Jump to content

many false positives


Recommended Posts

Moving this to the SpamCop E-mail Account Forum section .. assumedly more appropriate than the Reporting section ...???

And once again noting that it's pretty hard to analyze something with no data ... how about the Tracking URL of a couple of your complained about items such that actual data can be seen / discussed?

Link to comment
Share on other sites

did spamcops blacklist get compromised?  i am getting much of my good mail held :(

edit:  i also used spamhause  blacklists.

39892[/snapback]

I can't say I'm noticing an increase in false positives although a few more messages are slipping through into my inbox of late. But that's one or two a week so not too bad.

Could it be the various block-lists you've selected and/or the SpamAssassin trigger level you've selected?

Try adjusting the various options you have and that could fix the problem - assuming you are using the Flat Rate Email service to handle this filtering.

Andrew

Link to comment
Share on other sites

did spamcops blacklist get compromised?  i am getting much of my good mail held :(

edit:  i also used spamhause  blacklists.

39892[/snapback]

You should inspect the headers of the held message to determine the reason for holding. Perhaps one of your redirectors (if you use them) are listed.

Link to comment
Share on other sites

here is a recently blocked email to me: info[at]netpaths.net

Edit: 2006/02/03 10:08 EST -0500 Jeff G. reduced the posted spam email message to Tracking URL http://www.spamcop.net/sc?id=z868763570za7...af49d561d8f6e5z (cancelled) and merged renoir's new Topic "blocked email" with its existing Topic "many false positives" because it looked like an example of one of the "many false positives".

Lines for future comment:

Received: from web5.zone53.net (209.8.23.180)

by mailgate.cesmail.net with SMTP; 3 Feb 2006 13:20:47 -0000

Received: from mx4.atomicpc.net ([216.154.232.135])

by web5.zone53.net with esmtps (TLSv1:AES256-SHA:256)

(Exim 4.52)

id 1F50rp-0001oa-4d

for info[at]netpaths.net; Fri, 03 Feb 2006 08:20:49 -0500

Received: by mx4.atomicpc.net (Postfix, from userid 501)

id 8BFFF48C6B5; Fri, 3 Feb 2006 05:20:43 -0800 (PST)

Received: from VALUEDC0EE74F5 (cpe-66-74-154-245.socal.res.rr.com [66.74.154.245])

by mx4.atomicpc.net (Postfix) with ESMTP id 34A8248C6B1;

Fri, 3 Feb 2006 05:20:42 -0800 (PST)

X-SpamCop-Checked: 192.168.1.101 209.8.23.180

X-SpamCop-Disposition: Blocked bl.spamcop.net

Link to comment
Share on other sites

It appears that you have some complex forwarding going on, and that the final hop before the SpamCop Email System, web5.zone53.net (209.8.23.180), was listed by the SCBL about 10 hours ago (see http://mailsc.spamcop.net/bl.shtml?209.8.23.180 and http://mailsc.spamcop.net/w3m?action=blcheck&ip=209.8.23.180 for details). Its Report History follows:

Submitted: Friday 2006/02/03 02:56:07 -0500:

Un manuel Photoshop 7 avec des exercices ?

1645275638 ( 209.8.23.180 ) To: spamcop[at]imaphost.com

1645275634 ( 209.8.23.180 ) To: abuse[at]btnaccess.com

1645275631 ( 209.8.23.180 ) To: postmaster[at]btnaccess.com

--------------------------------------------------------------------------------

Submitted: Tuesday 2006/01/31 04:13:07 -0500:

tonton, tu as bien un exemple de Photoshop Newsletter ?

1641697376 ( 209.8.23.180 ) To: spamcop[at]imaphost.com

1641697366 ( 209.8.23.180 ) To: abuse[at]btnaccess.com

1641697359 ( 209.8.23.180 ) To: postmaster[at]btnaccess.com

--------------------------------------------------------------------------------

Submitted: Saturday 2006/01/28 05:19:55 -0500:

tonton, connais-tu ce truc de Photoshop ?

1638426265 ( 209.8.23.180 ) To: spamcop[at]imaphost.com

1638426264 ( 209.8.23.180 ) To: abuse[at]btnaccess.com

1638426262 ( 209.8.23.180 ) To: postmaster[at]btnaccess.com

--------------------------------------------------------------------------------

Submitted: Thursday 2006/01/26 10:25:27 -0500:

Bienvenue tonton !

1636384447 ( 209.8.23.180 ) To: abuse[at]btnaccess.com

1636384439 ( 209.8.23.180 ) To: postmaster[at]btnaccess.com

Link to comment
Share on other sites

how can i get this cleaned up immediately?

39992[/snapback]

Please talk to your hosting company, zone53.net, BeyondTheNetwork, btnaccess.com, PCCW, Capital Area Internet Service, and/or Capital Area Internet Service. "If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 8 hours." Temporarily, you could Uncheck "SpamCop Blacklist" at https://webmail.spamcop.net/horde/imp/spamcop/blacklists.php or http://webmail.spamcop.net/horde/imp/spamcop/blacklists.php.
Link to comment
Share on other sites

the host  myriadnetwork.com said they deleted the account of the spammer.  they said they only sent 3 reported emails.  can you turn on  209.8.23.180?

39996[/snapback]

...Thank you for contacting them.

...Unfortunately, we here are (mostly) just other users of SpamCop and SpamCop admins do not allow us to remove IP addresses from the blacklist.

...However, this should happen automatically within the next 7 or 8 hours (SpamCop Checkblock for this IP address) if there are no more spam reports.

Link to comment
Share on other sites

can you turn on  209.8.23.180?

39996[/snapback]

Sorry, I can't. "If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 7 hours."
Link to comment
Share on other sites

this is a copy of the email the service provider gave me. is there any way to bump this to an administrator?

support email:

The issue has already been investigated, and someone is losing their account over this for failing to comply with our AUP. They were not actually spamming at all - they just have a really poor mailing list setup (not opt-in/confirm/anything - just sign someone up and they're automatically subscribed). They chose to go against my recommendation to either:

1. make your list opt-in, or

2. take your mailing list elsewhere

As such they wound up resending an email to a person who had already complained about them once before. The funny thing is, they have ~15 - 20 people on this mailing list, and it took 1 person to complain about 3 times before we were blocked.

Link to comment
Share on other sites

this is a copy of the email the service provider gave me.  is there any way to bump this to an administrator?

<snip>

40000[/snapback]

...You (or, better, your e-mail provider's administrator) could write to the SpamCop Deputies at e-mail address deputies[at]spamcop.net. However, my guess would be that by the time they got to your request, decided whether they would bother to reply and actually acted, the automatic mechanism by which SpamCop de-lists IP addresses would already have de-listed this address.
Link to comment
Share on other sites

The funny thing is, they have ~15 - 20 people on this mailing list, and it took 1 person to complain about 3 times before we were blocked.

40000[/snapback]

They may not have the story completely right, however. Jeff G. presents 4 items which have been reported publically, and there could also be mole reports which the ISP would not have received.

The last public information I remember is that it takes more than one reporter to list an IP as well as the percentage of spam/valid email (seen by a network of domains) being above a certain percentage.

Link to comment
Share on other sites

http://www.spamcop.net/w3m?action=checkblock&ip=209.8.23.180

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 5 hours.

Causes of listing

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

System administrator has already delisted this system once

Because of the above problems, express-delisting is not available

Listing History

In the past 371.5 days, it has been listed 6 times for a total of 4.4 days

http://www.senderbase.org/?searchBy=ipaddr...ng=209.8.23.180

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 3.5 .. -20%

Last 30 days .. 3.7 ... 20%

Average ........ 3.6

SenderBase's "Magnitude" Explained sure seems to suggest that the "3 or 4 e-mails" is a bit weak on lining up with the data seen. Even the "listed 6 times" seems to argue that a bit, even recalling that one of the ancient trip ponts was 2% of traffic being reported, there's no way to factor "3 or 4 e-mails" into any of the equations offered for an entry to the SpamCopDNSBL ....

Link to comment
Share on other sites

it cant be,  this is the ip of my hosting company  209.8.23.180

how can i get this cleaned up immediately?

39992[/snapback]

209.8.23.180 is a mail server? For SpamCop to be blocking a mail server means that this is the last identifiable link

If a provider is competently setup the last identifiable link (chain) would be the computer sending the spam which would then be the IP listed by SpamCop

SpamCop Members Blocking List

is like a radar stopping a spam while spam is being sent, quickly releasing that listed IP once the spam stops. This process is completely automatic but SpamCop has the worlds best staff and deputies checking in the unlikely case of something going wrong

(The spell checker now works)

Link to comment
Share on other sites

??? Hadn't seen or heard that it didn't ...???? Though noting that I also don't recall anyone asking for words to be added in either, if that's what you might mean.

40006[/snapback]

The old spell checker always "worked" just seemed pretty useless (always used the google toolbar one.

The new one works well

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...