Why do you block cybercity.dk


jens

Why do you block cybercity.dk, the biggest internet ISP in Denmark?

Their IP 212.242.40.53 and others are blocked; this means that we don't get mails from over 20% of our customers.....

The funny thing is that if you do an IP lookup for any of our mailgates, the reply is that a) the server has been blocked for less than 24 hours, and b) the "sample" spam mails listed have dates of 15 Nov 2003 and 11 Dec 2003.

The funnier thing still is that I just finished (a rather thorough) search for mails from SpamCop to Cybercity's abuse address with regard to above-mentioned mailgates, and the only reports I saw were dated (you guessed!) 15 Nov 2003.

So the question I would very much like to get an answer for is - what was the cause for this particular blockage?

Frustrated,

a Cybercity NOC person.


Try reading the "Why am I blocked?" pinned FAQ at http://forum.spamcop.net/forums/index.php?showtopic=35

or "Why am I blocked?" in the SpamCop Lounge:

http://forum.spamcop.net/forums/index.php?showtopic=509

One of these should help you to understand and find out how to resolve the problem.

Since there is definitely spam coming from those IP addresses, the problem is probably a trojanized machine. It hasn't been listed very long so perhaps the problem is already being addressed.

In the meantime, try using a web based email account to communicate with your customers. Or do what you would do if a backhoe interrupted your service.

Miss Betsy


http://www.spamcop.net/w3m?action=checkblo...p=212.242.40.53 also shows other neighboring IPs with issues, one of which is listed. So there's more than just the one IP of the first posted query that seems to be involved. And it should be noted that the evidence spams portion of these pages is no longer real-time data (and I'm sure you noticed all the munging) ... you can thank the spammers for that .. but, yes, I'll agree that the vintage of the spam samples does seem a bit odd ...

It is possible (but not very likely) that all spam complaints were handled by a number of people that are all reporting under a "mole" status, in which complaints don't actually get sent out. Usually, this isn't all that big of a deal, as it would seem pretty rare that only mole reporters would get the same spam and not a single "regular" reporter. In addition to any and all other spam victims that don't use SpamCop.

So first of all, if you limited the log search to just SpamCop reports, you may have missed all the other complaints. However, as you make it sound like you're definitely concerned and have tried researching your end for some clues, perhaps a gentle note to deputies at spamcop.net asking them to take a look at why at least 2 of "your" IPs are listed but only showing such old data for evidence might shed some light on what's going on.

Thanks for the response. It is a pity that the data are not realtime (or at least that they do not seem related to the actual cause of the blockage). What I find really strange is the actual possibility of being blocked without getting a spam report, since SpamCop policy seems to strongly emphasize the necessity of a spam mail with all headers intact (which is only provided in the reports but not on the IP-lookup page) for successful resolution of an incident.

As for the other reports - we are getting tons of them, so it is pretty much impossible to determine what particular spam mail has generated the blockage. The most typical problem recently is a customer infected with spam trojan. We typically manage to block such within a moderately short interval of time (at a guess, from 30 minutes to maybe 4 hours), but a lot of harm is usually done by then.

I'll try to follow your advice about contacting the deputies.


It is a pity that the data are not realtime

It was seen/felt that some spammers were keeping tabs on these results in order to keep the spew going by trying to remain "under the radar" ... run from one server till it was about to hit a threshold, then move to a different server to continue the spew ... some were using these reports as signs that they were getting around filters, on and on .. thus the current status ... not much help I know, but again, you have to thank the spammers for this ..

As for the other reports - we are getting tons of them

Sorry to hear that .. but yes, even 30 minutes these days is long enough to get recognised by a number of BL listing services ... so while you're at it, you might also want to copy a URL to check other listing services ... http://www.moensted.dk/spam/ ... sometimes the results there can just ruin a perfectly fine day <g>

Right. What actually bugs me is that I do not seem to be able to understand what criteria SpamCop uses to list an IP. I do believe that we do not have a single case where the listed addresses were the direct source of spam. Since we do relay for our customers, however, those machines do relay spam, as I explained in my previous post.

So, when I logged into the ISP interface at SpamCop, I am getting a rather large number of listed issues for customer boxes (which were the actual spam sources, unwillingly in the vast number of cases), but for the mailgate machines I am only getting this:

For 212.242.40.52, 2 issues:

Submitted: Wed Mar 3 20:36:05 2004 +0100:

Undelivered Mail Returned to Sender

* 749083132 ( 212.242.40.52 ) To: mole[at]devnull.spamcop.net

then Cannot find spam reports for issueid = XXXXXX

And for the second address (.53), 3 issues, with an immediate:

(Older reports), then -> Cannot find spam reports for issueid = YYYYYY

So it looks like I do not have any possibility to find out the cause, which does not, alas, strike me as responsible service on the part of SpamCop. :-/


criteria SpamCop uses to list an IP

It starts with two complaints by two different users. Then a bit of a formula gets involved: amount of traffic seen from said server (yet another process involved there), the amount of spam (from users and/or spamtraps), and a time factor.

do not have a single case when the listed addresses where the direct source

might be absolutely true, but what that suggests is a mis-configuration of your server mail handling software ... are all mail headers RFC822 compliant? SpamCop's parser attempts to run a "chain test" following the e-mail hand-offs from server to server, looking for the actual injection point amongst the forged and bad routing lines. It may be that your internal routing is broken, thus the chain test fails at the wrong spot, and falling back to the last "good" entry, selects one of the above IPs as the source. Again, if we all could see the complete headers, we might have solved this by now. But, the deputies are the ones with the power to look at the raw data, so until Don or Ellen or RW get your note and dig up the facts, we're all a bit in the dark.

The missing data pointers you reference may have something to do with a database glitch a while back. But I'd have to defer to one of the deputies to sort that out.
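A simplified version of the "chain test" described above, written as an added example (not SpamCop's own parser) from the ISP's side: the relay names and the customer address are constructed, and the trusted set is assumed to be the ISP's own mailgates. It walks the Received: headers inward and shows how a mailgate that stamps a line without a bracketed IP breaks the chain, so the walk falls back to the last good entry, the mailgate itself, instead of the customer box that injected the mail.

```python
import re

# Constructed for this example: the ISP's own relays (hypothetical hostnames,
# IPs are the two from the thread). Only lines stamped by these are trusted.
TRUSTED_RELAYS = {
    "mailgate1.example.net": "212.242.40.52",
    "mailgate2.example.net": "212.242.40.53",
}

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+\S+(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_received(raw_headers):
    """Received hops in header order (nearest the recipient first) as
    (from_ip or None, by_host). Folded continuation lines are joined first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    hops = []
    for line in unfolded.splitlines():
        m = RECEIVED_RE.match(line)
        if m:
            ip = IP_RE.search(m.group("paren") or "")
            hops.append((ip.group(1) if ip else None, m.group("by").lower()))
    return hops

def chain_test(raw_headers):
    """Skip hops stamped by downstream receivers, then walk our own relays.
    A 'from' that is another of our relays is an internal hand-off; the first
    outside 'from' IP is the injection point. A relay line with no bracketed
    IP breaks the chain, and only the last good entry (our relay) remains."""
    trusted_ips = set(TRUSTED_RELAYS.values())
    last_good, started = None, False
    for from_ip, by_host in parse_received(raw_headers):
        if by_host not in TRUSTED_RELAYS:
            if started:
                break          # stamped by someone else: chain has ended
            continue           # recipient-side lines, not yet at our relays
        started = True
        if from_ip is None:
            return last_good   # broken Received line: fall back
        if from_ip in trusted_ips:
            last_good = from_ip
            continue           # internal hop, keep walking inward
        return from_ip         # the outside host that handed it to us
    return last_good

# Constructed sample headers: customer box -> mailgate1 -> mailgate2 -> recipient.
GOOD = ("Received: from mailgate2.example.net ([212.242.40.53])\n"
        "\tby mx.recipient.example (Postfix) with ESMTP id 1\n"
        "Received: from mailgate1.example.net ([212.242.40.52])\n"
        "\tby mailgate2.example.net with ESMTP id 2\n"
        "Received: from customer-dsl.example.net ([198.51.100.77])\n"
        "\tby mailgate1.example.net with SMTP id 3\n"
        "Subject: constructed sample\n")
BROKEN = GOOD.replace("([198.51.100.77])", "(HELO customer-dsl)")
```

With GOOD the walk reaches the customer address; with BROKEN the mailgate's malformed stamp stops it and 212.242.40.52 is all that can be blamed.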
