jimmyz Posted July 7, 2005

this can't be right

Wazoo Posted July 7, 2005

> this can't be right

I agree. Someone who took the time to register, took the time to make a post, surely would have provided some data to work with. Knowing for a fact that Microsoft/MSN/HotMail uses more than one server, I'm not inclined to spend time looking for just which server is in question ....

Bottom line .. Got Data?

jimmyz Posted July 7, 2005

Give me a few mins and I'll go through the logs on exchange and get the info. We have everything deleted when it gets flagged by spamcop so I don't have the e-mails to get the headers off them.

jimmyz Posted July 7, 2005

servers that got blocked.

64.4.61.51
64.4.56.22
64.4.56.41

"07/07/05 12:57:11","Blacklist/Whitelist Module","mike_mahne[at]hotmail.com","mike.mahne[at]vericore.com","test to vericore and yahoo","Deleted","Sending mail server found on bl.spamcop.net"
"07/07/05 12:39:09","Blacklist/Whitelist Module","mike_mahne[at]hotmail.com","mike.mahne[at]vericore.com","test","Deleted","Sending mail server found on bl.spamcop.net"
"07/07/05 12:38:28","Blacklist/Whitelist Module","washmore[at]hotmail.com","aaron.vicknair[at]vericore.com","RE: hey","Deleted","Sending mail server found on bl.spamcop.net"

Wazoo Posted July 7, 2005

64.4.56.22 not listed in bl.spamcop.net
64.4.56.41 not listed in bl.spamcop.net
64.4.61.51 not listed in bl.spamcop.net

jimmyz Posted July 7, 2005

> 64.4.56.22 not listed in bl.spamcop.net
> 64.4.56.41 not listed in bl.spamcop.net
> 64.4.61.51 not listed in bl.spamcop.net

Don't know what to say then. Logs showed that they were on the bl, and that was the ip address reported in exchange log that they were sent from. Anyone know of any problems in GFI MailEssentials that could have caused this?

StevenUnderwood Posted July 7, 2005

> Don't know what to say then. Logs showed that they were on the bl, and that was the ip address reported in exchange log that they were sent from. Anyone know of any problems in GFI MailEssentials that could have caused this?

It is possible they WERE listed and have since fallen off. You do understand how the Spamcop Bl works (since you are using it), correct?

WB8TYW Posted July 7, 2005

> servers that got blocked.
> 64.4.61.51
> 64.4.56.22
> 64.4.56.41
> "07/07/05 12:57:11","Blacklist/Whitelist Module","mike_mahne[at]hotmail.com","mike.mahne[at]vericore.com","test to vericore and yahoo","Deleted","Sending mail server found on bl.spamcop.net"

The first thing that you should realize is that the bl.spamcop.net is an aggressive blocking list and will on occasion list real mail servers.

A real mail server is typically listed for the following reasons in order of probability:

1. Weak passwords on SMTP auth.
2. Mail server auto-responding or bouncing spam/viruses to the known forged addresses.
3. A multi-hop exploit where spamcop.net does not detect that it is only a relay. (Spamcop.net tries not to list multi-hop outputs)
4. A different security hole where spammers have control of the server.
5. A user of that mail server reports their own mail server.

A paying spamcop member can see if there is a past history for those I.P. addresses.

So if you are using bl.spamcop.net, you are going to have noticeable false positives from time to time.

> "Deleted"

The second thing is that it is bad to silently delete detected spam, but not quite as bad as to bounce it to the forged address that it came from.

Detected viruses should be sent to a human to determine where to notify the proper network owner if you can not reject them in the SMTP transmission.

When a mail server is not going to deliver a message, it should end the SMTP session with a 500 series code like 550 to indicate such, and supply a brief text message as to why. This is part of the SMTP protocol.

If it is a mail server that is a gateway to other mail servers, if it can not determine that the end mail server can accept the message, then it should reject the SMTP session with a 400 series code like 440 with a text message. Then a real mail server will retry later. Spam and viruses will usually not retry.

The 500 series code or too many 400 series codes will cause the sender's mail server (if it is a real e-mail) to send a notice to the original sender so that they know what happened.

That way when a real message is mis-classified as spam, the sender will be notified, and when you have intermittent network issues, the mail will eventually get through.

Since a real mail server usually is not on the bl.spamcop.net list long, some mail server operators reject mail from those listings with a 400 series code, so the real e-mail is only delayed by a little bit.

A mail server or spam filter that can not issue the 4xx or 5xx codes for detected spam or non-existent users is not robust enough for the current internet e-mail system as it has no way to non-abusively notify senders of real mail that gets mis-classified.

-John
Personal Opinion Only

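Added example, not part of any post in this thread: a sketch of the lookup and reject-at-SMTP-time behaviour discussed above, which builds the DNSBL query name, accepts only 127.0.0.0/8 answers as listings, and returns a reply that names the zone that actually matched. The function names, the injected `resolve` callable, the choice of 451 for the temporary code and the 127.0.0.4 sample answer are assumptions; the IPs and zones are the ones quoted in the thread.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolve(name):
    """Live lookup: A record as a string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_sender(ip, zones, resolve):
    """Return (zone, answer) for the first list that has ip, else (None, None)."""
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        # Listing codes live in 127.0.0.0/8; any other answer is resolver
        # breakage (wildcard DNS, rewritten NXDOMAIN), not a listing.
        if answer and ipaddress.IPv4Address(answer) in LOOPBACK:
            return zone, answer
    return None, None

def smtp_reply(ip, zones, resolve, temporary=True):
    """SMTP reply for the connecting IP, in place of accepting and deleting."""
    zone, answer = check_sender(ip, zones, resolve)
    if zone is None:
        return "250 OK"
    # 451 (assumed choice) lets a real server retry; 550 makes it notify the sender.
    code = "451" if temporary else "550"
    # Name the zone that matched, so the log shows which list caused the block.
    return f"{code} {ip} listed in {zone} ({answer})"

# Constructed answers standing in for DNS; the IPs and zones are from the thread,
# the 127.0.0.4 return code is an assumption.
SAMPLE = {
    "220.51.4.64.bl.spamcop.net": "127.0.0.2",
    "32.56.4.64.sbl-xbl.spamhaus.org": "127.0.0.4",
}
ZONES = ["bl.spamcop.net", "sbl-xbl.spamhaus.org"]

if __name__ == "__main__":
    for ip in ("64.4.51.220", "64.4.56.32", "64.4.56.22"):
        print(smtp_reply(ip, ZONES, SAMPLE.get))
```

Passing `system_resolve` instead of `SAMPLE.get` performs live lookups; a listing is transient, so the answer should be logged at decision time rather than rechecked later.
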
Wazoo Posted July 7, 2005

A bit confused by this last newsgroup posting;

> From: "jimmy"
> Newsgroups: spamcop
> Subject: Re: spamcop is blocking hotmail.com servers!!!
> Date: Thu, 7 Jul 2005 15:54:43 -0500
> Message-ID: <dak4ql$fhh$1[at]news.spamcop.net>
> NNTP-Posting-Date: Thu, 7 Jul 2005 20:54:45 +0000 (UTC)
>
> Ok, just ran a new test. I had to BL running turned them off except bl.spamcop.net. hotmail was blocked from this server this time.
>
> 64.4.56.32
> Module","mike_mahne[at]hotmail.com","jimmy.riley[at]vericore.com","spamcop off","Deleted","Sending mail server found on sbl-xbl.spamhaus.org"
> 64.4.56.33
>
> Is there a global shared list between the BL servers?

I thought the "work" definition said only SpamCopDNSBL was turned on, but the 'block' is based on a spamhaus listing ... no, there is no connection between SpamCop and spamhaus ...

64.4.56.32 not listed in bl.spamcop.net
64.4.56.33 not listed in bl.spamcop.net

Miss Betsy Posted August 4, 2005

64.4.51.220 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 23 hours.

Causes of listing
* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
* SpamCop users have reported system as a source of spam about 40 times in the past week

Automatic delisting
If you are the administrator of bigip.bay107.hotmail.com and you are sure it will not be the subject of any more reports of spam, you may cause the system to be delisted without waiting for us to review the issue.

Looking for potential administrative email addresses for 64.4.51.220:
cannot find an mx for bigip.bay107.hotmail.com
cannot find an mx for bay107.hotmail.com
65.54.190.230 is an mx ( 5 ) for hotmail.com

Listing History
In the past 82.8 days, it has been listed 14 times for a total of 78.6 days

Other hosts in this "neighborhood" with spam reports
64.4.51.90

I didn't follow this thread before, but now I have received a legitimate email from hotmail that was tagged. Just FYI

Miss Betsy

PS spamassassin analysis

0.9 FROM_ENDS_IN_NUMS From: ends in numbers
1.1 MAILTO_TO_SPAM_ADDR URI: Includes a link to a likely spammer email
2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net [blocked - see <http://www.spamcop.net/bl.shtml?64.4.51.220>]
0.8 MSGID_FROM_MTA_HEADER Message-Id was added by a relay

GraemeL Posted August 4, 2005

They wouldn't be listed if they plugged whatever new hole they have. I only archive the stuff that makes it through to my server, but I remember reporting at least 10 others recently that got snagged by SC and ended up in held mail.

Two examples:

From info[at]ukwinningonline.org Sun Jul 24 16:22:23 2005
Return-Path: <info[at]ukwinningonline.org>
Received: from hotmail.com (bay16-f23.bay16.hotmail.com [65.54.186.73])
    by dellboy.highspot.net (8.13.4/8.13.4) with ESMTP id j6OFMEAj008983
    for <spamtrap[at]highspot.net>; Sun, 24 Jul 2005 16:22:23 +0100
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Sun, 24 Jul 2005 08:22:07 -0700
Message-ID: <BAY16-F2352898F722F839A701727CFCB0[at]phx.gbl>
Received: from 213.181.81.245 by by16fd.bay16.hotmail.msn.com with HTTP;
    Sun, 24 Jul 2005 15:22:06 GMT
X-Originating-IP: [213.181.81.245]
X-Originating-Email: [info[at]ukwinningonline.org]
X-Sender: info[at]ukwinningonline.org
From: "BRIAN HUNT" <info[at]ukwinningonline.org>
Bcc:
Subject: WINNING NOTIFICATION.
Date: Sun, 24 Jul 2005 15:22:06 +0000
Mime-Version: 1.0
Content-Type: text/html; format=flowed
X-OriginalArrivalTime: 24 Jul 2005 15:22:07.0387 (UTC) FILETIME=[7418C6B0:01C59063]
X-spam-Flag: YES
X-spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on Dellboy
X-spam-Level: ******
X-spam-Status: Yes, score=7.0 required=5.0 tests=BAYES_50,HTML_50_60,
    HTML_MESSAGE,HTML_SHOUTING3,MIME_HTML_ONLY,MISSING_HEADERS,
    MSGID_FROM_MTA_HEADER,NIGERIAN_BODY1,SUBJ_ALL_CAPS,URIBL_JP_SURBL

From [x][at]msn.com Tue Aug 2 03:52:08 2005
Return-Path: <[x][at]msn.com>
Received: from hotmail.com (bay105-f32.bay105.hotmail.com [65.54.224.42])
    by dellboy.highspot.net (8.13.4/8.13.4) with ESMTP id j722pvC0014374
    for <spamtrap[at]highspot.net>; Tue, 2 Aug 2005 03:52:07 +0100
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
    Mon, 1 Aug 2005 19:51:25 -0700
Message-ID: <BAY105-F32581D19F067509DCB2162CEC20[at]phx.gbl>
Received: from 65.54.224.200 by by105fd.bay105.hotmail.msn.com with HTTP;
    Tue, 02 Aug 2005 02:51:24 GMT
X-Originating-IP: [65.54.224.200]
X-Originating-Email: [abacha21[at]msn.com]
X-Sender: abacha21[at]msn.com
From: "Mariam Abacha" <abacha21[at]msn.com>
Bcc:
Subject: URGENT RESPONSE.
Date: Tue, 02 Aug 2005 02:51:24 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
X-OriginalArrivalTime: 02 Aug 2005 02:51:25.0171 (UTC) FILETIME=[128FCC30:01C5970D]
X-spam-Flag: YES
X-spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on Dellboy
X-spam-Level: ***********
X-spam-Status: Yes, score=11.6 required=5.0 tests=BAYES_50,DNS_FROM_RFC_POST,
    MISSING_HEADERS,MSGID_FROM_MTA_HEADER,NIGERIAN_BODY1,NIGERIAN_BODY2,
    NIGERIAN_SUBJECT2,RCVD_IN_BL_SPAMCOP_NET,SUBJ_ALL_CAPS,URG_BIZ

Merlyn Posted August 4, 2005

It's about time. I have been getting tons of 419's from Hotmail servers.

Archived
This topic is now archived and is closed to further replies.