64.34.165.154 blocked


fender

We have been off and on your blacklist for at least a week now.

64.34.165.154 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 16 hours.

Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

I also read in your FAQ that if a block lists only spamtraps and not any user reports (as seems to be the case here) that the likely causes are either autoresponders or misdirected bounces. However, our system does not utilize any autoresponders, nor do we reject any email for any reason ever, so neither of these explanations seem to fit.

Any help you can offer is greatly appreciated.

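The listing line quoted in the post above is the result of a DNSBL lookup: the IP's octets are reversed, the zone is appended, and an A record in 127.0.0.0/8 means "listed". The following is an added example, not part of the original thread, of how a sender could monitor its own IPs this way; the function names and the constructed `SAMPLE_ZONE` data are assumptions made for illustration.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")

def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """Reverse the IPv4 octets and append the zone, as DNSBL lookups require."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """A-record lookup. NXDOMAIN returns None; other resolver failures propagate."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return None  # no such record: the IP is not listed
        raise  # a timeout or server failure must not be reported as "clean"

def check_listing(ip, zone="bl.spamcop.net", resolve=system_resolver):
    """Return (listed, answer) for one sending IP."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return (False, None)
    # Only answers in 127.0.0.0/8 are listings; anything else is most likely
    # a resolver that rewrites NXDOMAIN, not a verdict from the list.
    return (ipaddress.IPv4Address(answer) in LOOPBACK, answer)

def listed_ips(ips, resolve=system_resolver):
    """Return the subset of sending IPs currently listed, for alerting."""
    return [ip for ip in ips if check_listing(ip, resolve=resolve)[0]]

# Constructed resolver data so the example runs offline: the listed record
# mirrors the lookup result quoted in the thread; 192.0.2.x and 203.0.113.x
# are documentation addresses.
SAMPLE_ZONE = {
    "154.165.34.64.bl.spamcop.net": "127.0.0.2",
    "20.2.0.192.bl.spamcop.net": "203.0.113.9",  # rewritten NXDOMAIN, not a listing
}

if __name__ == "__main__":
    for ip in ("64.34.165.154", "192.0.2.10", "192.0.2.20"):
        print(ip, check_listing(ip, resolve=SAMPLE_ZONE.get))
```

Calling `check_listing(ip)` without the `resolve` argument queries the live zone through the system resolver.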

Any help you can offer is greatly appreciated.

Given the name of that domain (mynewsletterbuilder.com) I suggest you read the FAQ on 'am I running my mailing list responsibly?'. More to the point, are all your clients using only confirmed opt-in lists? My guess is that one or more spamtrap addresses, which have been spidered from the web, is included in someone's mailing list and keeps getting that server listed.


I also read in your FAQ that if a block lists only spamtraps and not any user reports (as seems to be the case here) that the likely causes are either autoresponders or misdirected bounces. However, our system does not utilize any autoresponders, nor do we reject any email for any reason ever, so neither of these explanations seem to fit.

Are you sending a mail list using addresses supplied by a spammer?

SpamCop Spamtrap addresses use random characters around 16 which is better than Bank security to guess

IP 64.34.165.154 does not seem to have rDNS MX records etc


We have been off and on your blacklist for at least a week now.

64.34.165.154 listed in bl.spamcop.net (127.0.0.2)

I also read in your FAQ that if a block lists only spamtraps and not any user reports (as seems to be the case here) that the likely causes are either autoresponders or misdirected bounces. However, our system does not utilize any autoresponders, nor do we reject any email for any reason ever, so neither of these explanations seem to fit.

There is one non-spamtrap report for that IP address today:

Submitted: Fri, 29 Dec 2006 12:50:11 GMT:
[Tuff City] 8 New Releases: Funk, Soul, Boogaloo, more...

	* 2082683889 ( http://www.tuffcity.com/catalog/TuffCity_Januar... ) To: abuse[at]algx.net
	* 2082683789 ( http://www.tuffcity.com.cnchost.com/html/allgen... ) To: abuse[at]algx.net
	* 2082683692 ( 64.34.165.154 ) To: spamcop[at]imaphost.com
	* 2082683615 ( http://www.mynewsletterbuilder.com/ ) To: abuse[at]peer1.net
	* 2082683504 ( 64.34.165.154 ) To: abuse[at]peer1.net
	* 2082683387 ( http://www.mynewsletterbuilder.com/ ) To: abusespamcop[at]tickets.serverbeach.com
	* 2082683278 ( 64.34.165.154 ) To: abusespamcop[at]tickets.serverbeach.com

It's for the same (Tuff City) newsletter that was mentioned by Farelf, though the one on Google is from two days ago.

Your anti spam policy seems fairly good, but I have a couple of suggestions that might help you out in the future.

You have an unsubscribe option automatically added to each email. It might be worth your time to also add an option for "This mail is spam" which will alert your support personnel to possible problems.

Reports for your IPs go to peer1 and server beach abuse desks. You might want to write to service at admin.spamcop.net and ask them to add your own abuse desk as a 3rd party recipient for your IPs. This would help you identify potentially abusive clients for non-spamtrap hits.


64.34.165.154 listed in bl.spamcop.net

Subject: [Thursday Night] Holiday Bowl Winner! [Texas A&M / California]

From: Insiders Sports Group <SportsWinners[at]InsidersSportsGroup.com>

The server is sending that mail to spamtrap addresses that feed our complaint database.

A spamtrap is an unused address whose sole reason for existence is to see if people will send unsolicited mail to it. Spamtraps are basically the nonexistent addresses at small vanity domains owned by us or our associates. Mail to nonexistent addresses is proof-positive that email addresses are being added to a mailing list without the address owner's permission.

- Don D'Minion - SpamCop Admin -

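The spamtrap explanation above, together with the earlier question about confirmed opt-in lists, comes down to one property: an address should become mailable only after its owner acts on a confirmation message. The following is an added example, not code from the thread or from any system discussed in it; the class name, the token format, the 7-day expiry and the sample addresses are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

class ConfirmedOptInList:
    """Mailing list where an address is mailable only after its owner confirms."""

    def __init__(self, secret, ttl=7 * 24 * 3600):
        self._secret = secret     # server-side key; tokens cannot be forged without it
        self._ttl = ttl           # assumption: confirmation links expire after 7 days
        self._pending = {}        # address -> issue time of the outstanding request
        self.subscribers = set()  # the only addresses newsletters are sent to

    def _sign(self, address, issued):
        msg = f"{address}|{issued}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request(self, address, now=None):
        """Signup or list import: store as pending, return the token to e-mail once."""
        address = address.strip().lower()
        issued = int(time.time() if now is None else now)
        self._pending[address] = issued
        return f"{issued}.{self._sign(address, issued)}"

    def confirm(self, address, token, now=None):
        """Owner clicked the link: promote only for a valid, unexpired token."""
        address = address.strip().lower()
        now = int(time.time() if now is None else now)
        issued_s, _, sig = token.partition(".")
        if not issued_s.isdecimal() or self._pending.get(address) != int(issued_s):
            return False
        if now - int(issued_s) > self._ttl:
            return False
        expected = self._sign(address, int(issued_s))
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False
        del self._pending[address]
        self.subscribers.add(address)
        return True

def demo():
    """Constructed scenario: an imported address nobody reads versus a real signup."""
    lst = ConfirmedOptInList(b"constructed-demo-key")
    lst.request("trap@vanity.example", now=1000)        # never confirmed
    token = lst.request("reader@example.org", now=1000)
    lst.confirm("reader@example.org", token, now=2000)
    return sorted(lst.subscribers)
```

An unused address that is harvested or imported receives at most the single confirmation message and never reaches `subscribers`, because nobody is there to confirm it.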

Your anti spam policy seems fairly good, but I have a couple of suggestions that might help you out in the future.

You have an unsubscribe option automatically added to each email. It might be worth your time to also add an option for "This mail is spam" which will alert your support personnel to possible problems.

Reports for your IPs go to peer1 and server beach abuse desks. You might want to write to service at admin.spamcop.net and ask them to add your own abuse desk as a 3rd party recipient for your IPs. This would help you identify potentially abusive clients for non-spamtrap hits.

Thanks for all your suggestions so far. We do include a "report spam" link as you suggest automatically at the bottom of every newsletter. In the tuffcity newsletter that was reported, look for this link:

http://www.mynewsletterbuilder.com/tools/s...&email=user [at] domain.xxx

Most of the time we find that spam reports are filed without the email ever being opened in the first place, but we do monitor these reports closely.

I will contact spamcop admin and have my abuse desk added to reports from spamcop.

However, this issue with user reports on tuffcity seems to be new. They had not sent a large mailing from our system prior to Dec 27, so my original issue about spamtrap emails would seem to be coming from a different user.

If the spamtrap addresses return a recognizable bounce message (SMTP error code 5xx) then they would have been removed from our system once the first bounce was received.

I cannot get any evidence of spamtrap emails received from the spamcop website, so I am at a loss as to how to figure out what user on my system could be the source of these emails.

Subject: [Thursday Night] Holiday Bowl Winner! [Texas A&M / California]

From: Insiders Sports Group <SportsWinners[at]InsidersSportsGroup.com>

The server is sending that mail to spamtrap addresses that feed our complaint database.

Thanks, that helps a lot. I will deactivate this user immediately.


<snip>

If the spamtrap addresses return a recognizable bounce message (SMTP error code 5xx) then they would have been removed from our system once the first bounce was received.

...This is called List Washing and is not the preferred resolution. Besides, if the SpamTrap addresses rejected messages with a 5xx code, there would be no evidence of the spam attempt. Note: I'm making an educated guess, here, as I know almost nothing about the inner workings of SpamTraps.

I cannot get any evidence of spamtrap emails received from the spamcop website, so I am at a loss as to how to figure out what user on my system could be the source of these emails.

...You may be able to get additional information by writing to the SpamCop Deputies at deputies[at]admin.spamcop.net. You will have to provide good evidence that you are an appropriate abuse contact for the source IP address (the spam source) about which you are requesting information.

Subject: [Thursday Night] Holiday Bowl Winner! [Texas A&M / California]

From: Insiders Sports Group <SportsWinners[at]InsidersSportsGroup.com>

<snip>

Thanks, that helps a lot. I will deactivate this user immediately.

...Please do not take any action based solely on the "From" or "Reply-to" addresses! Those are easily forged by the spammer!! Thanks. :) <g>

Please do not take any action based solely on the "From" or "Reply-to" addresses! Those are easily forged by the spammer!! Thanks. :) <g>

Since the email is coming from our IP, it is easy for me to determine who the source is. Nobody else on our system is using that email address, so it can only be one user's account. They have been terminated now, so hopefully the block will be lifted once the current timer runs out.

If I am supplied with a copy of the email received (or even part of it, as long as it's the right part) it is very easy for me to track down spam policy violators within my system and disable them because of the way our system is set up.


Nobody else on our system is using that email address, so it can only be one user's account. They have been terminated now, so hopefully the block will be lifted once the current timer runs out.

However, the email may not have come from that email address. Spammers can forge anyone's address into the From and To lines - even the return path.

Unless, of course, that email address is sending a newsletter and you have verified with them that their list is not according to best practices.

Miss Betsy


Trust me, I gave you the correct sender info. The sender is a newsletter operator. Nobody else here has access to the spamtrap information that I do. If I thought I was looking at the product of a compromised machine sending ordinary spam, I would have given you different information.

- Don D'Minion - SpamCop Admin -


Trust me, I gave you the correct sender info. The sender is a newsletter operator. Nobody else here has access to the spamtrap information that I do. If I thought I was looking at the product of a compromised machine sending ordinary spam, I would have given you different information.

- Don D'Minion - SpamCop Admin -

From previous replies from 'official' spamcop, the inference is that what you, Don, posted is all that the deputies will give as far as information about spamtrap hits. They will also give information that it looks like compromised servers or misdirected bounces, etc. which you didn't specifically mention or exclude.

There have been several people posting who have had their accounts discontinued on the basis of "From" evidence - which is why SteveT wanted to be sure that the OP had truly investigated this response. I tried to make a clarification that the OP could make sure that this user was using a bad list before discontinuing the account - since all the evidence from posts so far indicated a bad list.

Unfortunately, this is a totally user to user forum with many posts being made by those who are 'regulars'. Users do not have the information that deputies have and have to rely on past experience (those who have had accounts discontinued on the basis of 'From' information) as well as the possibility that the OP can tell (how we don't know) who actually sent the email that hit the spam trap.

Now, we know that once Don has posted, that it is not a good idea to add any other information because he will see it as being that other posters don't trust him.

Miss Betsy


<snip>

Now, we know that once Don has posted, that it is not a good idea to add any other information because he will see it as being that other posters don't trust him.

Miss Betsy

...Gee, I don't know that at all! My guess, Miss Betsy, is that because Don's last reply came immediately after your reply, you thought he was reacting to your post. However, if you switch from "Standard view" to "Outline view," you will see that Don was actually replying to fender's linear post #9:

<snip>

If I am supplied with a copy of the email received (or even part of it, as long as it's the right part) it is very easy for me to track down spam policy violators within my system and disable them because of the way our system is set up.

...Don, please correct me if I am incorrect.

...Gee, I don't know that at all! My guess, Miss Betsy, is that because Don's last reply came immediately after your reply, you thought he was reacting to your post. However, if you switch from "Standard view" to "Outline view," you will see that Don was actually replying to fender's linear post #9:...Don, please correct me if I am incorrect.

You and I both gave information about the 'From' - what Don was saying was that he can see the information in the spam email and that the sender apparently was not forged. That's very likely since the guesses for the reason for blocking earlier were that a mailing list was not kosher. You and I both want to remind people who can cancel accounts that the 'From' is not always legitimate - for the benefit of others who might read this topic. Don answered this poster's question with the information that only he is privileged to see so he knew that the 'From' was apparently not forged.

My reply was a little bit snippy because I reacted to the use of 'trust me' seeing it as a slam on your post and my post. IMHO, however, it probably /is/ best not to amplify (or add clarifications) to Don's replies. We can't see what he sees. We are used to covering all the bases because we can't see exactly what is the problem.

IOW, once Don has decided to answer a poster, there is nothing more that anyone can add because he knows exactly what the problem is and how to fix it. Anything that other non-official posters might add only muddies the waters.

Miss Betsy


... once Don has decided to answer a poster, there is nothing more that anyone can add because he knows exactly what the problem is and how to fix it. Anything that other non-official posters might add only muddies the waters.

Concur.
