renoir Posted February 1, 2006 Share Posted February 1, 2006 did spamcops blacklist get compromised? i am getting much of my good mail held edit: i also used spamhause blacklists. Link to comment Share on other sites More sharing options...
Wazoo Posted February 1, 2006 Share Posted February 1, 2006 Moving this to the SpamCop E-mail Account Forum section .. assumedly more appropriate than the Reporting section ...??? And once again noting that it's pretty hard to analyze something with no data ... how about the Tracking URL of a couple of your complained about items such that actual data can be seen / discussed? Link to comment Share on other sites More sharing options...
agsteele Posted February 1, 2006 Share Posted February 1, 2006 did spamcops blacklist get compromised? i am getting much of my good mail held edit: i also used spamhause blacklists. 39892[/snapback] I can't say I'm noticing an increase in false positives although a few more messages are slipping through into my inbox of late. But that's one or two a week so not too bad. Could it be the various block-lists you've selected and/or the SpamAssassin trigger level you've selected? Try adjusting the various options you have and that could fix the problem - assuming you are using the Flat Rate Email service to handle this filtering. Andrew Link to comment Share on other sites More sharing options...
StevenUnderwood Posted February 1, 2006 Share Posted February 1, 2006 did spamcops blacklist get compromised? i am getting much of my good mail held edit: i also used spamhause blacklists. 39892[/snapback] You should inspect the headers of the held message to determine the reason for holding. Perhaps one of your redirectors (if you use them) are listed. Link to comment Share on other sites More sharing options...
Merlyn Posted February 1, 2006 Share Posted February 1, 2006 Neither list is compromised. Please post the headers of one of the emails you think was wrongly listed. Link to comment Share on other sites More sharing options...
renoir Posted February 3, 2006 Author Share Posted February 3, 2006 here is a recently blocked email to me: info[at]netpaths.net Edit: 2006/02/03 10:08 EST -0500 Jeff G. reduced the posted spam email message to Tracking URL http://www.spamcop.net/sc?id=z868763570za7...af49d561d8f6e5z (cancelled) and merged renoir's new Topic "blocked email" with its existing Topic "many false positives" because it looked like an example of one of the "many false positives". Lines for future comment: Received: from web5.zone53.net (209.8.23.180) by mailgate.cesmail.net with SMTP; 3 Feb 2006 13:20:47 -0000 Received: from mx4.atomicpc.net ([216.154.232.135]) by web5.zone53.net with esmtps (TLSv1:AES256-SHA:256) (Exim 4.52) id 1F50rp-0001oa-4d for info[at]netpaths.net; Fri, 03 Feb 2006 08:20:49 -0500 Received: by mx4.atomicpc.net (Postfix, from userid 501) id 8BFFF48C6B5; Fri, 3 Feb 2006 05:20:43 -0800 (PST) Received: from VALUEDC0EE74F5 (cpe-66-74-154-245.socal.res.rr.com [66.74.154.245]) by mx4.atomicpc.net (Postfix) with ESMTP id 34A8248C6B1; Fri, 3 Feb 2006 05:20:42 -0800 (PST) X-SpamCop-Checked: 192.168.1.101 209.8.23.180 X-SpamCop-Disposition: Blocked bl.spamcop.net Link to comment Share on other sites More sharing options...
Jeff G. Posted February 3, 2006 Share Posted February 3, 2006 It appears that you have some complex forwarding going on, and that the final hop before the SpamCop Email System, web5.zone53.net (209.8.23.180), was listed by the SCBL about 10 hours ago (see http://mailsc.spamcop.net/bl.shtml?209.8.23.180 and http://mailsc.spamcop.net/w3m?action=blcheck&ip=209.8.23.180 for details). Its Report History follows: Submitted: Friday 2006/02/03 02:56:07 -0500: Un manuel Photoshop 7 avec des exercices ? 1645275638 ( 209.8.23.180 ) To: spamcop[at]imaphost.com 1645275634 ( 209.8.23.180 ) To: abuse[at]btnaccess.com 1645275631 ( 209.8.23.180 ) To: postmaster[at]btnaccess.com -------------------------------------------------------------------------------- Submitted: Tuesday 2006/01/31 04:13:07 -0500: tonton, tu as bien un exemple de Photoshop Newsletter ? 1641697376 ( 209.8.23.180 ) To: spamcop[at]imaphost.com 1641697366 ( 209.8.23.180 ) To: abuse[at]btnaccess.com 1641697359 ( 209.8.23.180 ) To: postmaster[at]btnaccess.com -------------------------------------------------------------------------------- Submitted: Saturday 2006/01/28 05:19:55 -0500: tonton, connais-tu ce truc de Photoshop ? 1638426265 ( 209.8.23.180 ) To: spamcop[at]imaphost.com 1638426264 ( 209.8.23.180 ) To: abuse[at]btnaccess.com 1638426262 ( 209.8.23.180 ) To: postmaster[at]btnaccess.com -------------------------------------------------------------------------------- Submitted: Thursday 2006/01/26 10:25:27 -0500: Bienvenue tonton ! 1636384447 ( 209.8.23.180 ) To: abuse[at]btnaccess.com 1636384439 ( 209.8.23.180 ) To: postmaster[at]btnaccess.com Link to comment Share on other sites More sharing options...
Merlyn Posted February 3, 2006 Share Posted February 3, 2006 It is not a false positive, a lot of spam coming from that IP. Link to comment Share on other sites More sharing options...
renoir Posted February 3, 2006 Author Share Posted February 3, 2006 it cant be, this is the ip of my hosting company 209.8.23.180 how can i get this cleaned up immediately? Link to comment Share on other sites More sharing options...
Jeff G. Posted February 3, 2006 Share Posted February 3, 2006 how can i get this cleaned up immediately?39992[/snapback] Please talk to your hosting company, zone53.net, BeyondTheNetwork, btnaccess.com, PCCW, Capital Area Internet Service, and/or Capital Area Internet Service. "If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 8 hours." Temporarily, you could Uncheck "SpamCop Blacklist" at https://webmail.spamcop.net/horde/imp/spamcop/blacklists.php or http://webmail.spamcop.net/horde/imp/spamcop/blacklists.php. Link to comment Share on other sites More sharing options...
renoir Posted February 3, 2006 Author Share Posted February 3, 2006 the host myriadnetwork.com said they deleted the account of the spammer. they said they only sent 3 reported emails. can you turn on 209.8.23.180? Link to comment Share on other sites More sharing options...
turetzsr Posted February 3, 2006 Share Posted February 3, 2006 the host myriadnetwork.com said they deleted the account of the spammer. they said they only sent 3 reported emails. can you turn on 209.8.23.180?39996[/snapback] ...Thank you for contacting them. ...Unfortunately, we here are (mostly) just other users of SpamCop and SpamCop admins do not allow us to remove IP addresses from the blacklist. ...However, this should happen automatically within the next 7 or 8 hours (SpamCop Checkblock for this IP address) if there are no more spam reports. Link to comment Share on other sites More sharing options...
Jeff G. Posted February 3, 2006 Share Posted February 3, 2006 can you turn on 209.8.23.180?39996[/snapback] Sorry, I can't. "If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 7 hours." Link to comment Share on other sites More sharing options...
renoir Posted February 3, 2006 Author Share Posted February 3, 2006 this is a copy of the email the service provider gave me. is there any way to bump this to an administrator? support email: The issue has already been investigated, and someone is losing their account over this for failing to comply with our AUP. They were not actually spamming at all - they just have a really poor mailing list setup (not opt-in/confirm/anything - just sign someone up and they're automatically subscribed). They chose to go against my recommendation to either: 1. make your list opt-in, or 2. take your mailing list elsewhere As such they wound up resending an email to a person who had already complained about them once before. The funny thing is, they have ~15 - 20 people on this mailing list, and it took 1 person to complain about 3 times before we were blocked. Link to comment Share on other sites More sharing options...
turetzsr Posted February 3, 2006 Share Posted February 3, 2006 this is a copy of the email the service provider gave me. is there any way to bump this to an administrator? <snip> 40000[/snapback] ...You (or, better, your e-mail provider's administrator) could write to the SpamCop Deputies at e-mail address deputies[at]spamcop.net. However, my guess would be that by the time they got to your request, decided whether they would bother to reply and actually acted, the automatic mechanism by which SpamCop de-lists IP addresses would already have de-listed this address. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted February 3, 2006 Share Posted February 3, 2006 The funny thing is, they have ~15 - 20 people on this mailing list, and it took 1 person to complain about 3 times before we were blocked. 40000[/snapback] They may not have the story completely right, however. Jeff G. presents 4 items which have been reported publically, and there could also be mole reports which the ISP would not have received. The last public information I remember is that it takes more than one reporter to list an IP as well as the percentage of spam/valid email (seen by a network of domains) being above a certain percentage. Link to comment Share on other sites More sharing options...
Wazoo Posted February 4, 2006 Share Posted February 4, 2006 http://www.spamcop.net/w3m?action=checkblock&ip=209.8.23.180 If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 5 hours. Causes of listing SpamCop users have reported system as a source of spam less than 10 times in the past week Additional potential problems (these factors do not directly result in spamcop listing) System administrator has already delisted this system once Because of the above problems, express-delisting is not available Listing History In the past 371.5 days, it has been listed 6 times for a total of 4.4 days http://www.senderbase.org/?searchBy=ipaddr...ng=209.8.23.180 Volume Statistics for this IP Magnitude Vol Change vs. Average Last day ........ 3.5 .. -20% Last 30 days .. 3.7 ... 20% Average ........ 3.6 SenderBase's "Magnitude" Explained sure seems to suggest that the "3 or 4 e-mails" is a bit weak on lining up with the data seen. Even the "listed 6 times" seems to argue that a bit, even recalling that one of the ancient trip ponts was 2% of traffic being reported, there's no way to factor "3 or 4 e-mails" into any of the equations offered for an entry to the SpamCopDNSBL .... Link to comment Share on other sites More sharing options...
petzl Posted February 4, 2006 Share Posted February 4, 2006 it cant be, this is the ip of my hosting company 209.8.23.180 how can i get this cleaned up immediately? 39992[/snapback] 209.8.23.180 is a mail server? For SpamCop to be blocking a mail server means that this is the last identifiable link If a provider is competently setup the last identifiable link (chain) would be the computer sending the spam which would then be the IP listed by SpamCop SpamCop Members Blocking List is like a radar stopping a spam while spam is being sent, quickly releasing that listed IP once the spam stops. This process is completely automatic but SpamCop has the worlds best staff and deputies checking in the unlikely case of something going wrong (The spell checker now works) Link to comment Share on other sites More sharing options...
Wazoo Posted February 4, 2006 Share Posted February 4, 2006 (The spell checker now works) 40005[/snapback] ??? Hadn't seen or heard that it didn't ...???? Though noting that I also don't recall anyone asking for words to be added in either, if that's what you might mean. Link to comment Share on other sites More sharing options...
Merlyn Posted February 4, 2006 Share Posted February 4, 2006 They were not actually spamming at all - they just have a really poor mailing list setup (not opt-in/confirm/anything - just sign someone up and they're automatically subscribed). 40000[/snapback] That is called spam. Link to comment Share on other sites More sharing options...
petzl Posted February 4, 2006 Share Posted February 4, 2006 ??? Hadn't seen or heard that it didn't ...???? Though noting that I also don't recall anyone asking for words to be added in either, if that's what you might mean. 40006[/snapback] The old spell checker always "worked" just seemed pretty useless (always used the google toolbar one. The new one works well Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.