Jump to content

Filters have failed on webmail


Recommended Posts

All webmail filters on my account have failed as of yesterday

Which set of filters are you referring to specifically? The whitelist/blacklist filters applied when a message arrives in your inbox and redirects messages between the Held Mail and Inbox folders, or the custom filters only available when logged into webmail?

I used to have a bunch of the custom filters setup but do not use that function any longer. I could set some up again as a test if that is what you are referring to.

*Moderator hat* Moved to Email forum and cliffski notified.

Link to comment
Share on other sites

YES! SpamCop gone bonkers...

What's going on?

I just spent an hour weeding through all the spam ...

finding GOOD mail in the "Held Mail" folder.

(SpamCop has NEVER done this before!)

*** EVEN email I have set filters for is NOT being filtered.

*** EVEN email I have clicked "Release and Whitelist"

I found a half dozen in the spam folder, and on each one

I clicked "Release and Whitelist" ... one is from a frequent

listserv I subscribe to.

An hour later, there were MORE of them in the spam folder.

What can I do to get SpamCop interface to begin properly

filtering again.

?????

Link to comment
Share on other sites

showker:

That can happen when your ISP's server gets listed. To determine exactly why your messages are being held, you need to look at the headers of the held message, specifically the x-spamcop-* ones at the bottom of the headers.

Also, If you release and whitelist a message, other messages from that same address will NOT be automatically released. You need to do that manually.

Also, I am still not sure if cliffski's problem is spamcop filtering or webmail filtering related as I have had no reply to my query.

Link to comment
Share on other sites

Mr. Underwood thus spoke:

> That can happen when your ISP's server gets listed.

> To determine exactly why your messages are being

> held, you need to look at the headers of the held

> message, specifically the x-spamcop-* ones at the

> bottom of the headers.

Oh, but it's not just email that would be from my server, it's

email from all over.

Are these the headers you speak of:

> X-spam-Checker-Version:

> SpamAssassin 3.0.0 (2004-09-13) on blade6

> X-spam-Level:

> X-spam-Status: hits=0.2 tests=NO_REAL_NAME version=3.0.0

> X-SpamCop-Checked: 192.168.1.101 65.173.133.16

> X-SpamCop-Disposition: Blocked bl.spamcop.net

This particular email is from an online form containing a

sendmail scri_pt. Yes, it is our server (Sprintlink) however,

the first IP noted in the "SpamCop-Checked" is from the

Internet Assigned Numbers Authority (IANA) in California noting:

> IANA Special Use

> NameServer: BLACKHOLE-1.IANA.ORG

> NameServer: BLACKHOLE-2.IANA.ORG

> Comment: This block is reserved for special purposes.

> Comment: Please see RFC 1918 for additional information.

specifically named "BLACKHOLE" ... I guess meaning the server

is for some reason black listed.

It should NOT be blacklisted.

Do the headers indicate that our server is black listed?????

Of course, the problem wasn't JUST mail from my ISP, it was

a number of different mails from other ISPs elsewhere.

One family of email now being filtered is a listserv I've subscribed

to for ages. I even made a folder for that list, and a local

'rule' that would move the list mail into the folder. Obviously

SpamCop pulls "spam" before referring to the local user's

filters.

No, I don't agree with you that it's "your ISP's server gets listed"

Then you said:

> Also, If you release and whitelist a message, other messages

> from that same address will NOT be automatically released.

> You need to do that manually.

What does that mean? What does the system "whitelist" if not

the address?

If this condition is going to be the defacto, ongoing condition, how

can I "whitelist" the good mail?

Link to comment
Share on other sites

X-SpamCop-Checked: 192.168.1.101 65.173.133.16

> X-SpamCop-Disposition: Blocked bl.spamcop.net

According to those headers, the IP address 65.173.133.16 was listed when this message passed through it. It is not currently listed, but did have a bunch of the standard spam through it yesterday.

Only the last IP address listed is significant for the purpose of determining which IP caused the block. Spamcop searches out ALL IP addresses in the received lines to determine whether to block or not.

No, I don't agree with you that it's "your ISP's server gets listed"

You can agree or not. If all of the messages that were held looked like the above (had 65.173.133.16 in the headers), that is why they were held.

What does that mean? What does the system "whitelist" if not

the address?

It does whitelist the address, but the whitelist would only be looked at for any new messages coming into the server. Any messages already in the Held Mail folder would not automatically be transferred into the Inbox. I was addressing something you may not have been asking, but others have asked the same thing (Why when I whitelist an address do all of the messages that apply not get transferred to the inbox?).

The process is a virtual straight line.

0.Check for virus and drop message.

1.Process all headers for documentation purposes, checking for applied blocklists.

2.Does the personal whitelist apply, send it to the Inbox.

3.Do the applied blocklists apply, send it to the Held Mail folder.

4.Does the personal blacklist apply, send it to the Held Mail folder.

Nothing else is done automatically at the time the message is received.

Link to comment
Share on other sites

Okay... thanks for your speedy reply.

I was not disagreeing to disagree.

... > You can agree or not.

... > If all of the messages that were held looked like the above

... > (had 65.173.133.16 in the headers), that is why they were held.

No. It's just that it was the only example I had saved.

How do I get it to STOP filtering 65.173.133.16 --

that's MY server, and I assure you we are NOT spammers.

There were many others from all kinds of other ISPs (IP blocks)

that are known safe and not usually over in the spam folder.

Like DOZENS of them, not just this one.

For instance SpamCop was putting mail into the "Held" folder

from all kinds of sources that I've been getting "safely" for

ages -- from major known "good" sources, like www.Apple.com,

to small ISPs with personal email accounts that would not

be filtered. The Adobe Acrobat PDF list was one as well.

Unless SpamCop has started blocking Apple.com and Adobe.com

(Which sometimes I think it SHOULD!)

That's why I was so alarmed -- and resolved it must be some sort

of software change on the SpamCop side. Otherwise I never

log into this forum. (In fact I had to dig and dig to find my password.)

SpamCop has always worked flawlessly until now. (With the exception

of the POP mail back to me not working.)

I'll watch carefully over the next few days and see if it clears up.

By the way... how did you get this forum to put the QUOTES into

those fancy boxes?

Thanks again for responding.

Fred

See: http://www.aacug.org/UCE/FTC_1.html

(Meet spam Cop)

Link to comment
Share on other sites

How do I get it to STOP filtering 65.173.133.16 --

that's MY server, and I assure you we are NOT spammers.

Unless you turn off the bl.spamcop.net check, you can not get it to stop filtering on an IP address. You would need to whitelist any email addresses sending you email through that IP address.

Also, either spam is coming from your server (possible virus or trojan) or you are reporting yourself using quick reporting. You may wish to re-check your submissions from yesterday to see if you were reporting your own IP. If you are reporting, I would configure mailhosts and make sure that ALL servers your email travel through are included within the mailhost configuration. That will eliminate reporting them as sources and getting them blocklisted due to your own reporting.

The following is available if you plug the IP address into the parser and click on the [report history] link. All these (and probably more) went to abuse[at]sprint.net.

--------------------------------------------------------------------------------

Submitted: Tuesday, February 08, 2005 4:27:30 PM -0500:

Discount Drugs

--------------------------------------------------------------------------------

Submitted: Tuesday, February 08, 2005 4:27:26 PM -0500:

Application approval for x Tue, 08 Feb 2005 06:16:48 -0800

--------------------------------------------------------------------------------

Submitted: Tuesday, February 08, 2005 4:27:21 PM -0500:

Do you need losing wt? blubber

--------------------------------------------------------------------------------

Submitted: Tuesday, February 08, 2005 4:27:20 PM -0500:

paris hilton sex video frree

--------------------------------------------------------------------------------

Submitted: Tuesday, February 08, 2005 4:27:15 PM -0500:

check out free Cameron Diaz footage

--------------------------------------------------------------------------------

Submitted: Tuesday, February 08, 2005 4:27:07 PM -0500:

Get back iiinto shape

--------------------------------------------------------------------------------

Submitted: Tuesday, February 08, 2005 4:26:35 PM -0500:

Take p0siti0ns bef0re breaking news explOsi0n

--------------------------------------------------------------------------------

Submitted: Tuesday, February 08, 2005 4:26:35 PM -0500:

watch p4ris h1lt0n for free

--------------------------------------------------------------------------------

Submitted: Tuesday, February 08, 2005 4:21:49 PM -0500:

Tadalafil Soft Tabs - Great results!

--------------------------------------------------------------------------------

Submitted: Tuesday, February 08, 2005 4:21:48 PM -0500:

Pre-approved Application #91826869E

--------------------------------------------------------------------------------

For instance SpamCop was putting mail into the "Held" folder

from all kinds of sources that I've been getting "safely" for

ages -- from major known "good" sources

Without you posting the IP addresses, I can not comment on any particulars, but many hosts end up on the blocklist from time to time. How long they stay on the list is a factor of how they respond to the reports. Post the blocked IP's (the last in the list) or do your own investigation... you have the same tools I do if you have a spamcop email account with the associated reporting account. Place the IP address (only) into the paste-it-in parser and look at the report history link.

By the way... how did you get this forum to put the QUOTES into

those fancy boxes?

There is a How to use FAQ in these forums dealing with this, but basically, I click the QUOTE button above the text I am entering, paste the text I want to quote, and hit the QUOTE button again to close the quote. You can also quote whole messages, but you should edit out the un-needed parts to limit the size of your reply.

Link to comment
Share on other sites

The problem went away, now it's back.

I inquired:

>> How do I get it to STOP filtering 65.173.133.16 --

>> that's MY server, and I assure you we are NOT spammers.

Then Mr. Underwood said:

> Unless you turn off the bl.spamcop.net check, you can

> not get it to stop filtering on an IP address.

I do not understand. HOW do I turn "OFF" the "bl.spamcop.net check" ???

I believe some low-life spammer has been spoofing my domain,

making it appear that spam has come from our server.

Then Mr. Underwood said:

> Also, either spam is coming from your server (possible virus

> or trojan) or you are reporting yourself using quick reporting.

My admin looked and said there are no holes in the system.

He ALSO has not gotten any SpamCop reports. So he says.

Mr. Underwood also said:

> If you are reporting, I would configure mailhosts and

> make sure that ALL servers your email travel through

> are included within the mailhost configuration.

Sorry... to seem so stupid... but again I don't understand.

How do I "configure mailhosts" to accomplish what you suggest???

and then. . .

> you have the same tools I do if you have a spamcop email

> account with the associated reporting account.

> Place the IP address (only) into the paste-it-in parser and

> look at the report history link.

Where would I find the "paste-it-in parser" ?

I looked at the SpamCop "Reports" and none of them contained

our IP numbers. Should they if we got reported?

In essence: I need to WHITELIST my IP addresses, right?

I also need to somehow get my server removed from the black-list,

and somehow white-listed...

is this correct?

Link to comment
Share on other sites

The problem went away, now it's back.

I inquired:

  >> How do I get it to STOP filtering 65.173.133.16 --

  >> that's MY server, and I assure you we are NOT spammers.

Then Mr. Underwood said:

  > Unless you turn off the bl.spamcop.net check, you can

  > not get it to stop filtering on an IP address.

I do not understand.  HOW do I turn "OFF" the "bl.spamcop.net check" ???

I believe some low-life spammer has been spoofing my domain,

making it appear that spam has come from our server.

Here is the procedure for turning "OFF" the "bl.spamcop.net check":
  • Login to Webmail (if you haven't already).
  • Click "Options" on the top row, which should take you to the "Mail :: User Options" Page.
  • Click "SpamCop Tools" near the top of the middle "Mail Management" column, which should take you to the "Mail :: User Options" / SpamCop Tools Page (shortcuts: secure and insecure).
  • Click "Select your email filtering blacklists." near the left middle of the page, which should take you to the "Mail :: Blacklist Filters" / Blacklists Page (shortcuts: secure and insecure).
  • Scroll down to the "DNS Blacklists" section.
  • To the left of "SpamCop Blacklist" (which should really read "SpamCop BlockList"), uncheck the checkbox. This will stop the SCBL from being used to filter your mail.
  • Make any other changes as appropriate.
  • Scroll to the bottom and click the "Submit" Button. This will save any changes you made.
  • Scroll to the bottom again and this time click the "Return to SpamCop Tools" Link (shortcuts: secure and insecure) to return you to the "Mail :: User Options" / SpamCop Tools Page.
  • Click the "Save Options" Button in the bottom left corner. This may not in fact be necessary for "SpamCop Options".
  • Click another Button on the top row to go back to what you were doing, and later Logout as appropriate.

Then Mr. Underwood said:

  > Also, either spam is coming from your server (possible virus

  > or trojan) or you are reporting yourself using quick reporting. 

My admin looked and said there are no holes in the system.

He ALSO has not gotten any SpamCop reports. So he says.

Mr. Underwood also said:

  > If you are reporting, I would configure mailhosts and

  > make sure that ALL servers your email travel through

  > are included within the mailhost configuration.

Sorry... to seem so stupid... but again I don't understand.

How do I "configure mailhosts"  to accomplish what you suggest???

Please see How do I configure Mailhosts for SpamCop?.

and then. . .

  > you have the same tools I do if you have a spamcop email

  > account with the associated reporting account.

  > Place the IP address (only) into the paste-it-in parser and

  > look at the report history link.

Where would I find the "paste-it-in parser" ?

It's the big white box on this page. The results of parsing just your IP Address should also tell you where (to what email address) the Parser wants to send SpamCop Reports for your server's IP Address - please make sure your admin is reading email sent to that email address.
I looked at the SpamCop "Reports" and none of them contained

our IP numbers.  Should they if we got reported?

Yes.
In essence: I need to WHITELIST my IP addresses, right?
That is essentially what Mailhosts does
I also need to somehow get my server removed from the black-list,

and somehow white-listed...

is this correct?

24334[/snapback]

Yes, but removal from any particular blacklist or blocklist is only necessary if your server is currently listed by that blacklist or blocklist.
Link to comment
Share on other sites

Okay... now I think we're getting someplace.

Here is the results of that check:

I submitted : 65.173.133.16

SpamCop Said:

> Statistics:

> 65.173.133.16 listed in bl.spamcop.net (127.0.0.2)

>

> More Information..

> 65.173.133.16 not listed in dnsbl.njabl.org

> 65.173.133.16 not listed in dnsbl.njabl.org

> 65.173.133.16 not listed in cbl.abuseat.org

> 65.173.133.16 not listed in dnsbl.sorbs.net

> 65.173.133.16 not listed in relays.ordb.org.

Which obviously means that I accidentally let one of my OWN emails

get "Reported" to SpamCop via the "REPORT AS spam" button

in the "HELD MAIL" section !!!!

And, I knew that would happen because there are so many it's

difficult to check each one several times a day.

SO -- the BIG question is:

HOW do I get 65.173.133.16 REMOVED from the bl.spamcop.net ????

AND...

WHICH if any, of the OTHER black lists should I subscribe to???

(Since I removed the bl.spamcop.net in the "SpamCop Tools" won't

it cease filtering and trapping the spam from my mail?)

Thanks for the above-and-beyond-the-call-of-duty help.

Fred

Link to comment
Share on other sites

HOW do I get 65.173.133.16 REMOVED from the bl.spamcop.net ????

24363[/snapback]

65.173.133.16 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 9 hours.

Delisting is automatic. Make sure that this machine is clean and not sending spam. Use a proper mailhost setup to avoid reporting yourself.

Link to comment
Share on other sites

Okay... now I think we're getting someplace.

Here is the results of that check:

I submitted : 65.173.133.16

SpamCop Said:

  > Statistics:

  > 65.173.133.16 listed in bl.spamcop.net (127.0.0.2)

  >

  > More Information..

  > 65.173.133.16 not listed in dnsbl.njabl.org

  > 65.173.133.16 not listed in dnsbl.njabl.org

  > 65.173.133.16 not listed in cbl.abuseat.org

  > 65.173.133.16 not listed in dnsbl.sorbs.net

  > 65.173.133.16 not listed in relays.ordb.org.

Which obviously means that I accidentally let one of my OWN emails

get "Reported" to SpamCop via the "REPORT AS spam" button

in the "HELD MAIL" section !!!!

No, It means that the spamcop bl is more sensitive that other blocklists. The main goal is to get it on the list while a spam run is in progress and drop it once the spam has stopped. Other bl's are harder to get on, but usually harder to get off as well.

And, I knew that would happen because there are so many it's

difficult to check each one several times a day.

If you configure mailhosts, it is unlikely you will report your own servers.

SO -- the BIG question is:

HOW do I get 65.173.133.16 REMOVED from the bl.spamcop.net ????

AND...

WHICH if any, of the OTHER black lists should I subscribe to???

(Since I removed the bl.spamcop.net in the "SpamCop Tools"  won't

it cease filtering and trapping the spam from my mail?)

Thanks for the above-and-beyond-the-call-of-duty help.

Fred

24363[/snapback]

Your choice of blocklists is completely up to you. I have ALL blocklists provided by spamcop enabled and combined with my whitelist provides very little false positive (last one was about 2 months ago when one of my vendors changed domain). Below is a sample of the spam recently submitted as coming from that IP address. This nformation with report ids is available to paid reporters.

Submitted: Monday, February 14, 2005 4:39:58 PM -0500:

DP_CONTACT_INQUIRY

Submitted: Tuesday, February 08, 2005 4:27:20 PM -0500:

paris hilton sex video frree

Submitted: Tuesday, February 08, 2005 4:27:15 PM -0500:

check out free Cameron Diaz footage

Submitted: Tuesday, February 08, 2005 4:27:07 PM -0500:

Get back iiinto shape

Submitted: Tuesday, February 08, 2005 4:26:35 PM -0500:

Take p0siti0ns bef0re breaking news explOsi0n

Submitted: Tuesday, February 08, 2005 4:26:35 PM -0500:

watch p4ris h1lt0n for free

Submitted: Tuesday, February 08, 2005 4:21:49 PM -0500:

Tadalafil Soft Tabs - Great results!

Submitted: Tuesday, February 08, 2005 4:21:48 PM -0500:

Pre-approved Application #91826869E

Link to comment
Share on other sites

  > Statistics:

  > 65.173.133.16 listed in bl.spamcop.net (127.0.0.2)

Which obviously means that I accidentally let one of my OWN emails

get "Reported" to SpamCop via the "REPORT AS spam" button

in the "HELD MAIL" section !!!!

Is this "your" e-mail server? Are you the "only" user of this e-mail server?

SO -- the BIG question is:

HOW do I get 65.173.133.16 REMOVED from the bl.spamcop.net ????

This is a "Frequently Asked Question" ....and as such, you will find lots of data in addition to this when looking through the Forum FAQ - Please read before Posting .... A lot of this even put into a special Pinned item titled "Why am I Blocked?"

Link to comment
Share on other sites

How do I get it to STOP filtering 65.173.133.16 --

that's MY server, and I assure you we are NOT spammers.

This would be a New Feature Request.

(I have the same problem: my ISP is listed from time to time causing all emails to be held by spamcop.)

3.Do the applied blocklists apply, send it to the Held Mail folder.

should be modified with

IPs of my mailhosts (from the mailhost configuration or a personal list) should not be checked in this step.

Lukas

Link to comment
Share on other sites

IPs of my mailhosts (from the mailhost configuration or a personal list) should not be checked in this step.

As has been mentioned previously when this topic comes up, the mailhost configuration is completely unrelated to the mail system. The mailhost configuration is a tool to help the reporting system. They are like 2 seperate companies under one name, reporting and email. They are not even on the same coast.

Also, personally, I would not want that type of system. I get spam regularly through my ISP's servers for other users of that ISP. I don't want to get all that spam and I report every one. I just check the parse to be sure that the spam did come from my ISP. I also report these manually to the ISP. As I never get any valid email to my ISP account, it is as good as a spamtrap.

Link to comment
Share on other sites

As has been mentioned previously when this topic comes up, the mailhost configuration is completely unrelated to the mail system.  The mailhost configuration is a tool to help the reporting system.  They are like 2 seperate companies under one name, reporting and email.  They are not even on the same coast.

24503[/snapback]

They are unrelated now, but they could be linked. The west coast company could make their mailhost file available to the east coast company, which could use the information for user-specific exceptions to blocklists.

Also, personally, I would not want that type of system.  I get spam regularly through my ISP's servers for other users of that ISP.  I don't want to get all that spam and I report every one.  I just check the parse to be sure that the spam did come from my ISP.  I also report these manually to the ISP.  As I never get any valid email to my ISP account, it is as good as a spamtrap.

24503[/snapback]

This feature could be made optional. The user would check a box to activate it.
Link to comment
Share on other sites

and hit the QUOTE button again to close the quote.  You can also quote whole messages, but

oh, thanks. :) Because I have been using the QUOTE button below the message, and it, like REPLY, quotes way to much. I'm always deleting to keep it short. So does this technique mean you have already copied the text because the "code button" QUOTE brings up a dialog box. Then you can paste into it.

Humm, seems easy enough to just reply, delete parts out, and be done. Yes I read the FAQ once, last week. Maybe missed something.

Link to comment
Share on other sites

This would be a New Feature Request.

(I have the same problem: my ISP is listed from time to time causing all emails to be held by spamcop.) ........ IPs of my mailhosts (from the mailhost configuration or a personal list) should not be checked in this step.

They are unrelated now, but they could be linked. The west coast company could make their mailhost file available to the east coast company, which could use the information for user-specific exceptions to blocklists.

This feature could be made optional. The user would check a box to activate it.

If this is a "New Feature Request" it should be posted as such into that Forum section created for that purpose .. vice sitting here buried in a discussion ... However the reality (and suggested ease) of this would be pretty nebulous.

oh, thanks.   :) Because I have been using the QUOTE button below the message, and it, like REPLY, quotes way to much.  I'm always deleting to keep it short.   So does this technique mean you have already copied the text because the "code button" QUOTE brings up a dialog box.  Then you can paste into it.

Humm, seems easy enough to just reply, delete parts out, and be done.  Yes I read the FAQ once, last week.  Maybe missed something.

The buttons arem't in the FAQ .. there is some descriptiom available under the Help screens on this application, but a previous reference was to a write-up or two in the Forum Section titled "How to use ...." one section being this Forum ..

Hey, if one needs to know this procedure in 3 months or whatever, how would he find it, like a FAQ?

A really nice guy/girl would take the time and write up a nice procedure and post it somewhere for future access ... As above, the "How to Use ..." or even the FAQ Development Forum seem like a couple of good starting points <g>

Link to comment
Share on other sites

Hey, if one needs to know this procedure in 3 months or whatever, how would he find it, like a FAQ?

24511[/snapback]

Thanks for the reminder. I have posted it at FAQ Entry: How To Stop Filtering With The SCBL, for SpamCop Email System Customers for your convenience, and I expect Wazoo will be along shortly to wedge it into Original SpamCop FAQ & Added Forum Items just after "Blocking and Blackhole lists available".
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...