Raccoon
Posted January 13, 2021

Hello all,

First off, I'd like to thank whoever replies with any possible solution to my/our issue here at my job. We have been having a lot of spam issues with one of our employees. We created her a new email with Suddenlink and it as well gets caught as spam. Below is the copy and paste of the email and what has been flagged.

Quote:

> From: **** <****@johnrhibbard.com>
> Subject: FW: Mail System Error - Returned Mail
> Date: January 13, 2021 at 1:49:09 PM CST
> To: ***** <******@icloud.com>
>
> On 1/13/21, 1:29 PM, "Mail Administrator" <Postmaster@suddenlink.net> wrote:
>
> Unfortunately your message was not delivered because :
> Each of the following recipients was rejected by a remote mail server. The reasons given by the server are included to help you determine why each recipient was rejected.
>
> Recipient: <*****r@LEAFnow.com>
> Reason: spamcop.mimecast.org Blocked - see https://www.spamcop.net/bl.shtml?208.180.40.71. - https://community.mimecast.com/docs/DOC-1369#550[v_wIQ0uPNaKZxFgUemo50A.us514]
>
> This message was created automatically by the mail system
>
> A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
> <*****@LEAFnow.com>,<*****@icloud.com>
> The email account that you tried to reach does not exist. Please try double-checking the recipient's email address for typos or unnecessary spaces. Learn more at: http://help.suddenlink.com
>
> The following attachments have been removed from the bounce message:
> Angels, Shenandoah, IA Resigned Lease.pdf
>
> Reporting-MTA: dns; dalofep01.suddenlink.net
> Arrival-Date: Wed, 13 Jan 2021 13:26:47 -0600
> Received-From-MTA: dns; [47.222.150.119]
>
> Final-Recipient: RFC822; <LEAFcopier@LEAFnow.com>
> Action: failed
> Status: 5.1.1
> Remote-MTA: dns; us-smtp-inbound-1.mimecast.com(205.139.110.141)
> Diagnostic-Code: smtp; 550 spamcop.mimecast.orgBlocked - see https://www.spamcop.net/bl.shtml?208.180.40.71. - https://community.mimecast.com/docs/DOC-1369#550[v_wIQ0uPNaKZxFgUemo50A.us514]
>
> From: ***** <******@johnrhibbard.com>
> Subject: Funding Documentation For App. No. 629587
> Date: January 13, 2021 at 1:26:45 PM CST
> To: ***** <LEAFcopier@LEAFnow.com>
>
> Hi Kim,
>
> Please see the attached resigned lease and let me know if you need anything further. I believe this is what you guys request. I can provide other information if requested.

Edited January 13, 2021 by Raccoon

gnarlymarley
Posted January 13, 2021

The IP does appear to be listed.

https://www.spamcop.net/w3m?action=blcheck&ip=208.180.40.71

> 208.180.40.71 listed in bl.spamcop.net (127.0.0.2)
> If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours.

It appears that enough reports were filed to get 208.180.40.71 listed. Since I am just a user, I am not able to look up much more. I would suggest that you have your employee scan their computer for viruses and have them make sure they do not have malware or spyware.

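The lookup behind the reply above, as an added example that is not part of any post in this thread: it reads the DSN fields from the bounce in the first post, separates the IP the remote server rejected from the IP that submitted the message, and builds the bl.spamcop.net query name for the rejected one. The function names and the injectable `resolve` parameter are assumptions made for the illustration.

```python
import re
import socket

# Constructed sample: DSN fields copied from the bounce quoted in the first post.
SAMPLE_DSN = """\
Reporting-MTA: dns; dalofep01.suddenlink.net
Received-From-MTA: dns; [47.222.150.119]
Action: failed
Remote-MTA: dns; us-smtp-inbound-1.mimecast.com(205.139.110.141)
Diagnostic-Code: smtp; 550 spamcop.mimecast.orgBlocked - see https://www.spamcop.net/bl.shtml?208.180.40.71.
"""
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

def parse_dsn(text):
    """Map each 'Field: value' line to a lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields

def first_ip(pattern, value):
    """First IPv4 address captured by pattern, or None."""
    match = re.search(pattern, value or "")
    return match.group(1) if match else None

def dnsbl_name(ip, zone="bl.spamcop.net"):
    """DNSBL query name: IPv4 octets reversed, then the blocklist zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, resolve=socket.gethostbyname):
    """Listed if the zone answers 127.0.0.x; NXDOMAIN or a resolver failure counts as not listed."""
    try:
        return resolve(dnsbl_name(ip)).startswith("127.0.0.")
    except OSError:  # socket.gaierror is a subclass of OSError
        return False

def summarize(text, resolve=socket.gethostbyname):
    """Compare the IP the remote server rejected with the IP that submitted the mail."""
    f = parse_dsn(text)
    rejected = first_ip(r"bl\.shtml\?" + IPV4, f.get("diagnostic-code"))
    sender = first_ip(r"\[" + IPV4 + r"\]", f.get("received-from-mta"))
    return {"rejected_ip": rejected, "submitted_from": sender,
            "same_host": rejected == sender,
            "listed_now": is_listed(rejected, resolve) if rejected else None}

if __name__ == "__main__":
    print(summarize(SAMPLE_DSN))  # performs a live DNS query against bl.spamcop.net
```

On the bounce from the first post, the rejected address is 208.180.40.71 while the message was submitted from 47.222.150.119.
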
gnarlymarley
Posted January 13, 2021

14 minutes ago, gnarlymarley said:
> The IP does appear to be listed.
> https://www.spamcop.net/w3m?action=blcheck&ip=208.180.40.71

I should also note that it might be a good idea to have all devices (such as cameras or refrigerators) that share that same IP checked for sending spam. Hackers love abusing other people's computers so their IPs get listed instead of their own. Once all the devices are secured, the IP will be automatically removed from the list.

Raccoon (Author)
Posted January 14, 2021

Hello Gnarlymarley,

Thank you a ton for replying so freaking FAST!! Totally appreciated!

Yea man, so that IP "208.180.40.71" I believe to be one of Suddenlink's SMTP server IP addresses. Although when I ping smtp.suddenlinkmail.com I've gotten the IP 208.180.40.68. I think that they also use the .71. The user works from home and her email is flagged the most. We have another user that has gotten an email blocked by a customer's SMTP server as well; if you would like I could provide that one as well.

As for the user with the most issues, the problem is that they possibly have a virus? I believe their Windows laptop stopped working so she started using a Mac.

From what I am understanding, attempt to send another email after 22 hours and it might be delisted?

I apologize for a ton of questions for a new account with only (2) posts. This issue has been a problem of ours for quite some time now (3-6 mo). I have attempted to call Suddenlink's business support and all they have managed to tell me after 4-7 calls is to forward the email to "spam@suddenlink.net", which ended as a return error invalid user.

Again - thank you for your support!

Edited January 14, 2021 by Raccoon

gnarlymarley
Posted January 14, 2021

7 hours ago, Raccoon said:
> As for the user with the most issues, the problem is that they possibly have a virus? I believe their Windows laptop stopped working so she started using a Mac.

The cause of listing section says that spam is being received by spamtraps and users coming from 208.180.40.71.

> Causes of listing
> System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
> SpamCop users have reported system as a source of spam less than 10 times in the past week

I have seen where a virus, malware, spyware, or router can be remotely controlled and then the hacker uses the device to send spam. If that is an open MTA, then anyone can connect and use it to send spam. I see the time is changing between 23 and 22 hours, so it would appear that the spam action is still going on.

According to the neighborhood section of https://www.spamcop.net/w3m?action=blcheck&ip=208.180.40.71, I do not see 208.180.40.68 listed. It would appear that almost all is from 208.180.40.71. Securing that IP, and/or the router in front of it, should help eliminate the spam that appears to be coming from it.

Raccoon (Author)
Posted January 14, 2021

Good morning Gnarlymarley,

Thank you for responding back so promptly to my questions. I believe I am starting to get the gist of all of this. I appreciate you for spelling it out for me. Not only are you teaching me, you are also confirming.

1 hour ago, gnarlymarley said:
> received by spamtraps and users coming from 208.180.40.71.

Since this is Suddenlink being flagged, is it other users (other than us) that are causing this to be flagged? I'm not confident in that because we have a similar email (same @johnrhibbard.com hosted via Suddenlink) that we use here at the shop that sends out requests to customers for a monthly count. We do not get any flags on that email.

Or all in all, is this just being flagged by the IP using the suspect email(s): ****@johnrhibbard.com; *****@johnrhibbard.com?

I rechecked the time for the delisting and it's at 22 hours. I don't think it's changed at all since your last report previously. 😥

petzl
Posted January 14, 2021

7 hours ago, Raccoon said:
> I rechecked the time for the delisting and it's at 22 hours. I don't think it's changed at all since your last report previously. 😥

The SpamCop blocklist is spam traps getting hit; spamtraps are fictitious email addresses that should not be getting email (like a radar).
When a spamtrap is hit it resets the block back to 24 hours.
Some have been sent to real addresses and been reported as spam.
These are some of the reported subject lines which look "spammy" to me.
Those wishing to do "email marketing" should learn about "Double Opt-in".

Order premium generic healing production here. Inviting:-) can u chat? Let's try to idyllic talks;-) My Mister charming =?utf-8?q?=5Bpossible_spam=5D?= Hi Y o u R TransUni0n, Equifax_And Experian Credit Scores In_Sec0nds For 0 Dolla... Own top rated treatment products here!

https://www.spamcop.net/w3m?action=checkblock&ip=208.180.40.71

Listing History
In the past 87.5 days, it has been listed 20 times for a total of 50.4 days

Other hosts in this "neighborhood" with spam reports
208.180.40.73
208.180.40.74

Raccoon (Author)
Posted January 15, 2021

16 hours ago, petzl said:
> When a spamtrap is hit it resets the block back to 24 hours

Hello, good morning petzl,

Thank you for replying! I've been looking at different threads within the forum and seen your name/comments. You guys really know what's up with this email stuff!

--

On the subject of the spamtraps: checking the log this morning, it is down to 4 hours! Now I know that they could get hit at any time and it restarts... but yea. That's something new. The IPs that are getting hit are the 71, 73, 74... (mainly the 71).

When I configure the workspace's computers and devices I stand behind using smtp.suddenlinkmail.com, which results in "208.180.40.68"...

On 1/14/2021 at 6:15 AM, gnarlymarley said:
> According to the neighborhood section of https://www.spamcop.net/w3m?action=blcheck&ip=208.180.40.71, I do not see 208.180.40.68 listed.

According to Gnarlymarley, that SMTP server I usually use isn't in that bit of IPs.

I am trying to pinpoint exactly what my issue is at hand:

1: Is it Suddenlink SMTP server service entirely at fault causing these issues in sending emails?
2: Is it likely that the emails that are used by said user on a compromised PC/network that sends out spam?

Please understand I do appreciate you guys for reaching out and answering my questions. Rather than just looking for a fix I am looking for the future knowledge to head into such an issue with some idea of what is happening.

Raccoon (Author)
Posted January 15, 2021

17 hours ago, petzl said:
> Those wishing to do "email marketing" should learn about "Double Opt-in"

I looked into the Double Opt-in for marketing... Now, we do sell a certain brand of copiers; we do not send out any flyer emails or anything like that. The 2 emails that said person uses get blocked a lot to different emails that she has had contact with in the past. They are not spam emails, they are regular emails talking about invoices/purchases which may include an attachment .pdf or two.

We have another email that I use to send out emails to our customers requesting the monthly count from the copiers. Since all this has started I have not gotten a delivery blockage via there.

petzl
Posted January 15, 2021

4 hours ago, Raccoon said:
> The 2 emails that said person uses get blocked a lot to different emails that she has had contact with in the past. They are not spam emails, they are regular emails talking about invoices/purchases which may include an attachment .pdf or two.

You are not the only one using that/those IPs, unfortunately. Some clown has bought a scam mailing list full of "poisoned" or spamtrap email addresses.
Spamtrap email addresses are hidden in web pages which a "spambot" has crawled through gathering email addresses. Some good, some spamtrap ones!
Might pay to consider a different email provider?
A very popular spam filter is SpamAssassin, which uses the SpamCop blocklist to help score/decide what is spam or not.
Then the big email providers have secret blocklists and spam recognition programs that they don't disclose publicly. Cisco email servers are the best at sorting "spam from ham" and don't bother telling if mail has been deleted (they have no need to, they are that good). I don't see it and just don't care. All non-spam email goes to my inbox 100% accurate.

Edited January 15, 2021 by petzl

Raccoon (Author)
Posted January 15, 2021

1 hour ago, petzl said:
> You are not the only one using that/those IPs, unfortunately

Yeaa I figured it was that way.. As of 2 hours ago the 208.180.40.71 is no longer being blacklisted. Again - I know this is subject to change if said clown decides to continue messing with that server.

2 hours ago, petzl said:
> Might pay to consider a different email provider?

Yes - I have already started looking into another option in case this issue continues on. Considering the help we get/got from Suddenlink themselves we are better off alone. After it's being delisted, we can only hope it stays that way. Sure is funny how after all this time it's been such a problem.. Now that I am here talking to you guys .. it stops literally a day or so later.

Raccoon (Author)
Posted January 16, 2021

Been looking around and this was just beginning last year...

https://answers.microsoft.com/en-us/outlook_com/forum/all/spamcop-blocking-my-emails-from-office-outlook/c4bd8237-9aa9-4dde-a227-8381663be444

I did a search by year and it didn't drag any others like that out; the similarities are scary. Practically spitting image of my current issue. Not to mention MAYBE same time line..?

petzl
Posted January 16, 2021

2 hours ago, Raccoon said:
> Been looking around and this was just beginning last year...
> https://answers.microsoft.com/en-us/outlook_com/forum/all/spamcop-blocking-my-emails-from-office-outlook/c4bd8237-9aa9-4dde-a227-8381663be444
> I did a search by year and it didn't drag any others like that out; the similarities are scary. Practically spitting image of my current issue. Not to mention MAYBE same time line..?

SpamCop is a "Bot".
The main problem with spamtrap email addresses is that spammers can find out what they are and use revenge attacks on servers they object to?
I get on my throwaway Gmail account I use for marketers a fictitious "unsubscribe" which posts to 100 spamtrap addresses; this activates a blocklist?

Edited January 16, 2021 by petzl

Raccoon (Author)
Posted January 20, 2021

It's back on the blacklist. Measures are being taken on our side to get away from Suddenlink.