Jump to content

[Resolved] Blackholing China (cn.rbl.cluecentral.net) broken


Recommended Posts

Hey, those of you following this ongoing topic....HOLD IT. WRT the "cn.rbl.cluecentral.net" blocklist that has been one of the options for SC email account users:

China (the country) cn.rbl.cluecentral.net www.cluecentral.net/rbl/

if you go to the Cluecentral website:

http://www.cluecentral.net/?page_id=7

you'll see that:

RBL

The DNS-blacklist rbl.cluecentral.net has ceased to exist in november 2005. This has been announced on the NANOG-mailinglist and in the anti-spam workgroup at RIPE. The kind folks at BIT have adopted the list into their own version, email noc [at] bit.nl for more information.

Oh...wait...just did a little searching....and found this same related Topic right here:

rbl.cluecentral.net status, Web page says it's stopping/stopped

and at the end of that one, Wazoo said:

Please take any follow-on to this Topic to the discussion in the New Feature Request / Suggestions Forum at http://forum.spamcop.net/forums/index.php?showtopic=5799

and in THAT topic, he said (back in January):

thanks, data passed on

(presumably to JT) and was asked if there was any reply from JT, but Wazoo never commented further.

Folks this one has fallen through the cracks, and instead of our friend petzl continuing to post each time something slips through from China, we need to ask Wazoo to intercede on behalf of the SC email users once again (with JT) and call his attention to the demise of the Cluecentral RBL and show him that there's a replacement available. I too am getting FAR too much spam from China, and I *thought* that the "China" BL entry in my SC email Options was supposed to be helping with that.

DT

Link to comment
Share on other sites

  • Replies 68
  • Created
  • Last Reply

we need to ask Wazoo to intercede on behalf of the SC email users once again (with JT)

David: You and any other email user has teh very same access that Wazoo has. Simply email him the problem you are seeing?

I can not remember the last email that got through to my inbox that came from .cn so do not feel any reason to complain.

Link to comment
Share on other sites

You and any other email user has teh very same access that Wazoo has.

No, Wazoo's access is demonstrably much more effective. He's able to "page" (not sure what kind of paging) JT during server outages, etc. He also mentions escalating other issues on a fairly routine basis. I'll send along a message as you suggested and see what happens.

I can not remember the last email that got through to my inbox that came from .cn so do not feel any reason to complain.

You don't literally mean "From .cn" do you, as in an unforged message with an address ending in ".cn"? That's not what I'm taking about. Much of the spam that leaks through to my inbox originates from IP space in China, and that's also the experience of many others, from what I've read here and elsewhere. Surely you've seen all the detailed reports from Petzl?

DT

Link to comment
Share on other sites

No, Wazoo's access is demonstrably much more effective. He's able to "page" (not sure what kind of paging) JT during server outages, etc. He also mentions escalating other issues on a fairly routine basis. I'll send along a message as you suggested and see what happens.

I regularly email JT and get responses. I doubt Wazoo would page JT unless it was of the magnitude of a server down.

You don't literally mean "From .cn" do you, as in an unforged message with an address ending in ".cn"? That's not what I'm taking about. Much of the spam that leaks through to my inbox originates from IP space in China, and that's also the experience of many others, from what I've read here and elsewhere. Surely you've seen all the detailed reports from Petzl?

No, I mean that the IP address of the source has not been from .cn space for quite a while. I just double checked my past reports, and not one of them has gone to a .cn address.

I'm just checked my old reports... 42 total spams with reports to .cn addresses in the last 1252 reports sent since 7/23/2006. Only one of those, way back on 7/24/2006, was a full report because it slipped by the existing filters. One other spam report went to .cn for web page only, but the source on that one was .pl

Link to comment
Share on other sites

Hmmm....is it possible that China is actually managing to supress the amount of spam that was formerly flooding out of their IP space? I'll have to poke around for some of those "spam by country of origin" stats.

Here's one link:

http://tqmcube.com/origins.php

and on the same site...the "Dirty Dozen"

http://tqmcube.com/dirty12.php

China still looks pretty darn active. Here's a related page at SpamHaus:

http://www.spamhaus.org/statistics/countries.lasso

but the source on that one was .pl

Take a look at the huge increase from Poland over the last few months at that first link.

DT

Link to comment
Share on other sites

Hmmm....is it possible that China is actually managing to supress the amount of spam that was formerly flooding out of their IP space? I'll have to poke around for some of those "spam by country of origin" stats.

I am just talking about my spam "profile". I see many people with very different types of spam than I receive. You may still be receiving loads of spam from China. I also have gone through different periods receiving different types of spam, with it stopping for no real reason. I started with SpamCop when I was receiving a bunch of porn type spam. I have not received one of those in a couple of years now, though I know a couple of the people I work with still receive it almost daily (maybe reporting helps there???).

And to answer the question I originally saw which was replaced by the time I hit the reply button, these are all messages directed through my spamcop account. This includes emails directly to spamcop (currently my main account), a yahoo account, a gmail account, and my ISP account. I only full report any spam that slips by the spamcop filters, maybe 5 a week. The rest are quick reported from my held mail folder.

Link to comment
Share on other sites

Hmmm....is it possible that China is actually managing to suppress the amount of spam that was formerly flooding out of their IP space? I'll have to poke around for some of those "spam by country of origin" stats.

China's IP range is forever increasing and I use whitelisting for email I get from there to get around any blocklist

The odd spam I get that passes through SpamCop I post here along with the entire IP range for that Chinese IP (As well as proof)

Surprisingly, spam from that IP range then seems to be blocked? I am not 100% sure if a SpamCop rep is adding it to a/their old hard coded cn.rbl.cluecentral.net but I think it is

I also believe China is increasing its efforts to stop spam but are still not yet very effective

Link to comment
Share on other sites

Surprisingly, spam from that IP range then seems to be blocked? I am not 100% sure if a SpamCop rep is adding it to a/their old hard coded cn.rbl.cluecentral.net but I think it is

I've seen Wazoo's response.

Can you show where an email was not blocked, then the same IP was blocked, and tell us what list caused the block? THis has me very interested. Is it that the SA filters are catching the later ones?

Link to comment
Share on other sites

based on the conversation he and I had last night, no way ... there is simply not enough time ....

I didn't think so. I think that petzl was speculating about an explanation to explain observations about what's *not* getting through. StevenUnderwood has also recently mentioned that his SC email account currently receives very little from China. Given that China's IP space still ranks very high on the various global lists of spam sources, there must be *some* logical explanation why it's apparently not getting through.

on edit: The phrase "not getting through" probably needs a little clarification. I think that Petzl's many reports of stuff "getting through" means that it's bypassing all the BLs that he's selected in his SC email config, perhaps also bypassing being caught by whatever his SA threshhold is set at...is that correct, Petzl?

StevenU first said:

I can not remember the last email that got through to my inbox that came from .cn

and then:

the IP address of the source has not been from .cn space for quite a while. I just double checked my past reports, and not one of them has gone to a .cn address.

He also clarified that this includes quick reporting done on stuff in his Held Mail. I'm assuming that he knows that many of the SC reports regarding China-based IPs have gone to some sort of MCI backbone-related address, as opposed to being sent directly to ".cn" addresses (this has been the case for years....is it still true?).

IAC, when I "cherry pick" stuff to report, either from something that got by all filtering, or something in my Held Mail, I have often seen the source being in China IP space, but something seems to have wiped away data from our "Past Reports" off the SC system (I think I've seen something about database/server issues in other topics), so I can't back that up with any stats. When I check most of my current spam, that doesn't seem to be the case, which is very puzzling, given all the information currently at hand. However, much of my incoming email first passes through a Barracude spam Firewall at my web host, and that device doesn't just "tag and release," but tends to do some outright blocking, so this might be the explanation in my own case.

Just trying to shed more light on this issue, and get some forward movement on the defunct Cluecentral BL that's still active in our SC email account BL options.

DT

Link to comment
Share on other sites

Thanks for your assistance on this issue, Wazoo. I've just found my fist item in my Held Mail put there due to the new BL...here's the proof:

X-SpamCop-Disposition: Blocked cn.countries.nerd.dk

It would have made it to my inbox, and from parsing the IP, it's not instantly obvious that it's is in China's IP space:

Parsing input: 58.100.136.175

host 58.100.136.175 (getting name) no name

host 58.100.136.175 (getting name) no name

[report history]

Routing details for 58.100.136.175

[refresh/show] Cached whois for 58.100.136.175 : tim[at]hzdtv.com

Using last resort contacts tim[at]hzdtv.com

Without visiting the "hzdtv" website, I wouldn't have know that the spam source was from China, but the "City From IP" at DNSStuff confirmed it. I'm glad to have one more tool active to keep spam out of my inbox.

DT

Link to comment
Share on other sites

Great that this problem is (hopefully) finally resolved!

However, there seems to be another blacklist problem with spam from Korea.

As most of you will have experienced, they send massive amounts of spam. Most of it gets caught by my SpamAssassin settings, but the odd one that isn't very rarely gets caught by the korea blacklist, though it does work sometimes.

Just now, it failed again. Example:

http://mailsc.spamcop.net/mcgi?action=gett...rtid=1982114925

Pinging 105.114.164.221.korea.services.net at the precise moment of reporting the spam shows that it resolves, i.e. that 221.164.114.105 is on the blacklist as it should be.

Anyone else seeing that?

Link to comment
Share on other sites

Great that this problem is (hopefully) finally resolved!

However, there seems to be another blacklist problem with spam from Korea.

This whole discussion is about the China listings .... Although somewhat located in proximity, Korea isn't the same place, same BL, etc ....

As most of you will have experienced, they send massive amounts of spam. Most of it gets caught by my SpamAssassin settings, but the odd one that isn't very rarely gets caught by the korea blacklist, though it does work sometimes.

Just now, it failed again. Example:

http://mailsc.spamcop.net/mcgi?action=gett...rtid=1982114925

If you really wanted someone else to take a look at your example, please see the references to Tracking URL .. Dictionary, FAQ, Glossary, Wiki .... a Report-ID is of no value to 99.9999% of the folks here ....

Pinging 105.114.164.221.korea.services.net at the precise moment of reporting the spam shows that it resolves, i.e. that 221.164.114.105 is on the blacklist as it should be.

Anyone else seeing that?

Perhaps in you new Topic posting, you might explan exactly what you were trying to say here .. maybe something to do with the parsing results, but...????

Please .... keep any further dialog in this Topic related to the China issue ....

Link to comment
Share on other sites

If you really wanted someone else to take a look at your example, please see the references to Tracking URL .. Dictionary, FAQ, Glossary, Wiki .... a Report-ID is of no value to 99.9999% of the folks here ....

Ah, sorry, did that mistake with the tracking URL vs. report ID before...

Please .... keep any further dialog in this Topic related to the China issue ....

OK, new topic here:

http://forum.spamcop.net/forums/index.php?showtopic=7337

Link to comment
Share on other sites

not a bad idea. Another alternative would be a 'moderater-posting-only' forum where wazoo, et al, could move posts from the help section to the bug section, posts marked open/resolved/unsolvable/etc. That may help maintain a manageable bug/problem list with a traceable history, and make the JT/Deputy jobs at least a little easier. (I guess there's a reason Information management is a multi-million dollar industry.)

Of course, then Wazoo, et al. (is there an et al?) become the ones that people will bitch at about moving their problem post to the bug forum.

Nahhh! What we need is a Bugzilla.SpamCop.Net. B) Half-seriously, maybe a combination of things where a moderator posts bug reports to Bugzilla from the forum and JT/Julian/Deputies look at resolving the problems.

Then again, if you REALLY want to make sure you get someone's attention, you could always send an email to Julian using his web form (hint: his URL is his first AND last name, then click on the "contact me" button to get to the web form.) I don't know if it's likely to speed things up any. IMNSHO, I doubt it. He's probably more likely to respond to something sent to him by the Deputies or a moderator here.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.


×
×
  • Create New...