Spams coming into inbox even though sending IP is on blocklist

I have been under the assumption for a while that the SC email system is not parsing sending IPs through all the blocklists I have selected. Today, I did a check and noticed that this does seem to be the case. I have been meaning to check into this in the past, but I haven't had time. So, for now, this post only contains 2 email examples that have slipped through the blacklist filtering system. I will post more if need be, as they come into my inbox and are not placed in Held Mail.

Right now I have all blocklists enabled, except CBL since you should be able to use SpamHaus's XBL as it feeds from the CBL. SpamAssassin is set to level 5.

First email:

http://www.spamcop.net/sc?id=z1322355043z0...4a8be7ba5ca17cz

IP: 85.108.206.134

Listed in SpamHaus XBL: http://www.spamhaus.org/query/bl?ip=85.108.206.134

Listed in SORBS:

Dynamic IP Space (LAN, Cable, DSL & Dial Ups)

Netblock: 85.108.0.0/16 (85.108.0.0-85.108.255.255)

Record Created: Fri Mar 17 23:37:05 2006 GMT

Record Updated: Fri Mar 17 23:37:05 2006 GMT

Additional Information: Dynamic/Generic IP/rDNS address, use your ISPs mail server or get rDNS set to indicate static assignment.

Currently active and flagged to be published in DNS

Second email:

http://www.spamcop.net/sc?id=z1322368954z7...1b8e6f981cd79az

IP: 83.5.240.245

Listed in SpamCop (prior to me reporting it): http://www.spamcop.net/w3m?action=checkblo...ip=83.5.240.245

Listed in SORBS:

Dynamic IP Space (LAN, Cable, DSL & Dial Ups)

Netblock: 83.5.0.0/16 (83.5.0.0-83.5.255.255)

Record Created: Fri Mar 23 19:05:38 2007 GMT

Record Updated: Fri Mar 23 19:05:38 2007 GMT

Additional Information: [#153721 TPCERT Supplied)] Dynamic/Generic IP/rDNS address, use your ISPs mail server or get rDNS set to indicate static assignment.

Currently active and flagged to be published in DNS

So, is there someone I need to contact to let them know about this problem?


So, is there someone I need to contact to let them know about this problem?

That would be JT, the admin of the email service. I cannot support your claim with more evidence; however, as far as I know, I have had spam held by at least the SpamCop BL within the last week.

There is a web link in the FAQ. I have had good luck using the support[at]spamcop.net address as well.


That would be JT, the admin of the email service. I cannot support your claim with more evidence; however, as far as I know, I have had spam held by at least the SpamCop BL within the last week.

There is a web link in the FAQ. I have had good luck using the support[at]spamcop.net address as well.

It seems to be sporadic and I can't say when or why it will occur. I've noticed spams in my held mail that were blocked by SPBL and SpamHaus in the recent past, but it's almost ALWAYS blocked by SpamAssassin. If it passes through SA then it seems to make it into my inbox, even if it shows up as an open proxy/relay when I report it.

I'm not 100% sure of the mechanisms behind SA, but I believe that it does check some blacklists itself.


If it passes through SA then it seems to make it into my inbox, even if it shows up as an open proxy/relay when I report it.

I'm not 100% sure of the mechanisms behind SA, but I believe that it does check some blacklists itself.

SA is currently checked first and if it does not pass, no further checks are made. I only have a small percentage that get checked by the DNSBL's, but have only had one spam slip by the filters in the last 60 days.

To answer your PM (this is a public forum to share information), I provided the email address in my original response and you even quoted it.

Also, possibly in play here, is the recent report of a DDoS against many of the DNSBL's ( http://www.channelinsider.com/article/Anti...e/209254_1.aspx )


To answer your PM (this is a public forum to share information), I provided the email address in my original response and you even quoted it.

Okay, that was just a misunderstanding by me. I thought the support address was an alternate address for getting in touch with SC support. I actually don't know who JB is, although I see his/her initials posted frequently here.

Also, possibly in play here, is the recent report of a DDoS against many of the DNSBL's ( http://www.channelinsider.com/article/Anti...e/209254_1.aspx )

True, and that is always an ongoing thing with DNSBLs. However, I would assume that if I use their lookup interface on their website then that should indicate that the blocklist is functioning, as it is at least able to query their database. I also checked the story from ISC, and they are also reporting that an SA rules list that's widely used is offline too. Does SpamCop host its own SA rules?

http://isc.sans.org/diary.html?storyid=2940

On a side note, there are now some very effective methods to combat against DoS attacks. Service provider Prolexic has technology for hosting sites and server software/hardware to help slow and stop these kinds of attacks. Unfortunately, their services are pretty expensive, so I doubt that non-profit BLs have the kind of capital to use those kinds of defensive measures.

SA is currently checked first and if it does not pass, no further checks are made. I only have a small percentage that get checked by the DNSBL's, but have only had one spam slip by the filters in the last 60 days.

Let me make sure I understand you. Are you saying that all incoming emails are only checked by SA, and the sending IP address is not being passed through the DNS blacklists that the user has enabled under Options, SpamCop Tools, Select your email filtering blacklists?


However, I would assume that if I use their lookup interface on their website then that should indicate that the blocklist is functioning, as it is at least able to query their database.

Not always a good assumption. Web pages are generally designed to wait a much longer time to display the information than most DNS lookups would wait.

Let me make sure I understand you. Are you saying that all incoming emails are only checked by SA, and the sending IP address is not being passed through the DNS blacklists that the user has enabled under Options, SpamCop Tools, Select your email filtering blacklists?

No, but the DNSBL's are only checked if the SA rule does not "call it spam". If SA score is lower than your setting, then the first DNSBL is checked, if negative, the next one is checked, etc.

No, but the DNSBL's are only checked if the SA rule does not "call it spam". If SA score is lower than your setting, then the first DNSBL is checked, if negative, the next one is checked, etc.

You can check what SpamAssassin (SA) assigns for each IP listed on a blocklist here (this is for ver 3.1; the latest SA is 3.2). If listed on SpamCop's SCBL, a score of 1.332 or 1.558 is added, depending on set-up.

http://spamassassin.apache.org/tests_3_1_x.html

I do not believe this is a dynamic link (as SpamCop emails are) for a DNSBL look-up; not sure how often it is renewed.

I believe SA is checked first, then the whitelist; if passed, SpamCop email then checks your blacklist and other DNSBLs. If whitelisted, it will deliver; your whitelist bypasses all other blocks, including the blacklist.

It helps to have country-specific blocks in your blacklist, like br, de, cn, pl, it, uk, mx, ro and so on, if you do not normally receive email from these countries. A full email address on your whitelist will bypass such blocks.
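As an added illustration (not SpamCop's code, and not written by any poster in this thread) of the filter order described in the two replies above: SpamAssassin is consulted first, a whitelisted sender is delivered regardless, and otherwise each DNSBL is queried in turn until one hits. It also shows the caveat about web lookups versus DNS: a DNSBL query that times out is treated as "not listed", so a list under DDoS silently stops blocking even though its web form still answers. The zone names and the resolver table are constructed sample data.

```python
import ipaddress
from typing import Callable, List

# A resolver returns the A-record strings for a name, [] when the name does
# not exist, and raises TimeoutError when the list does not answer in time.
Resolver = Callable[[str], List[str]]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet DNSBL query name, e.g.
    85.108.206.134 + xbl.example -> 134.206.108.85.xbl.example."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_listed(ip: str, zone: str, resolve: Resolver) -> bool:
    """A DNSBL signals a listing by answering with an address in 127.0.0.0/8.
    A timeout is treated as 'not listed' (fail-open): the mail flows on, which
    is what a user sees as a listed IP reaching the inbox."""
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except TimeoutError:
        return False
    return any(a.startswith("127.") for a in answers)

def filter_message(sender_ip: str, sender_addr: str, sa_score: float,
                   sa_threshold: float, whitelist: set, zones: List[str],
                   resolve: Resolver) -> str:
    """Order from the thread: SA first; below the threshold, the whitelist
    delivers unconditionally; otherwise DNSBLs are checked one by one and the
    first hit holds the mail. Returns the reason so it can be logged."""
    if sa_score >= sa_threshold:
        return "held:spamassassin"
    if sender_addr.lower() in whitelist:
        return "inbox:whitelist"
    for zone in zones:
        if dnsbl_listed(sender_ip, zone, resolve):
            return "held:" + zone
    return "inbox:clean"

def sample_resolver(name: str) -> List[str]:
    """Constructed offline stand-in for DNS (hypothetical zone names)."""
    table = {
        "134.206.108.85.xbl.example": ["127.0.0.4"],   # listed
        "245.240.5.83.sorbs.example": ["127.0.0.10"],  # listed
    }
    if name.endswith(".slow.example"):
        raise TimeoutError(name)  # list under DDoS: no answer in time
    return table.get(name, [])
```

Logging the returned reason per message is the quickest way to tell whether a DNSBL is actually being consulted or is timing out.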
