Confused about Listing


techfun

Hey Folks,

I am a bit confused about a listing in the bl.spamcop.net for one of our mail servers.

The IP Address is: 209.204.64.8

http://www.spamcop.net/w3m?action=checkblock&ip=209.204.64.8

provides almost no information. And what it does provide seems to be from February?

Our abuse department does get notices from SpamCop from time to time and when we do we act on them promptly, but we have not had any reports around the time this server got listed (seems to have happened late on Sunday 4/25/04).

Is there anything I can do to get this de-listed or at least find out how it got listed so I know which customer I need to kill?

It says:

Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users. It has been sending mail consistently for at least 182.6 days. In the past 508.2 days, it has been listed 2 times for a total of 43 hours

In the past week, this system has:

Been detected sending mail to spam traps

Been witnessed sending mail about 530 times

A sample sent sometime during the 24 hours beginning Sunday, February 01, 2004 7:00:00 PM -0500:

Received: from -.-.net ([209.204.64.8])
    by -.-.org with - (Exim -.-)
    id -
    for -[at]-.net- Mon, - Feb 2004 -8- -
Subject: - improve -
From: ve.. at ..l.com

Link to comment

The line that probably got you is: Been detected sending mail to spam traps

When the spamtraps receive messages, the source is added to the blacklist much quicker than with manual reports. They also do not send out reports to the ISP.

To get more information, email the deputies at: deputies <at> spamcop.net with pretty much the same message you sent here.

In the meantime, most spamtrap messages by legitimate servers recently have been caused by bouncing virus reports or "cannot deliver" reports to the reply-to address, which is often forged.

Link to comment

Thanks!

I sent it to that address. We do not send "sender alerts" for viruses - we only notify our on-net users so I doubt that's it. It could be the non-deliverable reports but is there anything an ISP like us can do about those without breaking the SMTP RFCs?

Link to comment

I am no expert on the RFCs but my understanding is if you reject the message during the SMTP transaction (RCPT TO is not valid), the sending server itself gets the message and should know who authorized the send. Once you accept the message, it is very difficult to get the message to the actual sending party.

Perhaps the information from the deputies will clear it up more.

Link to comment

Good point.

The server that has become listed is a gateway server that only knows what domains it accepts mail for, not the actual mailboxes.

So it could potentially accept a message - pass it to virus scanning - and then hit the actual POP3 server and be rejected there. If that's the case the NDR would follow its path back out the same server but as a message instead of a fatal error in the original SMTP session.

Link to comment
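
The accept-then-bounce path described in the last two posts, as an added Python sketch that is not part of the original thread: it models a gateway that knows only its domains next to one that also knows the valid mailboxes, and records which envelope senders end up receiving an NDR. The `Gateway` class, `example.net` and the trap address are constructed for illustration.

```python
# Added illustration: a simplified model of a mail gateway, not real MTA code.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Gateway:
    domains: set                       # domains the gateway relays for
    mailboxes: Optional[set] = None    # valid recipients, if the gateway knows them
    ndrs: list = field(default_factory=list)  # addresses this gateway mailed an NDR to

    def rcpt_to(self, rcpt: str) -> int:
        """SMTP reply code returned during the session for RCPT TO."""
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain not in self.domains:
            return 550                 # not one of our domains
        if self.mailboxes is not None and rcpt.lower() not in self.mailboxes:
            return 550                 # unknown user, refused in-session
        return 250

    def deliver(self, mail_from: str, rcpt: str, backend_users: set) -> str:
        if self.rcpt_to(rcpt) != 250:
            # The connecting server receives the error; the gateway sends no mail.
            return "rejected-in-session"
        if rcpt.lower() in backend_users:
            return "delivered"
        # The backend refused after the gateway said 250, so the gateway has to
        # generate an NDR to the envelope sender, which spam commonly forges.
        self.ndrs.append(mail_from)
        return "bounced-after-accept"


def run(gateway: Gateway) -> list:
    """Feed constructed traffic through a gateway and return each outcome."""
    backend_users = {"alice@example.net"}
    traffic = [  # (envelope sender, recipient), both constructed
        ("friend@example.org", "alice@example.net"),
        ("trap@spamtrap.example", "nosuchuser@example.net"),  # forged sender
    ]
    return [gateway.deliver(s, r, backend_users) for s, r in traffic]


if __name__ == "__main__":
    for name, gw in [("domain-only", Gateway({"example.net"})),
                     ("mailbox-aware", Gateway({"example.net"}, {"alice@example.net"}))]:
        print(name, run(gw), "NDRs sent to:", gw.ndrs)
```

Only the domain-only gateway originates mail to the forged address, which is the message a spam trap would attribute to the gateway's IP.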