petzl Posted October 29, 2012

http://www.spamcop.net/sc?id=z5422452403zd...642bd7b5d25175z

abuse[at]iol.it are asleep at the wheel.
IP 212.52.84.103 has no abuse address? The only contact address is hostmaster[at]iol.it
IP 212.52.84.103 does not appear to be an email server (run by spammer or zombie?)

turetzsr Posted October 29, 2012

...Since you've been here a while, I think you are asking more of a rhetorical question, or asking "what is keeping this from being listed?" and that you know this but, for those who don't, the answer to the generic question of when an IP address will be listed is found in the SpamCop Forum FAQ (links to which are found near the top left of all SpamCop Forum pages) article labeled "What is on the list?" in the section labeled "SCBL Rules."

petzl (Author) Posted October 29, 2012

> ...Since you've been here a while, I think you are asking more of a rhetorical question, or asking "what is keeping this from being listed?" and that you know this but, for those who don't, the answer to the generic question of when an IP address will be listed is found in the SpamCop Forum FAQ (links to which are found near the top left of all SpamCop Forum pages) article labeled "What is on the list?" in the section labeled "SCBL Rules."

It seems to be botnet spam that has been spewing for some time, not getting listed.
Just wish to have SpamCop BL checked if working.
Yes, I know the supposed algorithm which once was?
Now IMO the SCBL seems to only respond to spamtraps?
Seems this botnet is flooding confirmed email addresses, showing a weakness in relying on spamtraps only.
Very common now to see an IP listed without a manual report backing it up, not the other way.

If you look at report history (need to log in), seems a lot of reports for it not to be listed:
http://www.spamcop.net/mcgi?action=showhis...d;val=239354262

It doesn't appear to be a genuine email server?
Always has a forged IP 172.31.0.225 listed as injection point (indicating it's an internal IP. Run by spammer?)
abuse[at]iol.it don't seem to care; the only address given is hostmaster[at]iol.it
Going to website, they give it as abuse[ at ]staff.libero.it

SpamCopAdmin Posted October 30, 2012

I think we should see the IP list fairly soon.

- Don D'Hopeful -
- SpamCop Admin -
- Service[at]Admin.SpamCop.net -

petzl (Author) Posted October 30, 2012

> I think we should see the IP list fairly soon.
> - Don D'Hopeful -
> - SpamCop Admin -
> - Service[at]Admin.SpamCop.net -

Thanks Don.
After going to their website and checking SenderScore, looks like a Webmail system with a lot of compromised accounts.

Farelf Posted October 30, 2012

A few thoughts in general ...

212.52.84.103 is outrelay03.libero.it, high volume network relay (SB magnitude ~ 4.7), fiendishly difficult to list on the basis of reports alone due to spam:ham ratio. But the spam volumes are increasing and indeed it has now made it to the SCbl (3 hours ago by the looks). In my timezone - 24 reports and counting 30 Oct - 12 reports on 29 Oct - very few before. Hasn't made it to the CBL yet, which is the bl giving the best information about any sender-server exploits (just possibly none in this case).

Needless to say if libero.it had heeded the SC reports when they first started coming in about that server, they could have nipped in the bud whatever there is using it to assail the internet. That's what the SCbl is all about, but, disappointingly, not all find it "economic" to use it like that.

Be careful judging all libero.it as a spamsource simply on the basis of pbl.spamhaus.org (and similar) listings and "POOR" reputation listings of their dynamic IP ranges. Networks (particularly those of them raddled with beancounters) seem to volunteer their dynamic addresses for DNSBL listing knowing they should not be sending direct to the internet (and, one suspects) saving them the expense of doing anything more active/proactive to control their user-abusers. The "policy" blocklists/bl zones (pbl.spamhaus.org, dul.dnsbl.sorbs.net, etc.) don't look at actual spam.

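Added example, not part of any post in this thread: a Python sketch that walks a Received chain like the one in the report, separates the public handoff relay (212.52.84.103) from the non-routable injection hop (172.31.0.225), and builds the reversed-octet DNSBL query names for the relay. The header lines and hostnames ending in `.example` are constructed, and `bl.spamcop.net` is assumed here as the SCBL query zone since the thread does not name it.

```python
import ipaddress
import re

# Constructed Received chain (newest hop first), modelled on the thread's report.
SAMPLE_RECEIVED = [
    "from outrelay03.libero.it (outrelay03.libero.it [212.52.84.103]) "
    "by mx.recipient.example with ESMTP; Mon, 29 Oct 2012 10:00:02 +0000",
    "from webmail.internal.example ([172.31.0.225]) "
    "by outrelay03.libero.it with ESMTP; Mon, 29 Oct 2012 10:00:01 +0000",
]

# "policy" zones list address ranges by the network's own declaration;
# "spam-driven" zones list on observed reports and spamtrap hits.
ZONES = {
    "bl.spamcop.net": "spam-driven",   # assumed SCBL zone, not named in the thread
    "pbl.spamhaus.org": "policy",
    "dul.dnsbl.sorbs.net": "policy",
}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_addresses(received_headers):
    """Return the bracketed source IP of each hop, newest first."""
    hops = []
    for header in received_headers:
        match = IP_IN_BRACKETS.search(header)
        if not match:
            continue
        try:
            hops.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # e.g. [999.1.1.1]: malformed, skip the hop
    return hops

def classify(received_headers):
    """Return (newest public hop or None, list of private-range hops)."""
    hops = hop_addresses(received_headers)
    public = [ip for ip in hops if ip.is_global]
    internal = [ip for ip in hops if ip.is_private]
    # Only the public hop was seen by the receiving server; a private-range
    # address such as 172.16.0.0/12 cannot be looked up in a DNSBL.
    return (public[0] if public else None), internal

def dnsbl_queries(ip):
    """Build the query name per zone (octets reversed); no DNS lookup is made."""
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return {zone: f"{reversed_octets}.{zone}" for zone in ZONES}

relay, internal_hops = classify(SAMPLE_RECEIVED)
QUERIES = dnsbl_queries(relay)
```

Resolving each name in `QUERIES` with an A-record lookup tells you whether the relay is listed in that zone; a hit in a "policy" zone says nothing about observed spam from the address.
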
petzl (Author) Posted October 30, 2012

> A few thoughts in general ...
>
> 212.52.84.103 is outrelay03.libero.it, high volume network relay (SB magnitude ~ 4.7), fiendishly difficult to list on the basis of reports alone due to spam:ham ratio. But the spam volumes are increasing and indeed it has now made it to the SCbl (3 hours ago by the looks). In my timezone - 24 reports and counting 30 Oct - 12 reports on 29 Oct - very few before. Hasn't made it to the CBL yet, which is the bl giving the best information about any sender-server exploits (just possibly none in this case).
>
> Needless to say if libero.it had heeded the SC reports when they first started coming in about that server, they could have nipped in the bud whatever there is using it to assail the internet. That's what the SCbl is all about, but, disappointingly, not all find it "economic" to use it like that.
>
> Be careful judging all libero.it as a spamsource simply on the basis of pbl.spamhaus.org (and similar) listings and "POOR" reputation listings of their dynamic IP ranges. Networks (particularly those of them raddled with beancounters) seem to volunteer their dynamic addresses for DNSBL listing knowing they should not be sending direct to the internet (and, one suspects) saving them the expense of doing anything more active/proactive to control their user-abusers. The "policy" blocklists/bl zones (pbl.spamhaus.org, dul.dnsbl.sorbs.net, etc.) don't look at actual spam.

Went to their website; appears to be a Webmail provider with no registered abuse address.
It is listed now in our SCBL.
I now don't think it is a trojan. Just too easy to sign up to a free webmail, or accounts have been compromised.
SenderScore have it as low (near zero) reputation and very high (spammers' paradise?) volume sender.

turetzsr Posted October 30, 2012

> <snip>
> It is listed now in our SCBL

...Thanks, petzl, marking this topic as "Resolved" based on your finding.