Spamcop "probing"?

[mailguy99]

This email came through to one of our helpdesk accounts:

Received: from newabe.citeglobe.com ([209.44.124.120]) by mail.xxx.au with MailMarshal (v6,5,4,7535)

id <B4f2f385e0000>; Mon, 06 Feb 2012 13:18:06 +1100

Date: Sun, 5 Feb 2012 20:53:49 +0000 (UTC)

From: Cerys Macdonald via LinkedIn <member[at]linkedin.com>

Reply-To: Cerys Macdonald <billroberts[at]newmail.spamcop.net>

To: helpdeskxxx.au <helpdeskxxx[at]xxx.au>

Message-ID: <1392939564.36279827.1588003540399.JavaMail.app[at]ela9-bed53.prod>

Subject: Cerys Macdonald sent you a message via LinkedIn

MIME-Version: 1.0

Content-Type: text/html; charset=UTF-8

Content-Transfer-Encoding: 7bit

Our helpdesk software generated a "Thanks for your enquiry" message back to billroberts[at]newmail.spamcop.net and we appear on SCBL and can't send mail to key clients. ??!

The forged linkdIn message is pharmacy spam, and I understand the general issue of auto-responders - but what *spammer* sets a reply-to address to spamcop.net?

- mailguy99

[turetzsr]

<snip>

The forged linkdIn message is pharmacy spam, and I understand the general issue of auto-responders - but what *spammer* sets a reply-to address to spamcop.net?

...One that either wants you to get on blacklists or wants you to think SpamCop is spamming or both.

...Now that you understand the issue of auto-responders, you have turned yours off, right?

...It is unlikely that this one auto-response alone will have caused you to be listed unless billroberts[at]newmail.spamcop.net is a spam trap. If you wish to see the details, go to SpamCop FAQ (links near top of every SpamCop Forum page) entry labeled "What is on the list?" for an explanation -- scan down to the sections labeled "How the SCBL Works" and "SCBL Rules."

[SpamCopAdmin]

209.44.124.120 = newabe.citeglobe.com was the problem. It was on our list for a couple of days, but it was removed Tuesday, February 07, 2012 09:16:38 -0700 because the host assured us the problem was fixed, and there hasn't been any spam since.

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

[mailguy99]

209.44.124.120 = newabe.citeglobe.com was the problem. It was on our list for a couple of days, but it was removed Tuesday, February 07, 2012 09:16:38 -0700 because the host assured us the problem was fixed, and there hasn't been any spam since.

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

Thanks Don, as I said it *was* spam from them - the puzzle for me is why the reply-to address on the spam they were sending led to a spamcop spamtrap.

- mailguy99

[petzl]

Thanks Don, as I said it *was* spam from them - the puzzle for me is why the reply-to address on the spam they were sending led to a spamcop spamtrap.

- mailguy99

The IP seemed to be sending a lot of "spam" possibly vacation notices (I only see subject lines)? This to real peoples email accounts.

Spamtraps alone will not get you listed, they have to be backed up by real reports.

Also the abuse reports to that IP are disabled "abuse (#) netelligent.ca"?

Pay to ask for it to be re-enabled maybe. The spam is still coming from real people today but may be late submissions (just two so far)

[SpamCopAdmin]

>- why the reply-to address on the spam they were sending led to a spamcop spamtrap.

What makes you think the address is a trap address? It doesn't look like one to me.

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -