Jump to content

[Resolved] Gutsy spammer


postmaster-Tim

Recommended Posts

Posted
And my responses have been posed that most users don't have a clue.  Wondering why/how you missed that, but noting that you slipped over the mention of a domain name ...???

32374[/snapback]

I am not sure what you mean (actually, I don't have a clue) about "slipping over the mention of a domain name".

I haven't missed what you have posed. Most users believe that their email will be delivered intact, without any snooping by their ISP's. I guess most users would be terribly shocked. I haven't delved into my agreement with my ISP that deeply. Perhaps I should.

Brian

  • Replies 52
  • Created
  • Last Reply
Posted
I am not sure what you mean (actually, I don't have a clue) about "slipping over the mention of a domain name".

In post #18, you say "Incidentally, that domain was also not mentioned anywhere in this discussion."

In post #2, I included the following;

But there is a mail server running at the IP you list

220-host01.doctor-pc.com ESMTP Exim 4.52 #1 Fri, 26 Aug 2005 15:36:05 -0400

220-We do not authorize the use of this system to transport unsolicited,

220 and/or bulk e-mail.

I haven't missed what you have posed. Most users believe that their email will be delivered intact, without any snooping by their ISP's. I guess most users would be terribly shocked. I haven't delved into my agreement with my ISP that deeply. Perhaps I should.

32385[/snapback]

Exactly my point. When showing folks the headers of their e-mail, pointing out that a copy of that e-mail physically exists on each of the servers included, pointing out that good ISPs make backups, so there may be even more copies floating around .... then getting into things like PGP and comparing that scenario to why they put their letters inside of an envelope, even pointing out the things that might be said in a letter (stuffed into a sealed envelope) that they would never put on the back of a postcard .... I personally don't believe that "most users believe ....." ... again, as most users don't have a clue.

Kids bought grandma a cell phone .. she got to using that so much, she dropped her landline. Kids bought grandma a computer. One daughter still using 98, other daighter using Win-ME .. both confusing the heck out of grandma trying to figure out Win-XP .... they actually set-up OE using the "example" e-mail address. Picture grandma sitting there actually composing and "sending" e-mail to the kids ... wondering why no one ever wrote back. Imagine my surprise at being asked to troubleshoot grandma's computer .. and starting out with no connection to the outside world at all ....

Granted that this is an extreme case, but ..... true.

Posted
Awhile back, I started blocking a particular IP (205.234.132.30) as I noticed a steady flood of what appeared to be spam, being sent to at least one user on our mail server.

The guy who is on this IP (which he appears to be locally addressed to us), actually phoned us to ask why he's being blocked.

Is this guy (postmaster-Tim) as clueless as he appears, or is blocking the IP address of an intermediate relaying SMTP server commonplace?

And with the rambling account provided by "DoctorPC" is it any wonder that he isn't able to work something out with the other ISP?

Posted
...When you indicated that you would let your lawyer decide whether calling you a "Gutsy Spammer" with "a lot of balls" is libel or slander.  Perhaps I misunderstood.......
Perhaps. I still don't understand how challenging somebody's false claims is tantamount to admitting them. Does libel or slander only apply if the allegations are true?

32384[/snapback]

...IANAL, either, but in those few jurisdictions with whose defamation laws I am familiar, truth is an absolute defense.

...FWIW, since we're discussing the written, rather than the spoken word, here, we're almost certainly talking about libel.

Let's get some things straight (for the record).

1. I never sent any spam, nor was any spam sent from my server.

32384[/snapback]

...Excellent! That would seem to suggest that you are not the target of the "gutsy spammer" or "balls" remark. Therefore, whether you think Tim's remarks are libel is irrelevant (unless it turns out that Tim was referring to you, which we do not know, as he has not returned to post here to say).

32384[/snapback]

2. When I tried to talk to Tim, (not Tim specifically, but the company he works for), I was categorically dismissed. Then Tim made public statements (on this forum) that I was (am?) a "gutsy spammer"; that I have "some balls" trying to contact him to discuss this like human beings; and I was "lying through [my] teeth".

32384[/snapback]

...That may or not be true. How do you know Tim was referring to you?
4. Tim acted without a single complaint from his clients. He blocked my IP without any valid reason. OK, that may be his right, but it certainly isn't the way to make the internet a more friendly & functional place.

32384[/snapback]

...This may also be true or not. And, yes, that is his right (again, assuming his contract with his customers/subscribers does not prohibit it).
Posted
How do you know Tim was referring to you?

32446[/snapback]

He specifically quoted my IP address. That (I believe) is even more of an identifier than my full name.

Brian

Posted
How do you know Tim was referring to you?
He specifically quoted my IP address. That (I believe) is even more of an identifier than my full name.

32448[/snapback]

...Really? In that case, please explain the following:
My customer set up a forwarder to forward all of her email; not just the spam that comes from various sources. If she (who is also a customer of the company Tim represents) has actually asked for this mail and doesn't mind receiving it, it is Tim's option to not let her receive it?
I interpreted this to mean that your customer ("her"), not you, sent the "spam." Did I misunderstand? Did she somehow forward her e-mail through your personal PC (your IP address)?
Posted

doctorpc runs a server that allows forwarding of emails. doctorpc's customer receives spam on the address received at doctorpc's server which forwards it to the same persons account on Tim's server per the forwarding rule. All Tim sees in the connecting IP, which is doctorpc's server, and blocks it. This means that all email (good and bad) forwarded from doctorpc's server to Tim's is being dropped/rejected.

While all the mail Tim has seen is spam, that does not mean that future messages will all be spam. Or perhaps this person uses the address assigned to doctorpc's server as a first point of contact or some other reason it receives mostly spam. Their choice. I would like to hear from this customer of both admins to find out their feelings on Tim's block.

Posted

IIRC there are three such customers, but one gets lots of spam. I'd like to hear from all three.

Posted
doctorpc runs a server that allows forwarding of emails.  doctorpc's customer receives spam on the address received at doctorpc's server which forwards it to the same persons account on Tim's server per the forwarding rule.  All Tim sees in the connecting IP, which is doctorpc's server, and blocks it.

32451[/snapback]

...That's what I would have thought, except that Brian seems to me to be saying that he is being defamed by Tim because Tim called Brian (by virtue of referring to what Brian says is his IP address, as distinct from his server's IP address) a "gutsy spammer." If the "spam" came from Brian's IP address, then Brian's belief he was defamed makes sense but if it came from Brian's subscriber via Brian's server IP address, then I would doubt Tim was referring to Brian as a spammer but, rather, Brian's subscriber.
This means that all email (good and bad) forwarded from doctorpc's server to Tim's is being dropped/rejected.

<snip>

32451[/snapback]

...That's the whole point of identifying IP addresses as sources of spam, so MSPs and ISPs can take some action on e-mail coming from those IP addresses, right? We mostly agree, I think, that (assuming adequate storage space whose costs are reasonably allocated) tagging is preferred to blocking but we also most agree, I think, that that is the MSP or ISP's choice.
Posted
...That's what I would have thought, except that Brian seems to me to be saying that he is being defamed by Tim because Tim called Brian (by virtue of referring to what Brian says is his IP address, as distinct from his server's IP address) a "gutsy spammer."  If the "spam" came from Brian's IP address, then Brian's belief he was defamed makes sense but if it came from Brian's subscriber via Brian's server IP address, then I would doubt Tim was referring to Brian as a spammer but, rather, Brian's subscriber.

32466[/snapback]

Steve, Many people (even administrators) don't know how to read email headers or even try. The email logs will only show the connecting IP address so that is where the message "came from". Brian is the administrator of the IP forwarding the messages, so it is HIS IP address.

Just like the whole range of 199.79.137.0-255 are MY IP addresses. If someone claimed I was a "gutsy spammer" because I called an administrator that was blocking us because we offered a forwarding service, I would defend myself as well.

Posted
Steve, Many people (even administrators) don't know how to read email headers or even try.  The email logs will only show the connecting IP address so that is where the message "came from".  Brian is the administrator of the IP forwarding the messages, so it is HIS IP address.

<snip>

32468[/snapback]

...Brian's postings made me think he was sophisticated enough to know the difference between his personal IP address and his server's (servers'). Maybe I overestimated? :)
Posted

Ok, so, providing an IP address is in no way slander, IMO. I didn't state a name, I just called it as I saw it, which was an origin of spam entering our mail server. (I didn't think referencing an IP of spam origin, or possible open relay was slander)

I searched, with a fine tooth comb, a week's worth of email logs for valid email originating from this IP address, and saw no attempts of legit email sending from that server. Apparently during this period of a week, I was informed by Brian that legit email attempts were made by him to these customers. I can/would have seen any/all attempts, legit or not. I did not see email originating from "him". As for 3 customers, I have only ever seen email attempts from that IP to only one of our customers. I found out on the phone with Brian, about a possible 2nd and/or 3rd customer. As mentioned, in all my digging for info of this IP in question, I saw only traffic going to one customer here, no other.

There are times I block an IP for seeing actual spam coming through, until notified otherwise. Which was in this case. I see it initially as spam flood to an account on our server, I block it, then Brian calls me to indicate he has legit email sending through. Simple solution, I removed the blocking of his IP immediately. Where/how I was wrong in that, I don't understand. All it took was for him to indicate that he and his server are a legit source of email, and I took immediate action on my part to remove the IP from our block list. That was end of conversation. Seems he wants to keep this going for some reason now. I was led to believe this had all been cleared up with the fact that I removed the block upon receiving his phone call, and he explained the situation.

Case closed.

Tell me there are no other ISPs in the world who have had a similar situation, where a block is placed, contact from server owner afterwards to clear up the situation, then block is removed.

Tim

P.S. arin.net lookup on IP in question, how/where does this point to Doctor PC or the name Brian for that matter?

Server Central Network SCN-4 (NET-205-234-128-0-1)

205.234.128.0 - 205.234.255.255

HostForWeb Inc. HOSTFORWEB-14 (NET-205-234-132-0-1)

205.234.132.0 - 205.234.132.255

How/where would that imply you specifically? IP is not shown to be owned by Doctor PC. IP is owned by a company in Chicago it appears. :huh:

Posted
P.S. arin.net lookup on IP in question, how/where does this point to Doctor PC or the name Brian for that matter?

Server Central Network SCN-4 (NET-205-234-128-0-1)

                                  205.234.128.0 - 205.234.255.255

HostForWeb Inc. HOSTFORWEB-14 (NET-205-234-132-0-1)

                                  205.234.132.0 - 205.234.132.255

How/where would that imply you specifically? IP is not shown to be owned by Doctor PC. IP is owned by a company in Chicago it appears.  :huh:

32470[/snapback]

For the third time, see Post #2.

Posted
which was an origin of spam entering our mail server.

32470[/snapback]

Not going to get into the slander part of this, but your phrasing above is what started all this, IMHO. According to the facts presented so far, his IP was NOT the ORIGIN of the spam in question, just an intermediary, which you should have been able to determine without the block.

I would have investigated the messages sent and asked my customer if they had setup a forward through this other system. It could have been their own system, for all you know.

P.S. arin.net lookup on IP in question, how/where does this point to Doctor PC or the name Brian for that matter?

32470[/snapback]

This ARIN bit is also a bit of sloppy detective work. It is not hard to figure out that HostForWeb Inc. would probably be hosting many people and companies from their IP's. When you call out a specific IP, you are "calling out" the administration behind that IP. In this case, that was apparently Brian. You could have contacted HostForWeb Inc. and possibly gotten the same information.
Posted
Not going to get into the slander part of this, but your phrasing above is what started all this, IMHO.  According to the facts presented so far, his IP was NOT the ORIGIN of the spam in question, just an intermediary, which you should have been able to determine without the block.

I would have investigated the messages sent and asked my customer if they had setup a forward through this other system.  It could have been their own system, for all you know.This ARIN bit is also a bit of sloppy detective work.  It is not hard to figure out that HostForWeb Inc. would probably be hosting many people and companies from their IP's.  When you call out a specific IP, you are "calling out" the administration behind that IP.  In this case, that was apparently Brian.  You could have contacted HostForWeb Inc. and possibly gotten the same information.

32477[/snapback]

Man, I just want an end to this, at the same time trying to post my side of it again as well.

First off, I did not come out and specifically state who it was. I can see a problem if I specifically stated a name of person or company, but I did not. Right now, I cannot care less. This is pissing me off.

Stating an IP, and others choosing to look up info on it to find out who it is, is certainly not me pointing out who it is. I was in no way directly posting detailed information on the sender.

And I apologize for how I phrase things, that is just me. To get picky on how someone phrases something.... What happens if someone with poor English skills posts, and they do not phrase something right, and things are taken out of context? Don't shoot the person for not phrasing something well, please. I started this simply stating the facts that I saw at the time, which was incoming spam to our mail server (yes, which it IS my job to prevent spam to our system, especially when it affects the functionality of our mail server), I pointed out the IP that at the time, I was suspicious of being an open relay.

I know enough that the starting point of the email in question was not the IP I indicated, so use of the word "originating" was not a good choice. However, I suspected a possible open relay, with no logged entries of legit email originating (or relaying!) from the IP in question, so I put a block on it at the time. Notified by Brian with an explanation as to the situation, and I acted accordingly by removing the IP from being blocked.

I don't get how this is not straight forward.

Posted
I interpreted this to mean that your customer ("her"), not you, sent the "spam." Did I misunderstand?  Did she somehow forward her e-mail through your personal PC (your IP address)?

32449[/snapback]

Steve, Nowhere here has it been said that the IP in question was his personal PC. It is a server, paid for and administered by doctorpc or the company he represents. DoctorPC did not send the spam. The (common) customer did not send the spam. A (or many) third parties sent the spam to the common customer's address at doctopc's server. Doctorpc's server then followed the forwarding rules setup by the common customer and forwarded those messages on to Tim's server. THis is like using one of the many "permanent email address solutions" (netforward.com is one I have used) that accepts email for a custom email address and forwards it to whatever current address you want it delivered to. Spamcop's servers could be in the same position if I used the tagging option, 99% of my messages used to be spam until I dropped that netforward address I had created in 1996.

Tim could (and should, in my opinion) have investigated more before installing the block.

As I said in my previous message, I would have (and have is many situations) looked at all the headers of the messages in question and asked if the customer had setup messages to be forwarded from this other server. Then if the customer did not want the messages, you have let them know where to turn them off (on doctorpc's server).

Posted
However, I suspected a possible open relay, with no logged entries of legit email originating (or relaying!) from the IP in question, so I put a block on it at the time. Notified by Brian with an explanation as to the situation, and I acted accordingly by removing the IP from being blocked.

I don't get how this is not straight forward.

32479[/snapback]

"A lie told often enough becomes the truth."

1. In your original post, you verified that the server was not an open relay. In your complaint to SpamCop, you verified that the message (I think you are still beng misleading insofar as we are talking about one message) did not originate at our server.

2. I (first) contacted you August 26th. The block was removed (by your co-worker, not by you) on September 2nd, after several complaints about legitimate email not being able to get through. (I think the last straw was when a certain business in our community (hosted by us) was unable to contact their insurance company (hosted by you) for several days. That business owner contacted your co-worker and had the block removed.) At that time, you still had not returned any of my attempts to contact you.

Brian

Posted
<snip>

I interpreted this to mean that your customer ("her"), not you, sent the "spam." Did I misunderstand?  Did she somehow forward her e-mail through your personal PC (your IP address)?

32449[/snapback]

Steve, Nowhere here has it been said that the IP in question was his personal PC.

32480[/snapback]

...Yes, I understand that is the likely scenario; it is not how I interpreted what Brian wrote:
He specifically quoted my IP address. That (I believe) is even more of an identifier than my full name.

32448[/snapback]

If admins are going to refer to IP addresses of the servers they administer as "my IP," I doubt I'm the only one who is going to misunderstand (but that may be the case).
It is a server, paid for and administered by doctorpc or the company he represents.  DoctorPC did not send the spam. The (common) customer did not send the spam. A (or many) third parties sent the spam to the common customer's address at doctopc's server.  Doctorpc's server then followed the forwarding rules setup by the common customer and forwarded those messages on to Tim's server.  THis is like using one of the many "permanent email address solutions" (netforward.com is one I have used) that accepts email for a custom email address and forwards it to whatever current address you want it delivered to.

<snip>

32480[/snapback]

...And this is what Brian seemed to think Tim was obligated to do, whereas my point is that Tim is not so obligated (unless by contract to his [Tim's] customers).
Posted
"A lie told often enough becomes the truth."

1. In your original post, you verified that the server was not an open relay. In your complaint to SpamCop, you verified that the message (I think you are still beng misleading insofar as we are talking about one message) did not originate at our server.

2. I (first) contacted you August 26th. The block was removed (by your co-worker, not by you) on September 2nd, after several complaints about legitimate email not being able to get through. (I think the last straw was when a certain business in our community (hosted by us) was unable to contact their insurance company (hosted by you) for several days. That business owner contacted your co-worker and had the block removed.) At that time, you still had not returned any of my attempts to contact you.

Brian

32481[/snapback]

1.

I didn't fully verify that it was not an open relay, ordb.org is only one of many websites to test open relay. I suspected it as an open relay at the time, which I fealt necessary to block whether long term or temporarily, to prevent incoming flood of spam. Where in my first message, did I:

A. Indicate that my post to Spamcop was a complaint?

B. State/admit that it was not originating from your server? (putting words in my mouth now)

2.

Block removed by co-worker, sorry for having a damn life outside of work and taking a week off to enjoy time with my family. Christ. :angry:

I received two messages (while at work) in regards to this, and at the time was rather quite busy with all other ongoing duties I have in my job and could not contact you immediately at the time. You did end up reaching me shortly thereafter. Being the sole person to handle all administrative functions in an ISP environment, you may not always hear back from me within 5 minutes. :rolleyes:

Posted
<snip>

2.

Block removed by co-worker, sorry for having a damn life outside of work and taking a week off to enjoy time with my family.

<snip>

32483[/snapback]

...FWIW, Tim, "I took immediate action on my part to remove the IP from our block list" is a good bit different from "lock removed by co-worker rather than by me, because I was on vacation." Please don't diminish your (IMHO) clearly superior position here [not to denigrate Brian's well-phrased postings, which I enjoy and admire, in spite of mostly disagreeing] by being other than totally straightforward with us and allowing him to legitimately malign your credibility.
Posted
...FWIW, Tim, "I took immediate action on my part to remove the IP from our block list" is a good bit different from "lock removed by co-worker rather than by me, because I was on vacation."  Please don't diminish your (IMHO) clearly superior position here [not to diminish Brian's well-phrased postings, which I enjoy and admire, in spite of mostly disagreeing] by being other than totally straightforward with us and allowing him to legitimately dimish your credibility.

32484[/snapback]

Sorry about that, really. I was using "I" at the time, as I had no reason to bring my "co-worker" into the fray. Also, I find out all the sh** that happens when I get back from a week holiday. I keep the wheels in motion here, and when I'm gone, I come back to worse issues compared to this one.

I'm sorry, but I get nothing but accolades from my customers on "You are doing a great job keeping spam out", and "What would we do without you". I'm placed in a position to make judgement calls on who or what I can block on the mail server. For the most part it provides better service to our customers, with the occasional situation like as you see here. A blocking like this happens once a year here, where a legitimate server is blocked, but normally goes without a hitch for removal if/when server owner provides evidence that they are sending legitimate emails. In this case, it was not that straight forward, as I monitored for legitimate emails in a week timeframe, and did not see the evidence to justify removing the IP blocking ASAP.

And to be honest, this is not the first time I've had a spammer contact me directly to attempt being unblocked. I've played the game many times, and I will continue to act defensively in the beginning of a situation. Just doing my job here, which daily, is fighting spam to prevent it from our system, Brian's IP was one of those "once a year" hiccups that comes from doing this sort of work.

Posted
And this is what Brian seemed to think Tim was obligated to do, whereas my point is that Tim is not so obligated (unless by contract to his [Tim's] customers).

32482[/snapback]

Obligated, no. But it is "the right thing to do". I call it due diligence.
Posted
Obligated, no.  But it is "the right thing to do".  I call it due diligence.

32486[/snapback]

...Then we'll have to agree to disagree. As a customer, I far prefer an occassional false positive that the person writing to me can get corrected by convincing my provider's admin that e-mail from her/his servers should be let through. I consider this to be protecting my provider's resources, for which I am paying. I guess I'm pleased that there are admins like Tim that I can use and that there are admins like you, Steven, that those who disagree with me can use.

...Ultimately, the right thing seems to have happened. Tim seems to have overreacted to (in his original post here, not in having blocked) the apparent spam coming from Brian's servers. Brian seems to have incorrectly (although not entirely unreasonably) believed that Tim had defamed him. Hopefully, both learned a little and will find it much easier to work with each other in the future, should that be necessary.

Posted
And to be honest, this is not the first time I've had a spammer contact me directly to attempt being unblocked.

32485[/snapback]

Nor is it the second, third nth or last time, because the spammer did not contact you in this case.

Did you ever stop to think that maybe the others who contacted you also were not spammers?

My original question was basically "Would it not be better to shoot after asking the questions?" And now I'd add "...and maybe not paint evertbody who runs a webserver with the same brush?"

Incidentally, taking a week to "go through the mail logs with a fine tooth comb" is not very much of a vacation. Hopefully it's a better one next time.

Brian

Posted
Nor is it the second, third nth or last time, because the spammer did not contact you in this case.

Did you ever stop to think that maybe the others who contacted you also were not spammers?

My original question was basically "Would it not be better to shoot after asking the questions?" And now I'd add "...and maybe not paint evertbody who runs a webserver with the same brush?"

Incidentally, taking a week to "go through the mail logs with a fine tooth comb" is not very much of a vacation. Hopefully it's a better one next time.

Brian

32489[/snapback]

Sorry if it seemed to be implied that you are a spammer with my wording I used. I was trying to point out that I have been contacted by spammers attempting to claim their emails are legit. I don't have to stop to think that they are not spammers, when the emails incoming from them (directly) are XXX/porn, falsified From/Reply addresses etc... etc.. etc..

As for "Would it not be better to shoot after asking the questions", there are two types of emails blocked by a mail server, spam and virus emails. The whole job behind administering a mail server is to put a stop to the inbound emails in question, and deal with the resolution afterwards. You wouldn't let it run rampant during the time you are "looking into it". So no, with false positives, I deal with resolving blocking complaints from legit sources after the block is put in place.

A week going through log files? Wondering how in my previous post, it was even close to it sounding like that. :huh: The vacation comment and the "week worth of logs" comment are in two completely separate posts. :huh:

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...