getting summaries, but no actual complaints, yet blacklisted


albunix

Hello,

I'm from the 216.14.208.0/20 netblock.

We've been getting reports such as

---------------------------------

IPs reported in past hour:

216.14.208.23

216.14.208.21

216.14.208.15

--------------------------------

Yet, we have not gotten even one single complaint against our netblock.

We stay very much on top of abuse tickets, and even have an established feedback loop with AOL, which so far has not shown any issues for our mail server.

What are my options here? We use SpamCop blocking lists ourselves, and have found them to be very useful, yet at this point it seems we're cornered without any options to proceed.

http://public.albunix.org/spamcop.JPG

supposedly shows we have 99 complaints, yet we have not received any actual one.

Thanks for your help in advance.


Hi, albunix,

...Have you checked out the SpamCop CheckBlock page, http://www.spamcop.net/w3m?action=checkblock? It shows nothing for either of the first two IP addresses you list (although the SenderBase statistics sure look suspicious) and shows the following for the third IP address:

216.14.208.15 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 20 hours.

Causes of listing

  • SpamCop users have reported system as a source of spam less than 10 times in the past week

<snip>

...Following the "Trace IP" link, the following is displayed:
Parsing input: 216.14.208.15

host 216.14.208.15 = mail01.secureserverdot.com (cached)

host 216.14.208.15 = mail01.secureserverdot.com (cached)

ISP does not wish to receive report regarding 216.14.208.15

ISP does not wish to receive reports regarding http://216.14.208.15/ - no date available

<snip>

Using abuse net on abuse[at]successfulhosting.com

abuse net successfulhosting.com = abuse[at]successfulhosting.com

Using best contacts abuse[at]successfulhosting.com

So reports should have gone to abuse[at]successfulhosting.com.
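A way to script the bl.spamcop.net lookup that the CheckBlock page does by hand, added here as an example; it is not code from the thread or from SpamCop. It builds the reversed-octet query name, treats NXDOMAIN as "not listed" and 127.0.0.2 as "listed" (the answer shown above for 216.14.208.15), and refuses to accept any answer outside 127.0.0.0/8, which is never a DNSBL verdict. The resolver is a parameter so the logic can be exercised without network access; the default uses the system resolver.

```python
import ipaddress
import socket

SPAMCOP_BL = "bl.spamcop.net"
# SpamCop answers 127.0.0.2 for a listed address; NXDOMAIN means "not listed".
# An answer outside 127.0.0.0/8 is not a verdict (typical causes: a resolver that
# rewrites NXDOMAIN, or a retired DNSBL zone that now wildcards everything) and
# must not be turned into a block decision.
_VERDICT_NET = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone=SPAMCOP_BL):
    """216.14.208.15 -> '15.208.14.216.bl.spamcop.net' (octets reversed, per DNSBL convention)."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input before it reaches DNS
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def resolve_a(name):
    """Default resolver: first A record for name, or None on NXDOMAIN / no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_listing(ip, zone=SPAMCOP_BL, resolve=resolve_a):
    """Return (listed, answer). `resolve` is injectable so the check can run offline."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False, None
    if ipaddress.IPv4Address(answer) not in _VERDICT_NET:
        raise RuntimeError(
            f"{zone} returned {answer} for {ip}: not a DNSBL verdict, refusing to treat it as a listing"
        )
    return True, answer


if __name__ == "__main__":
    # Live lookup against the real zone (needs network access).
    for ip in ("216.14.208.15", "216.14.208.1"):
        listed, answer = check_listing(ip)
        print(ip, "listed" if listed else "not listed", answer or "")
```

The hard failure on a non-127/8 answer is deliberate: a mail filter that treats "anything came back" as "listed" will start rejecting all mail the day a zone is retired and wildcarded.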

Hello,

thanks for looking into it so far.

Correct, abuse at successfulhosting.com is where we receive complaints.

There has been no complaints that we've received.

There have been only alerts, which we've generally received at the 20th minute of every hour, more or less making us aware of IPs being reported. Yet no further information was ever received by us.

In the past we've received actual reports that start as follows

[ SpamCop V1.582 ]

This message is brief for your comfort. Please use links below for details.

...

...

...

and we'd get full headers showing where/what domain is being abusive.

Any ideas on what to follow through at this point?

bless you for all your help


http://www.senderbase.org/?searchBy=ipaddr...g=216.14.208.23

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day             3.8          21595%
Last 30 days         2.0            231%
Average              1.4

http://www.senderbase.org/search?searchString=216.14.208.21

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day             3.9           7947%
Last 30 days         2.5            237%
Average              2.0

http://www.senderbase.org/search?searchString=216.14.208.15

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day             3.6            -83%
Last 30 days         3.8            -69%
Average              4.3

Looking up albunix.org at whois.abuse.net.

postmaster[at]albunix.org (default, no info)

Suggest you register an abuse address at abuse.net .....

Parsing input: postmaster[at]albunix.org

64.81.196.17 is an mx ( 10 ) for albunix.org

host 64.81.196.17 (getting name) = moon.albunix.org.

chopping username "postmaster[at]" from URL: http://albunix.org/

Host albunix.org (checking ip) = 64.81.196.17

host 64.81.196.17 = moon.albunix.org (cached)

Routing details for 64.81.196.17

Cached whois for 64.81.196.17 : abuse[at]speakeasy.net

Using abuse net on abuse[at]speakeasy.net

abuse net speakeasy.net = abuse[at]speakeasy.net

Using best contacts abuse[at]speakeasy.net

Parsing input: 216.14.208.15

host 216.14.208.15 = mail01.secureserverdot.com (cached)

host 216.14.208.15 = mail01.secureserverdot.com (cached)

ISP does not wish to receive report regarding 216.14.208.15

ISP does not wish to receive reports regarding http://216.14.208.15/ - no date available

Routing details for 216.14.208.15

Cached whois for 216.14.208.15 : abuse[at]successfulhosting.com

Using abuse net on abuse[at]successfulhosting.com

abuse net successfulhosting.com = abuse[at]successfulhosting.com

Using best contacts abuse[at]successfulhosting.com

Actual reports sent out appear to depend on just how the IP/URL turns up in the submitted spam for parsing.

Based on the numbers showing at SenderBase, one could make an assumption that it would be based on the IP address of the spew sourcing, which then leads to the ISP does not wish to receive reports problem .... so the actual reports don't go anywhere but feeding the SpamCopDNSBL ....

You are at the mercy of an ISP that appears to have lost some control over some of their e-mail servers and yet, doesn't want to hear about it.


All the reports showing are mole reporters, which is why you are only getting the summary. It might also be because of the ISP does not wish to receive reports issue.

Report History:

--------------------------------------------------------------------------------

Submitted: Wednesday, June 28, 2006 2:38:22 PM -0400:

Check up: Make other men envy you and girls worship you Most efficient produc...

1817011913 ( 216.14.208.15 ) To: mole[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Wednesday, June 28, 2006 2:38:02 PM -0400:

Re: to kiyys

1817013479 ( 216.14.208.15 ) To: mole[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Wednesday, June 28, 2006 11:56:19 AM -0400:

lowest prices possible

1816826635 ( 216.14.208.15 ) To: mole[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Wednesday, June 28, 2006 9:56:32 AM -0400:

RE: yOur pi11z r3quest

1816655940 ( 216.14.208.15 ) To: mole[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Wednesday, June 28, 2006 9:56:30 AM -0400:

Try 0ur pills. Interesting offers

1816656244 ( 216.14.208.15 ) To: mole[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Wednesday, June 28, 2006 9:56:29 AM -0400:

Y0ur medicine is ready and waiting f0r y0u

1816656348 ( 216.14.208.15 ) To: mole[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Monday, June 26, 2006 4:34:33 PM -0400:

Your health, night-riding

1813708078 ( 216.14.208.15 ) To: mole[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Monday, June 26, 2006 3:21:47 PM -0400:

1813626304 ( 216.14.208.15 ) To: mole[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Monday, June 26, 2006 2:14:50 PM -0400:

Red Hot Stock Watch

1813546602 ( 216.14.208.15 ) To: mole[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Monday, June 26, 2006 1:06:41 PM -0400:

antonym

1813474797 ( 216.14.208.15 ) To: mole[at]devnull.spamcop.net


Hello,

please ignore the albunix.org domain name, that's not the one I'm requesting help with.

I understand the part that we're getting summaries only, since these are mole reporters.

Could you please explain the part that the ISP does not wish to receive reports?

What do we, as the 216.14.208.0/20 netblock owners, have to do to rectify this?

Also, how can we at least get the Report History as you've listed it?

Thanks guys, this is helping out a lot.


I understand the part that we're getting summaries only, since these are mole reporters.

Could you please explain the part that the ISP does not wish to receive reports?

The information SpamCop uses to determine who should receive reports: http://www.spamcop.net/sc?action=rcache;ip=216.14.208.15

Tracking details

Display data:

"whois 216.14.208.15[at]whois.arin.net" (Getting contact from whois.arin.net )

Found AbuseEmail in whois abuse[at]successfulhosting.com

216.14.208.0 - 216.14.223.255:abuse[at]successfulhosting.com

Routing details for 216.14.208.15

Using abuse net on abuse[at]successfulhosting.com

abuse net successfulhosting.com = abuse[at]successfulhosting.com

Using best contacts abuse[at]successfulhosting.com

However, somewhere in history, someone set the ISP account to "ISP does not wish to receive reports regarding http://216.14.208.15/". You would have to log into your ISP account to clear that record and begin getting reports again. Or you can contact deputies[at]spamcop.net and ask them about it.

What do we at the 216.14.208.0/20 netblock owners have to do to rectify this?

In a quick test, it may only be that 1 IP address not receiving reports. Of course, if that is your primary mail server, that is bad ;)

for example:

Parsing input: 216.14.208.1

host 216.14.208.1 (getting name) = router.secureserverdot.com.

host 216.14.208.1 = router.secureserverdot.com (cached)

No recent reports, no history available

Routing details for 216.14.208.1

[refresh/show] Cached whois for 216.14.208.1 : abuse[at]successfulhosting.com

Using abuse net on abuse[at]successfulhosting.com

abuse net successfulhosting.com = abuse[at]successfulhosting.com

Using best contacts abuse[at]successfulhosting.com

Statistics:

216.14.208.1 not listed in bl.spamcop.net

More Information..

216.14.208.1 not listed in dnsbl.njabl.org

216.14.208.1 not listed in dnsbl.njabl.org

216.14.208.1 not listed in cbl.abuseat.org

216.14.208.1 not listed in dnsbl.sorbs.net

216.14.208.1 not listed in relays.ordb.org.

Reporting addresses:

abuse[at]successfulhosting.com

Also, how can we at least get the Report History as you've listed it?

If you are a paid reporter, you get access to the report summary I pasted. You can also post an IP here and someone will usually get it for you. I don't know if you get the same info through an ISP account or not. Will check later (time to go home, sorry).


please ignore albunix.org domainname, that's not the one I'm requesting help.

Only going with where the data you provided leads me ....

I understand the part that we're getting summaries only, since these are mole reporters.

Could you please explain the part that the ISP does not wish to receive reports?

What do we, as the 216.14.208.0/20 netblock owners, have to do to rectify this?

Are you the responsible agent/tech/whatever for this block? You never actually stated this, if this is true.

If so, follow the links to your ISP Control Center and modify some settings .... ????

If so, can you explain the SenderBase numbers?

Also, how can we at least get the Report History as you've listed it?

Thanks guys, this is helping out a lot.

As stated, this is a 'perk' of a paid reporting (or a SpamCop.net e-mail) account, something I don't even have.


Just wanted to drop a note and say thanks to albunix. Finding ISPs that actually want to fix spam problems on their networks seems to be getting rarer and rarer (I guess as the cost of bandwidth goes down). It is very nice to actually see an admin trying to fix a problem on their network.

216.14.208.15 resolves to mail01.secureserverdot.com, so I'm guessing this (and the other two IPs you listed which resolve to similar names) are your actual SMTP servers and not the IPs of end users. This is going to make tracking down the sources a bit more difficult than "direct-to-MX" spam.

To have much success, you are probably going to have to get a couple of complete headers to examine so you can match times and Message IDs to your server logs. Unfortunately for that, no one here can help you. You will have to contact deputies[at]admin.spamcop.net as they are the only people with access to that information from mole reports.

Once you get some usable data from them it should be pretty easy for you to track down the source from your logs, but if we can be of any help with anything, I'm sure most of us will be happy to do what we can.

Unfortunately, many spamcop users choose to use mole reporting, which while it does let an admin know they have some kind of problem, provides just enough data to make it almost impossible to nail down when you're talking about the volume of email that moves through a production mailserver. Hopefully the deputies can provide you with the information you need to track this back to the offending user and pummel them... or at least get them to fix their compromised PC.


Only going with where the data you provided leads me ....

Are you the responsible agent/tech/whatever for this block? You never atually stated this, if this is true.

If so, follow the links to your ISP Control Center and modify some settings .... ????

If so, can you explain the SenderBase numbers?

As stated, this is a 'perk' of a paid reporting (or a SpamCop.net e-mail) account, something I don't even have.

Wazoo,

correct. I'm assisting with finding out why 216.14.208.15 is getting blacklisted and how to prevent it in the future. We are currently looking to see if there is anything wrong with our ISP Control Center that I'm personally not familiar with.

We are a hosting company. I'm not sure what needs explaining from the SenderBase numbers.

The only thing that I can state is this:

There is a legit Vol Change vs. Average showing from the SenderBase.org site for these two IPs: 216.14.208.21 + 216.14.208.23.

Why, you would ask? Well, the moment we started getting blacklisted, we have to route email out. This is done via the 'outgoingip' feature of Qmail, which allows relaying email out via a secondary/third IP bound to the mail server. We almost never use these two IPs for our legit mail server mail01.secureserverdot.com.

It is only during a blacklisting period that we implement such. Being that there is almost never any traffic originating from such IPs during the time that our mail server is not blacklisted, you'd see how one can explain the increase in Vol Change vs. Average.

The reason we're blacklisted could very well be our end users' autoresponders, yet without any form of header checking it is next to impossible to determine.


correct. I'm assisting with finding out why 216.14.208.15 is getting blacklisted and how to prevent it in the future. We are currently looking to see if there is anything wrong with our ISP Control Center that I'm personally not familiar with.

Login to ISP account...Preferences tab,

Report Type selection

If you are bothered by reports which reference your network without authorization, you may disable some report types while ensuring that relevant reports still reach you.

source (Administrator of network where email originates) Refuse Accept

www (Administrator of network hosting website referenced in spam) Refuse Accept

email (Administrator of network hosting email address referenced in spam) Refuse Accept

relay (Administrator of network with open relays) Refuse Accept

notify (User defined recipient) Refuse Accept

ns (Name server for spamvertised domain) Refuse Accept

intermediary (Administrator interested in intermediary handling of spam) Refuse Accept

To possibly find out more information (possibly the type list you were looking for, but maybe not)...

Control Center tab,

Enter the IP address and Action: Find reports

I get the following back for your IP, but it is not my IP range so there may be a difference:

216.14.208.15

Listed in bl.spamcop.net

Most recent spam reported about 5 hours ago

Hope this helps some.


StevenUnderwood + Wazoo + the rest of the crew,

thanks for all your kind advice on this issue.

We've checked our ISP control panel and there was nothing wrong with it.

At this point we've decided to ask

deputies at spamcop.net for further assistance.

again bless all of you


At this point we've decided to ask

deputies at spamcop.net for further assistance.

Seems the best choice at this time... please come back and let us know if there was anything more we missed.

One note, the deputies had been very busy for a while so providing as much relevant info in the original email will help them understand the problem quickly and get you a quicker answer. Also, if you don't get an answer in a day or 2, try again.

Good luck.


Seems the best choice at this time... please come back and let us know if there was anything more we missed.

One note, the deputies had been very busy for a while so providing as much relevant info in the original email will help them understand the problem quickly and get you a quicker answer. Also, if you don't get an answer in a day or 2, try again.

Good luck.

StevenUnderwood,

there was nothing you guys missed for sure :)

We have not gotten any answers from deputies at admin.spamcop.net, though we've repeatedly tried to get in touch with them. Also, we left a VM on SpamCop's answering machine :)

In any event, we're storing message subjects, every 15 mins, for our outgoing queue. In the event we would ever get bl'ed again, we would try and match such subjects to the ones that you posted in this thread before. Hopefully we'd get a hit and we would find out the cause.

I want to give SpamCop a big heads up. AOL implements what's called a "feedback loop". Basically, any complaints within the IP range you register get forwarded to the abuse address that one registered at the time of feedback loop creation. Very, very useful :)

They scrub the AOL recipients so as to make them into what SpamCop refers to as "moles".

We have had great success with their feedback loop, since we were able to find out and eliminate any spammers, or anyone that was using our servers as a passthrough forward and who was reporting any email forwarded to such forwards as spam.

SpamCop must wake up and smell the coffee. Mole reports are good and all, but what about the case where users are simply forwarding their emails and one's servers are used only as a passthrough?

The hosting company is definitely not to blame, yet SpamCop makes no effort to either

1) provide the hosting company a way to check if anyone is forwarding emails, then reporting them as spam once they receive them on their ISP's account, or

2) provide some headers etc., so that our abuse technicians can identify what's happening.

Hope someone will act upon my suggestions and change the tables around.

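The matching the poster describes (saved outgoing-queue subjects against the mole-report summaries), written out as an added example; this is not code from the thread, from the poster or from SpamCop. The mole-report text is the summary posted earlier in this thread; the queue log, its tab-separated format, the queue ids and the customer addresses are all constructed for the example. Subjects are compared case-insensitively after whitespace normalisation, a summary subject cut off with "..." is matched as a prefix, and a log line only counts if it was sent within a window before the report was submitted. A report with a blank subject (the last one in the summary) cannot be matched on this data at all, which is exactly the limitation of mole reports the thread complains about.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Mole-report summary in the format quoted earlier in this thread (these entries are the
# ones posted above; the last one has a blank subject).
MOLE_REPORT = """\
Submitted: Wednesday, June 28, 2006 2:38:22 PM -0400:
Check up: Make other men envy you and girls worship you Most efficient produc...
1817011913 ( 216.14.208.15 ) To: mole[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Wednesday, June 28, 2006 11:56:19 AM -0400:
lowest prices possible
1816826635 ( 216.14.208.15 ) To: mole[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Wednesday, June 28, 2006 9:56:32 AM -0400:
RE: yOur pi11z r3quest
1816655940 ( 216.14.208.15 ) To: mole[at]devnull.spamcop.net
--------------------------------------------------------------------------------
Submitted: Monday, June 26, 2006 3:21:47 PM -0400:
1813626304 ( 216.14.208.15 ) To: mole[at]devnull.spamcop.net
"""

# Constructed outgoing-queue subject log. The format (ISO timestamp, queue id, envelope
# sender, subject, tab-separated), the queue ids and the sender addresses are hypothetical.
SUBJECT_LOG = """\
2006-06-28T09:41:03-0400\t1151502063.12345\tjoe@customer-a.example\tRE: yOur pi11z r3quest
2006-06-28T09:41:05-0400\t1151502065.12346\tjoe@customer-a.example\tRE: yOur pi11z r3quest
2006-06-28T13:55:40-0400\t1151517340.20001\tvacation@customer-b.example\tOut of office: Re: invoice
2006-06-28T14:02:11-0400\t1151517731.20002\tjoe@customer-a.example\tCheck up: Make other men envy you and girls worship you Most efficient product
2006-06-27T10:00:00-0400\t1151416800.30003\tsales@customer-c.example\tlowest prices possible
"""


@dataclass
class ReportEntry:
    submitted: datetime
    subject: str
    report_id: str
    source_ip: str


@dataclass
class QueueRecord:
    sent: datetime
    queue_id: str
    sender: str
    subject: str


_SUBMITTED = re.compile(r"^Submitted:\s*(.+?):?\s*$")
_REPORT_ID = re.compile(r"^(\d+)\s+\(\s*([\d.]+)\s*\)\s+To:\s+\S+$")


def parse_mole_report(text):
    """Walk the summary: a 'Submitted:' line, zero or more subject lines, then the id line."""
    entries, submitted, subject_lines = [], None, []
    for line in text.splitlines():
        line = line.strip()
        m = _SUBMITTED.match(line)
        if m:
            submitted = datetime.strptime(m.group(1), "%A, %B %d, %Y %I:%M:%S %p %z")
            subject_lines = []
            continue
        m = _REPORT_ID.match(line)
        if m and submitted is not None:
            entries.append(ReportEntry(submitted, " ".join(subject_lines), m.group(1), m.group(2)))
            submitted, subject_lines = None, []
        elif submitted is not None and line and not line.startswith("---"):
            subject_lines.append(line)
    return entries


def parse_subject_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, queue_id, sender, subject = line.split("\t", 3)
            records.append(QueueRecord(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z"), queue_id, sender, subject))
    return records


def _norm(s):
    return re.sub(r"\s+", " ", s).strip().lower()


def subject_matches(report_subject, log_subject):
    """SpamCop truncates long subjects with '...'; match those as a prefix, others exactly."""
    r, l = _norm(report_subject), _norm(log_subject)
    if r.endswith("..."):
        return l.startswith(r[:-3].rstrip())
    return r == l


def correlate(report_text, log_text, window=timedelta(hours=24)):
    """Pair each report with queue records of the same subject sent within `window` before it."""
    matches = []
    records = parse_subject_log(log_text)
    for entry in parse_mole_report(report_text):
        if not entry.subject:  # nothing to match a blank-subject report on
            continue
        for rec in records:
            if subject_matches(entry.subject, rec.subject) and timedelta(0) <= entry.submitted - rec.sent <= window:
                matches.append((entry, rec))
    return matches


def suspect_senders(matches):
    """Envelope senders ranked by how many reports their queue entries line up with."""
    return Counter(rec.sender for _, rec in matches)


if __name__ == "__main__":
    hits = correlate(MOLE_REPORT, SUBJECT_LOG)
    for entry, rec in hits:
        print(f"report {entry.report_id} <- queue {rec.queue_id} from {rec.sender}: {rec.subject!r}")
    print(suspect_senders(hits).most_common())
```

On the constructed data the two "pi11z" queue entries and the truncated "Check up" subject line up with joe@customer-a.example, while "lowest prices possible" was sent more than a day before its report and is left out of the window. The report ids stay attached to each match, so the deputies can be asked about one specific report rather than the whole listing.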

SpamCop must wake up and smell the coffee. Mole reports are good and all, but what about the case where users are simply forwarding their emails and one's servers are used only as a passthrough?

The hosting company is definitely not to blame, yet SpamCop makes no effort to either

1) provide the hosting company a way to check if anyone is forwarding emails, then reporting them as spam once they receive them on their ISP's account, or

2) provide some headers etc., so that our abuse technicians can identify what's happening.

Hope someone will act upon my suggestions and change the tables around.

216.14.208.15 is an email server which is improperly configured, as it is not stamping the IP source? SpamCop will only list a computer sending spam if that computer's IP is not hidden (blocking spam as it is sent, not after, and releasing that IP when spam stops). For an email server to get listed means a lot of spam is being sent from that IP, from what I see (I'm only a SC user).

Mole reporting only provides statistics and does not count towards blocking. That is unless spam is also hitting SpamCop email traps (which are unguessable; they have around 18 alphanumeric tags, which is better than bank security of 128 bit). No reports are sent when email hits spam traps until it is listed (your IP has a not-to-be-contacted flag).

216.14.208.15 has "ISP does not wish to be contacted"; this may be a legacy issue which will be corrected if you wish and when SpamCop deputies reply. Monday to Friday is when more deputies are at the wheel and will be able to respond quicker, and you should be able to release this if you choose.


I want to give SpamCop a big heads up. AOL implements what's called a "feedback loop". Basically

any complaints within the IP range you register, gets forwarded to the abuse address

that one registered at the time of feebackloop creation. Very, very useful :)

Once upon a time, all 'evidence' was in fact available, which made it easy for "us" to research things. However, this also made it easy for spammers to game the system, and based on that perspective, more and more data started disappearing from 'public' view .... back to the small handful (call it three) Deputies trying to handle the characterized 800-1200 e-mails a day .....

SpamCop must wake up and smell the coffee. Mole reports are good and all, but what about the case where users are simply forwarding their emails and one's servers are used only as a passthrough?

That would fall under the "bad reporting" parts of the Rules and agreements ... suspensions, fines, and outright bans involved .... see the SpamCop FAQ

The hosting company is definitely not to blame, yet SpamCop makes no effort to either

1) provide the hosting company a way to check if anyone is forwarding emails, then reporting them as spam once they receive them on their ISP's account

see above ....

2) provide some headers etc., so that our abuse technicians can identify what's happening

also see above, see the SpamCop FAQ ....


We have not gotten any answers from deputies at admin.spamcop.net, though we've repeatedly tried to get in touch with them. Also, we left a VM on SpamCop's answering machine :)

In any event, we're storing message subjects, every 15 mins, for our outgoing queue. In the event we would ever get bl'ed again, we would try and match such subjects to the ones that you posted in this thread before. Hopefully we'd get a hit and we would find out the cause.

I am not a server admin, but it seems as though you could use an existing spam filter to filter your outgoing mail right now.

SpamCop must wake up and smell the coffee. Mole reports are good and all, but what about the case where users are simply forwarding their emails and one's servers are used only as a passthrough?

The hosting company is definitely not to blame, yet SpamCop makes no effort to either

1) provide the hosting company a way to check if anyone is forwarding emails, then reporting them as spam once they receive them on their ISP's account, or

2) provide some headers etc., so that our abuse technicians can identify what's happening.

Hope someone will act upon my suggestions and change the tables around.

Again, I am not sure of the terminology, but I think that spamcop already does not allow 1) so if someone were doing that it would be quickly fixed, but you would be getting reports that you could reply to if it were not a mole and was causing the bl listing.

For 2) spamcop has to guard against spammers using the info. Unfortunately, since spam traps do not send email, if spam is hitting spam traps only, you won't get reports. Again, if you are suspicious of auto responders, can't you look at the outgoing mail and see who is sending them? Even if you don't have evidence that those emails are causing the bl listing, you can certainly contact the person and explain that they could in the future.

Miss Betsy


2 weeks later...

StevenUnderwood,

Hello again.

Is there a way to post in here some of the mole reports that are shown against

216.14.208.15 the last say week or so?

We've had one of our mail server temp blacklisted again :-/ and I'd like to try

and match up the email headers I've been saving since the last incident against

the mole reports.

Thanks a bunch.


Lots of spam! (Remove your spammers!!!!!!!!!!!!!!)

These are mole reports (but no listwashing allowed)

Submitted: Wednesday, June 28, 2006 2:38:22 PM -0400:

Check up: Make other men envy you and girls worship you Most efficient produc...

--------------------------------------------------------------------------------

Submitted: Wednesday, June 28, 2006 2:38:02 PM -0400:

Re: to kiyys

--------------------------------------------------------------------------------

Submitted: Wednesday, June 28, 2006 11:56:19 AM -0400:

lowest prices possible

--------------------------------------------------------------------------------

Submitted: Wednesday, June 28, 2006 9:56:32 AM -0400:

RE: yOur pi11z r3quest

--------------------------------------------------------------------------------

Submitted: Wednesday, June 28, 2006 9:56:30 AM -0400:

Try 0ur pills. Interesting offers

--------------------------------------------------------------------------------

Submitted: Wednesday, June 28, 2006 9:56:29 AM -0400:

Y0ur medicine is ready and waiting f0r y0u

--------------------------------------------------------------------------------

Submitted: Monday, June 26, 2006 4:34:33 PM -0400:

Your health, night-riding

--------------------------------------------------------------------------------

Submitted: Monday, June 26, 2006 3:21:47 PM -0400:

<blank subject>


Is there a way to post in here some of the mole reports that are shown against

216.14.208.15 the last say week or so?

We've had one of our mail server temp blacklisted again :-/ and I'd like to try

and match up the email headers I've been saving since the last incident against

the mole reports.

There is no way to post mole reports - that's why they are mole reports: nobody can see them.

I am not a server admin, but there must be a better way to find a spammer than to wait to be blacklisted. Since 80% of spam nowadays is sent by zombies, perhaps it would be a good idea to look for infected machines. There is another topic, "I'm at my wits end - keep getting listed", where someone else is trying to find the hole in his system. Have you tried all the things he has tried?

Miss Betsy


Merlyn,

thanks.

I still doubt there are spammers on our system, rather than forwards, say joe[at]domainname.com --> forwards to joeblow[at]att.net or something else.

In any event, I've started saving the headers from June 30th onward, so anything you posted is not included on those lists.

Do you have any headers, say, from July 2nd onward?

Thanks again.


Telarin,

I meant the mole report "headers" of the following form.

Submitted: Monday, June 26, 2006 2:14:50 PM -0400:

Red Hot Stock Watch

1813546602 ( 216.14.208.15 ) To: mole[at]devnull.spamcop.net

I just need them to be from July 2nd onward date :)

