
rejected but not listed??


cummings


somebody emailed us and got their emails kicked back to them stating .........

(reason: 521 Mail rejected - you are listed in Spamcop (spam) [FREE] -

http://spamcop.net/bl.shtml)

the rejected IP is [155.212.64.2]

when i search spamcop, i get this message.........

155.212.64.2 not listed in bl.spamcop.net

i don't want to have to shut off spamcop at our mail server, can anyone explain why this is happening?

thank you

mark

IT

Cummings Printing

Link to comment
Share on other sites

The IP (155.212.64.2) is not listed.

Either you did not get the complete error message that included the correct IP, or the server receiving/blocking the email is improperly set up, or maybe it was listed and it is no longer listed.

You have not given enough evidence to see what was happening.

Post the entire block message.

Link to comment
Share on other sites

I'll agree with Merlyn. Nothing on the SpamCopBL (though noting that it hasn't been real-time in ages) ... However, the next level of checks results in absolutely zero data at http://www.senderbase.org/?searchBy=ipaddr...ng=155.212.64.2 .... (This is a first for me)

A lookup comes back with;

10/18/04 15:21:16 IP block 155.212.64.2

Trying 155.212.64.2 at ARIN

Trying 155.212.64 at ARIN

OrgName: Conversent Communications

OrgID: CONVER-100

NetType: Direct Allocation

OK, then going back and re-reading .. your system allegedly did the blocking based on

somebody emailed us and got their emails kicked back to them stating .........

So first of all, you should fix the error message to include the IP in question so the user can link directly to the "evidence" page. (this is also making the assumption that you've set up the DNSBL sequence correctly in whatever OS/Application you're running)

If this IP was once listed and now not, there was an issue discovered that some ISPs mirroring the database were not keeping in sync, but that issue hasn't been raised in quite a while.

How sure are you that the IP offered is correct? A typo might have all of us trying to research the wrong target here. As SenderBase has no knowledge of this IP/system as an e-mail server, there may be a suspicion that this belongs to some end-user with a compromised machine (the hitting spamtrap scenario) ....

Are you sure of your BL checking sequence? Another flag setting for some other reason, but using the SpamCopDNSBL error as the message line?

Link to comment
Share on other sites

let me start by posting the whole message. (see below in green)

as for wazoo's suggestions, i don't know how to implement them. for example, i don't know how to change the spam filter rejection message on my mail server. and as for my bl checking sequence, i don't know how to see/edit that. not that i expect people here to explain it all to me, but i honestly didn't know i had control over those things. i run an email server software named '602 lan suite' which has a web interface configuration page that lists free spam filters (such as spamcop) and i simply check them off. i looked and can't find any further configuration options beyond checking and unchecking which spam filters you'd like to activate.

/padawan

suggestions and instructions appreciated ;)

-m

From: "Mail Delivery Subsystem" <MAILER-DAEMON[at]mr03.conversent.net>

To: <mjsweeney[at]maildatainc.com>

Subject: Returned mail: see transcript for details

Date: Mon, 18 Oct 2004 07:59:40 -0400

Message-ID: <200410181159.i9IBxeIN095910[at]mr03.conversent.net>

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_0046_01C4B522.67404FC0"

X-Priority: 3 (Normal)

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)

X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300

X-spam-Score: 0.421

X-spam-Level:

X-spam-Tests: SARE_BOUNDARY_09

Importance: Normal

This is a multi-part message in MIME format.

------=_NextPart_000_0046_01C4B522.67404FC0

Content-Type: text/plain;

charset="iso-8859-1"

Content-Transfer-Encoding: 7bit

The original message was received at Mon, 18 Oct 2004 07:59:35 -0400 (EDT)

from host2.155.212.64.conversent.net [155.212.64.2]

----- The following addresses had permanent fatal errors -----

<kenw[at]cummingsprinting.com>

(reason: 521 Mail rejected - you are listed in Spamcop (spam) [FREE] -

http://spamcop.net/bl.shtml)

----- Transcript of session follows -----

... while talking to mail.cummingsprinting.com.:

>>> RCPT To:<kenw[at]cummingsprinting.com>

<<< 521 Mail rejected - you are listed in Spamcop (spam) [FREE] -

http://spamcop.net/bl.shtml

554 5.0.0 Service unavailable

------=_NextPart_000_0046_01C4B522.67404FC0

Content-Type: message/delivery-status;

name="ATT00004.dat"

Content-Transfer-Encoding: 7bit

Content-Disposition: attachment;

filename="ATT00004.dat"

Reporting-MTA: dns; mr03.conversent.net

Received-From-MTA: DNS; host2.155.212.64.conversent.net

Arrival-Date: Mon, 18 Oct 2004 07:59:35 -0400 (EDT)

Final-Recipient: RFC822; kenw[at]cummingsprinting.com

Action: failed

Status: 5.0.0

Remote-MTA: DNS; mail.cummingsprinting.com

Diagnostic-Code: SMTP; 521 Mail rejected - you are listed in Spamcop (spam) [FREE] - http://spamcop.net/bl.shtml

Last-Attempt-Date: Mon, 18 Oct 2004 07:59:40 -0400 (EDT)

------=_NextPart_000_0046_01C4B522.67404FC0

Content-Type: message/rfc822

Content-Transfer-Encoding: 7bit

Content-Disposition: attachment

From: "Michael Sweeney" <mjsweeney[at]maildatainc.com>

To: "Kenneth J Warnock" <kenw[at]cummingsprinting.com>

Subject: FW: MAILINGS 10/15/2004

Date: Mon, 18 Oct 2004 08:34:03 -0400

Message-ID: <NDBBLEIGOLPPEIOFOHLLOEICCOAA.mjsweeney[at]maildatainc.com>

MIME-Version: 1.0

Content-Type: text/plain;

charset="Windows-1252"

Content-Transfer-Encoding: 7bit

X-Priority: 3 (Normal)

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)

X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300

Importance: Normal

Link to comment
Share on other sites

I believe it is/was your server having the problem. A 521 error refers to "Machine does not accept mail". Your server is not explaining it well enough.

The machine issued a 521 error, and the problem with a 521 error is that it does not stop/close the SMTP transaction; it keeps going, so it finished its testing and spewed out the Spamcop error by mistake.

Just a thought.

Link to comment
Share on other sites

Strange... From what I can find the MX records for conversant.net shows two mail servers:

spool.conversant.net at 155.212.2.24 and

filter.conversant.net at 155.212.2.33 and 155.212.2.34

These do show up in SenderBase

155.212.2.33 shows a 475% increase in mail in the last 24 hours

155.212.2.34 shows a 113% increase

.24 shows a -100%

None show up in the spamcop list or any other list for that matter. My uneducated guess would be that the mail program is returning an incorrect error message.

Link to comment
Share on other sites

Yes but if you follow the flow. The 521 error was issued first and it blamed Spamcop but a 521 error is issued in the SMTP transaction stream before the host checks any blocklists. Most likely an error in how your mail host handles a 521.

I am sure others will check it out also <g> :D

Link to comment
Share on other sites

602 LanSuite - are you using the free 5-user version or are you able to hit them for support because you bought a bigger package? (if this is for the corporate staff/e-mail, I see that you must be out of the "free" status <g>) Have you hit their support forums at all yet? Is this server stand-alone or is it using your ISP for data transfer? It's been a while, but I think you are correct in that all you can do is check/uncheck the various BLs offered .. am thinking that you were limited to what they had programmed in, but again, it's been a while.

While doing some other research, out of curiosity, are your web pages also being hosted on this same 602 package? (looking at the strange place a trace-route died)

Link to comment
Share on other sites

i'm not using the free version. i haven't hit their support forums yet. if that's where i should be, i'll try there too. i came here first because the reject said "you are in spamcop's bl" and then i checked and they weren't.

when merlyn talks about 521's and SPTP (i need SPTP for my bunghole! are you threatening me?..... sorry), that's where i get lost. don't get me wrong, i'm glad the discussion is happening, even if it's over my head. i'm getting the idea that the consensus is that i need to dig into 602 and get them looking at the problem, so i'm having the person who installed 602 come look at these posts in this thread and let me know what he thinks about it all. i'm sure he understands these posts and can help me understand them too. he also has an "in" with 602 and can rattle some cages if their software is handling things incorrectly.

thank you everyone for the help so far. if anyone has anything else to pitch in, please let me know. i'll pull out my webopedia.com and try to follow along best i can.

/newb

Link to comment
Share on other sites

Strange .. your sample shows an e-mail coming from a Domain of maildatainc.com, which offers contact points at erols/RCN ... (once?) home of the legendary AfterBurner and his Dominion of anti-spam zealots with big mallets ... still trying to work on the conversent.net tie-in (the IP address of the e-mail sample source) ..... Also strange in that SenderBase is still showing no traffic seen from the specified IP address ... wondering if you might also get your customer in here also, there may be something he/she/they can offer as to how their e-mail configuration is actually set up that might offer a clue or two ..???? SpamCopDNSbl is still showing the IP as not listed.

Link to comment
Share on other sites

  • 9 months later...

Upon further review (on the basis of cummings's similar new post at http://forum.spamcop.net/forums/index.php?showtopic=4630 and the hostname of the server that sent the bounce above), the rejected server appears to have been mr03.conversent.net, which currently has IP Address 155.212.2.42, is not currently listed by the SCBL, and has the following recent Report History:


Link to comment
Share on other sites
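An added example, not part of the original thread and not code from SpamCop or 602 LAN Suite: it reads the delivery-status fields of the bounce quoted above to identify which host the receiving server actually refused, then builds the DNSBL query name for an address. The function names are hypothetical, and the sample is a constructed excerpt of the fields posted in the thread.

```python
import re
import socket

# Constructed sample: delivery-status fields copied from the bounce in this thread.
DSN = """\
Reporting-MTA: dns; mr03.conversent.net
Received-From-MTA: DNS; host2.155.212.64.conversent.net
Final-Recipient: RFC822; kenw[at]cummingsprinting.com
Action: failed
Status: 5.0.0
Remote-MTA: DNS; mail.cummingsprinting.com
Diagnostic-Code: SMTP; 521 Mail rejected - you are listed in Spamcop (spam) [FREE] - http://spamcop.net/bl.shtml
"""

def parse_dsn(text):
    """Return DSN fields as {lower-cased name: (type, value)}."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"([A-Za-z-]+):\s*(?:([\w-]+);\s*)?(.*)", line)
        if m:
            fields[m.group(1).lower()] = ((m.group(2) or "").lower(), m.group(3).strip())
    return fields

def rejected_client(fields):
    """The host the Remote-MTA refused is the Reporting-MTA (it held the SMTP
    session), not the Received-From-MTA that handed it the message earlier."""
    return fields["reporting-mta"][1]

def dnsbl_query_name(ipv4, zone="bl.spamcop.net"):
    """Build the DNSBL lookup name: octets reversed, zone appended."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ipv4)
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ipv4, zone="bl.spamcop.net"):
    """Live lookup (needs DNS): an A record means listed. A resolver failure
    also lands in the except branch, so False is 'no answer', not proof."""
    try:
        socket.gethostbyname(dnsbl_query_name(ipv4, zone))
        return True
    except socket.gaierror:
        return False

if __name__ == "__main__":
    print("rejected client:", rejected_client(parse_dsn(DSN)))
    for ip in ("155.212.64.2", "155.212.2.42"):  # both addresses appear in the thread
        print(ip, "->", dnsbl_query_name(ip))
```
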

Archived

This topic is now archived and is closed to further replies.
