dai_sr

Spam hasn't changed but delisting has added 24 hours

Hi All,

Some help would be hugely appreciated. PC that caused us to be blacklisted yesterday was cleaned up last night. We were one hour away from being delisted when the details changed and we have to wait another 24 hours :angry:

From what I can see the spam sent hasn't changed from 2 (which was due to expire in an hour) so why have I lost another 24 hours? This is driving me and my customer nuts.

"81.149.43.191 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours.

Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Additional potential problems

(these factors do not directly result in spamcop listing)

* System administrator has already delisted this system once

Because of the above problems, express-delisting is not available

Listing History

In the past 2.1 days, it has been listed 2 times for a total of 2.1 days"

As you can see from the bottom line listed 2 times in 2 days? This morning it was 2 times in 24 hours and it was set to expire about now.

Help Please!

81.149.43.191 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours.

Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

As you can see from the bottom line listed 2 times in 2 days? This morning it was 2 times in 24 hours and it was set to expire about now.

You likely have more problems than just that one machine and another message hit the SpamCop spamtraps. It is not another listing, it is an extension of the existing one. There are no user reports against this IP, so everything is spamtrap hits. You would need to contact deputies[at]admin.spamcop.net to find out EXACTLY the type of message hitting the spamtrap. It may not have been an infected machine.

Using the SenderBase Lookup on the page you saw, http://www.senderbase.org/senderbase_queri...g=81.149.43.191, it shows over 5000 messages have been seen by the SenderBase network monitors in the last 24 hours while your average is ~1000. Can you explain that increase?


You likely have more problems than just that one machine and another message hit the SpamCop spamtraps. It is not another listing, it is an extension of the existing one. There are no user reports against this IP, so everything is spamtrap hits. You would need to contact deputies[at]admin.spamcop.net to find out EXACTLY the type of message hitting the spamtrap. It may not have been an infected machine.

Using the SenderBase Lookup on the page you saw, http://www.senderbase.org/senderbase_queri...g=81.149.43.191, it shows over 5000 messages have been seen by the SenderBase network monitors in the last 24 hours while your average is ~1000. Can you explain that increase?

I can explain the increase certainly, I cleaned up what I believe was the offending machine about 7pm last night so I would imagine our stats are being distorted by that. It was 600%+ earlier and now it's down to 400%.

I still don't understand why we're getting this line and why when it numbers 2 still but I have to wait another 24 hours.

Listing History

In the past 2.1 days, it has been listed 2 times for a total of 2.1 days

Yesterday it was listed 2 times and was due to be delisted an hour ago, why when it's still listed as 2 do we have to wait another 24 hours. Deputies are not answering promptly, it took 7 hours for the first reply. I understand that they are volunteers but if spamcop are going to be blocking genuine company mail along with spam then we need faster responses than that. Anyway a "self appointed internet police" thread is for another day and won't get me far in here I'm sure. Any help more than appreciated

Yesterday it was listed 2 times and was due to be delisted an hour ago, why when it's still listed as 2 do we have to wait another 24 hours. Deputies are not answering promptly, it took 7 hours for the first reply. I understand that they are volunteers but if spamcop are going to be blocking genuine company mail along with spam then we need faster responses than that. Anyway a "self appointed internet police" thread is for another day and won't get me far in here I'm sure. Any help more than appreciated

I believe it is because that second listing never expired, it was extended because another spamtrap report was received. Some IP addresses could be listed 1 time for days or weeks elapsed time because spam reports keep coming in, resetting the timer. The listing is automated based on a mathematical formula.

It is also possible that that number simply has not updated and it will be 3 times at some point in the future.

The deputies are NOT volunteers, they are paid employees... we are volunteers here in the forums. There are 3 deputies (that we know of) dealing with ~1000-2000 messages a day. Since you have already received one reply from the deputies, it would appear your issue is being worked on.

Also, spamcop does no blocking whatsoever. The administrator of the receiving server has decided to use spamcop's list to block (against spamcop's recommendation).

I believe it is because that second listing never expired, it was extended because another spamtrap report was received. Some IP addresses could be listed 1 time for days or weeks elapsed time because spam reports keep coming in, resetting the timer. The listing is automated based on a mathematical formula.

It is also possible that that number simply has not updated and it will be 3 times at some point in the future.

The deputies are NOT volunteers, they are paid employees... we are volunteers here in the forums. There are 3 deputies (that we know of) dealing with ~1000-2000 messages a day. Since you have already received one reply from the deputies, it would appear your issue is being worked on.

Also, spamcop does no blocking whatsoever. The administrator of the receiving server has decided to use spamcop's list to block (against spamcop's recommendation).

Thanks, that explains why the count didn't go up but the time to wait increased. I cleaned the machine in question with Sophos last night, along with all the others on the network. Unfortunately you get no detail at all in the first emails you receive telling you you've fallen foul of the blacklist. I requested some help this morning to find out some more detail. Got a reply seven hours later, about 30 min after the pc in question sent another spam out. That's so frustrating as it would've been off the network immediately if I'd had the detail to hand when the first error was sent through. Of course that delay in providing info has cost the company another day offline to half of their customers. I've since sent a begging letter to deputies but they are not going to delist us early, they don't make exceptions at all even though a few posts around the forum suggest that they do.

Such a shame that a system designed to stop spam is killing my business at the moment, no one is prepared to help out a first time accidental spammer amongst the deputies. Certainly not the way to go if they wanted to increase business. This is the first time I've come across spamcop and although it's effective, its draconian measures and total lack of detail in the first emails received meant I've lost another day of business for 30 or so staff. A better resolution and I may have considered signing up my company to it.

Ah well, I guess I'm screwed and the company has no choice but to wait it out.

<snip>Unfortunately you get no detail at all in the first emails you receive telling you you've fallen foul of the blacklist.

<snip>

...Right, not if you are sending e-mails to spam Traps. They have to be protected. Call me naive, but I would expect that e-mail server administrators know the tools available to find unauthorized uses of their services without specifics from outside sources such as SpamCop.
Of course that delay in providing info has cost the company another day offline to half of their customers.

<snip>

...The company is quite fortunate if this is the only reason it has or ever will not be able to reach its customers via e-mail. Internet e-mail as we know it today is not, never has been and is unlikely ever to be a guaranteed delivery mechanism. Alternative means of communication should be in all good business processes.
... no one is prepared to help out a first time accidental spammer amongst the deputies. Certainly not the way to go if they wanted to increase business.

<snip>

...Quite the contrary -- their services are directed towards those who wish to help report spam to abuse desks and administrators who want a list of IP addresses from which spam is spewing, not those spewing spam. I understand that you want to be a good citizen and are frustrated that you are not getting help from SpamCop in discovering what is causing the spam so you can stop it but there are only so many of them and they get so many requests. What have you done on your own? Some administrators have been able to find the source of spam by searching their outgoing firewall logs; some have found that out-of-office messages (or other replies generated after accepting spam) are the cause. There's a whole section in the SpamCop FAQ (see link near top left of each SpamCop Forum page) labeled "Assistance stopping spam." Have you contacted the administrators who are using the SpamCop blacklist to block you and asked that they whitelist your e-mails?


A view as seen from the other side of the fence.

I cleaned the machine in question with Sophos last night, along with all the others on the network.

Apparently, you "thought" you had things all cleaned up ...????

Unfortunately you get no detail at all in the first emails you receive telling you you've fallen foul of the blacklist.

I'm going to suggest that no one here knows just what this "first e-mail" was all about, why it was generated, in response to what action, etc. Again, spamtrap hits generate no reports.

I requested some help this morning to find out some more detail. Got a reply seven hours later, about 30 min after the pc in question sent another spam out. That's so frustrating as it would've been off the network immediately if I'd had the detail to hand when the first error was sent through. Of course that delay in providing info has cost the company another day offline to half of their customers.

No one here has any insight to the e-mails you sent elsewhere. It has been repeatedly pointed out that the paid staff generally is described as three individuals located around the North American continent that try to handle something to the tune of 800-1800 e-mails a day. Insufficient details in e-mails sent for help, resolution, etc. only serve to slow things down. Ranting e-mails don't usually help the situation either.

I've since sent a begging letter to deputies but they are not going to delist us early, they don't make exceptions at all even though a few posts around the forum suggest that they do.

Part of that decision was probably pretty easy. As you provided in the Topic starting post; * System administrator has already delisted this system once .... that particular page includes the warning that it's a one-time use only option. As seen in the continuing dialog, this option was used by someone before the actual problem was totally cleared up. Oooops! some would say, others would point out some other scenarios.

Such a shame that a system designed to stop spam is killing my business at the moment, no one is prepared to help out a first time accidental spammer amongst the deputies.

The SpamCopDNSBL is a tool offered to help "handle" spam, as recommended by SpamCop.net itself. That some folks (in this case, at least one of your receiving ISPs/Hosts) have chosen to use that tool in a blocking fashion cannot be 'blamed' on SpamCop.net.

Certainly not the way to go if they wanted to increase business.

And apparently, your lack of research has also shown that you have no idea that the use of the SpamCopDNSBL is basically free, as it has been since its inception.

This is the first time I've come across spamcop and although it's effective, its draconian measures and total lack of detail in the first emails received meant I've lost another day of business for 30 or so staff. A better resolution and I may have considered signing up my company to it.

Ah well, I guess I'm screwed and the company has no choice but to wait it out.

Noting that a listing in the SpamCopDNSBL was not instantaneous ... there was some time elapsed before that happened. As you have pointed out, you had almost timed out once, but your systems generated more bad spew. As I pointed out, had the problem been totally cleared up 'first' the opportunity for an "express delisting" could have been used to its full advantage.

This was from today!

Odd....I just ran the IP through the SC reporting system and it didn't show me that one. I note that the admins have re-routed reports to themselves on this IP for now...I guess they're working directly with the OP.

I just checked the IP on some other BLs and found it listed on the MSRBL. There's a set of fresh headers there....here they are:

Return-Path: <EMAIL[at]REMOVED>
Received: from pc09.biotec.local (mail.biotec-uk.com [81.149.43.191])
    by smtp.sd73.bc.ca (Postfix) with SMTP id A42991A000B0B;
    Fri, 18 Jul 2008 02:27:19 -0700 (PDT)
Message-ID: 1787001c8e8b8$773f6910$9e01a8c0[at]PC09
From: <EMAIL[at]REMOVED>
To: <EMAIL[at]REMOVED>
Subject: Breaking News Headlines and Video
Date: Fri, 18 Jul 2008 10:26:54 +0000
MIME-Version: 1.0
Content-Type: text/plain;
    format=flowed;
    charset="iso-8859-1";
    reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

Don't know if the item in question is actually spam or not, but it tripped the ClamAV "SaneSecurity" triggers at that BL.

DT

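Added example, not part of DT's post: the headers quoted above already point at one machine behind the public IP. The sketch assumes the Outlook Express Message-ID convention, in which the last "$" field is the sender's IPv4 address as byte-reversed hex, and Postfix's "from HELO (rDNS [IP])" Received layout; the function names are hypothetical.

```python
import ipaddress
import re

# Header lines copied from the post above (addresses were already redacted there).
HEADERS = """\
Received: from pc09.biotec.local (mail.biotec-uk.com [81.149.43.191])
    by smtp.sd73.bc.ca (Postfix) with SMTP id A42991A000B0B;
    Fri, 18 Jul 2008 02:27:19 -0700 (PDT)
Message-ID: 1787001c8e8b8$773f6910$9e01a8c0[at]PC09
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
"""

# Postfix layout: "from <HELO name> (<reverse DNS> [<connecting IP>])"
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)",
    re.MULTILINE)
# Three "$"-separated fields, then "@" (or the forum's "[at]") and a host name.
MSGID_RE = re.compile(
    r"^Message-ID:\s*<?[^$\s]+\$[^$\s]+\$(?P<hexip>[0-9a-fA-F]{8})"
    r"(?:@|\[at\])(?P<host>[^>\s]+)",
    re.MULTILINE | re.IGNORECASE)


def decode_oe_ip(hexip):
    """Assumption: the field is the sender's IPv4 address with its bytes reversed."""
    return ipaddress.IPv4Address(bytes.fromhex(hexip)[::-1])


def internal_origin(headers):
    """Collect what the headers reveal about the host behind the NAT address."""
    out = {}
    m = RECEIVED_RE.search(headers)
    if m:
        out["public_ip"] = m.group("ip")
        out["helo"] = m.group("helo")
        # A HELO name that differs from the mail server's rDNS suggests a direct sender.
        out["helo_matches_rdns"] = m.group("helo").lower() == m.group("rdns").lower()
    m = MSGID_RE.search(headers)
    if m:
        lan_ip = decode_oe_ip(m.group("hexip"))
        out["lan_ip"] = str(lan_ip)
        out["lan_ip_is_private"] = lan_ip.is_private
        out["msgid_host"] = m.group("host")
    return out


if __name__ == "__main__":
    for key, value in internal_origin(HEADERS).items():
        print(f"{key}: {value}")
```

Both values come from the sending software, so they are leads to check against DHCP leases and firewall logs, not proof.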

A few details missing from this discussion that might help somewhat:

1) Are you running a mail server at this IP address, or are you using an SMTP/POP client to send through your ISP's mail server?

2) If you are running a mail server, is it sharing a single public IP address with your LAN through some kind of NAT arrangement?

3) If you are running a mail server, what software and version is it?

If you are running your own mail server, and it is sharing an IP address with your LAN, you might want to configure your firewall/router to block all outgoing port 25 traffic that does NOT originate from the mail server. This will prevent infected machines on your network from transmitting direct-to-MX mail. It should also generate some "traffic blocked" entries in your firewall's logs that will help you track down the problem machines.

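Added example, not from the thread: one way to act on the firewall-log advice above is to count which LAN hosts other than the mail server attempt outbound TCP port 25. The log lines are constructed in abridged Linux netfilter LOG format; the SMTP-OUT prefix, the 192.168.1.10 mail-server address and the function names are assumptions.

```python
import re
from collections import defaultdict

MAIL_SERVER = "192.168.1.10"  # assumption: the only LAN host allowed to use port 25

# Constructed, abridged netfilter LOG lines; "SMTP-OUT" is a hypothetical log prefix.
SAMPLE_LOG = """\
Jul 18 09:14:02 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP SPT=40112 DPT=25 SYN
Jul 18 09:14:05 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.25 PROTO=TCP SPT=1187 DPT=25 SYN
Jul 18 09:14:05 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.44 PROTO=TCP SPT=1188 DPT=25 SYN
Jul 18 09:14:06 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=192.0.2.80 PROTO=TCP SPT=1189 DPT=25 SYN
Jul 18 09:15:40 gw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.41 DST=203.0.113.25 PROTO=TCP SPT=2210 DPT=25 SYN
Jul 18 09:16:11 gw kernel: WEB-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=192.0.2.80 PROTO=TCP SPT=1190 DPT=80 SYN
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def smtp_offenders(log_text, mail_server=MAIL_SERVER):
    """Map each LAN host other than the mail server to its outbound port-25 attempts."""
    hits = defaultdict(lambda: {"attempts": 0, "destinations": set()})
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
            continue  # not SMTP
        src = fields.get("SRC")
        if src is None or src == mail_server:
            continue  # legitimate relay traffic or an unparseable line
        hits[src]["attempts"] += 1
        hits[src]["destinations"].add(fields.get("DST"))
    return dict(hits)


def rank(hits):
    """Worst first: many distinct destinations is the direct-to-MX pattern."""
    return sorted(
        hits,
        key=lambda h: (len(hits[h]["destinations"]), hits[h]["attempts"]),
        reverse=True)


if __name__ == "__main__":
    found = smtp_offenders(SAMPLE_LOG)
    for host in rank(found):
        print(host, found[host]["attempts"], sorted(found[host]["destinations"]))
```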

He might be looking for viruses but he is missing worms and trojans. I believe education is needed.

the admins have re-routed reports to themselves on this IP for now...I guess they're working directly with the OP.
Nothing to do with the OP. That reporting address has been in use since 2003. It's one of those that we do for networks who want our reports to go to a special address that they don't want published.

81.149.43.191 sent spam to our traps as recently as 6 hours ago.

http://www.spamcop.net/sc?id=z2076606787z6...2d9603b3a82cf7z

You can use that link to review an example from a recent user report. The "View entire message" link will show you the full headers and text.

- Don D'Minion - SpamCop Admin -

Nothing to do with the OP. That reporting address has been in use since 2003. It's one of those that we do for networks who want our reports to go to a special address that they don't want published.

Thanks...I stand corrected.

DT
