
False Positive


odysseus183


Hello,

My company email was being blocked last week by spamcop. The block has already expired, but since this happens on occasion I thought I would look into it.

Apparently, the block was put in place because some spam was sent from one of our ISP's (Verio) email servers, 128.121.64.66. This is not our email server (204.3.196.116) and the spam did not come from our domain (bosssystems.com). The spam was reported to the usenet group news.net-abuse.sighting:

http://groups.google.com/group/news.admin....bea49bb805c52f2

Am I missing something here, or is our company being penalized by something that does not have anything to do with us? Is there a way I can avoid this in the future?

Aaron

Link to comment

It is unlikely that the email you posted a link to is involved in your spamcop listing. First, if your email server is indeed 204.3.196.116, then that email does not appear to have passed through that IP at all. Second, it takes much more than a single report to get an IP address listed.

I'm sure one of the paid reporters will be along shortly and can post the report summary for your IP address so we can get a better idea.

Is your mailserver run by Verio, or is it your own server? Verio typically configures their mailserver incorrectly so that they send bounces to forged from addresses by the thousands, which causes them to be listed on a regular basis. My internet connection is through Verio, however, we run our own internal mailserver, which is configured in accordance with best practices, and have never had a problem.

Link to comment

Whether or not your email server's IP address is listed on spamcop may, or may not, have anything to do with a posting on news.net-abuse.sighting.

Some posters have access to past reports and may be able to help you further with why your email server has been listed.

If you administer your own server, you might read the server admin section of the Why Am I Blocked? FAQ for possibilities. Automatic replies which reply to forged return paths are often the culprit. Does the blocking coincide with someone in your office on vacation and using Out of Office replies indiscriminately?

Miss Betsy

Link to comment

> It is unlikely that the email you posted a link to is involved in your spamcop listing. First, if your email server is indeed 204.3.196.116, then that email does not appear to have passed through that IP at all. Second, it takes much more than a single report to get an IP address listed.
>
> I'm sure one of the paid reporters will be along shortly and can post the report summary for your IP address so we can get a better idea.

No better idea on that IP Address:

Parsing input: 204.3.196.116

host 204.3.196.116 (getting name) = www.bosssystems.com.

host 204.3.196.116 = www.bosssystems.com (cached)

No recent reports, no history available

Routing details for 204.3.196.116

[refresh/show] Cached whois for 204.3.196.116 : swip[at]sjcwh.verio.net

abuse[at]verio.net redirects to abuse[at]ntt.net

Using best contacts abuse[at]ntt.net

The other IP address, however, is bouncing undeliverables all over the internet. Does your server use them as a smarthost, possibly? That would cause your mail to be affected by their listing.

Report History:


--------------------------------------------------------------------------------

Submitted: Monday, August 28, 2006 9:01:11 PM -0400:

failure notice

1896467229 ( 128.121.64.66 ) ( UUBE ) To: uube[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Sunday, August 27, 2006 7:28:17 AM -0400:

failure notice

1894095528 ( 128.121.64.66 ) ( UUBE ) To: uube[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Saturday, August 26, 2006 8:30:41 AM -0400:

failure notice

1892883988 ( 128.121.64.66 ) ( UUBE ) To: uube[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Saturday, August 26, 2006 2:25:13 AM -0400:

failure notice

1892589422 ( 128.121.64.66 ) ( UUBE ) To: uube[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Friday, August 25, 2006 10:03:25 AM -0400:

Mail Delivery Failure

1891684281 ( 128.121.64.66 ) ( UUBE ) To: uube[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Thursday, August 24, 2006 4:16:18 PM -0400:

failure notice

1890723671 ( 128.121.64.66 ) ( UUBE ) To: uube[at]devnull.spamcop.net

--------------------------------------------------------------------------------

Submitted: Thursday, August 24, 2006 8:52:40 AM -0400:

failure notice

1890170422 ( 128.121.64.66 ) ( UUBE ) To: uube[at]devnull.spamcop.net


Link to comment

Resolved bosssystems.com to 204.3.196.116

[bosssystems.com has 1 MX record mail-fwd.g14.rapidsite.net.(50)]

Resolved mail-fwd.g14.rapidsite.net to 128.121.85.2

You might be right

address 128.121.64.66 = mail14d.g14.rapidsite.net.

He is using Rapidsite! So it could have gone through there.

Link to comment

We do not have any autoresponders configured. I checked again this morning to confirm.

Verio hosts our web and our email for us. I don't know the difference between hosting and "smart" hosting.

In our email programs, the POP3 server is specified as bosssystems.com and the SMTP server is specified as smtp.bosssystems.com. These both map to the same IP address, 204.3.196.116.

Rapidsite is part of Verio. From reading the link posted by DavidT, I gather that:

1. Verio is at fault.

2. There is nothing I can do about it except report the problem to Verio and/or get a new provider.

Is this about right?

Aaron

Link to comment

It happened again, this time with mail14e.g14.rapidsite.net [128.121.64.102]

http://www.spamcop.net/w3m?action=blcheck&...=128.121.64.102

Please send an email to the address in my sig with the subject: SpamCop Forum Test

I would like to see the path your message takes coming from your system to the internet. It is likely your list is correct, but this should confirm it.

Link to comment
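The path check requested above can be done on any delivered test message by reading its Received headers. The following is an added example, not part of the original thread: the sample message is constructed (only the rapidsite hostname, the two IP addresses and smtp.bosssystems.com come from this page; `example.net`, `example.lan`, the mail addresses and the queue ids are placeholders), and `bl.spamcop.net` is the SpamCop DNSBL zone.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: what a recipient might see for mail submitted to
# smtp.bosssystems.com and handed to the internet by a shared relay.
SAMPLE = """\
Received: from mail14d.g14.rapidsite.net (mail14d.g14.rapidsite.net [128.121.64.66])
\tby mx.example.net with ESMTP id CONSTRUCTED2; Mon, 28 Aug 2006 21:01:11 -0400
Received: from desktop.example.lan (unknown [192.168.1.20])
\tby smtp.bosssystems.com with ESMTP id CONSTRUCTED1; Mon, 28 Aug 2006 21:01:05 -0400
From: sender@bosssystems.com
To: tester@example.net
Subject: SpamCop Forum Test

test
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_ips(raw_message):
    """Return public IPv4 addresses from Received headers, newest hop first."""
    found = []
    for header in message_from_string(raw_message).get_all("Received", []):
        for text in IP_IN_BRACKETS.findall(header):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # e.g. [999.1.1.1] is not an address
            if ip.is_global and text not in found:
                found.append(text)
    return found

def dnsbl_name(ip, zone="bl.spamcop.net"):
    """DNSBL query name: the IPv4 octets reversed, followed by the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def egress_report(raw_message, domain_ip):
    """Compare the IP that handed the mail to the recipient with the domain's own IP."""
    hops = relay_ips(raw_message)
    handoff = hops[0] if hops else None  # topmost Received is written by the recipient's MX
    return {"handoff_ip": handoff,
            "same_as_domain_ip": handoff == domain_ip,
            "query": dnsbl_name(handoff) if handoff else None}
```

Resolving the `query` name with any DNS client shows the listing state: an A record in 127.0.0.0/8 means listed, NXDOMAIN means not listed.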

I'm guessing that this is a "shared hosting" situation, in which many domains share a single server. In most of those cases, the email source IP is rarely the IP affiliated with the domain itself, but usually a more "global" one belonging to either the server itself or some hop upstream from the server. This is one of the major problems of shared hosting, in that if anything bad is being transmitted by your "neighbors" on the server, it winds up interfering with your outbound mail also.

In the case of the most recent IP you gave us, it looks like the server is sending "misdirected bounces" that are hitting spamtrap addresses. This is something that only the server admin would be able to deal with, in that they'd need to change the server's behavior so that it rejects incoming mail during the initial SMTP session instead of sending out separate bounce notices after the fact.

DT

Link to comment
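The difference between bouncing after the fact and rejecting during the SMTP session, as described in the post above, can be shown with a small simulation. This is an added example, not code from the thread or from any mail server: the mailboxes, the forged senders and the spamtrap address are constructed, and `validate_at_rcpt` is a hypothetical switch standing in for the server's recipient-validation setting.

```python
# Constructed data: one real local mailbox and a spam run with forged envelope senders.
LOCAL_USERS = {"sender@bosssystems.com"}
SPAMTRAPS = {"trap@spamtrap.example"}
SPAM_RUN = [  # (forged MAIL FROM, RCPT TO)
    ("trap@spamtrap.example", "nosuchuser1@bosssystems.com"),
    ("victim@innocent.example", "nosuchuser2@bosssystems.com"),
    ("trap@spamtrap.example", "sender@bosssystems.com"),
]

def smtp_session(mail_from, rcpt_to, validate_at_rcpt):
    """Return (reply given to the connecting client, bounces queued afterwards).

    A bounce is (envelope_sender, envelope_recipient); bounces use the null sender "<>".
    """
    known = rcpt_to in LOCAL_USERS
    if validate_at_rcpt:
        # Refuse in-session: the connecting client owns the failure, nothing is queued.
        return ("250 2.1.5 Ok" if known else "550 5.1.1 User unknown"), []
    # Accept-then-bounce: every recipient gets 250, the failure is found at delivery
    # time, and a bounce goes to whatever address MAIL FROM claimed.
    bounces = [] if known else [("<>", mail_from)]
    return "250 2.1.5 Ok", bounces

def run(validate_at_rcpt):
    """Process the constructed spam run under one policy and summarise the outcome."""
    replies, outbound = [], []
    for mail_from, rcpt_to in SPAM_RUN:
        reply, bounces = smtp_session(mail_from, rcpt_to, validate_at_rcpt)
        replies.append(reply)
        outbound.extend(bounces)
    trap_hits = sum(1 for _, rcpt in outbound if rcpt in SPAMTRAPS)
    return {"replies": replies, "bounces_sent": len(outbound), "spamtrap_hits": trap_hits}
```

With `validate_at_rcpt=False` the relay's own IP is the source of the messages reaching the spamtrap, which is what gets a shared server listed.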

> In the case of the most recent IP you gave us, it looks like the server is sending "misdirected bounces" that are hitting spamtrap addresses. This is something that only the server admin would be able to deal with, in that they'd need to change the server's behavior so that it rejects incoming mail during the initial SMTP session instead of sending out separate bounce notices after the fact.

What are "misdirected bounces"? Do they have something to do with autoresponders?

Link to comment

Autoresponders generate some, but not all misdirected bounces. You can read some details in one of the Spamcop FAQs here.

Of course, mentioning that this referenced SpamCop FAQ is incorporated into the single-page-access and expanded form of it here, linked to at the top of the page. There is also a Dictionary, Glossary, and the recently opened SpamCopWiki that includes "words you may not know the meaning of" available 'here' ....

Link to comment

Archived

This topic is now archived and is closed to further replies.
