tibmail

Single email address from IP range being blocked?


I've got a bit of a confusing issue here. We're an ISP and we relay mail for a whole bunch of folks. The other day one of them calls us and says their mail is getting bounced by our server. So I have a look on the server and I see loads of mail from their domain going through; I dig a bit deeper and I find that only sales[at]jimshop.com is getting blocked by spamcop, whereas everyone else [at]jimshop.com is getting through.

The IP address for jimshop.com is on the spamcop list, so I was thinking it might be the recipient server that is blocking it, but the bounceback message is coming from our outbound smtp server.

Also, it's being blocked because it sent to a spam trap. What actually is a spam trap?



Please supply the IP address that is allegedly listed. We (TINW) can do nothing to help without it. Spamcop knows nothing whatsoever about domains so I can only surmise that the sales[at] is being sent from a different IP from the others.

A spamtrap is an address that has NEVER been used to send email. They are hidden on web-sites for the bots to scrape them. ANY mail to a spamtrap is by definition unsolicited and therefore given more weight in scoring for the blacklist.


Hi, the IP is 80.46.110.1. It's definitely listed, and all the mail for that domain is coming from the same IP.

I'm not looking to appeal it at this stage as it's due to be delisted soon; I'm just trying to understand what's going on.


As you say, 80.46.110.1 is listed...

80.46.110.1 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 5 hours.

Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

80-46-110-1.static.dsl.as9105.com is a static dsl connection so reports on this IP will have been sent to the ISP. The records seem to suggest that Tiscali is somewhere in the loop.

This IP is also listed at cbl.abuseat.org

A listing due to spam trap hits is often an indication of a PC behind a router at this IP infected with a trojan of some sort - assuming these guys are not actually sending junk to spam traps. Because there are only spam trap hits, there is no message history available to users to give further indication of the content.

Andrew



OK, that's resolving as a static IP assigned by Tiscali.co.uk. The client is running his own mailserver there and you are cool with that? Can he explain why there has been a four-fold increase in traffic from that server in the last day or two? He almost certainly has a trojanned machine spewing spam, and spamcop is doing its job and working properly. You may want to disconnect him until he's found and fixed the problem.

Not sure what you mean by 'getting through'. Are YOU using the SCBL to reject connections from your own clients? If not, then it's not YOUR server that's doing the rejecting: it's one of your client's intended recipients. If you have it, post the rejection message here.

If you mean that you didn't use the 'delist' button, that was a good decision. If you had used that and the spam continued, you wouldn't be able to use it when you get the problem fixed. It is a one time only button.

If other email addresses from the same IP address are not getting bounced, then the ISPs at the receiving end are not using the spamcop blocklist to reject email or if they are, it is only part of their filtering process. sales[at] might get blocked because of the content (an obvious sales pitch or spam key words) while other legitimate emails get through the content filters or the recipient has whitelisted the addresses.

However, ISTM as if you are filtering outgoing email for spam (though why you are doing that and not monitoring it to see if spam is being sent is a bit of a mystery). If that is so, then the way your filtering system is set up, it must only use spamcop for part of the filtering process so that only obvious spam is caught.

As was suggested before, either your client has a compromised computer or they have bought a 'guaranteed all opt-in mailing list' and really are sending unsolicited email from their sales department. If someone else previously has installed an outgoing spam filter and tweaked it so that only email from sales[at] gets caught, it sounds as if this has been going on for a while. You need to get the problem fixed - help your client understand either about compromised computers or best mailing list practices.

Miss Betsy


The IP should be shut down until the machine is fixed.

Also: It should not be running a mail server:

SMTP - 25 220 bcplantjcb.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.211 ready at Fri, 22 Aug 2008 15:48:45 +0100

Example header of spam:

From Azmeer-rednazfa[at]1topme.co.kr Thu Aug 21 08:30:10 2008
Delivery-date: Thu, 21 Aug 2008 08:30:10 -0400
Received: from [80.46.110.1] (helo=80-46-110-1.static.dsl.as9105.com)
by mail.victim.example with esmtp (Exim 4.63)
(envelope-from <Azmeer-rednazfa[at]1topme.co.kr>)
id 1KW9Io-0004i5-7x
for victim[at]smtp.example; Thu, 21 Aug 2008 08:30:10 -0400
From: "Azmeer Luostarinen" <Azmeer-rednazfa[at]1topme.co.kr>
To: victim[at]smtp.example
Subject: Britney Spears Leaves Earth, Humanity Breathes Sigh of Relief
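The two checks the thread relies on, as an added example that is not part of any post above: pulling the connecting IP out of a Received: header like the one quoted here, and turning that IP into the bl.spamcop.net query that produced the "listed (127.0.0.2)" result Andrew quoted earlier. The sample header and the stand-in resolver are constructed for this example; the live resolver is optional and only assumes the standard DNSBL convention (reversed octets under the zone, an answer in 127.0.0.0/8 meaning listed).

```python
import re
import socket
from typing import Callable, Optional, Tuple

# Constructed sample: the Received: header quoted in this post, re-joined onto one line.
SAMPLE_RECEIVED = (
    "Received: from [80.46.110.1] (helo=80-46-110-1.static.dsl.as9105.com) "
    "by mail.victim.example with esmtp (Exim 4.63) "
    "(envelope-from <Azmeer-rednazfa@1topme.co.kr>) id 1KW9Io-0004i5-7x "
    "for victim@smtp.example; Thu, 21 Aug 2008 08:30:10 -0400"
)

# Matches "from [1.2.3.4]", "from host [1.2.3.4]" and Exim's "from host ([1.2.3.4])".
RECEIVED_IP = re.compile(r"^Received:\s+from\s+[^\[]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(received_header: str) -> Optional[str]:
    """Return the bracketed IPv4 literal the receiving MTA recorded, or None."""
    m = RECEIVED_IP.match(received_header)
    return m.group(1) if m else None


def dnsbl_query_name(ip: str, zone: str = "bl.spamcop.net") -> str:
    """Build the DNSBL lookup name: 80.46.110.1 -> 1.110.46.80.bl.spamcop.net."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def check_dnsbl(ip: str, resolve: Callable[[str], Optional[str]],
                zone: str = "bl.spamcop.net") -> Tuple[bool, str]:
    """resolve(name) returns the A record as a string, or None for NXDOMAIN."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False, "not listed"
    if not answer.startswith("127."):
        # Anything outside 127/8 is not a DNSBL verdict (wildcard DNS, hijacked resolver).
        return False, f"unexpected answer {answer}; treat as not listed"
    return True, f"listed ({answer})"


def live_resolve(name: str) -> Optional[str]:
    """Real lookup via the system resolver; NXDOMAIN comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def fake_resolve(name: str) -> Optional[str]:
    """Constructed stand-in mirroring the thread: only 80.46.110.1 is listed, with 127.0.0.2."""
    return {"1.110.46.80.bl.spamcop.net": "127.0.0.2"}.get(name)
```

Feeding `connecting_ip(SAMPLE_RECEIVED)` into `check_dnsbl(..., live_resolve)` reproduces the check a recipient MTA makes at connection time; note that it answers for the connecting IP only, which is why the whole /32 is affected and not one sender address.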


80.46.110.1 was sending tons of spam to our system.

>- Subject: Britney Spears and Paris Hilton to Visit Burma

>- http://www..../play.exe

It is the type of spam that has an executable web link as a payload.

80.46.110.1 stopped spewing for some reason and was removed from our list Friday, August 22, 2008 10:29:54 -0600.

- Don D'Minion - SpamCop Admin -
