guido90210 Posted October 9, 2006 Share Posted October 9, 2006 Hi there, One of my organisation's two MXes (203.2.32.108) has been listed in the SpamCop blacklist today, apparently for sending misdirected bounces, according to the lookup tool on the SpamCop website. It's true - that server does send bounced email. It sends bounced email for unknown recipients, and for over-quota local users. We also use vacation messages. I don't yet have recipient whitelisting set up on our MXes, and don't use SPF or DKIM. I'd like to do these things, but I'm a Unix administrator, and email administrator is one of the many hats that I wear. Anyway... I'd like to know if it's possible to find out exactly which bounces are causing me to get into the SCBL? Is there a web-based interface to do this? Also, can I find out if there are any user reports that have been lodged for this box? Finally, a bit off-topic, but what measures would the gentle readers suggest for reducing bounces, other than recipient whitelisting, SPF and DKIM? Thanks in advance, G. Link to comment Share on other sites More sharing options...
Wazoo Posted October 9, 2006 Share Posted October 9, 2006 One of my organisation's two MXes (203.2.32.108) has been listed in the SpamCop blacklist today, apparently for sending misdirected bounces, according to the lookup tool on the SpamCop website. http://spamcop.net/w3m?action=checkblock&ip=203.2.32.108 203.2.32.108 listed in bl.spamcop.net (127.0.0.2) If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 0 hours. Causes of listing System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop) It appears this listing is caused by misdirected bounces. We have a FAQ which covers this topic: Why auto-responses are bad (Misdirected bounces). Please read this FAQ and heed the advice contained in it Listing History System has been listed for less than 24 hours. http://www.senderbase.org/?searchBy=ipaddr...ng=203.2.32.108 Volume Statistics for this IP Magnitude Vol Change vs. Average Last day ......... 4.1 .. 173% Last 30 days ... 3.7 ... -0% Average ......... 3.7 Can you justify that last day incease? It's true - that server does send bounced email. It sends bounced email for unknown recipients, and for over-quota local users. We also use vacation messages. I don't yet have recipient whitelisting set up on our MXes, and don't use SPF or DKIM. I'd like to do these things, but I'm a Unix administrator, and email administrator is one of the many hats that I wear. Anyway... You've pretty much covered the entire gamut of 'bad' stuff .... stuff that was fine until the spammers started abusing it a few years ago ... I'd like to know if it's possible to find out exactly which bounces are causing me to get into the SCBL? Is there a web-based interface to do this? Also, can I find out if there are any user reports that have been lodged for this box? That's a bit of a bad question based on the data showing at http://mailsc.spamcop.net/sc?track=203.2.32.108 Parsing input: 203.2.32.108 host 203.2.32.108 = atom.scu.edu.au (cached) host 203.2.32.108 = atom.scu.edu.au (cached) Routing details for 203.2.32.108 Cached whois for 203.2.32.108 : mpowell[at]alsvid.une.edu.au Using last resort contacts mpowell[at]alsvid.une.edu.au mpowell[at]alsvid.une.edu.au bounces (19 sent : 10 bounces) Using mpowell#alsvid.une.edu.au[at]devnull.spamcop.net for statistical tracking. Statistics: 203.2.32.108 listed in bl.spamcop.net (127.0.0.2) More Information.. 203.2.32.108 not listed in dnsbl.njabl.org 203.2.32.108 not listed in dnsbl.njabl.org 203.2.32.108 not listed in cbl.abuseat.org 203.2.32.108 not listed in dnsbl.sorbs.net 203.2.32.108 not listed in relays.ordb.org. No valid email addresses found, sorry! There are several possible reasons for this: The site involved may not want reports from SpamCop. SpamCop administrators may have decided to stop sending reports to the site to prevent listwashing. SpamCop uses internal routeing to contact this site, only knows about the internal method and so cannot provide an externally-valid email address. There may be no working email address to receive reports. Add this to the "ignore the FAQ" scenario and you have a mess in our hands. Spamtrap data is not handed over freely, and the public availability of this data was removed due to spammers working and abusing the system ... How to ask for any 'official' help is covered in the FAQ .... The only data available 'here' would be; Report History: Submitted: Sunday, October 08, 2006 11:05:31 AM -0500: Returned mail: see transcript for details 1957207419 ( 203.2.32.108 ) ( UUBE ) To: uube[at]devnull.spamcop.net ----------------------------------------------------- Submitted: Sunday, October 08, 2006 5:40:34 AM -0500: Returned mail: see transcript for details 1956812423 ( 203.2.32.108 ) ( UUBE ) To: uube[at]devnull.spamcop.net ----------------------------------------------------- Submitted: Sunday, October 08, 2006 1:13:51 AM -0500: Returned mail: see transcript for details 1956558581 ( 203.2.32.108 ) ( UUBE ) To: uube[at]devnull.spamcop.net ------------------------------------------------------- Submitted: Saturday, October 07, 2006 8:38:40 PM -0500: Returned mail: see transcript for details 1956325633 ( 203.2.32.108 ) ( UUBE ) To: uube[at]devnull.spamcop.net ------------------------------------------------------- Submitted: Saturday, October 07, 2006 2:56:04 PM -0500: Returned mail: see transcript for details 1955995970 ( 203.2.32.108 ) ( UUBE ) To: uube[at]devnull.spamcop.net --------------------------------------------------- Submitted: Friday, October 06, 2006 1:22:53 PM -0500: Returned mail: see transcript for details 1954406282 ( 203.2.32.108 ) ( UUBE ) To: uube[at]devnull.spamcop.net ----------------------------------------------------- Submitted: Friday, October 06, 2006 12:54:55 AM -0500: Returned mail: see transcript for details 1953454793 ( 203.2.32.108 ) ( UUBE ) To: uube[at]devnull.spamcop.net ----------------------------------------------------- Submitted: Friday, October 06, 2006 12:37:12 AM -0500: Returned mail: see transcript for details 1953436497 ( 203.2.32.108 ) ( UUBE ) To: uube[at]devnull.spamcop.net Finally, a bit off-topic, but what measures would the gentle readers suggest for reducing bounces, other than recipient whitelisting, SPF and DKIM? You're pretty much wasting everyone else's time if you're not going to look at the FAQ, look at the same ground covered in countless previous discussions, etc., etc., etc. Reject at SMTP receipt if you are not going to actually deliver the e-mail to a local user. Link to comment Share on other sites More sharing options...
guido90210 Posted October 9, 2006 Author Share Posted October 9, 2006 <snip> http://www.senderbase.org/?searchBy=ipaddr...ng=203.2.32.108 Volume Statistics for this IP Magnitude Vol Change vs. Average Last day ......... 4.1 .. 173% Last 30 days ... 3.7 ... -0% Average ......... 3.7 Can you justify that last day incease? Ummm... don't know if you meant to use the word 'justify' here... perhaps 'explain'? And no, I can't explain it either. Maybe IronPort could, given that it's their statistic You've pretty much covered the entire gamut of 'bad' stuff .... stuff that was fine until the spammers started abusing it a few years ago ... That's a bit of a bad question based on the data showing at http://mailsc.spamcop.net/sc?track=203.2.32.108 Parsing input: 203.2.32.108 host 203.2.32.108 = atom.scu.edu.au (cached) host 203.2.32.108 = atom.scu.edu.au (cached) Routing details for 203.2.32.108 Cached whois for 203.2.32.108 : mpowell[at]alsvid.une.edu.au Using last resort contacts mpowell[at]alsvid.une.edu.au mpowell[at]alsvid.une.edu.au bounces (19 sent : 10 bounces) OK, thanks for that - I wasn't aware of that bad address - I'll fix it. Are you saying that it's bounces to this address that caused this host to get listed in the SCBL? <snip> You're pretty much wasting everyone else's time if you're not going to look at the FAQ, look at the same ground covered in countless previous discussions, etc., etc., etc. Reject at SMTP receipt if you are not going to actually deliver the e-mail to a local user. OK, message understood. Just thought people might add an acronym or two to my short list for me to go and check out further. Thanks for your reply. Regards, G. Link to comment Share on other sites More sharing options...
Jeff G. Posted October 9, 2006 Share Posted October 9, 2006 Are you saying that it's bounces to this address that caused this host to get listed in the SCBL?No, but that's been preventing notifications to you and/or your admins of problems.Just thought people might add an acronym or two to my short list for me to go and check out further.OK, here's one: stop sending UUBE. Link to comment Share on other sites More sharing options...
guido90210 Posted October 9, 2006 Author Share Posted October 9, 2006 No, but that's been preventing notifications to you and/or your admins of problems. OK, here's one: stop sending UUBE. Helpful, thanks. Link to comment Share on other sites More sharing options...
Wazoo Posted October 9, 2006 Share Posted October 9, 2006 Ummm... don't know if you meant to use the word 'justify' here... perhaps 'explain'? I meant 'justify' .... One reason may have been that another server was shut down and that traffic is now going through this server. Another might be that a monthly mail-list may have been sent out yesterday, thus bumping up the 'last 24 hour' statistic. The bad situation is that spammer is using/abusing this server. So the question was "Can you justify those numbers?" suggesting that you'd have researched where they were coming from, noting if there might be an association with getting listed on the SpamCopDNSBL. Numbers today seem to show that the flow has not reduced, possibly taking the 'monthly mail-list' out of the equation .... you would/should know if servers have been reassigned/re-routed .... so that last scenario is still out there waiting for the results of your investigation .... Link to comment Share on other sites More sharing options...
StevenUnderwood Posted October 10, 2006 Share Posted October 10, 2006 Ummm... don't know if you meant to use the word 'justify' here... perhaps 'explain'? OK, using your words, can you explain why that server generated 173% more traffic yesterday than is normally seen coming from it? Link to comment Share on other sites More sharing options...
guido90210 Posted October 11, 2006 Author Share Posted October 11, 2006 OK, using your words, can you explain why that server generated 173% more traffic yesterday than is normally seen coming from it? Well, the server did generate around 3 times the amount of bytes on Monday compared to Sunday. The 'bytes sent out' figure varies by a magnitude of around 3 over the last 10 days - on a weekday, the bytes sent out is around 3 times what it sends out on a weekend, which makes sense, given that there are no staff here on the weekend. Sorry for getting tetchy on the word 'justify', but to me, to 'justify' something means to explain why you've done something wrong. I don't see how the fact that my server has sent 3 times more traffic on a Monday than a Sunday is 'doing something wrong' And after all, apart from sending bounces, the machine isn't sending spam, i.e. it isn't an open relay, and no-one at our workplace sends spam through it. Regards, G. Link to comment Share on other sites More sharing options...
turetzsr Posted October 11, 2006 Share Posted October 11, 2006 Hi, G! <snip> Sorry for getting tetchy on the word 'justify', but to me, to 'justify' something means to explain why you've done something wrong. <snip> ...You seem to be using a different dictionary than I am. To me, "justify" simply means to explain something, whether that something is in fact right or wrong or even whether you have done it or someone else has. See, for example, http://dictionary.reference.com/browse/justify. ...In this case, I, personally, would accept your justification -- I think you have explained the observation of the increase in server activity, thereby justifying it. And after all, apart from sending bounces, the machine isn't sending spam,...IMHO, that's like saying, "apart from the 50 bank robberies my buddies and I have committed over the past week, we are not thieves." <g>i.e. it isn't an open relay, and no-one at our workplace sends spam through it....That isn't the definition of spam. spam is e-mail that someone receives that she or he did not request. Link to comment Share on other sites More sharing options...
guido90210 Posted October 11, 2006 Author Share Posted October 11, 2006 Hi, G! ...You seem to be using a different dictionary than I am. To me, "justify" simply means to explain something, whether that something is in fact right or wrong or even whether you have done it or someone else has. See, for example, http://dictionary.reference.com/browse/justify. ...In this case, I, personally, would accept your justification -- I think you have explained the observation of the increase in server activity, thereby justifying it....IMHO, that's like saying, "apart from the 50 bank robberies my buddies and I have committed over the past week, we are not thieves." <g>...That isn't the definition of spam. spam is e-mail that someone receives that she or he did not request. No, we're using the same dictionary. To quote from http://dictionary.reference.com/search?q=justify : "1. to show (an act, claim, statement, etc.) to be just or right: The end does not always justify the means." To have to show that you're right, someone must have claimed that you were wrong. As I said, I don't think that the fact that the server in question has sent out 3 times more traffic on a Monday than a Sunday is 'wrong'. And further on this, the statistic is IronPort's. They don't have a sniffer sitting next to my server, although I would agree that the statistic is a fair indication of the change in traffic coming from this server. The server isn't in any blacklists for sending spam, but regardless of that, to me this statistic bears no relation to whether the server is sending spam or not. I'm well aware that if it does start sending spam (apart from bounces), it will quickly make it into the blacklists. Re: the '50 bank robberies' statement, yes, I know, the server does send bounces. Yes, I'd prefer that it didn't, at least not 'user unknown' bounces. And yes, I'll stop it doing that when I can. Ciao, G. Link to comment Share on other sites More sharing options...
Wazoo Posted October 11, 2006 Share Posted October 11, 2006 Well, the server did generate around 3 times the amount of bytes on Monday compared to Sunday. The 'bytes sent out' figure varies by a magnitude of around 3 over the last 10 days - on a weekday, the bytes sent out is around 3 times what it sends out on a weekend, which makes sense, given that there are no staff here on the weekend. I'll admit that I'm not really following your numbers .. but what I'm looking at is your "more traffic Monday than Sunday" .. butnoting that the fisures being talked about are described as "Vol Change vs. Average" with the specifics of "last day" compared to something more than 30 days ..... having a bit of a hard time relating the two "statistic descriptions" ...??? Sorry for getting tetchy on the word 'justify', but to me, to 'justify' something means to explain why you've done something wrong. I don't see how the fact that my server has sent 3 times more traffic on a Monday than a Sunday is 'doing something wrong' as above, Monday versus Sunday is your interpretation ... I see it as an increase 'today' over what the "average" has been for something in exxcess of 30 days (seeing as how 30 days has its own stat) .... If your issue with "justify" was that you felt you had to explain to "me" ... well, I could basically care less. The question was whether you could justify that "last day" (now extending a few days more) increase over what that server had been seen sending out. If you could, great. I don't think you have yet, suggesting that there is someone else using that server for whatevver reasons .... Again, I don't need an answer, I was just pointing at the what the data suggested. To use your interpretation, can you justify why there is still the increase showing as compared to Tuesday versus Monday? And after all, apart from sending bounces, the machine isn't sending spam, i.e. it isn't an open relay, and no-one at our workplace sends spam through it. Yet, the server got listed due to some 'bad' traffic ...???? Link to comment Share on other sites More sharing options...
guido90210 Posted October 11, 2006 Author Share Posted October 11, 2006 I'll admit that I'm not really following your numbers .. but what I'm looking at is your "more traffic Monday than Sunday" .. butnoting that the fisures being talked about are described as "Vol Change vs. Average" with the specifics of "last day" compared to something more than 30 days ..... having a bit of a hard time relating the two "statistic descriptions" ...??? Yeah... I dunno, the stat is IronPort's - I don't know how they come up with it... I guess from all their appliances out there. as above, Monday versus Sunday is your interpretation ... I see it as an increase 'today' over what the "average" has been for something in exxcess of 30 days (seeing as how 30 days has its own stat) .... If your issue with "justify" was that you felt you had to explain to "me" ... well, I could basically care less. The question was whether you could justify that "last day" (now extending a few days more) increase over what that server had been seen sending out. If you could, great. I don't think you have yet, suggesting that there is someone else using that server for whatevver reasons .... Again, I don't need an answer, I was just pointing at the what the data suggested. Do you mean you couldn't care less? Fer chrissake, let's forget the whole 'justify' issue, and IronPort's statistic along with it To use your interpretation, can you justify why there is still the increase showing as compared to Tuesday versus Monday? Yet, the server got listed due to some 'bad' traffic ...???? Yes, bounces to a spamcop.net spamtrap, apparently. Link to comment Share on other sites More sharing options...
Wazoo Posted October 11, 2006 Share Posted October 11, 2006 Yeah... I dunno, the stat is IronPort's - I don't know how they come up with it... I guess from all their appliances out there. http://forum.spamcop.net/scwik/SenderBase Do you mean you couldn't care less? Fer chrissake, let's forget the whole 'justify' issue, and IronPort's statistic along with it I'm just a SpamCop.net user, volunteering my time and knowledge here. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted October 11, 2006 Share Posted October 11, 2006 and IronPort's statistic along with it That statistic you are trying to ignore is trying to tell you there is more traffic coming from your machine than is normally seen on average. Link to comment Share on other sites More sharing options...
turetzsr Posted October 11, 2006 Share Posted October 11, 2006 That statistic you are trying to ignore is trying to tell you there is more traffic coming from your machine than is normally seen on average....And to use a less-offensive (to you) word for what we're asking you to do: are you able to explain to "our" satisfaction why there seems to be so much more traffic than "normal" coming from that machine (as I said, I'm satifsfied, but I don't' really count because I'm not nearly as knowledgeable as others here who can help you if you are willing and able to cooperate by answering their questions)? Thanks! Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.