FredR Posted December 4, 2004 Posted December 4, 2004 We have a problem that on the surface appears illogical and hope someone can shed some light on it. We recently appeared on the blacklist. Here’s what I know: - Until the end of October 2004 we were not listed and we have had a clean bill of health since 1999. - Starting sometimes in November 2004, we were listed 20 times to date. - It appears that we are listed for sending mail to a trap. This is what we did: - We removed all subscriptions received in the month of November 2004 and sent an Email to those affected, asking to confirm their subscription. - Only those that re-subscribed were added back in. Seems to me that should have taken care of whatever the problem may have been. We continue to be listed on a daily basis. As to how a trap mail got into our subscription based model is a mystery to me. Maybe it’s a simple as when we kept un-subscribing a very irate husband almost daily until we figured out that his wife kept signing up. They never talked. We are a thorn in the side of our many competitors and have been subjected to ferocious attacks in other parts of our operation. Any Ideas? Fred
Wazoo Posted December 4, 2004 Posted December 4, 2004 No specific data provided, so no research can be performed. Therefore, the only realistic answer at this point is to suggest reading the FAQ and/or the "Why Am I Blocked?" Pinned entry (a duplication of that item in the FAQ, only because this question gets asked so many times by folks that won't/don't try the FAQ) Bottom line, "you" sending an e-mail to a spamtrap is only one possible scenario of the many ....
Merlyn Posted December 4, 2004 Posted December 4, 2004 Post the IP and you will get plenty of people to do research.
FredR Posted December 4, 2004 Author Posted December 4, 2004 Post the IP and you will get plenty of people to do research. 20911[/snapback] Thanks for the quick replies. Should have done that in the first post 66.150.147.5 Fred
dra007 Posted December 4, 2004 Posted December 4, 2004 Your problem is not restricted to SpamCop, sounds like you might be <<Joe Jobed>> (am I using that correctly?): Ref: SBL14734 66.151.88.0/24 is listed on the Spamhaus Block List (SBL) 05-Mar-2004 21:54 GMT | SR03 Direct Q click / dq07.net Internap Network Services PNAP-06-2001 (NET-66-150-0-0-1) 66.150.0.0 - 66.151.255.255 Direct Q click PNAP-OCY-DQLICK-RM-06 (NET-66-151-88-0-1) 66.151.88.0 - 66.151.88.255 In fact your listing is quite EXTENSIVE (Click Here!)! What is more disturbing is the ROKSO listing!
FredR Posted December 4, 2004 Author Posted December 4, 2004 Your problem is not restricted to SpamCop, sounds like you might be <<Joe Jobed>> (am I using that correctly?): In fact your listing is quite EXTENSIVE (Click Here!)! What is more disturbing is the ROKSO listing! 20913[/snapback] The ROKSO listing points to another IP / Company. When I search there for the right IP, I get 66.150.147.5 is not listed in the SBL 66.150.147.5 is not listed in the XBL As to the first link, a lot of these reports were prior to 05/2004 - the date we started mailing on that IP. Following the remaining links, I cannot find and entry for our company and/or IP. Maybe I don't understand what this all means? Probably. What does <<Joe Jobed>> mean? Fred
dra007 Posted December 4, 2004 Posted December 4, 2004 As an interesting side note: > By hosting Hi-Speed Media on that space, you have probably permanently > damaged it. Even if SPEWS unlists it, others won't. It may be widely > firewalled, meaning any customer whom you put into that space is going > to have problems, and will not like you very much once it's pointed out > what you did to them. > > I suggest you retire that space, and try very hard to not ever make the > same mistake again. After all, ARIN doesn't accept 'we hosted spammers > and made our allocation unusable' as an excuse for getting more space > allocated. and this is only one example I came up with in the google search. Gurus here may be able to give you more sophisticated answers. Bottom line is that your ISP has been associated with bad spam practices in the past, regardless of the good reputation of the company you represent. I am not sure how that might impact your situation at present, it deffinitely sheds a bad light on it.
dra007 Posted December 4, 2004 Posted December 4, 2004 /snip. What does <<Joe Jobed>> mean? Fred 20914[/snapback] My initial suspition was that the spamtrap reports were a result of a mallicious registration using a known spamtrap address! Given the history of that IP range, that is not enirely unconciveable!
FredR Posted December 4, 2004 Author Posted December 4, 2004 My initial suspition was that the spamtrap reports were a result of a mallicious registration using a known spamtrap address! Given the history of that IP range, that is not enirely unconciveable! 20918[/snapback] Unfortunately, neither the openrbl report nor the rokso report make any sense to. Everything I see is in another IP range with companies I have never heard of. I do feel like a moron. As to the "known spamtrap" -- I was told they were secret. Is that no so? Fred
Wazoo Posted December 4, 2004 Posted December 4, 2004 Fot the actual use of the term "JoeJob" .. please see http://forum.spamcop.net/forums/index.php?...431entry14431 for a couple of links. There are just too many folks these days describing forged e-mail address as a JoeJob, but the actual definition of the term carries much more weight than the simple address misuse. Senderbase traffic count doesn't offer any glaring indicators of a server problem, the IP isn't currently listed on the SpamCop DNSBL, http://www.moensted.dk/spam/?addr=66.150.147.5&Submit=Submit lists an MX issue, but nothing glaring as far as anything currently happening (SPEWS is not SpamCop) .... Checking your site, the sign-up appears controlled (though did not try it out) .. but the descriptions might possibly factor in to some of this ... the phrase "periodic mailings" .... how often is "periodic" ..?? One of those signed up two or three months ago but long forgotten things? At this point, I'm going to say that I'm going to follow the data provided within the FAQ / Pinned item and suggest that you contact the Deputies, with enough detail that they can possibly look through the past database for entries involving the listings you describe.
StevenUnderwood Posted December 4, 2004 Posted December 4, 2004 Looking at the data available to us mere mortals, it is your mailing list causing the problems: Submitted: Friday, December 03, 2004 6:12:23 PM -0500: V 7 Issue 135 Holiday Extravaganza -------------------------------------------------------------------------------- Submitted: Thursday, December 02, 2004 10:11:44 PM -0500: V 7 Issue 134 Holiday Extravaganza -------------------------------------------------------------------------------- Submitted: Wednesday, November 24, 2004 11:08:05 PM -0500: V 7 Issue 128 Talking Turkey, More TG Recipes -------------------------------------------------------------------------------- Submitted: Wednesday, November 24, 2004 6:14:27 PM -0500: Subscription Details -------------------------------------------------------------------------------- Submitted: Wednesday, November 24, 2004 6:12:43 PM -0500: V 7 Issue 128 Talking Turkey, More TG Recipes Now there are several possibilities beyond what you have already cleaned up. Two I can think of immediately (both of which are mentioned in the FAQ I believe) are: 1.Do you automatically remove addresses that bounce for non-existing accounts? It could be someone was signed up for your list, changed their address but never unsubscribed, then someone else got that address and began reporting your list becasue THEY did not request it. 2.It could be "accidental" reporting because of the other blocklists causing it to be marked as spam and automatically reported by someone who may not even see it. This is one reason automatic reporting is not supported at spamcop. We are a thorn in the side of our many competitors and have been subjected to ferocious attacks in other parts of our operation. Also, is it possible to sign up an incorrect address to your list? It should not be, all requests should be confirmed at the time of submittal BEFORE being added to the actual list. The FAQ at the top of this forum also has some pointers on this type of thing.
FredR Posted December 4, 2004 Author Posted December 4, 2004 RE : "periodic mailings" .... how often is "periodic" ..?? That deals with our Alert. No way of knowing when green onions contain e.Coli. I'll try to make that more clear to the subscribers. RE: Do you automatically remove addresses that bounce for non-existing accounts Yes, our bounce list uses a "three strikes your out" method. RE: is it possible to sign up an incorrect address to your list? It should not be, all requests should be confirmed at the time of submittal BEFORE being added to the actual list. Yes, it is possible to sign up with an incorrect address. The third bounce removes them though. Yes, we do confirm any requests but they are instantly added [removed] to[from] the actual list. Looks like we need to make some changes, as in double opt in. Fred
dra007 Posted December 4, 2004 Posted December 4, 2004 /snip Following the remaining links, I cannot find and entry for our company and/or IP. /snip 20914[/snapback] Indeed, the problem with those may be upstream: IP address 66.150.147.5 is listed as internap.com spam-support. Please note that the following comments apply to internap.com since 66.150.147.5 seems to be owned or controlled by them. This does NOT mean that we ever received spam from 66.150.147.5. It just means that the upstream owner of that address block (which seems to be internap.com) is listed here for spam support. That upstream needs to resolve the below issues. "added 2002-01-22; on sprint.net" "added 2002-07-07; spam support - hosting sendoutmail.com and jdrmedia.com" "added 2002-07-22; spam support - hosting internetseer.com and roving.com" "added 2002-09-10; spam support - hosting randbad.com on 209.191.175.226" "added 2002-09-17; spam support - see spews.org/html/S373.html" "added 2002-10-07; spam support - hosting netflip.com" "added 2002-12-07; spam support - dns service for columbiahouse.com" "added 2003-01-15; spam support - see www.spamhaus.org/sbl/listings.lasso?isp=internap.com" "added 2003-02-04; spam support - transit for AS18633" "added 2003-04-13; spam support - transit for wholesalebandwidth" "added 2003-05-20; spam support - hosting www.pr0debtc0nsu1tants.com on 64.74.96.230, was on 63.251.163.110, was on verio" "added 2003-07-02; spam support - hosting www.adaniexports.com on 63.251.163.110" "added 2003-07-22; spam support - hosting e-i1.com spamming from NET-63-251-54-64-1" "added 2004-03-08; spam support - see www.spamhaus.org/SBL/sbl.lasso?query=SBL14734" "added 2004-07-31; spam support - see www.spamhaus.org/SBL/sbl.lasso?query=SBL10031" "added 2004-07-31; spam support - transit for AS30038 whose entire 69.63.160.0/20 is on the SBL" If some mail server is rejecting your email based on the above listing, ask them to either whitelist your address or to stop using this list. I don't know who is using blackholes.five-ten-sg.com to block email - it is my personal list used to protect my personal mail servers (and my clients). I make it public so that anyone who has mail rejected here can find out why it was rejected. You might want to search on Google in news.admin.net-abuse.* for internap.com. You might consider moving to a provider whose ip packets are more acceptable to the rest of the internet.
StevenUnderwood Posted December 5, 2004 Posted December 5, 2004 Yes, it is possible to sign up with an incorrect address. The third bounce removes them though. Yes, we do confirm any requests but they are instantly added [removed] to[from] the actual list. Looks like we need to make some changes, as in double opt in. Yes you do, but unless you want to sound like a spammer around here, you should use the phrase "confirmed opt-in" (a person needs to confirm they control the address they signed up to the list). A simple reply is not good enough either because of things like auto responders. Double opt-in is a phrase used by spammers to try and show that it is just a useless extra step trying to cause them harm. Your current method means I could sign up my neighbor for your list and as far as they are concerned, it is spam because they did not give you consent to send them anything. And most ISP's warn their customers (even forbid in some cases) clicking on a link or unsubscribing to any message they did not request. An incorrect address may be an active address and not bounce, which is where your problem could be.
FredR Posted December 9, 2004 Author Posted December 9, 2004 I wanted to thank all of you who contributed to this thread. Lots of food for thought and we will make the changes that were suggested. In the meantime, we have managed to stay of the list for about the last 48 hours. This is what we did to get there: We found that our Sunday mailing did not contain whatever triggered to get us on the list. However, the weekly mailings Mon-Fri would land us on the list without fail. We did a query to isolate the users that were receiving our daily mailings but not our sunday mailings. We removed all 4,750 of them and asked to them to re-subscribe. That worked. What we have learned in the process though is a bit disturbing. If in fact it was a spamtrap that caused this problem, it would have had to be submitted manually. Our confirmed opt-in coming on line soon should catch that, hopefully. Fred Roosli Chef2Chef.Net
turetzsr Posted December 9, 2004 Posted December 9, 2004 Hi, Fred! <snip> In the meantime, we have managed to stay of the list for about the last 48 hours. 21123[/snapback] ...Congratulations! <g> This is what we did to get there: We found that our Sunday mailing did not contain whatever triggered to get us on the list. However, the weekly mailings Mon-Fri would land us on the list without fail. We did a query to isolate the users that were receiving our daily mailings but not our sunday mailings. We removed all 4,750 of them and asked to them to re-subscribe. <snip> 21123[/snapback] ...That's a good thing to do periodically. For this and other good tips, see: FAQ Entry: Am I Running Mailing Lists Responsibly?.
Wazoo Posted December 9, 2004 Posted December 9, 2004 I wanted to thank all of you who contributed to this thread. Lots of food for thought and we will make the changes that were suggested. And in return, much thanks to you for the way you started this discussion, worked through the issues, and even topping all that by coming back with good news. The numbers involved certainly demand some kudos to the folks that worked through that mass of data. The downside of being famous <g> We did a query to isolate the users that were receiving our daily mailings but not our sunday mailings. We removed all 4,750 of them and asked to them to re-subscribe. You know of course that those direct market / advertising folks are just dieing to know .. how many subscriptions did you "lose" ... realizing that in reality, that there's a lot of reasons behind a non-renewal, even including that e-mail from that address had been filtered to the bit-bucket for ages. That worked. What we have learned in the process though is a bit disturbing. If in fact it was a spamtrap that caused this problem, it would have had to be submitted manually. Our confirmed opt-in coming on line soon should catch that, hopefully. Unfortunately, as wierd and wooly as some of those spamtrap addresses end up being, it's pretty well recognized that there are number of the main-sleeze spammers that include them in theri outgoing lists, primarily to put others in the same position as yourself ... assumedly to help spread that anti-SpamCop, anti-BL feeling. Any way, thanks for the hard work at working things through and being able to maintain that great outlook on things. (Now, if we could talk about things like cookies, standardization of recipe titles, and maybe an easier way to make the decision of which ones to try first <g>)
FredR Posted December 9, 2004 Author Posted December 9, 2004 I have an unfair advantage. I run a forum with 11k members and know exactly how much a civilized thread and a thank you note means to the folks running this board :-) As to the cookies, your best bet is Cynthia Bowan, the most prolific cookieholic I know. She does not disappoint. http://chef2chef.net/features/cynthia/article/2001-12.htm Merry Christmas. Fred
WB8TYW Posted December 12, 2004 Posted December 12, 2004 Spammers have been known to sign up suspected spam reporters and spam traps to mailing lists that do not use confirmed opt-in in order to either find the spam trap address, or to cause other problems. In accepting subscriptions, make sure that you let the subscriber know that you have recorded the I.P. address that the subscription request came in on by putting it in the confirmation request. Also subscription requests from open proxies or I.P. addresses listed by sbl.spamhaus.org are likely to be false. If I were running such a mailing list, I would also not be allowing subscriptions from I.P. addresses in the spamcop.net blocking list. Keeping track of the I.P. address pools were subscription requests come in that are not confirmed is probably a good idea. It can probably be used to predict when a request is likely to be fake. Of course, a confirmation request should be made and confirmed before the person is added to a mailing. That way the only thing that should be in the spamtrap is confirmation of subscription request with the originating I.P. address. While I can not predict what the spamcop deputies would do with such evidence, If I were to only see such reports in a spamtrap, I would tend to be more inclined to believe that the mail server was doing the best that they could do. If you can send the confirmation from a different I.P. address then the mailing list operates on, then it would be impossible for the confirmation requests sent to spamcop.net spamtraps to affect the mailing list. -John Personal Opinion Only
Recommended Posts
Archived
This topic is now archived and is closed to further replies.