[Resolved] I work for an ISP and all reporting about our IPs have stopped

[fortressitx]

Hello, I work for an ISP/datacenter named fortressitx.com.

For years now we have used spamcop's reporting to us to find out which of our customers are spamming and used that information to remove spammers from our network.

These reports ceased to come to us about a month ago. There is no rhyme or reason for why they just stopped. No information was changed on our account here, we have checked our email system for blocked emails, but nothing is coming to us from the emails of [report ID][at]reports.spamcop.net. Nothing hits our mail servers.

I configured a second email account to our account in hopes that it may work as a fix, as well as set up hourly reports listing the complaints. Since then we have been getting emails to our secondary address on file, but only in the form of the hourly reports.

So this shows that there is still some spam coming from our network, however the reports we used to get are not coming in as they used to. Even when I go to the ISP control center page on our account and look up the IP that they say was reported, no new reports show, only old ones from months ago.

This all makes no sense to me. I've contacted spamcop through their contact form twice already from two different email accounts and I have not got any response at all back from them.

I was hoping someone here may have some sort of idea of what is going on or have had similar problems in the past and can help me solve it.

Thanks in advance to anyone who has some information to help me out.

Steve.

[turetzsr]

Hi, Steve,

...What is the IP address of your outgoing server through which you think spam is going? Armed with that information, one of us SpamCop spam reporting users can find out to what abuse address SpamCop reports are going. If you'd prefer to keep that information to yourself, you can do this yourself:

• If you do not already have a SpamCop spam reporting account, sign up for one at URL http://www.spamcop.net/ by clicking the link labeled "Register Now."
  
• Log into http://www.spamcop.net/ with your SpamCop reporting account login.
  
• Enter the IP address into the text entry field and press the "Process spam" button. Look for "Reporting addresses."
  

...Alternatively, you could try contacting the SpamCop Deputies at e-mail address deputies[at]admin.spamcop.net with all relevant information.

[fortressitx]

Thanks, we have a ton of Ip ranges here, so listing them would take forever.

I will try that email address you listed. Maybe I'll get a reply.

Thanks for your help.

[Wazoo]

I was hoping someone here may have some sort of idea of what is going on or have had similar problems in the past and can help me solve it.

http://www.spamcop.net/sc?track=xyzabc%40fortressitx.com

the critical parts include;

Reports routes for 69.72.141.51:

routeid:57046305 69.72.128.0 - 69.72.255.255 to:abuse[at]fortressitx.com

Administrator found from whois records

Found AbuseEmail in whois abuse[at]fortressitx.com

Using best contacts abuse[at]fortressitx.com

Reports disabled for abuse[at]fortressitx.com

Using abuse#fortressitx.com[at]devnull.spamcop.net for statistical tracking.

No valid email addresses found, sorry!

There are several possible reasons for this:

->The site involved may not want reports from SpamCop.

->SpamCop administrators may have decided to stop sending reports to the site to prevent listwashing.

->SpamCop uses internal routeing to contact this site, only knows about the internal method and so cannot provide an externally-valid email address.

->There may be no working email address to receive reports.

[fortressitx]

Hmm, that is quite interesting. Gives me something to go by. The only one of those reasons that could be valid is the second one:

->SpamCop administrators may have decided to stop sending reports to the site to prevent listwashing.

I'm not sure why they would do that. We have our clients remove anything that comes in, although at time, perhaps customers only listwash their mailing lists. That would probably only occur with our customers who have valid email lists though.

I hope an admin form spamcop sees this and will help take action, or at least respond to my email I sent them.

[Wazoo]

I'm not sure why they would do that. We have our clients remove anything that comes in, although at time, perhaps customers only listwash their mailing lists. That would probably only occur with our customers who have valid email lists though.

The phrase "clients remove anything" sounds somewhat odd.

Be that as it may, if an output server IP Address or two was provided (as previously suggested/requested) there may be some other data available in the meantime. In general, the question might be whether your current spam of interest is someting being sent by one of your clents or a compromised system of thier users (having to make some assumptions here.)

[Farelf]

Thanks, we have a ton of Ip ranges here, so listing them would take forever. ...

Wow, I can see how that would be:

http://www.senderbase.org/senderbase_queri...ing=FortressITX

Domains closely associated with FortressITX

Showing 1 - 10 out of 765

It might have just been me but SMTP sessions with your abuse[at] address were strangely slow. No rejections but I'm wondering ... SC's "Reports disabled for abuse[at]fortressitx.com" just could come from a problem with contact to the address. Assume mailtrap.fortressitx.com has been used throughout?

But yes, it definitely needs a SC deputy or admin to weigh in.

[SpamCopAdmin]

The reports to their abuse address have been disabled by our administrative action.

Handled by email.

- Don D'Minion - SpamCop Admin -

.

[fortressitx]

Yes, I've gotten a response to my email from a representative explainign it was because some of our customers may have been listwashing.

I've replied asking for the reports to again be enabled so I can fix this problem, but no response from anyone in over a day.

We take spam seriously at our company but I feel the concept of disabling reports is counterproductive to spamcops goals to decrease spam.

Hopefully someone will get back to me so we can continue to remove customers who are spamming through our network.

[Farelf]

...We take spam seriously at our company but I feel the concept of disabling reports is counterproductive to spamcops goals to decrease spam.

Hopefully someone will get back to me so we can continue to remove customers who are spamming through our network.

Don will undoubtedly be getting back to you if he got your mail - reports still disabled right now as you know. The reporting system is indeed intended as a tool for providers to come to grips with malefactors and exploits within their networks.

Thanks for your concern to decrease spam - there were some real issues with your network a year or so ago and efforts to get on top of that is appreciated.

[SpamCopAdmin]

but no response from anyone in over a day

I'm still thinking.

- Don D'Minion - SpamCop Admin -

.

[kmolloy]

Hopefully someone will get back to me so we can continue to remove customers who are spamming through our network.

I am always skeptical when someone asserts that they must receive reports or they will have no idea which of their clients is spamming. Do you have an AOL/Yahoo/MSN FBL set up? Do you accept reports to abuse[at] Do your customers contract with someone like Return Path to monitor their SWIP'd space? Do you not get summary reports? Why not try acting on those sources first and then asking for SC reports?

[turetzsr]

I am always skeptical when someone asserts that they must receive reports or they will have no idea which of their clients is spamming. Do you have ...

<snip>

...Although I'm not an e-mail admin and therefore can't speak from personal experience, I've also heard tell that blocking outgoing traffic through port 25 except for traffic through your e-mail service and looking through system firewall logs for suspicious traffic also helps stop (port traffic blocking) and find (firewall logs) outgong spam. Sometimes it's helpful and worthwhile to hire an anti-spam expert to help you if you don't have this kind of expertise in-house.

[Telarin]

...Although I'm not an e-mail admin and therefore can't speak from personal experience, I've also heard tell that blocking outgoing traffic through port 25 except for traffic through your e-mail service and looking through system firewall logs for suspicious traffic also helps stop (port traffic blocking) and find (firewall logs) outgong spam. Sometimes it's helpful and worthwhile to hire an anti-spam expert to help you if you don't have this kind of expertise in-house.

Those are generally good practices for an ISP providing services to residential customers, howerver, it sounds like the OP provides services to commercial customers. Commercial customers generally run their own mail servers, and will not accept using an ISP smarthost as a reasonable requirement.

That being said, I can certainly see Don's concern. The OP said:

I'm not sure why they would do that. We have our clients remove anything that comes in, although at time, perhaps customers only listwash their mailing lists. That would probably only occur with our customers who have valid email lists though.

This sounds to ME like they are passing the spamcop reports on to the customer, who is then allowed to simply listwash.

In my opinion, the customer should never see the spamcop report. At best, they should be sending an email to the customer with nothing more than the recipient email address and requiring that they provide data showing how they obtained that email address, and show evidence that it was a legitimate confirmed opt-in subscription. If they can't prove that, then they need to dump the entire list that the email address in question came from, as it is clearly dirty. If it happens more than once, they need to be disconnected. Of course, that is my personal opinion, but I think it is a reasonable requirement that anyone handling a large mailing list should be able to show when and where every email address was obtained.

[fortressitx]

Hi guys, we are not really an ISP, but a datacenter. We have hundreds of clients, who resell their space to thousands more.

Feedback loops are good and we use them on our main company sites, but given that there are thousands upon thousands of end-user clients from our main clients, it's not realistic to be able to set up feedback loops for each domain name.

The reason I stated that I use spamcop for determining who is spamming is because of the volume of email that goes out of our datacenter on a daily basis is far too large to monitor each email sent. The spamcop reports give us a better understanding of which are problem clients so we can weed them off our network the fastest way possible.

To my knowledge and personal experience here dealing with abuse, spamcop is the most widely used and respected company for reporting spam on the recipients end, which is why I applaud their detailed reports and use them to the fullest of their capabilities.

Our direct clients understand that spamming is not allowed based on our TOS and AUP policies. Giving the spamcop reports to our direct clients allows them to go into their server and remove their customers that are spamming and abusing the AUP. Since we have such a multitude of clients whose main business plan is reselling space as single websites, we do not have access to just go into each client's server and remove the spammers.

Almost all of our clients agree that they do not want spammers. The ones who support such activity get removed from our network for such practices.

I'm almost positive that most datacenters follow the same practices that we do.

I've already explained to Don that I will make sure that the problem customers will be handled more strictly from now on to prevent listwashing, I'm just waiting for him to get back to me.

Thanks to all who have provided help here.

[btech]

Well, an easy way to prevent listwashing is for people to report with their addresses munged; that way the ISP/datacenter knows X customer is a spammer and said spammer can't remove that specific email address to 'stop' the reports.

Also, shouldn't these customers prove to you when the recipient allegedly subscribed? I've seen my address added and a fake IP, date and time used in the email when they claim I subscribed, so that's possible, but it's pretty easy to see when a sender fakes that info. FWIW, I run a mailing list and I keep all the registration emails, so I have a date, time and IP (of course, I use a 3rd party application, so I have that data too).

I've reported to Fortressix and the spam I get from their customers are from people that bought my 'spam' address, which was harvested 2 years ago (I only use it for reporting spam, as a honeypot, so to speak).

[Marty]

Well, an easy way to prevent listwashing is for people to report with their addresses munged; that way the ISP/datacenter knows X customer is a spammer and said spammer can't remove that specific email address to 'stop' the reports.

Also, shouldn't these customers prove to you when the recipient allegedly subscribed? I've seen my address added and a fake IP, date and time used in the email when they claim I subscribed, so that's possible, but it's pretty easy to see when a sender fakes that info. FWIW, I run a mailing list and I keep all the registration emails, so I have a date, time and IP (of course, I use a 3rd party application, so I have that data too).

I've reported to Fortressix and the spam I get from their customers are from people that bought my 'spam' address, which was harvested 2 years ago (I only use it for reporting spam, as a honeypot, so to speak).

I do hope that Don and Steve have been able to amicably resolve this issue.

Noting the topic in general and Btech's post in particular. My company is and has been a happy user of FortressITX (FITX) services for many years. Their business structure is typical for a datacenter server provider in that they use resellers ('ISP's) to resell their services on to companies such as ours.

We run a double opt-in confirmed list, and like btech we keep the 'evidence' on file. We have never been asked for it, but it is kept. AFAIK there have never been any spamcop reports regarding our operations. By adhering to spamcop best practices, and taking the time to set up feedback loops we have achieved a senderscore.org reputation score of 100 for our dedicated server IP#.

I believe that Steve's problem here is that FITX is quite rightly the 'responsible' party for reports to go to, but what should they then do with them? Their 'legal' contract is with their ISP/resellers who 'should' then take appropriate action against the 'end-user' who is renting the server attached to the IP #. Let's not even consider the added complication of resellers who may sell packages on to downstream resellers

Btech, it may be that the spammer is using tracking links (which the reporting parser is unable to munge), or simply that the offender is "spam-awareness-challenged" and has yet to learn that what they are doing is a "bad thing".

Maybe FITX should simply tell their reseller that reports have been received, without revealing the actual report. Just include enough info for the reseller to identify and investigate / take action against *their* customer?

"Just thinking aloud here"

HTH