Jump to content


  • Posts

  • Joined

  • Last visited

Everything posted by michaell

  1. Most of the recent virus/worms forge everything, so the actual sending account isn't available. Figuring out what the right abuse address is for a given IP is also not easy. Spamcop has a complicated (and much debated) method for doing it, involving lookups to several places, and it still sometimes gets it wrong, so there is a database of manual overrides maintained by people. That's not something you could build into an antivirus package. Unless the particular virus is known to leave the actual sending account in the header, the best option is just to dump the email silently. A better option would be not to accept the email in the first place.
  2. ok... further revised version. Jeff - would you like to look over these and make an update? thanks
  3. Bounce messages can be valid mail, and they are required by the RFCs in certain circumstances. That doesn't mean that they can't also fit the definition of spam. Identifying the system which generated/relayed a message is desirable. I don't think anyone claimed that the systems merely identifying themselves is considered spamming. Identification is possible with a couple of words, which could be stored away in the message header. What isn't necessary is to have the full name of the software company, the name of the product, a URL to the companies software, or any verbiage about what the product does or how effective it is, in the body of the message. Some software is worse than others for this... No, but the vast majority currently circulating are. There's no disagreement that what they did was wrong by Spamcop's policies. Spamcop does have checks to try and avoid users sending reports about bounces and viruses, but they're can't be perfect. If your server isn't already delisted, if you post the IP or email deputies[at]admin.spamcop.net with the IP and an explanation, it will be delisted, and the user who reported it educated as to their mistake. I don't think so, and it's not necessarily true that that is all it does. That's true in those particular circumstances. However, source-host is often the spammer's machine, or in the case of viruses, the virus-infected PC. If either a spammer's specialised spamming software, or a self-mailing virus (such as MyDoom), gets the reject code, no bounce will be generated. If the spammer has used an open relay as "source-host", then recipients can block the bounce messages by blocking mail from the open relay (which many people do anyway using third-party relay lists), rather than having to block email from dest-host. It's true that it's possible to be RFC-compliant and still generate these kinds of messages. The point is that it's also possible, usually without much extra effort, to be RFC-compliant without generating undesirable bounce messages.
  4. Your reasons for sending the notifications are fine, but they're not well applied. If a person sends you an email, and they attach a virus-infected file, then it's desirable (necessary, even) to send them a message back when you block their message. If the email is generated by a virus which uses the sender's real address, then there is also a case for sending a message back. If the email was generated by a worm which forges sender addresses, then there's no value in generating a bounce message - all you are doing is spamming third parties, and the infected person won't get to know about it. The problem you have, I assume, is that your Antivirus software, like most mail server AV software, isn't clever enough to let you send messages back only when they are desirable. Given that 99% of the stuff it catches is likely to be one of the recent email worms, I'd be inclined to go for the option of turning the bounces off. For the server I run, no bounce is sent, but the admin gets a notification. It's easy to spot any blocked emails which aren't MyDoom or whatever the latest worm is, and sort out those cases by hand. Having said all that, Spamcop's list policy is not to include servers like yours. If you email deputies[at]admin.spamcop.net with your IP address and a brief explanation, your IP can be removed from the list.
  5. The reason your IP is listed is due to spam reports from before you sorted things out. There aren't any additional headers to show - your IP should be off the list shortly.
  6. I'm only guessing, but it looks like just a common first name at a known domain.
  7. Well if you don't do it before I have some time for it, I'll make some changes and post a revised version... probably not until next week though...
  8. The IP has, in fact, only been on the list for a few hours. I can't see too many details, but it's just those 2 reports. They both appear to be some kind of autoresponder. From the subject, I would guess the second is an autoresponse to a MyDoom email. The first could will be an autoresponse to a spam. abuse[at]alabanza.com should, however, have received these reports and been able to see that. The IP would fall of the list again in a matter of a few hours because it's just those 2 reports, but I thought I may as well delist it early, seeing as these reports aren't really of spam.
  9. Er... unfortunately none of that stuff is relevant in this case, Jeff. The IP was indeed listed due to MyDoom. The MyDoom worm generates email addresses from a list of names and attaches them to known domains, and unfortunately it seems to have come up with a spamtrap address in that way. I've removed the IP from the list. I hope the virus has been cleaned up now.
  10. with all due respect to Merlyn, the pinned post isn't very good as a FAQ - it's wordy and reads like a discussion (I didn't see it originally, but it was presumably written as part of a discussion). If it's going to be a FAQ, it could do with some work. The content is mostly ok, but it makes assumptions that Spamcop's list only lists spammers, and also that the reader is an end-user whose ISP's outgoing server has been listed. Those assumptions are quite possibly right in 80% of cases, but that means you're giving irrelevant and/or incorrect information to some...
  11. No, that's not an open proxy - it is, as that RSL message says, the input point of an open relay. An open proxy is something quite different - in this case, open proxies are being used to transmit the spam to
  12. It's not necessarily anything to do with .fr - the connections to your server are coming via exploited proxy servers in various places around the world. If it helps, the spam headers look something like this: Received: from webmail1.allianceatlantis.com [] by <spam_recipient_server> Received: from mail.salter.com ([]) by webmail1.allianceatlantis.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 28 Jan 2004 12:40:39 -0500 Received: from <open_proxy> by mail.salter.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 28 Jan 2004 13:40:15 -0400 is a LAN address. That server is accepting email and relaying it to webmail1.allianceatlantis.com, which in turn relays it to the recipients of the spam. The latest spam reported was sent just 5 hours ago, so I imagine the problem is ongoing.
  13. More precise information is kept. It used to be published, but it allowed spammers to calculate precisely how to avoid getting their email blocked. Admins and deputies still have access to it though... The server at is still sending email to spam traps (5 in the last hour) and being reported by Spamcop users. The emails received have subjects such as "Win Now! .downslope townsman townsmen" "Receive Money .entomology automorphic automorphism" and "Win Now! .endomorphism sodomy codon" and are being sent by a local user (or a process running as a local user) via the sendmail server running on the machine. There is some consideration given to servers that are shared between many users - Spamcop attempts to track email generally, as well as spam, so if the server is sending a large amount of legitimate email, it is less likely to get listed. In your case, the email received in the general sampling isn't much more than the volume of spam received by the spamtraps.
  14. 65000 contacts is rather a lot to send a mailing like that. It is so far 12 people that have reported your email as spam. Some of those people have sent two reports of messages from you which they have received at different times. You appear to have sent a lot of messages on 24 January, and then when that Spamcop listing expired, sent another lot of messages on 28 January and become listed again. If you want to do large mailings, you should be sure to follow good practice for managing mailing lists. If you are sending messages to thousands of people whose addresses you have collected over 3 years without their consent, then you are spamming.
  15. This wasn't from Spamcop's AV scanner. It was sent by a scanner at univaq.it, in response to a virus which had your address on it - that doesn't mean you sent the virus, but it is the reason that you get the response. Spamcop's spamassassin decided that this notification was spam, based on the priority and MIME headers generated by the silly RAV system.
  16. It seems a little inconsistent and I'm not sure how much of it is the web server and how much the web browser. Not that this is going to help anyone, but it seems to work fine for me. I've just gone through and caught up with some discussions, and the forums that I've read are dimmed. Oh, and hi by the way. I'm, like, new here
  • Create New...