Newbie ? Spam Report caused Open Relay tests?

Hi there,

I'm a total newbie with the SpamCop email system--I just set up my account today--and I'm still a little confused. I apologize if any of this seems stupid, basic, or is otherwise answered in a FAQ somewhere. If so, I haven't found it yet...

I seem to have accomplished the setup. I set my webhost's mail account to forward mail to my new spamcop address, and I then have spamcop forwarding the filtered results to a new POP account that I set up today as well. The flow of mail seems to be working.

However, I did get a piece of spam that, according to the headers, made it through the SpamAssassin that my webhost uses, and SpamCop, arriving at the inbox on my client (using the new POP). I clicked the "report spam" link in the webmail.spamcop.net page, pasted the entire message with long headers into the window, and submitted it without checking any additional boxes.

A minute or two later, I got a minor deluge of 9 Open Relay Test Messages from SpamCop, and 9 bouncehost.cesmail failure notices.

This is way over my head. What's going on here? Is this the normal procedure when one reports a piece of spam that made it through the system? Is this just some system confusion from all the forwarding between my SpamCop account and my POP account, and their resulting traces in the headers?

On a marginally unrelated topic, I'm still learning how this works... when dealing with messages in the "held mail" folder, are we supposed to report them as spam, or is it already known/assumed that they're spam and we should just delete them?

Sorry if that seems dense or obvious...

Thanks,

-dave


I can't answer ... to my knowledge, SpamCop does NOT do open-relay testing, that's a job for a couple of other BL maintainers. And the only "return" from SpamCop that might fall anywhere close that I know of (and again, I admit to not knowing much about this) is the e-mail traffic dealing with a mail-host registration sequence .. but I haven't seen anyone else call these "open-relay tests" ...

What can you offer up as some kind of "evidence" that I/we can see to figure out exactly what it is that you're talking about? ... and I see I haven't even touched your additional on "bouncehost.cesmail failure notices" .. but again, this sounds like you'd have something to "show" to give "us" something to go on.


Hi Wazoo,

Thanks for replying..

Would it be smart/appropriate for me to post (paste) the full headers from one example of each email (the Open Relay Tests and the bouncehost.cesmail failure notices)? ... Or a screenshot of my inbox showing the messages in question?

-dave


The headers would certainly help so I/we could come up with some kind of a good answer for you. You'll want to mung out your e-mail address and such to keep it from getting scraped, but don't get carried away with trying to hide too much stuff <g> .. I keep seeing references to "verification" e-mails as a result of doing the mail-host thing, but that doesn't sound like your "open relay" test type of mail.


Okay,

Here are the full headers and body of one of the "Open Relay Test Message"s that I got.

From: spamcop-net[at]blade4.cesmail.net
Subject: Open Relay Test Message
Date: April 9, 2004 4:47:04 PM EDT
To: listme[at]listme.dsbl.org
Return-Path: <nobody[at]MYDOMAIN.com>
Delivered-To: dg[at]MYDOMAIN.com
Delivered-To: spamcop-net-MY-ACCOUNT[at]spamcop.net
Delivered-To: listme%listme.dsbl.org[at]MYDOMAIN.com
Received: (qmail 32725 invoked by uid 15611); 9 Apr 2004 20:47:25 -0000
Received: from unknown (HELO c60.cesmail.net) ([216.154.195.49]) (envelope-sender <nobody[at]MYDOMAIN.com>) by 130.94.188.251 (qmail-ldap-1.03) with SMTP for <dg[at]MYDOMAIN.com>; 9 Apr 2004 20:47:25 -0000
Received: from unknown (HELO blade4.cesmail.net) (192.168.1.214) by c60.cesmail.net with SMTP; 09 Apr 2004 16:47:25 -0400
Received: (qmail 4323 invoked by uid 1010); 9 Apr 2004 20:47:24 -0000
Received: (qmail 4268 invoked from network); 9 Apr 2004 20:47:22 -0000
Received: from unknown (192.168.1.101) by blade4.cesmail.net with QMQP; 9 Apr 2004 20:47:22 -0000
Received: from MYDOMAIN.com (130.94.188.251) by mailgate.cesmail.net with SMTP; 9 Apr 2004 20:47:22 -0000
Received: (qmail 32683 invoked by uid 15611); 9 Apr 2004 20:47:22 -0000
Received: (qmail 32681 invoked by uid 15611); 9 Apr 2004 20:47:21 -0000
Received: from unknown (HELO rrsender2.m1.spieleck.de) ([81.17.108.76]) (envelope-sender <nobody[at]MYDOMAIN.com>) by 130.94.188.251 (qmail-ldap-1.03) with SMTP for <listme%listme.dsbl.org[at]MYDOMAIN.com>; 9 Apr 2004 20:47:21 -0000
Message-Id: <adZzJ5iNJeuJvpLOZp7U2niMMPwjRcID[at]rrsender2.m1.spieleck.de>
X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade4
X-spam-Level: *
X-spam-Status: hits=1.9 tests=FROM_NO_LOWER version=2.63
X-Spamcop-Checked: 192.168.1.101 130.94.188.251 81.17.108.76 130.94.188.251
Status:

DSBL LISTME: smtp 130.94.188.251
adZzJ5iNJeuJvpLOZp7U2niMMPwjRcID
MAIL FROM:<nobody[at][127.0.0.1]>
RCPT TO:<listme%listme.dsbl.org[at][127.0.0.1]>
DSBL END

Your mail server is being tested for relaying capability because we have received mail from it that was classified as spam by our automatic spam detector and we wish to determine its likelihood to be abused by spammers. This does not necessarily mean that you actually send spam, since the spam detector is not totally reliable.

For further information about whether your server is an open relay or not and what to do about it, please go to http://www.dsbl.org


... and here's one of the bouncehost.cesmail things..

Hopefully, I've expunged all the "scrape-able" personal stuff in the headers... if not -- lemme know and I'll re-edit!

From: MAILER-DAEMON[at]bouncehost.cesmail.net
Subject: failure notice
Date: April 9, 2004 4:47:21 PM EDT
To: nobody[at]MYDOMAIN.com
Return-Path: <>
Delivered-To: dg[at]MYDOMAIN.com
Delivered-To: spamcop-net-MY-ACCOUNT[at]spamcop.net
Delivered-To: nobody[at]MYDOMAIN.com
Received: (qmail 32816 invoked by uid 15611); 9 Apr 2004 20:47:31 -0000
Received: from unknown (HELO c60.cesmail.net) ([216.154.195.49]) (envelope-sender <>) by 130.94.188.251 (qmail-ldap-1.03) with SMTP for <dg[at]MYDOMAIN.com>; 9 Apr 2004 20:47:31 -0000
Received: from unknown (HELO blade4.cesmail.net) (192.168.1.214) by c60.cesmail.net with SMTP; 09 Apr 2004 16:47:32 -0400
Received: (qmail 4472 invoked by uid 1010); 9 Apr 2004 20:47:30 -0000
Received: (qmail 4256 invoked from network); 9 Apr 2004 20:47:22 -0000
Received: from unknown (192.168.1.101) by blade4.cesmail.net with QMQP; 9 Apr 2004 20:47:22 -0000
Received: from MYDOMAIN.com (130.94.188.251) by mailgate.cesmail.net with SMTP; 9 Apr 2004 20:47:21 -0000
Received: (qmail 32678 invoked by uid 15611); 9 Apr 2004 20:47:21 -0000
Received: (qmail 32676 invoked for bounce); 9 Apr 2004 20:47:21 -0000
Message-Id: <20040409204730.4471.qmail[at]blade4.cesmail.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade4
X-spam-Level: *
X-spam-Status: hits=1.4 tests=NO_DNS_FOR_FROM,NO_REAL_NAME version=2.63
X-Spamcop-Checked: 192.168.1.101 130.94.188.251
Status:

Hi. This is the qmail-send program
I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out

<listme%listme.dsbl.org[at]ca1-sg00020.securesites.net>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message

Return-Path: <nobody[at]MYDOMAIN.com>
Received: (qmail 32670 invoked by uid 15611); 9 Apr 2004 20:47:21 -0000
Received: from unknown (HELO rrsender2.m1.spieleck.de) ([81.17.108.76]) (envelope-sender <nobody[at]MYDOMAIN.com>)
  by 130.94.188.251 (qmail-ldap-1.03) with SMTP
  for <listme%listme.dsbl.org>; 9 Apr 2004 20:47:21 -0000
Message-ID: <adZzJ5iNJeuJvpLOZp7U2niMMPwjRcID[at]rrsender2.m1.spieleck.de>
Date: Fri, 9 Apr 2004 20:47:04 +0000
To: <listme[at]listme.dsbl.org>
Subject: Open Relay Test Message

DSBL LISTME: smtp 130.94.188.251
adZzJ5iNJeuJvpLOZp7U2niMMPwjRcID
MAIL FROM:<nobody[at][127.0.0.1]>
RCPT TO:<listme%listme.dsbl.org>
DSBL END

Your mail server is being tested for relaying capability because we have received mail from it that was classified as spam by our automatic spam detector and we wish to determine its likelihood to be abused by spammers. This does not necessarily mean that you actually send spam, since the spam detector is not totally reliable.

For further information about whether your server is an open relay or not and what to do about it, please go to http://www.dsbl.org


Wow, can't believe no one else jumped in while I was out and about <g>

The good news is http://dsbl.org/listing?130.94.188.251 says "IP not listed by DSBL"

What happened is that upon any spam submittal to the SpamCop parser, all involved IPs are submitted to a number of other "services" for testing. The actual tests usually only occur at the first "sighting" ... so the referenced "relay tests" shouldn't hit you again (at least from the dsbl outfit)

The "SpamCop" e-mails you first described were actually failure messages from this open relay testing outfit, and assumedly, these failure bounces made it back to you via the spam submittal, though I haven't spent enough time trying to decode exactly how ... getting tested I'm aware of, but this is the first time I've heard of getting the e-mails. Not saying it hasn't happened before or is even out of the ordinary .. I just can't recall anyone ever bringing this up before. I am kicking a note out to Deputies to ask one of them to come in and make a statement though. Fingers crossed that one of them will respond here to offer a bit more background.

If the only concern left is "what to do with them" .. I'd say no problem with trashing them, as they apparently are only a bit of "proof" that you "failed" dsbl's testing, which is a good thing <g>


What happened is that upon any spam submittal to the SpamCop parser, all involved IPs are submitted to a number of other "services" for testing. The actual tests usually only occur at the first "sighting" ... so the referenced "relay tests" shouldn't hit you again (at least from the dsbl outfit)

To clarify, when you report spam that shows mail being relayed, and it's the first time SpamCop sees that host as a relay, it will send the IP to ORDB for testing. You can 'uncheck' the box to send it for testing, but it will be offered up for testing every time you submit spam until you give in. Once sent, SpamCop remembers and will never send it again.

Richard

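To make the two explanations above concrete (the parser hands the IPs found in a report to other services, and a tester then sends probe messages to the host), here is an added example, not code from the thread or from SpamCop or DSBL, that reads the test message Dave posted, recovers the hop chain from its Received: headers, pulls the IP named in the DSBL marker, and names the address-routing form the probe's RCPT uses. The sample text is the poster's own munged headers; the routing-form names (percent-hack, bang-path, source-route) are the standard terms for those address tricks and are not stated in the thread.

```python
import re

# Constructed from the (munged) test message quoted in the thread; "[at]" is the poster's munging.
TEST_MESSAGE = """\
Received: from unknown (HELO c60.cesmail.net) ([216.154.195.49]) (envelope-sender <nobody[at]MYDOMAIN.com>) by 130.94.188.251 (qmail-ldap-1.03) with SMTP for <dg[at]MYDOMAIN.com>; 9 Apr 2004 20:47:25 -0000
Received: from unknown (HELO blade4.cesmail.net) (192.168.1.214) by c60.cesmail.net with SMTP; 09 Apr 2004 16:47:25 -0400
Received: (qmail 4323 invoked by uid 1010); 9 Apr 2004 20:47:24 -0000
Received: from unknown (192.168.1.101) by blade4.cesmail.net with QMQP; 9 Apr 2004 20:47:22 -0000
Received: from MYDOMAIN.com (130.94.188.251) by mailgate.cesmail.net with SMTP; 9 Apr 2004 20:47:22 -0000
Received: from unknown (HELO rrsender2.m1.spieleck.de) ([81.17.108.76]) (envelope-sender <nobody[at]MYDOMAIN.com>) by 130.94.188.251 (qmail-ldap-1.03) with SMTP for <listme%listme.dsbl.org[at]MYDOMAIN.com>; 9 Apr 2004 20:47:21 -0000

DSBL LISTME: smtp 130.94.188.251
MAIL FROM:<nobody[at][127.0.0.1]>
RCPT TO:<listme%listme.dsbl.org[at][127.0.0.1]>
DSBL END
"""

# One network hop: the peer IP in (...) or ([...]) after "from", then the host that accepted it.
HOP_RE = re.compile(
    r"^Received: from \S+.*?\(\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\).*? by (?P<by>\S+)", re.M)

def received_hops(msg):
    """(sending_ip, receiving_host) pairs, oldest first. qmail's local
    'invoked by uid' lines have no peer and are skipped."""
    return [(m["ip"], m["by"]) for m in HOP_RE.finditer(msg)][::-1]

def dsbl_tested_ip(msg):
    """The IP in the 'DSBL LISTME: smtp <ip>' marker: the server being tested."""
    m = re.search(r"^DSBL LISTME: \S+ (\S+)$", msg, re.M)
    return m.group(1) if m else None

def routing_form(addr):
    """Name the address trick the probe uses to carry the real destination
    (listme[at]listme.dsbl.org) through the tested server; 'plain' means none."""
    local, _, _domain = addr.replace("[at]", "@").rpartition("@")
    if local.startswith("@"):
        return "source-route"   # <@relay:user@dest>
    if "%" in local:
        return "percent-hack"   # user%dest@relay
    if "!" in local:
        return "bang-path"      # dest!user@relay
    return "plain"

def probe_summary(msg):
    """What a postmaster needs from one test message to check the MTA's relay config."""
    hops = received_hops(msg)
    rcpt = re.search(r"^RCPT TO:<(.+)>$", msg, re.M).group(1)
    return {"tested_ip": dsbl_tested_ip(msg), "first_hop": hops[0],
            "hop_count": len(hops), "rcpt_form": routing_form(rcpt)}
```

The oldest hop is the probe arriving from the tester at the IP DSBL names, and the later hops are the forwarding chain (MYDOMAIN to cesmail and back to the POP inbox), which is why the probes and their bounces show up in Dave's mailbox at all.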

Ok... I think I follow.

So... that being the case, what should I do with the >150 pieces of spam that have made it through the system since I signed up for SpamCop last Friday? I think I remember there being an email address I can forward them to for reporting (what is that address?). Would that means of reporting "remember" that I "passed" this relay test, or will I get 18 testbot-generated emails for each piece I report because I'm not submitting it the same way?

Thanks to all,

-dave


there being an email address I can forward them to for reporting (what is that address?).

I can't help you directly there, as there are more than a single type of account, and I've no way of guessing which you signed up for. Whichever way you signed up, you should have received some kind of welcoming letter with data specific to you included. You're really going to have to track that e-mail down.

"remember" that I "passed" this relay test,
The actual tests usually only occur at the first "sighting" ... so the referenced "relay tests" shouldn't hit you again (at least from the dsbl outfit)
Once sent, SpamCop remembers and will never send it again.

As suggested in the previous responses, everything is based on the IP address.


FWIW, I've got the $30/year individual plan.

Thanks again for the replies ... I'll give it a go and report back here if I get thousands of test-emails in response.

I must admit, however, that I'm a little surprised at the amount of spam that still gets through. It's certainly better than before, down from a deluge to a moderate "creek" of spam, but still steady.

-dave


Archived

This topic is now archived and is closed to further replies.
