
Recurring Block List Issue



We have a Plesk shared email and hosting server at 216.27.30.250 that has been listed 3 times in the last 5 days. We thought we had identified the source of the spam by correlating some reports sent by AOL's white list, but we were re-listed twice since the last AOL report. The server hosts several hundred customers and domains, making it difficult to identify the particular customer that sent the spam. We've verified that the IP address is not an open relay and it's not located on any other block lists.

We would like to identify the domain that the mail was sent from or the spamvertised site in the email so we can correct the problem or suspend the account.

We've sent three requests via the web form asking for any assistance or information that the administrators can provide but have not received a reply yet.

We would appreciate any assistance in identifying the offending customer so we can get the IP address off the block list.

Thank you.

Simon Campbell

Hosted Solutions

SpamCop Report:

216.27.30.250 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 16 hours.

Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Additional potential problems

(these factors do not directly result in spamcop listing)

* System administrator has already delisted this system once

Because of the above problems, express-delisting is not available

Listing History

In the past 5.8 days, it has been listed 3 times for a total of 41 hours


Well, unfortunately the webform or emailing deputies[at]admin.spamcop.net is the only way you are going to get further information on spamtrap hits. I've always gotten replies from them within 24 hours, but I'm very careful to make sure to detail exactly what I need, and provide all the necessary information at one time for them to help me. I know that from time to time their email load becomes a bit overwhelming, so I wouldn't recommend submitting again unless it has been more than 48 hours.

Now on to your actual problem, most often, when we see spamtrap hits without any manual reports, it is caused by misdirected bounces. I would start there and make sure that your mailserver is rejecting undeliverable messages during the SMTP phase, and not trying to create a new NDR and sending it to the forged FROM address of the message.


Now on to your actual problem, most often, when we see spamtrap hits without any manual reports, it is caused by misdirected bounces. I would start there and make sure that your mailserver is rejecting undeliverable messages during the SMTP phase, and not trying to create a new NDR and sending it to the forged FROM address of the message.

It was my understanding that qmail does not allow you to do this.


hostedsolutions.com wrote (Sep 20 2006, 05:24 PM): It was my understanding that qmail does not allow you to do this.

...Please see Jank1887's reply in thread ' Stuck with "Misdirected Bounces" ' and subsequent discussion. Note: lest you think that finding this was magic, I found this by doing a "Search" (see form at top of most any SpamCop Forum page, including this one) for ' "misdirected bounces" qmail '.

...Please see Jank1887's reply in thread ' Stuck with "Misdirected Bounces" ' and subsequent discussion. Note: lest you think that finding this was magic, I found this by doing a "Search" (see form at top of most any SpamCop Forum page, including this one) for ' "misdirected bounces" qmail '.

Thank you for the information. We'll see if that resolves the issue.


This information should give you some idea about when reports were received. It is available to paid reporters. There is only one report which is not UUBE, but that was a mole report (no reports sent):

Report History:

Display UUBE

--------------------------------------------------------------------------------

Submitted: Wednesday, September 06, 2006 5:04:19 PM -0400:

The Solution Center

1910210036 ( http://www.thesolutioncenter.com/meeting_reward... ) To: mole[at]devnull.spamcop.net

1910210034 ( 216.27.30.250 ) To: mole[at]devnull.spamcop.net

Report History: 

Don't Display UUBE



--------------------------------------------------------------------------------

Submitted: Tuesday, September 12, 2006 10:09:49 AM -0400: 
failure notice 
1918440784 ( 216.27.30.250 ) ( UUBE ) To: uube[at]devnull.spamcop.net 

--------------------------------------------------------------------------------

Submitted: Tuesday, September 12, 2006 10:09:50 AM -0400: 
failure notice 
1918440723 ( 216.27.30.250 ) ( UUBE ) To: uube[at]devnull.spamcop.net 

--------------------------------------------------------------------------------

Submitted: Tuesday, September 12, 2006 10:09:50 AM -0400: 
failure notice 
1918440716 ( 216.27.30.250 ) ( UUBE ) To: uube[at]devnull.spamcop.net 

--------------------------------------------------------------------------------

Submitted: Tuesday, September 12, 2006 10:09:46 AM -0400: 
failure notice 
1918440699 ( 216.27.30.250 ) ( UUBE ) To: uube[at]devnull.spamcop.net 

--------------------------------------------------------------------------------

Submitted: Tuesday, September 12, 2006 10:09:35 AM -0400: 
failure notice 
1918440367 ( 216.27.30.250 ) ( UUBE ) To: uube[at]devnull.spamcop.net 

--------------------------------------------------------------------------------

Submitted: Tuesday, September 12, 2006 10:09:31 AM -0400: 
failure notice 
1918440284 ( 216.27.30.250 ) ( UUBE ) To: uube[at]devnull.spamcop.net 
Older Reports

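Added example, not part of the original thread or any poster's code: the misdirected-bounce diagnosis above, and the "failure notice" reports in the last post, can be checked from the server side by looking in the qmail-send log for null-sender messages leaving for remote addresses and tracing each one back to the local domain whose failed delivery produced it. It assumes the stock qmail-send log line format; the log excerpt, domains and function name are constructed for illustration.

```python
import re
from collections import Counter

# Constructed qmail-send log excerpt (reserved example domains, other lines omitted).
SAMPLE_LOG = """\
info msg 5001: bytes 3120 from <trap@innocent.example> qp 2101 uid 110
starting delivery 1: msg 5001 to local nosuchuser@customer-a.example
delivery 1: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
bounce msg 5001 qp 2105
info msg 5002: bytes 3890 from <> qp 2105 uid 112
starting delivery 2: msg 5002 to remote trap@innocent.example
info msg 5003: bytes 900 from <alice@customer-b.example> qp 2110 uid 110
starting delivery 3: msg 5003 to remote bob@partner.example
info msg 5004: bytes 2800 from <other@forged.example> qp 2120 uid 110
starting delivery 4: msg 5004 to local gone@customer-a.example
delivery 4: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
bounce msg 5004 qp 2124
info msg 5005: bytes 3500 from <> qp 2124 uid 112
starting delivery 5: msg 5005 to remote other@forged.example
"""

INFO = re.compile(r"info msg (\d+): bytes \d+ from <([^>]*)> qp (\d+)")
START = re.compile(r"starting delivery \d+: msg (\d+) to (local|remote) (\S+)")
BOUNCE = re.compile(r"bounce msg (\d+) qp (\d+)")

def find_backscatter(log_text):
    """Return (remote bounce targets, local domains whose failures caused them)."""
    sender, qp_of, local_dom, origin = {}, {}, {}, {}
    targets, sources = Counter(), Counter()
    for line in log_text.splitlines():
        if m := INFO.search(line):
            sender[m[1]], qp_of[m[1]] = m[2], m[3]
        elif m := START.search(line):
            msg, kind, rcpt = m.groups()
            if kind == "local":
                local_dom[msg] = rcpt.rsplit("@", 1)[-1].lower()
            elif sender.get(msg) == "":
                # Null envelope sender leaving the server: an outbound bounce.
                targets[rcpt.lower()] += 1
                sources[origin.get(qp_of[msg], "unknown")] += 1
        elif m := BOUNCE.search(line):
            # The bounce's qp matches the qp on the new message's info line.
            origin[m[2]] = local_dom.get(m[1], "unknown")
    return targets, sources

if __name__ == "__main__":
    targets, sources = find_backscatter(SAMPLE_LOG)
    print("bounce targets:", dict(targets))
    print("caused by failed local deliveries for:", dict(sources))
```

A local domain that dominates the second counter is the one receiving mail for nonexistent mailboxes, which is where rejecting unknown recipients during the SMTP phase would stop the bounces.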

Archived

This topic is now archived and is closed to further replies.
