
All email suddenly being held and I am now on blac



Hello,

About 2 days ago, all my incoming email is being listed as spam and in the held queue. This includes email sent from the spamcop website, like password reminder. I've been going through and whitelisting all valid email. I have been using spamcop over a year and it's been working fine until a couple of days ago.

I deleted my mailhosts and re-added them again. And the verification emails from spamcop were listed as spam as well.

I am now starting to get bounced messages from emails I send out that my email sent to them was considered as spam as well.

Any thoughts to why this may be happening?

Thank you.

Link to comment
Share on other sites

Assumption, you are using a SpamCop Email Account

If all incoming mail is being filtered into your held mail folder, I would check your blocking lists. SpamAssassin is possibly set too low, try a higher setting 3-5.

Also check to see if you have it set to block all mail except for white listed mail.

Link to comment
Share on other sites

The probable cause for all messages being held after everything was working is that a forwarding account is on one of the blocklists.

Check the headers of a few of them and see what the X-spam* headers look like. Specifically, X-SpamCop-Disposition: which will tell you why a message was held and X-SpamCop-Checked:, the last address of which will tell you what server was listed.

If you have trouble, post the x-spam* headers here and we should be able to help you sort it out.

Link to comment
Share on other sites

I deleted my mailhosts and re-added them again.  And the verification emails from spamcop were listed as spam as well.

The MailHost configuration thing is only used during the parsing/reporting actions. There is no connection between the MailHost configuration and your SpamCop e-mail filtered account.

I am now starting to get bounced messages from emails I send out that my email sent to them was considered as spam as well.

Others have made suggestions, but based on your "sudden, immediate, and universal" mode change of "all" e-mail being moved to the Held folder .. there's almost got to be a single checked box somewhere that's causing this to happen.

The other side of the coin is that you mention in your Topic Title that "you are now on blac ..." ... you didn't provide an IP, but yes, one could make the jump that your ISP's e-mail server is listed on the SCBL .. all your white-listing actions are adding e-mail addresses/Domains/etc. to your database, but the e-mail is being moved to Held based on where it's coming from (in this possible scenario, your ISP) ...

but again, you didn't offer much specific data to dig through. Your posting IP basically says Big ISP, nation-wide access points, and way too many e-mail servers listed to try to guess which one your e-mail might be traversing.

Link to comment
Share on other sites

Thank you everyone for your responses!

Further clarification:

I am using a SpamCop email account, one I've had for about two years.

I have removed SpamAssassin (it was set to 5) and all mail is still being held.

I have not reported any new spam in a couple months. Just quick reporting from the held mail (which is spam already reported).

I found where to look up my email server IP:

http://www.spamcop.net/w3m?action=blcheck&ip=217.160.230.40

It seems this server is no longer on a blacklist. It was when I posted this post.

One question I have: My SMTP mailserver is shared by thousands of other users, and the IP address blacklisted... is my mailserver? Or my specific mailserver account?

Fears I have:

1. Someone has cracked my password, which I change every 3 months, and is sending email out my SMTP server.

2. Someone is maliciously reporting my email address as spam. (It could be accidental as well) But I have no idea who or why someone would want to do this.

3. I'm pretty sure my computer hasn't been compromised. First, I have a mac, while that doesn't guarantee anything, it helps keep trojans and viruses down. I'm also sitting behind a Router-Firewall (Linksys with default settings) and a software-firewall.

Here are the headers of the email reply that I received:

Your time is appreciated more than you know.

Thank you.

----------------

From - Sat Jan 15 11:59:24 2005
X-Account-Key: account3
X-UIDL: UID14379-1073534494
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <>
Delivered-To: spamcop-net-mySpamcopEmail[at]spamcop.net
Received: (qmail 9034 invoked from network); 15 Jan 2005 18:55:31 -0000
Received: from unknown (192.168.1.101)
  by blade2.cesmail.net with QMQP; 15 Jan 2005 18:55:31 -0000
Received: from mout.perfora.net (217.160.230.40)
  by mailgate.cesmail.net with SMTP; 15 Jan 2005 18:55:31 -0000
Received: from mout.perfora.net[217.160.230.41] (helo=mout.perfora.net)
  by mx.perfora.net with ESMTP (Nemesis),
  id 0MKv6A-1Cpt5841GO-000713; Sat, 15 Jan 2005 13:55:30 -0500
To: MyOtherEmail[at]MyDomain.com
From: "Mail Delivery System" <Mailer-Daemon[at]perfora.net>
Subject: Mail delivery failed: returning message to sender
Date: Sat, 15 Jan 2005 13:55:30 -0500
Message-ID: <0MKzcw-1Cpt5841Ar-0000P0[at]mout.perfora.net>
Precedence: bulk
X-Original-ID: 0MKz5u-1Cpt581D1O-0007yY
X-spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13) on blade2.cesmail.net
X-spam-Level:
X-spam-Status: hits=0.5 tests=AWL version=3.0.0
X-SpamCop-Checked: 192.168.1.101 217.160.230.40
X-SpamCop-Disposition: Blocked bl.spamcop.net
X-SpamCop-Whitelisted: mailer-daemon[at]perfora.net

This message was created automatically by mail delivery software
NEMESIS/mout on mout.perfora.net[217.160.230.40].

The delivery of the mail below has failed due to the following reasons:

PersonIsentEmailTo[at]TheirDomain:
recipient PersonIsentEmailTo[at]TheirDomain rejected by 207.228.225.131
command : rcpt
response: 553 Blocked - see http://www.spamcop.net/bl.shtml?217.160.230.40

-----------------------------------------------------------------

Received: from 67-41-125-169.dnvr.qwest.net[67.41.125.169] (helo=[192.168.1.100])
  by mrelay.perfora.net with ESMTP (Nemesis),
  id 0MKz5u-1Cpt581D1O-0007yY; Sat, 15 Jan 2005 13:55:30 -0500
Message-ID: <41E96721.5060809[at]MyDomain.com>
Disposition-Notification-To: My Name <MyOtherEmail[at]MyDomain.com>
Date: Sat, 15 Jan 2005 11:55:29 -0700
From: My Name <MyOtherEmail[at]MyDomain.com>
Reply-To: MyOtherEmail[at]MyDomain.com
Organization: My Company Name
User-Agent: Mozilla Thunderbird 1.0 (Macintosh/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Person I Sent Email To" <PersonIsentEmailTo[at]TheirDomain>
Subject: Re: Video transfer
References: <BE0D81A3.5315%PersonIsentEmailTo[at]TheirDomain>
In-Reply-To: <BE0D81A3.5315%PersonIsentEmailTo[at]TheirDomain>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Provags-ID: perfora.net abuse[at]perfora.net login:f51f122ef4b1ca9b798487d7d8e9aa2f

-----------------------------------------------------------------

Link to comment
Share on other sites
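The header check suggested earlier in the thread (read X-SpamCop-Disposition for the reason, then take the last address in X-SpamCop-Checked as the listed server), applied to the headers posted above. This is an added example, not part of any post; the function names are hypothetical, the sample is constructed from the quoted headers, and the reversed-octet DNSBL query name is the general blocklist convention rather than something stated in the thread.

```python
import ipaddress
import socket
from email import message_from_string

# Constructed sample: filter headers copied from the held bounce quoted above.
SAMPLE = """\
X-spam-Status: hits=0.5 tests=AWL version=3.0.0
X-SpamCop-Checked: 192.168.1.101 217.160.230.40
X-SpamCop-Disposition: Blocked bl.spamcop.net
X-SpamCop-Whitelisted: mailer-daemon[at]perfora.net
Subject: Mail delivery failed: returning message to sender

(body omitted)
"""

def explain_hold(raw_message):
    """Report why a message was held and which relay caused it."""
    msg = message_from_string(raw_message)
    disposition = (msg.get("X-SpamCop-Disposition") or "").split()
    checked = (msg.get("X-SpamCop-Checked") or "").split()
    result = {"held": False, "zone": None, "listed_ip": None, "query": None,
              "whitelisted": msg.get("X-SpamCop-Whitelisted")}
    if len(disposition) != 2 or disposition[0] != "Blocked":
        return result  # not held by a blocklist (or header absent)
    result["held"], result["zone"] = True, disposition[1]
    try:
        # Per the thread, the last checked address is the listed server.
        ip = ipaddress.IPv4Address(checked[-1])
    except (IndexError, ValueError):
        return result  # header missing or malformed: reason known, IP not
    # DNSBL convention: reverse the octets and append the list's zone.
    result["listed_ip"] = str(ip)
    result["query"] = ".".join(reversed(str(ip).split("."))) + "." + result["zone"]
    return result

def currently_listed(query):
    """Live DNS check (needs network): an answer in 127.0.0.0/8 means listed."""
    try:
        return socket.gethostbyname(query).startswith("127.")
    except socket.gaierror:
        return False  # NXDOMAIN (not listed) or the lookup itself failed

if __name__ == "__main__":
    print(explain_hold(SAMPLE))
```

In the quoted headers the sender is whitelisted and the message is still blocked, which matches the later remark that the hold is based on where the mail comes from, not on the address.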

One off topic but pertinent post:

for those who haven't discovered LaunchBar yet...

http://www.obdev.at/products/launchbar/

It's insane how awesome this program is! I just programmed an automatic search function into it so I can type:

command+spacebar

sb

then paste the ip into it

and it automatically opens a webpage to the spamcop blacklist checker with that IP!

Because the IP is in the URL:

http://www.spamcop.net/w3m?action=blcheck&ip=217.160.230.40

I just enter this into Launchbar

http://www.spamcop.net/w3m?action=blcheck&ip=*

to "program" it.

If you try it... you'll be hooked.

'nuff said.

Link to comment
Share on other sites

I am using a SpamCop email account, one I've had for about two years.

Good info, suggesting that you've seen some things change, other things have remained the same ...

I have removed SpamAssassin (it was set to 5) and all mail is still being held.

Technically, this doesn't appear to be the reason for the problems you're asking about .. but still a good troubleshooting step .. thanks for trying to work things out and reporting the results ...

I have not reported any new spam in a couple months.  Just quick reporting from the held mail (which is spam already reported).

Now we're getting into some grey area here .. the "which is spam already reported" rings some bells right off the bat. The Held Mail folder is simply e-mail that was moved there for some reason .. but the "reported" action doesn't happen until you actually follow through and perform that step.

That said, you will find more than a few cautionary notes associated with Quick-Reporting. When it works, it's great. But it is a known fact that "stuff happens" .. and when something goes wrong, it's almost always with the worst possible results, usually meaning that you in fact do end up "reporting yourself" ....

I found where to look up my email server IP:

http://www.spamcop.net/w3m?action=blcheck&ip=217.160.230.40

It seems this server is no longer on a blacklist.  It was when I posted this post.

Agreed to that. Additionally, the next step would be to check the SenderBase data at http://www.senderbase.org/?searchBy=ipaddr...=217.160.230.40 ..

Data here answers questions you ask later ...

The next step would be a Google search: http://groups-beta.google.com/groups?q=217.160.230.40 ... which shows some spam folks have placed into sightings ... is any of this "evidence" your outgoing e-mail? (note that these are just samples posted by some of the few that know about this newsgroup, have figured out how to make a post there, and felt like taking the time to post it .. so don't think that there were only 15 spam e-mails sent out <g>)

The next step might be to check your own reporting history and look up your last reports, looking for the following reporting addresses which might indicate that you were reporting yourself ...

Parsing input: 217.160.230.40
host 217.160.230.40 = mout.perfora.net (cached)
ISP believes this issue is resolved: 217.160.230.40 - no date available
Cached whois for 217.160.230.40 : abuse[at]schlund.de
Using abuse net on abuse[at]schlund.de
abuse net schlund.de = abuse[at]schlund.de
Using best contacts abuse[at]schlund.de

One question I have:  My SMTP mailserver is shared by thousands of other users, and the IP address blacklisted... is my mailserver?  Or my specific mailserver account?

Note the Volume of e-mail reported, compared to use of the earthquake richter scale ... at a 5.6 magnitude, this server is cranking out some serious e-mail ... suggesting that the ownership and support for that specific server would be from an office with more than one support person ... looking at the line "# of domains controlled by this network owner 9763" would suggest that you are not the only user of this server ...

Fears I have:

1.  Someone has cracked my password, which I change every 3 months, and is sending email out my SMTP server.

See above - is any of that "sightings" traffic actually your outgoing e-mail?

2.  Someone is maliciously reporting my email address as spam.  (It could be accidental as well)  But I have no idea who or why someone would want to do this.

Forged e-mail addresses in the From: and/or Reply-To: is the current state of spam .. but this has nothing to do with a SpamCopBL listing ... Please see the FAQ

3.  I'm pretty sure my computer hasn't been compromised.  First, I have a mac, while that doesn't guarantee anything, it helps keep trojans and viruses down.  I'm also sitting behind a Router-Firewall (Linksys with default settings) and a software-firewall.

This data is only 'interesting' if any of the "sightings" traffic is "your e-mail" ... Again, a more likely connection to "your computer" would be the Quick-Reporting mode gone bad ....

Link to comment
Share on other sites

the "which is spam already reported" rings some bells right off the bat.  The Held Mail folder is simply e-mail that was moved there for some reason

Wazoo, I think you misunderstood what spiralocean meant by that. I think that spiralocean meant that the stuff in their Held Mail folder was there because the source of the items were on the SpamCop Blacklist (and perhaps others) and so those sources have been "already reported" by others, but not by spiralocean.

As for the server IP, I see that although the ISP has reported to SpamCop that things are "resolved," there's still spam coming out of the server and even being reported by SpamCop users. Here's a Subject line from today:

Submitted: Monday, January 17, 2005 04:04:35 -0700:

US GreenCard 2005 register- Leben und Arbeiten in USA / Live and work in USA...

prior to that there's one from Saturday:

Submitted: Saturday, January 15, 2005 06:33:39 -0700:

Your Charter One Bank Account May Be Suspended

but the items seem to be few in number, overall. I'd speculate that "self reporting" could be a possibility, but I see mention above of mailhosts configuration, or there might be other SC users on the same SMTP server that are self reporting.

DT

Link to comment
Share on other sites

I think that spiralocean meant that the stuff in their Held Mail folder was there because the source of the items were on the SpamCop Blacklist (and perhaps others) and so those sources have been "already reported" by others, but not by spiralocean.

Except that is not necessarily true, especially if spamassassin is in use (which it originally was for this user). Also, some blocklists do NOT report the spam to the ISP, simply adding the IP to the list.

Link to comment
Share on other sites

Right...but I was trying to interpret what they apparently meant.

DT


You interpreted correctly. Thank you for posting.

Regardless, I always go through and check my held mail and do not blindly report it.

Still, if I reported spam from my held list that was detected by SpamAssassin and not the SpamCop Blacklist, and if my mailhosts changed, then I suspect it is possible that I self reported.

I have since then removed SpamAssassin and deleted and reconfigured my mailhosts.

Thank you all for your help!

Link to comment
Share on other sites

We have had problems in the recent past with spammers using any information given out by spamcop to mold their spamming to work around the blocklist. Spammers ruin it for everybody.

With a paid reporting account, you do get to look up recent reports on any IP with minimal details (time reported, subject, and where the reports went to).

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
