ankur Posted June 25, 2004
Hi, I'm a webhost and my server has been blocked again by spamcop. I haven't received any of the spam mails or headers from spamcop and so, can't even start locating the spammer. Does anyone know how I can get this information?
Ankur
turetzsr Posted June 25, 2004
Hi, Ankur!
...Here are some places to start:
SpamCop - Help for spam report recipients
Pinned: FAQ Entry: Why is my email blocked?
SpamCop FAQ: How can I be de-listed
Pinned: Why Am I Blocked FAQ
...If, after looking through these, you still have questions, please return here to post follow-ups.
...Good luck!
Wazoo Posted June 25, 2004
The bad part is that you say "again" ... I was going to go see if I could delve up some of the data that you didn't provide, but also noted that this is Post #1 for you, so there wouldn't appear to be anything previous here to go look at.
You say "web-host" but then say "server is blocked" ... First of all, SpamCop doesn't have the capability to block anything, much less get involved with blocking of a web-site/host. SpamCop does run a DNSbl, but this is a list of IP addresses associated with sourcing spam spew. So is it possible that you are also running an e-mail server?
This would have been much easier had you provided an IP to look up, a rejection notice that stated who and why they stated that you were blocked ... Please follow SteveT's advice, then follow up with some data that can be looked at in order to try to offer an answer.
ankur Posted June 25, 2004
Hi, I'm sorry for not being clear. I am running a mail server too and people that host with us get access to the POP and SMTP server too. In this case, one of them has been sending spam. Someone reported this spam and spamcop added my IP address (67.18.128.178) to the blocked list. From the link http://www.spamcop.net/w3m?action=blcheck&ip=67.18.128.178 this has happened 3 times.
Now, I understand that spamcop doesn't and can't block any server. It's the servers that use spamcop's blocked list that block out mails from my IP. I'm not blaming spamcop or the ISPs that use the spamcop blocked list (I apologize if the wording of my first post implied this).
So, let me explain what happened this time round: Firstly, I got to know that spam was being sent from my server when I couldn't send mails to some addresses and received a link to spamcop in the mail delivery failure message. When I checked at that time, my IP had been listed 2 times in 5-6 days or so. So, I set up better mail logging and waited. When the user spammed again, I was able to figure out who it was and warned them (next step is to terminate their account, if they spam again).
As you can see, I got to know about the spam situation after it was reported 2 times in 5-6 days and was able to catch them after another round of spamming. I was wondering if there is a quicker way - if I could get the email headers of the mail when spam from my IP is reported, I could check my logs and get to the bottom of the problem faster. I don't care about the TO and CC headers - just the FROM, timestamp and subject.
As I understand it, spamcop does send spam reports. So, my question is how can I sign up to start receiving spam reports for 67.18.128.178?
Thanks in advance.
Ankur
Edit: I'm also aware that if the user doesn't spam again, my IP will be delisted in 48 hours.
Wazoo Posted June 25, 2004
Thanks for the excellent follow-up and the actions taken thus far in handling the situation. The first issue starts with the following data ...
Parsing input: 67.18.128.178
host 67.18.128.178 = calvin.globedomain.com (cached)
Reporting addresses: abuse[at]theplanet.com
Do you have direct relations with these folks? You can also ask to be set up as an "interested third-party", but will note that due to past abuse of this option, a large number of reporters will uncheck this address in the outgoing reports. But, you can head to http://www.spamcop.net/fom-serve/cache/94.html to check this option out.
Now the 'evidence' page is showing
Listing History
In the past 8.6 days, it has been listed 3 times for a total of 6.6 days
This listing is based on a bit of a mathematical model, including things like e-mail traffic "seen", spam reported, spamtrap hits, and time .... Last I knew, there was a 2% threshold, and the listing time itself ranges from a minimum of a half-hour to the maximum of 48 hours after the spew stops ... it appears that you've been close to the tipping point throughout most of this listing time, so if you've your spammer's attention, you'll probably drop off the list fairly quick.
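Added example, not part of any post in this thread: a mail-server operator can poll the SpamCop DNSbl for their own IP instead of learning about a listing from bounce messages. The sketch assumes the zone `bl.spamcop.net` and the usual DNSBL convention that a listed address resolves into 127.0.0.0/8; the function names and the injectable `resolver` parameter are this example's own.

```python
import ipaddress
import socket

SPAMCOP_ZONE = "bl.spamcop.net"                      # assumed SpamCop DNSBL zone
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")  # DNSBL "listed" answers


def dnsbl_query_name(ip, zone=SPAMCOP_ZONE):
    """Reverse the IPv4 octets and append the zone, as DNSBL lookups require."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything but dotted IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_listing(ip, zone=SPAMCOP_ZONE, resolver=socket.gethostbyname):
    """Return 'listed', 'not-listed' or 'unknown' for one IP.

    resolver is injectable so the logic can be exercised without network access.
    """
    name = dnsbl_query_name(ip, zone)
    try:
        answer = ipaddress.IPv4Address(resolver(name))
    except socket.gaierror as exc:
        # No such name means "not listed"; a timeout or server failure must
        # not be reported as a clean result.
        no_record = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)}
        return "not-listed" if exc.errno in no_record else "unknown"
    except (OSError, ValueError):
        return "unknown"
    return "listed" if answer in LISTED_RANGE else "unknown"


if __name__ == "__main__":
    # The IP discussed in this thread; this performs a live DNS lookup.
    print(check_listing("67.18.128.178"))
```

Run from cron and alert on any result other than `not-listed`, so that a resolver outage is not mistaken for a clean status.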
Derek T Posted June 25, 2004
Just to add another possible avenue of exploration to Wazoo's excellent post: if you follow the senderbase link on the blocklist lookup page you will see an almost 1500% increase in output in the last day. Could it be that you have a compromised machine with hacked/unauthorised throughput rather than a spamming customer? Worth exploring? What server software are you using? There is a very helpful FAQ on sealing down Exchange, which comes with some very nasty defaults set 'on'. Sorry if this is teaching my grandmother to suck eggs but I was alarmed by the increase in traffic.
Edit: sorry, make that 2000%
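Added example, not part of any post in this thread: once a report's timestamp is known, the mail log can separate the two explanations raised above, a spamming customer (an authenticated account with a burst of recipients) or unauthorised throughput (a burst with no authenticated account). The log format, field names and sample lines are constructed for illustration; adapt the regular expression to what your mail server actually logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, hypothetical format: one accepted message per line.
# auth=- marks a message accepted without SMTP authentication.
SAMPLE_LOG = """\
2004-06-24T09:12:40 auth=alice from=<alice@example.com> nrcpt=2
2004-06-24T10:05:13 auth=bob from=<bob@example.net> nrcpt=1
2004-06-25T02:14:07 auth=bob from=<offers@example.org> nrcpt=400
2004-06-25T02:14:55 auth=bob from=<offers@example.org> nrcpt=400
2004-06-25T02:31:02 auth=alice from=<alice@example.com> nrcpt=1
2004-06-25T03:02:19 auth=- from=<deals@example.org> nrcpt=250
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<auth>\S+) from=<(?P<sender>[^>]*)> nrcpt=(?P<n>\d+)$"
)


def parse(log_text):
    """Yield (timestamp, auth_user, envelope_from, recipient_count) per line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip lines that are not message-accept records
            yield (datetime.fromisoformat(m["ts"]), m["auth"],
                   m["sender"], int(m["n"]))


def recipients_per_account(records):
    """Total recipients per account, largest first; '-' is unauthenticated."""
    totals = defaultdict(int)
    for _ts, auth, _sender, n in records:
        totals[auth] += n
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def candidates_for_report(records, reported_at, window_minutes=30):
    """Accounts that sent mail within the window around a reported spam."""
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(int)
    for ts, auth, _sender, n in records:
        if abs(ts - reported_at) <= window:
            hits[auth] += n
    return dict(hits)


if __name__ == "__main__":
    records = list(parse(SAMPLE_LOG))
    print(recipients_per_account(records))
    print(candidates_for_report(records, datetime(2004, 6, 25, 2, 20)))
```

A large total under `-` points at an open relay or a compromised script on the host, while a large total under a named account points at that customer or at stolen credentials for it.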
ankur Posted June 25, 2004
Hi all, Thanks for your help and patience. I've sent a mail to sign up for third party reports and will try to get my datacenter (thePlanet.com) guys to allow me to receive administrative reports for my IPs.
Yes, I think I had better check if the server's been compromised, while I'm at it. Doesn't hurt to check more, but does hurt to check less.
Thanks a lot
Ankur
turetzsr Posted June 25, 2004
> Hi all, Thanks for your help and patience. I've sent a mail to sign up for third party reports and will try to get my datacenter (thePlanet.com) guys to allow me to receive administrative reports for my IPs. Yes, I think I had better check if the server's been compromised, while I'm at it. Doesn't hurt to check more, but does hurt to check less Thanks a lot Ankur
Hi, Ankur,
...We thank you! This thread is a shining example of how this forum should work. Your patience and willingness to work to solve the problem is very much appreciated.
Archived
This topic is now archived and is closed to further replies.