Jump to content

[Resolved] spam from 85.214.71.188


Recommended Posts

Posted

I'm getting spam from this IP yet they are not listed by spamcop

http://www.spamcop.net/w3m?action=checkblo...p=85.214.71.188

The reputation of these guys is tremendous, so others are getting a lot of spam as well:

http://www.senderbase.org/senderbase_queri...g=85.214.71.188

But still, they are not listed in any blocking list. Why is this the case? How long does it take to

stop these guys who are running a thriving cottage factory?

Ejo

Posted

This is guess-work based on the listed reports.

There seems to have been no spam from there until about 7 this morning (GMT) and it stopped before 9.

My theory is that an infected machine was plugged in, SpamCop told them and they did something about it, fast. If so there's no need for it to continue being listed: SpamCop is working as it should and the server-owner acted as s/he should to stop the run. SpamCop automatically lists and de-lists very quickly in response to circumstances.

IOW this is how it /should/ happen!

Posted

In addition to Derek T's helpful comments, it might be worth noting that the algorithm for listing in the SCBL is such that a number of factors need to come about before listing happens. IIUC these would include the volume of mail passing through an IP compared the amount of spam reported and the number of individuals reporting the IP.

So, for example, you could be submitting hundreds of reports but if you were the only person doing so then the IP wouldn't be listed.

Andrew

Posted
This is guess-work based on the listed reports.

There seems to have been no spam from there until about 7 this morning (GMT) and it stopped before 9.

My theory is that an infected machine was plugged in, SpamCop told them and they did something about it, fast. If so there's no need for it to continue being listed: SpamCop is working as it should and the server-owner acted as s/he should to stop the run. SpamCop automatically lists and de-lists very quickly in response to circumstances.

IOW this is how it /should/ happen!

If you check the reported spam option under

http://www.spamcop.net/mcgi?action=showhis...type=0;offset=0

then you'll see that there is still incoming spam from 85.214.71.188. This is not guesswork, it is ongoing. At the same time senderbase says that they are not listed on any blocking list. That evidence is here:

http://www.senderbase.org/senderbase_queri...g=85.214.71.188

I can only repeat what I wrote earlier: why is this, is the reporting inaccurate, does the list work, are these delayed reports, is the algorithm broken. Etc etc.

Even more evidence that it is ongoing:

http://www.spamcop.net/sc?id=z3859635138z4...545cce23e63bf1z

and if you check the mail header:

from foothub.net.ms (h1743850.stratoserver.net [85.214.71.188]) by mx1.tudelft.nl (Postfix) with SMTP id 3ACE07F815E for <x>; Sat, 27 Mar 2010 11:56:08 +0100 (CET)

Thus sent around an hour ago.

Ejo

Posted
85.214.71.188 went on the blocking list Saturday, March 27, 2010 11:07:28 -0600

I'm glad that this eventually happened. The reasons for listing it was according to spamcop that 85.214.71.188 has sent mail to SpamCop spam traps in the past week and also SpamCop users have reported 85.214.71.188 as a source of spam about 300 times in the past week. In my case it kept on sending spam for several days until it was caught. It sounds like some infested system at the Strato Rechenzentrum in Berlin Germany

Ejo

Posted
I'm glad that this eventually happened. The reasons for listing it was according to spamcop that 85.214.71.188 has sent mail to SpamCop spam traps in the past week and also SpamCop users have reported 85.214.71.188 as a source of spam about 300 times in the past week. In my case it kept on sending spam for several days until it was caught. It sounds like some infested system at the Strato Rechenzentrum in Berlin Germany

It doesn't explain why SpamCop blocklist has become reluctant to list spam sources?

Posted
It doesn't explain why SpamCop blocklist has become reluctant to list spam sources?

I'm glad that this eventually happened. The reasons for listing it was according to spamcop that 85.214.71.188 has sent mail to SpamCop spam traps in the past week and also SpamCop users have reported 85.214.71.188 as a source of spam about 300 times in the past week.

"We" have no knowledge of the amount of spamtap hits, but do know that they score much higher in the calculations. Excluding those, then one would actually more have to wonder how it got listed.

going with the approximately "300 reports in the past week" as compared to the current magnitude listing of 4.8 which is in the ballpark of 100,000 e-mails-a-day .... as I stated before, try to do the math. If it was just the amount generated by SpamCop.net reporters, it would still not be listed, based on the ratio of good/bad traffic alone, even with the SenderBase "poor" reputation. Sure. perhaps "most" of the traffic was spam, but it was not reported through the SpamCop.net Parsing & Reporting System, therefore not available in sufficient quantity for the "bad part" of the calculations. In this case, the spammer did it him/herself by hitting the spamtrap addresses directly, and in sufficient quantity.

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...