Mailservers getting listed (how to prevent?)


snowolfe


Ok here's the situation. I have about 8 mailcleaners (filters for spam) that deliver mail to my clustered pop server. The pop server uses spamcop for blocking mail on about 300 or 400 domains that are not filtered.

This morning, out of the blue, two of my cleaners were suddenly listed, thus making my pop server reject mail from them.

Now... these are not open relays, and if you look at our ip block (209.209.192.0/24) you can clearly see that we have a very low rate of complaints.

Now... If a person off our network reports a mail to spamcop... it has our filters in the header... and your system does not seem to properly distinguish the filters from the original source.

How do we keep this from happening?


[How to] post a question has some data that would help us help you. A Tracking URL would certainly help, such that the headers involved could be examined. A specific IP address would certainly help (I for one don't see the fun in trying to take a stab at just which items in your suggested /24 might be at issue .... not sure at all why you bring up "open relays" ...

Some of the most obvious/typical issues .. lack of a FQDN being used by your internal handling, identification by each server in the process not being provided in each (added) Received line, etc., etc., etc. ... but without data, it's pretty hard to guess at anything from this side of the screen.

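The point raised above, that each relay in the chain must identify its peer in the Received line it adds, is the usual reason a filtering hop ends up blamed as the spam source. The following is an added illustration, not code from the thread, from SpamCop or from the poster's setup: it walks a constructed header chain from the receiving end outward, steps over relays whose IP is in a trusted set, and reports the first IP it cannot vouch for. The hostnames, the RFC 5737 documentation addresses and the trusted set are all assumptions made for the example.

```python
import re

# Constructed sample (not from the thread): RFC 5737 documentation addresses
# stand in for the two filtering hops; 203.0.113.9 plays the real spam source.
# Topmost Received line was added last, i.e. by the relay closest to us.
GOOD_CHAIN = """\
Received: from cleaner2.example.net (cleaner2.example.net [192.0.2.71])
\tby pop.example.net with ESMTP id abc123; Fri, 11 Nov 2005 16:04:09 -0500
Received: from cleaner1.example.net (cleaner1.example.net [192.0.2.67])
\tby cleaner2.example.net with ESMTP; Fri, 11 Nov 2005 16:04:08 -0500
Received: from mail.example.invalid (unknown [203.0.113.9])
\tby cleaner1.example.net with SMTP; Fri, 11 Nov 2005 16:04:07 -0500
Subject: constructed sample
"""

# Same path, but cleaner2 recorded the hand-off from cleaner1 without the
# peer's IP address, so the chain cannot be followed past cleaner2.
BROKEN_CHAIN = """\
Received: from cleaner2.example.net (cleaner2.example.net [192.0.2.71])
\tby pop.example.net with ESMTP id abc124; Fri, 11 Nov 2005 16:04:09 -0500
Received: from cleaner1
\tby cleaner2.example.net with ESMTP; Fri, 11 Nov 2005 16:04:08 -0500
Received: from mail.example.invalid (unknown [203.0.113.9])
\tby cleaner1.example.net with SMTP; Fri, 11 Nov 2005 16:04:07 -0500
Subject: constructed sample
"""

# Assumed set of the site's own filtering relays.
TRUSTED_RELAYS = {"192.0.2.67", "192.0.2.71"}

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_BY_RE = re.compile(r"\bby\s+(\S+)")


def received_hops(raw_headers):
    """Unfold header continuation lines and return the Received values,
    top to bottom (most recently added first)."""
    lines = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()  # folded continuation line
        else:
            lines.append(line)
    hops = []
    for line in lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "received":
            hops.append(value.strip())
    return hops


def parse_hop(value):
    """Extract the bracketed sending IP and the receiving host from one line."""
    ip_match = _IP_RE.search(value)
    by_match = _BY_RE.search(value)
    return {
        "from_ip": ip_match.group(1) if ip_match else None,
        "by": by_match.group(1) if by_match else None,
    }


def blamed_source(raw_headers, trusted):
    """Walk the chain from our end outward. Hops whose sending IP is a
    trusted relay are stepped over; the first untrusted IP is the source.
    If a hop does not identify its peer, the walk stops and the last trusted
    relay seen is what an outside reporter's parser will blame."""
    last_trusted = None
    for value in received_hops(raw_headers):
        hop = parse_hop(value)
        if hop["from_ip"] is None:
            return last_trusted, "chain broken: relay did not record peer IP"
        if hop["from_ip"] in trusted:
            last_trusted = hop["from_ip"]
            continue
        return hop["from_ip"], "first untrusted hop"
    return last_trusted, "no external hop found"


if __name__ == "__main__":
    print(blamed_source(GOOD_CHAIN, TRUSTED_RELAYS))    # the real source
    print(blamed_source(BROKEN_CHAIN, TRUSTED_RELAYS))  # the filter gets blamed
```

The second case is the one that matches the symptom in the thread: once a relay fails to record its peer, the walk cannot continue and the filter in front of it becomes the apparent source. The same thing happens when an internal relay is simply not in the trusted set, as the third check below shows.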

Whoops... my bad...

I had started this message in the beginning and it contained the ip addresses.

Looks as if, from the list above, someone here already put in some of our ip addresses. So now I need to go find what login that is.

The ip addresses in question were 209.209.192.67 and .71 - which by the link above are not in the sender base... so that's what I obviously need to get corrected.

Looks like we also need to get the reports changed from postmaster.

This is what happens when you come in behind other people that never wrote any notes.

Oh, and on the links... all we were getting was the complaints with a single link to the lookup for the ip address.

Oh well, at least that answered all my questions. Thanks.


UPDATE:

just got this.

IPs reported in past hour:

209.209.192.67

209.209.192.68

209.209.192.71

209.209.192.66

but when I search on the site....

ISP control center

209.209.192.67

Most recent spam reported about 3.2 days ago

So... which is it? Did I just get reported or not?


> Looks as if, from the list above, someone here already put in some of our ip addresses.

The lists at SenderBase of IP Addresses "used to send email" appear to be automated.

> So now I need to go find what login that is.

That is probably not necessary.

> The ip addresses in question were 209.209.192.67 and .71

Thanks for those. Report History for them follows:
Submitted: Friday, November 11, 2005 16:04:09 -0500:

Tele Camcorder Hookup!

    * 1554019105 ( http://zofdf.ineedu2nite.org/a1/getmeoff.php ) To: mole[at]devnull.spamcop.net

    * 1554019104 ( http://buamk.ineedu2nite.org/a1 ) To: mole[at]devnull.spamcop.net

    * 1554019103 ( 209.209.192.67 ) To: mole[at]devnull.spamcop.net

Submitted: Thursday, October 27, 2005 12:58:31 -0400:

b()()st your satisfaction with C1alis softt[at]bs

    * 1541098597 ( http://91egepwdfufjk99kw9rkw9r9.cowslipef.com/ ) To: mole[at]devnull.spamcop.net

    * 1541098596 ( 209.209.192.67 ) To: mole[at]devnull.spamcop.net

Submitted: Thursday, September 22, 2005 11:03:04 -0400:

Florida Bahamas and RCL Cruise

    * 1513519709 ( http://www.livelyhopeful.com/ ) To: mole[at]devnull.spamcop.net

    * 1513519708 ( http://www.bayou.com ) To: mole[at]devnull.spamcop.net

    * 1513519707 ( 209.209.192.67 ) To: mole[at]devnull.spamcop.net

Submitted: Tuesday, August 30, 2005 15:53:10 -0400:

=?iso-8859-1?Q?Re:_ll_My_Problem_Solved_VIAGRR=E5?=

    * 1498701891 ( http://www.pgfl.com.hyrotecve.com ) To: mole[at]devnull.spamcop.net

    * 1498701890 ( 209.209.192.67 ) To: mole[at]devnull.spamcop.net

Submitted: Friday, November 11, 2005 14:00:35 -0500:

CYGT - Cygnus Lands Expedia Contract

    * 1553314140 ( http://numerha.com/080E1E141300001300321B1C131F... ) To: mole[at]devnull.spamcop.net

    * 1553314139 ( 209.209.192.71 ) To: mole[at]devnull.spamcop.net

Submitted: Friday, November 11, 2005 12:52:15 -0500:

CYGT - Cygnus Lands Expedia Contract

    * 1553210499 ( http://numerha.com/080E1E141300001300321B1C131F... ) To: mole[at]devnull.spamcop.net

    * 1553210498 ( 209.209.192.71 ) To: mole[at]devnull.spamcop.net

Submitted: Tuesday, August 30, 2005 15:52:40 -0400:

Hey- Don't get ripped off!

    * 1498701509 ( http://www.meebwn.com/pt/?14&ssdkxhjqglmpljbo ) To: mole[at]devnull.spamcop.net

    * 1498701508 ( 209.209.192.71 ) To: mole[at]devnull.spamcop.net

Submitted: Tuesday, August 30, 2005 15:52:31 -0400:

Ever See A Small Oil-Stock Take Off?

    * 1498701163 ( 209.209.192.71 ) To: mole[at]devnull.spamcop.net

It looks like you've got a mole on your internal network.
> - which by the link above are not in the sender base... so that's what I obviously need to get corrected.

That is also probably not necessary.

> Looks like we also need to get the reports changed from postmaster.

Yes. The best way to do that is to "Mail new and updated contact info only to update[at]abuse.net" per http://www.abuse.net/addnew.html. http://www.spamcop.net/sc?action=showroute...67;typecodes=17 currently says:
Reports routes for 209.209.192.67:

routeid:7490801 209.209.192.0 - 209.209.223.255 to:postmaster[at]bayou.com

Administrator found from whois records

SpamCop's Parser currently says:
"whois 209.209.192.67[at]whois.arin.net" (Getting contact from whois.arin.net )

Using postmaster[at]bayou.com instead of jerry[at]bayou.com

209.209.192.0 - 209.209.223.255:postmaster[at]bayou.com

whois.arin.net contact: postmaster[at]bayou.com

Routing details for 209.209.192.67

Using abuse net on postmaster[at]bayou.com

abuse net bayou.com = postmaster[at]bayou.com, jerry[at]bayou.com

Using best contacts postmaster[at]bayou.com jerry[at]bayou.com

> This is what happens when you come in behind other people that never wrote any notes.

Sorry to hear that.

> Oh, and on the links... all we were getting was the complaints with a single link to the lookup for the ip address.

Would you care to share one? Thanks!


> So... which is it? Did I just get reported or not?


There's "Reporting" and there's "Reporting" .... There is data available (suggesting looking at "Mole Reporting is back" in the Announcements section) .. and there is data that is not going to be made available. Best guess, yes you were "reported" by someone using the Mole reporting status, which would also explain the lack of you/someone receiving complaints. Public data available is that Mole reports alone will not get an IP listed.

On the other hand, I still don't see any of the suggested data offered as suggested in my first post to this Topic. The report data offered suggests that reports/complaints have been made, but none of this touches on your original query of "why" these "filtering servers(?)" are being identified as the source of this spew. Or has the story changed a bit since your first post?


> There's "Reporting" and there's "Reporting" .... There is data available (suggesting looking at "Mole Reporting is back" in the Announcements section) .. and there is data that is not going to be made available. Best guess, yes you were "reported" by someone using the Mole reporting status, which would also explain the lack of you/someone receiving complaints. Public data available is that Mole reports alone will not get an IP listed.
>
> On the other hand, I still don't see any of the suggested data offered as suggested in my first post to this Topic. The report data offered suggests that reports/complaints have been made, but none of this touches on your original query of "why" these "filtering servers(?)" are being identified as the source of this spew. Or has the story changed a bit since your first post?


Ok I did the update[at]abuse.net... so hopefully that will fix the no reporting issue.

Something I did notice that was weird is we would get a complaint from someone... we could go look up the ip... the ip would not show as blocked and said last reported spam 3 days ago... yet the message they got was less than a couple of hours old. Next one I get I will try to demonstrate.

Basically I guess the whole entire question gets to... is there a way to "register" our mail servers so this stops happening?


> Ok I did the update[at]abuse.net... so hopefully that will fix the no reporting issue.

Won't guess on that one right now .. would have to do research more on that one, but in reading the previous posts, I'm not sure that I've got the right data to work with, especially the hand-offs that you suggested that are in use internally ... I believe I'm still looking for some actual header data to look at any/all of that stuff.

> Something I did notice that was weird is we would get a complaint from someone... we could go look up the ip... the ip would not show as blocked and said last reported spam 3 days ago... yet the message they got was less than a couple of hours old. Next one I get I will try to demonstrate.

I find this possibly confusing. If you receive a "report from someone" ... why would that tie back to the history of a SpamCop.net report being sent out?

> Basically I guess the whole entire question gets to... is there a way to "register" our mail servers so this stops happening?


No, there is no whitelisting of servers available. On the other hand, if there is something wonky about your set-up (again, without headers actually showing the internal hand-offs you described in your first post, this is still an unknown) .. it may be possible that some "data" could be manipulated by a couple of people that have access to that function, such that the wonkiness might be taken into account for future parsing ... but again, with no data to work with ...????
