paulmon Posted October 2, 2006

I'm the manager of the engineering group for a majorish Canadian ISP. I hate spammers. It seems that one of my 200,000 users is spamming. We have numerous spam prevention systems in place. We have a throttle that prevents users from sending out massive amounts of email. This is set very low. However, we still find ourselves getting blacklisted by SpamCop. My only guess as to why this is happening is that the user(s) that are spamming are doing so at a low volume, and trip a SpamCop spam trap email address.

What I would like to know is: how is this preventable? I'm being told by SpamCop that 1 of my 200,000 users is spamming. How on earth can I possibly find them if they're sending a low volume of spam and they hit the spam trap? SpamCop won't answer phone calls and, for fear of divulging the spam trap address, won't tell us the time and date of the sending user; basically they won't tell us anything other than "one of your 200,000 users is spamming."

How are other ISPs getting around this blocking? I run the engineering of an honest ISP that honestly doesn't want any spammers on their network. I want to find these people and run them off my network. Basically I want what SpamCop wants: I want to stop spam. However, I can't do that without some help. Someone somewhere must have some suggestions.

Regards,
Paul
turetzsr Posted October 2, 2006

Hi, Paul,

...Your frustration is understandable. Spammers have ruined things for everyone!

...Please go back to the first page of this forum (http://forum.spamcop.net/forums/index.php?showforum=11) and click the link labeled "Announcement: [How-to] Post a Question (and prevent stupid/rude answers)," especially the section labeled "The question." We need a bit more information from you to help you.

...In general, I have heard others mention to admins that they should check their outgoing firewall logs for suspicious activity. Some signs of suspicious activity are messages that look like bounces or out-of-office messages. Once you post the information referred to in the aforementioned Announcement, others here might be able to provide a bit more information that might help you.

...Good luck!
paulmon (Author) Posted October 2, 2006

Steve,

I've read that post and don't know what else to tell you. I can't provide the spam in question as we believe the user is tripping a spam trap. All I know is my mail server is listed in SpamCop. The mail server in question is referenced by this SpamCop report.

I guess the frustration comes from SpamCop's desire to reduce spam and then sitting on their "high horse" and not providing people like me and my team the information they need to stop it. I can understand why they don't want to let people know, for fear of people starting to know the spam trap email addresses. So on the one hand SpamCop wants to reduce spam; on the other hand their silence is actually causing more spam.

Our cluster of mail servers sends out hundreds of thousands of emails a day. Checking our outbound logs for "suspicious activity" is like trying to find a you-know-what in a haystack. We already track messages by count for every IP and every user in our network, similar to SenderBase but our own system. This is part of the throttle I mention in my first post. However, as we're talking about spam trap addresses, a user could send 10 messages/hour and still get us flagged in the SpamCop DB.

My sales team, marketing team, technical support and customers don't care that the ISPs blocking us are using SpamCop in too strict a fashion and not as designed; that isn't their concern. To them this is my problem to fix, but without a two-way street between SpamCop and my team this isn't fixable.

So how do I find one spammer in 200,000 users with no information at all? How are other ISPs preventing themselves from getting blacklisted? An ISP could never EVER prevent spam entirely; anyone who thinks so is dreaming. So how do I prevent getting blacklisted if I can never get rid of all spam?

Paul
Wazoo Posted October 2, 2006

Thanks for providing the IP address in question. Looking at the page you referenced, both spamtrap hits and user reports have been made. From that page, follow the SenderBase link ... overall traffic numbers don't suggest spammer infestation. So the likelihood is "misdirected e-mails" .... From the SenderBase page, follow the Google Group look-up .... hmmmm, first item seen is a 'rejection e-mail' as the user doesn't live here .... then there's some older spam .... Back to the "Why am I Blocked?" FAQ for starters ...???? PBSL has a "new/fresh" database, so no data found there ....
turetzsr Posted October 2, 2006

Thanks for providing the IP address in question. Looking at the page you referenced, both spamtrap hits and user reports have been made. <snip>

...Which also means that user reports should have been going to aupviolations[at]primus.ca (I found this by following the link you provided, Paul, then clicking on the link labeled "Trace IP"). Have you looked for those reports?
Wazoo Posted October 2, 2006

Suspecting that the data shouldn't be all that hard to 'discover' ....

Report History:

Submitted: Monday, October 02, 2006 9:44:04 AM -0500: YOUR EMAIL WAS PICKED AS THE FREE LOTTO ONLINE WINNER! CONGRATULATIONS!!!
    1947730370 ( 216.254.136.21 ) To: aupviolations[at]primus.ca

Submitted: Monday, October 02, 2006 7:21:58 AM -0500: YOUR EMAIL WAS PICKED AS THE FREE LOTTO ONLINE WINNER! CONGRATULATIONS!!!
    1947559170 ( 216.254.136.21 ) To: spamcop[at]imaphost.com
    1947559146 ( 216.254.136.21 ) To: aupviolations[at]primus.ca

Submitted: Monday, October 02, 2006 1:27:13 AM -0500: [spam] YOUR EMAIL WAS PICKED AS THE FREE LOTTO ONLINE WINNER! CONGRATULATIONS!!!
    1947852131 ( 216.254.136.21 ) To: spamcop[at]imaphost.com
    1947852118 ( 216.254.136.21 ) To: aupviolations[at]primus.ca

Submitted: Sunday, October 01, 2006 7:04:10 PM -0500: Mail delivery failed : returning message to sender
    1946895663 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Sunday, October 01, 2006 4:15:28 PM -0500: YOUR EMAIL WAS PICKED AS THE FREE LOTTO ONLINE WINNER! CONGRATULATIONS!!!
    1946746992 ( 216.254.136.21 ) To: aupviolations[at]primus.ca

Submitted: Sunday, October 01, 2006 8:15:18 AM -0500: Mail delivery failed : returning message to sender
    1946271041 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Saturday, September 30, 2006 6:57:52 AM -0500: Mail delivery failed : returning message to sender
    1944857333 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Friday, September 29, 2006 3:42:59 PM -0500: Mail delivery failed : returning message to sender
    1944013478 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Friday, September 29, 2006 12:00:42 PM -0500: Mail delivery failed : returning message to sender
    1943757524 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Thursday, September 28, 2006 6:43:00 PM -0500: Mail delivery failed : returning message to sender
    1942686192 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Wednesday, September 27, 2006 11:59:56 AM -0500: BE OUR COMPANY REPRESENTATIVE IN YOUR REGION
    1940795740 ( 216.254.141.10 ) To: spamcop[at]imaphost.com
    1940795731 ( 216.254.141.10 ) To: aupviolations[at]primus.ca
    1940795728 ( 216.254.136.21 ) To: aupviolations[at]primus.ca

Submitted: Tuesday, September 26, 2006 11:37:50 PM -0500: CONGRATULATION YOU HAVE WON THE ONLINE BRITISH NATIONAL LOTTERY BATCH: 074/05...
    1940040726 ( 216.254.141.10 ) To: spamcop[at]imaphost.com
    1940040701 ( 216.254.141.10 ) To: aupviolations[at]primus.ca
    1940040692 ( 216.254.136.21 ) To: aupviolations[at]primus.ca

Submitted: Tuesday, September 26, 2006 10:55:02 PM -0500: [spam:76%] CONGRATULATION YOU HAVE WON THE ONLINE BRITISH
    1940028923 ( 216.254.141.10 ) To: spamcop[at]imaphost.com
    1940028918 ( 216.254.141.10 ) To: aupviolations[at]primus.ca
    1940028916 ( 216.254.136.21 ) To: aupviolations[at]primus.ca
petzl Posted October 3, 2006

The mail server in question is referenced by this SpamCop report. So how do I find one spammer in 200,000 users with no information at all? How are other ISPs preventing themselves from getting blacklisted? An ISP could never EVER prevent spam entirely; anyone who thinks so is dreaming. So how do I prevent getting blacklisted if I can never get rid of all spam?

Your mail server is not stamping the source IP (where the mail server received the message from). Your email server is not compliant and is concealing the spam source.

****mail.tor.primus.ca_headers*****
Return-Path: <remove^bblockstech.com>
Received: from smtp-05.primus.ca (mail.tor.primus.ca [216.254.136.21])
    by www.***.*** (Postfix) with ESMTP id A529111E82
    for <***^***.***>; Mon, 17 Apr 2006 21:46:26 -0400 (EDT)
Received: from dsl-207-112-109-251.tor.primus.ca ([207.112.109.251] helo=YOUR-97FD25D54E)
    by smtp-05.primus.ca with esmtpa (Exim 4.50)
    id 1FVfEi-0007k9-J9
    for ***^***.***; Mon, 17 Apr 2006 21:42:37 -0400
From: Steve Shivkumar <sshivkumar^bblockstech.com>
To: ***^***.***
Message-Id: <20060417214237.609557^bblockstech.com>
Subject: 5-day Voice Over IP Security Boot Camp Course in Ottawa June 5-9, 2006
Date: Mon, 17 Apr 2006 21:42:37 -0400
MIME-Version: 1.0
Reply-To: sshivkumar^bblockstech.com
Content-Type: multipart/mixed; boundary="MixedBoundary.11111111.11111111"
*****Headers_End****
http://www.spamcop.net/sc?id=z1087964718z872b4575be82457c32c974068e18a468z

A test email from me through Hotmail correctly identifies the IP source [211.27.248.13]. It does not identify the Hotmail email server as the "injection point" (Hotmail servers are compliant). If you make email server [216.254.136.21] compliant, where it appropriately stamps the source or "injection point", your server will not be added to the SCBL or any other "blocklist" (unless it does other dumb things like mindlessly bounce email). At present your server is naming itself as the spam injection point. It needs to stamp where it is getting its email from.
Derek T Posted October 3, 2006

According to SenderBase there are 358 'mailservers' sending mail from Primus. The vast majority are in DSL space and indicate trojanned customers. As petzl says, if your SMTP servers recorded the injection point that would help, but so would being a bit more proactive in closing down infected connections.
paulmon (Author) Posted October 3, 2006

Your mail server is not stamping the source IP (where the mail server received the message from). Your email server is not compliant and is concealing the spam source.

Am I missing something? Isn't this the injection point?

Received: from dsl-207-112-109-251.tor.primus.ca ([207.112.109.251] helo=YOUR-97FD25D54E)

Paul
DavidT Posted October 3, 2006

Aside from the "injection point" issue, what about all those misdirected bounces (aka "backscatter")? I'm not able to inspect any of the actual reported messages, but when we see items in the database flagged as "UUBE" (Unwanted/Unsolicited Bounce Email) with Subject lines like this:

Mail delivery failed : returning message to sender

that's usually a red flag for misdirected bounces. See this URL: http://www.spamcop.net/fom-serve/cache/329.html

Many otherwise "clean" servers are getting listed in SpamCop's SCBL due to this issue.

DT
Snowbat Posted October 3, 2006

Am I missing something? Isn't this the injection point? Received: from dsl-207-112-109-251.tor.primus.ca ([207.112.109.251] helo=YOUR-97FD25D54E)

I concur. The format may look a little strange with the HELO ID after the IP address, but the parser had no problems with it. Chain test looks fine and no problem identifying the source IP in two examples I tried from http://groups.google.com/groups?scoring=d&...1+group:*abuse*

Received: from [207.112.84.44] (helo=YOUR-97FD25D54E)
    by smtp-06.primus.ca with esmtpa (Exim 4.43)
    id 1FcvB9-0007Jl-Kd
    for ***^***.***; Sun, 07 May 2006 22:08:56 -0400

207.112.84.44 found
host 207.112.84.44 (getting name) = dsl-207-112-84-44.tor.primus.ca.
Possible spammer: 207.112.84.44
Possible relay: 216.254.136.21
216.254.136.21 not listed in relays.ordb.org.
216.254.136.21 has already been sent to relay testers
Received line accepted
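The walk that petzl, Paul and Snowbat are arguing over above (which Received: hop is the "injection point" and which IP it names) is mechanical enough to script. The following is an added example written for this page; it is not SpamCop's parser and not code from anyone in the thread. It unfolds the header block, parses each Received: line, walks the chain from oldest to newest and stops at the first hop stamped "by" one of the ISP's own MTAs: the client on the "from" side of that hop is what handed the message to the ISP, and every Received: line below it was written (or forged) by that client. Both header shapes seen in the thread are handled: the bracketed IP with the HELO name after it, and the bare [IP] (helo=...) form. The sample header blocks are constructed from the headers posted above with the masked recipient replaced by user@example.org; the domain suffix primus.ca is passed in as a parameter and is the only assumption about which hosts are "ours".

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches an unfolded Received: value of either shape seen in this thread:
#   from host ([1.2.3.4] helo=X) by smtp-05.primus.ca with esmtpa (Exim 4.50) id ... for ...
#   from host (name [1.2.3.4]) by www.example.org (Postfix) with ESMTP id ... for ...
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)"
    r"(?:.*?\bwith\s+(?P<with>\S+))?"
    r"(?:.*?\bid\s+(?P<id>\S+))?",
    re.IGNORECASE,
)
# The literal peer address the receiving MTA writes in square brackets.
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join folded continuation lines and return (name, value) pairs, stopping at the body."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Break one unfolded Received: value into from-IP, by-host, protocol and queue id."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    ip = IPV4_RE.search(m.group("from"))
    proto = (m.group("with") or "").lower()
    return {
        "from_ip": ip.group(1) if ip else None,
        "from_raw": m.group("from"),
        "by": m.group("by"),
        "with": proto,
        # Exim writes "esmtpa" / "esmtpsa" only when the client passed SMTP AUTH; the
        # authenticated account name is in Exim's own log under this queue id, not here.
        "authenticated": proto in ("esmtpa", "esmtpsa"),
        "id": m.group("id"),
    }


def find_injection_point(raw_headers: str, our_domain: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the hop at which one of our MTAs first accepted the message.

    Received: headers are prepended by each hop, so the list reads newest first. Walking
    oldest to newest and stopping at the first hop whose "by" host is ours yields the
    client that injected the message; hops below it are untrusted client-supplied data.
    """
    suffix = our_domain.lower().lstrip(".")
    hops = [parse_received(v) for n, v in unfold_headers(raw_headers) if n.lower() == "received"]
    for hop in reversed(hops):
        if hop is None:
            continue
        by = (hop["by"] or "").lower()
        if by == suffix or by.endswith("." + suffix):
            return hop
    return None


# Constructed sample: the header block posted in this thread, recipient masked as
# user@example.org. Not a captured live message.
SAMPLE_HEADERS = """\
Received: from smtp-05.primus.ca (mail.tor.primus.ca [216.254.136.21])
    by www.example.org (Postfix) with ESMTP id A529111E82
    for <user@example.org>; Mon, 17 Apr 2006 21:46:26 -0400 (EDT)
Received: from dsl-207-112-109-251.tor.primus.ca ([207.112.109.251] helo=YOUR-97FD25D54E)
    by smtp-05.primus.ca with esmtpa (Exim 4.50)
    id 1FVfEi-0007k9-J9
    for user@example.org; Mon, 17 Apr 2006 21:42:37 -0400
Subject: 5-day Voice Over IP Security Boot Camp Course in Ottawa June 5-9, 2006
Date: Mon, 17 Apr 2006 21:42:37 -0400

body follows
"""

# Constructed sample: the bare-[IP] form from Snowbat's post above.
SAMPLE_HEADERS_BARE_IP = """\
Received: from [207.112.84.44] (helo=YOUR-97FD25D54E)
    by smtp-06.primus.ca with esmtpa (Exim 4.43)
    id 1FcvB9-0007Jl-Kd
    for user@example.org; Sun, 07 May 2006 22:08:56 -0400
Subject: constructed sample
"""

if __name__ == "__main__":
    for raw in (SAMPLE_HEADERS, SAMPLE_HEADERS_BARE_IP):
        print(find_injection_point(raw, "primus.ca"))
```

For the posted headers this returns 207.112.109.251 as the injection point, with the hop marked authenticated and carrying Exim queue id 1FVfEi-0007k9-J9; the same id in the smarthost's mainlog names the account that authenticated, which is the user to look up. Passing example.org instead of primus.ca returns 216.254.136.21, which is exactly what SpamCop's report page shows from the recipient's side.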
Wazoo Posted October 3, 2006

Initial query issue, problem, spew continues ....

Submitted: Tuesday, October 03, 2006 6:14:31 AM -0500: NOTIFICA DEL PREMIO:CONGRATULAZIONI!!!
    1948963158 ( 216.254.136.21 ) To: spamcop[at]imaphost.com
    1948963153 ( 216.254.136.21 ) To: aupviolations[at]primus.ca

Submitted: Tuesday, October 03, 2006 6:04:11 AM -0500: Mail delivery failed : returning message to sender
    1948949337 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Tuesday, October 03, 2006 1:56:07 AM -0500: Mail delivery failed : returning message to sender
    1948704265 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Tuesday, October 03, 2006 1:12:58 AM -0500: Mail delivery failed : returning message to sender
    1948659494 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Tuesday, October 03, 2006 12:44:04 AM -0500: Mail delivery failed : returning message to sender
    1948630560 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net
petzl Posted October 3, 2006

Am I missing something? Isn't this the injection point? Received: from dsl-207-112-109-251.tor.primus.ca ([207.112.109.251] helo=YOUR-97FD25D54E)

Sorry, you are correct. SpamCop would not list this/your server if spam was sent through it (SpamCop would indeed just block the source computer). I looked at your SpamCop "report history" and it is targeting 216.254.136.21 as a spam source (need to see newer headers). IP 216.254.136.21 is also being sourced for UUBE. This then means your server is bouncing (Joe Jobbing) email to fake addresses: http://www.spamcop.net/fom-serve/cache/329.html

I suggest you contact the deputies directly: http://www.spamcop.net/fom-serve/cache/91.html
Jeff G. Posted October 8, 2006

More recent Report History follows (you should be accepting and acting on UUBE Reports, rather than opting not to receive them):

Submitted: Saturday 2006/10/07 18:58:23 -0400: Mail delivery failed : returning message to sender
    1956179132 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Saturday 2006/10/07 18:57:18 -0400: Mail delivery failed : returning message to sender
    1956177981 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Saturday 2006/10/07 04:56:21 -0400: Mail delivery failed : returning message to sender
    1955272751 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Saturday 2006/10/07 02:02:14 -0400: Mail delivery failed : returning message to sender
    1955090106 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Friday 2006/10/06 22:17:21 -0400: Mail delivery failed : returning message to sender
    1954881195 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Friday 2006/10/06 21:29:03 -0400: Mail delivery failed : returning message to sender
    1954837468 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Friday 2006/10/06 18:47:49 -0400: Mail delivery failed : returning message to sender
    1954696702 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Friday 2006/10/06 15:03:08 -0400: REQUEST TO BE OUR COMPANY'S PAYMENT AGENT IN YOUR REGION
    1954459122 ( 216.254.136.21 ) To: aupviolations[at]primus.ca

Submitted: Friday 2006/10/06 12:13:41 -0400: Mail delivery failed : returning message to sender
    1954233714 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Thursday 2006/10/05 21:52:53 -0400: spam: =?ISO-8859-1?Q?ATTN: YOU WON =A31.5M (CLAIM IT NOW).?=
    1954456583 ( 216.254.136.21 ) To: spamcop[at]imaphost.com
    1954456574 ( 216.254.136.21 ) To: aupviolations[at]primus.ca

Submitted: Friday 2006/10/06 09:02:03 -0400: Mail delivery failed : returning message to sender
    1953960092 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Friday 2006/10/06 08:37:16 -0400: MYSTERY SHOPPER WANTED EARN NO LESS THAN $ 500.00
    1953925654 ( 216.254.136.21 ) To: aupviolations[at]primus.ca

Submitted: Friday 2006/10/06 07:49:41 -0400: Mail delivery failed : returning message to sender
    1953862577 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Friday 2006/10/06 00:55:52 -0400: Mail delivery failed : returning message to sender
    1953393459 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Thursday 2006/10/05 17:46:15 -0400: Mail delivery failed : returning message to sender
    1952968721 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Thursday 2006/10/05 16:26:44 -0400: Mail delivery failed : returning message to sender
    1952881542 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Wednesday 2006/10/04 23:29:04 -0400: Mail delivery failed : returning message to sender
    1951737240 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Wednesday 2006/10/04 16:24:05 -0400: Mail delivery failed : returning message to sender
    1951332937 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Wednesday 2006/10/04 07:34:17 -0400: Mail delivery failed : returning message to sender
    1950600067 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Wednesday 2006/10/04 03:05:59 -0400: Mail delivery failed : returning message to sender
    1950309905 ( 216.254.136.21 ) To: aupviolations[at]primus.ca

Submitted: Wednesday 2006/10/04 00:39:22 -0400: Mail delivery failed : returning message to sender
    1950149440 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Tuesday 2006/10/03 20:54:58 -0400: Mail delivery failed : returning message to sender
    1949945431 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net

Submitted: Tuesday 2006/10/03 07:14:31 -0400: NOTIFICA DEL PREMIO:CONGRATULAZIONI!!!
    1948963158 ( 216.254.136.21 ) To: spamcop[at]imaphost.com
    1948963153 ( 216.254.136.21 ) To: aupviolations[at]primus.ca

Submitted: Tuesday 2006/10/03 07:04:11 -0400: Mail delivery failed : returning message to sender
    1948949337 ( 216.254.136.21 ) ( UUBE ) To: uube[at]devnull.spamcop.net