paulmon

Help me prevent the ISP I work for from being blocked!

I'm the manager of the engineering group for a majorish Canadian ISP. I hate spammers. It seems that one of my 200,000 users is spamming. We have numerous spam prevention systems in place. We have a throttle that prevents users sending out massive amounts of email. This is set very low. However, we still find ourselves getting blacklisted by SpamCop. My only guess as to why this is happening is that the user(s) that are spamming are doing so at a low volume, and trip a SpamCop spam trap email address.

What I would like to know is how is this preventable? I'm being told by SpamCop that 1 of my 200,000 users is spamming. How on earth can I possibly find them if they're sending a low volume of spam and they hit the spam trap? SpamCop won't answer phone calls and for fear of divulging the spam trap address won't tell us the time and date of the sending user, basically they won't tell us anything other than "one of your 200,000 users is spamming."

How are other ISPs getting around this blocking?

I run the engineering of an honest ISP that honestly doesn't want any spammers on their network. I want to find these people and run them off my network. Basically I want what SpamCop wants: I want to stop spam. However, I can't do that without some help.

Someone somewhere must have some suggestions.

Regards,

Paul

Hi, Paul,

...Your frustration is understandable. Spammers have ruined things for everyone!

...Please go back to the first page of this forum (http://forum.spamcop.net/forums/index.php?showforum=11) and click the link labeled "Announcement: [How-to] Post a Question (and prevent stupid/rude answers)," especially the section labeled "The question." We need a bit more information from you to help you.

...In general, I have heard others mention to admins that they should check their outgoing firewall logs for suspicious activity. Some signs of suspicious activity are messages that look like bounces or out-of-office messages. Once you post the information referred to in the aforementioned Announcement, others here might be able to provide a bit more information that might help you.

...Good luck!

Steve, I've read that post and don't know what else to tell you. I can't provide the spam in question as we believe the user is tripping a spam trap. All I know is my mail server is listed in SpamCop.

The mail server in question is referenced by this SpamCop report.

I guess the frustration comes from SpamCop's desire to reduce spam and then sitting on their "high horse" and not providing people like me and my team the information they need to stop it. I can understand why they don't want to let people know, for fear of people getting to know the spam trap email addresses.

So on the one hand SpamCop wants to reduce spam, on the other hand their silence is actually causing more spam.

Our cluster of mail servers sends out hundreds of thousands of emails a day. Checking our outbound logs for "suspicious activity" is like trying to find a you know what in a haystack. We already track messages by count for every IP and every user in our network, similar to SenderBase but our own system. This is part of the throttle I mentioned in my first post. However, as we're talking about spam trap addresses, a user could send 10 messages/hour and still get us flagged in the SpamCop DB.

My sales team, marketing team, technical support and customers don't care that the ISPs blocking us are using SpamCop in too strict a fashion, not as it was designed; that isn't their concern. To them this is my problem to fix, but without a two-way street between SpamCop and my team this isn't fixable.

So how do I find one spammer in 200,000 users with no information at all? How are other ISPs preventing themselves from getting blacklisted? An ISP could never EVER prevent spam entirely, anyone who thinks so is dreaming. So how do I prevent getting blacklisted if I can never get rid of all spam?

Paul

Thanks for providing the IP address in question. Looking at the page you referenced, both spamtrap hits and user reports have been made. From that page, follow the SenderBase link ... overall traffic numbers don't suggest spammer infestation. So the likelihood is "misdirected e-mails" .... From the SenderBase page, follow the Google Group look-up .... hmmmm, first item seen is a 'rejection e-mail' as the user doesn't live here .... then there's some older spam .... Back to the "Why am I Blocked?" FAQ for starters ...????

PBSL has a "new/fresh" database, so no data found there ....

Thanks for providing the IP address in question. Looking at the page you referenced, both spamtrap hits and user reports have been made.

<snip>

...Which also means that user reports should have been going to aupviolations[at]primus.ca (I found this by following the link you provided, Paul, then clicking on the link labeled "Trace IP"). Have you looked for those reports?

Suspecting that the data shouldn't be all that hard to 'discover' ....

Report History:

------------------------------------------------------
Submitted: Monday, October 02, 2006 9:44:04 AM -0500: 
YOUR EMAIL WAS PICKED AS THE FREE LOTTO ONLINE WINNER! CONGRATULATIONS!!! 
1947730370 ( 216.254.136.21 ) To: aupviolations[at]primus.ca 
-----------------------------------------------------
Submitted: Monday, October 02, 2006 7:21:58 AM -0500: 
YOUR EMAIL WAS PICKED AS THE FREE LOTTO ONLINE WINNER! CONGRATULATIONS!!! 
1947559170 ( 216.254.136.21 ) To: spamcop[at]imaphost.com 
1947559146 ( 216.254.136.21 ) To: aupviolations[at]primus.ca 
-----------------------------------------------------
Submitted: Monday, October 02, 2006 1:27:13 AM -0500: 
[spam] YOUR EMAIL WAS PICKED AS THE FREE LOTTO ONLINE WINNER! CONGRATULATIONS!!! 
1947852131 ( 216.254.136.21 ) To: spamcop[at]imaphost.com 
1947852118 ( 216.254.136.21 ) To: aupviolations[at]primus.ca
---------------------------------------------------
Submitted: Sunday, October 01, 2006 7:04:10 PM -0500: 
Mail delivery failed : returning message to sender 
1946895663 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net 
------------------------------------------------------
Submitted: Sunday, October 01, 2006 4:15:28 PM -0500: 
YOUR EMAIL WAS PICKED AS THE FREE LOTTO ONLINE WINNER! CONGRATULATIONS!!! 
1946746992 ( 216.254.136.21 ) To: aupviolations[at]primus.ca 
-----------------------------------------------------
Submitted: Sunday, October 01, 2006 8:15:18 AM -0500: 
Mail delivery failed : returning message to sender 
1946271041 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net 
----------------------------------------------------
Submitted: Saturday, September 30, 2006 6:57:52 AM -0500: 
Mail delivery failed : returning message to sender 
1944857333 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net 
---------------------------------------------------
Submitted: Friday, September 29, 2006 3:42:59 PM -0500: 
Mail delivery failed : returning message to sender 
1944013478 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net 
--------------------------------------------------
Submitted: Friday, September 29, 2006 12:00:42 PM -0500: 
Mail delivery failed : returning message to sender 
1943757524 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net 
------------------------------------------------
Submitted: Thursday, September 28, 2006 6:43:00 PM -0500: 
Mail delivery failed : returning message to sender 
1942686192 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net 
------------------------------------------------
Submitted: Monday, October 02, 2006 9:44:04 AM -0500: 
YOUR EMAIL WAS PICKED AS THE FREE LOTTO ONLINE WINNER! CONGRATULATIONS!!! 
1947730370 ( 216.254.136.21 ) To: aupviolations[at]primus.ca 
-----------------------------------------------------
Submitted: Monday, October 02, 2006 7:21:58 AM -0500: 
YOUR EMAIL WAS PICKED AS THE FREE LOTTO ONLINE WINNER! CONGRATULATIONS!!! 
1947559170 ( 216.254.136.21 ) To: spamcop[at]imaphost.com 
1947559146 ( 216.254.136.21 ) To: aupviolations[at]primus.ca 
----------------------------------------------------------------
Submitted: Monday, October 02, 2006 1:27:13 AM -0500: 
[spam] YOUR EMAIL WAS PICKED AS THE FREE LOTTO ONLINE WINNER! CONGRATULATIONS!!! 
1947852131 ( 216.254.136.21 ) To: spamcop[at]imaphost.com 
1947852118 ( 216.254.136.21 ) To: aupviolations[at]primus.ca 
-------------------------------------------------------------
Submitted: Sunday, October 01, 2006 4:15:28 PM -0500: 
YOUR EMAIL WAS PICKED AS THE FREE LOTTO ONLINE WINNER! CONGRATULATIONS!!! 
1946746992 ( 216.254.136.21 ) To: aupviolations[at]primus.ca 
---------------------------------------------------
Submitted: Wednesday, September 27, 2006 11:59:56 AM -0500: 
BE OUR COMPANY REPRESENTATIVE IN YOUR REGION 
1940795740 ( 216.254.141.10 ) To: spamcop[at]imaphost.com 
1940795731 ( 216.254.141.10 ) To: aupviolations[at]primus.ca 
1940795728 ( 216.254.136.21 ) To: aupviolations[at]primus.ca 
---------------------------------------------------
Submitted: Tuesday, September 26, 2006 11:37:50 PM -0500: 
CONGRATULATION YOU HAVE WON THE ONLINE BRITISH NATIONAL LOTTERY BATCH: 074/05... 
1940040726 ( 216.254.141.10 ) To: spamcop[at]imaphost.com 
1940040701 ( 216.254.141.10 ) To: aupviolations[at]primus.ca 
1940040692 ( 216.254.136.21 ) To: aupviolations[at]primus.ca 
-------------------------------------------------
Submitted: Tuesday, September 26, 2006 10:55:02 PM -0500: 
[spam:76%] CONGRATULATION YOU HAVE WON THE ONLINE BRITISH 
1940028923 ( 216.254.141.10 ) To: spamcop[at]imaphost.com 
1940028918 ( 216.254.141.10 ) To: aupviolations[at]primus.ca 
1940028916 ( 216.254.136.21 ) To: aupviolations[at]primus.ca 

The mail server in question is referenced by this SpamCop report.

So how do I find one spammer in 200,000 users with no information at all? How are other ISPs preventing themselves from getting blacklisted? An ISP could never EVER prevent spam entirely, anyone who thinks so is dreaming. So how do I prevent getting blacklisted if I can never get rid of all spam?

Your Mail server is not stamping the source IP (where mail server received message from)

Your email server is not compliant and is concealing the spam source

****mail.tor.primus.ca_headers*****
Return-Path: <remove^bblockstech.com>
Received: from smtp-05.primus.ca (mail.tor.primus.ca [216.254.136.21])
    by www.***.*** (Postfix) with ESMTP id A529111E82
    for <***^***.***>; Mon, 17 Apr 2006 21:46:26 -0400 (EDT)
Received: from dsl-207-112-109-251.tor.primus.ca ([207.112.109.251] helo=YOUR-97FD25D54E)
    by smtp-05.primus.ca with esmtpa (Exim 4.50)
    id 1FVfEi-0007k9-J9
    for ***^***.***; Mon, 17 Apr 2006 21:42:37 -0400
From: Steve Shivkumar <sshivkumar^bblockstech.com>
To: ***^***.***
Message-Id: <20060417214237.609557^bblockstech.com>
Subject: 5-day Voice Over IP Security Boot Camp Course in Ottawa June 5-9, 2006
Date: Mon, 17 Apr 2006 21:42:37 -0400
MIME-Version: 1.0
Reply-To: sshivkumar^bblockstech.com
Content-Type: multipart/mixed; boundary="MixedBoundary.11111111.11111111"
*****Headers_End****

http://www.spamcop.net/sc?id=z1087964718z872b4575be82457c32c974068e18a468z

A test email from me through Hotmail correctly identifies the IP source [211.27.248.13]. It does not identify the Hotmail email server as the "injection point" (Hotmail servers are compliant).

If you make email server [216.254.136.21] compliant, where it appropriately stamps the source or "injection point", your server will not be added to the SCBL or any other "blocklist" (unless it does other dumb things like mindlessly bounce email). At present your server is naming itself as the spam injection point. It needs to stamp where it is getting its email from.

According to senderbase there are 358 'mailservers' sending mail from Primus. The vast majority are in DSL space and indicate trojanned customers. As petzl says, if your SMTP servers recorded the injection point that would help, but so would being a bit more proactive in closing down infected connections.

Edited by Derek T

Your Mail server is not stamping the source IP (where mail server received message from)

Your email server is not compliant and is concealing the spam source

Am I missing something? Isn't this the injection point?

Received: from dsl-207-112-109-251.tor.primus.ca ([207.112.109.251] helo=YOUR-97FD25D54E)

Paul

Aside from the "injection point" issue, what about all those misdirected bounces? (aka "backscatter")

I'm not able to inspect any of the actual reported messages, but when we see items in the database flagged as "UUBE" (Unwanted/Unsolicited Bounce Email) with Subject lines like this:

Mail delivery failed : returning message to sender

that's usually a red flag for misdirected bounces ... see this URL:

http://www.spamcop.net/fom-serve/cache/329.html

Many otherwise "clean" servers are getting listed in SpamCop's SCBL due to this issue.

DT

Am I missing something? Isn't this the injection point?

Received: from dsl-207-112-109-251.tor.primus.ca ([207.112.109.251] helo=YOUR-97FD25D54E)

I concur. The format may look a little strange with HELO ID after the IP address but the parser had no problems with it. Chain test looks fine and no problem identifying the source IP in two examples I tried from http://groups.google.com/groups?scoring=d&...1+group:*abuse*

Received:  from [207.112.84.44] (helo=YOUR-97FD25D54E) by smtp-06.primus.ca with esmtpa (Exim 4.43) id 1FcvB9-0007Jl-Kd for ***^***.***; Sun, 07 May 2006 22:08:56 -0400
207.112.84.44 found
host 207.112.84.44 (getting name) = dsl-207-112-84-44.tor.primus.ca.
Possible spammer: 207.112.84.44
Possible relay: 216.254.136.21
216.254.136.21 not listed in relays.ordb.org.
216.254.136.21 has already been sent to relay testers
Received line accepted

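The chain test petzl and Wazoo are discussing can be reproduced offline. As an added example (not code from this thread, from SpamCop, or from Primus), the script below walks the Received: headers top-down, stops at the first hop accepted by one of the ISP's own MTAs, and reports the peer that hop names; that peer is the injection point. The two samples are the header sets quoted above with the recipient's domain replaced by the placeholder example.invalid; the set of trusted MTA host names is an assumption built from the host names that appear in the thread.

```python
import re
from typing import Dict, List, Optional

# Constructed samples: the two header sets quoted in this thread, with the
# recipient's domain replaced by the placeholder example.invalid.
SAMPLE_A = (
    "Received: from smtp-05.primus.ca (mail.tor.primus.ca [216.254.136.21])\n"
    "\tby www.example.invalid (Postfix) with ESMTP id A529111E82\n"
    "\tfor <user@example.invalid>; Mon, 17 Apr 2006 21:46:26 -0400 (EDT)\n"
    "Received: from dsl-207-112-109-251.tor.primus.ca"
    " ([207.112.109.251] helo=YOUR-97FD25D54E)\n"
    "\tby smtp-05.primus.ca with esmtpa (Exim 4.50)\n"
    "\tid 1FVfEi-0007k9-J9\n"
    "\tfor user@example.invalid; Mon, 17 Apr 2006 21:42:37 -0400\n"
    "Subject: sample\n"
)
SAMPLE_B = (
    "Received: from [207.112.84.44] (helo=YOUR-97FD25D54E) by smtp-06.primus.ca"
    " with esmtpa (Exim 4.43) id 1FcvB9-0007Jl-Kd for user@example.invalid;"
    " Sun, 07 May 2006 22:08:56 -0400\n"
)

# Assumed list of the ISP's own submission MTAs (host names seen in the thread).
TRUSTED_MTAS = {"smtp-05.primus.ca", "smtp-06.primus.ca"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines (leading whitespace) onto their field."""
    fields: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line.rstrip())
    return fields


def parse_received(value: str) -> Dict[str, object]:
    """Extract from-host, peer IP, HELO name, by-host, protocol and queue id
    from one unfolded Received: field value."""
    hop: Dict[str, object] = {"from": None, "ip": None, "helo": None,
                              "by": None, "with": None, "id": None}
    m = re.search(r"\bfrom\s+(\S+)(.*?)\s+by\s+(\S+)", value)
    if not m:
        return hop
    from_clause = m.group(1) + m.group(2)      # everything between 'from' and 'by'
    ip = IPV4.search(from_clause)              # the peer address the MTA stamped
    helo = re.search(r"helo=([^\s)]+)", from_clause)
    proto = re.search(r"\bwith\s+(\S+)", value)
    qid = re.search(r"\bid\s+(\S+)", value)
    hop.update({
        "from": m.group(1),
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "by": m.group(3),
        "with": proto.group(1) if proto else None,
        "id": qid.group(1) if qid else None,
    })
    return hop


def find_injection_point(raw_headers: str, trusted: set) -> Optional[Dict[str, object]]:
    """Walk the Received: chain top-down (newest hop first). The first hop whose
    'by' host is one of our MTAs is where the message entered our network; the
    'from' side of that hop is the injection point SpamCop's parser reports."""
    for field in unfold(raw_headers):
        name, _, value = field.partition(":")
        if name.strip().lower() != "received":
            continue
        hop = parse_received(value.strip())
        if isinstance(hop["by"], str) and hop["by"].lower() in trusted:
            proto = str(hop["with"] or "").lower()
            hop["authenticated"] = proto in ("esmtpa", "esmtpsa")  # Exim: SMTP AUTH was used
            hop["stamps_source"] = hop["ip"] is not None           # petzl's compliance check
            return hop
    return None


if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        print(label, find_injection_point(sample, TRUSTED_MTAS))
```

Both samples resolve to the customer's DSL address, which is what Wazoo's parser output shows, so the server is stamping its source. The same hop also says `with esmtpa`, an authenticated submission: the Exim queue id in that hop is the key into the MTA's own main log, where Exim records the authenticated account next to the arrival line. That log lookup is what turns a SpamCop report into one customer out of 200,000 without anyone needing the trap address. A hop with no IP literal (`stamps_source` False) is the case petzl was warning about.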
Initial query issue, problem, spew continues ....

Submitted: Tuesday, October 03, 2006 6:14:31 AM -0500:
NOTIFICA DEL PREMIO:CONGRATULAZIONI!!!
1948963158 ( 216.254.136.21 ) To: spamcop[at]imaphost.com
1948963153 ( 216.254.136.21 ) To: aupviolations[at]primus.ca
-----------------------------------------------------
Submitted: Tuesday, October 03, 2006 6:04:11 AM -0500:
Mail delivery failed : returning message to sender
1948949337 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
------------------------------------------------------
Submitted: Tuesday, October 03, 2006 1:56:07 AM -0500:
Mail delivery failed : returning message to sender
1948704265 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
------------------------------------------------------
Submitted: Tuesday, October 03, 2006 1:12:58 AM -0500:
Mail delivery failed : returning message to sender
1948659494 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
-------------------------------------------------------
Submitted: Tuesday, October 03, 2006 12:44:04 AM -0500:
Mail delivery failed : returning message to sender
1948630560 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Am I missing something? Isn't this the injection point?

Received: from dsl-207-112-109-251.tor.primus.ca ([207.112.109.251] helo=YOUR-97FD25D54E)

Sorry, you are correct. SpamCop would not list this/your server if spam was sent through it (SpamCop would indeed just block the source computer).

I looked at your SpamCop "report history" and it is targeting 216.254.136.21 as a spam source (need to see newer headers). IP 216.254.136.21 is also being sourced for UUBE.

This then means your server is bouncing (Joe Jobbing) email to fake addresses.

http://www.spamcop.net/fom-serve/cache/329.html

I suggest you contact deputies directly

http://www.spamcop.net/fom-serve/cache/91.html

More recent Report History follows (you should be accepting and acting on UUBE Reports, rather than opting not to receive them):

Submitted: Saturday 2006/10/07 18:58:23 -0400:
Mail delivery failed : returning message to sender
1956179132 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
------------------------------------------------
Submitted: Saturday 2006/10/07 18:57:18 -0400:
Mail delivery failed : returning message to sender
1956177981 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
------------------------------------------------
Submitted: Saturday 2006/10/07 04:56:21 -0400:
Mail delivery failed : returning message to sender
1955272751 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
------------------------------------------------
Submitted: Saturday 2006/10/07 02:02:14 -0400:
Mail delivery failed : returning message to sender
1955090106 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
---------------------------------------------
Submitted: Friday 2006/10/06 22:17:21 -0400:
Mail delivery failed : returning message to sender
1954881195 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
---------------------------------------------
Submitted: Friday 2006/10/06 21:29:03 -0400:
Mail delivery failed : returning message to sender
1954837468 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
---------------------------------------------
Submitted: Friday 2006/10/06 18:47:49 -0400:
Mail delivery failed : returning message to sender
1954696702 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
---------------------------------------------
Submitted: Friday 2006/10/06 15:03:08 -0400:
REQUEST TO BE OUR COMPANY'S PAYMENT AGENT IN YOUR REGION
1954459122 ( 216.254.136.21 ) To: aupviolations[at]primus.ca
---------------------------------------------
Submitted: Friday 2006/10/06 12:13:41 -0400:
Mail delivery failed : returning message to sender
1954233714 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
------------------------------------------------
Submitted: Thursday 2006/10/05 21:52:53 -0400:
spam: =?ISO-8859-1?Q?ATTN: YOU WON =A31.5M (CLAIM IT NOW).?=
1954456583 ( 216.254.136.21 ) To: spamcop[at]imaphost.com
1954456574 ( 216.254.136.21 ) To: aupviolations[at]primus.ca
---------------------------------------------
Submitted: Friday 2006/10/06 09:02:03 -0400:
Mail delivery failed : returning message to sender
1953960092 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
---------------------------------------------
Submitted: Friday 2006/10/06 08:37:16 -0400:
MYSTERY SHOPPER WANTED EARN NO LESS THAN $ 500.00
1953925654 ( 216.254.136.21 ) To: aupviolations[at]primus.ca
---------------------------------------------
Submitted: Friday 2006/10/06 07:49:41 -0400:
Mail delivery failed : returning message to sender
1953862577 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
---------------------------------------------
Submitted: Friday 2006/10/06 00:55:52 -0400:
Mail delivery failed : returning message to sender
1953393459 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
-------------------------------------------------
Submitted: Thursday 2006/10/05 17:46:15 -0400:
Mail delivery failed : returning message to sender
1952968721 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
-------------------------------------------------
Submitted: Thursday 2006/10/05 16:26:44 -0400:
Mail delivery failed : returning message to sender
1952881542 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
---------------------------------------------------
Submitted: Wednesday 2006/10/04 23:29:04 -0400:
Mail delivery failed : returning message to sender
1951737240 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
---------------------------------------------------
Submitted: Wednesday 2006/10/04 16:24:05 -0400:
Mail delivery failed : returning message to sender
1951332937 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
---------------------------------------------------
Submitted: Wednesday 2006/10/04 07:34:17 -0400:
Mail delivery failed : returning message to sender
1950600067 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
---------------------------------------------------
Submitted: Wednesday 2006/10/04 03:05:59 -0400:
Mail delivery failed : returning message to sender
1950309905 ( 216.254.136.21 ) To: aupviolations[at]primus.ca
---------------------------------------------------
Submitted: Wednesday 2006/10/04 00:39:22 -0400:
Mail delivery failed : returning message to sender
1950149440 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
------------------------------------------------
Submitted: Tuesday 2006/10/03 20:54:58 -0400:
Mail delivery failed : returning message to sender
1949945431 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
------------------------------------------------
Submitted: Tuesday 2006/10/03 07:14:31 -0400:
NOTIFICA DEL PREMIO:CONGRATULAZIONI!!!
1948963158 ( 216.254.136.21 ) To: spamcop[at]imaphost.com
1948963153 ( 216.254.136.21 ) To: aupviolations[at]primus.ca
------------------------------------------------
Submitted: Tuesday 2006/10/03 07:04:11 -0400:
Mail delivery failed : returning message to sender
1948949337 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

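The Report History listings posted in this thread are easy to tabulate, and doing so makes DT's backscatter point measurable. As an added example, not part of this thread and not SpamCop's own tooling, the parser below splits a listing into submissions, classifies each as a UUBE (bounce) report or a direct spam report, tallies per source IP, and lists which report ids were addressed to a given mailbox. The sample listing is a constructed four-entry excerpt in the same layout as the ones above.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed excerpt in the layout of the SpamCop Report History listings
# quoted in this thread (four submissions; real listings are longer).
SAMPLE_HISTORY = """\
Submitted: Saturday 2006/10/07 18:58:23 -0400:
Mail delivery failed : returning message to sender
1956179132 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
------------------------------------------------
Submitted: Friday 2006/10/06 15:03:08 -0400:
REQUEST TO BE OUR COMPANY'S PAYMENT AGENT IN YOUR REGION
1954459122 ( 216.254.136.21 ) To: aupviolations[at]primus.ca
---------------------------------------------
Submitted: Thursday 2006/10/05 21:52:53 -0400:
spam: =?ISO-8859-1?Q?ATTN: YOU WON =A31.5M (CLAIM IT NOW).?=
1954456583 ( 216.254.136.21 ) To: spamcop[at]imaphost.com
1954456574 ( 216.254.136.21 ) To: aupviolations[at]primus.ca
---------------------------------------------
Submitted: Wednesday, September 27, 2006 11:59:56 AM -0500:
BE OUR COMPANY REPRESENTATIVE IN YOUR REGION
1940795740 ( 216.254.141.10 ) To: spamcop[at]imaphost.com
1940795731 ( 216.254.141.10 ) To: aupviolations[at]primus.ca
1940795728 ( 216.254.136.21 ) To: aupviolations[at]primus.ca
"""

# One report line: "<report id> ( <ip> ) [( UUBE )] To: <mailbox>"
REPORT_LINE = re.compile(
    r"^(?P<report_id>\d+)\s+\(\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*\)"
    r"(?P<uube>\s+\(\s*UUBE\s*\))?\s+To:\s+(?P<to>\S+)"
)


def parse_history(text: str) -> List[Dict[str, object]]:
    """Split a listing into submissions: one per 'Submitted:' header, each with
    its subject line and the report lines (one per recipient) beneath it."""
    entries: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:      # blank or dashed separator
            continue
        if line.startswith("Submitted:"):
            current = {"submitted": line[len("Submitted:"):].strip().rstrip(":"),
                       "subject": None, "reports": []}
            entries.append(current)
            continue
        if not current:
            continue
        m = REPORT_LINE.match(line)
        if m:
            current["reports"].append({
                "report_id": m.group("report_id"),
                "ip": m.group("ip"),
                "uube": m.group("uube") is not None,
                "to": m.group("to").replace("[at]", "@"),
            })
        elif current["subject"] is None:
            current["subject"] = line
    return entries


def classify(entry: Dict[str, object]) -> str:
    """'uube' when the reporter flagged a bounce as unwanted (backscatter) or the
    subject is the Exim bounce text; otherwise a direct 'spam' report."""
    if any(r["uube"] for r in entry["reports"]):
        return "uube"
    if str(entry["subject"] or "").lower().startswith("mail delivery failed"):
        return "uube"
    return "spam"


def summarize(entries: List[Dict[str, object]]) -> Dict[str, Counter]:
    """Per source IP, how many submissions were backscatter versus direct spam."""
    per_ip: Dict[str, Counter] = defaultdict(Counter)
    for entry in entries:
        kind = classify(entry)
        for ip in {r["ip"] for r in entry["reports"]}:
            per_ip[ip][kind] += 1
    return dict(per_ip)


def reports_to(entries: List[Dict[str, object]], mailbox: str) -> List[str]:
    """Report ids addressed to one mailbox, e.g. the ISP's abuse contact."""
    return [r["report_id"] for e in entries for r in e["reports"] if r["to"] == mailbox]


if __name__ == "__main__":
    parsed = parse_history(SAMPLE_HISTORY)
    for ip, counts in summarize(parsed).items():
        print(ip, dict(counts))
    print("seen by abuse desk:", reports_to(parsed, "aupviolations@primus.ca"))
```

Run over the later listings in this thread, the entries addressed to uube[at]devnull.spamcop.net outnumber the direct spam reports, which is why DT points at misdirected bounces rather than a single spammer. Those UUBE reports are discarded unless the ISP opts in to receive them (the point of the last post), so the ids addressed to the abuse mailbox are the only part of the history the ISP's abuse desk has actually been sent.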