
Trying to find out why we keep being listed


w0rmy


Hi,

I admin a server hosted on 202.55.97.69 which often ends up being listed by spamcop.

I am trying to track down why these listings keep happening; we receive no reports from spamcop nor our provider. Our provider says they do not get the reports either (we can neither confirm nor deny this), so we are trying to figure out what's causing these listings, yet without any luck.

When trying to find reports to track down what is being classed as spam to stop it, I keep finding myself running into a wall.

The listing entry shows:

202.55.97.69 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 0 hours.

Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

* It appears this listing is caused by misdirected bounces. We have a FAQ which covers this topic: Why auto-responses are bad (Misdirected bounces). Please read this FAQ and heed the advice contained in it.

A delisting time of 0 hours?

Ok, it appears one of our users has somehow sent email to a SpamCop spamtrap, perhaps some form of DSN or bounce message, but as no reports are there, I am unsure how I am to address this issue.

I would like to resolve this issue once and for all, but without information additional to http://www.spamcop.net/mcgi?action=showhis...d;val=107443292 I really have no idea how I can achieve this.

Any help would be appreciated.


...I admin a server hosted on 202.55.97.69 which often ends up being listed by spamcop. ...I am trying to track down why these listings keep happening, we receive no reports from spamcop nor our provider. ... I would like to resolve this issue once and for all, but without information additional to http://www.spamcop.net/mcgi?action=showhis...d;val=107443292 I really have no idea how I can achieve this. ...
Reports aren't routinely made available in the case of hits on spamtraps. Nevertheless, if you can convince the Deputies of who you are they may be able to offer enough for you to search your logs. That's a similar situation to one Steve T recently responded to, and his advice in the lower part of Post 11, "IP 201.28.110.218 IS BLOCKED in SpamCOP". But I guess your contact with the provider would be kenneth.liew[at]hdsnz.com - from SenderBase

HTH


Spamcop reports would be sent to:

Tracking details

"whois 202.55.97.69[at]whois.apnic.net" (Getting contact from whois.apnic.net mirror)

Display data:

kl689-ap = kenneth.liew[at]hdsnz.com

whois.apnic.net 202.55.97.69 = kenneth.liew[at]hdsnz.com

whois: 202.55.96.0 - 202.55.111.255 = kenneth.liew[at]hdsnz.com

Routing details for 202.55.97.69

Using abuse net on kenneth.liew[at]hdsnz.com

No abuse net record for hdsnz.com

Using default postmaster contacts postmaster[at]hdsnz.com

There is one regular report I now see but that was kept in house at spamcop to an address that seems new:

Report History:

--------------------------------------------------------------------------------

Submitted: Tuesday, July 18, 2006 2:03:23 PM -0400:

Delivery Status Notification (Failure)

1842057197 ( 202.55.97.69 ) To: uube[at]devnull.spamcop.net

One could guess that uube[at]devnull.spamcop.net is a new way they are trying to disseminate some info about spamtrap hits that seem to be misdirected bounces, but that is only a guess.


The listing entry shows:

202.55.97.69 listed in bl.spamcop.net (127.0.0.2)

http://www.spamcop.net/w3m?action=checkblo...ip=202.55.97.69 now shows;

202.55.97.69 not listed in bl.spamcop.net

Is your host reading his e-mail?

Parsing input: 202.55.97.69

host 202.55.97.69 = smtp3a.mailprimer.com (cached)

host 202.55.97.69 = smtp3a.mailprimer.com (cached)

Routing details for 202.55.97.69

[refresh/show] Cached whois for 202.55.97.69 : kenneth.liew[at]hdsnz.com

Using abuse net on kenneth.liew[at]hdsnz.com

No abuse net record for hdsnz.com

Using default postmaster contacts postmaster[at]hdsnz.com

Not registered with abuse.net with an abuse address ....

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 0 hours.

Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

* It appears this listing is caused by misdirected bounces. We have a FAQ which covers this topic: Why auto-responses are bad (Misdirected bounces). Please read this FAQ and heed the advice contained in it.

And did you look at the original FAQ? Did you try the single-page access point to the SpamCop FAQ here ( that is also much expanded) ...???? Did you take a look at the "Why am I Blocked?" that exists as its own entry as a Pinned item in this Forum Section in addition to being included in the SpamCop FAQ here?

A delisting time of 0 hours?

Yet another item explained here in the SpamCop FAQ .. see SCBL "will be delisted in 0 hours" (now shown as 'in a short time') explained

Ok, it appears one of our users has somehow sent email to a SpamCop spamtrap, perhaps some form of DSN or bounce message, but as no reports are there, I am unsure how I am to address this issue.

One user? For starters, once again the SpamCop FAQ entry titled "What is on the list?" You can make the math work with a single e-mail?

For a better handle on the issue, take a look at http://www.senderbase.org/?searchBy=ipaddr...ng=202.55.97.69 and explain the numbers seen there ....

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day         3.4         98%
Last 30 days     3.7         237%
Average          3.1

I would like to resolve this issue once and for all, but without information additional to http://www.spamcop.net/mcgi?action=showhis...d;val=107443292 I really have no idea how I can achieve this.

Any help would be appreciated.

Are you sending out bogus non-delivery notices, out-of-office e-mail, some other type of auto-responses that are going to forged addresses? There are many other experiences related within this forum section. Many have sorted out where the traffic was coming from and stopped it. Have you at least looked at any other of the similar Topics/Discussions already in place to see how others have gone through the struggle?


Is your host reading his e-mail?

Parsing input: 202.55.97.69

host 202.55.97.69 = smtp3a.mailprimer.com (cached)

host 202.55.97.69 = smtp3a.mailprimer.com (cached)

Routing details for 202.55.97.69

[refresh/show] Cached whois for 202.55.97.69 : kenneth.liew[at]hdsnz.com

Using abuse net on kenneth.liew[at]hdsnz.com

No abuse net record for hdsnz.com

Using default postmaster contacts postmaster[at]hdsnz.com

Not registered with abuse.net with an abuse address ....

Yes he is. As you can see his email address is kenneth.liew[at]hdsnz.com. But reports are not sent there.

I don't understand why abuse.net records are used for contact, when accurate records of contact details are held at apnic.

I can't force my provider to register at abuse.net, nor can I force him to change how they handle their postmaster email. As far as he is concerned, he has accurate records at apnic, and people's choice not to use them is theirs, not his.

And did you look at the original FAQ? Did you try the single-page access point to the SpamCop FAQ here ( that is also much expanded) ...???? Did you take a look at the "Why am I Blocked?" that exists as its own entry as a Pinned item in this Forum Section in addition to being included in the SpamCop FAQ here?

Yes. But I was unable to find the answers I was looking for, so I am posting here.

Yet another item explained here in the SpamCop FAQ .. see SCBL "will be delisted in 0 hours" (now shown as 'in a short time') explained

And I read that prior to posting here.

According to everything I have been provided:

We were listed at approx 9pm Sat 12th (NZST) GMT+12

We were delisted between my post and your reply 2:16pm Monday 14th (NZST) GMT+12

I had read your post regarding the 0 hours to delay, but I felt the need to query it, as the period was much longer than the 24-hour listing + 2 to 3 hours to go through the system.

Software has problems every now and then; I was simply querying to ensure there wasn't one on the spamcop side of things.

One user? For starters, once again the SpamCop FAQ entry titled "What is on the list?" You can make the math work with a single e-mail?

For a better handle on the issue, take a look at http://www.senderbase.org/?searchBy=ipaddr...ng=202.55.97.69 and explain the numbers seen there ....

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day         3.4         98%
Last 30 days     3.7         237%
Average          3.1

Are you sending out bogus non-delivery notices, out-of-office e-mail, some other type of auto-responses that are going to forged addresses? There are many other experiences related within this forum section. Many have sorted out where the traffic was coming from and stopped it. Have you at least looked at any other of the similar Topics/Discussions already in place to see how others have gone through the struggle?

Never said a single mail caused this, I realise it takes a little more than one but yes, the potential is it is just a singular user. They may have implemented something on their mailserver (which may have many users) that SpamCop doesn't like. But I am unsure, without more info than the above, how am I supposed to find out which one of our customers is doing this?

I am sure one of our customers is sending bogus dsn/vacation or some other autoresponder

I see the senderbase increase, but without a timestamp, subject line, messageid, from address... SOMETHING to check through the thousands of smtp transactions, I am at a loss as to how to find our problem.


Reports aren't routinely made available in the case of hits on spamtraps. Nevertheless, if you can convince the Deputies of who you are they may be able to offer enough for you to search your logs.

I have attempted to contact deputies 10 days ago now but am yet to have a reply. I presume the lack of reply is due to my inability to provide proof that I do in fact admin the server on the IP I have requested information for, or perhaps a high work load and this delay is normal?

Yes, my contact with the provider is kenneth.liew[at]hdsnz.com, any reports generated though, are not being sent to there.


Not speaking for the Deputies, but .... I'd agree .. you are probably running up against the same issue as your ISP contact .. the use of a non-role account as the contact address. Once again, one of those things the spammers have poisoned.

As far as "did read the FAQ entries prior to posting your questions" .... how about explaining why you feel that the answers didn't exist?


Not speaking for the Deputies, but .... I'd agree .. you are probably running up against the same issue as your ISP contact .. the use of a non-role account as the contact address. Once again, one of those things the spammers have poisoned.

Our provider may not check postmaster[at]

But I do, for all our domains. postmaster[at] our domains, are all real working addresses, I'm presuming I have run into a different issue.

As far as "did read the FAQ entries prior to posting your questions" .... how about explaining why you feel that the answers didn't exist?

Perhaps it's a gap in the language barrier, perhaps not.

I followed the links, from the spamcop main page:

It sends me here: http://www.spamcop.net/fom-serve/cache/1.html

I follow the link to here: http://www.spamcop.net/fom-serve/cache/290.html

None of which cover my question.

So I browsed the forums: http://forum.spamcop.net/forums/index.php?

Going here: http://forum.spamcop.net/forums/index.php?showforum=11

I read this: http://forum.spamcop.net/forums/index.php?showtopic=5597

I read this: http://forum.spamcop.net/forums/index.php?showtopic=972

Specifically these parts:

Q: Who do I contact to correct this problem? A: Your ISP (email service provider) first

Usually the ISP with the blocked IP address has also been notified with the evidence of spam reports. Your ISP may have already acted on the Spamcop report they have received by the time you call.

Have contacted my ISP, they state they have not been sent reports, The SpamCop website appears to confirm this.

I continue browsing that, to look for a "What do I do if neither I nor my provider receive reports" which I find nothing relating to this so I return 1 page.

I then have a look at this: http://forum.spamcop.net/forums/index.php?showtopic=4351 which appears to be about how to set up your forum account.

At this point, I attempt to post to this forum in request for help, as I have tried and am unable to find the answers I want.

I also read other threads with similar issues, which inform people to email deputies, which I did, 10 days ago and am still awaiting a reply.

Please point out where I have gone wrong, I want to get this issue fixed, and have no idea where to go from here. I don't think I have taken the easy approach, I have read through as much as I could find, I figured people such as yourself, would have additional info, that may help me.

Also in regards to this comment here by you

And did you look at the original FAQ? Did you try the single-page access point to the SpamCop FAQ here ( that is also much expanded) ...???? Did you take a look at the "Why am I Blocked?" that exists as its own entry as a Pinned item in this Forum Section in addition to being included in the SpamCop FAQ here?

You posted that bit to a piece of info I copied directly from the spamcop website. I was not querying the info, merely trying to provide you forum users with as much detail as I could find, I was simply trying to lower the amount of work others had to do to help me.


So I browsed the forums: http://forum.spamcop.net/forums/index.php?

Going here: http://forum.spamcop.net/forums/index.php?showforum=11

I read this: http://forum.spamcop.net/forums/index.php?showtopic=5597

I read this: http://forum.spamcop.net/forums/index.php?showtopic=972

Specifically these parts:

Q: Who do I contact to correct this problem? A: Your ISP (email service provider) first

Usually the ISP with the blocked IP address has also been notified with the evidence of spam reports. Your ISP may have already acted on the Spamcop report they have received by the time you call.

Have contacted my ISP, they state they have not been sent reports, The SpamCop website appears to confirm this.

I continue browsing that, to look for a "What do I do if neither I nor my provider receive reports" which I find nothing relating to this so I return 1 page.

I then have a look at this: http://forum.spamcop.net/forums/index.php?showtopic=4351 which appears to be about how to set up your forum account.

At this point, I attempt to post to this forum in request for help, as I have tried and am unable to find the answers I want.

I also read other threads with similar issues, which inform people to email deputies, which I did, 10 days ago and am still awaiting a reply.

You must have skipped over the section for server admins. We have debated about whether to include information for both end users and server admins in the same FAQ and finally put links in a special section for server admins followed by a 'simple' explanation for the non-technically fluent.

Unfortunately, since I am technically non-fluent, I can't help you to find that 'single' customer who is sending autoresponses. However, there has to be a way because other server admins do not have this problem.

Since I am technically non-fluent, I would begin by informing all my customers that all those things are not good practice any more (including using the 'bounce' feature on Mailwasher) and no longer will be allowed as part of the AUP. As reasons why not, be sure to describe horror stories of admins who receive thousands an hour! And some sob stories of novices who were terrified or horrified to see their email addresses being bounced! Then I would filter outgoing mail to look for likely culprits.

Miss Betsy

PS If you do discover how to fix this problem, please post back and perhaps we can add it to the FAQ. I don't think that we have any FAQ for server admins that describes how to fix your problem. It is not exactly a spamcop FAQ, but you aren't the first person to be asking these questions.

PPS if your senderbase statistics have gone way up (and now that I have started to type, I am not sure about that), then probably one of your customers is infected. The logs to look in are not the email logs but other ports since infections usually don't use Port 25 (again I am not technically fluent, so my terminology may not be correct).

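An added example, not part of any post in this thread: misdirected bounces can be searched for in outbound logs without any evidence from SpamCop, because they leave with an empty envelope sender (`<>`) or an auto-reply subject and go to outside addresses the account has never written to. The log layout, field names, account names and domains below are constructed and hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample log. The key=value layout and the field names (dir, acct,
# from, to, subj) are hypothetical; adapt parse_line() to your own MTA's format.
SAMPLE_LOG = """\
2006-08-12T20:30:55 dir=out acct=cust-a from=<ann@cust-a.example> to=<bob@partner.example> subj="Quote for July"
2006-08-12T20:31:02 dir=out acct=cust-a from=<> to=<x91k@trap.example> subj="Delivery Status Notification (Failure)"
2006-08-12T20:31:04 dir=out acct=cust-a from=<> to=<q7@other.example> subj="Delivery Status Notification (Failure)"
2006-08-12T20:33:40 dir=out acct=cust-b from=<joe@cust-b.example> to=<x91k@trap.example> subj="Out of Office: back Monday"
2006-08-12T20:35:12 dir=out acct=cust-a from=<ann@cust-a.example> to=<bob@partner.example> subj="Out of Office: Re: Quote for July"
2006-08-12T20:36:00 dir=in acct=cust-b from=<bob@partner.example> to=<joe@cust-b.example> subj="Hello"
"""

LOCAL_DOMAINS = {"cust-a.example", "cust-b.example"}  # hypothetical hosted domains

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
AUTO_SUBJECT_RE = re.compile(
    r"delivery status notification|undeliverable|returned mail|"
    r"out of office|auto[- ]?reply|vacation",
    re.IGNORECASE,
)


def parse_line(line):
    """Return (timestamp, {field: value}) for one log line."""
    ts, _, rest = line.strip().partition(" ")
    return ts, {k: (q or b) for k, q, b in FIELD_RE.findall(rest)}


def find_backscatter(log_text, local_domains=LOCAL_DOMAINS):
    """Rank accounts by automatic mail sent to outside addresses they never wrote to."""
    known = defaultdict(set)  # acct -> outside addresses that received ordinary mail
    automatic = []            # (ts, acct, rcpt, subj, kind)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if f.get("dir") != "out":
            continue
        acct = f.get("acct", "unknown")
        sender = f.get("from", "").strip("<>")
        rcpt = f.get("to", "").strip("<>").lower()
        subj = f.get("subj", "")
        if rcpt.rpartition("@")[2] in local_domains:
            continue  # stays on this platform, cannot reach an outside trap
        if not sender:
            automatic.append((ts, acct, rcpt, subj, "null-sender"))
        elif AUTO_SUBJECT_RE.search(subj):
            automatic.append((ts, acct, rcpt, subj, "auto-reply"))
        else:
            known[acct].add(rcpt)

    report = {}
    for ts, acct, rcpt, subj, kind in automatic:
        if rcpt in known[acct]:
            continue  # reply to a real correspondent, unlikely to be a forged sender
        row = report.setdefault(acct, {"acct": acct, "count": 0, "first": ts,
                                       "last": ts, "rcpts": set(), "kinds": set(),
                                       "subjects": set()})
        row["count"] += 1
        row["first"] = min(row["first"], ts)  # ISO timestamps sort as strings
        row["last"] = max(row["last"], ts)
        row["rcpts"].add(rcpt)
        row["kinds"].add(kind)
        row["subjects"].add(subj)
    return sorted(report.values(), key=lambda r: (-r["count"], r["acct"]))


if __name__ == "__main__":
    for r in find_backscatter(SAMPLE_LOG):
        print(f'{r["acct"]}: {r["count"]} automatic message(s) to unknown outside '
              f'addresses between {r["first"]} and {r["last"]}')
        for s in sorted(r["subjects"]):
            print(f"    subject: {s}")
```

The accounts at the top of the ranking are the ones to review for accept-then-bounce handling or autoresponders, and the first/last timestamps can be compared against the listing time shown on the blocklist lookup page.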

You must have skipped over the section for server admins. We have debated about whether to include information for both end users and server admins in the same FAQ and finally put links in a special section for server admins followed by a 'simple' explanation for the non-technically fluent.

I must have missed it, as you can see, I looked, perhaps it needs to be somewhere more forward facing?

Unfortunately, since I am technically non-fluent, I can't help you to find that 'single' customer who is sending autoresponses. However, there has to be a way because other server admins do not have this problem.

Without being passed some form of information at all (At this stage we know we were blocked, for something, which may have been a misdirected bounce, but that's all we know) I do not see how this is possible. SMTP transactions are logged, we act on spam complaints, we do the best we can, but without 'something' to go over the logs looking for there is nothing I can do.

Since I am technically non-fluent, I would begin by informing all my customers that all those things are not good practice any more (including using the 'bounce' feature on Mailwasher) and no longer will be allowed as part of the AUP. As reasons why not, be sure to describe horror stories of admins who receive thousands an hour! And some sob stories of novices who were terrified or horrified to see their email addresses being bounced! Then I would filter outgoing mail to look for likely culprits.

If only it was this easy.

PS If you do discover how to fix this problem, please post back and perhaps we can add it to the FAQ. I don't think that we have any FAQ for server admins that describes how to fix your problem. It is not exactly a spamcop FAQ, but you aren't the first person to be asking these questions.

I know the solution.

I be passed a report/evidence of the reasoning for this block, then I act on it preventing it happening again.

I cannot however, order our developers to fix software, when I am unable to provide them with a fault.

PPS if your senderbase statistics have gone way up (and now that I have started to type, I am not sure about that), then probably one of your customers is infected. The logs to look in are not the email logs but other ports since infections usually don't use Port 25 (again I am not technically fluent, so my terminology may not be correct).

Senderbase stats will go up and down often, depending on which development release we are using. The IP in question here, had only been up for less than a week, running our new version of code.

It's apparent we do have issues, we wish to fix them.

But without someone providing us a report/evidence I fail to see how we are to find this fault.


<snip>

It's apparent we do have issues, we wish to fix them.

But without someone providing us a report/evidence I fail to see how we are to find this fault.

The only way to get evidence for spam trap reports is by emailing the deputies (or using the web form).

And the problem you have, as I see it, is that you have to 'prove' that you are really the server admin which is difficult because of your non-conforming abuse/mx records or whatever (remember I am technically non-fluent).

The spammers have ruined the 'reports' system. Again, there must be some way that other server admins find the problems. I don't have any time to research for you. This has been a really BAD day for me (you don't really want to know the details of why! remember I am technically non-fluent and spamcop is not the only place where I have dealings - not to mention the human factor and other places where I am not technically fluent!).

Nobody can give you what you want except the deputies and they will only give you the subject line, IIRC. That's because we don't want you to 'listwash' but to fix the problem. And it has to be possible because others have done it.

Sorry I can't be more help. As I said, I have my own problems.

Miss Betsy


And the problem you have, as I see it, is that you have to 'prove' that you are really the server admin which is difficult because of your non-conforming abuse/mx records or whatever (remember I am technically non-fluent).

I have to prove I am responsible for this server. But how do I do this, our abuse/mx records are correct. postmaster[at]mailprimer.com comes directly to me, and our SOA/NS/MX/SPF records are all accurate. We just purchase the use of this address off our provider.

Our provider's abuse contact address is within accordance with APNIC policies. Spamcop seems to prefer the opinion of abuse.net over the details held at APNIC. This doesn't quite make sense to me.

Surely APNIC > abuse.net when it comes to contact details. If someone is DDoSing you, you don't whois the IP, find the contact address, then send your complaint to a different address.

Nobody can give you what you want except the deputies and they will only give you the subject line, IIRC. That's because we don't want you to 'listwash' but to fix the problem. And it has to be possible because others have done it.

Sorry I can't be more help. As I said, I have my own problems.

This is all we want and all I am asking for. There's obviously something about our platform people don't like, we would like to change this, but we can't unless someone tells us what it is, with a subject line, sender address, message body etc etc.

The fact that we appear to have been listed for bounce messages/NDRs/something surely suggests we aren't spammers.

I have emailed deputies about 2 weeks ago now, with no response, does anyone know if this is normal?

And your help has been appreciated.


...I have emailed deputies about 2 weeks ago now, with no response, does anyone know if this is normal? ...
From my only personal experience, as an ordinary member, response from Ellen was quite quick - but that was some time ago. General word is things are very busy, meritorious simple queries handled straight away, more complicated ones might tend to get buried. Nothing wrong with sending another email, perhaps giving your posts here (URL) as background and a shorthand reference to your problem/need for evidence. Good luck.

I have to prove I am responsible for this server. But how do I do this, our abuse/mx records are correct. postmaster[at]mailprimer.com comes directly to me, and our SOA/NS/MX/SPF records are all accurate. We just purchase the use of this address off our provider.

Our provider's abuse contact address is within accordance with APNIC policies. Spamcop seems to prefer the opinion of abuse.net over the details held at APNIC. This doesn't quite make sense to me.

Surely APNIC > abuse.net when it comes to contact details. If someone is DDoSing you, you don't whois the IP, find the contact address, then send your complaint to a different address.

I don't understand it either except that it is common practice. Since the abuse reports, if they came from people, would go to your provider, you may have to get your provider to email the deputies. You see, there are a lot of spammers who don't want their provider to know that they are spamming. (Again, that's a guess on my part.) Since the deputies have hundreds of emails every day, they answer the ones with all the information they need without having to do any additional research.

This is all we want and all I am asking for. There's obviously something about our platform people don't like, we would like to change this, but we can't unless someone tells us what it is, with a subject line, sender address, message body etc etc.

The fact that we appear to have been listed for bounce messages/NDRs/something surely suggests we aren't spammers.

I have emailed deputies about 2 weeks ago now, with no response, does anyone know if this is normal?

And your help has been appreciated.

I don't think that you will get the sender address or the message body. You are going to have to figure out how to find and stop whatever is causing you to be listed without that. You could try asking how to do that in spamcop newsgroup or spamcop.geeks - there are more server admins there. However, they also don't waste any time dressing up their answers to avoid hurt feelings. You will get much blunter answers there.

However, emailing the deputies again (without asking for the sender) and providing them with IP address, MX records, giving them the information that postmaster is answered, your provider's name and address, etc. and time and date of listing plus pointing them to this discussion would not hurt. If your first email asked for the sender and message body and left out any details, it may be buried. Once buried, I would guess, it never gets unburied.

Miss Betsy


I have to prove I am responsible for this server. But how do I do this, our abuse/mx records are correct. postmaster[at]mailprimer.com comes directly to me, and our SOA/NS/MX/SPF records are all accurate. We just purchase the use of this address off our provider.

Are you sending the email FROM the postmaster account or at least have the reply-to set to that account?

Our provider's abuse contact address is within accordance with APNIC policies. Spamcop seems to prefer the opinion of abuse.net over the details held at APNIC. This doesn't quite make sense to me, Surely APNIC > abuse.net when it comes to contact details.

Too often, the spammers are in control of addresses like user[at]domain.tld, which is why spamcop will not send reports there, preferring the role accounts postmaster, abuse, etc. People who care about receiving spam reports have generally registered with abuse.net.

If someone is DDoSing you, you don't whois the IP, find the contact address, then send your complaint to a different address.

Maybe you don't, but I rarely send complaint anywhere but a postmaster, hostmaster or abuse type address.

The fact that we appear to have been listed for bounce messages/NDRs/something surely suggests we aren't spammers.

You are sending email to email accounts that have not requested that traffic, therefore you ARE spammers, just not the first type you think about when you hear the word. If you have sent enough to trip the counter for spamcop, most likely you have sent many others. Most people in the world do NOT report spam, they simply filter it out and delete it.

You are sending email to email accounts that have not requested that traffic, therefore you ARE spammers, just not the first type you think about when you hear the word. If you have sent enough to trip the counter for spamcop, most likely you have sent many others.

Using your definition of spam, every time spamcop sends a report, it is spamming.

Posting to postmaster[at] does not make mail solicited.

Take my case as example.

My ISP lists kenneth.liew[at]hdsnz.com as point of contact for their address space.

Spamcop emails reports to postmaster[at]hdsnz.com

At what point did postmaster[at]hdsnz.com request the traffic?

Seems bizarre to me to apply one set of rules for DSN messages, and one set for spamcop reports.


From the PM sent;

I can only guess that means I am correct.

Thank you for your help!

You are nowhere near correct on anything. This 'discussion' was closed due to your lack of accepting any of the help offered, your apparent 'need' to challenge everything offered. You are not talking to any of the folks involved with the programming of the Parsing & Reporting system, and as all dialog from anyone besides yourself has come from other users volunteering their time, knowledge, suggestions on their own time .... I decided not to allow any of these folks to waste any more of their time. You want to rant, take it to the Lounge. This forum section is for those that are looking for "help" ....

You apparently have ignored the "user-to-user" notices, never bothered to look at Section 8 - SpamCop's System & Active Staff User Guide .. and even apparently ignored the last "suggestion" to contact someone that gets paid for this.


Archived

This topic is now archived and is closed to further replies.
