
Which IP address triggered blacklist?


chrislott


During the middle of last week (I just realized), list.dsbl.org blocked some stuff. I received personal mail from two people (married) who use broadband at home and send email via yahoo and hotmail. I'm guessing that their home IP address was used at some point to send spam, and marked as an open relay.

How can I tell *which* IP address triggered the spam blocking?

chris...


The reject message that the person who sent the original message received should include that information.

As an alternative, the suspected account could send an email to another account and have the headers inspected to see what route the message took to exit the ISP.

I'm having trouble reading into your message whether it was email you were trying to receive or send that was blocked.


I checked the FAQ, list.dsbl.org is a selectable item ... then blew about 15 minutes trying to find someone else's Tracking URL that would have popped up one that showed the Blocked line so I could paste it in here as an example of what to look for ... Can't find one .. weird ...

So lacking an easy "picture" for an example, and still not exactly sure of the described problem .. here's something just pulled out of the air ... if you look at the blocked e-mail headers, there should be a line that includes a list of IP addresses .. the IP at the end of that line is the one that "triggered" the block.

Any help? If not, please provide something for "us" to look at.


I checked the FAQ, list.dsbl.org is a selectable item ...

Yes, SC Email users can turn that one on and off.

then blew about 15 minutes trying to find someone else's Tracking URL that would have popped up one that showed the Blocked line so I could paste it in here as an example of what to look for ... Can't find one .. weird ...

Here's one from my recently-submitted stuff:

http://www.spamcop.net/sc?id=z675163113zac...06a16b8d072ffaz

and yes...assuming you're an SC Email customer and you're asking about items that wound up in your Held Mail, you'd want to look at the:

X-SpamCop-Checked:

line in the headers. If you want to check the current status of your friends, have them send you a message and see if it winds up in your Held Mail again.

DT


Here's one from my recently-submitted stuff:

And what a fine example it is <g> ... I've been sitting here for a while marvelling over all the work that went into that particular piece of crap .. playing that "where's Waldo" game in reverse, trying to figure out just what was included that doesn't look spammy ....


Here's a bit more information. Yes, I was writing about email that was sent to me but landed in my held-mail folder (currently message 961 if anyone has the power to look). The originating IP (their ADSL-assigned IP address) is 68.76.44.88, and that's also the last IP address on the X-SpamCop-Checked line. I checked with www.dsbl.org and it certainly has a black mark next to that IP; the problem dates from March 2004.

Unfortunately, even though ADSL providers tend to move around IP addresses, dsbl.org only removes an IP when asked to do so; doesn't sound like they do any aging of their records.

chris...


First of all, this is a dynamic IP; no one should be accepting mail from it. They should be using their ISP's server to send mail. Many ISPs will not accept email from a dynamic IP.

Next, I would say more than 1 black mark:

NJABL Not Just Another Blacklist.: dnsbl.njabl.org -> 127.0.0.3

swbell.net PPPoX DSL Pools -- 1071415970 (Sun Dec 14 16:32:50 2003)

NJABLDYNA NJABL list of dynamic ip spaces: dynablock.njabl.org -> 127.0.0.3

Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html

DSBLLIST Distributed Sender Boycott List: single-stage relays tested by trusted users: list.dsbl.org -> 127.0.0.2

http://dsbl.org/listing?68.76.44.88

DSBLUNCONFIRMED Distributed Sender Boycott List: single-stage relays, multihop relays and listings by anonymous users: unconfirmed.dsbl.org -> 127.0.0.2

http://dsbl.org/listing?68.76.44.88

NOMOREFUNN local bl at moensted.dk: no-more-funn.moensted.dk -> 127.0.0.3

ameritech.net. Dial-Up/Cable/DSL/Home IP Range - Use your providers SMTP Gateway or whitelist your server at: http://moensted.dk/spam/no-more-funn/?addr=68.76.44.88

STBL spam Trap dnsbl: bl.spam-trap.net -> 127.0.0.4

1087845710 (Mon Jun 21 21:21:50 2004) sbc.com 68.72.0.0/13 Blocked by STBL, see http://www.stop-spam.info/lookup.php?ip=68.76.44.88

SORBS spam and Open Relay Blocking System: Aggregate zone: dnsbl.sorbs.net -> 127.0.0.10

Dynamic IP Address See: http://www.dnsbl.sorbs.net/lookup.shtml?68.76.44.88

SORBSDUL Dynamic IP Address ranges (NOT a Dial Up list!): dul.dnsbl.sorbs.net -> 127.0.0.10

Dynamic IP Address See: http://www.dnsbl.sorbs.net/lookup.shtml?68.76.44.88

DNSBLAUT1 Reynolds Technology Type 1: t1.dnsbl.net.au -> 127.0.0.2

http://dsbl.org/listing?68.76.44.88

68.76.44.88 See http://www.dnsbl.sorbs.net/cgi-bin/lookup?NAME=68.76.44.88

DNSBLAUDSBL Distributed Server Boycott List: dsbl.dnsbl.net.au -> 127.0.0.2

http://dsbl.org/listing?68.76.44.88

Hope this helps


Merlyn,

I completely don't understand your comment about "no one should be accepting mail" (from a dynamic IP). Yes, it's a dynamic IP, that's what you get on ADSL at home. Further, it's my understanding that when you use a webmail setup like Yahoo or Hotmail, it notes the IP of the PC where the mail originated in one of the "Received" lines added by SMTP processes along the way. My email correspondents were indeed using their ISP's server (yahoo or hotmail).

Or did I miss something fundamental here?

chris...


I believe you did miss something or your background evidence is changing. At this point, to clear things up, either provide a set of headers or run the e-mail through the parser (cancel the report) but post the Tracking URL ... If you want specific answers on a specific sample, "we" need to see the specifics.

Yes, Hotmail / Yahoo add the origination IP, but as an X-Line ... (though this is a blanket statement that can be made wrong by things like the way these accounts are accessed / abused) .... So the point is, you offer up the imaginary story about an e-mail from someone, pull in three separate systems that the e-mail allegedly trafficked, and your findings on where that e-mail ended up. So the problem right now is that you have "us" guessing at what the headers actually look like, and the only seemingly real fact is that you state that the IP in question is both in the headers as a travelled IP and that this IP appears in the SpamCop Checked: line. The rest of the data provided here thus far is the current status on that IP as seen around the "net" ... and that information points to a serious problem with a computer sitting at that IP.


If this is indeed the spamcop webmail system we are talking about holding some valid messages, it works a little differently than you normally use a dnsbl.

Spamcop scans ALL IP addresses in the received lines, not just the connecting server.

The last IP address in the X-SpamCop-Checked: header entry will be the one that caused the match (if it is a dnsbl match).

In this example:

X-SpamCop-Checked: 192.168.1.101 69.56.175.228 203.240.185.54

X-SpamCop-Disposition: Blocked korea.services.net

203.240.185.54 is on the korea.services.net dnsbl.


Yes, Hotmail / Yahoo add the origination IP, but as an X-Line ...

Hotmail does that, but not Yahoo!Mail...I just ran some tests. Yahoo webmail actually puts the IP of the originating computer in the first Received header, like this:

Received: from [68.99.x.x] by web14423.mail.yahoo.com via HTTP; Wed, 29 Sep 2004 07:11:57 PDT

(don't really want to make my IP public, but it's a Cox Cable connection)

and sure enough, SpamCop checked that IP:

X-SpamCop-Checked: 192.168.1.101 216.136.174.217 68.99.x.x

So, if the IP was listed on any blocklists, this message could have wound up in my Held Mail. In my Hotmail test, my IP was not only in the "X-Originating-IP" line but also in the first Received line, so SpamCop also checked it as the source of the message. SpamCop wouldn't flag these as spam simply due to my IP being dynamic, but if my IP was listed on one of my selected blocklists, it would have put them into my Held Mail. I think that as far as Yahoo is concerned, the "X-line" is only included in Yahoo!Groups messages.

DT


I did say that this statement could be proven wrong .. but I was basing that on the different ways that both web-mail services can be "connected to" and that changes the contents of the header lines. Thanks for the research, but I didn't want to get bogged down in all that, it was more that I wanted some specific headers to "talk" about ... As I tried to hint in my last, that a specific IP address shows up in a received e-mail isn't that big of a thing, but then finding that this specific IP has a history and is listed all over, it gets to is this due to the current user at that IP or is it that this user is paying some price for someone else's previous "problems" ...

Which, I suppose takes this out of the original poster's query (why isn't the e-mail address simply whitelisted) and needs to be addressed to the persons sending the e-mail that caused the query ...???


...but then finding that this specific IP has a history and is listed all over...

I think that some of those listings are simply due to the dynamic nature of the particular IP. Those listings are there to flag/block mail that's being sent directly from a dynamic IP to an SMTP server....not through webmail systems such as Hotmail or Yahoo. However, in addition to simply being in dynamic IP space, there could indeed have been previous abuse from a user of that IP, and if so, the current user should contact their IP for re-assignment.

But as for the original question, if it turns out that webmail sent by users of a dynamic IP that's not associated with any recent abuse is being routed to Held Mail by one of the third-party BLs offered in the SpamCop Email system, I'd recommend not selecting that particular BL in the BL configuration screen.

DT


Sorry, I keep forgetting that this is a user community, not a sysop community, and users cannot peek into my spamcop webmail inbox. Complete headers are below for the message from hotmail sent to spamcop, which I read via spamcop webmail. (No fancy forwarding, POPing, or anything else going on here.) The suspect IP appears in both an X-Originating-IP and a Received line. I can post headers for the msg from yahoo if you're not totally sick of this issue yet.

chris...

-------

Return-Path: <my_cousin_email_changed_for_anonymity[at]hotmail.com>

Delivered-To: spamcop-net-chrislott[at]spamcop.net

Received: (qmail 3296 invoked from network); 22 Sep 2004 13:13:25 -0000

Received: from unknown (192.168.1.101)

by blade2.cesmail.net with QMQP; 22 Sep 2004 13:13:25 -0000

Received: from bay9-f30.bay9.hotmail.com (HELO hotmail.com) (64.4.47.30)

by mailgate.cesmail.net with SMTP; 22 Sep 2004 13:13:25 -0000

Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;

Wed, 22 Sep 2004 06:07:04 -0700

Received: from 68.76.44.88 by by9fd.bay9.hotmail.msn.com with HTTP;

Wed, 22 Sep 2004 13:06:59 GMT

X-Originating-IP: [68.76.44.88]

X-Originating-Email: [my_cousin_email_changed_for_anonymity[at]hotmail.com]

X-Sender: my_cousin_email_changed_for_anonymity[at]hotmail.com

From: "My Cousin" <my_cousin_email_changed_for_anonymity[at]hotmail.com>

To: chrislott[at]spamcop.net

Bcc:

Subject: RE: Tix to ..

Date: Wed, 22 Sep 2004 09:06:59 -0400

Mime-Version: 1.0

Content-Type: text/plain; format=flowed

Message-ID: <BAY9-F30YSl1q4gtopW0004a365[at]hotmail.com>

X-OriginalArrivalTime: 22 Sep 2004 13:07:04.0969 (UTC) FILETIME=[0EB02790:01C4A0A5]

X-spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on blade2.cesmail.net

X-spam-Level:

X-spam-Status: hits=0.0 tests=none version=2.64

X-SpamCop-Checked: 192.168.1.101 64.4.47.30 68.76.44.88

X-SpamCop-Disposition: Blocked list.dsbl.org


I thought this was pretty well answered already but to answer your original question (the topic for this post):

X-SpamCop-Checked: 192.168.1.101 64.4.47.30 68.76.44.88

X-SpamCop-Disposition: Blocked list.dsbl.org

As you mentioned earlier, IP 68.76.44.88 tripped on list.dsbl.org

Spamcop email scans EVERY IP address a message has touched, not just the connecting IP like a standard DNSBL implementation.
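To make the thread's advice concrete, here is an added example (my own code, not SpamCop's or any poster's): it unfolds the headers posted above, lists every address in the Received chain that SpamCop would test, reads the last X-SpamCop-Checked entry as the hop that tripped the block, and builds the reversed-octet name a DNSBL client resolves under a zone such as list.dsbl.org. The sample headers are trimmed from the message in this thread; the reversed-octet query form is the standard DNSBL convention, not SpamCop's internal code, and no DNS lookup is actually performed.

```python
import re

# Sample headers, trimmed from the message posted above in this thread.
SAMPLE_HEADERS = """\
Received: from unknown (192.168.1.101)
  by blade2.cesmail.net with QMQP; 22 Sep 2004 13:13:25 -0000
Received: from bay9-f30.bay9.hotmail.com (HELO hotmail.com) (64.4.47.30)
  by mailgate.cesmail.net with SMTP; 22 Sep 2004 13:13:25 -0000
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
  Wed, 22 Sep 2004 06:07:04 -0700
Received: from 68.76.44.88 by by9fd.bay9.hotmail.msn.com with HTTP;
  Wed, 22 Sep 2004 13:06:59 GMT
X-Originating-IP: [68.76.44.88]
X-SpamCop-Checked: 192.168.1.101 64.4.47.30 68.76.44.88
X-SpamCop-Disposition: Blocked list.dsbl.org
"""

# Dotted-quad IPv4 that is not part of a longer dotted token (a hostname).
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def unfold(raw):
    """Join folded header lines (continuations start with whitespace) into
    an ordered list of (name, value) pairs."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields

def received_ips(fields):
    """Every IPv4 address in the Received chain, nearest hop first: the set
    SpamCop tests, not just the connecting server a normal DNSBL check sees."""
    return [ip for name, value in fields
            if name.lower() == "received" for ip in IPV4.findall(value)]

def triggering_ip(fields):
    """For a blocked message, (ip, blocklist): the last X-SpamCop-Checked
    address is the hop that matched; None when nothing was blocked."""
    hdr = {name.lower(): value for name, value in fields}
    disposition = hdr.get("x-spamcop-disposition", "")
    checked = hdr.get("x-spamcop-checked", "").split()
    if not disposition.startswith("Blocked ") or not checked:
        return None
    return checked[-1], disposition.split(None, 1)[1]

def dnsbl_query_name(ip, zone):
    """Name a DNSBL client resolves: octets reversed under the zone. An A
    answer in 127.0.0.0/8 means listed (the code is zone-specific, e.g. the
    127.0.0.2 shown above for list.dsbl.org); NXDOMAIN means not listed."""
    return ".".join(reversed(ip.split("."))) + "." + zone
```

Running `received_ips` over the sample yields exactly the three addresses SpamCop recorded in X-SpamCop-Checked, and `triggering_ip` picks out 68.76.44.88 with list.dsbl.org as the list it matched.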


Based on Steven Underwood's note, it sounds to me like there might be a mismatch between the data from DNSBL and SC's use of it in the blacklist filter in this case. It appears that the use of DNSBL.org (as part of the SC blacklist filters when reading email via webmail) increases the chances of an innocent email being tapped as spam. I don't know at all how much those chances are increased. Is that safe to conclude from all this?

chris...


define "innocent" .... use of the BLs is to snag e-mail coming from an identified spam source, that's it. As repeatedly identified, an IP in the received e-mail headers shows that it travelled through / from an IP identified in a BL as having issues. Your call as to whether that's a problem. There's some stuff in the FAQ dealing with filters, BLs, whitelisting, and the results thereof based on how you access your account. Have you been there yet?


The spamcop email system will trap more messages coming from spam sources than the standard DNSBL configuration because it scans all IP addresses.

For any implementation to scan all IP addresses, they would need to accept the data portion of the message and then could not reject it and could only bounce an error message to the usually forged sender address.

There is no "mismatch", only a different use of the data.


During the middle of last week (I just realized), list.dsbl.org blocked some stuff. I received personal mail from two people (married) who use broadband at home and send email via yahoo and hotmail. I'm guessing that their home IP address was used at some point to send spam, and marked as an open relay.

How can I tell *which* IP address triggered the spam blocking?

chris...


In rereading this entire thread, I am wondering what the original intent/purpose of the question actually was.

Since we are talking about a SpamCop Email user receiving mail and having it sent to the heldmail folder, the simple solution is to whitelist the sender's address, making the IP address meaningless.

Since the BL causing the listing "list.dsbl.org" is outside of the SpamCop domain, what is the purpose for the question?

Then again, maybe it is me that has no idea of what I am talking about?

Also, failing to list the parsing results leads to much guesswork as to how the parser would handle the "sending" IP addresses, as it is NOT an SMTP server or relay, but simply the actual source (representative name) of the email address sending the message. But instead of listing the email address (easily forged by the sender), the actual IP address was used instead, allowing for easier tracking of the actual source of the message when combined with the date stamp and the SMTP server logs.

And "instead" is probably the wrong use of terms when you compare the following hotmail listing

"Received: from 68.76.44.88 by by9fd.bay9.hotmail.msn.com with HTTP;

Wed, 22 Sep 2004 13:06:59 GMT"

with a standard Earthlink listing

"Received: from 24-205-131-xxx.mpk-eres.charterpipeline.net ([24.205.131.xxx] helo=xxxxxxx) by avocet.mail.pas.earthlink.net with smtp (Exim 3.33 #1)"

Other than not including any additional information, both show dynamic IP addresses as the "source" of the message, neither of which are SMTP servers themselves.

First of all this is a dynamic IP, no one should be accepting mail from it they should be using their ISP's server to send mail. Many ISP's will not accept email from a dynamic IP.<snip>


The above quote turns out to be way off base in its assumption that the sending IP is an SMTP server, which it is not.

And to say that one should not accept mail from dynamic IP addresses is absurd, but then that is not what Merlyn is really saying anyway, he just failed to realize that the IP represented a user not a server.

Well I have rambled on enough, in fact too much.

So back to the original question, since the IP is dynamic who really cares what it is, its going to change anyway.

Remember SpamCop is known for over-aggressive filtering (for a reason) and blocks nothing. Whitelisting solves the problem.

