Why is my mailserver blacklisted


Intrex.Net

I am the abuse contact for 209.42.192.236 - the primary mail server for Intrex.Net. We are currently listed via bl.spamcop.net, but I have not received any notifications to either of the email addresses listed of spamcop reports. The explanation given by spamcop's page is:

# Been detected sending mail to spam traps

# Been witnessed sending mail about 480 times

What spam traps have been sent mail?

What users sent this mail?

Where can I get headers for these messages so I can stop the problem if it's legitimate?

Why was I blacklisted without even the courtesy of warning me that there was a problem first? I don't expect days or even many hours to respond, but at least an email letting me know we were blacklisted would be the minimum of consideration I would expect.

Sincerely,

Aaron S. Joyner

System Administrator

Intrex.Net Internet Services

abuse at you can figure it out dot net


Same problem for us. I'm abuse[at]infomaniak.ch and receive several complaints reporting that one of our 3 mail servers, 212.23.249.98, is being blacklisted by Spamcop. No spam report messages have been received, we're not listed anywhere else, and the spamcop tool only shows the same useless message that reports have been sent. What reports? About which message? How can we react to spam reports if we can't even know what this is all about?

Please answer as soon as possible as we're processing more than 1,000,000 messages a day and one server blacklisted is really painful, especially when we're so aggressive against spammers amongst our own customers!

Furthermore, I've looked at this IP and the other two we maintain as our mail servers and they're all above 620% of volume for each IP and only one is blacklisted.


And how could you fight the source of spam if it is unknown to you, the sysadmin? We're hosting more than 17,000 domains and managing 150,000 email addresses. Without knowing the identified source of spam, we can't do a thing. And being blacklisted without further info is really useless.


If you are aggressive against spammers, and the spam has only been reported by spamtraps, then the likelihood is that there is a user with a compromised machine on your network, or you send automatic virus notifications or other notifications.

You might be able to find the source yourself by looking at outgoing logs on other ports than the usual ones.

Try emailing deputies <at> spamcop.net. They are the only ones who can see what has been sent to a spamtrap. And unfortunately, since spam traps are not human, they don't send reports. The reason is that since spamtraps are not real email addresses, they only receive emails from senders who have 'harvested' them. But the biggest reason is that spammers were using the reports to get around being blacklisted.

Hope you get it fixed soon.

Miss Betsy


As an Intrex.net dial-up customer, I'm interested as well.

It shows the server has been sending to spam traps. Is there an anti-virus program sending automatic replies to (usually) forged senders? That seems to be the culprit quite often.


We do use Amavisd-new and ClamAV on our front end mail servers. They do send virus reports when appropriate. They do not send virus reports for viruses which are on a list of viruses known to forge the sender address. That list is human-maintained (by me personally) and occasionally a bit behind the virus definitions. I don't believe that's the case in this situation, although I appreciate the suggestion. If someone (one of the deputies) could confirm what the message was, or at least the headers of it, then perhaps I could say for sure...

After 24 hours I find it to be quite unreasonable and irresponsible that we have received no notification from SpamCop that we were blacklisted, with no information or evidence presented as to why. In my opinion, it is equally irresponsible that people are using only SpamCop reports to do absolute rejection on production mail systems. Tagging and weighting, fine, sure. Flat-out mail rejection based on that one test? Clearly a bad idea.

Aaron S. Joyner

System Administrator

Intrex.Net Internet Services


I agree with you that 'no notification' is not a good thing. However, what other blacklists send notifications? It might not be a bad idea for admins to periodically check the bl just so they don't get surprised since the spammers have, again, rendered normal netiquette useless.

Spamcop uses its bl for tagging. What other people use it for is up to them. Actually, I like the idea of blocking rather than tagging because it does alert people that messages are not going through and that there is a problem. In this case that is the notification that you want. Tagging usually results in deletion with no notification.

I hope that you have heard from the deputies (again, a delay caused by the spammers who used 'evidence' to prevent blocking of their spew).

Virus notifications are good, if they go to the appropriate person. So few of the current viruses don't forge the return path, that perhaps it is not worth it to continue the notifications. Or to take the time spent updating the list, to look at the headers instead and send emails to the appropriate abuse desk. Only one per desk is usually necessary.

Miss Betsy


We do use Amavisd-new and ClamAV on our front end mail servers.

You mention "front end mail servers". If mail comes in to a non-existent address, do the "front end mail servers" reject the message, or is it accepted and then a NDN (nondelivery notification) sent? NDN bounces (aka backscatter) to spam traps can get you listed.


I agree with all the other mail servers here. We are a small ISP in Maine that has taken extraordinary means to stop use of our mail servers by spammers, both internal and external, and to limit the effects of viruses from within and outside of our network. We are getting many more emails from Spammers with one of hundreds of legitimate domains on our server and with forged reply-to addresses. Those bounces are the problems. How is it that ISPs have to limit DSNs on these without hitting the spamtraps?


I agree with all the other mail servers here. We are a small ISP in Maine that has taken extraordinary means to stop use of our mail servers by spammers, both internal and external, and to limit the effects of viruses from within and outside of our network. We are getting many more emails from Spammers with one of hundreds of legitimate domains on our server and with forged reply-to addresses. Those bounces are the problems. How is it that ISPs have to limit DSNs on these without hitting the spamtraps?

It's a classic argument.

I would say that mail server operators need to configure their mail servers in such a way as to *not* generate AV, NDN, and DSN notices. I understand this can be complicated, but these days it's what's needed to be a good member of the internet community. Everyone needs to take responsibility for their own networks to not pollute the internet.

If you don't, you are contributing to mail box clutter. Why is it that I have to deal with bounces from poorly configured servers to messages that I didn't send in the first place?


I am the abuse contact for 209.42.192.236 - the primary mail server for Intrex.Net.  We are currently listed via bl.spamcop.net, but I have not received any notifications to either of the email addresses listed of spamcop reports.  The explanation given by spamcop's page is:

# Been detected sending mail to spam traps

# Been witnessed sending mail about 480 times

What spam traps have been sent mail?

What users sent this mail?

Where can I get headers for these messages so I can stop the problem if it's legitimate? 

Why was I blacklisted without even the courtesy of warning me that there was a problem first? I don't expect days or even many hours to respond, but at least an email letting me know we were blacklisted would be the minimum of consideration I would expect.

Sincerely,

Aaron S. Joyner

System Administrator

Intrex.Net Internet Services

abuse at you can figure it out dot net

I think you wrote us about this and I already responded? If not write to the address in my sig.


And how could you fight the source of spam if it is unknown to you, the sysadmin? We're hosting more than 17,000 domains and managing 150,000 email addresses. Without knowing the identified source of spam, we can't do a thing. And being blacklisted without further info is really useless.

You wrote to deputies and I have responded to you.


We are a small ISP in Maine that has taken extraordinary means to stop use of our mail servers by spammers, both internal and external, and to limit the effects of viruses from within and outside of our network.

The entire internet community thanks you for your efforts.

We are getting many more emails from Spammers with one of hundreds of legitimate domains on our server and with forged reply-to addresses.

That is happening to everyone.

Those bounces are the problems. How is it that ISPs have to limit DSNs on these without hitting the spamtraps?

If you reject the invalid email addresses at the SMTP level, the sending server will generate the DSN to their valid user who sent a valid message to an invalid address. Any open relay redirecting spam to your servers will probably drop the reject on the floor, not notifying the spammer, which is why he inserted the fake return address in the first place.

Only when you accept the message and then generate the "bounce" on your machine is it impossible to be sure the DSN is getting where it really needs to go. Please turn off this "feature" of your email/virus scanning software.

In this way, there is no way for a DSN to reach either a spamtrap address or the address of an innocent third party (which the spamtrap addresses actually are).

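One way to answer the "which of our messages hit the traps?" question raised above, and to check whether a server is still generating the accept-then-bounce DSNs and AV notices that the reply about SMTP-level rejection warns against: this is an added example, not code from this thread or from SpamCop, and it assumes constructed Postfix-style log lines plus made-up values for the hosted domains (LOCAL_DOMAINS) and the scanner's notification sender (NOTIFIER_SENDERS).

```python
import re
from collections import defaultdict

# Assumptions (constructed for this example): domains this server hosts, and the
# envelope sender its virus scanner uses for notifications.
LOCAL_DOMAINS = {"example.net", "example-customer.com"}
NOTIFIER_SENDERS = {"virusalert@example.net"}

# Constructed Postfix-style log excerpt. The queue ID (4F2A1B, ...) links the qmgr
# "from=" line to the smtp/local "to=" line; from=<> is the null sender every DSN carries.
SAMPLE_LOG = """\
Mar  3 10:01:02 mx1 postfix/qmgr[2211]: 4F2A1B: from=<>, size=2310, nrcpt=1 (queue active)
Mar  3 10:01:03 mx1 postfix/smtp[2290]: 4F2A1B: to=<jsmith@forged.example>, relay=mx.forged.example, status=sent (250 OK)
Mar  3 10:01:05 mx1 postfix/qmgr[2211]: 4F2A1C: from=<alice@example.net>, size=800, nrcpt=1 (queue active)
Mar  3 10:01:06 mx1 postfix/smtp[2290]: 4F2A1C: to=<bob@partner.example>, relay=mx.partner.example, status=sent (250 OK)
Mar  3 10:01:08 mx1 postfix/qmgr[2211]: 4F2A1D: from=<>, size=1900, nrcpt=1 (queue active)
Mar  3 10:01:09 mx1 postfix/local[2301]: 4F2A1D: to=<carol@example.net>, relay=local, status=sent (delivered to mailbox)
Mar  3 10:01:11 mx1 postfix/qmgr[2211]: 4F2A1E: from=<virusalert@example.net>, size=1500, nrcpt=1 (queue active)
Mar  3 10:01:12 mx1 postfix/smtp[2290]: 4F2A1E: to=<victim@forged.example>, relay=mx.forged.example, status=sent (250 OK)
"""

LINE_RE = re.compile(r"postfix/(?:qmgr|smtp|local)\[\d+\]: (?P<qid>\w+): (?P<field>from|to)=<(?P<addr>[^>]*)>")

def parse_queue(log_text):
    """Map each queue ID to its envelope sender and to the recipients it was delivered to."""
    senders, recipients = {}, defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        if m["field"] == "from":
            senders[m["qid"]] = m["addr"].lower()
        else:
            recipients[m["qid"]].append(m["addr"].lower())
    return senders, recipients

def find_backscatter(log_text, local_domains=LOCAL_DOMAINS, notifier_senders=NOTIFIER_SENDERS):
    """(queue_id, sender, recipient) for mail this server generated itself (null-sender
    DSNs and AV notices) and sent off-site: that is what lands on forged addresses."""
    senders, recipients = parse_queue(log_text)
    hits = []
    for qid, sender in senders.items():
        if sender != "" and sender not in notifier_senders:
            continue  # relayed for a real user, not generated here
        for rcpt in recipients.get(qid, []):
            if rcpt.rpartition("@")[2] not in local_domains:
                hits.append((qid, sender or "<>", rcpt))
    return hits
```

A bounce that stays on-site (4F2A1D) is not flagged; only the DSN and the AV notice that left for the forged domain are, and those are exactly the messages that disappear once invalid recipients are rejected during the SMTP session instead of after acceptance.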

Well, IIUC what you are saying correctly, you are not taking into account the hundreds (thousands) of people who not only get spam directly but also get the bounces from those spam that use their forged email address.

I am not an admin so I don't understand this problem from the admin side. IIUC, the reason that emails are accepted and then bounced to the return path is because some people want to send email from other places, but have it returned to their inbox. I admit that I don't quite know how that works or how often it is done, but ISTM, that that particular facet of email has also fallen victim to the spammers' irresponsible intrusion into email. People will either have to realize that they won't know if emails are delivered or not if they use that system or stop doing it. ISTM, that there would be many more people inconvenienced by getting email bounces for forged return paths than there would be people who are using different return paths for legitimate reasons who would be getting an undeliverable email bounce.

And anyway, spamcop does not allow reporting of those bounces. I guess that if they hit spamtraps, an IP address gets listed until the admin responds, but I would think that even if spamtraps report them, spamcop would immediately delist since it is against policy. But maybe not.

Miss Betsy


I did not receive your response. Did you send it to abuse at the domain in question (intrex dot net)?

Aaron S. Joyner

System Administrator

Intrex.Net Internet Services

Ellen is but one of a small handful of Deputies. She'd already responded with "I think I responded" .... and she's experienced enough to guess that if she responded, it would have gone back to the address that sent the e-mail .... catch is, she may have also meant that she believes that 'someone' responded, i.e. one of the Deputies ....

This web-based thing is really seen by them when they get the time or they get a heads up that they are needed ... so as she's already popped in here, tried to answer, my guess is that she's back to handling her e-mail ... if you haven't seen a response (again check the account of whoever sent the original e-mail to Deputies) .. you may want to drop another note in their direction. On the other hand, there are times that they are behind the power curve of all their incoming 'requests for special attention' <g>


Since you are anti-spam, then the reasons have already been explained in the FAQ and the posts to this thread.

If you haven't been able to find the problem yourself, then you may have to wait (or find) the deputies' answer to get delisted.

There are other small ISPs who are usually willing to give suggestions on where to look if you want to ask for suggestions. Many are not willing to take the time for someone who just thinks it is unfair that they were listed. Sometimes you can google your IP address in nanas and find an example - particularly if it is a compromised machine.

Miss Betsy


I see another instance that may have led to Ellen's "I think I responded" .... at least one of the "posters with issues" also posted the same query over in the newsgroups ... so we've got the same thing going over there, thus the "did I or didn't I" question ....


Archived

This topic is now archived and is closed to further replies.
