
[Resolved] Listed reason: System has sent mail to SpamCop spam traps


hmepas


Greetings!

I am an ISP sysadmin. For the past month my SMTP IP has been getting listed very often.

It's OK when it's listed because of spam reports: I get these reports at my abuse[at] address and see which of my users is spamming, so I can block him.

But in the last months I have been getting the following listing reason:

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

And what can I do? I checked all of my users who send more than 30 messages per day and blocked all whose RCPTs look like spam. I can't analyze the whole log, I have more than 3000 customers! But I am still getting listed.

And no reports saying why. How can I find the user who got trapped, so I can block him?

Maybe some way exists to get short message headers without spam traps but with the full IP path?

My MTA page at SCBL:

http://www.spamcop.net/w3m?action=checkblock&ip=85.192.16.4

Any guidance?

I looked for an answer in the FAQs and on the forum but didn't find a solution.

I apologize if the answer was nearby.

P.S.: Sorry about my English, it's not my native language.


> My MTA page at SCBL:
>
> http://www.spamcop.net/w3m?action=checkblock&ip=85.192.16.4
>
> Any guidance?
>
> P.S.: Sorry about my English, it's not my native language.

Welcome, thanks for reading the FAQ! Your English is much better than my Russian :D

Spam-trap-only listings are often due to post-facto 'bounces': out-of-office, over-quota, etc. Switch them all off.

If these are coming from customers then it is the customer's IP that should be listed. Configure your server to include the originating IP in the headers - the SpamCop algorithm will then list them, not your server.

Alternatively you may be suffering from an SMTP/Auth hack.

A polite request to deputies[at]spamcop.net will get you the type of thing that is hitting the traps, but not full details.


Other hosts in this "neighborhood" with spam reports

85.192.15.8 85.192.15.18 85.192.16.9

Aside from sending to SpamCop spamtraps, which use better-than-bank-security alphanumeric addresses (unguessable), there are or have been a largish number of spam messages also. You need to set up a working abuse[at] address to get copies of SpamCop reports.

Submitted: Thursday, 30 March 2006 3:46:28 PM +1100:

By ordering Penis Enlarge Patch you can get 25 Patches just for $99.95.

1704327568 ( 85.192.16.4 ) To: postmaster[at]yauza.ru

--------------------------------------------------------------------------------

Submitted: Thursday, 30 March 2006 3:46:27 PM +1100:

By ordering Penis Enlarge Patch you can get 25 Patches just for $99.95.

1704327569 ( 85.192.16.4 ) To: postmaster[at]yauza.ru

--------------------------------------------------------------------------------

Submitted: Thursday, 30 March 2006 3:46:27 PM +1100:

By ordering Penis Enlarge Patch you can get 25 Patches just for $99.95.

1704327632 ( 85.192.16.4 ) To: postmaster[at]yauza.ru

--------------------------------------------------------------------------------

Submitted: Thursday, 30 March 2006 3:46:26 PM +1100:

By ordering Penis Enlarge Patch you can get 25 Patches just for $99.95.

1704327642 ( 85.192.16.4 ) To: postmaster[at]yauza.ru


> Spam-trap-only listings are often due to post-facto 'bounces': out-of-office, over-quota, etc. Switch them all off.

Bad idea.

> If these are coming from customers then it is the customer's IP that should be listed. Configure your server to include the originating IP in the headers - the SpamCop algorithm will then list them, not your server.

My server includes the whole IPs, but my customers have "gray" IPs like 172.19.*.*


> Bad idea.
>
> My server includes the whole IPs, but my customers have "gray" IPs like 172.19.*.*

No, very GOOD idea. Your bouncing is as abusive as the original spam.

If you must reject, do it with a 5xx error-code at the time of the SMTP transaction. That way the real sender gets informed. The return envelope in spam is ALWAYS forged.


Thank you for being responsible about stopping customers who spam!

I have copied the parts of the FAQ that might be helpful to you.

My guess is that you have a customer with a virus on his computer. Try looking in your firewall logs for unusual activity.

* is using auto-responses that are replying to spam with forged spamtrap email addresses (such as Out-of-Office/Vacation notices, virus notifications, and 'bounces' created after accepting the email);
* has a computer with a virus that sends spam without the owner's knowledge;
* has a computer that has been compromised and spammers are remotely controlling it to transmit their spew

If the blocklist only lists spamtraps, then the likely culprits are auto-responders or misdirected bounces (that is, bounce emails sent after acceptance of the email instead of being rejected by the server during the SMTP phase, which would include emails such as "no such user", "non-existent mailbox", and/or "quota exceeded").

If the blocklist lists spam traps and reports,

If you do not find the problem, contact SpamCop deputies via the Web submission form. Only they can see what caused spam trap reports. They will tell you what to look for.

I am not a server admin. There are several here in the forum who will help you find the problem and correct it.

Miss Betsy
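
An added example, not part of any post in this thread and not SpamCop's own method: when customers sit behind private addresses such as 172.19.*.* and the relay itself gets listed, per-user volume alone can miss the source, so this ranks internal client IPs by spread of recipient domains, remote rejections and changing MAIL FROM. The log layout, field names and thresholds are assumptions made up for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample relay log. The layout is hypothetical, not a real MTA's
# format; "bounced" here means the remote side refused the message with a 5xx.
SAMPLE_LOG = """\
03:46:20 client=172.19.4.21 from=<kim@a.example> to=<u1@b.example> status=sent
03:46:21 client=172.19.4.21 from=<lee@c.example> to=<u2@d.example> status=bounced
03:46:22 client=172.19.4.21 from=<pat@e.example> to=<u3@f.example> status=bounced
03:46:23 client=172.19.4.21 from=<sam@g.example> to=<u4@h.example> status=sent
03:46:24 client=172.19.4.21 from=<joe@i.example> to=<u5@j.example> status=bounced
09:10:02 client=172.19.7.5 from=<office@cust1.example> to=<x@b.example> status=sent
10:00:00 client=172.19.9.9 from=<news@cust2.example> to=<r1@b.example> status=sent
10:00:01 client=172.19.9.9 from=<news@cust2.example> to=<r2@d.example> status=sent
10:00:02 client=172.19.9.9 from=<news@cust2.example> to=<r3@f.example> status=sent
10:00:03 client=172.19.9.9 from=<news@cust2.example> to=<r4@h.example> status=sent
"""

LINE_RE = re.compile(
    r"client=(?P<client>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)> status=(?P<status>\w+)")

def summarize(log_text):
    """Per internal client IP: message count, recipient domains, senders, failures."""
    stats = defaultdict(lambda: {"msgs": 0, "domains": set(), "senders": set(), "failed": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not delivery records
        s = stats[m["client"]]
        s["msgs"] += 1
        s["domains"].add(m["rcpt"].rsplit("@", 1)[-1].lower())
        s["senders"].add(m["sender"].lower())
        s["failed"] += m["status"] == "bounced"  # True counts as 1
    return stats

def suspects(log_text, min_domains=4, max_fail_ratio=0.3, max_senders=2):
    """Flag clients that trip at least two signals; thresholds are illustrative."""
    flagged = []
    for client, s in summarize(log_text).items():
        reasons = []
        if len(s["domains"]) >= min_domains:
            reasons.append("many recipient domains")
        if s["failed"] / s["msgs"] > max_fail_ratio:
            reasons.append("high failure ratio")
        if len(s["senders"]) > max_senders:
            reasons.append("rotating MAIL FROM")
        if len(reasons) >= 2:
            flagged.append((client, reasons))
    return sorted(flagged)
```

On the constructed log, `suspects(SAMPLE_LOG)` flags only 172.19.4.21; the newsletter-style client 172.19.9.9 reaches four domains but trips a single signal and is left alone.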


> Other hosts in this "neighborhood" with spam reports
>
> 85.192.15.8 85.192.15.18 85.192.16.9
>
> Aside from sending to SpamCop spamtraps, which use better-than-bank-security alphanumeric addresses (unguessable), there are or have been a largish number of spam messages also. You need to set up a working abuse[at] address to get copies of SpamCop reports.
>
> Submitted: Thursday, 30 March 2006 3:46:28 PM +1100:
>
> By ordering Penis Enlarge Patch you can get 25 Patches just for $99.95.
>
> 1704327568 ( 85.192.16.4 ) To: postmaster[at]yauza.ru

Yep, it was, but now it's resolved. One additional user was banned on 30th Mar.

But I didn't get any reports via e-mail, while postmaster[at] is working OK, I just checked it. Only reports about 85.192.22.0/24. And the last report about 85.192.16.4 I got is dated 23 May.

And note: 85.192.15.0/24 is out of my control.


> No, very GOOD idea. Your bouncing is as abusive as the original spam.
>
> If you must reject, do it with a 5xx error-code at the time of the SMTP transaction. That way the real sender gets informed. The return envelope in spam is ALWAYS forged.

Ah, you mean that. Sure, my server always rejects with 5xx, and bounces are sent only to postmaster[at].

And yes, if one of my users sends mail to a non-existent recipient using a fake e-mail in MAIL FROM:, my server does not send a bounce to that "MAIL FROM:".

So I am still confused about how to deal with that "System has sent mail to SpamCop spam traps...." listing reason.


Have you sent an email to deputies 'at' spamcop.net yet? They are likely to be able to let you know what type of messages are hitting the spamtraps (bounces or direct spam), and may be able to help you confirm the type of problem, and determine the right way to fix it.


> Have you sent an email to deputies 'at' spamcop.net yet? They are likely to be able to let you know what type of messages are hitting the spamtraps (bounces or direct spam), and may be able to help you confirm the type of problem, and determine the right way to fix it.

No, I didn't. But I used the web form. Is it the same?

Thanks!


OK, thank you all for the help. Things have become clearer for me.

After I sent a message via the dispute web form I got a reply with the headers of the message which touched the trap. I had already banned this user, but it seems it was a bit late. Looks like my SMTP is clean for now, so I am waiting for delisting.

Thanks again for the explanation.


> After I sent a message via the dispute web form

Really, the "Dispute" form wasn't really the 'correct' one, but .. it worked ...

> I got a reply with the headers of the message which touched the trap. I had already banned this user, but it seems it was a bit late. Looks like my SMTP is clean for now, so I am waiting for delisting.

http://www.spamcop.net/w3m?action=checkblock&ip=85.192.16.4

85.192.16.4 not listed in bl.spamcop.net

Marking as Resolved.


Archived

This topic is now archived and is closed to further replies.
