
ISP Backup server listed - how to remove


Steven_W


In particular, one server (217.169.20.13) has been listed on SPAMCOP

--------

Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users. It has been sending mail consistently for at least 57.8 days. In the past 42 hours, it has been listed 2 times for a total of 34 hours

In the past week, this system has:

Been reported as a source of spam less than 10 times

-------------

Indeed, the "sample" listed in this case was only a bounce message to an incorrectly addressed email.

The ISP in question replied (posted to the spamcop web site). They do not operate open relays, do not originate spam, and do not tolerate spam through their network.

Is there anything more that they could have done to avoid such a listing ... Being listed twice over 34 hours seems a very small tolerance level before being listed.

Steven


I don't know because I don't know the technical details. Very often, there is a compromised machine that they haven't been able to find if they are doing everything else right. If they post here, some people will help them find out what it is before they get listed on other lists.

If the sample is a bounce message, then it should not have been reported via spamcop and they should contact the deputies. Though there has been real spam disguised as bounces recently.

A lot of people don't like getting email bounces since they can be just as bad as spam. So perhaps they should rethink their policy of accepting email and then sending bounce messages to the spammer forged addresses.

One of the weaknesses of the spamcop algorithm is that places with lower traffic get listed quickly. There have been lots of suggestions on how to correct this, but none that have been implemented.

However, being listed twice is not good because something is happening so when they discover what it is, they may be grateful for the warning signal.

Those are all the suggestions that I have.


There is more information for that IP address:

217.169.20.13 listed in bl.spamcop.net (127.0.0.2)

Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users. It has been sending mail consistently for at least 57.8 days. In the past 43 hours, it has been listed 2 times for a total of 35 hours

In the past week, this system has:

Been reported as a source of spam less than 10 times

Been detected sending mail to spam traps

Been witnessed sending mail about 30 times

The most important of those is the spamtrap. If you send a message to a SpamCop spamtrap, your IP will be listed (immediately, I believe).

It takes at least two reports from different reporters to list an IP without a spamtrap.

Spamtraps are addresses which have never been used and which should not receive email at all. If this machine is bouncing messages to a forged sender address (like all the current viruses use) rather than rejecting the message during the SMTP process, it is likely to keep being listed.



Hi -- this is a bounce sent after acceptance of mail and it has been sent to at least one spamtrap. If you want to bounce mail it should be done during the SMTP transaction because the *reject* code 5.x.x or other is then sent to the actual connecting server rather than being sent to the "from" or "envelope" which are usually forged in spam and viruses. The IP is now off the blocklist but further bounces may cause it to relist.


Hello,

These people are an ISP. Their mail servers will usually accept all mail for hosted domains and then may relay it to the end user's mail server, which may then bounce some mail as the recipient may be unknown. So how can the ISP's mail server reject mail during the SMTP transaction? It is not going to know what the end user's mail server will want to reject in advance!

Can you please flag this IP (217.169.20.13) as an ISP mail server and give it the latitude an ISP's mail server deserves.

Classing bounce messages as spam and reporting it to you strikes me as abuse of your service, and perhaps you should consider blacklisting the people who abuse your service like this because it causes a great deal of inconvenience.

Carl Thompson


Hello,

<snip>

Classing bounce messages as spam and reporting it to you strikes me as abuse of your service, and perhaps you should consider blacklisting the people who abuse your service like this because it causes a great deal of inconvenience.

Hi, Carl,

...That is SpamCop.Net's policy. FAQ: What if I break the rule(s)?. The ISP should submit evidence to bl <at > admin.spamcop.net (I believe that's the correct address -- someone please correct me if I'm wrong).


I'm thinking deputies at admin.spamcop.net for first analysis of the submitted evidence as to wrongdoing, to see if they agree ... if so, then they will either take direct action or kick it over to Don at service at admin.spamcop.net ...

but the evidence is what's at issue ... on one hand, the complaint of submitting complaints about bounces: most bounces get rejected by the SpamCop parser, so is there more to the story?

That this issue is described as one e-mail server forwarding to another e-mail server which then sends a bounce/rejection/or something, but the first e-mail server is found as "the bad guy" suggests that the chain test in the parser is failing at some point, which suggests that there's a misconfiguration in the e-mail servers and their handling of this "internal" forwarding ...


Hello Wazoo,

Thanks for your thoughts.

Re “chain test in the parser is failing at some point” maybe but we would have to see the full headers to work that out.

Some ISPs (including this one) also run a white listing system and mail filters for people who have POP3 accounts. If the sender's address is not in the white list then they get sent an email to request the sender confirms they are real. False sending addresses again could cause unwanted white listing requests going to someone who could report it to spamcop. Also the filters you can set up on your POP3 account (maybe to help stop spam) may well bounce a message if the body contains some keywords etc. The message would have to be accepted before it can be analysed fully, so it could not be rejected during the SMTP session. The bounce would appear to come from the ISP’s mail server because it's not been anywhere else yet. Classing bounces from an ISP’s mail server as spam seems mad. Do Spamcop have some sort of ISPs database that flags an IP to have a much higher threshold before it's blacklisted?

Carl.


If the sender's address is not in the white list then they get sent an email to request the sender confirms they are real.

Ouch! ... Challenge / Response .... This brings many issues to the forefront .. Might I invite you to look back into the early days of this Forum (ie, pick the "Last" page and walk back a bit .. look for a couple of Topics that have a rather large number in the "Replies" box ... Choicemail and Mailblocks are two systems that come to mind with this C/R thing as the main problem issue.

Re “chain test in the parser is failing at some point” maybe but we would have to see the full headers to work that out.

Agreed, without seeing the headers of the spam/complaint, I've no idea, so was just pointing out the possibility ...

Classing bounces from an ISP’s mail server as spam seems mad

And yet, this last week alone has been a nightmare for some folks because of the massive bounces from ISP servers. In most of these cases, what's mad has been the spammers' use of a normally "appreciated" function of most all e-mail server software.

Do Spamcop have some sort of ISPs database that flags an IP to have a much higher threshold before it's blacklisted?

No, all servers are "equal" ... the actual "listing" of a server is based on a formula, based on traffic totals (this is not a monitor on the actual server), total spam reports sent, spamtrap hits, etc. ... The SpamCop DNSbl is one based on a quick reaction, oriented towards knocking down a spam spew in progress ... The 48 hours oft mentioned is also based on the formula mentioned earlier, so some systems may come off automatically much sooner .. and of course, those systems that continue to spew .. much longer ... all based on when spew stops ..


If the sender's address is not in the white list then they get sent an email to request the sender confirms they are real.

Ouch! ... Challenge / Response .... This brings many issues to the forefront .. Might I invite you to look back into the early days of this Forum (ie, pick the "Last" page and walk back a bit .. look for a couple of Topics that have a rather large number in the "Replies" box ... Choicemail and Mailblocks are two systems that come to mind with this C/R thing as the main problem issue.

Please see my mailblocks.com rant at http://forum.spamcop.net/forums/index.php?showtopic=85.

These people are an ISP. Their mail servers will usually accept all mail for hosted domains and then may relay it to the end user's mail server, which may then bounce some mail as the recipient may be unknown. So how can the ISP's mail server reject mail during the SMTP transaction? It is not going to know what the end user's mail server will want to reject in advance!

The relay server can test for being deliverable before completing the SMTP transaction.

One of my e-mail forwarders does.

If the remote system is temporarily unavailable so that the user can not be checked, it can reject the SMTP transaction with a 4xx code so that the sending mail server will retry later.

Almost all spam and viruses are forging the from address. Bouncing such mail is now extremely abusive to those that have had their e-mail addresses spoofed.

One famous case is TEST.COM which has been picked on by many Korean spammers.

If a change in the SMTP protocol needs to be done, it is to set it up so that "bounces" have to go to the mail server that originated the SMTP traffic, and not to the apparent sender.

Sending a bounce could reveal confidential information to a third party. Only the sending mail server has a responsibility of making sure that the actual sender gets notified of non delivery.

-John

Personal Opinion Only
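The SMTP-time recipient check described in the two replies above (refuse unknown users with a 5xx to the connecting server, tempfail with a 4xx when the downstream check cannot run, so no post-acceptance bounce is ever sent to a possibly forged envelope sender), as an added example that is not code from SpamCop, the ISP, or any poster; the hosted-domain table, the `lookup_downstream` callout stand-in and the simplified session transcript are constructed assumptions.

```python
"""Relay-side recipient verification before RCPT TO is accepted (added example)."""
from typing import Callable, Dict, List, Optional, Set

# Constructed stand-in for the downstream user database or an SMTP callout to the
# end user's server. A value of None models a hosted domain whose backend is
# currently unreachable, so deliverability cannot be verified right now.
HOSTED: Dict[str, Optional[Set[str]]] = {
    "example.net": {"alice", "bob"},
    "example.org": None,
}

def lookup_downstream(rcpt: str) -> Optional[bool]:
    """True = deliverable, False = user unknown, None = check temporarily unavailable."""
    local, _, domain = rcpt.rpartition("@")
    users = HOSTED[domain.lower()]          # caller guarantees the domain is hosted
    if users is None:
        return None
    return local.lower() in users

def rcpt_response(rcpt: str,
                  check: Callable[[str], Optional[bool]] = lookup_downstream) -> str:
    """SMTP reply to RCPT TO:<rcpt>, decided before the message body is accepted."""
    _, _, domain = rcpt.rpartition("@")
    if domain.lower() not in HOSTED:
        return "554 5.7.1 Relay access denied"      # not our domain: never an open relay
    result = check(rcpt)
    if result is True:
        return "250 2.1.5 Recipient OK"
    if result is False:
        # Permanent refusal goes to the *connecting* server, not to the forged sender.
        return "550 5.1.1 User unknown"
    # Backend down: tempfail so a legitimate MTA retries later instead of us bouncing.
    return "450 4.7.1 Recipient verification temporarily unavailable, try again later"

def smtp_session(commands: List[str]) -> List[str]:
    """Replies for a simplified client transcript; DATA is only allowed after a 250 RCPT."""
    replies, accepted = [], 0
    for cmd in commands:
        verb, _, arg = cmd.partition(":")
        verb = verb.strip().upper()
        if verb == "MAIL FROM":
            replies.append("250 2.1.0 Sender OK")
        elif verb == "RCPT TO":
            reply = rcpt_response(arg.strip("<> "))
            accepted += reply.startswith("250")
            replies.append(reply)
        elif verb == "DATA":
            replies.append("354 End data with <CR><LF>.<CR><LF>" if accepted
                           else "503 5.5.1 No valid recipients")
        else:
            replies.append("500 5.5.1 Command unrecognized")
    return replies
```

Because every refusal happens inside the transaction, the relay never takes responsibility for a message it cannot deliver, so there is nothing to bounce to an address that was probably forged.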


Archived

This topic is now archived and is closed to further replies.
