PROGAME Posted April 19, 2005

would someone please enlighten me, how does adding gmail's server to a black list make any sense at all? i mean, because of less than 10 people, does it make sense to block 1000s of emails from a huge email provider? how about blocking hotmail's 100000 of emails because of a few reports?

ips like this one http://www.spamcop.net/w3m?action=blcheck&ip=64.233.162.201 should be white listed IMO

turetzsr Posted April 19, 2005

Hi, PROGAME!

...Please read the posts labeled "Pinned:". Your questions are pretty well answered there.

...Briefly, I'll say that IMHO it makes sense for any IP addresses through which spam is sent to be on a blacklist whose purpose is advertised to be a list of IP addresses through which spam is sent. Blocking is a different matter -- what users of the blacklist do with the blacklist is for them to answer and that question is best directed to them. Finally, SpamCop does not put IP addresses from which "100000 of emails" are sent on its blacklist "because of a few reports." There is a complex formula (which you should be able to find in the aforementioned "Pinned:" items or in pages linked to from those items).

...Good luck with your research!

Derek T Posted April 19, 2005

> would someone please enlighten me, how does adding gmail's server to a black list make any sense at all?

As, from the senderbase report, spammers have more control over this server than gmail does, it makes perfect sense to me!

PROGAME (Author) Posted April 19, 2005

thank you for your reply

i have read the important threads but no matter how complex the mathematical formula is, it has a big flaw IMO if it adds a gmail/hotmail/yahoo/... server to the list. that move is simply too drastic, no matter how i look at it, making so many emails to be blocked cannot be justifiable.

even the huge vol change in senderbase doesn't convince me that cases like this should NOT be taken care of by contacting the respected provider in some kind of a direct channel. a channel set up especially for emergency spam reports. blacklisting without talking to the provider when so many emails are at stake is too harsh

DavidT Posted April 19, 2005

I think you might be right, but there *is* a communications channel that's open for situations like this. It's the "dispute" URL found on the blocking list details page, and it's up to the admins of the system that's listed to make the contact. If you can contact Gmail, have them use this URL:

http://www.spamcop.net/w3m?action=dispute;ip=64.233.162.201

It looks like that IP is due to fall off the list in about an hour, but it's been listed 4 times in the last 10.7 days, so there *does* need to be communication.

BTW, someone has posted a message about this same issue in the Gmail Help Discussion found in Google Groups....was that you? I posted a response over there.

DT

PROGAME (Author) Posted April 19, 2005

nope, that wasn't me

my point is that before blacklisting, it's spamcop that should contact gmail and not the other way around, because blacklisting a gmail server has a pretty big effect.

EDIT: yes i saw the server is going to be...set free but I'll contact gmail about it later, i wonder if they have any recommendation for the end user when it happens (contact them somehow?)

Wazoo Posted April 19, 2005

Actually, I don't recall some data existing being brought up in here. For instance, the line of data; "System administrator has already delisted this system once" suggests that someone was aware of the problem, and did the wrong thing ... resetting the flag without fixing the problem.

SenderBase data has been pointed to, and this is one of the trigger points that should have gotten someone at GMail involved. There are many applications out there to monitor server loads and status. Although there could be various other reasons to explain the massive increase in traffic, (Date of first message seen from this address 2005-03-25 does suggest that it is a recently added server) the usual background of such a massive spike is spammer control. This is what should have gotten GMail staff involved directly with analyzing that traffic. 1-2000% increase in traffic should have left a clue or two about.

The fact that there were reports sent out (your notification request handled) should have been a secondary clue that something was happening. Recall that the SpamCopBL is a reactionary tool, it's the server owners and technicians involved that need to be pro-active.

StevenUnderwood Posted April 20, 2005

> my point is that before blacklisting, it's spamcop that should contact gmail and not the other way around, because blacklisting a gmail server has a pretty big effect.

Please re-read the FAQ...Every spamcop report (with the exception of spamtrap hits) generated a complaint directly to the abuse desk of the ISP responsible. It is only when those reports are ignored or not acted on in a timely manner that addresses get listed. Again, a report is generated for every complaint, it takes multiple complaints to be listed.

Also, it is suggested that only a very small minority of people actually report any spam, so the 10 reports seen probably represent thousands of spam messages received by people.

Derek T Posted April 20, 2005

> my point is that before blacklisting, it's spamcop that should contact gmail and not the other way around, because blacklisting a gmail server has a pretty big effect.
> EDIT: yes i saw the server is going to be...set free but I'll contact gmail about it later, i wonder if they have any recommendation for the end user when it happens (contact them somehow?)

1. They already have done - several times and gmail have evidently ignored the warnings.
2. More spam reported, problem still not fixed, now 12 hours again!

DavidT Posted April 20, 2005

I only see *one* new report regarding that IP since I last checked, which was just before it came off the list. So it appears that a *single* errant message from this very busy server was enough to get it listed again???

Here's a clue as to the innocence of this server: there aren't any reports in the "sightings" NG mentioning its IP. In fact, of the nine other IP addresses included in the "Other hosts in this neighborhood with spam reports" found on the "Information about the reasons for listing (blocking) your mail server (64.233.162.201)" page, I found three total reports in "sightings" -- one for each of three of the IPs.

WRT the Senderbase data on these servers, I'm a bit skeptical about the validity of the stats, in that they've all been in service less than a month. When that's the case, I wonder exactly which "average" is referred to in the "Vol Change vs. Average" column that some of you are citing when making statements like "spammers have more control over this server than gmail does." I think you might be wrong.

Bottom line, there does need to be two-way communication between the Gmail folks and the SC Blocking List admins, no matter who initiates it.

DT

agsteele Posted April 20, 2005

> my point is that before blacklisting, it's spamcop that should contact gmail and not the other way around, because blacklisting a gmail server has a pretty big effect.

It seems that you may not fully understand how SpamCop reporting works. As soon as the first report is received a copy is sent to the admins for the server concerned to make them aware of the issue and indicating the fact that they may be listed in the blocklist. This would arrive prior to the entry onto the blocklist. Indeed, every report will generate a message to the administrators alerting them to the problem. If messages are being sent to so called spam traps then the listing is pretty quick but the admins have had notification.

It would seem, since the server has been listed more than once, that the admins for gmail haven't taken adequate action to tackle the problem. In those circumstances I'm within my rights to use whatever means I choose to reject Email routed via them until the problem is fixed. That's what many ISPs are choosing to do. The SpamCop blocklist is a very responsive tool to facilitate just that because it equally quickly de-lists servers when the problem is resolved.

I presume you're a gmail user. I suggest you press their administrators to clean up the servers.

Andrew

Derek T Posted April 20, 2005

> I only see *one* new report regarding that IP since I last checked, which was just before it came off the list. So it appears that a *single* errant message from this very busy server was enough to get it listed again???

Sorry, which part of 'if NO further reports...' did you not understand?

PROGAME (Author) Posted April 20, 2005

> Sorry, which part of 'if NO further reports...' did you not understand?

you fail to understand that having an important server listed for 12 hours because of one report is a very drastic action

turetzsr Posted April 20, 2005

> you fail to understand that having an important server listed for 12 hours because of one report is a very drastic action

...You fail to understand that you have expressed an opinion (which you are more than welcome to express). On the contrary, agsteele's

> I'm within my rights to use whatever means I choose to reject Email routed via them until the problem is fixed. That's what many ISPs are choosing to do.

is an absolute fact.

StevenUnderwood Posted April 20, 2005

> you fail to understand that having an important server listed for 12 hours because of one report is a very drastic action

But it is more than 1 report, it is one ADDITIONAL report that added it back onto the list. The current list available to spamcop subscribed reporters showing 2 more since yesterday:

Report History:
Submitted: Tuesday, April 19, 2005 8:28:40 PM -0400: Contact Makoto
Submitted: Tuesday, April 19, 2005 8:36:31 AM -0400: [Elfmania] nice wallpaper site - sabkhuch.com - now with daily updates
Submitted: Friday, April 15, 2005 9:10:45 PM -0400: Urgent And Confidential.
Submitted: Monday, April 11, 2005 8:49:24 PM -0400: Dear: Friend,
Submitted: Friday, April 08, 2005 11:33:18 PM -0400: Hello...
Submitted: Tuesday, April 05, 2005 8:22:01 AM -0400: =?ISO-8859-1?B?QLKz?=

As you can see yourself:

64.233.162.201 listed in bl.spamcop.net (127.0.0.2)
If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 8 hours.

Causes of listing
SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems (these factors do not directly result in spamcop listing)
System administrator has already delisted this system once

Because of the above problems, express-delisting is not available

Listing History
In the past 11.4 days, it has been listed 4 times for a total of 3.3 days

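How a mail server that uses the blocklist would perform the lookup behind the "listed in bl.spamcop.net (127.0.0.2)" line quoted in the post above, as an added example that is not part of the thread and not SpamCop's own code. Only the IP, zone and return code come from the post; the function names, the injectable resolver and the constructed sample zone are assumptions made so the example runs offline.

```python
import ipaddress
import socket

ZONE = "bl.spamcop.net"  # zone named in the listing output quoted in the thread
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live in this range


def dnsbl_query_name(ip, zone=ZONE):
    """Build the query name: IPv4 octets reversed, followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Live A-record lookup; None means the name does not exist (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_AGAIN:
            raise  # temporary DNS failure: do not treat it as "not listed"
        return None


def check_dnsbl(ip, zone=ZONE, resolver=system_resolver):
    """Return (verdict, answer); verdict is listed, not-listed or invalid-answer."""
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return ("not-listed", None)
    if ipaddress.ip_address(answer) in LOOPBACK:
        return ("listed", answer)
    # An answer outside 127.0.0.0/8 is not a listing (for example a resolver
    # that rewrites NXDOMAIN); acting on it would reject legitimate mail.
    return ("invalid-answer", answer)


# Constructed sample zone so the example runs offline. The first entry mirrors
# the listing quoted in the thread; the second is made up for illustration.
CONSTRUCTED_ZONE = {
    "201.162.233.64.bl.spamcop.net": "127.0.0.2",
    "7.113.0.203.bl.spamcop.net": "198.51.100.1",
}


def constructed_resolver(name):
    """Hypothetical stand-in for DNS that answers from CONSTRUCTED_ZONE."""
    return CONSTRUCTED_ZONE.get(name)


if __name__ == "__main__":
    for ip in ("64.233.162.201", "192.0.2.10", "203.0.113.7"):
        print(ip, check_dnsbl(ip, resolver=constructed_resolver))
```

Whether a "listed" verdict leads to rejecting, tagging or only scoring the message is the receiving site's policy decision, which is the distinction between listing and blocking drawn earlier in the thread.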
PROGAME (Author) Posted April 20, 2005

> ...You fail to understand that you have expressed an opinion (which you are more than welcome to express). On the contrary, agsteele's is an absolute fact.

you didn't quote the lines/post/poster i quoted

> But it is more than 1 report, it is one ADDITIONAL report that added it back onto the list.

yes i understand that. but i also understand that there is no way to stop spam completely from ANY big server. a few additional reports are nothing IMO

turetzsr Posted April 20, 2005

> Sorry, which part of 'if NO further reports...' did you not understand?
> you fail to understand that having an important server listed for 12 hours because of one report is a very drastic action
> ...You fail to understand that you have expressed an opinion (which you are more than welcome to express). On the contrary, agsteele's is an absolute fact.
> you didn't quote the lines/post/poster i quoted

...That's because (1) this application makes it difficult to do that -- it only copies in the non-quoted parts of the one to which one is replying and (2) I did not consider it relevant. I have corrected that in the above.

> yes i understand that. but i also understand that there is no way to stop spam completely from ANY big server. a few additional reports are nothing IMO

...SpamCop's owner understands that, which is why he permits the one-time "express-delisting" and ages offending IP addresses off the list after a period of time of no additional spam complaints.

DavidT Posted April 20, 2005

> Sorry, which part of 'if NO further reports...' did you not understand?

That's too simplistic, Derek. It's an unfortunate fact that not all SC reports are valid, so to have a server plonked back on the list for one more possibly errant click of a mouse by an ignorant or careless SC reporter *is* too extreme, especially considering the volume of mail being handled by this particular server. Logic would dictate that different report count thresholds should apply to servers of vastly different traffic statistics.

BTW, do you still stand by the statement that "spammers have more control over this server than gmail does"?

DT

Wazoo Posted April 20, 2005

> Logic would dictate that different report count thresholds should apply to servers of vastly different traffic statistics.

Thresholds are discussed a bit in the FAQ entry at http://www.spamcop.net/fom-serve/cache/297.html .... Although recent reports are weighted 4:1, even I am a bit amazed that with a SenderBase magnitude of 5.1 showing a report or two would be sufficient to get this IP listed (again noting that the 'evidence' results aren't necessarily real-time [though Don told me that the results posted previously are]) .... that no spamtrap activity is noted does suggest something else may be going on ... query sent ....

StevenUnderwood Posted April 20, 2005

> Logic would dictate that different report count thresholds should apply to servers of vastly different traffic statistics.

Since being listed is based on a certain percentage of spam coming from a certain IP address, that is in fact the way it works. However, if you have already been listed and fallen off the list, a) your percentage of spam is already near the threshold and a single reported spam could push it back onto the list and I believe spamcop would (and should) be less tolerant of a server that continues to send spam, especially if someone took the easy way out and delisted without fixing anything.

DavidT Posted April 20, 2005

> Since being listed is based on a certain percentage of spam coming from a certain IP address, that is in fact the way it works.

That assumes that the Gmail servers are being properly awarded "reputation points" as described on this page: http://www.spamcop.net/fom-serve/cache/297.html

It's entirely possible that they're not, which would reduce their ratio.

> However, if you have already been listed and fallen off the list, a) your percentage of spam is already near the threshold and a single reported spam could push it back onto the list...(snip)...especially if someone took the easy way out and delisted without fixing anything.

Here's a problem....apparently anyone visiting one of the "blcheck" URLs at www.spamcop.net can click on the 1-time delisting button. For example, I've been spammed today by a RoadRunner IP, and if you go to this page:

http://www.spamcop.net/w3m?action=blcheck&ip=24.227.225.145

you can click on the button to delist it, even if you're not actually an authorized RoadRunner system admin. That's very stupid, IMO.

So, in the case of the Gmail server, maybe one of the folks who got blocked and visited the "blcheck" URL went ahead and clicked the button. I'd say the odds are higher of that having occurred than an actual Google admin having shown up to do it. If I'm right about that, then that puts that server into a potentially worse situation than if nobody had clicked the "delist" button in the first place, true?

DT

Derek T Posted April 20, 2005

> That's too simplistic, Derek. It's an unfortunate fact that not all SC reports are valid,

So you continually assert: my assertion is that very, very few are invalid and that action is taken against mis-reporters.

In this case, Gmail have been getting notifications for a couple of weeks and have (apparently) done nothing about it. With traffic up by 150-fold I still think it likely that spammers have more control over this IP than does Google. In this case, SpamCop seems to be working exactly as it should.

DavidT Posted April 20, 2005

> With traffic up by 150-fold I still think it likely that spammers have more control over this IP than does Google.

And yet, despite the high traffic, there's not a single spam report involving this IP in the "sightings" NG, and that the IP apparently isn't listed by any of the other BL's (check OpenRBL, RBLS.org, etc.), I find your statement entirely incredible. If 99.9999 percent of the traffic from the server is legit (which *might* be the case, neither of us can be sure, can we?), then how can you support such a statement?

DT

DavidT Posted April 20, 2005

> So you continually assert

I assert it when appropriate, and I've seen *plenty* of obvious mis-reporting to back it up.

[Edit - to clarify] I'm not claiming that the reports regarding a truly "dirty" server (one involved in obvious spam runs) are bogus. In those cases, it's likely that all the reports are valid. My statements about bogus reports involve servers that handle high volumes of legitimate traffic, such as the Yahoo Groups and the Gmail servers. When I look at the SC report "History" on those IP's, I regularly see items that don't appear to be spam.

> my assertion is that very, very few are invalid and that action is taken against mis-reporters

If and when they're actually caught doing so. My counter-assertion would be that many of the bogus reports are never challenged and/or analyzed. I don't think either one of us can prove the other wrong, so we'll just have to disagree on this issue.

DT

Wazoo Posted April 20, 2005

Just back from Ellen .. best I can do ....

There is spam being sent thru some or all of the gmail servers. As the headers do not indicate the IP of the injecting user the gmail servers get listed. Other services such as yahoo and hotmail indicate the IP of the injecting/spamming user. As a result the gmail servers get listed and delisted and listed and delisted.

Ellen
SpamCop

Please include all previous correspondence with replies

----- Original Message -----
From: "Wazoo"
To: "deputies"
Sent: Wednesday, April 20, 2005 3:33 PM
Subject: GMail server listed - 64.233.162.201 Why/How?

> http://forum.spamcop.net/forums/index.php?showtopic=3973
> GMail server listed, but details available don't seem to tell
> the story ... Some paid-account users have posted some
> of the 'history' items, but that sure doesn't explain, based
> on the SenderBase traffic status ...????
>
> http://www.spamcop.net/w3m?action=blcheck&ip=64.233.162.201
> shows it counting down again (was at "0 hours" a while back)
> http://www.senderbase.org/?searchBy=ipaddr...=64.233.162.201
> says traffic is way up
