
Spamcop blocking my messages


Microlink


I maintain an email list for an organization I belong to. As of today I have started to be unable to send mail to certain members and it indicates that the reason is that Spamcop has somehow listed my ISP as generating spam.

I send no mail to anyone that has not provided me their email address.

Please remove my ISP from the list or provide some justification for this, this is inhibiting a non profit organization from effectively communicating with its membership.

IP address is below.

63.173.164.8

Should I have the ISP contact you to initiate remediation of this?

Thanx .


MicroLink,

Looks like at least 2 of your recipients thought it was spam. Here's the info that Spamcop has to report about your server. Not much data yet.

Do you operate a confirmed opt-in list? That would help.

...Ken

Query bl.spamcop.net - 63.173.164.8

DNS error: 63.173.164.8 is culverin.microlnk.com. but culverin.microlnk.com. has no DNS information


63.173.164.8 listed in bl.spamcop.net (127.0.0.2)

Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users. It has been sending mail consistently for at least 68.7 days. It has been listed for less than 24 hours.

* In the past week, this system has: Been witnessed sending mail about 40 times


As the BL reference page currently makes no mention of spamtrap hits, and the "mole reporter" thing seems to have changed, then it would seem likely that your ISP already has copies of the SpamCop reports/complaints. Reports would have gone to the crazy address of;

Parsing input: 63.173.164.8

host 63.173.164.8 = culverin.microlnk.com. (cached)

Reporting addresses:

jimb[at]concordei.com

The lack of a non-standard abuse address probably fits right in with the DNS issues.


Hello. I'm the new system administrator for MicroLnk, I've been here a little over two months now. Late this afternoon, I got a call from one of our helpdesk people about mail being blocked. Spamcop was mentioned. A sample rejected message was forwarded to me, and I headed to spamcop.net and started looking more closely at the situation. I've used Spamcop myself, off and on, for reporting spam, and as a fairly long-time sysadmin, I'm quite familiar with blackhole lists.

After looking at the FAQ on how to get cleared from the list, I see talk about posting information in the forums. Well, imagine my surprise when I get into the forum, one of the most recent posts is... about us!

In the last two months, I've already done a lot to tighten security and clean up the server situation. The company I used to work for, for almost ten years, had their systems run by a guy who was basically Mr. Fort Knox when it came to security, and I've always agreed that things should be completely air-tight.

First thing I did just now was to update DNS to more accurately reflect the name (and IP) of our residential mail server. The forward and reverse mappings are now correct. "Culverin" is merely the internal name for the residential mail server, which is really just mail.microlnk.com. 63.173.164.8 should now resolve to mail.microlnk.com and vice versa.

This is currently on a Redhat 9.0 box, using the sendmail-8.12.8-9.90 RPM. (I am just about to replace this with Postfix, in fact. Partially for greater security, partially for more straightforward management and configuration, and partially to begin implementing stronger anti-spam measures. So today's situation is ironic.)

I can't say I've gone over the current Sendmail security with a fine-toothed comb. But unless I am mistaken, I think at the very least it is not an open relay. I would like to resolve the issue quickly if possible, as this is the main mail server for our residential customers. We do have a valid abuse address, but right now it redirects only to the root mailbox. Same as postmaster, so there are still large numbers of failed deliveries in it. I've gone through and cleaned out the mailboxes, though -- thousands of lingering messages -- and I do not recall seeing any Spamcop complaints.

(I'm familiar with what those look like as well, I saw one or two of them at the earlier mentioned company, which was also an ISP.) So I'm disappointed to be first learning of this issue by having our primary server blacklisted. I think the reporting party didn't realize this was our main residential server, due to the name that showed up, before I changed our DNS. It looks like that report must have come from someone at our parent company! I'm waiting on a couple of return phone calls right now, to check on this.

What can we do to move forward on the issue? Must we wait the 48 hours for the entry to expire, like the FAQs say? Is there anything else I need to do to secure the server itself, or is this more of a TOS-related issue? I'm 110% behind the fight against spam, don't worry about that. I also worry about false positives, though, it is important to avoid those.

Thanks.

--

System Administrator,

MicroLnk
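The forward/reverse DNS check described in the post above, together with the bl.spamcop.net lookup quoted earlier in the thread, as an added example that is not part of the original thread. The function names are illustrative, the record sets are constructed from the values quoted in the thread, and the "after" set assumes the listing has since expired.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """Build the DNSBL lookup name: reversed IPv4 octets prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_reverse(ip):
    """PTR lookup via the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """A lookup via the system resolver; empty list when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_mail_host(ip, reverse=system_reverse, forward=system_forward):
    """Return the PTR name, whether it is forward-confirmed, and any DNSBL answer."""
    ptr = reverse(ip)
    ptr = ptr.rstrip(".") if ptr else None
    # Forward-confirmed reverse DNS: the PTR name must resolve back to the same IP.
    confirmed = bool(ptr) and ip in forward(ptr)
    answers = forward(dnsbl_query_name(ip))  # listed hosts answer in 127.0.0.0/8
    listed = next((a for a in answers if a.startswith("127.")), None)
    return {"ptr": ptr, "fcrdns": confirmed, "dnsbl": listed}

# Constructed records modelled on the thread: PTR without a matching A record
# and a 127.0.0.2 listing (before), matching PTR/A and no listing (after, assumed).
BEFORE = {"ptr": {"63.173.164.8": "culverin.microlnk.com."},
          "a": {"8.164.173.63.bl.spamcop.net": ["127.0.0.2"]}}
AFTER = {"ptr": {"63.173.164.8": "mail.microlnk.com."},
         "a": {"mail.microlnk.com": ["63.173.164.8"]}}

def check_offline(zone_data, ip="63.173.164.8"):
    """Run the same check against a dict of records instead of live DNS."""
    return check_mail_host(ip,
                           reverse=lambda i: zone_data["ptr"].get(i),
                           forward=lambda n: zone_data["a"].get(n, []))

if __name__ == "__main__":
    print("before:", check_offline(BEFORE))
    print("after: ", check_offline(AFTER))
```

Calling `check_mail_host("63.173.164.8")` with the default arguments runs the same checks against live DNS through the system resolver.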


What can we do to move forward on the issue?  Must we wait the 48 hours for the entry to expire, like the FAQs say?

This may not be a lot of help, but the time on the SCBL is a maximum of 48 hours after the last spam was sent. AIUI the algorithm takes a number of factors into consideration so you could find the IP removed sooner, perhaps at any time.

Spam reports concerning 63.173.164.8 would be sent to jimb[at]concordei.com; if you contact him he may be able to provide you with information as to why the IP was listed in the first place.


Oh, I see now. I thought the concordei.com address was who sent in the complaint. So what that really means is I need to go update our WHOIS record so we get sent any complaints more directly than this.

And thanks for the deputies address, I'll check in with them.

--

System Administrator,

MicroLnk


Oh, I see now.  I thought the concordei.com address was who sent in the complaint.  So what that really means is I need to go update our WHOIS record so we get sent any complaints more directly than this.

In particular - the ARIN whois records.

It would also be in your best interests to update the abuse.net records. Information at http://abuse.net/lookup.phtml?DOMAIN=microlnk.com

