Steven_W Posted March 8, 2004

In particular, one server (217.169.20.13) has been listed on SpamCop:

--------
Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users.
It has been sending mail consistently for at least 57.8 days.
In the past 42 hours, it has been listed 2 times for a total of 34 hours.
In the past week, this system has:
Been reported as a source of spam less than 10 times
-------------

Indeed, the "sample" listed in this case was only a bounce message to an incorrectly addressed email. The ISP in question replied (posted to the SpamCop web site). They do not operate open relays, do not originate spam, and do not tolerate spam through their network. Is there anything more that they could have done to avoid such a listing? Being listed twice over 34 hours seems a very small tolerance level before being listed.

Steven
Miss Betsy Posted March 8, 2004

I don't know, because I don't know the technical details. Very often there is a compromised machine that they haven't been able to find if they are doing everything else right. If they post here, some people will help them find out what it is before they get listed on other lists.

If the sample is a bounce message, then it should not have been reported via SpamCop and they should contact the deputies. Though there have been real spams disguised as bounces recently. A lot of people don't like getting email bounces, since they can be just as bad as spam. So perhaps they should rethink their policy of accepting email and then sending bounce messages to the spammer's forged addresses.

One of the weaknesses of the SpamCop algorithm is that places with lower traffic get listed quickly. There have been lots of suggestions on how to correct this, but none that have been implemented. However, being listed twice is not good, because something is happening, so when they discover what it is they may be grateful for the warning signal.

Those are all the suggestions that I have.
StevenUnderwood Posted March 8, 2004

There is more information for that IP address:

217.169.20.13 listed in bl.spamcop.net (127.0.0.2)
Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users.
It has been sending mail consistently for at least 57.8 days.
In the past 43 hours, it has been listed 2 times for a total of 35 hours.
In the past week, this system has:
Been reported as a source of spam less than 10 times
Been detected sending mail to spam traps
Been witnessed sending mail about 30 times

The most important of those is the spamtrap. If you send a message to a SpamCop spamtrap, your IP will be listed (immediately, I believe). It takes at least two reports from different reporters to list an IP without a spamtrap. Spamtraps are addresses which have never been used and which should not receive email at all.

If this machine is bouncing messages to a forged sender address (like all the current viruses use) rather than rejecting the message during the SMTP process, it is likely to keep being listed.
Ellen Posted March 8, 2004

Steven_W wrote: Is there anything more that they could have done to avoid such a listing? Being listed twice over 34 hours seems a very small tolerance level before being listed.

Hi -- this is a bounce sent after acceptance of mail, and it has been sent to at least one spamtrap. If you want to bounce mail, it should be done during the SMTP transaction, because the *reject* code (5.x.x or other) is then sent to the actual connecting server rather than to the "from" or "envelope" address, which are usually forged in spam and viruses. The IP is now off the blocklist, but further bounces may cause it to relist.
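To make the distinction Ellen draws concrete, here is an added example (not code from SpamCop, the ISP, or anyone in this thread) that replays a single SMTP exchange for a receiving server in both modes and reports which party ends up holding the failure. The local-user table, the addresses and the connecting IP (203.0.113.5, from the documentation range) are all constructed. It goes one step beyond the post by also showing the null-sender case: a message with MAIL FROM:<> must never be bounced, whichever mode the server is in.

```python
"""Added example: SMTP-time rejection versus post-acceptance bounce.

Simulates a receiving MTA in two modes and shows where the failure
notification lands. Not SpamCop's or any ISP's code; the user table,
addresses and connecting IP are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed local-user table for the receiving domain.
KNOWN_USERS = {"alice@example.net", "bob@example.net"}


@dataclass
class Outcome:
    replies: list = field(default_factory=list)   # (command, reply) pairs sent over the connection
    bounces: list = field(default_factory=list)   # (to_address, reason) DSNs the server would originate


def run_session(sender, recipient, connecting_ip, reject_at_rcpt):
    """Replay one MAIL/RCPT/DATA exchange for a single recipient.

    reject_at_rcpt=True  : unknown users get 550 at RCPT TO; nothing is
                           accepted, so nothing is bounced later.
    reject_at_rcpt=False : everything gets 250; an unknown user produces a
                           bounce to the envelope sender after acceptance.
    """
    out = Outcome()
    out.replies.append(("MAIL FROM:<%s>" % sender, "250 2.1.0 Ok"))
    deliverable = recipient.lower() in KNOWN_USERS
    if reject_at_rcpt and not deliverable:
        # The 5.1.1 goes back over the open TCP connection to connecting_ip,
        # the only party we know is real; no message is queued, no DSN exists.
        out.replies.append(("RCPT TO:<%s>" % recipient,
                            "550 5.1.1 <%s>: Recipient address rejected: User unknown" % recipient))
        out.replies.append(("QUIT", "221 2.0.0 Bye"))
        return out
    out.replies.append(("RCPT TO:<%s>" % recipient, "250 2.1.5 Ok"))
    out.replies.append(("DATA", "354 End data with <CR><LF>.<CR><LF>"))
    out.replies.append(("<message body>", "250 2.0.0 Ok: queued"))
    out.replies.append(("QUIT", "221 2.0.0 Bye"))
    if not deliverable and sender != "":
        # Post-acceptance bounce: the DSN goes to the reverse-path, which the
        # connecting server could have forged freely (a spamtrap, a victim...).
        # The null sender <> is a notification and must never be bounced to,
        # so that case generates nothing.
        out.bounces.append((sender, "5.1.1 User unknown: %s" % recipient))
    return out


def who_gets_the_failure(sender, recipient, connecting_ip, reject_at_rcpt):
    """Return the party that learns about the failure: the connecting IP,
    whatever address sat in MAIL FROM, or None if nothing failed/was sent."""
    out = run_session(sender, recipient, connecting_ip, reject_at_rcpt)
    if out.bounces:
        return out.bounces[0][0]
    if any(reply.startswith("5") for _, reply in out.replies):
        return connecting_ip
    return None


if __name__ == "__main__":
    for mode in (True, False):
        print("reject_at_rcpt=%s" % mode)
        out = run_session("victim@spamtrap.example", "nosuchuser@example.net",
                          "203.0.113.5", mode)
        for cmd, reply in out.replies:
            print("  C: %-40s S: %s" % (cmd, reply))
        print("  bounces generated:", out.bounces)
```

The second transcript is the one that got this server listed: the connecting spam source sees nothing but 250s, and the only party told about the failure is whoever sat in MAIL FROM.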
adeptcs Posted March 9, 2004

Hello,

These people are an ISP. Their mail servers will usually accept all mail for hosted domains and then may relay it to the end user's mail server, which may then bounce some mail as the recipient may be unknown. So how can the ISP's mail server reject mail during the SMTP transaction? It is not going to know in advance what the end user's mail server will want to reject!

Can you please flag this IP (217.169.20.13) as an ISP mail server and give it the latitude an ISP's mail server deserves. Classing bounce messages as spam and reporting them to you strikes me as abuse of your service, and perhaps you should consider blacklisting the people who abuse your service like this, because it causes a great deal of inconvenience.

Carl Thompson
turetzsr Posted March 9, 2004

Hello, <snip> Classing bounce messages as spam and reporting them to you strikes me as abuse of your service, and perhaps you should consider blacklisting the people who abuse your service like this, because it causes a great deal of inconvenience.

Hi, Carl,

...That is SpamCop.Net's policy. FAQ: What if I break the rule(s)? The ISP should submit evidence to bl <at> admin.spamcop.net (I believe that's the correct address -- someone please correct me if I'm wrong).
Wazoo Posted March 9, 2004

I'm thinking deputies at admin.spamcop.net for first analysis of the submitted evidence as to wrongdoing, to see if they agree ... if so, then they will either take direct action or kick it over to Don at service at admin.spamcop.net ... but the evidence is what's at issue ... On one hand, regarding the complaint about people submitting complaints about bounces: most bounces get rejected by the SpamCop parser, so is there more to the story? That this issue is described as one e-mail server forwarding to another e-mail server, which then sends a bounce/rejection/or something, but the first e-mail server is found as "the bad guy", suggests that the chain test in the parser is failing at some point, which suggests that there's a misconfiguration in the e-mail servers and their handling of this "internal" forwarding ...
adeptcs Posted March 9, 2004

Hello Wazoo,

Thanks for your thoughts. Re "chain test in the parser is failing at some point": maybe, but we would have to see the full headers to work that out.

Some ISPs (including this one) also run a whitelisting system and mail filters for people who have POP3 accounts. If the sender's address is not in the whitelist then they get sent an email to request that the sender confirms they are real. False sending addresses again could cause unwanted whitelisting requests going to someone who could report it to SpamCop.

Also the filters you can set up on your POP3 account (maybe to help stop spam) may well bounce a message if the body contains some keywords etc. The message would have to be accepted before it can be analysed fully, so it could not be rejected during the SMTP session. The bounce would appear to come from the ISP's mail server because it's not been anywhere else yet. Classing bounces from an ISP's mail server as spam seems mad.

Do SpamCop have some sort of ISP database that flags an IP to have a much higher threshold before it's blacklisted?

Carl.
Wazoo Posted March 9, 2004

"If the sender's address is not in the whitelist then they get sent an email to request that the sender confirms they are real."

Ouch! ... Challenge / Response .... This brings many issues to the forefront .. Might I invite you to look back into the early days of this Forum (i.e., pick the "Last" page and walk back a bit .. look for a couple of Topics that have a rather large number in the "Replies" box ... Choicemail and Mailblocks are two systems that come to mind with this C/R thing as the main problem issue.

"Re 'chain test in the parser is failing at some point': maybe, but we would have to see the full headers to work that out."

Agreed, without seeing the headers of the spam/complaint, I've no idea, so was just pointing out the possibility ...

"Classing bounces from an ISP's mail server as spam seems mad."

And yet, this last week alone has been a nightmare for some folks because of the massive bounces from ISP servers. In most of these cases, what's mad has been the spammers' use of a normally "appreciated" function of most all e-mail server software.

"Do SpamCop have some sort of ISP database that flags an IP to have a much higher threshold before it's blacklisted?"

No, all servers are "equal" ... the actual "listing" of a server is based on a formula, based on traffic totals (this is not a monitor on the actual server), total spam reports sent, spamtrap hits, etc. ... The SpamCop DNSbl is one based on a quick reaction, oriented towards knocking down a spam spew in progress ... The 48 hours oft mentioned is also based on the formula mentioned earlier, so some systems may come off automatically much sooner .. and of course, those systems that continue to spew .. much longer ... all based on when the spew stops ..
Jeff G. Posted March 10, 2004

Wazoo wrote: "Choicemail and Mailblocks are two systems that come to mind with this C/R thing as the main problem issue."

Please see my mailblocks.com rant at http://forum.spamcop.net/forums/index.php?showtopic=85.
WB8TYW Posted March 12, 2004

adeptcs wrote: "So how can the ISP's mail server reject mail during the SMTP transaction? It is not going to know in advance what the end user's mail server will want to reject!"

The relay server can test for being deliverable before completing the SMTP transaction. One of my e-mail forwarders does. If the remote system is temporarily unavailable so that the user cannot be checked, it can reject the SMTP transaction with a 4xx code so that the sending mail server will retry later.

Almost all spam and viruses are forging the from address. Bouncing such mail is now extremely abusive to those that have had their e-mail addresses spoofed. One famous case is TEST.COM, which has been picked on by many Korean spammers.

If a change in the SMTP protocol needs to be done, it is to set it up so that "bounces" have to go to the mail server that originated the SMTP traffic, and not to the apparent sender. Sending a bounce could reveal confidential information to a third party. Only the sending mail server has a responsibility of making sure that the actual sender gets notified of non-delivery.

-John
Personal Opinion Only
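The approach John describes, a relaying front end that checks with the customer's backend before answering RCPT TO and temp-fails with a 4xx when the backend is unreachable, is sketched below as an added example. It is not the ISP's code or John's forwarder; the per-domain backend table is an in-memory stand-in for a real callout (an RCPT TO probe to the backend), and the cache lifetimes are assumed values chosen so that a burst of spam to one dead address does not become a burst of probes.

```python
"""Added example: a relaying front-end MTA verifying the recipient with the
customer's backend server before answering RCPT TO.

Illustrates the approach described in the thread (check deliverability before
completing the SMTP transaction, answer 4xx when the backend cannot be
reached). Not the ISP's code; the backend is a constructed in-memory stand-in
and the cache TTLs are assumptions.
"""
import time

# Constructed backend state per hosted domain: the set of mailboxes the
# customer's server accepts, or None when that server is unreachable.
BACKENDS = {
    "customer-a.example": {"sales", "support"},
    "customer-b.example": None,   # link down: callout will fail
}

# Verdict cache (assumed TTLs, seconds). Positive answers are cached longer;
# temporary failures are never cached.
POSITIVE_TTL = 3600
NEGATIVE_TTL = 900
_cache = {}


class BackendUnavailable(Exception):
    """Raised when the callout cannot get a definitive answer."""


def callout(domain, localpart):
    """Stand-in for an RCPT TO probe against the backend. Returns True/False
    for a definitive answer and raises when the backend cannot be reached."""
    users = BACKENDS.get(domain)
    if users is None:
        raise BackendUnavailable(domain)
    return localpart in users


def rcpt_reply(recipient, now=None):
    """Decide the reply to RCPT TO:<recipient> on the relay.

    250: backend says it will accept the user.
    550: backend says user unknown. The connecting server gets the failure
         over the open connection; the relay never has to bounce to the
         (probably forged) MAIL FROM.
    450: backend unreachable. A real sending MTA will retry later; a spam
         cannon generally will not.
    554: not a domain we relay for at all.
    """
    now = time.time() if now is None else now
    localpart, _, domain = recipient.rpartition("@")
    if domain not in BACKENDS:
        return "554 5.7.1 <%s>: Relay access denied" % recipient
    key = (domain, localpart)
    cached = _cache.get(key)
    if cached and cached[1] > now:
        verdict = cached[0]
    else:
        try:
            verdict = callout(domain, localpart)
        except BackendUnavailable:
            # Do not cache: the next delivery attempt should probe again.
            return "450 4.4.1 <%s>: Backend unavailable, try again later" % recipient
        ttl = POSITIVE_TTL if verdict else NEGATIVE_TTL
        _cache[key] = (verdict, now + ttl)
    if verdict:
        return "250 2.1.5 Ok"
    return "550 5.1.1 <%s>: Recipient address rejected: User unknown" % recipient


if __name__ == "__main__":
    for rcpt in ("sales@customer-a.example", "nobody@customer-a.example",
                 "anyone@customer-b.example", "anyone@other.example"):
        print("RCPT TO:<%s> -> %s" % (rcpt, rcpt_reply(rcpt)))
```

Production MTAs have this built in; Postfix, for instance, implements the same idea with `reject_unverified_recipient` (address verification with a probe cache) or, where the backend can export its user list, a static `relay_recipient_maps` table that needs no probe at all. Either way the rejection lands on the connecting server and the relay originates no post-acceptance bounce.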