
forwarded mail got us blocked


rols


One of our own users sent a bunch of mails to spamcop and got us blocked. The mail arrived at our server and was then forwarded out to the user, who then reported it.

Having looked at the original email and the Logic report I don't understand why this resulted in a block for us. Perhaps someone can explain.

Here is the url for the particular block.

These are the relevant lines from the header

	Received: from qs384.pair.com (qs384.pair.com [216.92.131.249])
    by radonc.ccf.org (SGI-8.12.5/8.12.5) with SMTP id i5ENBbZo989570
    for <x>; Mon, 14 Jun 2004 19:11:37 -0400 (EDT)
	Received: (qmail 42589 invoked by uid 3002); 14 Jun 2004 23:21:14 -0000
	Delivered-To: copa-cirruspilots:org-x
	Received: (qmail 42582 invoked from network); 14 Jun 2004 23:21:13 -0000
	Received: from d216-232-37-17.bchsia.telus.net (216.232.37.17)
    by qs384.pair.com with SMTP; 14 Jun 2004 23:21:13 -0000
	X-Message-Info: GJVBK+nj94+yx+YUW+048/4173407544589
	Received: (qmail 99606 invoked by uid 37); Mon, 14 Jun 2004 23:24:16 -0100
	Date: Mon, 14 Jun 2004 17:17:16 -0700

So the mail was delivered to qs384.pair.com, then sent back out again to the final recipient. The originating address was something in telus.net.

I looked at the Logic report and have picked out a few lines from it

216.92.131.249 is an MX for qs384.pair.com
216.92.131.249 is mx
Received line accepted
Relay trusted (pair.com)

..

Possible spammer: 216.232.37.17
Possible relay: 216.92.131.249
216.92.131.249 not listed in relays.ordb.org.
216.92.131.249 has already been sent to relay tester

Firstly - is it correct that our server is even identified as a possible relay in this circumstance? It shows the mail as delivered so is there any other possibility than a local .forward (which is what this was)?

Secondly, further up, it already says that pair.com is a 'trusted relay'.

Thirdly, I didn't think you listed relays anyway.

I already talked to the user and asked him NOT to report spam which is forwarded through this account. I still don't understand however why our address was deemed to be the culprit here.
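As an added illustration (not code from this thread or from SpamCop), the Python below walks the Received chain quoted in the post the way a relay-aware parser would: when the forwarding host (qs384.pair.com, passed in as the trusted relay) is trusted, the first untrusted sender, the telus.net address, is named as the origin; with no trust configured, the forwarding server itself looks like the sender. The header sample is constructed from the lines above; the trust set and the "next hop must be written by the trusted relay" check are my own simplification, not SpamCop's actual algorithm.

```python
import re
# Constructed sample: the Received chain quoted in the post above, with the
# forwarding hop on qs384.pair.com between the telus.net origin and radonc.ccf.org.
HEADERS = """\
Received: from qs384.pair.com (qs384.pair.com [216.92.131.249])
    by radonc.ccf.org (SGI-8.12.5/8.12.5) with SMTP id i5ENBbZo989570
    for <x>; Mon, 14 Jun 2004 19:11:37 -0400 (EDT)
Received: (qmail 42589 invoked by uid 3002); 14 Jun 2004 23:21:14 -0000
Received: (qmail 42582 invoked from network); 14 Jun 2004 23:21:13 -0000
Received: from d216-232-37-17.bchsia.telus.net (216.232.37.17)
    by qs384.pair.com with SMTP; 14 Jun 2004 23:21:13 -0000
"""
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP_RE = re.compile(r"^Received:\s*from\s+(\S+)\s*\(([^)]*)\)\s*by\s+(\S+)", re.I)

def unfold(headers):
    """Join continuation lines (leading space/tab) so each header is one string."""
    out = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw)
    return out

def received_hops(headers):
    """(from_host, from_ip, by_host) per network hop, newest first.
    Local qmail 'invoked by uid' lines carry no peer and are skipped."""
    hops = []
    for line in unfold(headers):
        m = HOP_RE.match(line)
        if m:
            ip = IP_RE.search(m.group(2))
            hops.append((m.group(1), ip.group(1) if ip else None, m.group(3)))
    return hops

def classify(headers, trusted):
    """Walk from the receiving server back towards the origin. A sender in
    'trusted' (the forwarding host) is recorded as a relay and the next hop must
    claim to be written 'by' it; the first untrusted sender is the origin."""
    relays, expect_by = [], None
    for from_host, ip, by_host in received_hops(headers):
        if expect_by and by_host != expect_by:  # header below a relay it did not write
            return {"origin": None, "relays": relays, "note": "chain broken at " + by_host}
        if from_host in trusted or ip in trusted:
            relays.append(ip)
            expect_by = from_host
        else:
            return {"origin": ip, "relays": relays, "note": "first untrusted sender"}
    return {"origin": None, "relays": relays, "note": "no untrusted hop found"}
```

Calling `classify(HEADERS, {"qs384.pair.com"})` names 216.232.37.17 as the origin and 216.92.131.249 as a relay; `classify(HEADERS, set())` blames the forwarding server instead, which is the outcome the post describes.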


When I look at that link, I get the following result:

If reported today, reports would be sent to:

Re: 216.232.37.17 (Administrator of network where email originates)

abuse[at]telus.net

Firstly - is it correct that our server is even identified as a possible relay in this circumstance? It shows the mail as delivered so is there any other possibility than a local .forward (which is what this was)?

Yes, the same headers could show up if your server were an open relay. This did not cause a listing with spamcop, it simply sent the IP to ordb for further testing, which it does for all relaying machines.

Secondly, further up, it already says that pair.com is a 'trusted relay'.

That does not mean your configuration has not changed since that determination was made. Spamcop is just being precautious.

Thirdly, I didn't think you listed relays anyway.

It doesn't and no evidence you have provided here indicates that this report was the cause for your block. In addition, that IP is not blocked right now and shows no evidence as ever being blocked. Following is the full result of going to the bl lookup page here.

216.92.131.249 not listed in bl.spamcop.net

216.92.131.249 not listed in bl.spamcop.net

It doesn't and no evidence you have provided here indicates that this report was the cause for your block. In addition, that IP is not blocked right now and shows no evidence as ever being blocked. Following is the full result of going to the bl lookup page here.

It's great to know it's as fast to get off the block list as on. I had the guy who reported it mail and retract his report, perhaps that's why it no longer shows up, possible? Two hours ago it said we were on the block list for that IP for less than 10 reports.

I think I still have the original report up on my screen at work, I'll paste it in tomorrow if I remember, it was different from this. I just want to know ready for the next time.


I just want to know ready for the next time.

Thanks for not being irate at being listed for an error! And I am glad that you are interested in tracking down what went wrong. Sometimes it is a parser error, sometimes it is the reporter's error, and sometimes the way that the ISP configures the headers is just enough not 'typical' and causes the parser to stop. The first two happen, but are usually quickly corrected. And the last one is easily fixed.

Though the parser 'says' peculiar things like 'not trusted' when it really doesn't mean that - it just means that it is doing something else to check.

Too bad there isn't a 'whitehat' icon - I would award you one!

Miss Betsy


Thanks for not being irate at being listed for an error!

Things happen, and it was corrected quickly. I'd prefer an occasional accidental listing to even more spam. I now know something more about how our ISP forwards mail than I did before and it goaded me into turning up the spam filters on the .forwarded accounts.

All-in-all, not a bad day really.

Sometimes it is a parser error

I believe it may have been, I got this from the guy who sent the original mail to SC and then sent a retraction of it, it's from SpamCop

You're all set. I was able to take the server off the list Tuesday afternoon, but I didn't have time to answer email.

There was a parse meltdown that caused the problem. You should be OK going forward.

Too bad there isn't a 'whitehat' icon - I would award you one!

:D
