[Resolved] spam from 85.214.71.188



I'm getting spam from this IP, yet they are not listed by SpamCop:

http://www.spamcop.net/w3m?action=checkblo...p=85.214.71.188

The reputation of these guys is tremendous, so others are getting a lot of spam as well:

http://www.senderbase.org/senderbase_queri...g=85.214.71.188

But still, they are not listed in any blocking list. Why is this the case? How long does it take to stop these guys who are running a thriving cottage factory?

Ejo


This is guess-work based on the listed reports.

There seems to have been no spam from there until about 7 this morning (GMT) and it stopped before 9.

My theory is that an infected machine was plugged in, SpamCop told them and they did something about it, fast. If so there's no need for it to continue being listed: SpamCop is working as it should and the server-owner acted as s/he should to stop the run. SpamCop automatically lists and de-lists very quickly in response to circumstances.

IOW this is how it /should/ happen!


In addition to Derek T's helpful comments, it might be worth noting that the algorithm for listing in the SCBL is such that a number of factors need to come about before listing happens. IIUC these would include the volume of mail passing through an IP compared to the amount of spam reported, and the number of individuals reporting the IP.

So, for example, you could be submitting hundreds of reports but if you were the only person doing so then the IP wouldn't be listed.

Andrew


This is guess-work based on the listed reports.

There seems to have been no spam from there until about 7 this morning (GMT) and it stopped before 9.

My theory is that an infected machine was plugged in, SpamCop told them and they did something about it, fast. If so there's no need for it to continue being listed: SpamCop is working as it should and the server-owner acted as s/he should to stop the run. SpamCop automatically lists and de-lists very quickly in response to circumstances.

IOW this is how it /should/ happen!

If you check the reported spam option under

http://www.spamcop.net/mcgi?action=showhis...type=0;offset=0

then you'll see that there is still incoming spam from 85.214.71.188. This is not guesswork, it is ongoing. At the same time senderbase says that they are not listed on any blocking list. That evidence is here:

http://www.senderbase.org/senderbase_queri...g=85.214.71.188

I can only repeat what I wrote earlier: why is this? Is the reporting inaccurate? Does the list work? Are these delayed reports? Is the algorithm broken? Etc., etc.

Even more evidence that it is ongoing:

http://www.spamcop.net/sc?id=z3859635138z4...545cce23e63bf1z

and if you check the mail header:

from foothub.net.ms (h1743850.stratoserver.net [85.214.71.188]) by mx1.tudelft.nl (Postfix) with SMTP id 3ACE07F815E for <x>; Sat, 27 Mar 2010 11:56:08 +0100 (CET)

Thus sent around an hour ago.

Ejo

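The header quoted in the post above is the evidence that matters: the bracketed address written by the receiving MX (mx1.tudelft.nl) is the connecting IP, while the HELO name (foothub.net.ms) and the rDNS name are under the sender's or the DNS owner's control. The following is an added example, not code from the thread or from SpamCop: it unfolds a constructed header block, takes the topmost Received line (the one our own MX wrote; anything below it arrived inside the message and may be forged), extracts the connecting IP, and builds the reversed-octet name used to query a DNSBL zone such as bl.spamcop.net. The second Received line in the sample is made up to show the forgery case; the live lookup function needs network access and is only there for completeness.

```python
import re
import socket

# Constructed sample headers. The topmost Received line is the one quoted in
# the thread (added by mx1.tudelft.nl); the second one is a made-up forged
# line of the kind a spammer can prepend inside the message itself.
SAMPLE_HEADERS = """\
Received: from foothub.net.ms (h1743850.stratoserver.net [85.214.71.188])
\tby mx1.tudelft.nl (Postfix) with SMTP id 3ACE07F815E
\tfor <x>; Sat, 27 Mar 2010 11:56:08 +0100 (CET)
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby foothub.net.ms with ESMTP; Sat, 27 Mar 2010 10:00:00 +0000
Subject: constructed sample
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_headers(raw_headers):
    """Unfold RFC 5322 continuation lines and return the bodies of all
    Received headers, topmost first (the order the MTAs added them, newest
    on top)."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    bodies = []
    for line in unfolded.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "received":
            bodies.append(value.strip())
    return bodies


def connecting_ip(received):
    """Return the IPv4 literal the MTA recorded in square brackets. That is
    the TCP peer the MTA actually talked to; the HELO and rDNS names around
    it are not evidence of anything."""
    m = BRACKETED_IPV4.search(received)
    if not m:
        raise ValueError("no bracketed IPv4 literal in Received header")
    ip = m.group(1)
    if any(int(octet) > 255 for octet in ip.split(".")):
        raise ValueError("invalid octet in %s" % ip)
    return ip


def trusted_connecting_ip(raw_headers):
    """Only the topmost Received line was written by our own MX; every line
    below it came in with the message and can be forged by the sender."""
    bodies = received_headers(raw_headers)
    if not bodies:
        raise ValueError("no Received headers")
    return connecting_ip(bodies[0])


def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """DNSBL lookups reverse the octets and append the zone:
    85.214.71.188 -> 188.71.214.85.bl.spamcop.net"""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip, zone="bl.spamcop.net"):
    """Live check (needs network). A DNSBL answers a listed address with an
    A record in 127.0.0.0/8 and an unlisted one with NXDOMAIN."""
    try:
        socket.gethostbyname(dnsbl_query_name(ip, zone))
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    ip = trusted_connecting_ip(SAMPLE_HEADERS)
    print("connecting IP:", ip)
    print("query name:   ", dnsbl_query_name(ip))
```

Run it with no arguments to see the IP and the query name; call is_listed on a live host to get the actual verdict. Note that taking the first bracketed literal from a lower Received line would have returned the forged 192.0.2.10.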

But still, they are not listed in any blocking list. Why is this the case? How long does it take to stop these guys who are running a thriving cottage factory?

Time is but one factor in being an active entry in the SpamCop DNSBL. See "What is the SpamCop Blocking List (SCBL)?" and try some of the math involved, perhaps also referencing SenderBase's "Magnitude" Explained.


85.214.71.188 went on the blocking list Saturday, March 27, 2010 11:07:28 -0600

I'm glad that this eventually happened. The reasons for listing it were, according to SpamCop, that 85.214.71.188 has sent mail to SpamCop spam traps in the past week and also that SpamCop users have reported 85.214.71.188 as a source of spam about 300 times in the past week. In my case it kept on sending spam for several days until it was caught. It sounds like some infested system at the Strato Rechenzentrum in Berlin, Germany.

Ejo


I'm glad that this eventually happened. The reasons for listing it were, according to SpamCop, that 85.214.71.188 has sent mail to SpamCop spam traps in the past week and also that SpamCop users have reported 85.214.71.188 as a source of spam about 300 times in the past week. In my case it kept on sending spam for several days until it was caught. It sounds like some infested system at the Strato Rechenzentrum in Berlin, Germany.

It doesn't explain why SpamCop blocklist has become reluctant to list spam sources?


It doesn't explain why SpamCop blocklist has become reluctant to list spam sources?

I'm glad that this eventually happened. The reasons for listing it were, according to SpamCop, that 85.214.71.188 has sent mail to SpamCop spam traps in the past week and also that SpamCop users have reported 85.214.71.188 as a source of spam about 300 times in the past week.

"We" have no knowledge of the amount of spamtrap hits, but do know that they score much higher in the calculations. Excluding those, one would actually have more reason to wonder how it got listed.

Going with the approximately "300 reports in the past week" as compared to the current magnitude listing of 4.8, which is in the ballpark of 100,000 e-mails a day .... as I stated before, try to do the math. If it was just the amount generated by SpamCop.net reporters, it would still not be listed, based on the ratio of good/bad traffic alone, even with the SenderBase "poor" reputation. Sure, perhaps "most" of the traffic was spam, but it was not reported through the SpamCop.net Parsing & Reporting System, and therefore not available in sufficient quantity for the "bad part" of the calculations. In this case, the spammer did it him/herself by hitting the spamtrap addresses directly, and in sufficient quantity.

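The "do the math" point in the post above, and Andrew's earlier note that a lone reporter filing hundreds of reports will not get an IP listed, both come down to the same three inputs: the IP's estimated mail volume, the reports filed against it (with spamtrap hits counting far more than user reports), and how many distinct people filed them. The following is an added example and not SpamCop's real SCBL algorithm, whose weights and thresholds are not published on this page: it is a hypothetical model with the structure the thread describes. It assumes the SenderBase magnitude is log10 of the estimated daily message volume, and the thresholds, the trap weight, and the distinct-reporter count of 40 are invented for the scenarios; only the magnitude 4.8 and the "about 300 reports in the past week" come from the thread.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass
class IpWeek:
    ip: str
    magnitude: float         # SenderBase magnitude, assumed log10(daily volume)
    user_reports: int        # reports filed through SpamCop in the past week
    distinct_reporters: int  # how many different users filed them
    spamtrap_hits: int       # messages that hit spamtrap addresses


# Hypothetical weights and thresholds, chosen for illustration only.
MIN_REPORTERS = 5        # one person reporting alone is not enough
TRAP_WEIGHT = 50.0       # one spamtrap hit counts like 50 user reports
RATIO_THRESHOLD = 0.01   # weighted bad mail must be at least 1% of volume


def daily_volume(magnitude):
    """Assumed: magnitude is a base-10 logarithm of estimated daily volume."""
    return 10.0 ** magnitude


def weekly_volume(magnitude):
    return 7.0 * daily_volume(magnitude)


def report_ratio(rec):
    """User reports alone against the estimated weekly volume: the figure
    the post asks the reader to compute for 300 reports at magnitude 4.8."""
    return rec.user_reports / weekly_volume(rec.magnitude)


def weighted_ratio(rec):
    """Same ratio, but with spamtrap hits scored much higher than reports."""
    bad = rec.user_reports + TRAP_WEIGHT * rec.spamtrap_hits
    return bad / weekly_volume(rec.magnitude)


def should_list(rec):
    """Return (listed?, reason) under the hypothetical model."""
    if rec.spamtrap_hits == 0 and rec.distinct_reporters < MIN_REPORTERS:
        return False, "too few distinct reporters (%d)" % rec.distinct_reporters
    ratio = weighted_ratio(rec)
    if ratio < RATIO_THRESHOLD:
        return False, "weighted spam ratio %.6f below %.2f" % (ratio, RATIO_THRESHOLD)
    return True, "weighted spam ratio %.6f reaches %.2f" % (ratio, RATIO_THRESHOLD)


# Constructed scenarios. Magnitude 4.8 and ~300 weekly reports are from the
# thread; the reporter count and the trap-hit count are assumed.
REPORTS_ONLY = IpWeek("85.214.71.188", 4.8, 300, 40, 0)
WITH_TRAPS = IpWeek("85.214.71.188", 4.8, 300, 40, 100)
LONE_REPORTER = IpWeek("192.0.2.1", 3.0, 500, 1, 0)


if __name__ == "__main__":
    for rec in (REPORTS_ONLY, WITH_TRAPS, LONE_REPORTER):
        print("%-14s volume/day %9.0f  report ratio %.6f  -> %s: %s"
              % ((rec.ip, daily_volume(rec.magnitude), report_ratio(rec))
                 + should_list(rec)))
```

At magnitude 4.8 the model estimates roughly 63,000 messages a day, so 300 reports over a week is under 0.07% of the traffic and nowhere near a listing on reports alone; the same IP with 100 trap hits crosses the line, and the lone reporter's 500 reports against a tiny sender fail on the reporter count before the ratio is even considered.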

You are quite right at the time you posted. As was I: there had been no reports for over two hours at the time I posted. :blush:

And if you look at the SenderBase data, the flow is ever increasing ....

http://www.senderbase.org/senderbase_queri...g=85.214.71.188

Volume Statistics for this IP

                Magnitude    Vol Change vs. Last Month
Last day        5.3          527%
Last month      4.5
