
Server(s) Blocked


Firevision


Hi,

We operate some mail forwarding servers. These servers only provide mail forwarding, and unless someone sends mail from the command line (which would be for testing purposes by an admin only, there are no other accounts on these boxes) all they do is forward mail. There isn't even a web server on the boxes, no insecure website form that could be used by a spammer to send spam.

They are not used as a source of mail. They are checked regularly for open relays, and pass every time. Therefore they are not open relays either.

It seems that the servers are listed in SpamCop's BlackList however.

Query bl.spamcop.net - 62.121.2.60

62.121.2.60 is silver.firevision.net

It appears that SpamCop is looking at the Received: headers, and simply listing all servers following that header as being a source of that spam, even though with a valid e-mail service such as e-mail forwarding, that will introduce two Received: headers, one of which has nothing to do with being the source of the spam at all!

So how do we get a server removed from this blacklist?

How do we even get to see the mails, or at least a message id, of the e-mails that caused the server to get listed?

I'd appreciate any help or advice. I'd especially like for the server to be removed from the blacklist.

Graham


Per parse and WHOIS data, abuse reports (if sent) would have gone to:

Parsing input: 62.121.2.60

host 62.121.2.60 = silver.firevision.net (cached)

Reporting addresses:

abuse[at]keme.net

So, these folks may have copies of spam complaints. Catch is the "mole reporting" status of some reporters may not have generated any actual outgoing reports. Thus JeffG's suggestion to contact one of the Deputies so they can look at what data they do have for this IPA.

Are the headers showing all needed data to show the proper handling of the e-mail flow through these Forwarding systems? i.e., IP matches name, incoming and outgoing, DNS and rDNS registered and correct, etc. Specifically headed to ... can SpamCop parse through your section of the headers to get to the actual source, or is the parse breaking because of some configuration / data issues at your servers?


Per parse and WHOIS data, abuse reports (if sent) would have gone to:

Parsing input: 62.121.2.60

host 62.121.2.60 = silver.firevision.net (cached)

Reporting addresses:

abuse[at]keme.net

So, these folks may have copies of spam complaints. Catch is the "mole reporting" status of some reporters may not have generated any actual outgoing reports. Thus JeffG's suggestion to contact one of the Deputies so they can look at what data they do have for this IPA.

Are the headers showing all needed data to show the proper handling of the e-mail flow through these Forwarding systems? i.e., IP matches name, incoming and outgoing, DNS and rDNS registered and correct, etc. Specifically headed to ... can SpamCop parse through your section of the headers to get to the actual source, or is the parse breaking because of some configuration / data issues at your servers?

We shouldn't have anything too drastic done to the headers of the e-mail. We use a fairly stock Exim setup, so the headers should show the originating server, and that our server was just a forwarding server.

I'll have to look up to see who the "deputies" are to get this dealt with.

I'll contact our upstream provider at that location too to see if they got the abuse e-mails. We try to respond to all those that we receive from SpamCop, but we can't do that if we don't get them forwarded to us!


My upstream provider has sent through the reports!

As I suspected, the spam e-mails never originated from our server, and this is clear in the Received: headers in the e-mails. 3 examples:

Received: from aannecy-204-1-31-122.w81-251.abo.wanadoo.fr ([81.251.135.122])
    by silver.firevision.net with smtp (Exim 4.12)
    id 1ArGiO-000CfW-00
    for x; Thu, 12 Feb 2004 13:17:14 +0000

Received: from pd9526d52.dip.t-dialin.net ([217.82.109.82])
    by silver.firevision.net with smtp (Exim 4.12)
    id 1AplSW-000F6Z-00
    for x; Sun, 08 Feb 2004 09:42:37 +0000
Received: from yahoo.com (mx2.mail.yahoo.com [64.156.215.6])
    by pD9526D52.dip.t-dialin.net (Postfix) with ESMTP id 662935E80F
    for <x>; Sun, 08 Feb 2004 16:28:43 -0500

Received: from wbar14.tampa1-4-4-151-219.tampa1.dsl-verizon.net ([4.4.151.219] helo=mfl-weiden.synlab.de)
    by silver.firevision.net with esmtp (Exim 4.12)
    id 1ANj7K-0000XD-00
    for x; Sun, 23 Nov 2003 01:32:54 +0000
Received: from 94.5.63.82 by smtp.won.de;
    Sun, 23 Nov 2003 01:08:29 +0000

I've got the upstream provider to update the RIPE records so that SpamCop reports will come to us now.

What is SpamCop's algorithm for detecting the originator of a spam message? It clearly looks like it doesn't take e-mail forwarding services into account!
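The thread does not describe SpamCop's actual parser, but the general technique a blocklist uses on a Received: chain is a trusted-relay walk: start at the newest header, and as long as the receiving ("by") host is one you trust, believe what it says about who handed it the message; the first sender that is not itself a trusted host is the origin, and every header below that was written by untrusted machines and may be forged. The following is an added example, not code from the thread, from Exim or from SpamCop. The sample headers are constructed from the third example above plus a hypothetical final hop at the recipient's MX (mx.example.org, a made-up name with a placeholder id). Running the walk once with only the MX trusted and once with silver.firevision.net also registered as a forwarder shows how a forwarding host ends up blamed when the parser does not know it.

```python
import ipaddress
import re

# Hypothetical recipient MX and the forwarding host named in the thread.
TRUSTED_MX = {"mx.example.org"}
TRUSTED_FORWARDERS = {"silver.firevision.net"}

# Constructed sample: the third Received chain quoted above, with a made-up
# final hop (mx.example.org, placeholder id) added to represent the recipient.
SAMPLE_HEADERS = """\
Received: from silver.firevision.net ([62.121.2.60])
\tby mx.example.org with esmtp id constructed-0001
\tfor <x>; Sun, 23 Nov 2003 01:33:10 +0000
Received: from wbar14.tampa1-4-4-151-219.tampa1.dsl-verizon.net ([4.4.151.219] helo=mfl-weiden.synlab.de)
\tby silver.firevision.net with esmtp (Exim 4.12)
\tid 1ANj7K-0000XD-00
\tfor x; Sun, 23 Nov 2003 01:32:54 +0000
Received: from 94.5.63.82 by smtp.won.de;
\tSun, 23 Nov 2003 01:08:29 +0000
"""

FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\sby\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw):
    """Join folded header lines: a continuation line starts with whitespace."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def received_hops(raw):
    """Parse Received: headers top-down into (from_host, from_ip, by_host) tuples."""
    hops = []
    for line in unfold(raw):
        if not line.lower().startswith("received:"):
            continue
        body = line[len("received:"):].strip()
        m_from, m_by, m_ip = FROM_RE.match(body), BY_RE.search(body), IP_RE.search(body)
        from_host = m_from.group(1) if m_from else None
        from_ip = m_ip.group(1) if m_ip else None
        if from_ip is None and from_host:
            # Some MTAs write a bare address literal instead of "host ([ip])".
            try:
                ipaddress.ip_address(from_host)
                from_ip = from_host
            except ValueError:
                pass
        by_host = m_by.group(1).rstrip(";,") if m_by else None
        hops.append((from_host, from_ip, by_host))
    return hops


def find_origin(hops, trusted):
    """Walk newest-first. While the receiving host is trusted, its 'from' claim is
    honest; the first sender outside the trusted set is the origin. Stop if the
    chain reaches a header written by a host we do not trust (it may be forged)."""
    trusted = {h.lower() for h in trusted}
    for from_host, from_ip, by_host in hops:
        if by_host is None or by_host.lower() not in trusted:
            return None
        if from_host and from_host.lower() in trusted:
            continue  # internal hop, e.g. forwarder -> MX; keep walking
        return from_ip
    return None


def naive_origin(raw=SAMPLE_HEADERS):
    """Only the recipient's MX is trusted: the forwarder gets blamed."""
    return find_origin(received_hops(raw), TRUSTED_MX)


def forwarder_aware_origin(raw=SAMPLE_HEADERS):
    """Forwarder registered as trusted: the walk reaches the real injecting host."""
    return find_origin(received_hops(raw), TRUSTED_MX | TRUSTED_FORWARDERS)


if __name__ == "__main__":
    print("origin, MX only trusted:      ", naive_origin())
    print("origin, forwarder also trusted:", forwarder_aware_origin())
```

The line "Received: from 94.5.63.82 by smtp.won.de;" below the forwarder's hop is never reached in either run: it sits beneath the first untrusted sender, so nothing about it can be verified, which is why a parser must stop there rather than keep walking down.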


As I suspected, the spam e-mails never originated from our server, and this is clear in the Received: headers in the e-mails. 3 examples:

Received: from wbar14.tampa1-4-4-151-219.tampa1.dsl-verizon.net ([4.4.151.219] helo=mfl-weiden.synlab.de)
    by silver.firevision.net with esmtp (Exim 4.12)
    id 1ANj7K-0000XD-00
    for x; Sun, 23 Nov 2003 01:32:54 +0000
Received: from 94.5.63.82 by smtp.won.de;
    Sun, 23 Nov 2003 01:08:29 +0000

I've got the upstream provider to update the RIPE records so that SpamCop reports will come to us now.

What is SpamCop's algorithm for detecting the originator of a spam message? It clearly looks like it doesn't take e-mail forwarding services into account!

The parser wasn't recognizing your server as a valid forwarding server but it is now. I also delisted your server -- this takes 2 hours to propagate. Again let me urge you to write to deputies <at> admin.spamcop.net if you have problems where the parser is misparsing, not recognizing your server and/or listing your IP incorrectly -- or, as an ISP, you have other problems of this nature.

I try to keep up with the newsgroups but I don't get to read them as often as I would like.
