odysseus183

False Positive

Hello,

My company email was being blocked last week by spamcop. The block has already expired, but since this happens on occasion I thought I would look into it.

Apparently, the block was put in place because some spam was sent from one of our ISP's (Verio) email servers, 128.121.64.66. This is not our email server (204.3.196.116) and the spam did not come from our domain (bosssystems.com). The spam was reported to the Usenet group news.net-abuse.sighting:

http://groups.google.com/group/news.admin....bea49bb805c52f2

Am I missing something here, or is our company being penalized by something that does not have anything to do with us? Is there a way I can avoid this in the future?

Aaron

On the surface, based on a quick read, this appears to be better served by being placed in the Blocking List Help Forum .. moving it to that Forum section with this post ...

It is unlikely that the email you posted a link to is involved in your spamcop listing. First, if your email server is indeed 204.3.196.116, then that email does not appear to have passed through that IP at all. Second, it takes much more than a single report to get an IP address listed.

I'm sure one of the paid reporters will be along shortly and can post the report summary for your IP address so we can get a better idea.

Is your mailserver run by Verio, or is it your own server? Verio typically configures their mailserver incorrectly so that they send bounces to forged from addresses by the thousands, which causes them to be listed on a regular basis. My internet connection is through Verio, however, we run our own internal mailserver, which is configured in accordance with best practices, and have never had a problem.

Whether or not your email server's IP address is listed on spamcop may or may not have anything to do with a posting on news.net-abuse.sighting.

Some posters have access to past reports and may be able to help you further with why your email server has been listed.

If you administer your own server, you might read the server admin section of the Why Am I Blocked? FAQ for possibilities. Automatic replies which reply to forged return paths are often the culprit. Does the blocking coincide with someone in your office on vacation and using Out of Office replies indiscriminately?

Miss Betsy

It is unlikely that the email you posted a link to is involved in your spamcop listing. First, if your email server is indeed 204.3.196.116, then that email does not appear to have passed through that IP at all. Second, it takes much more than a single report to get an IP address listed.

I'm sure one of the paid reporters will be along shortly and can post the report summary for your IP address so we can get a better idea.

No better idea on that IP Address:

Parsing input: 204.3.196.116

host 204.3.196.116 (getting name) = www.bosssystems.com.

host 204.3.196.116 = www.bosssystems.com (cached)

No recent reports, no history available

Routing details for 204.3.196.116

[refresh/show] Cached whois for 204.3.196.116 : swip[at]sjcwh.verio.net

abuse[at]verio.net redirects to abuse[at]ntt.net

Using best contacts abuse[at]ntt.net

The other IP address, however, is bouncing undeliverables all over the internet. Does your server use them as a smarthost, possibly? That would cause your mail to be affected by their listing.

Report History:

Don't Display UUBE

--------------------------------------------------------------------------------

Submitted: Monday, August 28, 2006 9:01:11 PM -0400:

failure notice

1896467229 ( 128.121.64.66 ) ( UUBE ) To: uube[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Sunday, August 27, 2006 7:28:17 AM -0400:

failure notice

1894095528 ( 128.121.64.66 ) ( UUBE ) To: uube[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Saturday, August 26, 2006 8:30:41 AM -0400:

failure notice

1892883988 ( 128.121.64.66 ) ( UUBE ) To: uube[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Saturday, August 26, 2006 2:25:13 AM -0400:

failure notice

1892589422 ( 128.121.64.66 ) ( UUBE ) To: uube[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Friday, August 25, 2006 10:03:25 AM -0400:

Mail Delivery Failure

1891684281 ( 128.121.64.66 ) ( UUBE ) To: uube[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Thursday, August 24, 2006 4:16:18 PM -0400:

failure notice

1890723671 ( 128.121.64.66 ) ( UUBE ) To: uube[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Thursday, August 24, 2006 8:52:40 AM -0400:

failure notice

1890170422 ( 128.121.64.66 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Older Reports

Are you certain that 128.121.64.66 is not your outgoing mail server? Look in your email program's account settings for your SMTP server. What do you have listed there?

Resolved bosssystems.com to 204.3.196.116

[bosssystems.com has 1 MX record mail-fwd.g14.rapidsite.net.(50)]

Resolved mail-fwd.g14.rapidsite.net to 128.121.85.2

You might be right

address 128.121.64.66 = mail14d.g14.rapidsite.net.

He is using Rapidsite! So it could have gone through there.

We do not have any autoresponders configured. I checked again this morning to confirm.

Verio hosts our web and our email for us. I don't know the difference between hosting and "smart" hosting.

In our email programs, the POP3 server is specified as bosssystems.com and the SMTP server is specified as smtp.bosssystems.com. These both map to the same IP address, 204.3.196.116.

Rapidsite is part of Verio. From reading the link posted by DavidT, I gather that:

1. Verio is at fault.

2. There is nothing I can do about it except report the problem to Verio and/or get a new provider.

Is this about right?

Aaron

It happened again, this time with mail14e.g14.rapidsite.net [128.121.64.102]

http://www.spamcop.net/w3m?action=blcheck&...=128.121.64.102

Please send an email to the address in my sig with the subject: SpamCop Forum Test

I would like to see the path your message takes coming from your system to the internet. It is likely your list is correct, but this should confirm it.
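What tracing "the path your message takes" looks like in practice, as an added example that is not part of the original post: it reads the Received headers of a test message and compares the IP that actually hands mail to the recipient with the IP the domain resolves to. The sample message is constructed; the hostnames and IPs are the ones quoted in this thread, but the hop order, the `recipient.example` names and the function names are assumptions.

```python
import ipaddress
import re
from email import message_from_string

# Constructed message: hostnames and IPs are the ones quoted in this thread,
# but the hop order, timestamps and other names are assumptions.
SAMPLE = """\
Received: from mail14d.g14.rapidsite.net (mail14d.g14.rapidsite.net [128.121.64.66])
\tby mx.recipient.example with ESMTP; Mon, 28 Aug 2006 21:01:11 -0400
Received: from www.bosssystems.com (www.bosssystems.com [204.3.196.116])
\tby mail14d.g14.rapidsite.net with SMTP; Mon, 28 Aug 2006 21:01:09 -0400
Received: from desktop (unknown [192.168.1.20])
\tby www.bosssystems.com with ESMTP; Mon, 28 Aug 2006 21:01:08 -0400
From: user@bosssystems.com
To: test@recipient.example
Subject: SpamCop Forum Test

test body
"""

# Matches the common "from NAME (RDNS [IP])" layout; other MTAs format it differently.
FROM_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)

def relay_path(raw):
    """Return [(announced_name, ip), ...] ordered from origin to final hop."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = FROM_RE.search(value)
        if m:
            hops.append((m.group(1), ipaddress.ip_address(m.group(2))))
    return hops[::-1]  # each server prepends its header, so reverse to get send order

def public_hops(raw):
    """Drop private-range hops; a blocklist can only list public addresses."""
    return [(name, ip) for name, ip in relay_path(raw) if not ip.is_private]

def handoff_ip(raw):
    """IP that connected to the recipient's server (written by that server itself)."""
    return public_hops(raw)[-1][1]

def explain_block(raw, domain_ip, listed):
    """Compare the domain's own IP with the hops a recipient actually sees."""
    sender = str(handoff_ip(raw))
    return {
        "handoff_ip": sender,
        "handoff_is_domain_ip": sender == domain_ip,
        "listed_hops": [str(ip) for _, ip in public_hops(raw) if str(ip) in listed],
    }

if __name__ == "__main__":
    print(explain_block(SAMPLE, "204.3.196.116", {"128.121.64.66"}))
```

Only the topmost Received header is written by the recipient's own server; lower ones are supplied by earlier hops and should be treated as claims.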

I'm guessing that this is a "shared hosting" situation, in which many domains share a single server. In most of those cases, the email source IP is rarely the IP affiliated with the domain itself, but usually a more "global" one belonging to either the server itself or some hop upstream from the server. This is one of the major problems of shared hosting, in that if anything bad is being transmitted by your "neighbors" on the server, it winds up interfering with your outbound mail also.

In the case of the most recent IP you gave us, it looks like the server is sending "misdirected bounces" that are hitting spamtrap addresses. This is something that only the server admin would be able to deal with, in that they'd need to change the server's behavior so that it rejects incoming mail during the initial SMTP session instead of sending out separate bounce notices after the fact.

DT
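The difference between bouncing after the fact and rejecting during the SMTP session, modelled as an added example that is not part of the original post or any real server's code. All addresses, the user list and the function names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed scenario: every address below is made up for illustration.
LOCAL_USERS = {"aaron@hosted.example"}
SPAMTRAP = "trap@victim.example"  # forged by the spammer as the envelope sender

@dataclass
class Outcome:
    smtp_reply: str  # what the connecting client is told in-session
    mail_sent: list = field(default_factory=list)  # (env_from, env_to) the server emits

def accept_then_bounce(mail_from, rcpt_to):
    """Say 250 to everything, check the recipient later, then mail a failure notice."""
    out = Outcome("250 OK")
    if rcpt_to not in LOCAL_USERS and mail_from != "<>":
        # The notice uses the null sender and goes to whoever MAIL FROM claimed to be.
        out.mail_sent.append(("<>", mail_from))
    return out

def reject_in_session(mail_from, rcpt_to):
    """Check the recipient at RCPT TO; the connecting client gets the error directly."""
    if rcpt_to not in LOCAL_USERS:
        return Outcome("550 5.1.1 User unknown")
    return Outcome("250 OK")

def backscatter(policy, traffic):
    """Addresses that get mail from our server without ever having written to it."""
    hits = []
    for real_sender, mail_from, rcpt_to in traffic:
        for _, notice_to in policy(mail_from, rcpt_to).mail_sent:
            if notice_to != real_sender:
                hits.append(notice_to)
    return hits

TRAFFIC = [
    # (who really sent it, claimed MAIL FROM, RCPT TO)
    ("spammer@bot.example", SPAMTRAP, "nosuchuser@hosted.example"),
    ("spammer@bot.example", "bystander@other.example", "sales1@hosted.example"),
    ("friend@partner.example", "friend@partner.example", "aaorn@hosted.example"),
    ("friend@partner.example", "friend@partner.example", "aaron@hosted.example"),
]

if __name__ == "__main__":
    print("accept-then-bounce:", backscatter(accept_then_bounce, TRAFFIC))
    print("reject-in-session: ", backscatter(reject_in_session, TRAFFIC))
```

With in-session rejection the legitimate sender who mistyped an address still learns of the failure, because their own mail server receives the 550 and reports it to them.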

In the case of the most recent IP you gave us, it looks like the server is sending "misdirected bounces" that are hitting spamtrap addresses. This is something that only the server admin would be able to deal with, in that they'd need to change the server's behavior so that it rejects incoming mail during the initial SMTP session instead of sending out separate bounce notices after the fact.

What are "misdirected bounces"? Do they have something to do with autoresponders?

What are "misdirected bounces"? Do they have something to do with autoresponders?

Autoresponders generate some, but not all misdirected bounces. You can read some details in one of the Spamcop FAQs here.

Autoresponders generate some, but not all misdirected bounces. You can read some details in one of the Spamcop FAQs here.

Of course, mentioning that this referenced SpamCop FAQ is incorporated into the single-page-access and expanded form of it here, linked to at the top of the page. There is also a Dictionary, Glossary, and the recently opened SpamCopWiki that includes "words you may not know the meaning of" available 'here' ....
