
[Resolved] SC Notifications blocklisted (SORBS)


lisati

Posted in the lounge because this is more of a grumble than a support request.

In the interests of expanding my horizons this morning and possibly learning something new, I was playing around with "postscreen" on my email server, which runs postfix v2.8. When I was checking the logs, I noticed that incoming notifications of spamcop reports I'd submitted were deferred by postscreen because of a listing on dnsbl.sorbs.net. This is addressed fairly easily by whitelisting Spamcop's servers at my end.

My best guess at the moment is that someone who has received spamcop reports wasn't too happy about it. Another possible explanation, which I find slightly less plausible, is that they didn't understand what they were reading.
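The "whitelisting Spamcop's servers at my end" the post mentions, as an added example that is not from the post: a postscreen access list that permits the SpamCop notification senders before postscreen runs its DNSBL tests. The addresses are the ones quoted later in this thread (sample input, to be verified before use); the file path and the main.cf settings are assumptions about a stock Postfix 2.8 layout.

```shell
#!/bin/sh
# Added example, not from the post: whitelist known SpamCop notification
# senders in Postfix postscreen so a SORBS listing no longer defers them.
# postscreen consults postscreen_access_list before its DNSBL tests, and a
# "permit" entry skips those tests for that client.  The addresses below are
# the ones quoted in this thread (sample input; verify them before use).

SPAMCOP_SENDERS="204.15.82.101 204.15.82.104 204.15.82.110 204.15.82.113
204.15.82.114 204.15.82.115 204.15.82.123 204.15.82.124"

# Emit the CIDR table body: one "address permit" line per sender.
postscreen_access_cidr() {
    for ip in $SPAMCOP_SENDERS; do
        printf '%s permit\n' "$ip"
    done
}

# Number of permit entries the table would contain (sanity check).
count_permits() {
    postscreen_access_cidr | grep -c ' permit$'
}

# Write the table to FILE and print the main.cf settings that reference it.
# The path and the settings are assumptions for a stock Postfix 2.8; apply
# them with "postconf -e" and then "postfix reload".
install_access_list() {
    file="$1"
    postscreen_access_cidr > "$file"
    cat <<EOF
postscreen_access_list = permit_mynetworks, cidr:$file
postscreen_dnsbl_sites = dnsbl.sorbs.net
# postscreen_dnsbl_action = enforce is the setting that makes a listing
# defer mail; with the permit entries above the listed senders are not tested
EOF
}
```

The permit entries take effect only for clients matched before the DNSBL stage, so the SORBS listing is still visible in the logs for everyone else, which is the behaviour you want: the whitelist is a narrow exception for senders you have verified, not a change to the policy.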


Thanks for bringing this to attention lisati

Well, this is definitely a reporting issue affecting notifications to some users so I will be moving it to the Reporting Help forum. SC staff will probably be aware of the SORBS listings but if they are not then they will be more likely to view this in the specific location. Also I shall amend the title to give some clue as to what this is about before the topic is viewed.

I suppose it is possible someone has achieved this deliberately (can't quite imagine how), but, recalling Auric Goldfinger's dictum "Once happenstance, twice coincidence, third time enemy action" or whatever, it might be a touch more than possible, and it has happened before. But this time there is a real rash of hits on SORBS causing the listing. 22-23 December, betting sites "spamvertizing", affecting many or most of the SC-IronPort SMTP bulk servers (sc-smtpN-inbound.soma.ironport.com and sc-smtpN-bulkmx.soma.ironport.com where "N" is a 1 or 2 digit numeric).

Before I exceeded my query limit, I found the following SORBS evidence:

[b]sc-smtpN-inbound.soma.ironport.com[/b]

204.15.82.101
Record Created:	03:26:30 23 Dec 2011 GMT+00
Message ID (munged):	rid*********00[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
www.vegasonlinedot.com Hostname has been marked as hosting a spamvertised website/URL.

Record Created:	08:45:27 18 Oct 2010 GMT+00
Message ID (munged):	rid*********00[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
healthrxtablets.ru	Hostname has been marked as hosting a spamvertised website/URL.
*************************************************************
204.15.82.104
Record Created:	04:57:22 23 Dec 2011 GMT+00
Message ID (munged):	rid*********12[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
www.vegasbestslot.com	Hostname has been marked as hosting a spamvertised website/URL.

Record Created:	00:33:57 23 Dec 2011 GMT+00
Message ID (munged):	rid*********57[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
www.vegasonlinedot.com	Hostname has been marked as hosting a spamvertised website/URL.

Record Created:	19:19:52 22 Dec 2011 GMT+00
Message ID (munged):	rid*********82[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
www.premierplayersfirst.eu	Hostname has been marked as hosting a spamvertised website/URL.

Record Created:	00:36:32 31 May 2011 GMT+00
Message ID (munged):	rid*********22[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
www.roundclear.com	Hostname has been marked as hosting a spamvertised website/URL.
www.w3.org	Hostname has been marked as hosting a spamvertised website/URL.
*************************************************************
204.15.82.110
Record Created:	20:27:45 22 Dec 2011 GMT+00
Message ID (munged):	rid*********59[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
www.luckywinner Hostname has been marked as hosting a spamvertised website/URL.
www.luckywinnersclub.com Hostname has been marked as hosting a spamvertised website/URL.

Record Created:	18:51:26 22 Dec 2011 GMT+00
Message ID (munged):	rid*********12[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
www.premierplayerweb.eu Hostname has been marked as hosting a spamvertised website/URL.
*************************************************************
204.15.82.113
Record Created:	13:23:44 23 Dec 2011 GMT+00
Message ID (munged):	rid*********46[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
www.premieropengaming.eu	Hostname has been marked as hosting a spamvertised website/URL.

Record Created:	20:24:08 22 Dec 2011 GMT+00
Message ID (munged):	rid*********87[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
www.premierplayerdot.eu	Hostname has been marked as hosting a spamvertised website/URL.
*************************************************************
204.15.82.114
Record Created:	04:38:22 23 Dec 2011 GMT+00
Message ID (munged):	rid*********60[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
www.vegassuperslots.com	Hostname has been marked as hosting a spamvertised website/URL.

Record Created:	12:59:20 05 Jun 2011 GMT+00
Message ID (munged):	rid*********58[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
thurl.in	Hostname has been marked as hosting a spamvertised website/URL.
*************************************************************
204.15.82.115
Record Created:	19:24:34 22 Dec 2011 GMT+00
Message ID (munged):	rid*********14[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
www.gopremierplayers.eu	Hostname has been marked as hosting a spamvertised website/URL.

Record Created:	19:27:16 23 May 2011 GMT+00
Message ID (munged):	rid*********05[at]msgid.spamcop.net
widg.me	Hostname has been marked as hosting a spamvertised website/URL.
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
*************************************************************
[b]sc-smtpN-bulkmx.soma.ironport.com[/b]

204.15.82.123
Record Created:	03:13:33 23 Dec 2011 GMT+00
Message ID (munged):	rid*********48[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
www.hotvegascash.com	Hostname has been marked as hosting a spamvertised website/URL.

Record Created:	19:40:55 22 Dec 2011 GMT+00
Message ID (munged):	rid*********37[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
www.premierplayersstar.eu	Hostname has been marked as hosting a spamvertised website/URL.

Record Created:	00:04:35 25 Jun 2011 GMT+00
Message ID (munged):	rid*********92[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
aftfj.petqueen.ru	Hostname has been marked as hosting a spamvertised website/URL.
www.openspf.org	Hostname has been marked as hosting a spamvertised website/URL.

Description:	spam Received from this host
Record Created:	23:16:12 17 Apr 2011 GMT+00
Message ID (munged):	rid*********20[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
issafepill.com	Hostname has been marked as hosting a spamvertised website/URL.

Record Created:	23:16:10 17 Apr 2011 GMT+00
Message ID (munged):	rid*********19[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
issafepill.com	Hostname has been marked as hosting a spamvertised website/URL.

Record Created:	23:16:10 17 Apr 2011 GMT+00
Message ID (munged):	rid*********18[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
issafepill.com	Hostname has been marked as hosting a spamvertised website/URL.
*************************************************************
204.15.82.124
Record Created:	22:54:34 22 Dec 2011 GMT+00
Message ID (munged):	rid*********36[at]msgid.spamcop.net
www.spamcop.net	Hostname has been marked as hosting a spamvertised website/URL.
www.vegassuperbetting.com	Hostname has been marked as hosting a spamvertised website/URL.

Record Created:	20:01:47 22 Dec 2011 GMT+00
Message ID (munged):	rid*********83[at]msgid.spamcop.net

....


Not to worry. I'm aware of the bogus SORBS listings, and have been from the beginning.

I have managed to get past their Son Of Robbie robot, which rejected my removal request, but have not heard back from an actual person yet.

Just so there is no confusion... SORBS is an automatic system. There is no human review until a complaint is lodged by somebody like me.

I'm sure they will eventually take care of business, but I just don't know when. The last time, it took over two weeks to get our servers removed.

- Don D'Angry Admin -


Thanks Don, marking this "resolved" then since as much as can be done has been, and it is in the right (and appropriately disgruntled) hands.

Meantime, anyone missing those SC notifications to complete reporting - just check your member page to see if you have reports pending verification and release in case your service provider has blocked them.


Was just about to post about this happening again.

Sorbs started blacklisting 204.15.82.113 again.

ec 24 11:11:12 phuct postfix/smtpd[26591]: NOQUEUE: reject: RCPT from sc-smtp12-inbound.soma.ironport.com[204.15.82.113]: 554 5.7.1 Service unavailable; Client host [204.15.82.113] blocked using dnsbl.sorbs.net; Currently Sending spam See: http://www.sorbs.net/lookup.shtml?204.15.82.113; from=<spamid.5205215538[at]bounces.spamcop.net> to=<xxx[at]yyyzzz.net> proto=ESMTP helo=<sc-smtp12-inbound.soma.ironport.com>
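Added example, not from the post: a small log scan for the kind of reject line shown above, so an operator notices when a DNSBL rule is rejecting a sender they actually rely on. The log lines inside are constructed for the example (modelled on the one above, with message ids and recipient addresses replaced), and the trusted-sender list is an assumption.

```shell
#!/bin/sh
# Added example, not from the post: find Postfix "blocked using <dnsbl>"
# rejects and flag the ones that hit senders you rely on, such as the
# SpamCop notification servers.  Run it over /var/log/mail.log on a real
# system; the SAMPLE_LOG below is constructed for the example.

TRUSTED="204.15.82.113 204.15.82.104"   # assumption: senders you never want rejected

SAMPLE_LOG='Dec 24 11:11:12 phuct postfix/smtpd[26591]: NOQUEUE: reject: RCPT from sc-smtp12-inbound.soma.ironport.com[204.15.82.113]: 554 5.7.1 Service unavailable; Client host [204.15.82.113] blocked using dnsbl.sorbs.net; Currently Sending spam See: http://www.sorbs.net/lookup.shtml?204.15.82.113; from=<spamid.0000000000@bounces.spamcop.net> to=<user@example.net> proto=ESMTP helo=<sc-smtp12-inbound.soma.ironport.com>
Dec 24 11:12:05 phuct postfix/smtpd[26591]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using dnsbl.sorbs.net; from=<x@example.org> to=<user@example.net> proto=ESMTP helo=<mail>
Dec 24 11:13:00 phuct postfix/smtpd[26600]: connect from other.example.com[203.0.113.9]'

# dnsbl_rejects: read a log on stdin, print "IP ZONE" per DNSBL reject.
dnsbl_rejects() {
    awk '/NOQUEUE: reject:/ && /blocked using/ {
        if (match($0, /Client host \[[0-9a-fA-F.:]+\] blocked using [^;]+/)) {
            frag = substr($0, RSTART, RLENGTH)
            sub(/Client host \[/, "", frag)
            ip = frag;   sub(/\].*/, "", ip)
            zone = frag; sub(/.*blocked using /, "", zone)
            print ip, zone
        }
    }'
}

# trusted_rejects: keep only rejects whose client is in TRUSTED.
trusted_rejects() {
    dnsbl_rejects | while read -r ip zone; do
        for t in $TRUSTED; do
            if [ "$ip" = "$t" ]; then echo "$ip $zone"; fi
        done
    done
}

# count_trusted_rejects: number of trusted-sender rejects in the log on stdin.
count_trusted_rejects() {
    trusted_rejects | wc -l | tr -d ' '
}

# Demo on the constructed sample; a non-zero count is what you would alert on.
printf '%s\n' "$SAMPLE_LOG" | trusted_rejects
```

The scan keys on the "Client host [ip] blocked using zone" fragment rather than on the hostname, because the hostname in the "RCPT from" part is whatever reverse DNS returned and can be "unknown".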


:lol:

Description: Possible Hacked or Trojaned Host

Record Created: 00:18:07 19 Dec 2011 GMT+00

HELO command used by remote: anaconda.sorbs.net

Additional Information: spam Sending Trojan or Proxy attempted to send mail from/to from=matthew+anaconda.sorbs.net[at]sorbs.net to=submit-vuln[at]<hidden to protect domain owner>

First of 10 entries, log-in has to negotiate browser security warnings about security certificate to get that far. Oh well, shows all is working to specification.


Delisting of SC servers appears to have started and is seen to be proceeding progressively. Apparently it doesn't happen all at once, not even for an individual server - the address apparently comes off some lists (the more "serious") first. That's not counting the automated "unlisting" (off new.spam after 48 hours, off recent.spam after 28 days, etc.). But at least one with "hits" 22/12 was completely delisted by/during 29/12.


Grrrr! I didn't know about 204.15.82.113

I have requested delisting.

Apparently, each server needs to have its own ticket with SORBS. After I argued with Michelle Sullivan about our server listings, I submitted separate tickets, and they removed all the servers from their list.

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -


I'm seeing four, including 204.15.82.113, all in the same state. They are currently listed on

problems.dnsbl.sorbs.net

spam.dnsbl.sorbs.net

recent.spam.dnsbl.sorbs.net

old.spam.dnsbl.sorbs.net

The other three are

204.15.82.104

204.15.82.110

204.15.82.115

Four lists is an improvement on what they were before, I think (no "aggregate zone" listing, for instance which I'm thinking was there before). There could be other IP addresses - the above are just the ones remaining from the short list in my earlier post which wasn't complete. But nearly so, maybe.


What happens is SORBS takes control of an expired domain, and turns it into one of their traps.

The problem is that one of the addresses at that domain is still showing up in a Whois lookup as the contact address for IPs that are sending spam.

The address will go defunct in a short time, but in the meantime, SpamCop is sending spam reports to the address, and SORBS puts the reporting servers on their list.

While I am arguing with SORBS volunteers, the Whois lookup changes and we stop sending reports to the trap address, which is a good thing, but our servers are still listed.

- Don -


What sort of lookup are you doing that reveals that info? It's a source I'm not aware of. ...

http://multirbl.valli.org/dnsbl-lookup/ or http://www.robtex.com/ip/204.15.82.104.html#blacklists - either way need to find some IP addresses to feed in to check. I've been using http://www.senderbase.org/ (with any of the IP addresses) for a list of "associated" servers, pick the active ones. Not very elegant but it gets there. There are probably better ways but that's how I do it.


OK. Thanks for the info!

- Don -


You're welcome and thanks for the further insights. It would be child's play (for some) to script the requisite DNS lookups on recent.spam.dnsbl.sorbs.net to be able to know almost immediately when a vulnerable server hits a SORBS trap (assuming network operations can keep the vulnerable list up to date for you) but that is not the real problem.

What happens is SORBS takes control of an expired domain, and turns it into one of their traps.

The problem is that one of the addresses at that domain is still showing up in a Whois lookup as the contact address for IPs that are sending spam. ...

THAT of course is the problem. It would be unconscionable of SORBS to include still-live Whois-listed abuse/contact addresses (especially, but not limited to abuse[at] and postmaster[at]) in their traps, knowing full well that SC and many, many others will be "caught" before the domain records are purged. Especially ironic when it is SC and other spamfighters that might be at least partly responsible for some of those domains going defunct and becoming available to SORBS for their spamtraps. I suppose it all comes down to the degree of reliance on cached lookups in the end. Impossible to do live lookups in volume all the time - the registrars would not stand for it. No doubt SORBS make it difficult for data harvesters to reveal their domain-gobbling. A real dilemma - no doubt Michelle has justified putting SC into this situation to hirself, somehow.
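The scripted DNS lookups the post above describes, as an added example that is not from the thread: a script that checks a list of your own sending addresses against the SORBS zones named earlier in this thread and reports which ones list them. The zone names and the sample addresses come from the thread; the choice of resolver tool (dig, with host as a fallback) and the cron-style report format are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the scripted DNS lookups the post above
# mentions, for checking your own outbound addresses against the SORBS zones
# named earlier in the thread.  A DNSBL answers an A query for the reversed
# IPv4 octets under its zone; any 127.x.x.x answer means "listed".

ZONES="new.spam.dnsbl.sorbs.net recent.spam.dnsbl.sorbs.net old.spam.dnsbl.sorbs.net spam.dnsbl.sorbs.net problems.dnsbl.sorbs.net"

# Sample input: the SC server addresses quoted in this thread.
MY_SENDERS="204.15.82.104 204.15.82.110 204.15.82.113 204.15.82.115"

# dnsbl_name IP ZONE -> reversed-octet query name; fails on a malformed IP.
dnsbl_name() {
    ip="$1"; zone="$2"
    case "$ip" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# resolve_a NAME -> first A record, empty if nothing is listed, "?" when no
# resolver tool is available or the query timed out.
resolve_a() {
    if command -v dig >/dev/null 2>&1; then
        out=$(dig +short +time=3 +tries=1 "$1" A 2>/dev/null)
        case "$out" in
            ";;"*) echo "?" ;;            # dig reports timeouts on stdout
            *)     echo "$out" | head -n 1 ;;
        esac
    elif command -v host >/dev/null 2>&1; then
        host -t A -W 3 "$1" 2>/dev/null | awk '/has address/ {print $NF; exit}'
    else
        echo "?"
    fi
}

# dnsbl_status IP ZONE -> "listed <code>", "clean", "unknown" or "bad-ip".
dnsbl_status() {
    name=$(dnsbl_name "$1" "$2") || { echo "bad-ip"; return 0; }
    answer=$(resolve_a "$name")
    case "$answer" in
        127.*) echo "listed $answer" ;;
        "")    echo "clean" ;;
        *)     echo "unknown" ;;
    esac
}

# zone_sane ZONE -> 0 if the zone behaves per RFC 5782 (127.0.0.2 listed,
# 127.0.0.1 not).  A dead zone whose domain now wildcards every name would
# "list" 127.0.0.1 too, and you would block the world on its say-so.
zone_sane() {
    [ "$(dnsbl_status 127.0.0.1 "$1")" = "clean" ] || return 1
    case "$(dnsbl_status 127.0.0.2 "$1")" in
        listed*) return 0 ;;
    esac
    return 1
}

# report -> "IP ZONE STATUS" for every sender and zone; run from cron and
# alert on any "listed" line.
report() {
    for ip in $MY_SENDERS; do
        for z in $ZONES; do
            printf '%s %s %s\n' "$ip" "$z" "$(dnsbl_status "$ip" "$z")"
        done
    done
}

if [ "${1:-}" = "--run" ]; then report; fi
```

Per-zone queries rather than the aggregate zone tell you which sub-list an address is on, which matters here because, as noted above, addresses come off the individual lists at different times; the zone_sane check guards against the opposite failure, a list that has gone dark and answers for everything.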
