Spam Block Details

[gwadmin]

I am trying to find out what has caused a customer of mine to be placed on the blocklist. I have subscribed to the reporting but all I get is a summary saying I am blocked. How do I find the details of what has caused the block? Any help would be much appreciated. Phil

This is an example email

The attached file had the following undeliverable recipient(s):

jmcrae[at]wrri.com

Transcript of session follows:

Command: Data...

Response: 571 - MAIL REFUSED - IP (24.106.126.138) is in RBL black list bl.spamcop.net

[GraemeL]

I am trying to find out what has caused a customer of mine to be placed on the blocklist. I have subscribed to the reporting but all I get is a summary saying I am blocked. How do I find the details of what has caused the block? Any help would be much appreciated. Phil

This is an example email

The attached file had the following undeliverable recipient(s):

jmcrae[at]wrri.com

Transcript of session follows:

Command: Data...

Response: 571 - MAIL REFUSED - IP (24.106.126.138) is in RBL black list bl.spamcop.net

Trying hard to restrain myself from commenting on why anybody would accept mail from any IP in Road Runer netspace.

http://www.spamcop.net/w3m?action=blcheck&...=24.106.126.138

Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

* SpamCop users have reported system as a source of spam less than 10 times in the past week

Recent reports:

Submitted: Mon, 27 Nov 2006 14:49:05 GMT:
Check out my lists for walking women, walking men, and gadgets for everyone.

    * 2037509197 ( 24.106.126.138 ) To: spamcop[at]imaphost.com
    * 2037509152 ( 24.106.126.138 ) To: abuse[at]rr.com 

Submitted: Thu, 23 Nov 2006 08:49:06 GMT:
earache

    * 2031189885 ( 24.106.126.138 ) To: abuse[at]rr.com 

Submitted: Wed, 22 Nov 2006 06:36:30 GMT:
scathing truck

    * 2029659574 ( 24.106.126.138 ) To: abuse[at]rr.com 

Submitted: Fri, 17 Nov 2006 17:36:55 GMT:
wonder anthill

    * 2022203399 ( 24.106.126.138 ) To: spamcop[at]imaphost.com
    * 2022203367 ( 24.106.126.138 ) To: abuse[at]rr.com 

[turetzsr]

Hi!

...Did you visit the SpamCop home page? There's a section there labeled "REPORTED FOR SPAMMING?" that may help answer your question.

...Did you click the big red link near the top of each Forum page labeled "------>------> Latest and Current Announcements <------<------?" There are links on that page under a heading labeled "Why am I Blocked?" that may help answer your question. Also, there's a link labeled "How to find what you are looking for without pulling your hair out in the process" with helpful tips about posting to the SpamCop Forum that will help you post here with the minimum effort for maximum results (help from us SpamCop users).

...Did you peruse our SpamCop FAQ (link near top left of the SpamCop Forum pages). There are links there labeled "Why am I Blocked?," "Has your email been blocked? (ISP, Mailing List Admin, Advertiser)," "SpamCop Blocking List - Am I listed?" and "How can I check if an IP is on the list?" that may help answer your question.

...If after checking these resources you still have questions, please return here to post them. If you find they do answer your question, please also post back here to let us know you found what you needed.

...Thanks and good luck!

[StevenUnderwood]

I am trying to find out what has caused a customer of mine to be placed on the blocklist. I have subscribed to the reporting but all I get is a summary saying I am blocked. How do I find the details of what has caused the block? Any help would be much appreciated. Phil

This is an example email

The attached file had the following undeliverable recipient(s):

jmcrae[at]wrri.com

Transcript of session follows:

Command: Data...

Response: 571 - MAIL REFUSED - IP (24.106.126.138) is in RBL black list bl.spamcop.net

Did you start here: http://www.spamcop.net/bl.shtml?24.106.126.138 where you would see a number of reasons for being listed if you are not intentionally sending spam.

Then proceed to: http://www.spamcop.net/w3m?action=blcheck&...=24.106.126.138 where you would see you are almost off the listing and:

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

If this IP address is shared, it is possible another party is sending the spam messages.

Some information you can not see unless you are a paid reporter is the time and subject or some of the recent reports against that IP address. abuse[at]rr.com seems to have gotten the reports so your customer should check with them to get more information:

Submitted: Monday, November 27, 2006 9:49:05 AM -0500: 
Check out my lists for walking women, walking men, and gadgets for everyone. 
2037509197 ( 24.106.126.138 ) To: spamcop[at]imaphost.com 
2037509152 ( 24.106.126.138 ) To: abuse[at]rr.com 

--------------------------------------------------------------------------------

Submitted: Thursday, November 23, 2006 3:49:06 AM -0500: 
earache 
2031189885 ( 24.106.126.138 ) To: abuse[at]rr.com 

--------------------------------------------------------------------------------

Submitted: Wednesday, November 22, 2006 1:36:30 AM -0500: 
scathing truck 
2029659574 ( 24.106.126.138 ) To: abuse[at]rr.com 

[gwadmin]

Thanks, I will check with Road Runner. I assumed the abuse email would go to the abuse address for the domain the customer is using not the Road Runner abuse address. Thanks again

[StevenUnderwood]

Thanks, I will check with Road Runner. I assumed the abuse email would go to the abuse address for the domain the customer is using not the Road Runner abuse address. Thanks again

The domain in an email is easily forged. SpamCop used the abuse desk of the IP address used to originate (as far back as the program can reliably trace it) the message.

[gwadmin]

How do I stop the forgery?

We went back on the spamcop list a few hours after we were off. I still have not gotten any additional info from Road Runner. From what I saw in what you sent me was the account blocked over one spam email?

[Farelf]

How do I stop the forgery?

We went back on the spamcop list a few hours after we were off. I still have not gotten any additional info from Road Runner. From what I saw in what you sent me was the account blocked over one spam email?

The forged email address is not the problem (which is fortunate because there is NO WAY to stop it). The server is being used to send spam. And no, it was not 'one' spam email. Spamtraps have also been hit from the IP address 24.106.126.138 That *can* be fixed (by Road Runner, if they have sufficient incentive).

[turetzsr]

How do I stop the forgery?

...Take away the spammers forging equipment. <g> IOW, you probably can't.

<snip>

From what I saw in what you sent me was the account blocked over one spam email?

...Nope, not according to the information SpamCop gives us: see SpamCop FAQ entry labeled "What is on the list?" For one thing, the information provided by StevenUnderwood in linear post #4 shows three, not one, user spam reports, each with a different subject:

• one Submitted: Monday, November 27, 2006 9:49:05 AM -0500, Check out my lists for walking women, walking men, and gadgets for everyone.
  
• one Submitted: Thursday, November 23, 2006 3:49:06 AM -0500, earache
  
• one Submitted: Wednesday, November 22, 2006 1:36:30 AM -0500, scathing truck
  

For another, also in that same post:

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

[gwadmin]

The issue I am trying to determine is the source. Would there not be an address from which the email was sent whatever[at]domain.com? If this was not a valid address on the system then I would know it was spoofed. If it was valid then I could look at the user's account.

[StevenUnderwood]

The issue I am trying to determine is the source. Would there not be an address from which the email was sent whatever[at]domain.com? If this was not a valid address on the system then I would know it was spoofed. If it was valid then I could look at the user's account.

You should be able to get that information from the people who received the reports: abuse[at]rr.com

However, even if the email address is spoofed, it still came from this IP address. BTW, there was another report submitted yesterday and today:

Report History:
--------------------------------------------------------------------------------

Submitted: Saturday, December 02, 2006 11:45:05 AM -0500: 

2045527869 ( 24.106.126.138 ) To: spamcop[at]imaphost.com 
2045527824 ( 24.106.126.138 ) To: abuse[at]rr.com 

--------------------------------------------------------------------------------

Submitted: Friday, December 01, 2006 12:04:01 PM -0500: 
I'm working hard to produce decent traffic on all online galleries. 
2044154140 ( 24.106.126.138 ) To: abuse[at]rr.com 

--------------------------------------------------------------------------------

Submitted: Monday, November 27, 2006 9:49:05 AM -0500: 
Check out my lists for walking women, walking men, and gadgets for everyone. 
2037509197 ( 24.106.126.138 ) To: spamcop[at]imaphost.com 
2037509152 ( 24.106.126.138 ) To: abuse[at]rr.com