EricM Posted February 9, 2005 Share Posted February 9, 2005 Hello. I sell web hosting and we today had a customer who used his account to send ebay fraud spam. The problem is ONE spamcop user reported the same email 8 times within 5 minutes and got our server IP blocked. I know that spamcop blocks an IP automatically after a certain # of results but spamcop should make sure that these reports come from different user. A single user should not have the power to block any site he wishes by submitting the same spam multiple times. His user name is "Allan Holm". Thanks, Eric Link to comment Share on other sites More sharing options...
loafman Posted February 9, 2005 Share Posted February 9, 2005 The problem is ONE spamcop user reported the same email 8 times within 5 minutes and got our server IP blocked. I know that spamcop blocks an IP automatically after a certain # of results but spamcop should make sure that these reports come from different user. A single user should not have the power to block any site he wishes by submitting the same spam multiple times. I quite often get 10-20 identical spams to spamtraps, all delivered at the same time, and all reported as quickly as possible. I do not think that SC will make an SCBL entry on just one reporter's submissions, even if they do 10 in a row. There must have been a 2nd or 3rd reporter involved. Link to comment Share on other sites More sharing options...
Merlyn Posted February 9, 2005 Share Posted February 9, 2005 Glad to see that Allan is reporting all of his spam instead of just one and deleting the dupes. Link to comment Share on other sites More sharing options...
Derek T Posted February 9, 2005 Share Posted February 9, 2005 Hello. I sell web hosting and we today had a customer who used his account to send ebay fraud spam. The problem is ONE spamcop user reported the same email 8 times within 5 minutes and got our server IP blocked. I know that spamcop blocks an IP automatically after a certain # of results but spamcop should make sure that these reports come from different user. A single user should not have the power to block any site he wishes by submitting the same spam multiple times. His user name is "Allan Holm". Thanks, Eric 24118[/snapback] Care to share the IP address that is listed? 'We' could then look at the evidence. Link to comment Share on other sites More sharing options...
Miss Betsy Posted February 9, 2005 Share Posted February 9, 2005 I sell web hosting and we today had a customer who used his account to send ebay fraud spam. The problem is ONE spamcop user reported the same email 8 times within 5 minutes and got our server IP blocked. If you have gotten rid of the customer, I don't see what the problem is. Your server was only listed while the spam was being sent so that others did not receive it. Some of your other customers may have inexperienced a slight delay in sending email while you took care of the situation, but it was probably not more inconveniencing than a backhoe or thunderstorm and, unfortunately because of the spammers, is one of the realities of internet life. The purpose of the spamcop blocklist is to prevent other people from receiving the ebay fraud spam. As long as it was being sent, the IP address was blocklisted (though the listing should be based on more than one reporter. OTOH, one report to a spamtrap will list a server and you will not receive a report.) When you received the first report, presumably you did something about it so the spam stopped. Then it doesn't matter how many other reports are made. The listing is based on when the last spam came from that IP address. Miss Betsy Link to comment Share on other sites More sharing options...
Wazoo Posted February 9, 2005 Share Posted February 9, 2005 As original poster has yet to respond, not a lot of time right now, I'll just add this if someone wants to spend the time trying to dig out the specific (making an assumption that there is a relationship) ... route: 83.70.0.0/15 descr: eircom, Ireland origin: AS5466 Link to comment Share on other sites More sharing options...
EricM Posted February 10, 2005 Author Share Posted February 10, 2005 The IP is 69.57.134.80 After removing the site i went to check if the IP was blocked. I guess it could have been a spamtrap i dont know. The only reports i got from spamcop was the 8 dupes of the same spam all within 5 minutes. So i just assumed that the block was based on those reports from that one user seeing as i did not get any others. The problem is that i did not even get a chance to deal with the problem before it was blacklisted. Link to comment Share on other sites More sharing options...
Wazoo Posted February 10, 2005 Share Posted February 10, 2005 The IP is 69.57.134.80 Thanks, but would have been nice to know at your first post. The only reports i got from spamcop was the 8 dupes of the same spam all within 5 minutes. So i just assumed that the block was based on those reports from that one user seeing as i did not get any others. Assumptions sometimes suck. You say "8 dupes" .. where it was more likely 8 people reporting the same spam ... but again, I didn't see the reports. The problem is that i did not even get a chance to deal with the problem before it was blacklisted. Again, short on data here, but ... SenderBase shows some increase in traffic ... would you have any other reason for this increase beyond your "single spammer" ..??? http://www.senderbase.org/?searchBy=ipaddr...ng=69.57.134.80 Volume Statistics for this IP Magnitude Vol Change vs. Average Last day ......... 3.5 .. 70% Last 30 days ... 3.3 .. 20% Average ........ 3.3 Link to comment Share on other sites More sharing options...
Derek T Posted February 10, 2005 Share Posted February 10, 2005 The IP is 69.57.134.80 After removing the site i went to check if the IP was blocked. I guess it could have been a spamtrap i dont know. The only reports i got from spamcop was the 8 dupes of the same spam all within 5 minutes. So i just assumed that the block was based on those reports from that one user seeing as i did not get any others. The problem is that i did not even get a chance to deal with the problem before it was blacklisted. 24182[/snapback] Yes, we see only the 8 e-bay phishes within 5 minutes. Duplicate spam to the same address is very common. Spamtrap evidence is not available to us but it seems very likely that if there is only one 'human' reporter spamtraps were also involved. Mole reporters could also have fed the blocklist. I notice that this is not the first phishing trip from your server: there were 5 duplicated phishes on 24 November last too. You'd be classed as a re-offender. As for your last point, I don't know why you're unhappy: this is SpamCop doing exactly what it says on the tin: the listing gave you the 'heads-up', you dealt with it and were de-listed within a few hours. SpamCop exists to stop current spews, no-one makes a judgement or 'puts' you on the list: it's all automatic, as is de-listing. IMHO you should be thanking SpamCop for a job well done: without the quick warning you might have ended up on other lists that are a lot more difficult (or costly) to get off! Link to comment Share on other sites More sharing options...
Merlyn Posted February 10, 2005 Share Posted February 10, 2005 I see more than 8 reports and I also see phishes for sun trust bank along with ebay phishes and reports from more than 1 person! Also reports for this IP go to the EV1 abuse desk so you would probably only see what they send you. Link to comment Share on other sites More sharing options...
Derek T Posted February 10, 2005 Share Posted February 10, 2005 I see more than 8 reports and I also see phishes for sun trust bank along with ebay phishes and reports from more than 1 person! Also reports for this IP go to the EV1 abuse desk so you would probably only see what they send you. 24200[/snapback] Aye but the Sun Trust phishes are from Nov 04 so can't conribute to this listing surely? Link to comment Share on other sites More sharing options...
Merlyn Posted February 10, 2005 Share Posted February 10, 2005 Thank's, missed that one Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.