lsadmin Posted September 24, 2013

Hi,

We have been spamcop members for a very long time. Yesterday, I received this, in total, about one of our servers:

-----------------------------------
Subject: [spamCop] Alert IPs reported in past hour: 184.###.###.##
-----------------------------------

(I have manually munged most of the IP above.)

That's it, nothing more. Today, we were blacklisted at SpamCop. So I logged into my account here, and looked everywhere, all I could find is that the IP address was indeed blacklisted, but nowhere could I locate any detail, not even the barest munged summary with so much as a timestamp that would help us to determine which of our hosted member's account was responsible.

There has GOT to be something I am missing here, otherwise, it would be totally fruitless to be on the report receiving list. I've looked through most all of the FAQs but nowhere can I find any reference for email service providers receiving detailed reports from SC.

Please if anyone knows how I can get any detail about the report made against our server, please, please let me know.

Thanks very much.
turetzsr Posted September 24, 2013

Hi, lsadmin,

...Do I conclude correctly from the information you provided that you have a SpamCop ISP account? If so, I believe the summary information you describe receiving is by design. For a bit more on this, please see SpamCop FAQ (links to which appear near the top left of each SpamCop Forum page, which I guess you already know but I've added for the benefit of those who haven't already found their way to the FAQ) topic labeled "--> Additional data on ISP Accounts, Why can't I get more (actual) data?"

The real details come to you in the form of some of the SpamCop reports which are described in SpamCop FAQ topic "SpamCop Report Types," which are sent to the registered abuse address of the IP address that SpamCop identifies as the spam source. However, this applies only to SpamCop user reporting and the registered abuse address receives nothing if spam is sent only to SpamCop spam traps (see SpamCop FAQ article 'The SpamCop Checkblock page says: "System has sent mail to SpamCop spam traps...." How do I get information about spam trap hits?').

If you use the SpamCop Lookup Form and enter the IP address that is blacklisted, it will tell you whether there were spam trap hits and/or user reports in a section labeled "Causes of listing."

...Good luck with your follow-up on the spam coming from your system and thank you for taking spamming seriously!
petzl Posted September 24, 2013

> Yesterday, I received this, in total, about one of our servers:
> -----------------------------------
> Subject: [spamCop] Alert IPs reported in past hour: 184.###.###.##
> -----------------------------------
> (I have manually munged most of the IP above.)

IP address would help?

Go here put in IP and see what it says?
http://www.spamcop.net/bl.shtml

If it says

Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Then click link to SenderBase Lookup (you need to agree to terms before continuing)

It may be a user has a compromised computer infected with malware which scans for passwords, credit cards and so on!
lsadmin (Author) Posted September 24, 2013

Regarding, "..Do I conclude correctly from the information you provided that you have a SpamCop ISP account?"

Yes, and for a very long time.

When I log in, I see a Preferences tab, and then Report Handling Options. On the options page I am seeing "Show Technical Details during reporting"; however, the description seems to imply that these are details going out, rather than reports that may come in:

"SpamCop can reveal the logic it uses as it finds the right reporting parties for your spam. This can be helpful for advanced users who want to double-check SpamCop's logic, or for new users who want to learn from SpamCop's example."

Nevertheless, I will switch to "Show technical detail", just in case this helps. Then I will read the new FAQ entry you point out.

Thanks for your assistance.
lsadmin (Author) Posted September 24, 2013

Thanks, I wish I could say your response has helped, but so far, no good.

Our Senderbase reputation for this particular server IP is (green) Good.

We have very serious, multi-layered security implemented throughout.

Changing reporting types? I found the page where these preferences are set. Starting here: http://www.spamcop.net/fom-serve/cache/266.html

Excerpt, "You can elect to accept or refuse reports depending on their type (source of mail, web hosting, open relays, etc..)."

I wish the above were true, but when I go to Change your preferences here --> General settings, we have these selections:

Accept munged reports (default)
Frequency: Hourly
Sort: Most recent first
SpamCop format (But I have switched to ARF just in case this will help.)
Report Type selection (all set to Accept).

So in light of this, I am still wondering why we would receive only the barest of bare bones reports that a complaint has been made involving our server IP with absolutely no other detail?

By the way:

> Go here put in IP and see what it says?
> http://www.spamcop.net/bl.shtml
> If it says
> Causes of listing
> System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

There was no such link, text or detail presented after using /bl.shtml with this particular IP, while it was listed. It has been de-listed at this point, but I am VERY INTERESTED in determining why our server IP became listed.

Where in SpamCop can I find a history of complaints against this server IP, or even just the most recent one, and more importantly, where can I find even the slightest detail about the complaint? I don't care how munged it is. A timestamp? Anything, would help!

Thank you.

And also by the way, the sample report listed here: http://www.spamcop.net/fom-serve/cache/338.html ... is a world away, no, make that a universe away from what we are apparently able to receive from the SpamCop system.

So what am I missing here???
SpamCopAdmin Posted September 24, 2013

The account you are talking about is a spam reporting account, not an ISP services account.

If you will EMAIL the account login username and the IP at issue, I will be happy to look into this for you.

EMAIL: service[at]spamcop.net

- Don D'Minion - SpamCop Admin -
- Service[at]Admin.SpamCop.net -
petzl Posted September 24, 2013

> Thanks, I wish I could say your response has helped, but so far, no good.
> Our Senderbase reputation for this particular server IP is (green) Good
> Where in SpamCop can I find a history of complaints against this server IP, or even just the most recent one, and more importantly, where can I find even the slightest detail about the complaint? I don't care how munged it is. A timestamp? Anything, would help!
> Thank you.

"Senderbase score" is a different link to "SenderBase lookup"

If you first login to http://www.spamcop.net/
Then click "Site Map" and click SpamCop blocking list
put in your IP you want to check by clicking button "Numeric IP address"
then click "trace IP"
then click "[report history]"

You can select report history up to 90 days

If spam is NOT hitting spam traps you will see what it was

If it is hitting spamtraps it is often someone setting out of office bounces
http://forum.spamcop.net/scwik/AutoResponseSimple

Or you have a compromised account
lsadmin (Author) Posted September 24, 2013

Senderbase lookup is the one I used. Thanks for the reminder regarding senderscore. Currently at senderscore, I am seeing a score of 81 for the IP in question. The rest of it is all like this:

Blacklists - Low
Complaints - Low
Infrastructure - Low
Message Filtered - Medium
Sender Rejected - Low
spam Traps - 1
Unknown Users - Medium

All the Sending domains listed are SPF-Pass

That's it, no other useful detail, and no detail for the one hit to the spam trap.

Again, all I need right now is a little more information from SpamCop, so we can do something about the recent listing, a munged report, a date stamp?

Okay, with regard to the rest of your instructions:

> If you first login to http://www.spamcop.net/
> Then click "Site Map" and click SpamCop blocking list
> put in your IP you want to check by clicking button "Numeric IP address"

COMMENT: Okay I did that, here's the response: [IP HERE] not listed in bl.spamcop.net

> then click "trace IP"

COMMENT: Okay, I did that, but all I get are routing details, only useful if I were making the report against my own IP

> then click "[report history]"

COMMENT: No such link as "report history" anywhere on this page.

So again, I am stuck.

P.S. If I go to Past Reports, then view Report History: Last week, our IP in question does not show up. I only see the detail of all the spam reports that we have submitted (as a result of spam received here).
petzl Posted September 25, 2013

> If you first login to http://www.spamcop.net/
> Then click "Site Map" and click SpamCop blocking list
> put in your IP you want to check by clicking button "Numeric IP address"
> COMMENT: Okay I did that, here's the response: [IP HERE] not listed in bl.spamcop.net
> then click "trace IP"
> COMMENT: Okay, I did that, but all I get are routing details, only useful if I were making the report against my own IP
> then click "[report history]"
> COMMENT: No such link as "report history" anywhere on this page.
> So again, I am stuck.
> P.S. If I go to Past Reports, then view Report History: Last week, our IP in question does not show up. I only see the detail of all the spam reports that we have submitted (as a result of spam received here).

Go through what I said again

IF any non-spamtrap reports made you will see "report history"

log-in and click this link as example
http://www.spamcop.net/mcgi?action=showhis...d;val=527672667

You should see this screenshot available to paid members (Cisco gave 15 meg making old members paid)
https://dl.dropboxusercontent.com/u/50667687/SCBL.png
turetzsr Posted September 25, 2013

Hi, lsadmin,

...Please do not overlook what will be the most useful advice you have gotten so far, from the most knowledgeable (and powerful) and the only "inside" contributor: 85939.
lsadmin (Author) Posted September 25, 2013

> Hi, lsadmin,
> ...Please do not overlook what will be the most useful advice you have gotten so far, from the most knowledgeable (and powerful) and the only "inside" contributor: 85939.

Okay, but the only thing that has worked is that someone from SpamCop finally sent me, via email, a reduced header. Then I was finally able to see which email account was being used on this server to send spam.

You ask me not to overlook... What? I have carefully tried to follow all of the advice in this thread, and as far as I know there is absolutely no way to:

A - Increase the detail on the email reports we received from SpamCop.
B - Log into our account here to see the detail of the reports that have been made against our IP.

No complaints, I think SpamCop is one of the best defenses we have for battling this noxious issue. But why on Earth would SpamCop reps, insiders or not, want to be less than clear with supplying small email service providers like myself with the tools it would take to quickly shut down a spam transmission??????

I mean, sure, I grew up playing adventure games, looking for the slightest of hints that would lead to an answer, but so far as I can tell, this is one heck of an unresolvable problem. And I say this only after many hours of research today, and YEARS of being a reporting SpamCop member.
lsadmin (Author) Posted September 25, 2013

> Go through what I said again
> IF any non-spamtrap reports made you will see "report history"
> log-in and click this link as example
> http://www.spamcop.net/mcgi?action=showhis...d;val=527672667
> You should see this screenshot available to paid members (Cisco gave 15 meg making old members paid)
> https://dl.dropboxusercontent.com/u/50667687/SCBL.png

Sorry, I don't understand your response. Thanks for trying to help though.

Apparently this WAS the result of a password compromised email account that sent spam to a spam-trap. But you say, 'any non-spamtrap reports made you will see "report history"'.

Okay then, so you seem to be implying that, what? There are just going to be some spamcop reports we receive that will have ZERO detail? If so, then how would receiving such a zero detail report be of much use to any email service provider? That is, other than to become aware that there is an heretofore undetected breached email account on our end, out of possibly thousands.....

Sorry, I can't help but to think that there is still something here that I am missing. But perhaps not. At any rate, someone finally sent us the brief header we needed to locate the breached email account in question, that is, after many hours of asking questions and trying to locate the exact info we were finally sent.

So we are good for now, but holy-cow, there's just got to be a better way. Don't you agree?
turetzsr Posted September 25, 2013

> <snip> the only thing that has worked is that someone from SpamCop finally sent me, via email, a reduced header. <snip>

...Ah, good, glad that happened! Thank you for including that bit of good news.

> You ask me not to overlook... What? <snip>

...I noticed that you had replied to much of the posts from others but had not mentioned Don D'Minion's (SpamCopAdmin) post, above 85939. Which now seems less important because of the bit that someone from SpamCop has provided.

> But why on Earth would SpamCop reps, insiders or not, want to be less than clear with supplying small email service providers like myself with the tools it would take to quickly shut down a spam transmission?????? <snip>

...Because the very same information that can help you, provided in a public forum, can help spammers defeat SpamCop's algorithms. Private communications are much safer, and that is what Don D'Minion suggested.

> And I say this only after many hours of research today, and YEARS of being a reporting SpamCop member.

...Thank you very much for both of those, they are much appreciated!
lsadmin (Author) Posted September 25, 2013

Regarding, "...Because the very same information that can help you, provided in a public forum, can help spammers defeat SpamCop's algorithms. Private communications are much safer, and that is what Don D'Minion suggested."

Well of course, but I have also asked this in PM and direct email, and have scoured the extensive FAQs here, but still no dice.

I just hate to think that I will have to go through another entire day of this every time we receive a SpamCop report, which is very rare thank goodness, but while I am spending hours trying to find the info that SC has, the spammer continues to broadcast, so unless I am incorrect, the whole SC process fails in these somewhat common situations. No?
turetzsr Posted September 25, 2013

> <snip> I have also asked this in PM and direct email, and have scoured the extensive FAQs here, but still no dice. I just hate to think that I will have to go through another entire day of this every time we receive a SpamCop report <snip>

...Unless you skip all the relatively valueless scouring of the FAQ and posts to this forum (which are normally the right things to do but, not in this case!) and PMs and go right to contacting Don (and/or his fellow SpamCop Deputies at deputies[at]admin.spamcop.net)! They may be a bit slow at responding and you might even have to persist a bit but they are the people who can help you ... if you're hitting spam traps or SpamCop users are opting to not send reports to the abuse desk or you are not able to see reports to the abuse desk, the only people!
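
The thread's recurring problem is locating one compromised mailbox when the alert carries only an IP and "past hour". As an added example (not from any poster or from SpamCop), this ranks authenticated senders in the mail server's own log for the hour before the alert. It assumes Postfix smtpd lines containing `sasl_username=`, which the thread never states; the host names, accounts, addresses and the `min_msgs` threshold are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log shape: Postfix smtpd line recording an authenticated submission.
AUTH = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S*\[([^\]]+)\], sasl_method=\S+, sasl_username=(\S+)$"
)

def log_line(ts, ip, user):
    """Build one constructed sample line (not real log data)."""
    return (f"{ts} mx1 postfix/smtpd[2101]: 4F1A2B3C: client=unknown[{ip}], "
            f"sasl_method=LOGIN, sasl_username={user}")

# Constructed sample: carol submits every 5 minutes from rotating addresses.
SAMPLE_LOG = "\n".join(
    [log_line(f"Sep 23 14:{m:02d}:07", f"198.51.100.{10 + m % 3}", "carol@example.net")
     for m in range(5, 45, 5)]
    + [log_line("Sep 23 14:12:40", "192.0.2.20", "alice@example.net"),
       log_line("Sep 23 14:31:02", "192.0.2.20", "alice@example.net"),
       log_line("Sep 23 09:15:00", "192.0.2.33", "bob@example.net")]
)

def suspects(log_text, alert_time, window_hours=1, min_msgs=5):
    """Rank accounts by authenticated submissions in the window before the alert.

    Returns [(account, submissions, distinct_client_ips)], busiest first.
    Syslog timestamps carry no year, so the alert's year is assumed.
    """
    start = alert_time - timedelta(hours=window_hours)
    count, ips = defaultdict(int), defaultdict(set)
    for raw in log_text.splitlines():
        m = AUTH.match(raw.strip())
        if not m:
            continue  # not an authenticated-submission line
        ts = datetime.strptime(f"{alert_time.year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if start <= ts <= alert_time:
            count[m.group(3)] += 1
            ips[m.group(3)].add(m.group(2))
    hits = [(u, n, len(ips[u])) for u, n in count.items() if n >= min_msgs]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    for account, n, n_ips in suspects(SAMPLE_LOG, datetime(2013, 9, 23, 15, 0)):
        print(f"{account}: {n} submissions from {n_ips} client IPs")
```

An account that tops this list while logging in from several unrelated client addresses is the first candidate for a password reset and a check of its outbound queue.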
Archived
This topic is now archived and is closed to further replies.