Saipem

Work email blocked!

Hi, OK simple quick question, how am I supposed to deal with my work email being blocked by spam corp?

Considering I have no access to web-based emails at work (Hotmail etc. all blocked)

The admin for the server in question (212.17.199.49) is in the company's HQ in Italy (I work in the UK, emails all routed through gateway in Italy). And by the time they do anything the 27 hours of blocking will have elapsed (takes them a month to hire someone, I doubt they'll sort this out within 24 hours).

(I have contacted our UK IT department.. can you spell "chocolate teapot"?)

But at the same time a lot of my job requires email and I really can't cope with the lottery of every email that goes through that gateway (we have many, or at least I assume so as not all my mails to the client that uses spamcorp have been blocked)

Also it seems strange to me that we should be blocked when we are a company, anyone that actually tried to send spam through that gateway would get fired?!

Not to mention if we were serious spammers all our gateways would be blocked.

BTW, sorry if any (or all!) of my terminology is wrong.

---

> Hi, OK simple quick question, how am I supposed to deal with my work email being blocked by spam corp?
>
> Considering I have no access to web-based emails at work (Hotmail etc. all blocked)
>
> The admin for the server in question (212.17.199.49) is in the company's HQ in Italy

The IP in question has been listed for the following reasons:

Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

* SpamCop users have reported system as a source of spam less than 10 times in the past week

The subjects of a few spam items identified as passing through this server include:

Submitted: Mon, 05 Mar 2007 15:11:46 GMT:

Herbal VI[at] , -GRA- Dailey

Submitted: Mon, 05 Mar 2007 08:58:11 GMT:

Herbal VI[at] , -GRA- Lund

Submitted: Mon, 05 Mar 2007 08:08:03 GMT:

Incredible Herbal V1gra - no side effects Curtis Ewing

Submitted: Mon, 05 Mar 2007 02:54:24 GMT:

**spam** Order: anteater

So from the immediate evidence available it looks like your chocolate teapots need to take a look at the firewall logs. There does appear to be a problem with this IP address.

Andrew

---

> So from the immediate evidence available it looks like your chocolate teapots need to take a look at the firewall logs. There does appear to be a problem with this IP address.

Cool, thanks for the help, will forward the details to people that should be sorting it out.

But out of interest, there should be some kind of suggestions in the FAQ for the IT-illiterate peons like myself who have no choice of what to do (I don't have access to other email addresses, and some things basically have to be communicated by email) and have no control over our email systems.

Cheers again.

---

> Cool, thanks for the help, will forward the details to people that should be sorting it out.

...Also of note: http://www.spamcop.net/sc?track=212.17.199.49 which tells them the e-mail addresses to which reports of user-reported spam are sent. If these are incorrect, they should be changed (see FAQ item "How do I register an abuse[at] email address?").

> But out of interest, there should be some kind of suggestions in the FAQ for the IT-illiterate peons like myself who have no choice of what to do (I don't have access to other email addresses, and some things basically have to be communicated by email) and have no control over our email systems.

...The "SpamCop FAQ" (see link near top left of all SpamCop Forum pages) includes a link labeled "Why am I Blocked?" You will probably wish to skip down to the section labeled "Q: Why me? A: It Happens to the best of us." It includes a suggestion to (temporarily) use a webmail service, which you indicate is not an option for you. However, there follow other good suggestions.

---

> ...Also of note: http://www.spamcop.net/sc?track=212.17.199.49 which tells them the e-mail addresses to which reports of user-reported spam are sent.

Cool, so I'm working for the UK arm of an Italian company, all my email gets sent to Italy to go through a gateway there only to be handled by the Italian arm of British Telecom!

> If these are incorrect, they should be changed

I'm afraid I can't tell you if they are correct, I'm so many steps removed from anyone who knows it's only slightly funny.

But again I'll forward the info to people that should know who to forward it to or at least who knows someone else nearer to where it should go!!!

> The "SpamCop FAQ" (see link near top left of all SpamCop Forum pages) includes a link labeled "Why am I Blocked?" You will probably wish to skip down to the section labeled "Q: Why me? A: It Happens to the best of us." It includes a suggestion to (temporarily) use a webmail service, which you indicate is not an option for you. However, there follow other good suggestions.

Sorry I did read the webmail bit, but I must have been glazing over or skim-reading if I missed other good suggestions.

Actually that's not entirely true but I won't hold you nice people up with any more babbling :-)

.edit.

In case it's not obvious, I think you can say this is resolved, I've done all I can and so have you :-)

Cheers again

Edited by Saipem

---

> Cool, so I'm working for the UK arm of an Italian company, all my email gets sent to Italy to go through a gateway there only to be handled by the Italian arm of British Telecom!

...Wish we here could help you with that. :) <g>

...But if you're talking about the reports of spam, they aren't your e-mail, they're the e-mail admin's e-mail, as it is the e-mail server that is sending the spam.

> I'm afraid I can't tell you if they are correct, I'm so many steps removed from anyone who knows it's only slightly funny.

...Understood -- I didn't expect you would.

> But again I'll forward the info to people that should know who to forward it to or at least who knows someone else nearer to where it should go!!!

...Exactly! Good luck with that!

> <snip>
>
> In case it's not obvious, I think you can say this is resolved, I've done all I can and so have you :-)

...Well, I'm hoping to see you back here again with word on what has become of your communication with the "people that should be sorting it out" so I'm not going to mark this forum thread as resolved, yet.

---

> Hi, OK simple quick question, how am I supposed to deal with my work email being blocked by spam corp?

Please note that SpamCop blocks NOTHING, it can't, and even if it could it wouldn't. It's the recipients that are blocking based on a SpamCop listing. SpamCop does NOT recommend this and does not do it on its own email system: it just moves stuff to 'held mail'. Get the recipients to whitelist your email address (whitelisting is done on addresses) no matter what IP it comes from (blocklisting is done on IPs).

---

> ...But if you're talking about the reports of spam,

No I wasn't, don't worry, despite my comments about being a computer illiterate Peon, I am literate enough to run a Red Hat Linux box at home and be my department's unofficial IT support.

> Well, I'm hoping to see you back here again with word on what has become of your communication with the "people that should be sorting it out" so I'm not going to mark this forum thread as resolved, yet.

I'm glad you didn't, because it's not. The same IP has been listed again. Would it be possible for you to give me a list of the emails again (I assume it's something new?) so I can badger the IT manager.

> <snip> It's the recipients that are blocking based on a SpamCop listing. <snip> Get the recipients to whitelist your email address <snip>

You are right, I meant to send a quote of your email to the people in question, now that I've been blocked again, well, I've done it.

Although, I do know my address has been spoofed in the past for spam (it's an odd experience receiving a mail from yourself that you've not sent! and then working out if it should go on the block senders list made my head hurt!) so obviously if they whitelist my address they will get the spoofed emails won't they?

---

> I'm glad you didn't, because it's not. The same IP has been listed again. Would it be possible for you to give me a list of the emails again (I assume it's something new?) so I can badger the IT manager.

The identifiable spam is as follows:

Submitted: Tue, 06 Mar 2007 20:04:21 GMT:

Incredible Herbal V1gra - no side effects Nicole Esposito

Submitted: Mon, 05 Mar 2007 15:11:46 GMT:

Herbal VI[at] , -GRA- Dailey

Submitted: Mon, 05 Mar 2007 08:58:11 GMT:

Herbal VI[at] , -GRA- Lund

Submitted: Mon, 05 Mar 2007 08:08:03 GMT:

Incredible Herbal V1gra - no side effects Curtis Ewing

However, spam is also reaching spam traps which accounts for the speed with which the IP address is being re-listed.

Reports of the problem are being sent to:

tony.mills[at]albacom.it

bernini[at]albacom.net

mills[at]albacom.net

ronci[at]albacom.net

Spam trap hits would most likely, in this situation, relate to spam sent through this IP address to these spam trap addresses. I'd be inclined to think there is a compromised PC on the network hence the reason I suggested they look at their firewall logs as an aid to diagnosis.

That said, the Email volumes are quite moderate so my gut diagnosis may be way off beam.

Senderbase reports ( http://www.senderbase.org/search?searchBy=...g=212.17.199.49 )

Magnitude Vol Change vs. Average

Last day 5.0 -30%

Last 30 days 3.6 -97%

---

> The identifiable spam is as follows:
>
> Submitted: Tue, 06 Mar 2007 20:04:21 GMT:
>
> <snip>
>
> Submitted: Mon, 05 Mar 2007 08:08:03 GMT:

Hmmm, I was assuming being relisted was because of spam since the last listing, all those were before or during the original listing.

Is it possible that the problem has been fixed but the reports have come in after the problem was fixed?

> However, spam is also reaching spam traps which accounts for the speed with which the IP address is being re-listed.

Ok so this means there is still definitely a problem? Is it possible to give me a few identifiable spam from more recently? as it would help me complain to the IT manager.

> Reports of the problem are being sent to:
>
> <snip>

Yeah I've asked them to check the email addresses, I don't think they are right, but I can't do anything to fix that except annoy my IT department, and we've got to remember I'm trying to do my job at the same time.

> Spam trap hits would most likely, in this situation, relate to spam sent through this IP address to these spam trap addresses. I'd be inclined to think there is a compromised PC on the network hence the reason I suggested they look at their firewall logs as an aid to diagnosis.

Yeah I did basically suggest that, but I may have been too subtle. My next communication will be more direct.

> That said, the Email volumes are quite moderate so my gut diagnosis may be way off beam.
>
> Senderbase reports ( http://www.senderbase.org/search?searchBy=...g=212.17.199.49 )
>
> Magnitude Vol Change vs. Average
>
> Last day 5.0 -30%
>
> Last 30 days 3.6 -97%

I'm afraid I'm not sure I'm getting the point of those stats, doesn't that suggest that in the last 30 days the mail volume through that IP has gone down to half what it averages, and the volume in the last day is up, but still down on the average?

What is that average based on?

---

Unfortunately, no one here has access to email that has hit spam traps. We can only see those reports that Wazoo already posted, which are spams submitted by reporters. To get information on spam trap hits, you would have to email deputies[at]admin.spamcop.net

As far as the senderbase statistics, the 5.0 magnitude indicates that approximately 100,000 emails are being sent from that IP address each day.

---

> Unfortunately, no one here has access to email that has hit spam traps. We can only see those reports that Wazoo already posted, which are spams submitted by reporters. To get information on spam trap hits, you would have to email deputies[at]admin.spamcop.net

Don't worry, I've been reading around so I understand why we can't find out about the spam traps, just thought there might have been more recent reports. And I don't want to overstep my position by dealing directly with spam corp, when my IT department should be.

I can't really complain to IT that the problem hasn't been fixed if we could have been blocked because of badly set up auto-responses (is that right?) and I don't have some proof that that IP is still sending out spam.

> As far as the senderbase statistics, the 5.0 magnitude indicates that approximately 100,000 emails are being sent from that IP address each day.

That is interesting. Considering the size of the company that's not much at all, there must be loads of gateways, which means either my part of the company only use a small proportion of them, or I've been very very unlucky.

That means that all those 100k emails are blacklisted (if spam corp doesn't condone blocking why do most people call it a "Blocklist"?). I guess I can assume that someone else is complaining too!

:looking on the SenderBase Help now to work out what the numbers mean... under common tasks it says this: "It is also useful to abuse desk managers tasked with investigating". Originally thought there was a pause between abuse and desk :-)

Hmmm, so would an 800% increase in mail in the last 24 hours suggest spam?

http://www.senderbase.org/search?searchBy=...g=212.17.199.37

Great. :-(

Edited by Saipem

---

http://spamcop.net/w3m?action=checkblock&a...p=212.17.199.49

212.17.199.49 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 0 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

It appears this listing is caused by misdirected bounces.

Other hosts in this "neighborhood" with spam reports

212.17.199.37 212.17.199.48 212.17.199.154

http://www.senderbase.org/search?searchBy=...g=212.17.199.49

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 5.0 .. -28%

Last 30 days .. 3.6 .. -97%

Average ........ 5.1

# of domains controlled by this network owner 3

Addresses in relayout.eni.it used to send email - Showing 1 - 3 out of 3

212.17.199.49 relayout.eni.it Y 5.0 3.6

212.17.199.154 relayout.eni.it Y 4.9 3.6

212.17.199.37 relayout.eni.it Y 4.2 3.4

http://www.senderbase.org/search?searchBy=...relayout.eni.it

Volume Statistics for this Domain

Magnitude Vol Change vs. 30 Day

Last day ........ 5.0 .. 950%

Last 30 days .. 4.0

Oddity in that there are three IP addresses showing for output servers, but the 'names' are the same ....

03/08/07 15:10:37 Slow traceroute 212.17.199.49

Trace 212.17.199.49 ...

166.49.180.51 RTT: 140ms TTL:208 (t2a3-ge2-0.it-mil2.eu.bt.net ok)

166.49.233.2 RTT: 143ms TTL:208 (166-49-233-2.eu.bt.net bogus rDNS: host not found [authoritative])

213.255.14.69 RTT: 144ms TTL:208 (No rDNS)

212.17.207.247 RTT: 144ms TTL:208 (No rDNS)

212.17.199.152 RTT: 143ms TTL:208 (No rDNS)

* * * failed

03/08/07 15:12:54 Slow traceroute 212.17.199.154

Trace 212.17.199.154 ...

166.49.233.2 RTT: 139ms TTL:208 (166-49-233-2.eu.bt.net bogus rDNS: host not found [authoritative])

213.255.14.5 RTT: 146ms TTL:208 (No rDNS)

212.17.207.247 RTT: 149ms TTL:208 (No rDNS)

212.17.199.152 RTT: 146ms TTL:208 (No rDNS)

* * * failed

03/08/07 15:14:46 Slow traceroute 212.17.199.37

Trace 212.17.199.37 ...

166.49.233.2 RTT: 151ms TTL:208 (166-49-233-2.eu.bt.net bogus rDNS: host not found [authoritative])

213.255.14.5 RTT: 144ms TTL:208 (No rDNS)

212.17.207.247 RTT: 154ms TTL:208 (No rDNS)

212.17.199.152 RTT: 145ms TTL:208 (No rDNS)

* * * failed

Pretty consistent with the lack of rDNS and blocking of ICMP traffic

> Hmmm, so would an 800% increase in mail in the last 24 hours suggest spam?
>
> http://www.senderbase.org/search?searchBy=...g=212.17.199.37
>
> Great. :-(

The possibility exists that the downwards trend on the other two IP addresses is because that traffic is being moved to this server, causing its traffic flow to show this increase ....????

anyway, off to do other things .. just setting some other data points here.

---

You must admit there is a lot of garbage coming from those servers. Looking at the reports it is mostly drugs, loans etc.... Lot of zombies behind that network

Edited by Merlyn

---

Currently 212.17.199.37 is listed on LashBack Unsubscribe Blacklist though that could have as much (or more) to do with their product sales aspirations as it might with the actual cause of listing there. Nevertheless, another potential source of information on supposed spam originating from the IP address.

---

Ok, there are lots of things I don't understand in the last three posts, except the fact 49 has been delisted.

So thanks again for your help.

I intend to be back here on Monday after the weekend to try to untangle the various bits of jargon :-)

Edited by Saipem

---

> Although, I do know my address has been spoofed in the past for spam (it's an odd experience receiving a mail from yourself that you've not sent! and then working out if it should go on the block senders list made my head hurt!) so obviously if they whitelist my address they will get the spoofed emails won't they?

Unfortunately, yes, but they won't be chucking the baby out with the bathwater.

---

> That means that all those 100k emails are blacklisted (if spam corp doesn't condone blocking why do most people call it a "Blocklist"?). I guess I can assume that someone else is complaining too!

Unfortunately the injecting IP is the only thing that can't be spoofed/forged: spammers have spoilt it for everyone. Admins that DO have a clue welcome the 'heads-up' from SpamCop that something has gone horribly wrong. Clueless ones blame the messenger.

SpamCop says of its list that it is aggressive and does not recommend using it as a 'reject'-list. For its own customers it 'blocks' it from our Inboxes and files it under 'Held-mail'. However, as it costs the receiver money to accept all that spam, some choose to reject altogether. Their server, their rules.

I think it can be fairly said that SpamCop is the easiest list to get on, and the easiest to get off once the problem is fixed: both are entirely automatic.
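
The receiver-side logic described in this thread, as an added example that is not part of any post and is not SpamCop's code: the blocklist lookup keys on the connecting IP (octets reversed under `bl.spamcop.net`, answered with `127.0.0.2` for a listed host), while a whitelist keys on the sender address, so a whitelisted address is delivered from any IP, forged mail included. The function names, the stub resolver, the `example.com` addresses and the listing of 192.0.2.10 are assumptions constructed for the illustration.

```python
import ipaddress
import socket

ZONE = "bl.spamcop.net"  # DNSBL zone named in the thread

def dnsbl_query_name(ip, zone=ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dns_a_lookup(name):
    """Default resolver: the A record as a string, or None if there is none."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(ip, resolver=dns_a_lookup, zone=ZONE):
    """Listed means the zone answers with a 127.0.0.x address."""
    answer = resolver(dnsbl_query_name(ip, zone))
    return answer is not None and answer.startswith("127.0.0.")

def disposition(connecting_ip, envelope_from, allowlist,
                resolver=dns_a_lookup, on_listed="hold"):
    """Receiver-side decision for one message.

    The allowlist is keyed on the sender address, the DNSBL on the connecting IP.
    on_listed is the receiver's choice: "hold" (held mail) or "reject".
    """
    if envelope_from.lower() in allowlist:
        return "deliver"  # address match wins, whatever IP the mail came from
    if is_listed(connecting_ip, resolver):
        return on_listed
    return "deliver"

# Constructed sample data (assumptions, not results of any real lookup).
STUB_ZONE = {
    "49.199.17.212.bl.spamcop.net": "127.0.0.2",  # the gateway from the thread
    "10.2.0.192.bl.spamcop.net": "127.0.0.2",     # constructed: unrelated listed host
}
ALLOWLIST = {"engineer@example.com"}  # hypothetical whitelisted sender

def stub_resolver(name):
    return STUB_ZONE.get(name)

def demo():
    cases = [
        ("212.17.199.49", "engineer@example.com"),   # whitelisted sender, listed gateway
        ("212.17.199.49", "colleague@example.com"),  # same gateway, sender not whitelisted
        ("192.0.2.10", "engineer@example.com"),      # forged sender, unrelated listed host
        ("192.0.2.10", "stranger@example.net"),      # same host, unknown sender
        ("198.51.100.7", "stranger@example.net"),    # host not listed
    ]
    return [disposition(ip, sender, ALLOWLIST, stub_resolver) for ip, sender in cases]

if __name__ == "__main__":
    print(demo())
```

The third case is the trade-off raised in the thread: once the address is whitelisted, mail forging that address is delivered even from a listed host.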
