rols Posted June 15, 2004

One of our own users sent a bunch of mails to spamcop and got us blocked. The mail arrived at our server and was then forwarded out to the user, who then reported it. Having looked at the original email and the Logic report I don't understand why this resulted in a block for us. Perhaps someone can explain. Here is the url for the particular block.

These are the relevant lines from the header:

Received: from qs384.pair.com (qs384.pair.com [216.92.131.249]) by radonc.ccf.org (SGI-8.12.5/8.12.5) with SMTP id i5ENBbZo989570 for <x>; Mon, 14 Jun 2004 19:11:37 -0400 (EDT)
Received: (qmail 42589 invoked by uid 3002); 14 Jun 2004 23:21:14 -0000
Delivered-To: copa-cirruspilots:org-x
Received: (qmail 42582 invoked from network); 14 Jun 2004 23:21:13 -0000
Received: from d216-232-37-17.bchsia.telus.net (216.232.37.17) by qs384.pair.com with SMTP; 14 Jun 2004 23:21:13 -0000
X-Message-Info: GJVBK+nj94+yx+YUW+048/4173407544589
Received: (qmail 99606 invoked by uid 37); Mon, 14 Jun 2004 23:24:16 -0100
Date: Mon, 14 Jun 2004 17:17:16 -0700

So the mail was delivered to qs384.pair.com, then sent back out again to the final recipient. The originating address was something in telus.net. I looked at the Logic report and have picked out a few lines from it:

216.92.131.249 is an MX for qs384.pair.com
216.92.131.249 is mx
Received line accepted
Relay trusted (pair.com)
..
Possible spammer: 216.232.37.17
Possible relay: 216.92.131.249
216.92.131.249 not listed in relays.ordb.org.
216.92.131.249 has already been sent to relay tester

Firstly - is it correct that our server is even identified as a possible relay in this circumstance? It shows the mail as delivered so is there any other possibility than a local .forward (which is what this was)? Secondly, further up, it already says that pair.com is a 'trusted relay'. Thirdly, I didn't think you listed relays anyway.

I already talked to the user and asked him NOT to report spam which is forwarded through this account. I still don't understand however why our address was deemed to be the culprit here.
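The walk the parser is doing over those Received lines, as an added example (not SpamCop's code): it reads the chain from our own MX outward, skips hops whose sending IP is a relay we declare trusted (the pair.com forwarder), checks that each hop was logged by the host the previous hop named, and reports the first untrusted sender as the origin. The header lines are the ones quoted above; the trusted set and function names are assumptions.

```python
import re

# Constructed sample: the Received lines quoted in the post, in header order
# (the most recent hop, our own MX, comes first).
RECEIVED = [
    "from qs384.pair.com (qs384.pair.com [216.92.131.249]) by radonc.ccf.org "
    "(SGI-8.12.5/8.12.5) with SMTP id i5ENBbZo989570 for <x>; Mon, 14 Jun 2004 19:11:37 -0400 (EDT)",
    "(qmail 42589 invoked by uid 3002); 14 Jun 2004 23:21:14 -0000",
    "(qmail 42582 invoked from network); 14 Jun 2004 23:21:13 -0000",
    "from d216-232-37-17.bchsia.telus.net (216.232.37.17) by qs384.pair.com with SMTP; "
    "14 Jun 2004 23:21:13 -0000",
    "(qmail 99606 invoked by uid 37); Mon, 14 Jun 2004 23:24:16 -0100",
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_BY = re.compile(r"^from\s+(\S+)\s+(\([^)]*\))?.*?\bby\s+(\S+)", re.S)

def parse_hop(line):
    """Return (claimed_sender, sender_ip, receiver) for a network hop, or None for
    a local hand-off such as qmail's 'invoked by uid' lines."""
    m = FROM_BY.match(line)
    if not m:
        return None
    # The IP in the parenthesised comment is what the receiving MTA saw on the
    # wire; the bare name before it is asserted by the sender and not trusted.
    ip = IPV4.search(m.group(2) or "")
    return m.group(1), (ip.group(1) if ip else None), m.group(3).rstrip(";")

def find_source(received, trusted_relays):
    """Walk the chain outward from our MX. A hop whose sender IP is a relay we
    trust (a known forwarder such as pair.com) is recorded and skipped; the first
    untrusted sender is the best candidate for the message's origin.
    Returns (source_ip, relays_traversed)."""
    relays, expected_receiver = [], None
    for line in received:
        hop = parse_hop(line)
        if hop is None:
            continue
        sender, ip, receiver = hop
        # Each hop should have been logged by the host the previous hop named
        # as its sender; a mismatch means the rest of the chain is unverifiable.
        if expected_receiver and receiver != expected_receiver:
            break
        if ip in trusted_relays:
            relays.append(ip)
            expected_receiver = sender
            continue
        return ip, relays
    return None, relays
```

With 216.92.131.249 in the trusted set the result is the telus.net address with pair.com recorded as a traversed relay; with an empty trusted set the forwarder itself is the first untrusted sender, which is the "possible relay" outcome the report shows.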
StevenUnderwood Posted June 15, 2004

When I look at that link, I get the following result:

If reported today, reports would be sent to:
Re: 216.232.37.17 (Administrator of network where email originates)
abuse[at]telus.net

> Firstly - is it correct that our server is even identified as a possible relay in this circumstance? It shows the mail as delivered so is there any other possibility than a local .forward (which is what this was)?

Yes, the same headers could show up if your server were an open relay. This did not cause a listing with spamcop, it simply sent the IP to ordb for further testing, which it does for all relaying machines.

> Secondly, further up, it already says that pair.com is a 'trusted relay'.

That does not mean your configuration has not changed since that determination was made. Spamcop is just being precautious.

> Thirdly, I didn't think you listed relays anyway.

It doesn't, and no evidence you have provided here indicates that this report was the cause for your block. In addition, that IP is not blocked right now and shows no evidence as ever being blocked. Following is the full result of going to the bl lookup page here.

216.92.131.249 not listed in bl.spamcop.net
rols Posted June 15, 2004 (Author)

> 216.92.131.249 not listed in bl.spamcop.net
> It doesn't, and no evidence you have provided here indicates that this report was the cause for your block. In addition, that IP is not blocked right now and shows no evidence as ever being blocked. Following is the full result of going to the bl lookup page here.

It's great to know it's as fast to get off the block list as on. I had the guy who reported it mail and retract his report, perhaps that's why it no longer shows up, possible? Two hours ago it said we were on the block list for that IP for less than 10 reports. I think I still have the original report up on my screen at work, I'll paste it in tomorrow if I remember, it was different from this. I just want to know, ready for the next time.
StevenUnderwood Posted June 16, 2004

If the deputies recognized it as an incorrect listing, they could have easily removed the information pointing to a listing. Glad things worked out.
Miss Betsy Posted June 16, 2004

> I just want to know, ready for the next time.

Thanks for not being irate at being listed for an error! And I am glad that you are interested in tracking down what went wrong. Sometimes it is a parser error, sometimes it is the reporter's error, and sometimes the way that the ISP configures the headers is just enough not 'typical' that it causes the parser to stop. The first two happen, but are usually quickly corrected. And the last one is easily fixed. Though the parser 'says' peculiar things like 'not trusted' when it really doesn't mean that - it just means that it is doing something else to check. Too bad there isn't a 'whitehat' icon - I would award you one!

Miss Betsy
rols Posted June 16, 2004 (Author)

> Thanks for not being irate at being listed for an error!

Things happen, and it was corrected quickly. I'd prefer an occasional accidental listing to even more spam. I now know something more about how our ISP forwards mail than I did before and it goaded me into turning up the spam filters on the .forwarded accounts. All-in-all, not a bad day really.

> Sometimes it is a parser error

I believe it may have been. I got this from the guy who sent the original mail to SC and then sent a retraction of it; it's from SpamCop:

"You're all set. I was able to take the server off the list Tuesday afternoon, but I didn't have time to answer email. There was a parse meltdown that caused the problem. You should be OK going forward."

> Too bad there isn't a 'whitehat' icon - I would award you one!