Saipem Posted March 6, 2007

Hi,

OK simple quick question, how am I supposed to deal with my work email being blocked by spam corp? Considering I have no access to web-based emails at work (hotmail etc all blocked).

The admin for the server in question (212.17.199.49) is in the company's HQ in Italy (I work in the UK, emails all routed through gateway in Italy). And by the time they do anything the 27 hours of blocking will have elapsed (takes them a month to hire someone, I doubt they'll sort this out within 24 hours). (I have contacted our UK IT department.. can you spell "chocolate teapot"?)

But at the same time a lot of my job requires email and I really can't cope with the lottery of every email that goes through that gateway (we have many, or at least I assume so as not all my mails to the client that uses spamcorp have been blocked).

Also it seems strange to me that we should be blocked when we are a company, anyone that actually tried to send spam through that gateway would get fired?! Not to mention if we were serious spammers all our gateways would be blocked.

BTW, sorry if any (or all!) of my terminology is wrong.

agsteele Posted March 6, 2007

> Hi, OK simple quick question, how am I supposed to deal with my work email being blocked by spam corp? Considering I have no access to web-based emails at work (hotmail etc all blocked) The admin for the server in question (212.17.199.49) is in the company's HQ in Italy

The IP in question has been listed for the following reasons:

Causes of listing
* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
* SpamCop users have reported system as a source of spam less than 10 times in the past week

The subjects of a few spam items identified as passing through this server include:

Submitted: Mon, 05 Mar 2007 15:11:46 GMT: Herbal VI[at] , -GRA- Dailey
Submitted: Mon, 05 Mar 2007 08:58:11 GMT: Herbal VI[at] , -GRA- Lund
Submitted: Mon, 05 Mar 2007 08:08:03 GMT: Incredible Herbal V1gra - no side effects Curtis Ewing
Submitted: Mon, 05 Mar 2007 02:54:24 GMT: **spam** Order: anteater

So from the immediate evidence available it looks like your chocolate teapots need to take a look at the firewall logs. There does appear to be a problem with this IP address.

Andrew

Saipem (Author) Posted March 6, 2007

> So from the immediate evidence available it looks like your chocolate teapots need to take a look at the firewall logs. There does appear to be a problem with this IP address.

Cool, thanks for the help, will forward the details to people that should be sorting it out.

But out of interest, there should be some kind of suggestions in the FAQ for the IT illiterate peons like myself who have no choice of what to do (I don't have access to other email addresses, and some things basically have to be communicated by email) and have no control over our email systems.

Cheers again.

turetzsr Posted March 6, 2007

> Cool, thanks for the help, will forward the details to people that should be sorting it out.

...Also of note: http://www.spamcop.net/sc?track=212.17.199.49 which tells them the e-mail addresses to which reports of user-reported spam are sent. If these are incorrect, they should be changed (see FAQ item "How do I register an abuse[at] email address?").

> But out of interest, there should be some kind of suggestions in the FAQ for the IT illiterate peons like myself who have no choice of what to do (I don't have access to other email addresses, and some things basically have to be communicated by email) and have no control over our email systems.

...The "SpamCop FAQ" (see link near top left of all SpamCop Forum pages) includes a link labeled "Why am I Blocked?" You will probably wish to skip down to the section labeled "Q: Why me? A: It Happens to the best of us." It includes a suggestion to (temporarily) use a webmail service, which you indicate is not an option for you. However, there follow other good suggestions.

Saipem (Author) Posted March 6, 2007

> ...Also of note: http://www.spamcop.net/sc?track=212.17.199.49 which tells them the e-mail addresses to which reports of user-reported spam are sent.

Cool, so I'm working for the UK arm of an Italian company, all my email gets sent to Italy to go through a gateway there only to be handled by the Italian arm of British Telecom!

> If these are incorrect, they should be changed

I'm afraid I can't tell you if they are correct, I'm so many steps removed from anyone who knows it's only slightly funny. But again I'll forward the info to people that should know who to forward it to or at least who knows someone else nearer to where it should go!!!

> The "SpamCop FAQ" (see link near top left of all SpamCop Forum pages) includes a link labeled "Why am I Blocked?" You will probably wish to skip down to the section labeled "Q: Why me? A: It Happens to the best of us." It includes a suggestion to (temporarily) use a webmail service, which you indicate is not an option for you. However, there follow other good suggestions.

Sorry I did read the webmail bit, but I must have been glazing over or skim-reading if I missed other good suggestions. Actually that's not entirely true but I won't hold you nice people up with any more babbling :-)

.edit. In case it's not obvious, I think you can say this is resolved, I've done all I can and so have you :-)

Cheers again

turetzsr Posted March 6, 2007

> Cool, so I'm working for the UK arm of an Italian company, all my email gets sent to Italy to go through a gateway there only to be handled by the Italian arm of British Telecom!

...Wish we here could help you with that. <g>

...But if you're talking about the reports of spam, they aren't your e-mail, they're the e-mail admin's e-mail, as it is the e-mail server that is sending the spam.

> I'm afraid I can't tell you if they are correct, I'm so many steps removed from anyone who knows it's only slightly funny.

...Understood -- I didn't expect you would.

> But again I'll forward the info to people that should know who to forward it to or at least who knows someone else nearer to where it should go!!!

...Exactly! Good luck with that!

> <snip> In case it's not obvious, I think you can say this is resolved, I've done all I can and so have you :-)

...Well, I'm hoping to see you back here again with word on what has become of your communication with the "people that should be sorting it out" so I'm not going to mark this forum thread as resolved, yet.

Derek T Posted March 6, 2007

> Hi, OK simple quick question, how am I supposed to deal with my work email being blocked by spam corp?

Please note that SpamCop blocks NOTHING, it can't, and even if it could it wouldn't. It's the recipients that are blocking based on a SpamCop listing. SpamCop does NOT recommend this and does not do it on its own email system: it just moves stuff to 'held mail'.

Get the recipients to whitelist your email address (whitelisting is done on addresses) no matter what IP it comes from (blocklisting is done on IPs).

Saipem (Author) Posted March 8, 2007

> ...But if you're talking about the reports of spam,

No I wasn't, don't worry, despite my comments about being a computer illiterate peon, I am literate enough to run a redhat linux box at home and be my department's unofficial IT support.

> Well, I'm hoping to see you back here again with word on what has become of your communication with the "people that should be sorting it out" so I'm not going to mark this forum thread as resolved, yet.

I'm glad you didn't, because it's not. The same IP has been listed again. Would it be possible for you to give me a list of the emails again (I assume it's something new?) so I can badger the IT manager.

> <snip> It's the recipients that are blocking based on a SpamCop listing. <snip> Get the recipients to whitelist your email address <snip>

You are right, I meant to send a quote of your email to the people in question, now that I've been blocked again, well, I've done it. Although, I do know my address has been spoofed in the past for spam (it's an odd experience receiving a mail from yourself that you've not sent! and then working out if it should go on the block senders list made my head hurt!) so obviously if they whitelist my address they will get the spoofed emails won't they?

agsteele Posted March 8, 2007

> I'm glad you didn't, because it's not. The same IP has been listed again. Would it be possible for you to give me a list of the emails again (I assume it's something new?) so I can badger the IT manager.

The identifiable spam is as follows:

Submitted: Tue, 06 Mar 2007 20:04:21 GMT: Incredible Herbal V1gra - no side effects Nicole Esposito
Submitted: Mon, 05 Mar 2007 15:11:46 GMT: Herbal VI[at] , -GRA- Dailey
Submitted: Mon, 05 Mar 2007 08:58:11 GMT: Herbal VI[at] , -GRA- Lund
Submitted: Mon, 05 Mar 2007 08:08:03 GMT: Incredible Herbal V1gra - no side effects Curtis Ewing

However, spam is also reaching spam traps which accounts for the speed with which the IP address is being re-listed.

Reports of the problem are being sent to:

tony.mills[at]albacom.it
bernini[at]albacom.net
mills[at]albacom.net
ronci[at]albacom.net

Spam trap hits would most likely, in this situation, relate to spam sent through this IP address to these spam trap addresses. I'd be inclined to think there is a compromised PC on the network, hence the reason I suggested they look at their firewall logs as an aid to diagnosis.

That said, the email volumes are quite moderate so my gut diagnosis may be way off beam.

Senderbase reports ( http://www.senderbase.org/search?searchBy=...g=212.17.199.49 )

Magnitude / Vol Change vs. Average
Last day ........ 5.0 .. -30%
Last 30 days .. 3.6 .. -97%

Saipem (Author) Posted March 8, 2007

> The identifiable spam is as follows: Submitted: Tue, 06 Mar 2007 20:04:21 GMT: <snip> Submitted: Mon, 05 Mar 2007 08:08:03 GMT:

Hmmm, I was assuming being relisted was because of spam since the last listing, all those were before or during the original listing. Is it possible that the problem has been fixed but the reports have come in after the problem was fixed?

> However, spam is also reaching spam traps which accounts for the speed with which the IP address is being re-listed.

Ok so this means there is still definitely a problem? Is it possible to give me a few identifiable spam from more recently? As it would help me complain to the IT manager.

> Reports of the problem are being sent to: <snip>

Yeah I've asked them to check the email addresses, I don't think they are right, but I can't do anything to fix that except annoy my IT department, and we've got to remember I'm trying to do my job at the same time.

> Spam trap hits would most likely, in this situation, relate to spam sent through this IP address to these spam trap addresses. I'd be inclined to think there is a compromised PC on the network, hence the reason I suggested they look at their firewall logs as an aid to diagnosis.

Yeah I did basically suggest that, but I may have been too subtle. My next communication will be more direct.

> That said, the email volumes are quite moderate so my gut diagnosis may be way off beam. Senderbase reports ( http://www.senderbase.org/search?searchBy=...g=212.17.199.49 ) Magnitude Vol Change vs. Average Last day 5.0 -30% Last 30 days 3.6 -97%

I'm afraid I'm not sure I'm getting the point of those stats, doesn't that suggest that in the last 30 days the mail volume through that IP has gone down to half what it averages, and the volume in the last day is up, but still down on the average? What is that average based on?

Telarin Posted March 8, 2007

Unfortunately, no one here has access to email that has hit spam traps. We can only see those reports that Wazoo already posted, which are spams submitted by reporters. To get information on spam trap hits, you would have to email deputies[at]admin.spamcop.net

As far as the senderbase statistics, the 5.0 magnitude indicates that approximately 100,000 emails are being sent from that IP address each day.

Saipem (Author) Posted March 8, 2007

> Unfortunately, no one here has access to email that has hit spam traps. We can only see those reports that Wazoo already posted, which are spams submitted by reporters. To get information on spam trap hits, you would have to email deputies[at]admin.spamcop.net

Don't worry, I've been reading around so I understand why we can't find out about the spam traps, just thought there might have been more recent reports. And I don't want to overstep my position by dealing directly with spam corp, when my IT department should be. I can't really complain to IT that the problem hasn't been fixed if we could have been blocked because of badly set up auto-responses (is that right?) and I don't have some proof that that IP is still sending out spam.

> As far as the senderbase statistics, the 5.0 magnitude indicates that approximately 100,000 emails are being sent from that IP address each day.

That is interesting. Considering the size of the company that's not much at all, there must be loads of gateways, which means either my part of the company only use a small proportion of them, or I've been very very unlucky. That means that all those 100k emails are blacklisted (if spam corp doesn't condone blocking why do most people call it a "Blocklist"?). I guess I can assume that someone else is complaining too!

:looking on the Senderbase Help now to work out what the numbers mean... under common tasks it says this: "It is also useful to abuse desk managers tasked with investigating". Originally thought there was a pause between abuse and desk :-)

Hmmm, so would an 800% increase in mail in the last 24 hours suggest spam? http://www.senderbase.org/search?searchBy=...g=212.17.199.37 Great. :-(

Wazoo Posted March 8, 2007

http://spamcop.net/w3m?action=checkblock&a...p=212.17.199.49

212.17.199.49 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 0 hours.

Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
SpamCop users have reported system as a source of spam less than 10 times in the past week

It appears this listing is caused by misdirected bounces.

Other hosts in this "neighborhood" with spam reports
212.17.199.37
212.17.199.48
212.17.199.154

http://www.senderbase.org/search?searchBy=...g=212.17.199.49

Volume Statistics for this IP
Magnitude / Vol Change vs. Average
Last day ........ 5.0 .. -28%
Last 30 days .. 3.6 .. -97%
Average ........ 5.1

# of domains controlled by this network owner 3

Addresses in relayout.eni.it used to send email - Showing 1 - 3 out of 3
212.17.199.49 relayout.eni.it Y 5.0 3.6
212.17.199.154 relayout.eni.it Y 4.9 3.6
212.17.199.37 relayout.eni.it Y 4.2 3.4

http://www.senderbase.org/search?searchBy=...relayout.eni.it

Volume Statistics for this Domain
Magnitude / Vol Change vs. 30 Day
Last day ........ 5.0 .. 950%
Last 30 days .. 4.0

Oddity in that there are three IP addresses showing for output servers, but the 'names' are the same ....

03/08/07 15:10:37 Slow traceroute 212.17.199.49
Trace 212.17.199.49 ...
166.49.180.51 RTT: 140ms TTL:208 (t2a3-ge2-0.it-mil2.eu.bt.net ok)
166.49.233.2 RTT: 143ms TTL:208 (166-49-233-2.eu.bt.net bogus rDNS: host not found [authoritative])
213.255.14.69 RTT: 144ms TTL:208 (No rDNS)
212.17.207.247 RTT: 144ms TTL:208 (No rDNS)
212.17.199.152 RTT: 143ms TTL:208 (No rDNS)
* * * failed

03/08/07 15:12:54 Slow traceroute 212.17.199.154
Trace 212.17.199.154 ...
166.49.233.2 RTT: 139ms TTL:208 (166-49-233-2.eu.bt.net bogus rDNS: host not found [authoritative])
213.255.14.5 RTT: 146ms TTL:208 (No rDNS)
212.17.207.247 RTT: 149ms TTL:208 (No rDNS)
212.17.199.152 RTT: 146ms TTL:208 (No rDNS)
* * * failed

03/08/07 15:14:46 Slow traceroute 212.17.199.37
Trace 212.17.199.37 ...
166.49.233.2 RTT: 151ms TTL:208 (166-49-233-2.eu.bt.net bogus rDNS: host not found [authoritative])
213.255.14.5 RTT: 144ms TTL:208 (No rDNS)
212.17.207.247 RTT: 154ms TTL:208 (No rDNS)
212.17.199.152 RTT: 145ms TTL:208 (No rDNS)
* * * failed

Pretty consistent with the lack of rDNS and blocking of ICMP traffic

> Hmmm, so would an 800% increase in mail in the last 24 hours suggest spam? http://www.senderbase.org/search?searchBy=...g=212.17.199.37 Great. :-(

The possibility exists that the downwards trend on the other two IP addresses is because that traffic is being moved to this server, causing its traffic flow to show this increase ....???? anyway, off to do other things .. just setting some other data points here.

Merlyn Posted March 8, 2007

You must admit there is a lot of garbage coming from those servers. Looking at the reports it is mostly drugs, loans etc.... Lot of zombies behind that network.

Farelf Posted March 9, 2007

Currently 212.17.199.37 is listed on LashBack Unsubscribe Blacklist though that could have as much (or more) to do with their product sales aspirations as it might with the actual cause of listing there. Nevertheless, another potential source of information on supposed spam originating from the IP address.

Saipem (Author) Posted March 9, 2007

Ok, there are lots of things I don't understand in the last three posts, except the fact 49 has been delisted. So thanks again for your help. I intend to be back here on Monday after the weekend to try to untangle the various bits of jargon :-)

Derek T Posted March 10, 2007

> Although, I do know my address has been spoofed in the past for spam (it's an odd experience receiving a mail from yourself that you've not sent! and then working out if it should go on the block senders list made my head hurt!) so obviously if they whitelist my address they will get the spoofed emails won't they?

Unfortunately, yes, but they won't be chucking the baby out with the bathwater.

Derek T Posted March 10, 2007

> That means that all those 100k emails are blacklisted (if spam corp doesn't condone blocking why do most people call it a "Blocklist"?). I guess I can assume that someone else is complaining too!

Unfortunately the injecting IP is the only thing that can't be spoofed/forged: spammers have spoilt it for everyone. Admins that DO have a clue welcome the 'heads-up' from SpamCop that something has gone horribly wrong. Clueless ones blame the messenger.

SpamCop says of its list that it is aggressive and does not recommend using it as a 'reject'-list. For its own customers it 'blocks' it from our Inboxes and files it under 'Held-mail'. However, as it costs the receiver money to accept all that spam, some choose to reject altogether. Their server, their rules.

I think it can be fairly said that SpamCop is the easiest list to get on, and the easiest to get off once the problem is fixed: both are entirely automatic.

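Added example (not part of the original thread and not any poster's code): the recipient-side decision discussed above, where blocklisting keys on the connecting IP, whitelisting keys on the sender address, and a listed message is either held or rejected. The DNS answers, the sender user@example.co.uk, the host 203.0.113.7, the 212.17.199.0/24 range and the optional pinned check are assumptions made for illustration.

```python
import ipaddress

ZONE = "bl.spamcop.net"  # DNSBL zone named in the thread

# Constructed DNS answers standing in for live lookups, so this runs offline.
# 212.17.199.49 is the gateway from the thread; 203.0.113.7 is a documentation
# address playing an unrelated listed host that forges the same sender.
CONSTRUCTED_DNS = {
    "49.199.17.212.bl.spamcop.net": ["127.0.0.2"],
    "7.113.0.203.bl.spamcop.net": ["127.0.0.2"],
}


def resolve(name):
    """Return the A records for name, or [] for NXDOMAIN (not listed)."""
    return CONSTRUCTED_DNS.get(name, [])


def dnsbl_query_name(ip, zone=ZONE):
    """A DNSBL is queried by reversing the IPv4 octets under the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, resolver=resolve):
    """Any 127.x.x.x answer means listed; the thread shows 127.0.0.2."""
    return any(a.startswith("127.") for a in resolver(dnsbl_query_name(ip)))


def decide(client_ip, mail_from, whitelist, listed_action="hold", pinned=None):
    """Recipient-side policy: 'accept', 'hold' (held mail) or 'reject'.

    whitelist: sender addresses accepted from any IP.
    pinned (added variation): {address: CIDR}; the whitelist entry then only
    applies when the connecting IP is inside that range.
    """
    sender = mail_from.lower()
    if sender in whitelist:
        net = (pinned or {}).get(sender)
        if net is None or ipaddress.ip_address(client_ip) in ipaddress.ip_network(net):
            return "accept"
    return listed_action if is_listed(client_ip) else "accept"


if __name__ == "__main__":
    me = "user@example.co.uk"  # constructed sender address
    for ip in ("212.17.199.49", "203.0.113.7"):
        print(ip, decide(ip, me, set()), decide(ip, me, {me}),
              decide(ip, me, {me}, pinned={me: "212.17.199.0/24"}))
```

With a plain address whitelist the forged message from 203.0.113.7 is accepted, which is the trade-off confirmed in the thread; the pinned variant holds it while still accepting mail from the real gateway.
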
Archived
This topic is now archived and is closed to further replies.