
John's revised post


Miss Betsy


This is a public self help newsgroup, I do not represent spamcop.net, and that is the case for many of the posters. This is my understanding of the process.

A listing in the spamcop blocklist usually indicates one of the following in order of probability:

1. You have a security hole in your server or network (almost always). Spammers will use any vulnerability that they can find in your network to send spam.

This includes open proxies installed by viruses, weak passwords or guest accounts on servers, and web forms that send mail. An open relay test is not sufficient to test your server.

2. You have a user that has reported you in a spam report by mistake.

(Rare, but it happens, usually when someone on your network automates their spam submissions without any manual verification.)

3. Some bug in the spamcop parser caused your mail server to be reported as a spam source by a user of your mail server.

(Rare, but it happens in bursts.)

4. You are actually sending spam, and are trying to convince people here that they should opt out of things that they did not opt into.

It is in everyone's interest to get real mail servers secured, so asking here for help in determining the cause of the listing will likely get you some help.

Information necessary to get useful help:

You will need to provide the I.P. address of the server that is blocked. That should be in the rejection message. Posting your domain name will require a guessing game and that will delay any resolution of the problem.

The first step is to look up your I.P. address in the spamcop.net listing to see approximately how long you have been listed and if there are any sample reports. (The sample reports do not give many details, as spammers were using the information to avoid being blocked.)

http://www.moensted.dk/spam/ will show if the I.P. address is listed in other lists, and those lists may provide what the real problem is. Some of the lists specialize in listing certain types of spam exploits, or return codes identifying the exploit.

For example, if you have an open relay:

+ ORDB Open Relay DataBase: relays.ordb.org -> 127.0.0.2
This mail was handled by an open relay -
please visit <http://ORDB.org/lookup/?host=X.X.X.X>

You can also use http://www.google.com with the GROUPS search for your I.P. address to see if there are examples of recent spam posted.

For case #1 – insecure mail server

When you post here with the above information, there are people on the forum who may submit your server to relay and open proxy tests and post the results.

And some may be able to determine, from what the spam headers look like, which exploit is being used. There is currently a spammer that is exploiting SMTP servers with guest accounts or other accounts with weak passwords.

There was one person here complaining that a mail server was being blocked when it seemed to be clean. It turned out that their firewall was not being a firewall, and the spammer was sending mail through the firewall to the mail server that got listed.

There was another that was a big mystery. It turned out that the spammer was uploading a mail server to a vulnerability on a web server, making a spam run just long enough to get listed, and then remove the uploaded files, leaving no trace. The owner of the compromised server finally put a network monitor on the system, and caught the spammer in the act.

If the problem can’t be solved by the forum “experts,” it may be worthwhile to find a good computer security person to perform an audit on your systems.

For cases 2 and 3:

Now if you are here because one of your own users reported your server by mistake, or because of a parser error, that should be evident from the sample headers. You can try responding to the spamcop report if you think it is in error. If you phrase it so the reporter does not think you are a spammer trying to listwash him, the reporter may apologize and contact the deputies.

Spamcop.net users are not to report viruses, auto-acks, challenges from challenge response systems, or bounces. Depending on the case those reporters who do report those items are warned, fined from paid accounts, or banned from using spamcop.net.

If you are auto-responding to viruses, spamtraps may be listing you. Auto-responding to viruses is an extremely bad practice, and should be discontinued immediately. Those virus warnings are useless, and are not going to anyone that can stop the viruses from being sent to your network. Responding to them is just adding to the havoc created by the virus writer.

The same is true of sending bounce email messages. If you are accepting email and then sending emails to notify of undeliverable messages or bad content, spamcop should not be listing you, but please change to using SMTP rejects.

If you must return a message that cannot be delivered, consider sending it to the postmaster of the I.P. address you received it from. That postmaster should be able to notify the real sender.

These types of things can cause spamtraps to automatically list your server, and spamcop.net is not the only DNSbl that will list from spamtrap hits.

A deputy is the only person who can look at the sample reports. If your IP address is listed as being caught by a spamtrap, or if you are reasonably certain that it is a reporter error, then you should email deputies at spamcop.net with the same information needed for forum “experts.”

For case 4:

Stop spamming!

-John

Personal Opinion Only
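An added example, not part of John's post or of any SpamCop or ORDB tooling, showing how the DNSbl lookups described above work: the server's I.P. octets are reversed, the list's zone is appended, and the returned 127.0.0.x code is mapped to the exploit the list reports. The 192.0.2.10 address, the dnsbl.example zone and its code table are constructed; the relays.ordb.org -> 127.0.0.2 pairing is the one quoted in the post.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Per-zone meaning of the returned A record. The ORDB entry is the one
# quoted in the post; dnsbl.example is a constructed placeholder zone.
# Real lists publish their own code tables; consult them before relying on this.
RETURN_CODES: Dict[str, Dict[str, str]] = {
    "relays.ordb.org": {"127.0.0.2": "open relay"},
    "dnsbl.example": {"127.0.0.2": "open proxy", "127.0.0.3": "spamtrap hit"},
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSbl query name: reversed IPv4 octets + zone.

    192.0.2.10 in relays.ordb.org becomes 10.2.0.192.relays.ordb.org.
    Raises ValueError for anything that is not a valid IPv4 address.
    """
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_dnsbls(ip: str, zones: List[str],
                 resolve: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Query each zone; NXDOMAIN (None) means not listed, otherwise decode the code."""
    results: Dict[str, str] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            results[zone] = "not listed"
        else:
            codes = RETURN_CODES.get(zone, {})
            results[zone] = codes.get(answer, "listed (unknown code %s)" % answer)
    return results


def live_resolver(name: str) -> Optional[str]:
    """Real DNS lookup; a listed host answers with an A record, NXDOMAIN means unlisted."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed offline stand-in for DNS so the check runs without network access:
# 192.0.2.10 is listed as an open relay by ORDB and absent from the placeholder zone.
FAKE_DNS: Dict[str, str] = {"10.2.0.192.relays.ordb.org": "127.0.0.2"}


def offline_resolver(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)
```

Swap `offline_resolver` for `live_resolver` to query real zones for the I.P. from your rejection message.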
