Jump to content
Sign in to follow this  
DavidT

[Resolved] OpenOffice.org email server blocked

Recommended Posts

(Note: this topic involves the SCBL, "SC Reporting," and even SC email accounts, so if a wise moderator chooses to move it, I'll understand. However, please don't move it to the SC Email forum, because the other two categories have much more to do with this issue.)

I have some SC email accounts which use SpamCop Blocklist listings as one factor in filtering messages and redirecting them to a "Held Mail" folder. Like millions of other people, I've downloaded OpenOffice.org software and they occasionally send me emails, but sometimes these messages wind up being diverted to my Held Mail due to SCBL listings of their outbound mail servers. This happened again today, so I logged into my SC Reporting account and looked up the details about the blocked IP (204.16.104.2).

Sure enough, it's currently listed:

204.16.104.2 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours.

Causes of listing

* SpamCop users have reported system as a source of spam less than 10 times in the past week

Listing History

In the past 161.5 days, it has been listed 8 times for a total of 5.5 days

So I took a look at the Report History and found these:

Submitted: Thursday, December 07, 2006 9:44:15 AM -0700:

Re: [users] XP Conflicts?

* 2053076906 ( 204.16.104.2 ) To: postmaster#ethereal.net[at]devnull.spamcop.net

Submitted: Thursday, December 07, 2006 8:47:25 AM -0700:

Re: [users] games in Calc ?!?

* 2053077532 ( 204.16.104.2 ) To: postmaster#ethereal.net[at]devnull.spamcop.net

Submitted: Wednesday, December 06, 2006 2:12:07 PM -0700:

[users] i am using open office ver 2.03 my problem is images not being saved ...

* 2051717035 ( 204.16.104.2 ) To: postmaster#ethereal.net[at]devnull.spamcop.net

Submitted: Wednesday, December 06, 2006 2:10:22 PM -0700:

Re: [users] Openoffice download problem

* 2051718020 ( 204.16.104.2 ) To: postmaster#ethereal.net[at]devnull.spamcop.net

Submitted: Wednesday, December 06, 2006 10:23:42 AM -0700:

Re: [users] games in Calc ?!?

* 2051440483 ( 204.16.104.2 ) To: postmaster#ethereal.net[at]devnull.spamcop.net

Submitted: Wednesday, December 06, 2006 9:03:38 AM -0700:

Re: [users] games in Calc ?!?

* 2051370494 ( 204.16.104.2 ) To: postmaster#ethereal.net[at]devnull.spamcop.net

Submitted: Tuesday, December 05, 2006 3:01:53 PM -0700:

Re: [users] [moderated] YOU MUST GIVE A SUMMARY HERE

* 2050232641 ( 204.16.104.2 ) To: postmaster#ethereal.net[at]devnull.spamcop.net

Submitted: Monday, December 04, 2006 10:53:10 PM -0700:

[users] [moderated] YOU MUST GIVE A SUMMARY HERE

* 2049220386 ( 204.16.104.2 ) To: postmaster#ethereal.net[at]devnull.spamcop.net

The "[users]" denotes the "Users Mail List" at OpenOffice.org, which is mentioned here:

http://support.openoffice.org/index.html

So, I thought, maybe they're not being careful about unconfirmed subscriptions, so I sent an email to the "users-subscribe" address and I then received a "Subject: confirm subscribe to users[at].." message back (had to dig it out of my Held Mail, actually), which demonstrated that the SC users who are submitting those reports were most likely confirmed subscribers to the OpenOffice.org "Users" mail list and have been reporting the list messages they are receiving as if they were spam. This is why that IP is currently blocked and I contend that it's due to misreporting on behalf of those users. If they want to unsubscribe from the list, they can, but they shouldn't be reporting those messages as spam, and this should be looked into by the Deputies (please?).

I also took a look at the SenderBase stats on the IP and they are benign, and a lookup at the Multi-RBL check (http://www.robtex.com/rbls.html) showed only the SCBL listing.

Regarding the contact info for that IP, yes, I see that there's a problem there preventing SC reports from reaching the responsible parties, but that's a secondary issue...the reports probably shouldn't have been generated in the first place.

The SpamCop BL is a useful tool, but not when it's being fed by careless users. I've seen this happen before with list subscriptions, and the denizens here are often quick to defend the SC reporting users. I don't think that reporting messages from a list to which they have willingly subscribed is defensible.

DT

Edited by DavidT

Share this post


Link to post
Share on other sites
The SpamCop BL is a useful tool, but not when it's being fed by careless users. I've seen this happen before with list subscriptions, and the denizens here are often quick to defend the SC reporting users. I don't think that reporting messages from a list to which they have willingly subscribed is defensible.

Hi David,

It does look as though some user(s) are reporting stuff they have signed up for.

If the responsible admins for the list aren't receiving the reports then they, obviously, cannot challenge them. So the matter you mention does contribute to making the problem worse. But clearly these forums can only debate the rights/wrongs.

The responsible person(s) need to contact the deputies to resolve the matter and challenge the mistaken reporters. Presumably those filing these reports could lose their reporting privileges unless they have a reasonable defence (although I'm not sure what that could be).

Andrew

Share this post


Link to post
Share on other sites
But clearly these forums can only debate the rights/wrongs.

Mostly true, except that when an SC admin drops by, the possibility exists that they could look into things further.

The responsible person(s) need to contact the deputies to resolve the matter and challenge the mistaken reporters.

I'll try contacting them. However, the contact information being shown on that IP in the SC Reporting system seems to be incorrect (outdated). When I query ARIN on that IP, I show different contact info (a "collab.net" address) than what's being shown in the SC system (an "ethereal.net" address). I see that the ARIN info was updated three days ago, and the old info (which is still cached at DNSStuff.com) shows the "ethereal.net" address. Therefore, whenever the SC system starts pulling the more recent contact info, then the people responsible for this IP should start to receive reports. Again, it's possible that a SC admin might be able to correct (or refresh) the outdated contact info being used by the SC reporting system.

DT

Edited by DavidT

Share this post


Link to post
Share on other sites

Yet another issue .....

Parsing input: 204.16.104.2

Routing details for 204.16.104.2

[refresh/show] Cached whois for 204.16.104.2 : tristan+dns[at]ethereal.net

Using abuse net on tristan+dns[at]ethereal.net

No abuse net record for ethereal.net

Using default postmaster contacts postmaster[at]ethereal.net

postmaster[at]ethereal.net bounces (8 sent : 7 bounces)

Using postmaster#ethereal.net[at]devnull.spamcop.net for statistical tracking.

I hit the 'refresh' link ... now shows;

Parsing input: 204.16.104.2

Routing details for 204.16.104.2

[refresh/show] Cached whois for 204.16.104.2 : hostmaster[at]collab.net

Using abuse net on hostmaster[at]collab.net

abuse net collab.net = abuse[at]collab.net

Using best contacts abuse[at]collab.net

How about perhaps doing some research on just what/who the correct address should actually be ....

Edit: see that research/work/posting was being done at the same time ....

From: "WazoO"

To: deputies

Subject: 204.16.104.2 - bad listing

Date: Thu, 7 Dec 2006 12:38:07 -0600

Per dialog at http://forum.spamcop.net/forums/index.php?showtopic=7618

204.16.104.2 appears to be a victim of bad reporting and

possibly bad data caching. Report history suggests that valid

traffic was reported ... apparently to the wrong address ....

http://www.spamcop.net/sc?track=204.16.104.2

Parsing input: 204.16.104.2

Routing details for 204.16.104.2

[refresh/show] Cached whois for 204.16.104.2 : tristan+dns[at]ethereal.net

Using abuse net on tristan+dns[at]ethereal.net

No abuse net record for ethereal.net

Using default postmaster contacts postmaster[at]ethereal.net

postmaster[at]ethereal.net bounces (8 sent : 7 bounces)

Using postmaster#ethereal.net[at]devnull.spamcop.net for statistical

tracking.

I hit the 'refresh' link ... now shows;

Parsing input: 204.16.104.2

Routing details for 204.16.104.2

[refresh/show] Cached whois for 204.16.104.2 : hostmaster[at]collab.net

Using abuse net on hostmaster[at]collab.net

abuse net collab.net = abuse[at]collab.net

Using best contacts abuse[at]collab.net

Share this post


Link to post
Share on other sites
Edit: see that research/work/posting was being done at the same time ....

Yes, and as you reported, it looks as if the SC reporting/parsing system is now displaying the correct contact address for that IP. Unfortunately, due to the lag in the updating of the contact info, all of those recent SC reports went to devnull, so the server and list admins haven't received the necessary information from SC.

I've sent off a message to the Abuse address at collab.net as well as the list owners, telling them of the apparently bogus spam reporting and the listing in the SCBL and I suggested that they contact the Deputies. It's a little odd that the contact information for the IP happened to get magically updated only minutes after I posted this topic....hmmmm....a suspicious mind would look to see if a SC admin has been lurking.... [on edit: Wazoo explains the phenomenon below...nothing suspicious about it at all]

[on edit] update: I received a very quick response from an OpenOffice.org rep:

This is useful and I'll let CollabNet know. Thanks for taking the

time and helping us out!

DT

Edited by DavidT

Share this post


Link to post
Share on other sites
It's a little odd that the contact information for the IP happened to get magically updated only minutes after I posted this topic....hmmmm....a suspicious mind would look to see if a SC admin has been lurking....

Perhaps you missed the tidbit I typed in there ... I hit the 'refresh' link ... now shows;

Share this post


Link to post
Share on other sites
Perhaps you missed the tidbit I typed in there ... I hit the 'refresh' link ... now shows;

Sort of...I actually had no idea that when one user does that, that it would update the information for other users. So, I could have helped out by using that same link, I suppose? (although not in time to have had any effect on the devnull'd reports of the SCBL listing) I've never used the "[refresh/show]" link before, and so am not very well informed as to its potential ramifications. Now I'll have to go looking through the FAQ to see if it's mentioned anywhere. :-)

DT

Share this post


Link to post
Share on other sites

The SpamCop BL is a useful tool, but not when it's being fed by careless users. I've seen this happen before with list subscriptions, and the denizens here are often quick to defend the SC reporting users. I don't think that reporting messages from a list to which they have willingly subscribed is defensible.

1. Reporting messages from a list they have subscribed to is a punishable offense. That is one of the options the receiver of the reports has.

2. It is also possible that in this case, the person reporting has not signed up for this list but instead currently has an address that once belonged to someone who subscribed. IF (and it is a big if because I don't think it is likely what is happening here) that is what is happening, the list should be responsible to drop addresses from lists if they bounce more than a couple times in a row.

3. I think it is more likely someone has some scri_pt written to auto-report any messages with certain characteristics (like being blocked by SpamCop) and they don't even know they are doing it.

Share this post


Link to post
Share on other sites
the list should be responsible to drop addresses from lists if they bounce more than a couple times in a row.

Yes, and I'm confident that they're already doing that. However, this issue doesn't involve bounces.

I think it is more likely someone has some scri_pt written to auto-report any messages with certain characteristics (like being blocked by SpamCop) and they don't even know they are doing it.

Possible, but if so, they should certainly lose their reporting privs, because they're responsible for harming innocent third parties. I hope that a SC admin can close this case by reporting exactly that.

DT

Share this post


Link to post
Share on other sites

Yes, and I'm confident that they're already doing that (dropping addresses from their list due to bounces).

And how do you know they are doing that? Does it state as much in their documentation? Have you asked anyone?

In my experience, the bulk of mailing lists do NOT do this sort of maintenance. This year, I had an account at work that had not existed in over 5 years. A new employee started that had the same email address in the short format and in the first day they had messages from 3 different lists appear in the inbox that the old user had signed up for. I immediately changed her email account to a non-standard format (for our company) and reported the messages (manually) stating the facts of the situation. Never did hear back from any of the list managers and I have not tried that address since, so do not know the resolution.

Share this post


Link to post
Share on other sites

I supended the user responsible for the false reports.

The list server at 204.16.104.2 is not currently on our list, so everything should be OK going forward.

- Don D'Minion - SpamCop Admin -

Share this post


Link to post
Share on other sites
I supended the user responsible for the false reports.

The list server at 204.16.104.2 is not currently on our list, so everything should be OK going forward.

Wow! Thanks for the quick and prompt action.

Share this post


Link to post
Share on other sites
I supended the user responsible for the false reports.

It wasn't someone by the name of William Gates, was it? :D

Share this post


Link to post
Share on other sites
It wasn't someone by the name of William Gates, was it? :D
Wasn't that the guy who promised, 2 years ago, that spam would be eliminated by 2006? Gates believes ...

Share this post


Link to post
Share on other sites
I supended the user responsible for the false reports. The list server at 204.16.104.2 is not currently on our list, so everything should be OK going forward.

Let me also add my thanks to the growing list. I also know that the folks at OpenOffice.org are much happier now that both issues are cleared up (the problem with the reporting address and the false reports). I've been in touch with them since starting this topic and they asked me for advise on preventing this in the future. I think they realize that as long as any further SC reports are brought to their attention, they can then react to any false reporting. I'll also suggest that they inquire about adding an additional address to receive reports, if they think that's necessary.

DT

Share this post


Link to post
Share on other sites

Well....it *was* resolved, but there still seems to be a SpamCop user who submits the OpenOffice.org announcements as spam. Here's the most recent:

Submitted: Tuesday, January 23, 2007 9:42:38 AM -0700:

[ooo-announce] The ODF Toolkit Project

* 2112047168 ( http://odftoolkit.openoffice.org/ ) To: abuse[at]collab.net

* 2112047105 ( 204.16.104.2 ) To: abuse[at]collab.net

I have alerted OOo, Collab.net, Sun, SC Deputies and the Royal Canadian Mounted Police. ;-)

Looks like maybe there's another SC reporting user who needs to have their privs suspended.

DT

Share this post


Link to post
Share on other sites

There's always somebody that doesn't pay attention to what they are doing. Maybe a brief suspension will encourage them to pay more attention to what they are submitting.

Share this post


Link to post
Share on other sites
Looks like maybe there's another SC reporting user who needs to have their privs suspended.

Just got a response back from Don D'Minion, SpamCop Admin. He confirmed that since that initial user suspension, that at least four other SC reporting users have been reporting the OpenOffice.org newsletters as spam. Indeed, I just checked the recent reports for the IP address in question, and there's a SC user in Arbedo, Switzerland who just reported one on Jan. 30th, but his reporting privs have not been suspended, nor have those of the three others.

However, Don CC'd the reporters (using the internal Spamcop addresses associated with specific reports) and the OOo list admins to whom I'll be suppying the personal addresses of the four reporters and I'll suggest that they preemtively scrape them off any and all OOo lists, lest they continue their false reports. It frustrates me when other users carelessly abuse the SC system, especially since I'm currently unable to report any spam due to a dispute with Don over the "material changes" clause.

I'll be interested to see if any of the four reporters respond back to me.

DT

Edited by DavidT

Share this post


Link to post
Share on other sites

We still have a stupid SC reporting user who is reporting the OpenOffice.org newsletters as spam. I just did a lookup on the IP address [204.16.104.2] and found a report from 22 Feb:

Submitted: Thursday, February 22, 2007 5:52:48 AM -0700:

[ooo-announce] OpenOffice.org selects Barcelona for the OpenOffice.org Confer...

* 2160893366 ( 204.16.104.2 ) To: abuse[at]collab.net

Looks like maybe SpamCopAdmin might need to use his "cluestick" on this user (again?). At least it's only one idiot this time, and the IP didn't wind up on the SCBL as in the past.

DT

Share this post


Link to post
Share on other sites

Months later, and there's STILL at least one stupid SpamCop Reporting System user (maybe more) who submits each and every OpenOffice.org newsletter as if it were spam...they're NOT!

Latest:

Submitted: Thursday, May 24, 2007 7:49:37 AM -0700:

[ooo-announce] Press reports regarding "SB/BadBunny-A" virus

* 2301879837 ( http://www.openoffice.org/security/ ) To: abuse[at]collab.net

* 2301879812 ( 204.16.104.2 ) To: abuse[at]collab.net

Submitted: Thursday, May 24, 2007 6:36:14 AM -0700:

[ooo-announce] Press reports regarding "SB/BadBunny-A" virus

* 2301798196 ( 204.16.104.2 ) To: abuse[at]collab.net

Submitted: Wednesday, May 23, 2007 4:00:16 PM -0700:

[ooo-announce] Press reports regarding "SB/BadBunny-A" virus

* 2301051495 ( 204.16.104.2 ) To: abuse[at]collab.net

Submitted: Wednesday, May 23, 2007 10:22:54 AM -0700:

[ooo-announce] Press reports regarding "SB/BadBunny-A" virus

* 2300755209 ( http://www.openoffice.org/security/ ) To: abuse[at]collab.net

* 2300755092 ( 204.16.104.2 ) To: abuse[at]collab.net

Submitted: Monday, May 21, 2007 9:04:48 AM -0700:

Attn: Dear one in the Lord

* 2297297628 ( 204.16.104.2 ) To: abuse[at]collab.net

Submitted: Monday, April 30, 2007 4:08:30 AM -0700:

[ooo-announce] OpenOffice.org Newsletter - Volume 04 - Issue 10 - 04/2007

* 2268409527 ( 204.16.104.2 ) To: abuse[at]collab.net

Submitted: Thursday, April 19, 2007 11:03:06 PM -0700:

[ooo-announce] Pentaho and OpenOffice.org

* 2253971098 ( http://www.pentaho.com/products/reporting/ ) To: abuse[at]rackspace.com

* 2253971096 ( http://blogs.sun.com/GullFOSS/entry/report_desi... ) To: abuse[at]internap.com

* 2253971091 ( 204.16.104.2 ) To: abuse[at]collab.net

It would be nice if the SA Admins would take some punitive action against these false reporters.

DT

Edited by DavidT

Share this post


Link to post
Share on other sites
Months later, and there's STILL at least one stupid SpamCop Reporting System user (maybe more) who submits each and every OpenOffice.org newsletter as if it were spam...they're NOT!

Latest:

It would be nice if the SA Admins would take some punitive action against these false reporters.

As I mentioned before, perhaps this user is not the original owner of the address this is being sent to. In that case, it is reportable spam. I have not gone back over this topic, but have you contacted the deputies and gotten a response on this issue? Continuously complaining in a user to user forum will not help anything.

Share this post


Link to post
Share on other sites

Months later, and there's STILL at least one stupid SpamCop Reporting System user (maybe more) who submits each and every OpenOffice.org newsletter as if it were spam...they're NOT!

Latest:

It would be nice if the SA Admins would take some punitive action against these false reporters.

DT

Time for an attitude change!

Share this post


Link to post
Share on other sites

Time for an attitude change!

Reply to my request for the deputies to investigate/comment:

There are multiple users reporting mail from 204.16.104.2 --

For the subject line:

[ooo-announce] Press reports regarding "SB/BadBunny-A" virus

on 5/23-5/24 there are 4 users reporting that subject line.

I have no idea how they form their maillists; whether they use

closed-loop or any other means of ensuring that the owner of an email

address wants and expects to receive mail.

If the person with responsibility for that IP and/or the openoffice

mailings wants to write to us to discuss this please pass along our

email address: deputies[at]admin.spamcop.net

Ellen

SpamCop

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×