bobster Posted November 22, 2005

Subject: IP 202.38.59.146

It was reported for spam and blacklisted today:

[if there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours.]

After it was submitted to Spamcop and listed, it was found and listed as an open relay by ORDB. My question is if there is a recheck to determine if it is an open relay (listed) before delisting? If not, is there a reporting method for this or it doesn't matter?

Main database status for 202.38.59.146 (202.38.59.146)
Look up this host in non-ORDB RBL's (May take a while to load)
First added to ORDB: 2005-11-22 10:53 GMT
First submitted by: xxxx
Last found to be relaying at: 2005-11-22 10:53 GMT
Headers from the mail that was relayed: (Need help understanding the lines below?)

Return-Path: <mdaemon[at]nina-industries.com>
X-Original-To: marvin[at]marvin.ordb.org
Delivered-To: marvin[at]bockscar.ordb.org
Received: from khi.ecell.com.pk (khi.ecell.com.pk [202.38.58.10])
    by bockscar.ordb.org (Postfix) with ESMTP id 9D57B55D2
    for <marvin[at]marvin.ordb.org>; Tue, 22 Nov 2005 10:53:41 +0000 (GMT)
Received: from nina-industries.com (dsl-202-38-59-146.khi.ecell.com.pk [202.38.59.146])
    by khi.ecell.com.pk (8.13.5/) with ESMTP id jAMAoNXn028185
    for <marvin[at]marvin.ordb.org>; Tue, 22 Nov 2005 15:50:30 +0500
Date: Tue, 22 Nov 2005 15:50:23 +0500
Message-Id: <200511221050.jAMAoNXn028185[at]khi.ecell.com.pk>
Received: from ordb.org ([217.10.16.93])
    by nina-industries.com ([201.1.1.3]) with SMTP (MDaemon.Standard.v6.5.2.R)
    for <marvin[at]marvin.ordb.org>; Tue, 22 Nov 2005 15:53:47 +0500
From: mdaemon[at]khi.ecell.com.pk
To: marvin[at]marvin.ordb.org
X-ORDB-Envelope-From: mdaemon
X-ORDB-Envelope-To: marvin[at]marvin.ordb.org
Subject: ORDB.org check (0.4774214384724830.9995826118) ip=202.38.59.146
X-Virus-Scanned: ClamAV 0.87/1182/Tue Nov 22 00:43:47 2005 on KHI.ecell.com.pk
X-Virus-Status: Clean

Thanks

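Added example (not part of the original post and not ORDB's or SpamCop's code): a short Python reading of the Received chain in the test message above, showing why ORDB treated it as proof of relaying: the probe left ordb.org, was accepted and forwarded by hosts outside ordb.org, and arrived back at an ordb.org server. The function names and the `tester` parameter are assumptions made for this illustration; only the topmost Received line was written by ORDB's own server, and lines below it are as trustworthy as the hosts that wrote them.

```python
import re
from email import message_from_string

# Received/Subject headers copied from the ORDB test message quoted in the post
# ("[at]" munging kept; line folding added here for readability).
RAW = """\
Received: from khi.ecell.com.pk (khi.ecell.com.pk [202.38.58.10])
 by bockscar.ordb.org (Postfix) with ESMTP id 9D57B55D2
 for <marvin[at]marvin.ordb.org>; Tue, 22 Nov 2005 10:53:41 +0000 (GMT)
Received: from nina-industries.com (dsl-202-38-59-146.khi.ecell.com.pk [202.38.59.146])
 by khi.ecell.com.pk (8.13.5/) with ESMTP id jAMAoNXn028185
 for <marvin[at]marvin.ordb.org>; Tue, 22 Nov 2005 15:50:30 +0500
Received: from ordb.org ([217.10.16.93])
 by nina-industries.com ([201.1.1.3]) with SMTP (MDaemon.Standard.v6.5.2.R)
 for <marvin[at]marvin.ordb.org>; Tue, 22 Nov 2005 15:53:47 +0500
Subject: ORDB.org check (0.4774214384724830.9995826118) ip=202.38.59.146
"""

# "from HELO (optional-rdns [client-ip]) by RECEIVER"
HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([\d.]+)\]\)\s+by\s+(\S+)")

def hops(raw):
    """Return (helo, client_ip, receiving_host) tuples, oldest hop first."""
    msg = message_from_string(raw)
    found = [HOP.search(h) for h in msg.get_all("Received", [])]
    return [m.groups() for m in reversed(found) if m]

def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)

def relay_evidence(raw, tester="ordb.org"):
    """Summarise the round trip of a relay test probe (hypothetical helper)."""
    chain = hops(raw)
    tested = re.search(r"ip=([\d.]+)", message_from_string(raw)["Subject"]).group(1)
    # Hosts outside the tester's domain that accepted the probe and passed it on.
    third_party = [by for _, _, by in chain if not in_domain(by, tester)]
    return {
        "tested_ip": tested,
        "probe_from_tester": in_domain(chain[0][0], tester),
        "returned_to_tester": in_domain(chain[-1][2], tester),
        "tested_ip_forwarded": any(ip == tested for _, ip, _ in chain[1:]),
        "third_party_hosts": third_party,
    }
```
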
Miss Betsy Posted November 22, 2005

I don't know if there is a check to see if it is still an open relay before delisting. My guess is that there is not. The algorithm is designed to list when there is spam coming from that IP. If it still is an open relay and spam is reported, it won't delist. If there is no spam, then it would delist on schedule. If it is still an open relay, the chances that there would be no spam are small so that it will either continue to be listed or be relisted pretty quickly.

And, IIUC, someone could fix that open relay, but still be listed on other lists until they contacted the other lists and the other lists agree that it is no longer a spam source. So the scbl might not list them because it has been fixed while other lists would continue to list. That's one of the advantages to the scbl - that it is dynamic and automatic.

Miss Betsy

bobster Posted November 22, 2005

> I don't know if there is a check to see if it is still an open relay before delisting. My guess is that there is not. The algorithm is designed to list when there is spam coming from that IP. If it still is an open relay and spam is reported, it won't delist. If there is no spam, then it would delist on schedule. If it is still an open relay, the chances that there would be no spam are small so that it will either continue to be listed or be relisted pretty quickly.
>
> And, IIUC, someone could fix that open relay, but still be listed on other lists until they contacted the other lists and the other lists agree that it is no longer a spam source. So the scbl might not list them because it has been fixed while other lists would continue to list. That's one of the advantages to the scbl - that it is dynamic and automatic.
>
> Miss Betsy

Miss Betsy,

The question is when it was listed by Spamcop, it was NOT listed as an open relay. A check after listing in Spamcop found that it was a NEW open relay (after the fact).

Miss Betsy Posted November 22, 2005

Well, IIUC, that's the advantage of spamcop - that it lists quickly. If it is /now/ listed as an open relay, then the parser will /now/ show that. But I still don't think it affects the listing.

Someone else will have to get technical about how it works since I am not technically fluent. And I may be wrong altogether. I am just basing my guess on the concept of how it works.

Miss Betsy

Jeff G. Posted November 22, 2005

When SpamCop's Parser thinks it has found a relay, it says "Possible relay: [IP Address]". If it also finds "[IP Address] listed in relays.ordb.org", it continues on. However, if it finds "[IP Address] not listed in relays.ordb.org", it checks its internal database, and says either "[IP Address] has already been sent to relay testers" or something like "Sending [IP Address] to relay testers", as appropriate.

AFAIK, SpamCop does not send delisting requests to relay testers, and does not check open relay status before delisting from the SCBL.

dbiel Posted November 22, 2005

> The question is when it was listed by Spamcop, it was NOT listed as a open relay. A check after listing in Spamcop it was found that it was a NEW open relay (after the fact).

That would be a very common result of a first-time report of a spam using a new open relay. As Jeff G. stated, the parser will forward a request for open relay testing as part of the parse but does not wait for any results to come back. So the results you stated are to be expected.

As far as your question about reporting, there is no need to do anything differently than you are already doing.

bobster Posted November 22, 2005

> When SpamCop's Parser thinks it has found a relay, it says "Possible relay: [IP Address]". If it also finds "[IP Address] listed in relays.ordb.org", it continues on. However, if it finds "[IP Address] not listed in relays.ordb.org", it checks its internal database, and says either "[IP Address] has already been sent to relay testers" or something like "Sending [IP Address] to relay testers", as appropriate.
>
> AFAIK, SpamCop does not send delisting requests to relay testers, and does not check open relay status before delisting from the SCBL.

Jeff,

Not 100% sure if I understand everything you're saying. It sounds like if a report comes in it is checked against the open relay database. However, it does not re-check to see if it is listed after that first check.

Interesting, the above did not come up as a possible relay and ordb.org did find it to be an open relay after it was submitted (minutes).

Thanks Jeff

Jeff G. Posted November 22, 2005

If you are the administrator of that server, please search http://www.ordb.org/lookup/?host=202.38.59.146 for "I am the administrator of this server" without quotes. Thanks!

Jeff G. Posted November 22, 2005

> Interesting, the above did not come up as a possible relay and ordb.org did find it to be an open relay after it was submitted (minutes).

If I am to understand you correctly, you reported the spam using SpamCop, but SpamCop didn't say it was sending that IP Address to open relay testers. That IP Address appears to have been last reported to ORDB for testing by you early this morning at 05:30 EST -0500 (10:30 UTC -0000), some 52 minutes after you submitted your SpamCop Reports at or shortly before 04:37:32 EST -0500 (09:37:32 UTC -0500).

bobster Posted November 22, 2005

> If I am to understand you correctly, you reported the spam using SpamCop, but SpamCop didn't say it was sending that IP Address to open relay testers. That IP Address appears to have been last reported to ORDB for testing by you early this morning at 05:30 EST -0500 (10:30 UTC -0000), some 52 minutes after you submitted your SpamCop Reports at or shortly before 04:37:32 EST -0500 (09:37:32 UTC -0500).

Yes. The outstanding question: does it get rechecked at delisting or it doesn't matter?

StevenUnderwood Posted November 22, 2005

> Yes, The outstanding question, does it get re checked at delisting or it doesn't matter.

It does not matter, only actual spam being reported from that source.

bobster Posted November 22, 2005

> It does not matter, only actual spam being reported from that source.

StevenUnderwood

THANK YOU

I have an answer.

Miss Betsy Posted November 22, 2005

You are welcome. (though you understood Steven U.'s post that's basically what everyone else was saying. Once the IP address is listed, it is not rechecked. If additional spam are submitted, then the parser may indicate something different. However, the listing is dependent on whether or not the IP address is reported, not on 'why' it is reported).

Miss Betsy

bobster Posted November 22, 2005

> You are welcome. (though you understood Steven U.'s post that's basically what everyone else was saying. Once the IP address is listed, it is not rechecked. If additional spam are submitted, then the parser may indicate something different. However, the listing is dependent on whether or not the IP address is reported, not on 'why' it is reported).
>
> Miss Betsy

Thanks Betsy,

Just wasn't 100% sure on the statement.

Thanks again

Archived
This topic is now archived and is closed to further replies.