
Why are these NOT being blocked?


lsadmin

We have been using SpamCop to file received spam reports for a decade or more.

Recently, we have received a high volume of spam, to multiple email addresses all from plusserver.de. Netblock: 62.75.202.0 - 62.75.202.255

We have been reporting via SpamCop the spam that we receive from this source for well over 60 days at this point; however, NONE of the IPs we've reported, including the ones just reported in the previous 24 hours, are listed in the SpamCop blacklist. Why is this?

Here is a list of domains and IP addresses that have been used to send us UCE, specifically over the past 48 hours:

I'd like to know what's going on with this?


Hi, lsadmin,

...Sorry to hear of your problem.

...If I understand your question correctly, the answer will be found in the SpamCop FAQ Topic labeled "What is on the list?" especially the sections labeled "How the SCBL Works" and "SCBL Rules." Things to especially note:

  • SpamCop counts separate IP addresses as separate sources, so if you send 14 reports one against each server "owned" by plusserver.de, SpamCop does not count this as 14 reports against plusserver.de but, rather, one report against each IP address, as if each were "owned" by entirely different domains.
  • Reports from one user (for example, you) are not sufficient to list an IP address.
  • The number of reports by us reporters is compared to the total number of e-mails seen to be coming from the IP address in question and only those with a relatively high ratio of reports to total e-mails are likely to get on the blacklist.
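
Because the SCBL lists single IP addresses, checking whether reported sources are listed means one DNS lookup per address. The sketch below is an added example, not part of the thread and not SpamCop's code; `sample_resolver` and the 192.0.2.x addresses are constructed so it runs offline, and live use relies on Python's `socket.gethostbyname`.

```python
import ipaddress
import socket

SCBL_ZONE = "bl.spamcop.net"  # SpamCop's public DNSBL zone
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_name(ip, zone=SCBL_ZONE):
    """DNSBL query name: the IPv4 octets reversed, followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def is_listed(ip, resolve=socket.gethostbyname, zone=SCBL_ZONE):
    """True = listed, False = not listed, None = lookup failed (unknown)."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror as exc:
        # "No such name" is the normal answer for an address that is not listed.
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return False
        return None  # timeout or refused query: unknown, not "clean"
    # Listed entries answer inside 127.0.0.0/8; any other address means the
    # reply was rewritten by the resolver and cannot be trusted either way.
    return True if ipaddress.ip_address(answer) in LOOPBACK else None

def check_each(ips, resolve=socket.gethostbyname):
    """One query per address: a netblock has no listing status of its own."""
    return {ip: is_listed(ip, resolve) for ip in ips}

def sample_resolver(name):
    """Constructed stand-in for DNS so the example runs offline."""
    if name == dnsbl_name("192.0.2.10"):
        return "127.0.0.2"                      # constructed: listed
    if name == dnsbl_name("192.0.2.12"):
        raise socket.gaierror(socket.EAI_AGAIN, "temporary failure")
    raise socket.gaierror(socket.EAI_NONAME, "name not known")

if __name__ == "__main__":
    # Constructed sample addresses from the documentation range 192.0.2.0/24.
    for ip, state in check_each(["192.0.2.10", "192.0.2.11", "192.0.2.12"],
                                sample_resolver).items():
        print(ip, {True: "listed", False: "not listed", None: "unknown"}[state])
```

Against the live zone, 127.0.0.2 is the conventional DNSBL test entry (RFC 5782) and should come back listed; if it does not, the resolver is not reaching the zone and a "not listed" result means nothing.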


We have been using SpamCop to file received spam reports for a decade or more.

[snip abuse[at]plusserver.de reporting not effective]

I'd like to know what's going on with this?

Perhaps you may have success at forwarding as attachment to abuse[at]plusserver.de and certbund[at]bsi.bund.de

http://www.first.org/members/teams/cert-bund

Might be more reactive when they see they are being reported to CERT as well?


Aside from a SpamCop report you need to forward each spam as attachment to BOTH

abuse[at]colocrossing.com

AND

spam[at]uce.gov

In YOUR report show SpamCop tracking URL and other details like

"Unsubscribes don't work, just worsen attack" or whatever

You will probably only get "list washed" but spam should stop.

Edited by petzl

  • 2 weeks later...

Aside from a SpamCop report you need to forward each spam as attachment to BOTH

abuse[at]colocrossing.com

AND

spam[at]uce.gov

In YOUR report show SpamCop tracking URL and other details like

"Unsubscribes don't work, just worsen attack" or whatever

You will probably only get "list washed" but spam should stop.

Thanks, the additional reports to uce.gov seem to have helped to stop the spam


Thanks, the additional reports to uce.gov seem to have helped to stop the spam

The (or any) report needs BOTH the abuse address of the USA ISP and uce.gov

then include some details in message from SpamCop track

171.33.254.71 (Administrator of IP block - statistics only)

and the track

http://www.spamcop.net/sc?id=z5911068694zb...574452b2b32ba3z

plus message (I use a boilerplate text)

BOTNET ATTACK HOST

BLOCK OUTBOUND PORT 25, 
RESERVE FOR LEGIT EMAIL SERVER
CHANGE TO SECURE PASSWORD 
SCAN INFECTED COMPUTER FOR MALWARE

which becomes in report

http://www.spamcop.net/sc?id=z5911068694zbd5a8876fc583e92f3574452b2b32ba3z

171.33.254.71 (Administrator of network where email originates)

BOTNET ATTACK HOST

http://cbl.abuseat.org/lookup.cgi?ip=171.33.254.71

BLOCK OUTBOUND PORT 25,

RESERVE FOR LEGIT EMAIL SERVER

CHANGE TO SECURE PASSWORD

SCAN INFECTED COMPUTER FOR MALWARE


  • 6 months later...

This "serious" company is free of pain. For a few months I have been receiving spam from their "serious" customer, and I sent it all with the headers, first to the abuse address, later to all the eMail addresses of theirs that I could find. I also called them and talked with them in a nice way to resolve this problem. Later on I received this eMail from them:

Dear Mr xyx ,

I have escalated this issue to our ABUSE management.
I was told by the local colleagues that the case has now been passed to the appropriate support area for clarification and correction with the operator of the server (a reseller).

Yours sincerely

IST_DOCH_REGAL
- Head of Technical Support -

That was in the first week of January ... On 13 January I got another spam eMail from the customer, and one more time I gave them a phone call and they promised me to shut down the server until further clarification. At the same time I also forwarded this problem to an Executive Assistant. Ironically, the server was OFFLINE for half an hour, but somebody has probably noticed and turned the server on again, or the cleaning lady has cleaned the room.

So I informed them several times to stop this customer, but I think they say hello to my lawyer. ;)
