michaell Posted January 30, 2004

With all due respect to Merlyn, the pinned post isn't very good as a FAQ - it's wordy and reads like a discussion (I didn't see it originally, but it was presumably written as part of a discussion). If it's going to be a FAQ, it could do with some work.

The content is mostly ok, but it makes assumptions that Spamcop's list only lists spammers, and also that the reader is an end-user whose ISP's outgoing server has been listed. Those assumptions are quite possibly right in 80% of cases, but that means you're giving irrelevant and/or incorrect information to some...

Jeff G. Posted January 31, 2004

I'll work on it. Suggestions of new language for any parts or the whole thing, anyone? Thanks!

michaell Posted January 31, 2004

> I'll work on it. Suggestions of new language for any parts or the whole thing, anyone? Thanks!

Well, if you don't do it before I have some time for it, I'll make some changes and post a revised version... probably not until next week though...

Jeff G. Posted January 31, 2004

Sure, any number can play!

WB8TYW Posted January 31, 2004

The FAQ post is oriented to a user whose ISP is blocked. It is not oriented to help a server administrator understand why their server might be listed.

I will go fetch my last posting on this from spamcop.help.

WB8TYW Posted January 31, 2004

This is a public self help newsgroup, I do not represent spamcop.net, and that is the case for many of the posters. This is my understanding of the process.

A listing in spamcop where someone complains here usually indicates one of the following in order of probability:

1. You have a security hole in your server or network. (almost always)
2. You have a user that has reported their own mail in a spam report by mistake. (Rare, but happens, usually when someone on your network automates their spam submissions without any manual verification)
3. Some bug in the spamcop parser caused your mail server to be reported as a spam source by a user of your mail server. (rare but happens in bursts)
4. You are actually sending spam, and are trying to convince people here that they should opt out of things that they did not opt into.

Most of this posting is dedicated to the first item. It is in everyone's interest to get real mail servers secured, so asking here for help in determining the cause of the listing will likely get you some help.

So the first step is to look up your I.P. address in the spamcop.net listing to see approximately how long you have been listed and if there are any sample reports. You will need to provide the I.P. of the server that is blocked. That should be in the rejection message. Posting your domain name will require a guessing game and that will delay any resolution of the problem.

That report used to give more details, but spammers were using it to be able to avoid being blocked. Now it may take a request for a deputy to look at what spam was sent, and they are the only ones that can look in a spamtrap.

Those of us that are not deputies can also look for other evidence. http://www.moensted.dk/spam/ will show if the I.P. address is listed in other lists, and those lists may provide what the real problem is.

Some of the lists specialize in listing certain types of spam exploits, or return codes identifying the exploit. For example if you have an open relay.

    + ORDB Open Relay DataBase: relays.ordb.org -> 127.0.0.2
      This mail was handled by an open relay - please visit <http://ORDB.org/lookup/?host=X.X.X.X>

Others may use http://www.google.com with the GROUPS search for your I.P. address. And still others may submit your server to relay and open proxy tests and post the results. And some may be able to determine from what the spam headers look like, what exploit. There is currently a spammer that is exploiting SMTP servers with guest accounts or other accounts with weak passwords.

The spamcop.net listing will expire automatically within 48 hours of the last report of spam from it.

Spammers will use any vulnerability that they can find in your network to use it to send spam. This includes open proxies installed by viruses, weak passwords or guest accounts on servers, and web forms that send mail. An open relay test is not sufficient to test your server.

There was one person here complaining of their mail server being blocked when they thought it was clean. It turned out that their firewall was not being a firewall, and the spammer was sending mail through the firewall to the mail server that got listed.

There was another that was a big mystery that turned out that the spammer was uploading a mail server to a vulnerability on a web server, making a spam run just long enough to get listed, and then removing the uploaded files, leaving no trace. The owner of the compromised server finally put a network monitor on the system, and caught the spammer in the act.

It may be worthwhile to find a good computer security person to perform an audit on your systems.

For cases 2 and 3:

Now if you are here because one of your own users reported your server by mistake, or a parser error, that should be evident from the sample headers. But unfortunately that now takes a deputy to investigate.

Also according to what deputies have posted in the past, spamcop.net users are not to report viruses, auto-acks, challenges from challenge response systems, or bounces. Those reporters are said to be warned, fined from paid accounts, or banned from using spamcop.net for reporting depending on the case.

If you are auto-responding to viruses, spamcop.net should not be listing you, but that is an extremely bad practice, and should be discontinued immediately. Those virus warnings are useless, and are not going to anyone that can stop the viruses from being sent to your network. Responding to them is just aiding the virus writer.

If you are bouncing undeliverable messages, or bad content, spamcop should not be listing you, but please change to using SMTP rejects. If you must bounce a message that can not be delivered, consider bouncing it to the postmaster of the I.P. address you received it from. That postmaster should be able to notify the real sender.

These types of things can also cause spamtraps to automatically list your server, and spamcop.net is not the only DNSbl that will list from spamtrap hits.

For case 4:

My main e-mail provider prohibits me from unsubscribing from unsolicited e-mail that I did not subscribe to. They will stop accepting e-mail from any network that allows spam to be sent, even if the spam claims to comply with the U.S. can-spam law.

-John
Personal Opinion Only

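The lookup described in the post above, as an added example that is not part of the original post: it pulls the blocked I.P. out of a rejection message, builds the reversed-octet DNSBL query name, and classifies the answer by return code. The sample bounce, the `dnsbl.example` and `wildcard.example` zones and the stub resolver are constructed for illustration; treating only 127.0.0.0/8 answers as listings is the usual DNSBL convention, assumed here.

```python
import ipaddress
import re
import socket

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DNSBL_ANSWER_NET = ipaddress.ip_network("127.0.0.0/8")


def candidate_ips(bounce_text):
    """Pull IPv4 addresses out of a rejection message, in order of appearance.

    127.x.x.x values are skipped: in a bounce they are DNSBL return codes,
    not the address of the blocked server.
    """
    found = []
    for text in IPV4_RE.findall(bounce_text):
        try:
            ip = ipaddress.IPv4Address(text)
        except ValueError:
            continue  # looks like an address but is not one, e.g. 999.1.1.1
        if not ip.is_loopback and str(ip) not in found:
            found.append(str(ip))
    return found


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_resolve(name):
    """A-record lookup via the system resolver; no answer gives an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def check_dnsbl(ip, zones, resolve=system_resolve):
    """Return {zone: (status, answers)} for one I.P. across several lists."""
    results = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        if not answers:
            status = "not listed"
        elif all(ipaddress.IPv4Address(a) in DNSBL_ANSWER_NET for a in answers):
            status = "listed"  # the last octet is the list's return code
        else:
            # An answer outside 127.0.0.0/8 is not a listing. It usually means
            # a wildcarded or parked zone, or a resolver rewriting NXDOMAIN.
            status = "invalid answer"
        results[zone] = (status, sorted(answers))
    return results


# Constructed sample data: a bounce in the shape quoted in the post, using a
# documentation address, and a stub resolver so nothing touches the network.
SAMPLE_BOUNCE = (
    "550 relays.ordb.org -> 127.0.0.2 This mail was handled by an open relay "
    "- please visit <http://ORDB.org/lookup/?host=192.0.2.10>"
)
STUB_DNS = {
    "10.2.0.192.relays.ordb.org": ["127.0.0.2"],
    "10.2.0.192.wildcard.example": ["198.51.100.7"],
}


def stub_resolve(name):
    return STUB_DNS.get(name, [])


if __name__ == "__main__":
    zones = ["relays.ordb.org", "dnsbl.example", "wildcard.example"]
    for ip in candidate_ips(SAMPLE_BOUNCE):
        for zone, (status, answers) in check_dnsbl(ip, zones, stub_resolve).items():
            print(ip, zone, status, ", ".join(answers))
```
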
Miss Betsy Posted February 2, 2004

IMHO, all the info about how to find out if you are blocked is telling them more than they want to know. The essential part is to explain about the use of blocklists to block spam, to tell them how to use web mail, and to contact their ISP with just enough information about the difference between blackhats and whitehats so that they will know whether to change email providers or accept the ISP's explanation. A draft follows.

Miss Betsy

Alternative boiler plate for "Why am I blocked?"

SpamCop doesn't block your email, the recipient's mail server blocks all email coming from a particular IP address. The blocking is based not on your email address (which looks like username[at]example.com), but on the IP address (which looks like 10.123.123.123). SpamCop publishes a list of IP addresses (called a blocklist) that have been reported as a source of spam. Many providers use this blocklist to protect their customers from spam.

If providers did not use blocklists, your recipient would receive dozens of spam emails as well as yours - if the listing was accurate. On the other hand, you have control over what email service you use - one that allows spam or one that does not.

It is annoying to have your email blocked. It is also annoying to have a backhoe interrupt email service. However, until the blocking problem is resolved, you can email people through a web based email service (the most familiar are hotmail and yahoo).

After you have taken care of the immediate problem of being able to communicate with someone by email, the next step is to see what can be done so this inconvenience does not happen to you again. The one thing you do not want to do is to complain to those correspondents who are using an email service that uses the SpamCop blocklist. They probably really like the reduction in spam! Your email service provider is the person to contact.

Your ISP may have already acted on the Spamcop report he has received by the time you call. It may just have been a mistake on his part or, possibly, the reporter's part. As soon as your ISP stops the spam from being sent, or uses the procedures at SpamCop to point out the reporter's mistake, the IP address is taken off the blocklist (usually within 48 hours for spam; immediately for reporter error).

It may be that your call is the first time your ISP has heard that SpamCop has listed your IP address. Listings are made, in addition to people reporting, automatically from spamtraps. If this is what has happened, urge your ISP to contact SpamCop and find out what the problem is.

If you are interested in finding out more about blocklists and exactly why your email was blocked, you may post in the web forum or in the spamcop newsgroup. You will need to know your IP address for people to understand what has happened. There are many people who will explain to you what has happened and what you can do.

Merlyn Posted February 2, 2004

> with all due respect to Merlyn, the pinned post isn't very good as a FAQ - it's wordy and reads like a discussion (I didn't see it originally, but it was presumably written as part of a discussion). If it's going to be a FAQ, it could do with some work. The content is mostly ok, but it makes assumptions that Spamcop's list only lists spammers, and also that the reader is an end-user whose ISP's outgoing server has been listed. Those assumptions are quite possibly right in 80% of cases, but that means you're giving irrelevant and/or incorrect information to some...

No problem. I have used it for about a year and a half. I would love to see a complete canned answer we could all point to.

WB8TYW Posted February 3, 2004

The portion of Merlyn's post that explains why DNSbls are used is secondary to the issue of why an address is on the list, and probably should be a link to a main discussion on why the I.P. address is on the list.

And who is actually blocking the mail is not relevant to a mail server operator that needs to know the reason that they are on the list.

And historically the majority of the mail server operators have some vulnerability that they either did not know about, or were convinced was not possible.

But it also is not fair to accuse or imply that the owner of a listed I.P. address is actually listed for spamming before checking the evidence available.

That is why I formatted my post the way I did. Granted it could use some polish, but I think that the points in it are needed.

michaell Posted February 4, 2004

ok... further revised version. Jeff - would you like to look over these and make an update? thanks

SpamCop doesn't block your email, the recipient's mail server blocks the email. The blocking is based not on your email address (which looks like username[at]example.com), but on the IP address (which looks like 10.123.123.123). Such an IP address is often called an IP for short.

People who get spam may use SpamCop to examine it for its IP source, to report it to providers, and to add spamming IPs to a database, the SpamCop blocklist. Spamming IPs are listed until they stop sourcing spam. Listing errors are unusual.

If your mail goes out from an IP on that list, many providers will block your mail along with spam. The delivery failure report usually names the IP. In order to talk about any listing, it is essential to know which IP has been reported and listed; only then may helpful information be obtained from the spamcop forum, webpages and faq, or newsgroups.

Am I listed?: You can check the status of any server by entering its address at http://www.spamcop.net/bl.shtml. The reason an IP is listed can also be obtained from that page.

SpamCop deputies have access to the full evidence for a listing. Usually the provider with the blocked IP has also been notified with the evidence of spam reports. Such a listing usually reflects a provider which hasn't prevented spamming through the IP. Deputies can delist IPs which are listed in error.

While your email system's IP is listed, it may be necessary to use some other mailing system to get your outgoing mail to a recipient. There are many free and pay mail services available.

jefft Posted February 4, 2004

> ok... further revised version. Jeff - would you like to look over these and make an update? thanks
>
> SpamCop doesn't block your email, the recipient's mail server blocks the email. The blocking is based not on your email address (which looks like username[at]example.com), but on the IP address (which looks like 10.123.123.123). Such an IP address is often called an IP for short.
>
> People who get spam may use SpamCop to examine it for its IP source, to report it to providers, and to add spamming IPs to a database, the SpamCop blocklist. Spamming IPs are listed until they stop sourcing spam. Listing errors are unusual.
>
> If your mail goes out from an IP on that list, many providers will block your mail along with spam. The delivery failure report usually names the IP. In order to talk about any listing, it is essential to know which IP has been reported and listed; only then may helpful information be obtained from the spamcop forum, webpages and faq, or newsgroups.
>
> Am I listed?: You can check the status of any server by entering its address at http://www.spamcop.net/bl.shtml. The reason an IP is listed can also be obtained from that page.
>
> SpamCop deputies have access to the full evidence for a listing. Usually the provider with the blocked IP has also been notified with the evidence of spam reports. Such a listing usually reflects a provider which hasn't prevented spamming through the IP. Deputies can delist IPs which are listed in error.
>
> While your email system's IP is listed, it may be necessary to use some other mailing system to get your outgoing mail to a recipient. There are many free and pay mail services available.

I would change and expand the first paragraph like this:

SpamCop doesn't block your email, the recipient's mail server blocks the email. Your email doesn't pass through SpamCop's mail servers and we have no way of blocking or bouncing your email.

The blocking is based not on your email address (which looks like username[at]example.com), but on the IP address (which looks like 10.123.123.123). Such an IP address is often called an IP for short. This IP address is assigned to the mail server you use, which is probably run by your internet service provider (ISP). You may share this same server with hundreds or thousands of their other customers. If one of their other customers is sending spam through that shared mail server, it will cause the IP address of that mail server to be put on the blocklist.

Hopefully this doesn't make it too wordy, but the #1 complaint, I think, is "why are you blocking me". We need to emphasize that the block isn't targeted at the individual who comes here complaining (in most cases).

Another possibility, maybe near the end or in the last paragraph is something like:

Responsible ISPs will remove spammers quickly from their systems. This keeps their mail servers from being blocked. If your own mail is blocked regularly, you may want to ask your ISP what they are doing about spam sent from their network.

JT

jefft Posted February 4, 2004

I'll just tag on here that I'm working on revamping the FAQ-o-matic system. I had originally hoped to integrate it with the help files found in this forum software, but they're too static. You can't have multiple levels of help and only the board admin can edit the whole thing.

So, I'm going to be updating the faq-o-matic software and probably moving it to this more powerful machine. I also hope to expand the number of people able to work on the FAQs. It's really easy to write and add a FAQ.

So, I'm aware there are issues with documentation. At least on the email side, stuff's pretty stable right now. So this is a good time to work on that.

JT

GreenLady Posted February 29, 2004

> Hopefully this doesn't make it too wordy, but the #1 complaint, I think, is "why are you blocking me". We need to emphasize that the block isn't targeted at the individual who comes here complaining (in most cases).

Can I make some suggestions? Firstly, not all the visitors speak English as a first language (viz the post from Very Angry, an Italian). So a word such as "recipient" or jargon such as IP or SMTP may be confusing. Perhaps a glossary would also help?

A really, really, newbie FAQ would be something like this (apologies for (A) the length and (B) if I have misunderstood anything about the way spamcop works - I've only been using it for about a month myself!):

1. SpamCop itself is not blocking your email. The Internet Service Provider (ISP) of the person, or business, you are sending email "To" is blocking email from one, or more, of your ISP's computers (servers), using a list provided by SpamCop.

2. This list comes from reports of "spam" (email which was not requested or subscribed to by the person receiving it), sent in by hundreds (thousands?) of people each day, submitted to SpamCop.

3. SpamCop looks at the email header and works out where the email actually came from. This is not usually the same as the "From" address that appears in your eMail reading program because "spammers" (companies that send spam, or people who do it on their behalf) forge the From line in the eMail (this is also known as "spoofing"). Other lists are generated from the IP address (Internet Protocol address - for example, 10.123.123.123 - the identity of a computer attached to a network, assigned by Internet organisations for each continent) of links in the eMail that the reporter suggests are the target of the advert. A listing is automatically added if a spammer sends eMail to a "spam trap" (an eMail address that is not used, nor published anywhere, so only gets eMail if someone is sending spam!).

4. Extracts from these reports are sent to the Internet Service Provider of the spammer. If more than 10 reports are made, or mail is sent to a spam-trap, then the server is added to the SpamCop list and other Internet Service Providers may start refusing to accept any eMail that originated from that server. This will include your emails, as well as the spammers'.

5. When an ISP receives a report, then they can investigate, take any action needed - such as closing the spammers email account, or fixing the hole in their system - and then tell the spamcop deputies (people who run the spamcop service) what action they have taken. The server can then be de-listed.

6. If the ISP ignores spamcop reports, then the server will remain listed for a number of days. If the spam ceases, then the server will be automatically delisted 48 hours after the last report (?). If the ISP has an "open relay" (a "hole" in their security system that allows spammers to insert their eMails into the internet traffic and appear to come from your ISP), then your ISP will keep getting reports until the hole is fixed (they may not know they have a problem, or, how to fix it). If the ISP is known to be "spammer friendly" (for example, their email abuse address listed with the continental IP allocation organisation is never read or the emails bounce back because it does not exist or is full), then it may not be delisted for months.

7. What can you do? Firstly, if your eMail was urgent, and must be delivered within 48 hours, consider using an alternative ISP for that email, such as Yahoo or Mail.com or Hotmail. Secondly, contact your ISP - their helpdesk should know who to call - and ask them what action they are taking. Thirdly, if you get an unacceptable response, consider changing your ISP.

8. If you think a mistake has been made, after you have taken the actions in (6), then raise it in this forum. It is mainly used by people who submit reports to SpamCop, but also by the SpamCop deputies. You will need to include the IP number in the "delivery failure" report and check if your ISP's server is still listed. To do this, go to http://www.spamcop.net/bl.shtml. Make a note of the reason for the listing. For example "Been reported as a source of spam about 30 times" "Been detected sending mail to spam traps" as this is important.

9. SpamCop Deputies have access to all the emails submitted to SpamCop. If there has been an error, then they can delist your ISP's server. They may also fine, or ban, the person who made a wrong report, for wasting people's time.

10. Please remember that this block is not aimed at you personally. Because there is no central address book for the internet - there is a limited number of IP addresses, so you, and the spammer, may get a different one each time you log-on - it has to be your Internet Service Provider who carries out the investigation and takes the action to address it. In the meantime, like post received without a stamp, the "post office" at the other end is at liberty to return the eMail in order to keep potential spam out of their eMail system and out of their customers' in-boxes.

Miss Betsy Posted February 29, 2004

> Can I make some suggestions? Firstly, not all the visitors speak English as a first language (viz the post from Very Angry, an Italian). So a word such as "recipient" or jargon such as IP or SMTP may be confusing.

That's a good thing to remember. Though I think "recipient" would probably be all right for translation. There isn't more than one meaning. It would be nice to have it translated also in the new FAQ.

> this (apologies for (A) the length and (B) if I have misunderstood anything about the way spamcop works - I've only been using it for about a month myself!):

I was going to compare your length with the one I put together today (in Spamcop Lounge - I edited the alternative I had posted to include some of the comments), but I am just too tired.

But I liked the links in the current FAQ to spamcop pages and certain posts to explain /how/ spamcop works. Some people may be interested, but most are so angry that first they need to know how to get their email sent and then what could be wrong and who to complain to and what to complain about. There are a lot of people who know about IP addresses and open relays, etc. who can really skip the FAQ or go to the link which is now there. That was in my new version.

But you are exactly the person who should be making comments since you are a "newbie".

Miss Betsy

WB8TYW Posted February 29, 2004

Greenlady,

The number of reports that it takes to make the spamcop.net blocklists varies based on the amount of e-mail measured from the server at various points. It is not a hard number. For mail servers that rarely hit the monitoring points, only one or two reports apparently are needed, and spamtrap hits count double.

-----

The pinned topic under discussion was recently changed.

There are really three issues that need to be explained separately, and probably require people to go down separate links to get their answers. If you try to give too much information at once, it will overload them. With HTML done properly, you can spoon feed them a bit at a time, and let them follow links for more information.

1. I run a mail server, why is it on the spamcop.net blocking list?

Quick Answer:
   1. Check for a spammer exploit (most likely)
   2. Check for a reporting error.

2. I am a user, why is my mail blocked?

Quick Answer: Ask your ISP about the status of their mail servers. Here is how you can look up how long your ISP should have been getting complaints and allowed the problem to occur.

[Provide links for looking up spam reports from spamcop.net, google for news.admin.net-abuse.sightings, and how to lookup MAPS-OPS reports]

The spamcop.net blocking list is considered very aggressive and will sometimes list a spam source before it could reasonably react to a spam report, or will list based on spamtrap hits where a mail server will not get advanced notice.

[In a link for extended information]

In most cases, it is shown that when a real mail server is blocked, the ISP controlling it has been receiving reports about the problem for at least a week. And for an ISP that provides 24 hour operation, they should be able to stop a spam source in less than an hour after getting a report. And a spam source on their network costs them operational cash, so if they do not shut it down as soon as they are notified about it, they have to cover the costs somewhere, and that usually means either cutting your service, or raising your rates.

3. Why is mail being blocked by I.P. addresses?

Quick Answer: Medium to large e-mail servers pay a metered rate based on the amount of e-mail that they receive. To accept potential spam and filter it increases their costs. Most ISPs will use some sort of blocking to cut their costs. The faster a spam source can be identified, and the more spam blocked, the more money saved.

[In a link with extended information]

We are talking thousands of dollars per month on this in most cases. And all a mail server operator has to go on is the I.P. address of the server sending them the e-mail to go on to decide if they want to pay for the e-mail or not. They do not even know how much it will cost them until they agree to accept the e-mail.

A responsible mail server operator will take quick action to stop or prevent spam from being sent. If your mail server operator is not able to keep spam from coming from their server, why should a receiving mail server operator pay extra costs to separate the real e-mail from the spam.

Some mail servers are run by non-profits and cooperatives, and they can not afford to incur the overhead of processing any spam that could be avoided.

And optionally add a fourth topic:

4. Why not just let the end user decide?

   1. To do that requires that the mail server operator accept all even the spam. Current measurements are showing about 2 spam delivery attempts for every real e-mail, so doing so for many mailserver operators will triple their cash costs. These costs can easily be thousands of dollars per month and refusing e-mail from networks that allow spam is the only way to avoid them.

      Now do you really think that the majority of the users of a mail server will agree to pay an extra 5 to 10 dollars a month so that they can delete an average of 2 spams for every real e-mail that they get?

      Or which employee should be laid off to cover the increased cost for operating the corporate mail server? For a large company, that cost could easily be 48 thousand per year or more, if anyone is doing accounting at that level.

   2. If the end user or a content filter makes an error on what is spam or not, neither the sender nor the receiver is notified. When a real e-mail is stopped from a blocking list, the sender gets notified if at all possible.

   3. Users are more likely to have real e-mail rejected because they can not delete the spam fast enough.

   4. Some users will do stupid things with spam that they get, including trying to bounce it back to the sender with a spam filter that contains a "fake bounce" feature. All that does in most cases is send the spam to some innocent victim that the spammer has picked. If it does go to the spammer, they can easily tell it is a fake bounce and they will know that the address is valid.

A lot has been written on the subject, what is really needed is to get it presented in the most usable form.

-John
Personal Opinion Only

Miss Betsy Posted February 29, 2004

I am posting a revised FAQ in the Spamcop Lounge under the topic: Why Am I blocked FAQ - Revised. I have tried to incorporate others' suggestions and the links to further information. Comments welcome!

Miss Betsy

Archived
This topic is now archived and is closed to further replies.