andrew.badge

Blocked address for NATted firewall (small ISP)

Hi Guys,

Background:

We run a small "virtual" ISP for pharmacy (retail) businesses.

Most clients are NATted behind FortiGate firewalls but some demand public IPs.

Note: it's currently very hard to get public IPs so NATting is an easy choice.

However most SMTP traffic comes out of one IP (210.11.58.16), hence we are vulnerable to any spam from the 3000 sites behind this address.

Our details:

Blocked IP: 210.11.58.16

Actions performed:

We changed the outgoing SMTP rules to "drop" any detected spam messages instead of just marking them as spam.

Several questions:

How do you register your admin details for an IP address / range?

Our range is owned by a large telco (connect.com.au). The SPAMCOP "potential admin address" listed the connect.com.au address, however they don't care about our issue. How can I get SPAMCOP's list to know we're the admins for that IP range?

How sensitive is the blocking?:

According to the daily report, we've sent 24 messages to the trap since the 6th.

I would not think this is a huge amount as we blocked about 30 a minute on the firewall.

Are the details even correct?

Viewing the report, the % increase changes on each refresh, although the message states SPAMCOP has not received a message in the last 4 hours. How accurate/inaccurate is this stuff???

Are detected spam counted?

I noticed some reports listed "detected" spam where our servers listed [spam] in the header with an explanation? Is the only safe option to drop spam messages (not just mark the subject or MIME header)?

I thought this was not good practice (for false positives)?

How can I get details of the alleged spam?

I don't seem to be able to find any evidence of activity (from SPAMCOP) apart from a "count". What details can I get to help track the messages?


I am not going to be very helpful to you because I am not a server admin, but I might be able to give you some information.

First of all, SPAM is the Hormel trademark for its meat product. spam is unsolicited email.

Actions performed:

We changed the outgoing SMTP rules to "drop" any detected spam messages instead of just marking them as spam.

IIUC, what you were doing before was sending messages marked as 'spam' to other people? Usually, I think, incoming email is tagged as 'spam'. Any outgoing messages that look like spam are dropped and the account closed.

Are detected spam counted?

I noticed some reports listed "detected" spam where our servers listed [spam] in the header with an explanation? Is the only safe option to drop spam messages (not just mark the subject or MIME header)?

I thought this was not good practice (for false positives)?

The 'detected' spam in the headers was probably placed there by the incoming server of the reporter's email service. The reporter then reported it via spamcop. Many people prefer to 'tag' incoming email as spam to avoid false positives. Myself, I prefer that it be returned at the server level so that the sender knows it wasn't delivered. (It can't be returned after acceptance because the spammer has forged the return path.)

How can i get details of the alleged spam?

I don't seem to be able to find any evidence of activity (from SPAMCOP) apart from a "count". What details can i get to help track the messages?

You mentioned a 'report' above. If the server admin who is getting the reports is passing them on to you, then you should have the entire headers and be able to identify whoever is getting reported. Perhaps you have a rogue pharmacy (one of the more popular spams) or a compromised computer on your network since you are identifying outgoing mail as spam.

Generally, however, the problem is spam trap hits and spam traps do not send reports. The spam trap hits come from misdirected bounces and other auto replies. If some of your clients are using out of office replies indiscriminately and notifying all those forged addresses, that could account for being blocked. You won't get any details about spam trap hits except the subject line or information except what type of auto reply it looks like.

The rest of your questions would be better answered by someone else.

Miss Betsy


First of all, SPAM is the Hormel trademark for its meat product. spam is unsolicited email.

Thanks for that useful bit of information. I did assume most people on this forum were not looking for a meat fix, but were intelligent human beings. How wrong was I!

IIUC, what you were doing before was sending messages marked as 'spam' to other people?

Because these blacklists are NOT perfect and legitimate emails might get blocked. Hence why I am posting this message. We don't manage the server doing the sending but provide the network they send via. I understand the reason for blocking the marked messages, but a flawed method is still a flawed method, no matter how you justify it.

The spam trap hits come from misdirected bounces and other auto replies.

So basically the system is easily mistaken as it only takes into account the messages that hit the trap, not proportional to the legitimate traffic from that IP. right?

24 messages in 3 days doesn't seem to be a reason to disrupt my business.

Edited by andrew.badge


Perhaps you have a rogue pharmacy (one of the more popular spams) or a compromised computer on your network since you are identifying outgoing mail as spam.

More than likely. I have scheduled techs to visit a few sites with high SMTP traffic to check their systems, but again..

we have around 3000 sites using this firewall with an average of 5 PCs per site.

We sent 24 messages to the trap in 3 days.

15000 PCs sending 24 messages in 3 days?

Do we get notification when we are blocked? No.

Do we get any/sufficient warning to prevent an issue? No

Once a mistake is found, can our IP be quickly removed from the list? No

We're doing our best to react to issues as they appear but incidents like this only force our clients to presume it's the anti-spam systems that are at fault.

Hence they request to be completely unfiltered on public IPs. How is this better?


Thanks for that useful bit of information. I did assume most people on this forum were not looking for a meat fix, but were intelligent human beings. How wrong was I!

No, because Hormel protect their trademark, Miss Betsy was simply acknowledging their rights in the capitalised version of the word.

Because these blacklists are NOT perfect and legitimate emails might get blocked. Hence why I am posting this message. We don't manage the server doing the sending but provide the network they send via. I understand the reason for blocking the marked messages, but a flawed method is still a flawed method, no matter how you justify it.

So basically the system is easily mistaken as it only takes into account the messages that hit the trap, not proportional to the legitimate traffic from that IP. right?

24 messages in 3 days doesn't seem to be a reason to disrupt my business.

The system reports:

210.11.58.16 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 21 hours.

Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

That suggests you have a continuing problem with misdirected messages reaching spam traps. So, either your mail servers are sending junk to spam trap addresses or you are accepting messages from spammers and then bouncing them back to the forged addresses in their headers. Either will get your ip added to the blocklist. Based on that listing other ISPs are choosing to reject any Email arriving from your ip.

Senderbase statistics show a large change in the volumes of mail passing through your ip. That may indicate a wider problem.

Volume Statistics for this IP

                  Magnitude   Vol Change vs. Average
Last day          4.2         742%
Last 30 days      3.3         -8%
Average           3.3

Have you seen the FAQ entry on misdirected bounces? http://www.spamcop.net/fom-serve/cache/329.html

If you address that problem then you may well find you resolve the issue completely. You need to drop any spam and all undeliverable messages at the SMTP stage rather than bounce them back.

Andrew


Guys (and girls) ...thanks again for the trademark lesson, but can we keep to the topic please.

I have blocked all outgoing spam messages. Apart from stopping all SMTP traffic from my clients (or reading each email), what else can I do?

Our Fortigate clients update (at least) hourly, so 99.999% of spam (you'll note the lowercase) will be blocked.

How can I get updated statistics to ensure the measures are working at SPAMCOP's end?

You mentioned a 'report' above.

I generated the report manually after finding our IP blocked. No one sent it to me.

This is what it says:

210.11.58.16 Nov 6 06h/1 24 0 0 0 blocklisted

nus138540-5.gw.connect.com.au

This is basically all the information I've got to go by. I've only got one report (I chose the hourly option).


I would suggest that you are pulling bits of facts in from all over the place and trying to use enough of them to try to start some kind of argument. That's pretty much a lost cause.

There is the SpamCop FAQ available here that a lot of folks spent time on trying to build and populate with answers to Frequently Asked Questions. You make it appear that none of that was looked at before posting.

One of those FAQ items is titled "What's on the list?" .... I suggest you take a look at that before continuing to try to waste everyone else's time in here.

Are you going to try to address the traffic increase noted by agsteele?

The ISP Account / Control Center / Summary Report has become such an issue that a Wiki page was created last week to address some of those issues.

Are you going to try to address the traffic increase noted by agsteele?

Our 30 day average is down 8%. It's only the last day that has increased.

I have blocked multiple clients completely.

I have changed all outgoing rules to drop messages.

I'd love to get ANY details on this so I could address it.

I need information on what SPAMCOP is seeing, especially recently.

Are the changes having any effect? I have to wait 24 hours to see if a single percent value is going up or down...not really proactive?

Are you going to try to address the traffic increase noted by agsteele?

Note: the traffic leaving the firewall has dropped dramatically (5% of this morning AEST)

However i haven't seen a drop in the percentage reported.

Is the "day" calendar day based or a rolling period?

Is the "day" for US timezones only?

I hope these questions are not wasting your time. I searched the FAQ and could not find any helpful answers.


Question:

Lookup julianhaight.com (same IP address as bl.spamcop.net) and it has a 1205% increase in the last day.

yet it is not blocked.

How do they get around it?

Note: I found this while checking the IP 216.127.43.94 (which bl.spamcop.net resolves to).


You are looking at SenderBase data. You are then complaining about SpamCop.net data. Notice how the spelling changed between those two company names.

"last 24 hours" does usually indicate some correlation to "a day" in most parts of the world.

I can't guess at what you might mean by "search the FAQ and can't find any helpful answers" .... compounded by then asking more questions that are in fact within the previously referenced FAQ, Wiki, etc.

If "What's on the list?" didn't help, what about the "Why am I Blocked?" entry, also available as a separate Pinned item?

Your answer on the increased traffic seen in the last 24 hours really doesn't say much .... what was that massive increase all about? (again, trying to relate it from your perspective to "24 spamtrap hits")

You are looking at SenderBase data. You are then complaining about SpamCop.net data. Notice how the spelling changed between those two company names.

Sorry I was replying to the quoted statistics you and Andrew provided (which were from SenderBase).

I can't actually find any stats or details for SPAMCOP.

I understand why the IP was blocked and hopefully fixed the issue.

But I would now like to move forward with determining whether the fixes have worked.

I have blocked multiple clients completely.

I have changed all outgoing rules to drop messages.

That's good. Thanks for the information. Have you contacted deputies[at]spamcop.net to check the messages that are hitting spam traps? If they are satisfied that you have fixed the problems then they can sometimes be persuaded to de-list your ip early.

They can also provide a general indication of the nature of the messages received.

Note: the traffic leaving the firewall has dropped dramatically (5% of this morning AEST)

However I haven't seen a drop in the percentage reported.

The percentages I referred to are from SenderBase rather than SpamCop. I believe that the algorithms for calculating what will happen to your listing and when are different on Senderbase.

Is the "day" calendar day based or a rolling period?

Is the "day" for US timezones only?

This is a good question and which, sadly, I don't have an answer to. I see that the daily increase on Senderbase hasn't changed since my earlier post. The SenderBase pages give a general explanation of how the calculations work but little else. Of course, if averaging is involved then even a 100% reduction in traffic will only reduce the average by half. But the question is a good one to understand the information provided.

I understand the SpamCop calculations are dynamic and respond to the number of reports received and spam trap hits recorded.

You may wish to know that you are also now listed on the CBL blocklist - http://cbl.abuseat.org/lookup.cgi?ip=210.11.58.16 but it looks like you'll delist very soon.

I see your SCBL time out has increased by an hour to 22 hours so that suggests you are still bouncing stuff which is hitting spam traps. I'd suggest the deputies would be the best port of call for information on the messages involved.

Andrew


Thanks for your help Andrew.

I'm hoping the "day" period is calendar based so it will reset after midnight (US time I assume).

It hasn't moved since all the changes made.

CBL blocklist

Yeah. the CBL list is on and off this afternoon. We're off the list, but SenderBase still lists us as on.

If you know of any further details /stats for SPAMCOP, can you list them here?

These are the only details I have:

http://www.spamcop.net/w3m?action=checkblo...ip=210.11.58.16

It only mentions that "22 hours" timeframe.
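The checkblock page quoted in this thread is the web front end for a DNSBL lookup: the address's octets are reversed, the zone name is appended, and an A record in 127.0.0.0/8 (127.0.0.2 for bl.spamcop.net, as shown in the listing above) means "listed". The following is an added example, not code from the thread or from SpamCop, that scripts that lookup so a delisting is noticed by a monitor rather than by refreshing a page; the resolver is pluggable so it runs offline, and the "invalid" status for answers outside 127/8 is a caveat for zones that have gone dead and wildcarded.

```python
import ipaddress
import socket

# From the thread: bl.spamcop.net answered 127.0.0.2 for 210.11.58.16 while it was listed.
SPAMCOP_ZONE = "bl.spamcop.net"
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")   # every genuine DNSBL answer lives here

def dnsbl_query_name(ip, zone=SPAMCOP_ZONE):
    """Reverse the octets and append the zone: 210.11.58.16 -> 16.58.11.210.bl.spamcop.net"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # ValueError if not an IPv4 address
    return ".".join(reversed(octets)) + "." + zone

def system_resolve(name):
    """Default resolver: the A record as a string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_listing(ip, zone=SPAMCOP_ZONE, resolve=system_resolve):
    """One DNSBL lookup. Returns the query made and how to read the answer.

    status is 'listed' (answer inside 127.0.0.0/8), 'clear' (NXDOMAIN) or
    'invalid' (an answer outside 127/8, which is what a dead or wildcarded
    zone returns and which must not be treated as a listing).
    """
    name = dnsbl_query_name(ip, zone)
    answer = resolve(name)
    if answer is None:
        status = "clear"
    elif ipaddress.IPv4Address(answer) in LISTED_NET:
        status = "listed"
    else:
        status = "invalid"
    return {"ip": ip, "zone": zone, "query": name, "answer": answer, "status": status}

def listing_changes(history):
    """Given successive check_listing() results for one address, return the
    (old, new) status transitions: the events a monitor would alert on."""
    statuses = [h["status"] for h in history]
    return [(a, b) for a, b in zip(statuses, statuses[1:]) if a != b]
```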

If you know of any further details /stats for SPAMCOP, can you list them here?

Because the hits are linked to spam traps you'll need to contact the deputies. Even paying contributors don't have access to greater detail.

You could sign up for an ISP account but that really doesn't provide a great deal more information :-(

Andrew

I understand why the IP was blocked and hopefully fixed the issue.

But I would now like to move forward with determining whether the fixes have worked.

Since those of us on the forum can only see the same data you see, there is no way that we can help you here. A lot of the data is 'not there' because spammers were using it to game the algorithm and the deputies will not tell you anything more about spam trap hits, apparently, than the subject line and what type of email is causing it.

As someone told you, the paid deputies are the only ones who can give you any help in determining if the problem has been fixed without waiting to see if the IP address delists and then if it relists. Be sure you load your first email to them with all the data that they might need and also that you show that you are the admin in charge of the IP address.

I sure hope that you have found the problem and fixed it. A spamcop listing is often an early warning system that something has gone wrong and, if the problem is addressed, prevents a listing on other lists which are not dynamic.

Miss Betsy

PS I know the correction about the Hormel trademark seems off topic, but they have been really good sports about their trademark being used for unsolicited email and just ask the difference in capitalization.


Ok, you still haven't addressed the misdirected bounce scenario which is the most likely cause of your listing, so I will ask the question directly. What happens if I send a message to one of your customers' domains to a non-existent address?

Do you reject it during the SMTP transaction with a 500 error, guaranteeing that it goes to the original sending server?

Do you accept the message, and then generate a new message to the (probably forged) "FROM" address stating that it wasn't delivered?

If you are doing the latter, then those non-delivery messages are going to people who didn't initiate any communication and are by definition unsolicited and reportable, and are almost guaranteed to cause you to be listed in numerous blocklists.

Note: I tried testing this, but 210.11.58.16 does not accept incoming connections on port 25, so I'm guessing incoming mail is handled by a different server than the outgoing. Which could still indicate a problem if the bounces are routed through the regular outgoing email. I would be happy to test the bounce behavior if you provide me with the IP for the incoming SMTP server.

You are now also listed on the UCEProtect.net blocklist

http://www.uceprotect.net/en/rblcheck.php?ipr=210.11.58.16

Edited by Telarin
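The two behaviours Telarin asks about are the whole difference between a clean receiving server and a backscatter source. The following is an added example, not code from the thread or from any mail software, that simulates the receiving side of one SMTP transaction under each policy; the domain, mailbox names and transcript are constructed. Under "reject_at_rcpt" the unknown recipient draws a 550 inside the transaction and the host never originates a message; under "accept_then_bounce" a non-delivery report is created for the forged envelope sender, which is exactly what reaches a spam trap.

```python
import re

# Constructed stand-ins for a customer domain and the mailboxes that exist on it.
LOCAL_DOMAIN = "pharmacy.example"
KNOWN_MAILBOXES = {"orders", "postmaster"}
_ADDR = re.compile(r"<([^>]*)>")

def _address(cmd):
    """Envelope address from MAIL FROM:<...> / RCPT TO:<...>; '' is the null sender."""
    m = _ADDR.search(cmd)
    return m.group(1).strip().lower() if m else ""

def _deliverable(addr):
    local, _, domain = addr.partition("@")
    return domain == LOCAL_DOMAIN and local in KNOWN_MAILBOXES

def smtp_session(client_lines, policy="reject_at_rcpt"):
    """Simulate the receiving MTA for one transaction (no network involved).

    'reject_at_rcpt'     : unknown recipient gets a 550 inside the transaction, so
                           the sending server owns the failure and nothing new is sent.
    'accept_then_bounce' : every RCPT is accepted and a non-delivery report is
                           generated afterwards to the (forgeable) envelope sender.
    Returns (responses, bounces); bounces are messages this host would originate.
    """
    responses, bounces = ["220 mx.pharmacy.example ESMTP"], []
    sender, accepted, unknown, in_data = "", [], [], False
    for line in client_lines:
        if in_data:
            if line == ".":
                in_data = False
                responses.append("250 2.0.0 Ok: queued")
                # RFC 5321 4.5.5: a DSN is never sent to the null sender <>.
                if policy == "accept_then_bounce" and sender:
                    bounces += [{"to": sender, "undeliverable": r} for r in unknown]
            continue
        verb = line.split(":")[0].split(" ")[0].upper()
        if verb in ("EHLO", "HELO"):
            responses.append("250 mx.pharmacy.example")
        elif verb == "MAIL":
            sender, accepted, unknown = _address(line), [], []
            responses.append("250 2.1.0 Ok")
        elif verb == "RCPT":
            rcpt = _address(line)
            if _deliverable(rcpt):
                accepted.append(rcpt)
                responses.append("250 2.1.5 Ok")
            elif policy == "accept_then_bounce":
                unknown.append(rcpt)          # accepted now, bounced later: backscatter
                responses.append("250 2.1.5 Ok")
            else:
                # Permanent rejection: the remote MTA tells its own user; we send nothing.
                responses.append(f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown")
        elif verb == "DATA":
            if accepted or unknown:
                in_data = True
                responses.append("354 End data with <CR><LF>.<CR><LF>")
            else:
                responses.append("554 5.5.1 Error: no valid recipients")
        elif verb == "QUIT":
            responses.append("221 2.0.0 Bye")
        else:
            responses.append("502 5.5.2 Error: command not recognized")
    return responses, bounces

# Constructed transcript: spam with a forged envelope sender, aimed at a mailbox
# that does not exist on the customer domain.
FORGED_SPAM = ["EHLO spammer.example", "MAIL FROM:<victim@innocent.example>",
               "RCPT TO:<nosuchuser@pharmacy.example>", "DATA",
               "Subject: cheap pills", "", "body", ".", "QUIT"]

def backscatter_count(transcript, policy):
    """How many messages this host would send to third parties under the policy."""
    return len(smtp_session(transcript, policy)[1])
```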


Data point: 1500 GMT -6

http://spamcop.net/w3m?action=checkblock&ip=210.11.58.16

210.11.58.16 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 12 hours.

Still only showing spamtrap hits as the issue.

http://www.senderbase.com/?searchBy=ipaddr...ng=210.11.58.16

Volume Statistics for this IP

                  Magnitude   Vol Change vs. Average
Last day          4.2         744%
Last 30 days      3.3         -9%
Average           3.3

Traffic is still "up" .. actually increased a bit since the last data seen/posted.

Who is actually in 'control' of that server? The firewall?

Just noting that the 'decrease' you've noted in firewall traffic doesn't seem to match the SenderBase data ... so where else might traffic be leaving this IP address that is bypassing the firewall?


Yet another data point;

Report on IP address: 210.11.58.16

Volume Statistics for this IP

                  Magnitude   Vol Change vs. Average
Last day          4.3         782%
Last 30 days      3.3         -6%
Average           3.3

traffic still going up ...?????

traffic still going up ...?????

Yes, I asked for an explanation/report. We only have 1 hour before we're delisted on SPAMCOP so that indicates the changes we made yesterday fixed the issue.

However some systems may continue to report our ip for a time to come.

FYI: SPAMCOP emailed me the email title. I traced the issue to 7 emails sent from one site.

The tech found 5 viruses on one of their PCs (a POS register) which are now removed.

Along with the other changes made to our policies I can assure you we will be delisted once the backlog settles down.

Also FYI:

We are listed on two blacklists currently, SPAMCOP and UCEPROTECT1

http://www.dnsstuff.com/tools/ip4r.ch?ip=210.11.58.16

However UCE only delist after 1 week or if you pay them.

So again I think it may just take time for old traffic reports to disappear.

FYI: SPAMCOP emailed me the email title. I traced the issue to 7 emails sent from one site.

The tech found 5 viruses on one of their PCs (a POS register) which are now removed.

Along with the other changes made to our policies I can assure you we will be delisted once the backlog settles down.

7 e-mails????

Once again, I point to the FAQ that you could find nothing of value in .... SenderBase's "Magnitude" Explained ..... a Volume of 4.3 equates to something over 20,000+ e-mails a day ...???? Pretty darn hard to work your 7 and the 20,000 into the math found at What is on the list? .... same information available on the SCWiki, in a bit of a different format, seeing as how you don't like the FAQ ....

and just in the time it took me to make this post (and edit it) ...

Volume Statistics for this IP

                  Magnitude   Vol Change vs. Average
Last day          4.3         783%
Last 30 days      3.3         -6%
Average           3.3

Still on the rise .....

7 e-mails????

Yes, SPAMCOP listing is based on traps, and yes there have only been 7 emails with that title sent in the last week to the trap. This will not be indicative of the volume as a whole, but of the count of messages that caused the issue.

SenderBase is a different thing. I haven't got any details to go on from them apart from the %.

I agree their rating would be on different metrics, but I've got no details.

It would be great if you could drill down to an hour by hour count/percentage or at least provide a trend.

Of course their rating is also based on reports not traps (??), so an email sent last week could still be reported today?

I await their reply.

Yes, SPAMCOP listing is based on traps, and yes there have only been 7 emails with that title sent in the last week to the trap. This will not be indicative of the volume as a whole, but of the count of messages that caused the issue.

Geeze ..... spamtrap hits are but one variable in the formula .....

SenderBase is a different thing. I haven't got any details to go on from them apart from the %.

I agree their rating would be on different metrics, but I've got no details.

The FAQ, the Wiki, etc. etc. etc. never mind web-sites ... SenderBase data is yet another variable in the formula

It would be great if you could drill down to an hour by hour count/percentage or at least provide a trend.

Of course their rating is also based on reports not traps (??), so an email sent last week could still be reported today?

????? "trend" is still going up ... listing on the SpamCopDNSBL is based on the math involved of the 'total traffic seen' and the traffic reported/spamtrap hits .... this information is available in many FAQ entries .... all you are really saying thus far is that the spamtrap addresses are not currently being hit .. you haven't said squat about any justification for the traffic increase, suggesting that there is still an issue, evidence being somewhere you've not looked at yet ....

you haven't said squat about any justification for the traffic increase, suggesting that there is still an issue, evidence being somewhere you've not looked at yet ....

Listen DH. I have turned off every NRD, auto reply possible. I have added tarpits.

I have blocked every client completely. I have blocked ALL outgoing SMTP.

I have had techs visit sites to ensure they have up to date protection.

I have NO evidence that the statistics are current or just a delayed effect. I have queried SenderBase about this. No reply yet.

As you noted in the previous posts, this is different to SPAMCOP.

YES I have acknowledged we had a problem but I can only assume it is fixed. Hence our pending delisting on SPAMCOP (any minute now).

If you haven't got anything helpful to provide, please do not reply to this post.

I am not finding your replies very helpful or proactive.
