starion Posted July 26, 2004

Our servers at 24.123.106.83 and 85 have been blocked for the first time. Since we use SpamCop on our own server, I have had to disable it to allow our users' email to go through. Both reports (if you could call them reports) state 10 complaints or less. We (as the ISP) have never received ANY communication or emailed reports from SpamCop. We believe a 2-hour error in setup may have allowed our system to be compromised for relaying.

Please advise as to how we can get the reports (if there are legitimate problems, we will respond to them) and get de-listed. Thank you.

Jeff J.
Miss Betsy Posted July 26, 2004

Unfortunately hits that only go to spam traps do not generate reports. You need to contact deputies at spamcop.net to find out exactly what kind of hits they were (common causes: automatic virus reports or sending email bounces, SMTP/Auth exploits or open proxies/relays). You might check with them just in case it was not the relay problem.

If you have fixed the relay problem, your listing will probably age off quickly (when no more reports of spam are made). Since the list is automatic, unless there is an error on spamcop's part, nothing can be done about the listing. The purpose of the listing is to prevent others from getting spam while you fix the problem. I am not sure, but I think delisting takes into account the history as well as how fast the problem gets fixed - no history and fast correction will mean a shorter stay on the bl - the longest is 48 hours after the last spam report (which is based on the date stamp in the spam, not when it was reported).

Next time you have a problem, check the spamcop bl as the last thing you do after fixing the problem to see if spammers have used your computers. Since I am not an admin, I don't have any more specific advice.

Miss Betsy
DavidT Posted July 26, 2004

According to the information found in the ARIN database and Abuse.net, reports would be sent to: abuse[at]rr.com

Your account seems to be a commercial RoadRunner account, so you'll need to ask them for copies of any reports sent by SpamCop...those reports would have the details. I just looked at the "history" on the first IP and found some spams like this:

Submitted: Sunday, July 25, 2004 17:30:33 -0700:
Enlarge yo-ur* pe`n,i_s _. today .-. ptayeefp
1136069687 ( 24.123.106.83 ) To: abuse[at]rr.com
(that's the report number that RR.com might need)

Most of the items in the "history" on that IP are from a very brief time window on Sunday, as you described, but there are two older reports still on file:

Submitted: Wednesday, July 21, 2004 16:46:57 -0700:
Lose 19%, powerful weightloss now available where you are.
1127696645 ( 24.123.106.83 ) To: abuse[at]rr.com

Submitted: Tuesday, July 13, 2004 16:21:50 -0700:
Lose 19%, powerful weightloss now available where you are.
1111720697 ( 24.123.106.83 ) To: abuse[at]rr.com

Was that IP also yours on those two dates? In any case, unless you can get RoadRunner to change the contact information in the ARIN database for those IP numbers, you won't receive reports...but wait...there's a way for "interested third parties" to get reports on specific IP addresses...I don't know much about it, but you might contact a SpamCop deputy at: deputies (at) admin.spamcop.net

David T.
starion Posted July 26, 2004 Author

Yes, that is our STATIC IP. So I guess spamcop has listed us as a result of my own reporting. Just great.

Jeff J.
Merlyn Posted July 26, 2004

Don't you check where you are sending reports?
starion Posted July 26, 2004 Author

Yes, always. But it's not unusual to see spam reports go to our upstream provider. So why would I have flagged it mentally?
Merlyn Posted July 26, 2004

Maybe because it also showed that it was your IP address being larted :-)
starion Posted July 26, 2004 Author

Okay, so I'm a bonehead for submitting a faulty report on my own IP. BUT, what kind of a parser can't even check to see if the reports about an IP are from the same IP that's reporting? How simple is that???

Jeff J.
StevenUnderwood Posted July 26, 2004

Not as simple as you seem to think, since the reporter does not need to be at the IP that receives the messages. There is the mailhost configuration that was designed (in part) to eliminate this problem. Have you configured it yet?
starion Posted July 26, 2004 Author

It's not the sender's IP I'm concerned about. If I'm sitting at 192.168.1.1 (or any other IP on the planet) and sending a report about 24.123.106.83 using the mail server at 24.123.106.83, then I'm probably reporting myself. I guess I can see that in the scenario of a large provider, one AOL user could be sending reports about spam coming out of the same server...

In any case, our listing was removed, and our abuse email address was added as an interested party, so at least I can see where the problem is if it happens again.

Jeff J.
Wazoo Posted July 26, 2004

> It's not the sender's IP I'm concerned about.

Not sure what this line is referring to. You were responding to a suggestion to run through the mail-host configuration, which relates to "your" IP / mail host string of your incoming e-mail ....
starion Posted July 26, 2004 Author

> Not as simple as you seem to think, since the reporter does not need to be at the IP that receives the messages.

This is what I was referring to.

Jeff J.
StevenUnderwood Posted July 26, 2004

> If I'm sitting at 192.168.1.1 (or any other IP on the planet) and sending a report about 24.123.106.83 using the mail server at 24.123.106.83, then I'm probably reporting myself.

1. The parser does not look at the headers of the message being used to submit the spam message. This could be changed if it were worth the effort, but....
2. Many people don't use any mail server to report spam. The only time that would work was during email submission of spam, not for web based submission or for submission from the email system (VER or webpage).
3. Many people use a different mail server to submit their spam than they received it on. Think forwarding.
4. Many ISPs use different servers for incoming and outgoing so the IPs would not match. The reports only look at the incoming (Received) headers.

Again, your problem is one of the reasons that the mailhost configuration was implemented. You show spamcop all the paths that a message can get to you and it stores that information so it can compare during the parse.

In the end, it is YOU that is sending the report to the ISP claiming the IP is a source of spam. It is YOUR responsibility for that information to be accurate, or YOUR reporting privileges can be revoked.
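The Received-header comparison described in the post above, as an added example that is not part of the original thread and is not SpamCop's parser. The function names, the `mailhosts` set and the sample message are hypothetical, and the addresses are documentation ranges, with 192.0.2.83 standing in for the reporter's own mail server.

```python
import re
from email import message_from_string

# Constructed sample: spam accepted by the reporter's own server (192.0.2.83),
# then forwarded to the mailbox where it is read and reported.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [192.0.2.83])
\tby inbox.example.org with ESMTP; Sun, 25 Jul 2004 17:29:58 -0700
Received: from unknown (unknown [203.0.113.45])
\tby mail.example.net with SMTP; Sun, 25 Jul 2004 17:29:51 -0700
From: "Offers" <offers@example.com>
Subject: constructed test message

body
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def handoff_ips(raw):
    """Return the IP that handed the message over at each hop, newest first."""
    msg = message_from_string(raw)
    hops = []
    for header in msg.get_all("Received", []):
        # Only the "from ..." clause names the sending side of the hop.
        from_part = re.split(r"\s+by\s+", header, maxsplit=1)[0]
        match = IP_IN_BRACKETS.search(from_part)
        hops.append(match.group(1) if match else None)
    return hops


def reported_source(raw, mailhosts=frozenset()):
    """Walk hops newest-first and return the first IP outside the known paths.

    mailhosts: IPs of servers on the recipient's own delivery path (assumed
    to be what a mailhost-style configuration records). Returns None when a
    hop cannot be parsed or every hop is one of the recipient's own servers,
    so no report should be filed.
    """
    for ip in handoff_ips(raw):
        if ip is None:
            return None          # unparseable hop: do not guess a source
        if ip not in mailhosts:
            return ip            # first hop outside the recipient's own path
    return None
```

With an empty `mailhosts` set the reporter's own forwarding server is returned as the source; once that server is listed, the walk continues past it to the host that actually injected the message.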
Archived
This topic is now archived and is closed to further replies.