ozzzo

Open proxy checking


Posted into the SpamCop Discussion > Discussions & Observations > How to use .... .. yet, nothing included as far as a How to use ... tutorial or instruction set .. so making the call that this post is actually a question about output from the Parsing & Reporting tool .... with this post, moving this Topic/Post to the appropriate Forum section ....

A specific answer might have been offered if the actual IP address question had been offered up, as explained in numerous places about How to post a 'good' question ....

The generic answer is that IP addresses are submitted by the parsing tool to several other places for these types of checks. The parsing output of a spam submittal also includes the actual location of the place that lists the IP address as being an open proxy. There are numerous places that check for different things in different ways. Some don't get updated on a minute-by-minute basis.


Can't improve on Wazoo's answer. Without an IP address it is very difficult to guess what you are talking about.

Are you sure that you are getting spamcop reports?

Miss Betsy


I suspect that the OP was describing where, in the full report from submitting spam for reporting, it would say:

210.56.96.173 not listed in dnsbl.njabl.org

210.56.96.173 not listed in dnsbl.njabl.org

210.56.96.173 listed in cbl.abuseat.org ( 127.0.0.2 )

210.56.96.173 is an open proxy

210.56.96.173 not listed in accredit.habeas.com

210.56.96.173 not listed in plus.bondedsender.org

210.56.96.173 not listed in iadb.isipp.com

I would suggest that the OP is unfamiliar with SC terminology and used "email" to refer to the reports that I don't know the correct name for either. Like me, (s)he is probably dazzled by the numerous terms that normally have no significance until one actually is confronted with a situation where more information is needed or desired. There are tons of TLA's and FLA's that require definitions of definitions for one to translate and understand the significance. This is really foreign territory for someone who is not in IT and hasn't had the time, interest or need to study in-depth and doesn't work with this stuff every day.

I don't read this to be a request by the OP for specifics on a particular IP address so much as "Can somebody tell me, in simple terms, what an open proxy is? I don't know what a closed proxy is, and I'm a little uncertain of what a proxy is because I've seen the term used but the context didn't really help with understanding it." A simple "No, it can't be explained simply" would probably do the trick.

At least this one tried to do some research before posting here, which is more than I can say for numerous others who refuse to do anything before posting a question that is answered under 5 or 6 different headings. I followed the link that the OP included and found myriads of information that I already knew (at my current level of understanding), much that had no relationship to proxies but nothing that I found in a hurry that contributed much toward deciphering "open proxy". I can understand coming here for clarification.


I suspect that the OP was describing where, in the full report from submitting spam for reporting, it would say:

spaceman jogged my memory and he may be right. The quick report replies, entitled: "SpamCop Quick reporting data" contain the parse of the spam with a section like:

x.x.x.x not listed in dnsbl.njabl.org

x.x.x.x not listed in dnsbl.njabl.org

x.x.x.x not listed in cbl.abuseat.org

x.x.x.x listed in dnsbl.sorbs.net ( 127.0.0.7 )

x.x.x.x not listed in relays.ordb.org.

which can include the x.x.x.x is an open proxy line.

Every one I could find in my evidence here was in this pair:

x.x.x.x listed in cbl.abuseat.org ( 127.0.0.2 )

x.x.x.x is an open proxy

Perhaps that second line is triggered by the listing at cbl.abuseat.org? The example spaceman provided seems to have been listed because of a possible naming issue, however: http://cbl.abuseat.org/namingproblems.html is linked from: http://cbl.abuseat.org/lookup.cgi?ip=210.56.96.173
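Added example, not part of any post in this thread and not SpamCop's own code: a small Python parser for the "listed in" / "not listed in" report lines quoted above, showing the DNS name each check corresponds to (reversed octets prepended to the list's zone) and the 127.0.0.x answer that signals a listing. The function names and the injectable `resolve` parameter are assumptions made for the illustration.

```python
import ipaddress
import re
import socket

# Matches lines such as "210.56.96.173 listed in cbl.abuseat.org ( 127.0.0.2 )"
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<neg>not )?listed in "
    r"(?P<zone>[A-Za-z0-9.-]+?)\.?(?: \( (?P<code>[\d.]+) \))?$"
)

def dnsbl_query_name(ip, zone):
    """Build the DNS name a DNSBL client looks up: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")

def parse_report(text):
    """Turn the 'listed in' / 'not listed in' lines of a report into dicts."""
    results = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # other lines, e.g. "... is an open proxy", are skipped
            results.append({
                "ip": m["ip"],
                "zone": m["zone"],
                "listed": m["neg"] is None,
                "code": m["code"],
                "query": dnsbl_query_name(m["ip"], m["zone"]),
            })
    return results

def check_dnsbl(ip, zone, resolve=socket.gethostbyname):
    """Return the 127.0.0.x answer if listed, otherwise None."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None  # no answer (NXDOMAIN or lookup failure): treat as not listed
    # An answer outside 127.0.0.0/8 is not a DNSBL listing code
    return answer if ipaddress.ip_address(answer).is_loopback else None

# Lines taken from the report quoted in this thread
SAMPLE = """\
210.56.96.173 not listed in dnsbl.njabl.org
210.56.96.173 listed in cbl.abuseat.org ( 127.0.0.2 )
210.56.96.173 is an open proxy
210.56.96.173 not listed in accredit.habeas.com
"""

if __name__ == "__main__":
    for row in parse_report(SAMPLE):
        print(row)
```

Passing a stub as `resolve` keeps the check offline; the default performs a live DNS lookup against the named zone.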

I suspect that the OP was describing where, in the full report from submitting spam for reporting, it would say:

I'll agree, but then note that he/she went on to talk about trying to 'test' an IP address which came back with negative results.

I would suggest that the OP is unfamiliar with SC terminology and used "email" to refer to the reports that I don't know the correct name for either. Like me, (s)he is probably dazzled by the numerous terms that normally have no significance until one actually is confronted with a situation where more information is needed or desired.

This begat the generation of a Dictionary here, then Glossary, and most recently, a Wiki that has 'technical terms' in use here defined.

I don't read this to be a request by the OP for specifics on a particular IP address so much as "Can somebody tell me, in simple terms, what an open proxy is? I don't know what a closed proxy is, and I'm a little uncertain of what a proxy is because I've seen the term used but the context didn't really help with understanding it." A simple "No, it can't be explained simply" would probably do the trick.

For starters, try Proxy here, which at least starts the definition process. As stated there, a Proxy is simply a bit of code that can do any number of things, so the question of Closed, Open, Abused, etc. depends on the context and usage of the specific Proxy .... the "specific IP address" response was based on the dialog in the initial query, again; "checking one that always came back 'not open'"

At least this one tried to do some research before posting here, which is more than I can say for numerous others who refuse to do anything before posting a question that is answered under 5 or 6 different headings.

I can't agree enough to this thought / comment .....


Well, it is being abused by somebody:

CBL The CBL - Composite Blocking List: cbl.abuseat.org -> 127.0.0.2

Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=210.56.96.173

--------------------------------------------------------------------------------

XBL Exploits Block List (includes CBL): xbl.spamhaus.org -> 127.0.0.4

http://www.spamhaus.org/query/bl?ip=210.56.96.173

--------------------------------------------------------------------------------

SBLXBL Combined zone to reduce queries. Includes both SBL and XBL zones: sbl-xbl.spamhaus.org -> 127.0.0.4

http://www.spamhaus.org/query/bl?ip=210.56.96.173

--------------------------------------------------------------------------------

UCEPROTECTL2 UCEPROTECT®-Network Project - Level 2: dnsbl-2.uceprotect.net -> 127.0.0.2

Sorry 210.56.96.173 is Level 2 listed at UCEPROTECT-NETWORK. See http://www.uceprotect.net/rblcheck.php?ipr=210.56.96.173

--------------------------------------------------------------------------------

DNSBLAUT1 Reynolds Technology Type 1: t1.dnsbl.net.au -> 127.0.0.2

Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=210.56.96.173

--------------------------------------------------------------------------------

DRBL-VOTE-CARAVAN Distributed RBL node: Used within the Caravan ISP's network: vote.drbl.caravan.ru -> 127.0.0.2

spammers are not welcome here: abuse silence after 48 hrs

--------------------------------------------------------------------------------

I guess the last line above says it all :lol:


DNSStuff has a utility that will check an IP address against most all of the major DNSbls (which will often be an indicator that the IP is a proxy of some type). To use this, simply enter the IP into the field called "spam Database Lookup" that can be found at the top in the middle row under IP Tests.

On a similarly related issue, I have been trying to find a tool to determine if an IP/hostname is a web proxy. I am a moderator on a large forum and we routinely check IP addresses from registered users to see if they match any other in the database, but often times, we can't tell if it is a proxy. The only way I know of to determine if an address is a proxy or not is by running a port scan on the IP address to see if any of the common proxy ports are open on the IP address and then trying to connect to them either through a web browser or telnet and see what the response is.

If anyone knows of a better method of determining this, I would be most grateful for the information.

Thanks, and sorry if I'm hijacking the thread. Feel free to PM me if the OP or the mods want to keep this discussion on topic.


The lines that I pasted in post 4 were copied directly from the reporting data from a report that I sent in this morning.

If anyone knows of a better method of determining this, I would be most grateful for the information.

I'm just bumping this to see if I can find an answer to my question posted. If not applicable, I can repost the question in the lounge.
