[Resolved] Open relay


bobster


Subject: IP 202.38.59.146

It was reported for spam and blacklisted today:

[if there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours.]

After it was submitted to SpamCop and listed, it was found and listed as an open relay by ORDB.

My question is if there is a recheck to determine if it is an open relay (listed) before delisting?

If not, is there a reporting method for this or it doesn't matter?

Main database status for 202.38.59.146 (202.38.59.146)

Look up this host in non-ORDB RBL's (May take a while to load)

First added to ORDB: 2005-11-22 10:53 GMT

First submitted by: xxxx

Last found to be relaying at: 2005-11-22 10:53 GMT

Headers from the mail that was relayed: (Need help understanding the lines below?)

Return-Path: <mdaemon[at]nina-industries.com>
X-Original-To: marvin[at]marvin.ordb.org
Delivered-To: marvin[at]bockscar.ordb.org
Received: from khi.ecell.com.pk (khi.ecell.com.pk [202.38.58.10])
    by bockscar.ordb.org (Postfix) with ESMTP id 9D57B55D2
    for <marvin[at]marvin.ordb.org>; Tue, 22 Nov 2005 10:53:41 +0000 (GMT)
Received: from nina-industries.com (dsl-202-38-59-146.khi.ecell.com.pk [202.38.59.146])
    by khi.ecell.com.pk (8.13.5/) with ESMTP id jAMAoNXn028185
    for <marvin[at]marvin.ordb.org>; Tue, 22 Nov 2005 15:50:30 +0500
Date: Tue, 22 Nov 2005 15:50:23 +0500
Message-Id: <200511221050.jAMAoNXn028185[at]khi.ecell.com.pk>
Received: from ordb.org ([217.10.16.93])
    by nina-industries.com ([201.1.1.3])
    with SMTP (MDaemon.Standard.v6.5.2.R)
    for <marvin[at]marvin.ordb.org>; Tue, 22 Nov 2005 15:53:47 +0500
From: mdaemon[at]khi.ecell.com.pk
To: marvin[at]marvin.ordb.org
X-ORDB-Envelope-From: mdaemon
X-ORDB-Envelope-To: marvin[at]marvin.ordb.org
Subject: ORDB.org check (0.4774214384724830.9995826118) ip=202.38.59.146
X-Virus-Scanned: ClamAV 0.87/1182/Tue Nov 22 00:43:47 2005 on KHI.ecell.com.pk
X-Virus-Status: Clean

Thanks


I don't know if there is a check to see if it is still an open relay before delisting. My guess is that there is not. The algorithm is designed to list when there is spam coming from that IP. If it still is an open relay and spam is reported, it won't delist. If there is no spam, then it would delist on schedule. If it is still an open relay, the chances that there would be no spam are small so that it will either continue to be listed or be relisted pretty quickly.

And, IIUC, someone could fix that open relay, but still be listed on other lists until they contacted the other lists and the other lists agree that it is no longer a spam source. So the scbl might not list them because it has been fixed while other lists would continue to list. That's one of the advantages to the scbl - that it is dynamic and automatic.

Miss Betsy


> I don't know if there is a check to see if it is still an open relay before delisting. My guess is that there is not. The algorithm is designed to list when there is spam coming from that IP. If it still is an open relay and spam is reported, it won't delist. If there is no spam, then it would delist on schedule. If it is still an open relay, the chances that there would be no spam are small so that it will either continue to be listed or be relisted pretty quickly.
>
> And, IIUC, someone could fix that open relay, but still be listed on other lists until they contacted the other lists and the other lists agree that it is no longer a spam source. So the scbl might not list them because it has been fixed while other lists would continue to list. That's one of the advantages to the scbl - that it is dynamic and automatic.
>
> Miss Betsy

Miss Betsy

The question is when it was listed by SpamCop, it was NOT listed as an open relay. A check after listing in SpamCop it was found that it was a NEW open relay (after the fact).


Well, IIUC, that's the advantage of spamcop - that it lists quickly. If it is /now/ listed as an open relay, then the parser will /now/ show that. But I still don't think it affects the listing.

Someone else will have to get technical about how it works since I am not technically fluent. And I may be wrong altogether. I am just basing my guess on the concept of how it works.

Miss Betsy


When SpamCop's Parser thinks it has found a relay, it says "Possible relay: [IP Address]". If it also finds "[IP Address] listed in relays.ordb.org", it continues on. However, if it finds "[IP Address] not listed in relays.ordb.org", it checks its internal database, and says either "[IP Address] has already been sent to relay testers" or something like "Sending [IP Address] to relay testers", as appropriate. AFAIK, SpamCop does not send delisting requests to relay testers, and does not check open relay status before delisting from the SCBL.


> The question is when it was listed by SpamCop, it was NOT listed as an open relay. A check after listing in SpamCop it was found that it was a NEW open relay (after the fact).

That would be a very common result of a first-time report of a spam using a new open relay. As Jeff G. stated, the parser will forward a request for open relay testing as part of the parse but does not wait for any results to come back. So the results you stated are to be expected. As far as your question about reporting, there is no need to do anything differently than you are already doing.

> When SpamCop's Parser thinks it has found a relay, it says "Possible relay: [IP Address]". If it also finds "[IP Address] listed in relays.ordb.org", it continues on. However, if it finds "[IP Address] not listed in relays.ordb.org", it checks its internal database, and says either "[IP Address] has already been sent to relay testers" or something like "Sending [IP Address] to relay testers", as appropriate. AFAIK, SpamCop does not send delisting requests to relay testers, and does not check open relay status before delisting from the SCBL.

Jeff,

Not 100% sure if I understand everything you're saying.

It sounds like if a report comes in it is checked against the open relay database. However, it does not re-check to see if it is listed after that first check.

Interesting, the above did not come up as a possible relay and ordb.org did find it to be an open relay after it was submitted (minutes).

Thanks Jeff


> Interesting, the above did not come up as a possible relay and ordb.org did find it to be an open relay after it was submitted (minutes).

If I am to understand you correctly, you reported the spam using SpamCop, but SpamCop didn't say it was sending that IP Address to open relay testers. That IP Address appears to have been last reported to ORDB for testing by you early this morning at 05:30 EST -0500 (10:30 UTC -0000), some 52 minutes after you submitted your SpamCop Reports at or shortly before 04:37:32 EST -0500 (09:37:32 UTC -0500).

> If I am to understand you correctly, you reported the spam using SpamCop, but SpamCop didn't say it was sending that IP Address to open relay testers. That IP Address appears to have been last reported to ORDB for testing by you early this morning at 05:30 EST -0500 (10:30 UTC -0000), some 52 minutes after you submitted your SpamCop Reports at or shortly before 04:37:32 EST -0500 (09:37:32 UTC -0500).

Yes,

The outstanding question: does it get rechecked at delisting, or does it not matter?


You are welcome. (though you understood Steven U.'s post that's basically what everyone else was saying. Once the IP address is listed, it is not rechecked. If additional spam are submitted, then the parser may indicate something different. However, the listing is dependent on whether or not the IP address is reported, not on 'why' it is reported).

Miss Betsy


> You are welcome. (though you understood Steven U.'s post that's basically what everyone else was saying. Once the IP address is listed, it is not rechecked. If additional spam are submitted, then the parser may indicate something different. However, the listing is dependent on whether or not the IP address is reported, not on 'why' it is reported).
>
> Miss Betsy

Thanks Betsy,

Just wasn't 100% sure on the statement.

Thanks again


Archived

This topic is now archived and is closed to further replies.
