RobertTinkelman
Posted April 13, 2005

Can someone give me a pointer to documentation on how SpamCop, when deciding where to direct a notification message, uses the various contacts in the ARIN whois database?

I'm asking because some notifications are coming to me, in my role with ISPnet, related to email sent by some of our customers. I had thought I'd set up the SWIPs in a way that would cause the notifications to go to the customer, but clearly don't have it quite right.

A recent example is an email that had originated at 69.48.133.19. The explanation in http://www.spamcop.net/sc?id=z751647436zc4...6723731a467370z states that

| If reported today, reports would be sent to:
| Re: 69.48.133.19 (Administrator of network where email originates)
| bob[at]tink.com

(That's me.)

The relevant SWIPs are 69.48.128.0/18 (ISPnet's direct ARIN allocation) and 69.48.133.0/27 (a subnet we assigned to a customer). I would have assumed that the SpamCop logic would use the more specific. I guess that's the first thing I was looking to verify in SpamCop documentation.

In the more specific SWIP, I am listed as NOCHandle, but both the OrgTechHandle and the AbuseHandle are set to addresses associated with our customer. Clearly my intent was that abuse reports (including SpamCop) get sent, by default, to the customer contact listed there.

Any advice would be much appreciated.

--
Bob Tinkelman <bob[at]tink.com>
ISPnet, Inc. 718.464.4747

StevenUnderwood
Posted April 13, 2005

On the tracking URL you provided:

Tracking message source: 69.48.133.19:
Routing details for 69.48.133.19
Cached whois for 69.48.133.19 : bob[at]tink.com
Using last resort contacts bob[at]tink.com

From the routing details:

Reports routes for 69.48.133.19:
routeid:13419230 69.48.128.0 - 69.48.191.255 to:bob[at]tink.com
Administrator found from whois records

From the refresh/show:

Tracking details
Display data:
"whois 69.48.133.19[at]whois.arin.net" (Getting contact from whois.arin.net )
checking NET-69-48-133-0-1
Display data:
"whois NET-69-48-133-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois myelen[at]aldoncci.com
Ignoring small (31 IP) network
checking NET-69-48-128-0-1
Display data:
"whois NET-69-48-128-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )
69.48.128.0 - 69.48.191.255:bob[at]tink.com
whois.arin.net contact: bob[at]tink.com
Routing details for 69.48.133.19
Using last resort contacts bob[at]tink.com

So, because the network is too small, it is using the larger network, which is yours. It should work for any larger networks you have set up. I know it works for my /24 at work.

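A small model of the fallback visible in the trace above, added here as an example; it is not SpamCop's code and not part of any post. It walks the covering whois networks from most to least specific, skips any below a size cutoff, and lists delegations whose abuse contact would be bypassed. The 256-address cutoff and the names `Swip`, `pick_report_contact` and `overridden_delegations` are assumptions: the thread establishes only that a /27 is skipped and a /24 is reported to work.

```python
import ipaddress
from dataclasses import dataclass

# Assumed cutoff; SpamCop's real threshold is not stated in the thread.
MIN_ADDRESSES = 256

@dataclass
class Swip:
    handle: str
    cidr: str
    abuse_email: str  # "" when the record carries no AbuseEmail

# Constructed from the two records quoted in the thread (addresses left obfuscated).
SAMPLE_SWIPS = [
    Swip("NET-69-48-128-0-1", "69.48.128.0/18", "bob[at]tink.com"),
    Swip("NET-69-48-133-0-1", "69.48.133.0/27", "myelen[at]aldoncci.com"),
]

def pick_report_contact(ip, swips, min_addresses=MIN_ADDRESSES):
    """Return (contact, trace), walking from most to least specific network."""
    addr = ipaddress.ip_address(ip)
    covering = [(ipaddress.ip_network(s.cidr), s) for s in swips]
    covering = [(n, s) for n, s in covering if addr in n]
    covering.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    trace = []
    for net, swip in covering:
        if net.num_addresses < min_addresses:
            trace.append(f"ignoring small network {swip.handle} ({net})")
            continue
        if not swip.abuse_email:
            trace.append(f"no abuse contact on {swip.handle} ({net})")
            continue
        trace.append(f"using {swip.handle} ({net})")
        return swip.abuse_email, trace
    return None, trace

def overridden_delegations(swips, min_addresses=MIN_ADDRESSES):
    """Audit: delegations whose own contact is bypassed for a parent's."""
    findings = []
    for s in swips:
        first_ip = str(ipaddress.ip_network(s.cidr).network_address)
        contact, _ = pick_report_contact(first_ip, swips, min_addresses)
        if contact != s.abuse_email:
            findings.append((s.handle, s.abuse_email, contact))
    return findings

if __name__ == "__main__":
    print(pick_report_contact("69.48.133.19", SAMPLE_SWIPS))
    print(overridden_delegations(SAMPLE_SWIPS))
```
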
Jeff G.
Posted April 16, 2005

Also, aldoncci.com's lack of an abuse address and standard fax numbers make it appear illegitimate.

RobertTinkelman
Posted April 26, 2005

Clearly the key is in the following:

|"whois NET-69-48-133-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )
| Found AbuseEmail in whois myelen[at]aldoncci.com
| Ignoring small (31 IP) network
| checking NET-69-48-128-0-1

So, a /27 is too small for SpamCop. Is a /26 OK?

Whatever the answer, I cringe at the thought of using this as a justification with ARIN for sizing nets.

Wazoo
Posted April 26, 2005

Once upon a time, the FAQ entry at How can I get SpamCop reports about my network? used to be a form that led to filling in the particulars of where reports would go. Trust being what it is, that had to develop into filling out the form, but that request would be vetted a bit by the Deputies. With simply too much stuff going on, this form was changed to what it is now, an opportunity for an interested party to keep some tabs on their IP (block) .. solving both problems of sending reports to the spammer and providing enough data that the system could be played.

The database can be massaged, a bit of detail to Deputies <at> admin.spamcop.net may be sufficient to receive what you ask (though they don't hang out here often, you may want to reference this discussion as having already happened .. just one of those other little details)

RobertTinkelman
Posted April 27, 2005

> The database can be massaged, a bit of detail
> to deputies <at> admin.spamcop.net
> may be sufficient to receive what you ask

Thanks. I've taken your suggestion.