Jump to content

[Resolved] Blackholing China (cn.rbl.cluecentral.net) broken


Recommended Posts

I just received spam from 220.164.222.17.

However, 17.222.164.220.cn.rbl.cluecentral.net resolves to 127.0.0.2, which means that it should have been blocked. The IP is not a recent addition to the RBL, I already noticed the exact same problem a few days ago.

What's this? The RBL is not always lightning fast to respond, maybe there's a timeout which is too short?

Link to comment
Share on other sites

  • Replies 68
  • Created
  • Last Reply

Top Posters In This Topic

http://forum.spamcop.net/forums/index.php?...838entry16838 was my last attempt at identifying the various BLs available ... which ones are you using? For instance, within the last couple of weeks, Steve at Spamhaus stated that he'd widened up the China Railroad spew source to an entire /11 in the SBL/XBL list ...??? From here, that's about all I can offer ....
Link to comment
Share on other sites

http://forum.spamcop.net/forums/index.php?...838entry16838 was my last attempt at identifying the various BLs available ... which ones are you using?  For instance, within the last couple of weeks, Steve at Spamhaus stated that he'd widened up the China Railroad spew source to an entire /11 in the SBL/XBL list ...??? From here, that's about all I can offer ....

26815[/snapback]

Here is the current list available within spamcop webmail:

DNS Blacklist DNS Zone Website

SpamCop Blacklist bl.spamcop.net www.spamcop.net/bl.shtml

SPEWS level 1 l1.spews.dnsbl.sorbs.net www.spews.org

DSBL open relays list.dsbl.org dsbl.org

Spamhaus Blacklist sbl.spamhaus.org www.spamhaus.org/sbl/

South Korea (the country) korea.services.net korea.services.net

China (the country) cn.rbl.cluecentral.net www.cluecentral.net/rbl/

Nigeria nigeria.blackholes.us www.blackholes.us

Argentina argentina.blackholes.us www.blackholes.us

Brazil brazil.blackholes.us www.blackholes.us

Composite Blocking List cbl.abuseat.org cbl.abuseat.org

Spamhaus XBL xbl.spamhaus.org www.spamhaus.org/xbl/

SORBS DNSbl dnsbl.sorbs.net www.dnsbl.sorbs.net

Link to comment
Share on other sites

I received this spam from 220.164.222.17, which is a Chinese IP.

I have enabled the cn.rbl.cluecentral.net RBL to blackhole China, so the spam should have been blocked.

17.222.164.220.cn.rbl.cluecentral.net resolves to 127.0.0.2, which means that the IP is listed in the China RBL, and the error lies with Spamcop, it has not blocked the spam although it was listed in that blacklist.

I suggested that Spamcop's error might be that it's not waiting long enough for the blacklist to respond, because it is sometimes a bit slow.

Any clearer now?

Link to comment
Share on other sites

Thanks David ... a dozen windows open here, parse results for 5 queries from 2 other users, e-mail being created to go to Don, conversations going on in ICQ and Yahoo .... I didn't notice the placement of this discussion .. moved it.

Link to comment
Share on other sites

I totally understand ... thus the question / suggestion on adding other BLs into the mix.

A blacklist is not queried properly, and I want that fixed. I don't want to work around it by enabling other blacklists.

About posting in the wrong forum, sorry about that.

Link to comment
Share on other sites

A blacklist is not queried properly, and I want that fixed. I don't want to work around it by enabling other blacklists.

26835[/snapback]

In my Trash folder (2+ days) of spam, the cn.rbl.cluecentral.net RBL has trapped 14 spam including a couple this morning, the the list is working. Also, of the messages that have slipped through and were manually reported, I can not remember the lastone that was of Chinese origin. Perhaps there was a problem at the time that (those?) messages went through?

Link to comment
Share on other sites

In my Trash folder (2+ days) of spam, the cn.rbl.cluecentral.net  RBL has trapped 14 spam including a couple this morning, the the list is working.

Yes, usually it is, but not always. Several Chinese spams per day are blocked, but during the last few days, 5 or so went through, and when I checked the IP, it was always on that black list. Querying it can sometimes take 5 seconds or so, so I'm still suggesting that maybe Spamcop needs to relax some timeout interval.

Link to comment
Share on other sites

A blacklist is not queried properly, and I want that fixed. I don't want to work around it by enabling other blacklists.

I could start with the things in life I want and the things I'd rather not have to do to get them, but .... how about if I just point out once again to a bit of text I placed into each Forum Section .... "The primary mode of support here is peer-to-peer, meaning users helping other users. (please remember this at all times!)" ... From there we walk over to the sign that says "The Net is a nebulous thing" ... I know of three sites that have been / are undergoing a DoS attack starting yesterday morning, so we know that there's traffic 'out there' ... Failure to resolve one of these BL lookups is designed to fail with a 'pass' result. From this side of the screen, it's hard to say whether cluecentral was having issues (maybe even down?) or JT's machines were crunching through ton-loads of incoming at the time, or even that danged butterfly in China participating in the "theory of chaos" experiment screwed things up. You are the one that suggested a timeout with one BL, thus the suggestion to include others, expecially as you specified an IP that exists in a number of databases. You didn't bother to state that you'd reported yours, perhaps helping to get it onto SpamCop's own BL, as far as that goes. At any rate, your bit of outrage is mis-placed.

Link to comment
Share on other sites

...Something that may not be entirely clear at this point is that, last I knew, this forum was the primary way to contact JT about SpamCop e-mail matters, so this thread should be sufficient to get his attention. Hopefully, he'll actually post here to indicate his awareness of the problem and plan to address it (or announcement that it's been addressed), although past history has shown that doesn't always happen....

Link to comment
Share on other sites

The primary mode of support here is peer-to-peer

Spamcop is a service I'm paying for, and it should darn well have a possibility to report bugs in the system. As it is, this forum is the only way to do so, and so the message above, basically saying "let the other users handle this", is really, really ridiculous.

You didn't bother to state that you'd reported yours, perhaps helping to get it onto SpamCop's own BL, as far as that goes.

I thought that would be taken for granted. But if it's necessary, I will bother to state that I always report any spam, whether by quick reporting the stuff in "Held Email" daily, or by immediately submitting spam that gets through.

At any rate, your bit of outrage is mis-placed.

I honestly don't think so. For example, what about this thread? I really appreciate your efforts to help me regarding that matter, but why the hell can't any of the responsible coders at Spamcop look into that problem??

Back to the original topic, today another spam from China went through. I reported it and immediately checked the cn.rbl.cluecentral.net blacklist - surprise, surprise, the IP was on it. It took about 15 seconds for the blacklist to reply, so I still maintain my theory that some blacklist timeout at Spamcop has to be relaxed a little.

FWIW, the URL for the reported spam is

this, no idea if any of you powers-that-be can use it without my login.

Thanks for your time, sometimes I just wished that there was a less futile way to report Spamcop bugs.

Link to comment
Share on other sites

Spamcop is a service I'm paying for, and it should darn well have a possibility to report bugs in the system.

This is one avenue. I take it you've not visited the FAQ here?

As it is, this forum is the only way to do so, and so the message above, basically saying "let the other users handle this", is really, really ridiculous.

I don't follow your translation of "The primary mode of support here is peer-to-peer" .... The point is that you can get as mad as you want, but you are yelling at other users for the most part .. the same users that are voluntering their time and knowledge to try to help you out. Again, you must not have yet visited the FAQ here.

I thought that would be taken for granted. But if it's necessary, I will bother to state that I always report any spam, whether by quick reporting the stuff in "Held Email" daily, or by immediately submitting spam that gets through.

If things are taken for granted, then everything usually works out wrong. Just last night, I "assumed" that I didn't need to include the "user" data in setting up OE to read newsgroups as the user stated that he was already hitting the Microsoft newsgroups. What a surprise when the problem turned out to be the munged e-mail address he was trying to use in the set-up, and OE was complaining. There's a boat-load of folks that don't report anything.

I honestly don't think so. For example, what about this thread? I really appreciate your efforts to help me regarding that matter, but why the hell can't any of the responsible coders at Spamcop look into that problem??

Again, I don't have a clue who's involved with that specific problem. You've got IromPort hardware at one end, your system/browser at the other, and Akamai systems in the middle (Akamai won't talk to me, Deputies don't have an answer apparently, and then there's Julian. I responded there, even indicating that I'd sent it upstream before with no response. Julian is "the" coder for the SpamCop parsing and reporting tool. Of the many things on his plate, I don't have a clue where a single (known) user is having an issue with a specific browser submitting spam ... with other users stating no issues ....????

Back to the original topic, today another spam from China went through. I reported it and immediately checked the cn.rbl.cluecentral.net blacklist - surprise, surprise, the IP was on it. It took about 15 seconds for the blacklist to reply, so I still maintain my theory that some blacklist timeout at Spamcop has to be relaxed a little.

And along the same line, some other options were suggested, but met with "I don't want to" .... just a bit of a spoiler there ...

FWIW, the URL for the reported spam is

this, no idea if any of you powers-that-be can use it without my login.

Nope. A Tracking URL is the only option to share the data.

Thanks for your time, sometimes I just wished that there was a less futile way to report Spamcop bugs.

I can sympathize .. the 'support' forum for this application has me showing 160+ posts .. out of those posts are a half-dozen questions .. none of them have an actual answer .. the remaining are my replies to help other folks out that didn't take the time to look things up ot are asking things I've already figured out on my own.

Anyway, again from this side of the screen, you want an assumed timeout extended to assumedly solve your issue, yet neither you ot I have a clue as to what the system load looks like and the impact of taking more time on these lookups. A similar scenario is talked about at http://forum.spamcop.net/forums/index.php?...indpost&p=27119 Personally, I see 15 seconds as a bit of forever when talking server speed/load for thousands of users. JT's servers support this Forum, the SpamCop NNTP newsgroups, and the SpamCop E-Mail accounts are just a portion of his CES business.

That said, note sent upstream on your behalf on this one also.

Link to comment
Share on other sites

This is one avenue.  I take it you've not visited the FAQ here?

Of course I did. Under "How can I get help? How can I report a bug? How can I suggest a feature?" it says that posting here or on Usenet is the only way.

I don't follow your translation of "The primary mode of support here is peer-to-peer" .... The point is that you can get as mad as you want, but you are yelling at other users for the most part .. the same users that are voluntering their time and knowledge to try to help you out.  Again, you must not have yet visited the FAQ here.

Again, yes I did. The only channel to report bugs being "primarily peer-to-peer" is what I'm complaining about.

Of the many things on his plate, I don't have a clue where a single (known) user is having an issue with a specific browser submitting spam ... with other users stating no issues ....????

As I'm an Opera programmer, I can verify with absolute certainty that this is a problem in all Opera versions since at least Opera 6.0. I suppose the number of people manually reporting spam is quite small (as you suggested yourself), the fraction of spam bigger than 10 kB makes the probability even smaller, and the number of those people actually using Opera diminishes it even more, with the number of people actually bothering to report it probably being exactly one, me.

If it was simply an Opera-problem/incompatibility, I'd just fix it, but it's a direct violation of the RFC, so whether it affects many people or not, I really think it should be addressed.

Nope.  A Tracking URL is the only option to share the data.

OK. I've just discovered how to retrieve it from the internal report URL - by choosing to "Parse" again.

Personally, I see 15 seconds as a bit of forever when talking server speed/load for thousands of users.  JT's servers support this Forum, the SpamCop NNTP newsgroups, and the SpamCop E-Mail accounts are just a portion of his CES business.

You are quite probably right, a longer timeout value might well be impractical for Spamcop. However, that timeout was just a theory of mine, maybe there is a completely different bug, that's why I think it should at least be looked at. If it's indeed a timeout, which can't be increased, well, too bad, but I'd like to hear that from someone who knows.

That said, note sent upstream on your behalf on this one also.

Thanks a lot! I really appreciate all the work you do here. If you ask me, what's desperately needed is to separate newbie questions and general hand-holding from real bug reports. If it must happen in these forums, then there should be one titled "Bugs in the Spamcop system", with all threads that don't really report bugs being quickly moved out of it so it becomes a usable resource for Julian.

Link to comment
Share on other sites

not a bad idea. Another alternative would be a 'moderater-posting-only' forum where wazoo, et al, could move posts from the help section to the bug section, posts marked open/resolved/unsolvable/etc. That may help maintain a manageable bug/problem list with a traceable history, and make the JT/Deputy jobs at least a little easier. (I guess there's a reason Information management is a multi-million dollar industry.)

Of course, then Wazoo, et al. (is there an et al?) become the ones that people will bitch at about moving their problem post to the bug forum.

Edited by Jank1887
Link to comment
Share on other sites

Of course I did. Under "How can I get help? How can I report a bug? How can I suggest a feature?" it says that posting here or on Usenet is the only way.

27234[/snapback]

How about: How can I contact a SpamCop representative? There are also places where it is mentioned that contacting deputies (deputies<at>spamcop.net) is the best option. They have direct contact with Julian

but I'd like to hear that from someone who knows.

Even when things that get fixed you will not hear about it, it will simply start working. Communication is the biggest problem with spamcop and has been for more than the 2 years I have been here. This app helps the problem greatly but there are times when contact should be made from the top.

Link to comment
Share on other sites

OK, for starters .... response to last night's e-mail ...

Don't quite know what to say about this -- I can't recreate it in my version

of Opera which is fairly old. I have sent it on to Julian.

Ellen

SpamCop

Though not knowing what happened to the last upstream query or again where this will end up on Julian's to-do list, this is about all I can do for you.

"How can I get help? How can I report a bug? How can I suggest a feature?" it says that posting here or on Usenet is the only way.

The FAQ 'here' includes the link How can I contact a SpamCop representative? which actually points back to a www.spamcop.net FAQ / page entry ...

If it's indeed a timeout, which can't be increased, well, too bad, but I'd like to hear that from someone who knows.

As above, that one person has been queried.

Question about a new Forum section ... I've got PM traffic, more posts in this Topic,

postings in another section, all dealing with suggestions on this .. later remarks possible at this point.

Link to comment
Share on other sites

  • 4 weeks later...
I just received spam from 220.164.222.17.

However, 17.222.164.220.cn.rbl.cluecentral.net resolves to 127.0.0.2, which means that it should have been blocked. The IP is not a recent addition to the RBL, I already noticed the exact same problem a few days ago.

What's this? The RBL is not always lightning fast to respond, maybe there's a timeout which is too short?

26811[/snapback]

Stock Spammer using Chinese IP 60.221.56.178

Please add this range to china block

60.220.0.0

60.223.25.255

Those logged into VER should be able to see

Link to comment
Share on other sites

Here's a whole week of "china leakers"

I have copied them to Spamcop mail support.

Here are some more China source that shouldn't have got through since I

nominally have cn.rbl.cluecentral.net selected in spamcop mail

http://www.spamcop.net/sc?id=z765006065z48...2cdcb8785878c7z

218.79.197.80 17:12 18/May/05

http://www.spamcop.net/sc?id=z765446192z21...20aca58c501b11z

219.140.28.58 21:16 19/May/05

http://www.spamcop.net/sc?id=z765446873ze4...fb829b53dc3da5z

61.186.117.147 21:19 19/May/05

http://www.spamcop.net/sc?id=z766111077z9d...2432da435ba93cz

221.10.137.15 14:57 21/May/05

http://www.spamcop.net/sc?id=z767272949ze3...7c00b9b7897699z

61.173.18.79 16:53 24/May/05

http://www.spamcop.net/sc?id=z767273813z02...8546d3e8168067z

221.201.64.214 16:56 24/May/05

http://www.spamcop.net/sc?id=z767981487z08...c12416e471e867z

222.222.143.179 16:46 26/May/05

Link to comment
Share on other sites

  • 2 weeks later...
Here's a whole week of "china leakers"

I have copied them to Spamcop mail support.

Here are some more China source that shouldn't have got through since I

nominally have  cn.rbl.cluecentral.net selected in spamcop mail

http://www.spamcop.net/sc?id=z765006065z48...2cdcb8785878c7z

218.79.197.80  17:12 18/May/05

http://www.spamcop.net/sc?id=z765446192z21...20aca58c501b11z

219.140.28.58  21:16 19/May/05

http://www.spamcop.net/sc?id=z765446873ze4...fb829b53dc3da5z

61.186.117.147  21:19 19/May/05

http://www.spamcop.net/sc?id=z766111077z9d...2432da435ba93cz

221.10.137.15  14:57 21/May/05

http://www.spamcop.net/sc?id=z767272949ze3...7c00b9b7897699z

61.173.18.79  16:53 24/May/05

http://www.spamcop.net/sc?id=z767273813z02...8546d3e8168067z

221.201.64.214  16:56 24/May/05

http://www.spamcop.net/sc?id=z767981487z08...c12416e471e867z

222.222.143.179  16:46 26/May/05

28600[/snapback]

more Chinese leaking

58.66.103.90

Google Sightings

Range start

58.66.0.0

end

58.67.255.255

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share


×
×
  • Create New...