jjbdiamond Posted May 24, 2005 This message comes up when I enter our IP Address: If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately zero time. I'm assuming zero time means NOW.... Please get us off your list so we can conduct business. Thanks, James Bourque IS Manager, Diamond Diagnostics, Inc.
DavidT Posted May 24, 2005 Not sure if you took the time to read any of the FAQs, but this is basically a "users helping other users" resource, so WE can't get you off OUR list, because we don't have any power to do so. Admins and "Deputies" drop by here from time to time, but there are more efficient methods of getting their attention.

Let me see if I can shed more light on your particular problem, however... I'm guessing that the IP that was listed is [65.160.124.98], and if so, it would appear that your server has been sending messages to various SC "spam trap" addresses. In fact, your server has been listed on the SCBL eight times over the last two months, and because a server admin has already used the one-time "delisting" option, you couldn't do it this time. My guess would be that perhaps your server is doing some sort of auto-replies or, more likely, "after the fact" bouncing, so when an infected machine starts spewing forged messages to your domain, perhaps your server is responding to those addresses, rather than rejecting those transactions during the initial SMTP transaction. Here's a link to a SC FAQ page about that problem: http://mailsc.spamcop.net/fom-serve/cache/329.html

This is the most logical explanation of your problem... please respond and we can help you find a way to keep this from happening over and over.

One more thing... it appears that if your server were ever involved in any spamming, that reports would be sent upstream to Sprint, rather than directly to you. I'm not sure why that is... although I see that you don't have any information on file at "Abuse.net," so that may be the explanation. However, SC reports aren't sent in response to spamtrap hits, IIUC, so this isn't really that germane to this situation. DT
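The "reject during the SMTP transaction" versus "accept and bounce afterwards" distinction DavidT describes, as an added example that is not part of the original thread. It is a Python simulation with no network I/O; the domain example.com, the mailbox list and the spamtrap address are constructed stand-ins, and the server model is reduced to the recipient-handling decisions that matter here.

```python
"""Added example (not from the original thread): why a mail server should
reject unknown recipients at RCPT TO instead of accepting the message and
bouncing it afterwards (backscatter).

Constructed simulation: no sockets, made-up domain, mailboxes and addresses.
"""

import re

LOCAL_DOMAIN = "example.com"        # constructed stand-in for the listed domain
LOCAL_USERS = {"james", "sales"}     # constructed mailbox list


class SmtpServer:
    """Minimal model of the recipient-handling part of an SMTP server.

    reject_unknown_at_rcpt=True  -> answer 550 at RCPT TO for unknown mailboxes
    reject_unknown_at_rcpt=False -> accept everything, then generate a
                                    non-delivery report (bounce) afterwards
    """

    def __init__(self, reject_unknown_at_rcpt: bool) -> None:
        self.reject_unknown_at_rcpt = reject_unknown_at_rcpt
        self.bounces = []      # (envelope sender, undeliverable rcpts) we would mail
        self.sender = None
        self.rcpts = []

    @staticmethod
    def _addr(arg: str) -> str:
        """Extract the address from 'MAIL FROM:<a@b>' style arguments."""
        m = re.search(r"<([^>]*)>", arg)
        return (m.group(1) if m else arg).strip().lower()

    def mail_from(self, arg: str) -> str:
        self.sender = self._addr(arg)     # "" for the null sender <>
        self.rcpts = []
        return "250 2.1.0 Sender OK"

    def rcpt_to(self, arg: str) -> str:
        rcpt = self._addr(arg)
        local, _, domain = rcpt.partition("@")
        if domain != LOCAL_DOMAIN:
            return "550 5.7.1 Relaying denied"       # never act as an open relay
        if self.reject_unknown_at_rcpt and local not in LOCAL_USERS:
            # The connecting host learns of the failure now, inside the
            # transaction, so nothing ever has to be mailed to the return path.
            return "550 5.1.1 User unknown"
        self.rcpts.append(rcpt)
        return "250 2.1.5 Recipient OK"

    def data(self, body: str) -> str:
        if not self.rcpts:
            return "503 5.5.1 No valid recipients"
        # Accepting the message is the point of no return: from here on a
        # delivery failure can only be reported by mailing the envelope sender.
        unknown = [r for r in self.rcpts if r.split("@")[0] not in LOCAL_USERS]
        if unknown and self.sender:
            # The bounce goes to the return path; when that path is forged
            # (spam from an infected machine) it lands on an innocent third
            # party, possibly a spamtrap. Null sender <> never gets a bounce.
            self.bounces.append((self.sender, unknown))
        return "250 2.0.0 Queued"


def deliver(server: SmtpServer, sender: str, recipient: str, body: str):
    """Drive one client-side transaction; returns the (command, reply) log."""
    log = []
    cmd = f"MAIL FROM:<{sender}>"
    log.append((cmd, server.mail_from(cmd)))
    cmd = f"RCPT TO:<{recipient}>"
    reply = server.rcpt_to(cmd)
    log.append((cmd, reply))
    if not reply.startswith("250"):
        return log                      # client gives up; no message, no bounce
    log.append(("DATA", server.data(body)))
    return log


def compare_policies():
    """Same forged message against both policies; returns what each bounced."""
    forged_sender = "trap@spamtrap.example.net"   # constructed: plays a spamtrap
    strict = SmtpServer(reject_unknown_at_rcpt=True)
    lax = SmtpServer(reject_unknown_at_rcpt=False)
    deliver(strict, forged_sender, f"nobody@{LOCAL_DOMAIN}", "buy now")
    deliver(lax, forged_sender, f"nobody@{LOCAL_DOMAIN}", "buy now")
    return {"reject_at_rcpt": strict.bounces, "accept_then_bounce": lax.bounces}


if __name__ == "__main__":
    for policy, bounces in compare_policies().items():
        print(f"{policy}: {bounces or 'no bounce sent'}")
```

Running it shows the strict server sending nothing to the forged return path, while the accept-then-bounce server mails a non-delivery report to the spamtrap address for exactly the same input; that outbound bounce is what a spamtrap sees as "mail from your IP".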
Wazoo Posted May 24, 2005 If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately zero time. I'm assuming zero time means NOW.... Please get us off your list so we can conduct business. I seem to recall placing an entry into the Forum FAQ recently addressing "Zero Time" .... As in other previous responses, there is a lot of data found in this FAQ, having been developed using input from this very Forum to flesh out the original www.spamcop.net FAQ.
jjbdiamond (Author) Posted May 24, 2005 I'm responding to this trying to get help for my situation. We keep getting listed and I've checked everything that would cause this. I'm going to double-check for auto-responding today. Thanks for the help I've been given so far. We want this to not continue, not only for our sake but for the others who might see us as spamming. Sorry I posted in the wrong area.
Wazoo Posted May 24, 2005 This is another one of those 'interesting' situations ... turns out that the posting IP is the same IP offered up as the MX for the domain in question. As of the time of this posting: 65.160.124.98 not listed in bl.spamcop.net

http://www.senderbase.org/?searchBy=ipaddr...g=65.160.124.98 shows:

Volume Statistics for this IP
                Magnitude   Vol Change vs. Average
Last day        3.3         60%
Last 30 days    3.1         11%
Average         3.1

Do you have a possible explanation for the increase in traffic?

A TELNET shows:
220 server.DiamondDiagnostics.local Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Tue, 24 May 2005 13:18:21 -0400

Is this updated, patched, configured? Is there even a firewall in place?

In response to DavidT's remarks on the reporting address;
Parsing input: 65.160.124.98
host 65.160.124.98 (getting name) = server.diamonddiagnostics.com.
Display data:
"whois 65.160.124.98[at]whois.arin.net" (Getting contact from whois.arin.net )
checking NET-65-160-124-96-1
Display data:
"whois NET-65-160-124-96-1[at]whois.arin.net" (Getting contact from whois.arin.net )
Ignoring small (15 IP) network
whois.arin.net contact: hostmaster[at]harvard.net
checking NET-65-160-0-0-1
Display data:
"whois NET-65-160-0-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )
65.160.0.0 - 65.174.255.255:noc[at]sprint.net
whois.arin.net contact: noc[at]sprint.net
Routing details for 65.160.124.98
Using abuse net on noc[at]sprint.net
abuse net sprint.net = abuse[at]sprint.net
Using best contacts abuse[at]sprint.net
abuse[at]sprint.net redirects to abuse-quiet[at]sprint.net

In conjunction with Derek T's input, there is a FAQ entry on signing up for an ISP account to get some information on specific IP report/complaint traffic ...
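Reading the TELNET greeting the way Wazoo does above, as an added example that is not from the original thread: a small Python parser that pulls the hostname, product string and build number out of an SMTP 220 banner and flags what it gives away (an internal ".local" name, a banner name that differs from the reverse-DNS name, an exact build an attacker can match against known fixes). The sample banner and the hostnames in it are constructed to match the shape of the one pasted in the thread; grab_banner() is included for live use but the offline demo never opens a socket.

```python
"""Added example (not from the original thread): parse an SMTP 220 greeting
and report the information it discloses.

SAMPLE_BANNER is constructed; only its shape follows the thread's TELNET output.
"""

import re
import socket
from typing import Optional

SAMPLE_BANNER = ("220 server.corp.local Microsoft ESMTP MAIL Service, "
                 "Version: 5.0.2195.6713 ready at Tue, 24 May 2005 13:18:21 -0400")

# Suffixes that only make sense on an internal network (assumption: list is
# illustrative, not exhaustive).
INTERNAL_SUFFIXES = (".local", ".lan", ".internal", ".corp")


def parse_banner(banner: str, public_name: Optional[str] = None) -> dict:
    """Split '220 <host> <software...>' and list disclosure findings.

    public_name is the name the IP resolves to (what 'host <ip>' printed);
    when given, a different name in the greeting is reported as a mismatch.
    """
    code, _, rest = banner.strip().partition(" ")
    if not (code.isdigit() and len(code) == 3):
        raise ValueError("not an SMTP reply line: %r" % banner)
    host, _, text = rest.partition(" ")
    m = re.search(r"Version:\s*([\d.]+)", text)
    version = m.group(1) if m else None
    # Product string: everything before the first comma or the 'ready at' clock.
    software = text.split(",")[0].split(" ready at")[0].strip()

    findings = []
    if host.lower().endswith(INTERNAL_SUFFIXES):
        findings.append(f"greeting discloses internal hostname {host}")
    if public_name and host.lower() != public_name.lower():
        findings.append(f"greeting name {host} differs from reverse-DNS name {public_name}")
    if version:
        findings.append(f"exact build {version} disclosed; verify it is patched")
    return {"code": int(code), "host": host, "software": software,
            "version": version, "findings": findings}


def grab_banner(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Read the first greeting line from a live server (not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\r\n"):      # first line only; 220- continuations ignored
            chunk = s.recv(512)
            if not chunk:
                break
            data += chunk
        s.sendall(b"QUIT\r\n")
    return data.decode("ascii", "replace").strip()


if __name__ == "__main__":
    result = parse_banner(SAMPLE_BANNER, public_name="server.example.com")
    print(result["host"], result["software"], result["version"])
    for finding in result["findings"]:
        print(" -", finding)
```

The point of the public_name check is the one Wazoo's trace makes implicitly: the forward/reverse DNS says server.diamonddiagnostics.com while the greeting announces a .local Active Directory name, which tells anyone who connects that the box is a domain-joined Windows server sitting directly on port 25.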
Derek T Posted May 24, 2005 Report History:
Submitted: Wed, 23 Mar 2005 20:03:20 GMT: spam:Re: Drrugs FRX:95
* 1387715748 ( 65.160.124.98 ) To: abuse#sprint.net[at]devnull.spamcop.net
* 1387715747 ( 65.160.124.98 ) To: spamcop[at]imaphost.com
DavidT Posted May 24, 2005 Submitted: Wed, 23 Mar 2005 That's a single SC report from two months ago. That has nothing to do with the current listing... I saw it when looking up the host this morning, but considered the information to be basically "noise." DT
DavidT Posted May 24, 2005 Do you have a possible explanation for the increase in traffic? I think that's probably obvious. I'll bet that for any given Monday-through-Friday business, you'd see a similar one-day increase from Sunday to Monday. I'd imagine that very little email goes out from that server on the weekends, and then it jumps into action on Monday. DT
DavidT Posted May 24, 2005 In conjunction with Derek T's input ? Or maybe "David T."? Derek didn't respond until after you wrote this, Wazoo.... DT
StevenUnderwood Posted May 24, 2005 I think that's probably obvious. I'll bet that for any given Monday-through-Friday business, you'd see a similar one-day increase from Sunday to Monday. I'd imagine that very little email goes out from that server on the weekends, and then it jumps into action on Monday. OK, you are reading the numbers quite differently than I do, then:

Volume Statistics for this IP
                Magnitude   Vol Change vs. Average
Last day        4.0         136%
Last 30 days    4.0         125%
Average         3.7

I read this as: The lifetime average load is 3.7. Over the last day, the load has been 4.0, or an increase of 136% over the lifetime average. Over the last 30 days, the load has been 4.0, for an increase of 125% over the lifetime average.
DavidT Posted May 24, 2005 Steven, Which IP/server's data are you looking at? The one that both Wazoo and I looked at was: http://www.senderbase.org/?searchBy=ipaddr...g=65.160.124.98 where you'll see:

                Magnitude   Vol Change vs. Average
Last day        3.3         60%
Last 30 days    3.1         11%
Average         3.1

The "Last day" would be Monday, and so these numbers support what I've stated. DT
StevenUnderwood Posted May 24, 2005 Steven, Which IP/server's data are you looking at? The one that both Wazoo and I looked at was: OK, I could have sworn I used the link provided by Wazoo, but obviously I opened a different page when copying the data. Sorry for any confusion.
Wazoo Posted May 24, 2005 OK, I could have sworn I used the link provided by Wazoo, but obviously I opened a different page when copying the data. Sorry for any confusion. You're not alone. I was going on and on with one response, then realized I was troubleshooting using the data in another Topic ... causing a bit of editing 'here' .. which then led to DavidT asking how I could have responded with someone else's data before someone else had posted it <g> ....

I think that's probably obvious. I'll bet that for any given Monday-through-Friday business, you'd see a similar one-day increase from Sunday to Monday. I'd imagine that very little email goes out from that server on the weekends, and then it jumps into action on Monday. I'm not as sure about that, going with the "daily increase" being compared to the "average" .... have been checking a few other IP addresses to see if I can come down one side or the other on that particular ....
Ellen Posted May 24, 2005 There is/was spam being sent through that IP to the traps. It was not bounce messages. The IP has been listed/delisted since 5/12 or longer. It is now delisted but unless someone has figured out which computer is infected or whether the server is insecure the spammer will surely return. Re the message about will delist in 0 hours. That means that the IP is eligible for delisting/has entered the delist process. It can take up to 3 hours or a bit longer for the process to complete and the delist to propagate.
DavidT Posted May 24, 2005 Q for Ellen (or anyone who knows for sure): Does traffic sent to the spamtraps generate any reports back to the responsible ISPs? I'm guessing that it doesn't. So, in a case where spamtrap hits are the only thing causing an IP to be listed, how does an admin find out enough to deal with the situation? Perhaps only by direct communication via email with the Deputies? In this particular case would signing up for an "ISP account to get some information on specific IP report/complaint traffic" do any good for the OP if no reports are actually generated? DT
Wazoo Posted May 24, 2005 Q for Ellen (or anyone who knows for sure): Does traffic sent to the spamtraps generate any reports back to the responsible ISPs?

No reports are sent.

I'm guessing that it doesn't. So, in a case where spamtrap hits are the only thing causing an IP to be listed, how does an admin find out enough to deal with the situation? Perhaps only by direct communication via email with the Deputies?

As stated in the FAQ, Miss Betsy's FAQ entry .... though even that data points back to the monitoring of outgoing traffic ... most of these "we've been blocked" do seem to indicate that some lights should have been brighter than normal <g>

In this particular case would signing up for an "ISP account to get some information on specific IP report/complaint traffic" do any good for the OP if no reports are actually generated?

In this specific case with the data existing thus far, no help at all. On the other hand, it's actually pretty rare that "only spamcop spamtraps" get hit .. there is usually other evidence found elsewhere or that may show up later ... noting that it wouldn't be news that a particular spammer was working to "spread the joy" about how nasty the SCBL is by hitting on "the innocent" and specially targeting their "owned box" spew ....

There is/was spam being sent through that IP to the traps. It was not bounce messages. The IP has been listed/delisted since 5/12 or longer. It is now delisted but unless someone has figured out which computer is infected or whether the server is insecure the spammer will surely return.

Again, this suggests that there should be some other evidence showing up somewhere eventually ...???

Re the message about will delist in 0 hours. That means that the IP is eligible for delisting/has entered the delist process. It can take up to 3 hours or a bit longer for the process to complete and the delist to propagate.

As stated, this is now a Forum FAQ entry.
DavidT Posted May 24, 2005 ... most of these "we've been blocked" do seem to indicate that some lights should have been brighter than normal

Well... the server that hosts the nonprofit that I do volunteer work for is on the SCBL again, and I can't see the lights, but the SenderBase data don't indicate the expected increase before being listed...

On the other hand, it's actually pretty rare that "only spamcop spamtraps" get hit .. there is usually other evidence found elsewhere or that may show up later

Actually, it's happened multiple times to the server I mentioned above. We're blocked right now due only to spamtrap hits.

Again, this suggests that there should be some other evidence showing up somewhere eventually

Not necessarily. I've run many of these server IPs (the ones that show up in this forum, specifically) through other searches, such as Google Groups (where you'd expect to see some action in "sightings"), OpenRBL.org, RBLS.org and others, and often, SpamCop is the only resource that's having any problems with a given IP. I've seen this many times. DT
Wazoo Posted May 25, 2005 Having to watch words back in my 'government' days, in particular those R&D situations with contractors involved, then that long stint of trying to handle my side of a divorce (not being a lawyer had its distinct disadvantages <g>) ... I do note that I left myself plenty of 'wiggle room' in that which you challenge .. There is no argument at all, we all know it happens. But I stand on the "most of them ..." that make it to 'complaint level' here usually have evidence showing elsewhere. It's been quite a while since I'd seen one like this, having problems finding 'any' supporting data ... Though I can't point to any evidence, it is my opinion that Ralsky was doing this specific targeting to spamtraps a while back when he was on the Exchange server exploit binge ...