R-T

1and1, one of the world's largest hosts, blocked my spamcop!


(I meant to type "blocked BY spamcop")

bl.spamcop.net is blocking 1and1's < http://www.1and1.com > mailserver at 74.208.4.194

This is wreaking havoc! If spamcop is going to block 1and1, they might as well block earthlink and aol while they are at it!

HELP!

What to do?

Thanks...

P.S. Spamcop is the only list blocking this IP: http://www.dnsstuff.com/tools/ip4r.ch?ip=74.208.4.194

Edited by R-T


(I meant to type "blocked BY spamcop")

bl.spamcop.net is blocking 1and1's < http://www.1and1.com > mailserver at 74.208.4.194

This is wreaking havoc! If spamcop is going to block 1and1, they might as well block earthlink and aol while they are at it!

SpamCop DOES block certain IPs of those providers when the spam reports coming from them reach a certain percentage.

Every list has their own reasons for blocking. SpamCop uses reports from its users and spamtraps, both of which have been seen for this IP address. SpamCop lists quicker than most, but also automatically de-lists. It can be seen as an early warning system for administrators.

What to do? Make sure the administrators (Reporting addresses: abuse[at]schlund.de and abuse[at]1and1.com) are handling the problems and removing them from the network.

More information: http://www.spamcop.net/bl.shtml?74.208.4.194

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Here are some of the reports that have come in within the last 24 hours:

Report History:
 24 hours
--------------------------------------------------------------------------------

Submitted: Wednesday, March 28, 2007 9:29:56 AM -0400: 
Be leaner and slimmer by next week 
2219100178 ( 74.208.4.194 ) To: abuse[at]schlund.de 
2219100177 ( 74.208.4.194 ) To: abuse[at]1and1.com 

--------------------------------------------------------------------------------

Submitted: Wednesday, March 28, 2007 9:19:38 AM -0400: 
Become Fit For Life 
2219083490 ( 74.208.4.194 ) To: abuse[at]schlund.de 
2219083480 ( 74.208.4.194 ) To: abuse[at]1and1.com 

--------------------------------------------------------------------------------

Submitted: Wednesday, March 28, 2007 9:19:38 AM -0400: 
Become Fit For Life 
2219083537 ( 74.208.4.194 ) To: abuse[at]schlund.de 
2219083518 ( 74.208.4.194 ) To: abuse[at]1and1.com 

--------------------------------------------------------------------------------

Submitted: Wednesday, March 28, 2007 2:23:27 AM -0400: 
Cancer cure? 
2218562249 ( http://www.siginfogroup.com/ ) To: abuse[at]ntt.net
2218562248 ( 74.208.4.194 ) To: abuse[at]schlund.de 
2218562247 ( 74.208.4.194 ) To: abuse[at]1and1.com 

--------------------------------------------------------------------------------

Submitted: Tuesday, March 27, 2007 11:02:35 PM -0400: 
A.Lange & Sohne Watches
2218336882 ( 74.208.4.194 ) To: abuse[at]1and1.com 
2218336881 ( 74.208.4.194 ) To: abuse[at]schlund.de 

P.S. I tried to modify your title, but it is too long to modify, the title would have ended at the word by.


Should I say 'welcome back' or not?

(I meant to type "blocked BY spamcop")

And you would be just as wrong .... SpamCop.net cannot block your e-mail. Unless there's a SpamCop.net e-mail address involved, SpamCop.net doesn't touch your e-mail.

bl.spamcop.net is blocking 1and1's < http://www.1and1.com > mailserver at 74.208.4.194

No ... the traffic conditions from the server at that IP address managed to satisfy the formula for getting listed in the SpamCopDNSBL. Some other ISP has chosen to use the data in the SpamCopDNSBL in a 'blocking fashion' .. which even SpamCop.net does not recommend.

This is wreaking havoc! If spamcop is going to block 1and1, they might as well block earthlink and aol while they are at it!

P.S. Spamcop is the only list blocking this IP: http://www.dnsstuff.com/tools/ip4r.ch?ip=74.208.4.194

As Steven stated, the reason that there are so many BLs out there is because they are all based on different rules, policies, etc. Try What is the SpamCop Blocking List? to see the math involved.

The background of today's status;

http://spamcop.net/w3m?action=checkblock&ip=74.208.4.194

74.208.4.194 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 21 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

System administrator has already delisted this system once

Because of the above problems, express-delisting is not available

Listing History

System has been listed for less than 24 hours.

Other hosts in this "neighborhood" with spam reports

74.208.4.195 74.208.4.198 74.208.4.199 74.208.4.202 74.208.4.203

However, the 'real' show is seen at http://www.senderbase.org/search?searchBy=...ng=74.208.4.194

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ......... 4.8 .. 44006%

Last 30 days ... 2.8 .... 360%

Average ......... 2.2

There are many 'possible' reasons for a spike like this, but ... the spamtrap hits, the spam complaints, in addition to this kind of numbers jump usually translates to spammer abuse/control of that server.

Again, let's note that 1and1 / Schlund are all over the map, have a ton-load of output servers, but .. not all of them are so bad so as to end up on the SpamCopDNSBL. On the other hand, they do seem to manage to get discussed here a lot.


However, the 'real' show is seen at http://www.senderbase.org/search?searchBy=...ng=74.208.4.194

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ......... 4.8 .. 44006%

Last 30 days ... 2.8 .... 360%

Average ......... 2.2

There are many 'possible' reasons for a spike like this, but ... the spamtrap hits, the spam complaints, in addition to this kind of numbers jump usually translates to spammer abuse/control of that server.

Again, let's note that 1and1 / Schlund are all over the map, have a ton-load of output servers, but .. not all of them are so bad so as to end up on the SpamCopDNSBL. On the other hand, they do seem to manage to get discussed here a lot.

One reason, it looks like this is a new server IP: Date of first message seen from this address 2007-03-27

One reason, it looks like this is a new server IP: Date of first message seen from this address 2007-03-27

Yeah, I saw that too .. However, pointing that out would have left me a bit speechless on the average and last 30 day numbers .. which I can only repeat, IronPort / SenderBase folks don't talk to me either.

1and1, 1und1, Schlund got so big based on their buying out of many local ISPs. I conjectured years ago that this was one of the issues ... they bought a mom & pop operation in some small town, but didn't bring in new people or hardware to bring that operation up to speed .. just changing the 'name' and DNS/MX records. Then do the marketing thing and throw another few thousand (new) users against that system that used to work fine for a few hundred 'local' folks .... eventually there will be enough 'customer' complaints that things get 'fixed' ...


To clarify: contrary to what has been said above, spamcop CAN, and DOES block email.

How?

- When my client told me about their problem sending mail, their message to me went into my spamcop Held Mail folder (I'm a spamcop customer). If their message going to my Held Mail folder doesn't count as a block, what does? An outright bounce?

- My client's mailservers all use bl.spamcop.net - because it's a fantastic RBL... normally.

Shouldn't the ten complaint limit be adjusted for volume? I mean, if an AOL mailserver sends out a billion emails a day, and gets 100 complaints a day, is that really a sign that the mail server supports spammers?

Same thing for 1and1 - and by the way, they didn't grow big by using small ISP's equipment, even if they bought the ISP. They own all of their own equipment, that is housed in their own facilities. Do a trace route on their IPs, it all goes back to Europe (Germany, I think).

Thanks for any help on this...


To clarify: contrary to what has been said above, spamcop CAN, and DOES block email.

How?

- When my client told me about their problem sending mail, their message to me went into my spamcop Held Mail folder (I'm a spamcop customer). If their message going to my Held Mail folder doesn't count as a block, what does? An outright bounce?

Spamcop can only block mail on their own servers and yes they are not really blocking it because it goes to your held mail folder. Each mail admin who uses the blocklist decides on how they handle it.

- My client's mailservers all use bl.spamcop.net - because it's a fantastic RBL... normally.

Shouldn't the ten complaint limit be adjusted for volume? I mean, if an AOL mailserver sends out a billion emails a day, and gets 100 complaints a day, is that really a sign that the mail server supports spammers?

Same thing for 1and1 - and by the way, they didn't grow big by using small ISP's equipment, even if they bought the ISP. They own all of their own equipment, that is housed in their own facilities. Do a trace route on their IPs, it all goes back to Europe (Germany, I think).

Thanks for any help on this...

From the looks of it the numbers support a spam run.

Last day 4.8 43935%

Last 30 days 2.8 360%

From the spamcop reports posted above it is a spam run


I am one of the people that have reported 1and1 daily for some time and that translates in more than 10 reports. Mostly meds and rolex spams...the usual crap, yes. So definitely I can confirm the data here which suggests that ISP has poor control over spam output from their servers.


Terminology issues here ....

"Blocked" means blocked, rejected, refused (unfortunately, also accepted then deleted/dropped on the floor)

"Placed into my Held folder" = filtering action - no blocking involved

Your starting post in this Topic used the word "blocked" and then went further to state that SpamCop.net was doing the 'blocking' .... The dialog you are challenging was to explain that the SpamCopDNSBL does not have the 'power' to block your e-mail ... only an ISP that has chosen to use the data found in the SpamCopDNSBL and apply that to a refuse/reject/block configuration setting can actually 'block' your e-mail

Taken further, "you" can send all the e-mail you want. It's only that part of your e-mail that leaves a server at an IP address that has been listed in the SpamCopDNSBL that then attempts to go to an ISP that has their servers configured to reject any e-mail coming from a SpamCopDNSBL listed IP address .... this is not 100% blockage, by any means .. and most definitely, not accomplished by SpamCop.net at all.

As I stated in yet another recent dealing with 1and1 / Schlund ... these folks are not unfamiliar with their servers making their way onto many different BLs.

Shouldn't the ten complaint limit be adjusted for volume? I mean, if an AOL mailserver sends out a billion emails a day, and gets 100 complaints a day, is that really a sign that the mail server supports spammers?

This seems to suggest that you either did not read or did not understand the offered link to a FAQ/Wiki entry that laid some of the basic groundwork for the math involved in a SpamCopDNSBL listing/de-listing. You also seem to have skipped over (or ignored?) the impact of "spamtrap hits" which have a definite penalty associated with them for use in that math formula.

Your offered 'a billion' and '100 complaints' would fail to meet the math needed for a listing.

Later: wondering if perhaps they have actually done something .. traffic seems to be winding down a bit ..

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 4.8 .. 43739% (down from 44006% a couple of hours ago)

Last 30 days .. 2.8 .... 360%

Average ........ 2.2


74.208.4.194 = mout.perfora.net is one of 1and1's main mail servers. That group of servers have been flagged as main mail handlers in our system and have been removed from our blocking list. The SpamCop parse will now push past those servers and go after the user IP that is the actual source of the spam.

Our blocking list clients who have been refusing to accept mail from 74.208.4.194 should start allowing it now, or very soon.

- Don D'Minion - SpamCop Admin -


To clarify: contrary to what has been said above, spamcop CAN, and DOES block email.

[SNIP]

and by the way, they didn't grow big by using small ISP's equipment, even if they bought the ISP. They own all of their own equipment, that is housed in their own facilities. Do a trace route on their IPs, it all goes back to Europe (Germany, I think).

Thanks for any help on this...

If SpamCop blocklists an email server it is because their BIG email people are incompetent!

SpamCop will only try to list the computer sending the spam. A misconfigured email server conceals the source and after a great many spams will eventually then get listed (SpamCop would have sent many abuse reports before listing which have been ignored)

http://www.spamcop.net/sc?id=z1264470771z9...4b8d9545effb80z

shows how with a competent provider send an abuse report

Re: 58.179.20.131 (Administrator of network where email originates)

abuse[at]iprimus.com.au

58.179.20.131 is the computer I sent this test from (hotmail is interested in reports sent through their servers)

If one gets an abuse report it is informing of a security problem I would suggest they go through my signature on ALL machines using that server


Don - Thanks for your help.

Comments defining "block" vs. "warning" or "held" or whatever: this is a childish game of semantics.

To the end user, there are only two states for mail: mail they get in their inbox, and mail that does not make it into their inbox.

Saying an email wasn't blocked because it went into my held mail folder, where I have to search with an eagle's eye for it to stand out from 500 spam messages I get every day, is being disingenuous. It's in my held mail folder because bl.spamcop.net doesn't like it. How does that sound, "doesn't like it"? If that doesn't set off flags like "blocked" does, so be it, hopefully you understand my point.

As for mail admins that use bl.spamcop.net (like myself on my client's mail servers): my mail server software doesn't allow for individual settings for each blocklist; I can input the RBLs like zen.spamhaus.org and bl.spamcop.net, and say to use SpamAssassin, but once I input those settings, I can only specify what to do with messages that are "not liked" by one or all of those methods; I can't say "if zen.spamhaus.org doesn't like it, bounce it, but if bl.spamcop.net doesn't like it, deliver it but tag the subject line with 'Junk Mail'".

Don - Thanks for your help.

Though noting that his 'explanation' sure seems to fit the "bought yet another local place and put our stamp on it" .. this time including a new server farm. The downside is that the spam spew from that server continues. Oh well.

Anyone can toss up a 'new e-mail server' and not expect to run into BL issues ... that is unless/until the spam spew starts.

Comments defining "block" vs. "warning" or "held" or whatever: this is a childish game of semantics.

To the end user, there are only two states for mail: mail they get in their inbox, and mail that does not make it into their inbox.

That may be your definition. Unfortunately, if you want to talk 'technical issues' you must use the correct definitions for the words used. If you ask an e-mail server admin a question about "blocked" e-mail, then there are a number of specific places to look for that data/history .. transaction logs between the two involved servers, configuration settings of various other tools, error logs, on and on. However, if you are actually asking about a filtering process, then the Admin search has to go down another whole path, looking at totally different sections of the server .. to possibly include 'user' configuration settings. Hardly 'childish'.

Saying an email wasn't blocked because it went into my held mail folder, where I have to search with an eagle's eye for it to stand out from 500 spam messages I get every day, is being disingenuous. It's in my held mail folder because bl.spamcop.net doesn't like it. How does that sound, "doesn't like it"? If that doesn't set off flags like "blocked" does, so be it, hopefully you understand my point.

As you seem to ask .. no .. your point flat sucks as clarified by the above, the dialog available on what a SpamCop.net does and how it does it, the numerous entries within these Discussions, the FAQ entries, the Wiki pages, on and on ... What you are seeing in your SpamCop.net e-mail accounts is Tagging and Filtering ... a long ways down the road from "Blocking"

As for mail admins that use bl.spamcop.net (like myself on my client's mail servers): my mail server software doesn't allow for individual settings for each blocklist; I can input the RBLs like zen.spamhaus.org and bl.spamcop.net, and say to use SpamAssassin, but once I input those settings, I can only specify what to do with messages that are "not liked" by one or all of those methods; I can't say "if zen.spamhaus.org doesn't like it, bounce it, but if bl.spamcop.net doesn't like it, deliver it but tag the subject line with 'Junk Mail'".

And rather than change your tools, throw a complaint to that developer, whatever, you decide to arrive here and raise a bit of hell? There's a lot of other folks doing things differently .. just for giggles, there's this 'new' tool that goes by the name of SpamAssassin that lets one 'score' an incoming e-mail, 'tag' incoming e-mail, allowing the user to decide just what to do with that incoming (scored/tagged/or not) e-mail.

Oh wait ... SpamAssassin is even used on your SpamCop.net e-mail account ... hmmm, scores, Tags, results can be adjusted in "your Filter configuration settings" ....????? Technical words = "Filtered / NOT BLOCKED" .. as you still received it ... which by definition, is not what 'Blocked' means ....


Comments defining "block" vs. "warning" or "held" or whatever: this is a childish game of semantics.

To the end user, there are only two states for mail: mail they get in their inbox, and mail that does not make it into their inbox.

In a technical field, it is very important to use the correct terminology or the correct things don't get fixed.

In my experience with many different levels of expertise, most people these days, even my parents, understand that they need to check their "Held Mail", "spam Folder", "Junk Email", etc due to the actions of spammers.

Perhaps you need a more sophisticated server software that does allow for individual targets. There are many available. You can also disable any blocklists that you do not agree with their rules for listing.

As far as your "does not like" definition, it may be sufficient for a very low level discussion of the topic with someone. It is not sufficient when discussing an issue with delivery of email. "Spamcop has detected a large percentage of spam coming from that server and listed it" is generally more accurate.

Yes, if you have a spamcop email account, then spamcop can divert a message from a listed server to the Held Mail folder. Other than that, spamcop can not physically interact with any email transmission. The receiving server asks spamcop if a specific address is listed. SpamCop answers with a yes or no. The receiving server then makes a decision as to what it wants to do with that message.

It is up to senders of messages to ensure their servers are being maintained properly so their messages can be delivered. If your provider is not able to supply an account that is not affected by blocklists, it is up to you whether you want to keep supporting that provider. I have changed providers about 6 times in the last 15 years, most of the time changing because of the service I was being given.
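
The lookup described in the post above (the receiving server asks, the list answers, the receiver decides), combined with the per-list handling asked for earlier in the thread (reject on one list, tag on another), as an added example that is not part of the original thread or any poster's code. The function names, the policy table and the sample resolver data are assumptions made for illustration; the constructed data lets it run offline.

```python
import ipaddress
import socket

# The receiving server's own choice per list (an assumed policy; the two zone
# names are the ones mentioned in the thread).
POLICY = {"zen.spamhaus.org": "reject", "bl.spamcop.net": "tag"}
SEVERITY = {"accept": 0, "tag": 1, "reject": 2}


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Return the A record for name, or None when there is no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, zone, resolve=system_resolver):
    """The list only answers yes (an A record) or no (no such name)."""
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return False
    # This example counts only 127.0.0.x as a listing (an assumption; check
    # each list's documented return codes). Any other answer, such as a
    # wildcarded or hijacked zone, is ignored rather than treated as a hit.
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/24")


def decide(ip, policy=POLICY, resolve=system_resolver):
    """Return (action, zones that listed ip); the strictest action wins."""
    hits = [zone for zone in policy if is_listed(ip, zone, resolve)]
    action = max((policy[z] for z in hits), key=SEVERITY.get, default="accept")
    return action, hits


def apply_action(action, subject):
    """Map the action to an SMTP-style reply and the subject as delivered."""
    if action == "reject":
        return "550 rejected: sending IP is on a DNS blocklist", None
    if action == "tag":
        return "250 accepted", "[Junk Mail] " + subject
    return "250 accepted", subject


# Constructed resolver data. The first entry mirrors the listing quoted in the
# thread (127.0.0.2); the others use RFC 5737 documentation addresses.
SAMPLE_ZONE_DATA = {
    "194.4.208.74.bl.spamcop.net": "127.0.0.2",
    "7.113.0.203.zen.spamhaus.org": "127.0.0.2",
    "8.113.0.203.bl.spamcop.net": "203.0.113.1",  # bogus answer, not 127.0.0.x
}


def sample_resolver(name):
    return SAMPLE_ZONE_DATA.get(name)


if __name__ == "__main__":
    for ip in ("74.208.4.194", "203.0.113.7", "203.0.113.8", "198.51.100.9"):
        action, hits = decide(ip, resolve=sample_resolver)
        print(ip, action, hits, apply_action(action, "Invoice"))
```

Dropping the `resolve=sample_resolver` argument makes the same code query the live lists through the system resolver.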


A little OT but as a side note it seems SBCGlobal is now blocking 1and1's mail server.

SMTP error from remote server after MAIL command:

host sbcmx2.prodigy.net[207.115.20.21]:

553 5.3.0 flpvm18,DNSBL:To request removal of, 74.208.4.195, send the complete error message in an E-mail to removeme at sbc.sbcglobal.net

A little OT but as a side note it seems SBCGlobal is now blocking 1and1's mail server.

SMTP error from remote server after MAIL command:

host sbcmx2.prodigy.net[207.115.20.21]:

553 5.3.0 flpvm18,DNSBL:To request removal of, 74.208.4.195, send the complete error message in an E-mail to removeme at sbc.sbcglobal.net

And to keep things technically correct, this is about 'another' 1and1 server ....


In a technical field, it is very important to use the correct terminology or the correct things don't get fixed.

In my experience with many different levels of expertise, most people these days, even my parents, understand that they need to check their "Held Mail", "spam Folder", "Junk Email", etc due to the actions of spammers.

Perhaps you need a more sophisticated server software that does allow for individual targets. There are many available. You can also disable any blocklists that you do not agree with their rules for listing.

As far as your "does not like" definition, it may be sufficient for a very low level discussion of the topic with someone. It is not sufficient when discussing an issue with delivery of email. "Spamcop has detected a large percentage of spam coming from that server and listed it" is generally more accurate.

Yes, if you have a spamcop email account, then spamcop can divert a message from a listed server to the Held Mail folder. Other than that, spamcop can not physically interact with any email transmission. The receiving server asks spamcop if a specific address is listed. SpamCop answers with a yes or no. The receiving server then makes a decision as to what it wants to do with that message.

It is up to senders of messages to ensure their servers are being maintained properly so their messages can be delivered. If your provider is not able to supply an account that is not affected by blocklists, it is up to you whether you want to keep supporting that provider. I have changed providers about 6 times in the last 15 years, most of the time changing because of the service I was being given.


It's been quite a while since tooangry has posted here ... it does make one wonder what was "going" to be said before the mind was changed, wrong button clicked, or ...???? I did note that it appeared that I wasn't the target this time for whatever reason <g>

It's my recollection that the last PM or three were basically ignored, so not going to send out yet another one ...


...Inquiry by user pirco and follow-ups moved to the SpamCop Lounge Forum (a new topic: Apparent Blocking of 1&1 by SORBS) because it had to do with apparent blocking due to SORBS and nothing to do with SpamCop (except for an apparently inaccurate reference thereto by 1&1).

[edit - and PM sent after further post 'here' moved]

Edited by Farelf

- When my client told me about their problem sending mail, their message to me went into my spamcop Held Mail folder (I'm a spamcop customer). If their message going to my Held Mail folder doesn't count as a block, what does? An outright bounce?

Take it up with 1 Und 1.... they own the IP and are responsible for activity on it. SpamCop only compiles IPs through the reporting system and allows users to implement that list to prevent spam delivery to their inbox.

YOU SHOULD BE COMPLAINING TO THE PEOPLE THAT DON'T RESOLVE THE SPAMMING ON THEIR IP.

... you're goin after the wrong people here, mate.

*EDIT* I just realized that post was from 2007... you can delete this post if it's no longer relevant.


My mail provider 1and1 has been blocked several times in the last year. Every time it takes days to sort out, and I am losing potential customers.

Is there anything I can be asking 1and1 to do to sort this out? Otherwise, I just don't know what to do. Does Gmail get blocked in the same way? if not maybe I should move my mail servers there...I can't go on like this, that is for sure.

realise now this is an old thread so started new one

Edited by szimbler
