andrew.badge

Blocked address for NATted firewall (small ISP)


0433 GMT -6

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 4.3 784%

Last 30 days 3.3 -6%

Average 3.3

0504 GMT -6

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 4.3 787%

Last 30 days 3.3 -6%

Average 3.3

It would be great if you could drill down to an hour by hour count/percentage or at least provide a trend.

Of course their rating is also based on reports not traps (??), so an email sent last week could still be reported today?

An email sent last week would not 'count' on the scbl. The algorithm for the scbl only counts reports (whether from spam traps or reporters) dynamically, in real time, according to the date stamp of when it was sent. Therefore if you have fixed the problem and no more unsolicited emails are being sent, then the delisting process will start. AFAICT, it works by hours (not days). IIRC, there is a lag between what the bl that is used does and what the screen says of whether it is still listed when it gets down to the last few hours. I didn't understand the explanation of why that was so.

I understand your frustration at being listed. However, you have to admit that being listed was a good thing because you were able to clean several computers of viruses. I do hope that the Senderbase stats that Wazoo has posted don't mean that you missed one or two.

Miss Betsy

I do hope that the Senderbase stats that Wazoo has posted don't mean that you missed one or two.

Thanks Miss Betsy

Although we have full antivirus and spam scanning active on all ports, we have basically blocked all client services.

They can only use the proxy and our DMZ mail server (which all ports are actively scanned with FortiGate and reported on using FortiAnalyzer).

Out of 15000 PC at client site, it's inevitable that another will get a virus (no matter what we do at the network edge). However all ports are blocked so it shouldn't cause further issues (note before we noticed it anyway).

Believe me, I've had directors and store owners complaining to me all day about the new restrictions, so I know it's working.

I also checked reports from the Network (connect.com.au) and they back me up that the traffic has reduced (to normal levels).

Again. Hence why I have attempted to contact SenderBase to get some details of detected messages to investigate.

Note: we are now delisted with SPAMCOP, so I assume this topic is closed.


0705 GMT -6

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 4.3 792%

Last 30 days 3.3 -6%

Average 3.3


And up yet another point at this d/t. Something strange with SenderBase? Considering http://www.dnsstuff.com/tools/ip4r.ch?ip=210.11.58.16+ shows just one other DNSBL http://www.uceprotect.net/en/rblcheck.php?ipr=210.11.58.16 which offers up the (days old, I guess) data

spam Database Query

Processing your request...

Please wait...Actual Status for 210.11.58.16 at UCEPROTECT-Network:

--------------------------------------------------------------------------------

UCEPROTECT-Network Level 1:

IP 210.11.58.16 is blacklisted at UCEPROTECT Level 1

This means spamtraps were hit from this IP directly within the last 7 days.

Find out, which UCEPROTECT-Server did list your IP and for what reason.

To do this, grep your logs (last 8 days) for following expression:

UCEPROTECT-Policy Server

All you need to know should be inside those logfiles.

If this is not your IP, but your providers server we recommend:

Please send a compliant to your provider and request him to fix this problem immediatly.

Think about this: You pay him for, that you can use the internet without problems.

For Informations how to get off our Level 1 follow this link

Maybe that would have been useful a day or two ago. But note, again, spamtraps being hit.

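The UCEPROTECT lookup quoted above says to grep the last 8 days of logs for "UCEPROTECT-Policy Server". Behind a NATted address the useful next step is mapping each such rejection back to the internal client that submitted the message; the sketch below is an added example, not part of the thread, and assumes Postfix-style logs on the outbound relay, with constructed sample lines, hosts, queue IDs and rejection wording.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

MARKER = "UCEPROTECT-Policy Server"   # expression the listing page says to grep for
NOW = datetime(2006, 11, 10, 12, 0)   # constructed "current time" for the sample

# Constructed Postfix-style lines; hosts, queue IDs and reply wording are invented.
SAMPLE_LOG = """\
Oct 30 09:12:40 dmz-mail postfix/smtpd[1811]: 1F00AA01: client=pc-0977.store.example[10.20.9.77]
Oct 30 09:12:44 dmz-mail postfix/smtp[1820]: 1F00AA01: to=<a@rcpt.example>, relay=mx.rcpt.example[192.0.2.25]:25, dsn=5.7.1, status=bounced (host mx.rcpt.example[192.0.2.25] said: 550 5.7.1 Rejected by UCEPROTECT-Policy Server)
Nov  7 23:58:02 dmz-mail postfix/smtpd[2101]: 4A1B2C3D: client=pc-0412.store.example[10.20.4.12]
Nov  7 23:58:04 dmz-mail postfix/smtp[2110]: 4A1B2C3D: to=<b@rcpt.example>, relay=mx.rcpt.example[192.0.2.25]:25, dsn=5.7.1, status=bounced (host mx.rcpt.example[192.0.2.25] said: 550 5.7.1 Rejected by UCEPROTECT-Policy Server)
Nov  8 01:14:10 dmz-mail postfix/smtpd[2101]: 5B2C3D4E: client=pc-0412.store.example[10.20.4.12]
Nov  8 01:14:13 dmz-mail postfix/smtp[2110]: 5B2C3D4E: to=<c@rcpt.example>, relay=mx.rcpt.example[192.0.2.25]:25, dsn=5.7.1, status=bounced (host mx.rcpt.example[192.0.2.25] said: 550 5.7.1 Rejected by UCEPROTECT-Policy Server)
Nov  8 01:15:00 dmz-mail postfix/smtpd[2101]: 6C3D4E5F: client=pc-0730.store.example[10.20.7.30]
Nov  8 01:15:02 dmz-mail postfix/smtp[2110]: 6C3D4E5F: to=<d@ok.example>, relay=mx.ok.example[192.0.2.40]:25, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7C21D)
Nov  8 01:20:00 dmz-mail postfix/smtpd[2101]: 7D4E5F60: client=pc-0730.store.example[10.20.7.30]
Nov  8 01:20:03 dmz-mail postfix/smtp[2110]: 7D4E5F60: to=<e@ok.example>, relay=mx.ok.example[192.0.2.40]:25, dsn=5.1.1, status=bounced (host mx.ok.example[192.0.2.40] said: 550 5.1.1 User unknown)
"""

CLIENT_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/smtpd\[\d+\]: (\w+): client=\S*\[([^\]]+)\]")
DELIV_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/smtp\[\d+\]: (\w+): ")

def parse_ts(stamp, now):
    """Syslog stamps carry no year: use now's year, or the previous one if that lands in the future."""
    ts = datetime.strptime(f"{now.year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts.replace(year=now.year - 1) if ts > now else ts

def marker_hits(log_text, now, days=8):
    """Count MARKER rejections per submitting internal client within the last `days` days."""
    cutoff = now - timedelta(days=days)
    clients, hits = {}, Counter()
    for line in log_text.splitlines():
        m = CLIENT_RE.match(line)
        if m:                                   # remember which client owns this queue ID
            clients[m.group(2)] = m.group(3)
            continue
        m = DELIV_RE.match(line)
        if m and MARKER in line and parse_ts(m.group(1), now) >= cutoff:
            hits[clients.get(m.group(2), "unknown")] += 1
    return hits

if __name__ == "__main__":
    for ip, count in marker_hits(SAMPLE_LOG, NOW).most_common():
        print(f"{ip}\t{count} rejection(s) citing {MARKER}")
```
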
(days old, I guess) data

Maybe that would have been useful a day or two ago.

Reading other people's posts and I noted they get all sorts of strange values out of SenderBase.

I can only guess that it takes time to collect and compile their "3 billion messages daily".

Unless they have a farm of servers that make Google look small??

It's valuable data, but at this point it's just a single percentage figure that I've got no data for.

It's a shame they don't have any forums themselves.

Just got a reply from IronPort.

Having taken a look at your situation, I have noticed that there's still reports of spam coming from the IP space you're on, as recently as yesterday (Wednesday, Nov 8, 2006).

Being the 10th now, it suggests their data is not realtime but delayed.

They also haven't indicated any further data since the 8th so once again I can only presume the issue is resolved.

I'm a bit disappointed that's all they said.

I requested at least one message header to help track the source, but they didn't supply anything but their "comments".

<snip>

Just got a reply from IronPort.

Having taken a look at your situation, I have noticed that there's still reports of spam coming from the IP space you're on, as recently as yesterday (Wednesday, Nov 8, 2006).
Being the 10th now, it suggests their data is not realtime but delayed.
...Not necessarily true. IronPort HQ is in the US, and it's still 9 November here.
I requested at least one message header to help track the source, but they didn't supply anything but their "comments".
...Information about spam hitting SpamCop spam traps is available only from the SpamCop Deputies (deputies[at]admin.spamcop.net) and as I understand it they will not give you full headers because they must protect the integrity of their spam traps.

Not necessarily true. IronPort HQ is in the US, and it's still 9 November here

Either way, it's not real time.

the 8th is when the issue was fixed.

the 8th is when i started this post.

seems like years ago.

they must protect the integrity of their spam traps

It's not SPAMCOP I requested information from, but SenderBase.

According to their "help" information they compile data from 50,000 ISPs and then collate the information.

Anyone thinking they do this in realtime is fooling themselves.

They do not use traps but messages from ISPs.

They are not a blacklist (according to their Help), so they have nothing to protect.


1550 GMT -6

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 4.3 823%

Last 30 days 3.3 -5%

Average 3.3


Spoke to Patrick from SenderBase.

He emailed me the header from the recent messages.

The timestamp is 08 Nov 2006 01:xx:xx with exactly the same title ("SmallCap vvatch") as tripped SPAMCOP.

Once again, shows the data is still based on the initial outbreak.


This is really getting old ... SenderBase monitors/reports 'traffic' .. SenderBase does not handle SpamCop.net reports (unless they are the recipient of a specific report) ... SenderBase data is just one variable used on the calculation of the tripping point of a SpamCopDNSBL listing, which has nothing to do with SenderBase displayed data.

The traffic reports noted thus far are "real time". Traffic from that IP address is still on the increase, despite your statement that "all SMTP traffic was stopped" (which you then changed a post or two later).

What has yet to be noted is that how, even with all the things you say you've done, traffic could have gone from the approximately 2,000+ e-mails a day to 20,000+ a day, and is still increasing. On one hand, it could be that due to your restrictions, more e-mail is being funneled to/through that server because you shut down so many other paths. On the other, as previously suggested, it may be that you have not found the source of these extra thousands of e-mails a day ....

According to their "help" information they compile data from 50,000 ISPs and then collate the information.

Curious as to where you found this data, this explanation .... that number is nowhere close to other data they provide. Collecting/collating is real time.

Anyone thinking they do this in realtime is fooling themselves.

They do not use traps but messages from ISPs.

Once again, where did you find this information? Monitoring "traffic" is not done by "messages from ISPs"

They are not a blacklist (according to their Help), so they have nothing to protect.

They also would have to ask SpamCop.net for data dealing with a SpamCopDNSBL listing.

This is really getting old

Please stop replying to this post unless you have something productive to add.

I'm quite capable of reading a single percentage figure.

Please stop replying to this post unless you have something productive to add.

<snip>

...Sorry, this is a public forum. You don't get to determine who may and who may not reply. Besides, you're addressing the Forum Administrator. It's not a good idea to risk alienating the person who runs the shop (although I seriously doubt that Wazoo would react to your intemperate replies to him by banning you).

...Nevertheless, IMHO you offer good advice to Wazoo albeit for the wrong reason -- he shouldn't be wasting his time replying to someone who isn't interested in his attempts to explain things; he's got far too many useful things to do. :) <g>

Please stop replying to this post unless you have something productive to add.

I'm quite capable of reading a single percentage figure.

Assume you can, yet .. the question is how to correlate your previous statements of:

I have turned off every NRD , auto reply reply possible. I have added tarpits.

I have blocked every client completely. I have blocked ALL outgoing SMTP.

with the fact that the "last day" numbers are still increasing.

I am still replying (and asking questions) such that some of your misconceptions can be cleared up.

In fact, I just sent an e-mail upstream asking for some input from the paid SpamCop.net staff, as you don't seem to be handling input from other users very well .....


Hey hey! A decrease finally seen!

1739 GMT -5

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 4.2 732%

Last 30 days 3.3 -3%

Average 3.3

down from 823% at 1550 GMT -6


1540 GMT -6

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 3.9 266%

Last 30 days 3.3 -5%

Average 3.3

Something appears to have finally been done. Thanks.

