdirected bounces. At least we can tell people that they are misdirected bounces. That's the important part. Miss Betsy

In the past week I have seen IP's with both reports going to the devnull address and to the ISP with the same subjects. I will keep my eyes open for more cases.

Either scenario is possible, but I still think it is spamtrap hits. I await the deputies' reply, if they allow it to be published.

Archived
This topic is now archived and is closed to further replies.