Blacklisted... where are the header details?


jeffjustice


I see lots of examples of people showing header details to help track down spam and cut it off.

One of our IP addresses is listed but I can't find any of the header info for the people who have submitted reports (which makes it hard to track down a culprit and also make sure the recipient isn't contacted again). There have been 4 total (3 users and 1 mole) based on the daily summary report I receive.

I have tried using the "find report" and "close issues" features within my account but no further details are ever displayed.

What am I missing?

Thanks in advance.

Jeff


Hi, Jeff!

...Although I'm not certain what you are looking for, I think the answers to your questions may be in the FAQ that is linked to from Pinned: Original SpamCop FAQ Plus - Read before Posting on this forum's front page. Specifically, I see sections labeled "Help for abuse-desks and administrators" and "Assistance stopping spam:".

...HTH!


> Hi, Jeff!
>
> ...Although I'm not certain what you are looking for, I think the answers to your questions may be in the FAQ that is linked to from Pinned: Original SpamCop FAQ Plus - Read before Posting on this forum's front page. Specifically, I see sections labeled "Help for abuse-desks and administrators" and "Assistance stopping spam:".
>
> ...HTH!

Thanks, but I've scoured the FAQ a bit and haven't found what I'm looking for (yet).

To be more specific I see (and have seen in the past for my own IPs) reports like the following

http://www.spamcop.net/sc?id=z688279526z74...f4795bf9cc9776z

My question is, how do I get these similar detailed reports for the new IP range I'm leasing so that I can track it back through my smtp logs?

Thanks,

Jeff


That is a user report and you can only see your own user reports and not others unless you post a tracking url.

More data was revealed previously but spammers took advantage of the information so it is withheld now.

What IP address do you think is listed?


> That is a user report and you can only see your own user reports and not others unless you post a tracking url.
>
> More data was revealed previously but spammers took advantage of the information so it is withheld now.
>
> What IP address do you think is listed?

*sigh*

That makes it hard for those of us who are strictly white hat to honor people's desire to be left alone.

Here's the ip http://www.spamcop.net/w3m?action=checkblo...p=67.43.151.116

I have an email in to the deputies. In return so far I received three subject lines of the emails that were reported. Not quite enough detail though to clean up the situation and prevent it from happening again.

Thanks for the help.

Jeff


I must say (and I do not say this very often) for an email marketing company resultsmail.com looks very clean. My hat's off to you.

It could be they had someone that did not have a clean list, but from the looks of it they get rid of people using dirty lists.

The reports went to loudpacket.com so they will probably be off the list in 17 hours.

Good luck, wish I could help more. Maybe the deputies will get back to you soon.

You aren't by chance the reduce stress in the workplace humorist???


> I must say (and I do not say this very often) for an email marketing company resultsmail.com looks very clean. My hat's off to you.
>
> It could be they had someone that did not have a clean list, but from the looks of it they get rid of people using dirty lists.
>
> The reports went to loudpacket.com so they will probably be off the list in 17 hours.
>
> Good luck, wish I could help more. Maybe the deputies will get back to you soon.
>
> You aren't by chance the reduce stress in the workplace humorist???

Thanks Merlyn, that means a lot to us here. We do give people the boot for not playing by the strict rules. This is why it is important to us to find out exactly what is going on with reports to spamcop. We attract customers with clean lists and keep them because we stay on top of problems.

Pretty much everyone here is a humorist B) Keeps the place fun!


> Looking at the tracking url you provided, you realize that the TRAFFIC has gone up by >2000%. That alone should be a warning sign something fishy is going on! Perhaps as nasty as a trojan?

Actually we were migrated to this loudpacket block last month. So this IP went from zero activity to our Richter scale of about 4-5.

Now, this may also be part of why we are seeing blocks. It is my understanding (and correct me if I am wrong) that complaints are weighted based on historical sender volume.

So daily volume of email sent is about 100,000 and we get 4 complaints we are blocked (current reports on us are 3 users and 1 mole in past 24 hours).

Granted these 4 complaints could be from new customers with lists that are "bad" or maybe just old (as in some people don't remember opting in)... but hard to know w/o the information to follow up.

Anyway, thanks for the help and input so far.

- Jeff


> The reports went to loudpacket.com so they will probably be off the list in 17 hours.

If you can get loudpacket.com to provide you with the reports, you might be able to find out what you need. I am not sure of the procedures, but you might also be able to get the reports yourself in the future so you can take action more quickly.

Miss Betsy


> If you can get loudpacket.com to provide you with the reports, you might be able to find out what you need. I am not sure of the procedures, but you might also be able to get the reports yourself in the future so you can take action more quickly.

The third-party notification request thing has been replaced. The new data replaced the old, but the link/URL is the same .. found in the FAQ here at the entry "How can I get SpamCop reports about my network?" ... One major change is that the Deputies don't have to immediately get involved in analyzing and deciding whether to grant approval .. the flip side is that the data provided in this mode is pretty much the same as anyone else can get ... so the "specifics" requested still won't be available.


> The third-party notification request thing has been replaced. The new data replaced the old, but the link/URL is the same .. found in the FAQ here at the entry "How can I get SpamCop reports about my network?" ... One major change is that the Deputies don't have to immediately get involved in analyzing and deciding whether to grant approval .. the flip side is that the data provided in this mode is pretty much the same as anyone else can get ... so the "specifics" requested still won't be available.

Yeah, I already have an ISP account to receive reports. That is what has started this whole discussion. I can confirm that no detail is provided in those reports as you mention ;)

So where does this leave legit marketers whose bandwidth provider can't be bothered with forwarding them complaint reports? (It has been 24 hours with no response yet from my provider).


First of all, "67.43.151.116 not listed in bl.spamcop.net" .. so that part of the issue is solved for now.

> Yeah, I already have an ISP account to receive reports. That is what has started this whole discussion. I can confirm that no detail is provided in those reports as you mention ;)
>
> So where does this leave legit marketers whose bandwidth provider can't be bothered with forwarding them complaint reports? (It has been 24 hours with no response yet from my provider).

Though discussing your bandwidth provider is best left between you and them, one must also look at the other side of the coin. In general, the scenario is that the bandwidth provider is contacted with a complaint about something that a user has decided meets the criteria of being spam. (Noting that bad reporting has consequences.) What should happen is that the ISP does some investigation, then handles the action item .. shutting down the account, checking off an Innocent Bystander status flag, or something in between. The "passing the complaint on to the 'spammer'" is usually seen as a bad thing. Before you get too excited, this is all presented from the perspective of the hapless spam victim.

Some of the issues with your particular situation appear to also be driven by timing and coincidence of other issues. For instance, as previously pointed out, the details shown at SenderBase unfortunately match the scenario of an e-mail server/network being compromised and used by a spammer. So the first glance from most folks would tend to go down that path in making decisions. That you explained the circumstances "here" tends to allow one to set aside those immediate thoughts; it's unknown whether this data was provided in the previous dialog with the Deputies.

> Now, this may also be part of why we are seeing blocks. It is my understanding (and correct me if I am wrong) that complaints are weighted based on historical sender volume.

Yes, no, kind of .... http://www.spamcop.net/fom-serve/cache/297.html breaks out the complicated math behind a BL listing.

> So daily volume of email sent is about 100,000 and we get 4 complaints we are blocked (current reports on us are 3 users and 1 mole in past 24 hours).

The numbers used here make it hard to believe that you managed to get listed at all, but there are some parameters described in the above mentioned FAQ entry that "we" don't have access to ... the most critical would seem to be the places you're sending to as compared to those places "monitoring" traffic from your e-mail server (there used to be a 2% threshold between total traffic "seen" and spam, but I don't see that in the FAQ at present). The SenderBase line;

"Date of first message seen from this address 2004-11-06" may feed into a situation of a "newly discovered e-mail source" to the SpamCop parsing engine/database (which I notice also isn't mentioned in the FAQ entry suggested) .. if this was among the issues in getting listed, it should be resolved also, now both being identified and coming up on the end of the "probation" period. (I can't recall if there was a FAQ entry that didn't survive the fairly recent rewrite or if I'm remembering an ancient newsgroup conversation, but somewhere there was mention that a note to the Admin staff before bringing the server on-line could prevent this "newly discovered" thing from being an issue.)


Thanks for the input/info.

I think we are starting to work it through. Deputies have since forwarded me two reports. One was pretty bad and that customer was immediately cancelled as a result (questionable content and hit a spam trap which proves he didn't really have consent to send).

When we first noticed this issue with SpamCop we notified the deputies immediately that we felt we were being punished due to the IP swap. I read the FAQs regarding their listing determination and figured we were getting pegged due to newly discovered volume. We were rarely listed on our old IP so it was a shock to us to find we were being blocked regularly on the new IP.

Doesn't really matter now though. We seem to be communicating and working towards resolution. Based on that one example they sent me I can't blame them for listing us. Just need better communication and details getting to me so we can act before it becomes a drawn out/daily issue.

ps. we are listed again :blink: summary report shows 5 complaints. again, volume in 24 hours is 100k or so.


Here are some recent SpamCop Reports concerning that IP Address:

Submitted: Friday 2004/12/03 18:54:26 -0500:

4brokers Exclusive Leads Program

1305908120 ( 67.43.151.116 ) To: abuse[at]loudpacket.com

--------------------------------------------------------------------------------

Submitted: Friday 2004/12/03 13:35:12 -0500:

Buy One, Get One

1305731715 ( http://www.pentabosol.com ) To: abuse[at]invotion.com

1305731712 ( http://www.pentabosol.com ) To: abuse[at]expresstechnologies.com

1305731711 ( http://www.pentabosol.com ) To: abuse#halfpricehosting.com[at]devnull.spamcop.net

1305731706 ( http://www.pentabosol.com ) To: postmaster[at]expresstech.net

1305731700 ( 67.43.151.116 ) To: spamcop[at]imaphost.com

1305731698 ( http://www.resultsmail.com/ ) To: abuse[at]loudpacket.com

1305731696 ( http://rm.resultsmail.com/unsubscribe.cfm?uid=2... ) To: abuse[at]loudpacket.com

1305731695 ( http://rm.resultsmail.com/route.cfm?mid=86676a9... ) To: abuse[at]loudpacket.com

1305731694 ( 67.43.151.116 ) To: abuse[at]loudpacket.com

--------------------------------------------------------------------------------

Submitted: Friday 2004/12/03 12:33:14 -0500:

Buy One, Get One

1305686725 ( http://www.pentabosol.com ) To: postmaster[at]expresstech.net

1305686724 ( http://www.pentabosol.com ) To: abuse[at]invotion.com

1305686723 ( http://www.pentabosol.com ) To: abuse[at]expresstechnologies.com

1305686722 ( http://www.pentabosol.com ) To: abuse#halfpricehosting.com[at]devnull.spamcop.net

1305686721 ( 67.43.151.116 ) To: spamcop[at]imaphost.com

1305686720 ( http://www.resultsmail.com/ ) To: abuse[at]loudpacket.com

1305686719 ( http://rm.resultsmail.com/unsubscribe.cfm?uid=2... ) To: abuse[at]loudpacket.com

1305686718 ( http://rm.resultsmail.com/route.cfm?mid=86676a9... ) To: abuse[at]loudpacket.com

1305686717 ( 67.43.151.116 ) To: abuse[at]loudpacket.com

--------------------------------------------------------------------------------

Submitted: Thursday 2004/12/02 13:00:14 -0500:

ASG/IBM meeting: Golfsmith Gift Card

1304886044 ( 67.43.151.116 ) To: abuse[at]loudpacket.com

--------------------------------------------------------------------------------

Submitted: Thursday 2004/12/02 12:04:25 -0500:

ASG/IBM meeting: Golfsmith Gift Card

1304847317 ( 67.43.151.116 ) To: abuse[at]loudpacket.com

--------------------------------------------------------------------------------

Submitted: Tuesday 2004/11/30 09:30:42 -0500:

2005 Masters Tournament

1303148313 ( http://www.sghgolf.com/specials.html ) To: mole[at]devnull.spamcop.net

1303148312 ( http://www.sghgolf.com ) To: mole[at]devnull.spamcop.net

1303148311 ( http://www.resultsmail.com/ ) To: mole[at]devnull.spamcop.net

1303148308 ( http://rm.resultsmail.com/route.cfm?mid=631d749... ) To: mole[at]devnull.spamcop.net

1303148305 ( 67.43.151.116 ) To: mole[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Tuesday 2004/11/30 08:15:23 -0500:

Solicitation: Small Business Financing

1303022384 ( http://www.southwyndfinancial.com ) To: abuse[at]cogentco.com

1303022365 ( 67.43.151.116 ) To: spamcop[at]imaphost.com

1303022358 ( http://www.resultsmail.com/ ) To: abuse[at]loudpacket.com

1303022354 ( http://rm.resultsmail.com/unsubscribe.cfm?uid=c... ) To: abuse[at]loudpacket.com

1303022350 ( http://rm.resultsmail.com/route.cfm?mid=709b670... ) To: abuse[at]loudpacket.com

1303022339 ( 67.43.151.116 ) To: abuse[at]loudpacket.com

--------------------------------------------------------------------------------

Submitted: Thursday 2004/11/25 03:39:48 -0500:

Ziba Music Presents: The Viper Room - Friday Nov 26

1299286201 ( 67.43.151.116 ) To: spamcop[at]imaphost.com

1299286197 ( http://www.resultsmail.com/ ) To: abuse[at]loudpacket.com

1299286195 ( http://rm.resultsmail.com/unsubscribe.cfm?uid=7... ) To: abuse[at]loudpacket.com

1299286193 ( http://rm.resultsmail.com/route.cfm?mid=a6cbe4e... ) To: abuse[at]loudpacket.com

1299286187 ( 67.43.151.116 ) To: abuse[at]loudpacket.com

--------------------------------------------------------------------------------

Submitted: Wednesday 2004/11/24 23:47:34 -0500:

Nov.discount code, Conversion video is ready.

1299187010 ( http://www.finafarm.com ) To: abuse[at]ev1.net

1299187008 ( 67.43.151.116 ) To: spamcop[at]imaphost.com

1299187007 ( http://www.resultsmail.com/ ) To: abuse[at]loudpacket.com

1299187006 ( http://rm.resultsmail.com/unsubscribe.cfm?uid=b... ) To: abuse[at]loudpacket.com

1299187005 ( http://rm.resultsmail.com/route.cfm?mid=3adecb0... ) To: abuse[at]loudpacket.com

1299187004 ( 67.43.151.116 ) To: abuse[at]loudpacket.com

--------------------------------------------------------------------------------

Submitted: Tuesday 2004/11/23 01:11:34 -0500:

Help Us Fund Recount Ohio's Media Campaign: Contribute $20 in the Next Two Days

1297567510 ( 67.43.151.116 ) To: abuse[at]loudpacket.com


(2 weeks later...)

What is interesting is we've found that an overwhelming majority (95% or so) of the reported complaints are being flagged with SpamAssassin as failing the FORGED_MUA_MOZILLA test.

Pretty interesting considering we don't have an X-Mailer header at all. I think there's a fly in the ointment personally as this has only recently become a problem.

That said, every complaint is investigated and if our customer can not provide us with proof of where they got their email list, and this proof does not match our terms of service, they will be cancelled.

As mentioned, we have recently removed one customer as a result of sending mail to a spam trap (not to mention the message itself was extremely spammy).


Well I hope you dumped these spammers:

From wwwmybalancedscoreca[at]bounce.resultsmail.com Mon Dec 13 12:13:58 2004

Delivery-date: Mon, 13 Dec 2004 12:13:58 -0500

Received: from [67.43.151.116] (helo=smtp1.resultsmail.com)

by mail.victim.example with esmtp (Exim 4.41)

id 1Cdtlm-0001x5-59

for x; Mon, 13 Dec 2004 12:13:58 -0500

Received: from nathan [10.1.2.101] by smtp1.resultsmail.com with ESMTP

(SMTPD32-8.13) id AD9C35F0070; Mon, 13 Dec 2004 09:13:00 -0800

Date: Mon, 13 Dec 2004 09:13:04 -0800 (PST)

From: "ActiveStrategy, Inc." <marketing[at]mybalancedscorecard.com>

To: psbltrap[at]kernelnewbies.nl

Subject: Webinar Reminder - Bringing Balanced Scorecards and Process Management Together

Mime-Version: 1.0

Looks like they are using harvested addresses. Their address list is not "Confirmed", I guarantee it!!!!!!

You also had problems with them back in the spring and they are at it again. Why do you let spammers repeat themselves?


Well, maybe I will change my mind.

67.43.151.116 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 6 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

You are letting ActiveStrategy, Inc. use harvested email addresses(again/still), a lot of them. Doesn't look too good. Better get rid of your spammers.

Are you actively supporting spammers now?


Well, ya missed another one!

67.43.151.116 listed in bl.spamcop.net (127.0.0.2)

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

listings in sightings!

Looks like your clients at Ziba Music and RK promotion are spamming http://www.conceptk.net/nye/ through your system.

Will you be removing your spammers?


> Well, ya missed another one!
>
> 67.43.151.116 listed in bl.spamcop.net (127.0.0.2)
>
> System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
>
> SpamCop users have reported system as a source of spam less than 10 times in the past week
>
> listings in sightings!
>
> Looks like your clients at Ziba Music and RK promotion are spamming http://www.conceptk.net/nye/ through your system.
>
> Will you be removing your spammers?

With adequate proof we remove spammers.

We just shut down one spammer this morning.

If you wish to provide full details please PM me.

The problem we have is we do not receive detailed reports... hence my original reason for posting on this board. We are more than willing to work with all of you to help keep our system clean but I'm not getting very far in my efforts. 99% of the complaints I have seen full reports on are due to false positives via SpamAssassin. Certainly details regarding who is tripping spam traps are a major concern... but again... we don't receive those details.

I'm not going to post anymore to defend ourselves. Either work with us to help us remove offenders or don't. If you don't work with us it just takes us that much longer to remove them but eventually it does get done.


I really don't understand the mechanism described in;

> What is interesting is we've found that an overwhelming majority (95% or so) of the reported complaints are being flagged with SpamAssassin as failing the FORGED_MUA_MOZILLA test.

On the other hand, Julian has been working something out with the SpamAssassin folks, referenced in the Topic at http://forum.spamcop.net/forums/index.php?showtopic=3129

As far as "working with you" ... are you in touch with any of the Deputies? On one hand, I can sympathize with your lack-of-data issues ... but, that others seem to have no problems finding spam samples, I'm still not sure of the SpamAssassin tie-in at all.

This is primarily a user-to-user support area, and I've not seen your 'evidence' of the SpamAssassin connection or why you're not believing some of the other referenced spam samples, which certainly appear to have some connection to resources you say you control. No accusations, no name-calling, just pointing out that you seem to be ticked off about the discussion thus far, so also needing to point out that it's hard to discuss things not seen. The Deputies will have access to stuff "we" can't touch.


I apologize for my tone but this has been a frustrating experience.

Been in touch with deputies. That didn't end up leading anywhere other than them supplying me with small snippets of headers. I thought we had made some progress after one round they provided me full headers but then it just went back to limited detail which was not helpful at all (just telling me the subjects of offending messages).

It doesn't help to check on this thread and see nothing but accusations posted by the same person over and over again since I last commented here. If accusations are to be made we need more proof in order to act on them. We do act to remove customers who violate our terms as has been shown not only to this thread (my word only I understand) but also to the deputies (they have been blind cc'd on notifications I've sent to customers we've cancelled after they have provided us details).

My hosting provider is forwarding some complaints. The majority of the ones forwarded to me have been scored false positives via SpamAssassin.

Here's a sample of the issue we are having with SpamAssassin scores

Content preview:  [ SpamCop V1.389 ] This message is brief for your

  comfort. Please use links below for details. Email from 67.43.151.116 /

  Wed, 8 Dec 2004 21:18:23 -0500

  http://www.spamcop.net/w3m?i=z1310126068z8...0ba3bdb3c09634z

  [...]

Content analysis details:   (7.2 points, 5.0 required)

pts rule name              description
---- ---------------------- --------------------------------------------------

0.9 FROM_ENDS_IN_NUMS      From: ends in numbers

0.7 FOR_FREE               BODY: No such thing as a free lunch (1)

0.1 EXCUSE_10              BODY: "if you do not wish to receive any more"

0.2 EXCUSE_14              BODY: Tells you how to stop further spam

0.1 HTML_FONTCOLOR_UNKNOWN BODY: HTML font color is unknown to us

0.1 HTML_LINK_CLICK_HERE   BODY: HTML link text says "click here"

0.8 HTML_30_40             BODY: Message is 30% to 40% HTML

0.6 HTML_WEB_BUGS          BODY: Image tag intended to identify you

0.0 HTML_MESSAGE           BODY: HTML included in message

0.4 HTML_FONT_INVISIBLE    BODY: HTML font color is same as background

0.6 DATE_IN_PAST_06_12     Date: is 6 to 12 hours before Received: date

2.7 FORGED_MUA_MOZILLA     Forged mail pretending to be from Mozilla

0.0 CLICK_BELOW            Asks you to click below

So you can deduct 4.2 points from this score and it goes through to the recipient.

Here are the headers for that message

Return-Path: <wwwpaloaltoresearchc[at]bounce.resultsmail.com>

Received: from smtp2.dnd.ca (gps11.ndhq.dnd.ca [131.137.250.218])

        by clover.marlant.hlfx.dnd.ca (8.11.2/8.11.2) with SMTP id iB91mX411459

        for <x>; Wed, 8 Dec 2004 21:48:34 -0400

Received: (from root[at]localhost)

        by smtp2.dnd.ca  with  id iB92IU025724

        for x; Wed, 8 Dec 2004 21:18:30 -0500 (EST)

Received: from smtp1.resultsmail.com (smtp1.resultsmail.com [67.43.151.116])

        by smtp2.dnd.ca  with ESMTP id iB92IMD25277

        for <x>; Wed, 8 Dec 2004 21:18:23 -0500 (EST)

Received: from nathan [10.1.2.101] by smtp1.resultsmail.com with ESMTP

  (SMTPD32-8.13) id AE56119C00B2; Wed, 08 Dec 2004 09:48:06 -0800

Message-ID: <1425______________________________STEM[at]nathan>

Date: Wed, 8 Dec 2004 09:48:13 -0800 (PST)

From: Prentiss Brown <pbrown[at]mail-net.com>

To: x

Subject: A Log Management Strategy for VISA CISP Compliance

Mime-Version: 1.0

Content-Type: multipart/alternative;

        boundary="----=_Part_1307915_32995288.1102528093625"

X-mTrak-mID: e01f0164-1615-4307-8f98-5c35c6469024

X-mTrak-cID: 699c4087-b206-4d2c-ba6a-4afb1da82dc5

Status:  

X-Mozilla-Status: 8001

X-Mozilla-Status2: 00000000

X-UIDL: 3d0fae2f00003f24

Our From addresses do not end or start in numbers and we provide no X-mailer header at all. So how they determined we were forging Mozilla is beyond me. Also our dates are not in the past.

As spam traps are super secret we do not receive reports on when these are triggered. However, this is a problem because we'd like to know who is using a harvested list as this is clearly against our terms of service and would be an aggravated offense if our customer was also found to be in violation of CAN-SPAM.

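The header block in the post above is exactly the kind of evidence the thread keeps asking for, and it can be read mechanically rather than by eye. The script below is an added example written for this thread, not SpamCop's or SpamAssassin's code. It parses a constructed copy of those headers (the "[at]" obfuscation written back as "@", body omitted) and does three things an abuse desk does by hand: it follows the Received: chain from the recipient's own servers to the first hand-off from outside, which is where the listed address 67.43.151.116 appears; it pulls out the hop the originating server itself wrote (internal host nathan, queue id AE56119C00B2), which is the value the sending operator can search for in the SMTP logs; and it separates headers a mailbox store writes when a message is saved (Status, X-Mozilla-Status, X-UIDL) from headers the sender set, noting that the sample carries no User-Agent or X-Mailer at all. The trusted-host set for the recipient side is my assumption, taken from the hostnames in the chain.

```python
"""Read a spam report's headers the way an abuse desk does.

Added example for this forum thread; not SpamCop's or SpamAssassin's code.
"""
import ipaddress
import re
from email import message_from_string
from typing import Optional

# Constructed sample: the header block posted above, "[at]" restored to "@",
# body omitted. Message-ID is kept as it was shown (partly blanked out).
SAMPLE = """\
Return-Path: <wwwpaloaltoresearchc@bounce.resultsmail.com>
Received: from smtp2.dnd.ca (gps11.ndhq.dnd.ca [131.137.250.218])
        by clover.marlant.hlfx.dnd.ca (8.11.2/8.11.2) with SMTP id iB91mX411459
        for <x>; Wed, 8 Dec 2004 21:48:34 -0400
Received: (from root@localhost)
        by smtp2.dnd.ca  with  id iB92IU025724
        for x; Wed, 8 Dec 2004 21:18:30 -0500 (EST)
Received: from smtp1.resultsmail.com (smtp1.resultsmail.com [67.43.151.116])
        by smtp2.dnd.ca  with ESMTP id iB92IMD25277
        for <x>; Wed, 8 Dec 2004 21:18:23 -0500 (EST)
Received: from nathan [10.1.2.101] by smtp1.resultsmail.com with ESMTP
  (SMTPD32-8.13) id AE56119C00B2; Wed, 08 Dec 2004 09:48:06 -0800
Message-ID: <1425______________________________STEM@nathan>
Date: Wed, 8 Dec 2004 09:48:13 -0800 (PST)
From: Prentiss Brown <pbrown@mail-net.com>
To: x
Subject: A Log Management Strategy for VISA CISP Compliance
Mime-Version: 1.0
Status:
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: 3d0fae2f00003f24

"""

# Assumption: the recipient-side servers whose Received: lines we believe.
# In a real report this comes from the reporting user's mail configuration.
RECIPIENT_HOSTS = {"clover.marlant.hlfx.dnd.ca", "smtp2.dnd.ca"}

# Written by a mail store or mail client (mbox status flags, Mozilla mail,
# POP clients) when the message is saved; never set by the sending server.
STORAGE_HEADERS = {"status", "x-status", "x-keywords",
                   "x-mozilla-status", "x-mozilla-status2", "x-uidl"}

IP_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_HOST = re.compile(r"^from\s+([^\s(\[]+)")
BY_HOST = re.compile(r"\bby\s+(\S+)")
QUEUE_ID = re.compile(r"\bid\s+([^\s;]+)")


def parse_received(msg) -> list:
    """Split each Received: header into from-host, from-IP literal, by-host
    and queue id. Order is as in the message: newest hop first."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(str(raw).split())          # unfold continuation lines
        ip, frm = IP_LITERAL.search(text), FROM_HOST.match(text)
        by, qid = BY_HOST.search(text), QUEUE_ID.search(text)
        hops.append({"from_host": frm.group(1) if frm else None,
                     "from_ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None,
                     "id": qid.group(1) if qid else None})
    return hops


def originating_ip(hops: list, trusted: set) -> Optional[str]:
    """Newest-first, return the first public IP that a trusted server accepted
    mail from. Lines written by untrusted servers are ignored: anyone can add
    a Received: line that points somewhere else."""
    for hop in hops:
        if hop["by"] not in trusted or not hop["from_ip"]:
            continue
        if hop["from_host"] in trusted:
            continue                                 # internal hand-off
        if ipaddress.ip_address(hop["from_ip"]).is_private:
            continue                                 # RFC 1918 / loopback
        return hop["from_ip"]
    return None


def sender_side_hops(hops: list, origin_ip: Optional[str]) -> list:
    """Hops written by the originating server itself: the part the sending
    operator can match against its own SMTP logs (queue id, internal host)."""
    origin = next((h for h in hops if h["from_ip"] == origin_ip), None)
    return [] if origin is None else [h for h in hops if h["by"] == origin["from_host"]]


def post_delivery_headers(msg) -> list:
    """Header names present that were added on storage, not by the sender."""
    return [name for name in msg.keys() if name.lower() in STORAGE_HEADERS]


def claimed_mua(msg) -> dict:
    """Headers in which sending software names itself (none in the sample)."""
    return {h: msg[h] for h in ("User-Agent", "X-Mailer") if msg[h] is not None}


def analyse(raw: str, trusted: set) -> dict:
    msg = message_from_string(raw)
    hops = parse_received(msg)
    origin = originating_ip(hops, trusted)
    return {"origin_ip": origin,
            "sender_hops": sender_side_hops(hops, origin),
            "post_delivery_headers": post_delivery_headers(msg),
            "claimed_mua": claimed_mua(msg)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE, RECIPIENT_HOSTS).items():
        print(f"{key}: {value}")
```

Run as a script it prints the origin address, the one sender-side hop with its queue id, the four storage headers, and an empty set of MUA claims. The trusted-host set is the one piece of information SpamCop's parser has and a third party does not, so an abuse desk working from a forwarded report should re-derive the origin from the chain as above rather than accept the reporter's reading of it, and should treat anything in STORAGE_HEADERS as telling it about the recipient's mailbox, not the sender's software.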

Archived

This topic is now archived and is closed to further replies.

