acdha Posted May 3, 2007 Share Posted May 3, 2007 I've been receiving spam from a Nuvox.net customer for several years. I've never received a response from Nuvox's abuse department and - more interestingly - they've never been added to the SpamCop blacklist, despite the fact that this is blatant spam sent directly from their network: Received: from mhi-inc.com (unknown [66.148.201.62]) by mx.example.edu (Postfix) with ESMTP id BFCD474113 for <me[at]example.edu>; Wed, 2 May 2007 05:49:44 -0700 (PDT) Received: from BM2 [10.0.0.20] by mhi-inc.com [10.0.0.2] with SMTP (MDaemon.PRO.v5.0.4.R) for <me[at]example.edu>; Tue, 01 May 2007 18:06:11 -0400 I'm apparently not alone in receiving their spam: http://www.highprogrammer.com/alan/spammer...al-mhi-mxi.html http://zippy.physics.niu.edu/ http://www.trustedsource.org/query.php?q=66.148.201.62 This leads to two questions: 1) What's the best way to make sure they end up on the BL? 2) Is there a good way to motivate rogue ISPs like Nuvox who are apparently unconcerned about spam from their customers? I've filed reports with the upstreams at various times and the only change is that they appear to have stopped using above.net (all other spam before and after came through gblx.net). Link to comment Share on other sites More sharing options...
Wazoo Posted May 3, 2007 Share Posted May 3, 2007 1) What's the best way to make sure they end up on the BL? Let's start the answer there by pointing out just how hard everyone has tried to hide that data .... Wiki - What is the SpamCop Blocking List (SCBL)? SpamCop FAQ links at the top of this page SpamCop Blocking List Service How do I configure my mailserver to reject mail based on the blocklist? What is on the list? ^^^^^^^^^^^^ Original FAQ - SpamCop Blocking List information How do I configure my mailserver to reject mail based on the blocklist? How can I use the blocklist without mailserver configuration? What is the SpamCop Blocking List (SCBL)? ^^^^^^^^^^^^^^^^^^^^^^^^^^^ The bad/reported traffic from the IP address in question has to meet the formula involved for a listing / de-listing Note: there are many other BLs in use, all with different rules, requirements .. the SpamCopDNSBL is unique 2) Is there a good way to motivate rogue ISPs like Nuvox who are apparently unconcerned about spam from their customers? I've filed reports with the upstreams at various times and the only change is that they appear to have stopped using above.net (all other spam before and after came through gblx.net). Honesty .. if there was an 'effective' way that had 100% positive results, wouldn't you guess that the issue would have been resolved years ago? Reality ... check the tons of other Topics around here with numerous ways to make you complaints mean something, other tools available for various other actions, be it other complaints, additional filtering/handling of incoming e-mail, etc. Link to comment Share on other sites More sharing options...
Farelf Posted May 4, 2007 Share Posted May 4, 2007 The SCBL is a blunt tool when dealing with this sort of situation. Report on IP address: 66.148.201.62 Volume Statistics for this IP Magnitude Vol Change vs. Average Last day 4.7 27042% Last 30 days 3.5 1541% Average 2.3 Other information about this IP address Sender Category: - Network Owner: NuVox Communications Domain: mhi-inc.com Date of first message seen from this address: 2007-03-22 CIDR range: 66.148.192.0/19 # of domains controlled by this network owner: 2843 No address list shown since no email was detected from mhi-inc.com. So, the spew on that IP address is effectively shielded by the great size of NuVox [can only assume that little of it hits other SC reporters else the Deputies really should be looking at the reputation score part of the listing equation in this instance]. mhi-inc.com doesn't have its own registered abuse address. You've tried upstream, maybe you should try downstream? DNS Report for mhi-inc.com confirms a valid abuse[at]mhi-inc.com address1 (but not, of course, confirming that anyone looks at such mail). Looking at NuVox, where the abuse reports currently go:Report on network owner: NuVox Communications Volume Statistics for this Network Owner Magnitude Vol Change vs. Average Last day 6.8 -72% Last 30 days 6.8 -70% Average 7.3 Which totally masks what is happening at the lower level. So - different tools for different purposes (to paraphrase Wazoo). A list of spam databases at http://www.dnsstuff.com/tools/ip4r.ch?ip=66.148.201.62 shows just 2 with that IP address listed - one of which is also shown in the first SenderBase lookup, above, and which has the IP repeatedly sinbinned for relaying. 1Actually, I think there are problems with that address, maybe it just diverts to abuse[at]mhi-inc.com, but try that one instead. They may not have the access to do anything directly (and again they may not even see anything sent there) but they seem perfectly straight and probably concerned about their bandwidth and reputation. Other than that, maybe try the contact form on their website Link to comment Share on other sites More sharing options...
acdha Posted May 8, 2007 Author Share Posted May 8, 2007 Let's start the answer there by pointing out just how hard everyone has tried to hide that data .... What is the SpamCop Blocking List (SCBL)? ^^^^^^^^^^^^^^^^^^^^^^^^^^^ The bad/reported traffic from the IP address in question has to meet the formula involved for a listing / de-listing I had actually read that - but it doesn't answer the question I actually asked: what might account for the BL failing in this specific case with repeated spam from the same netblock, frequently even the same IP? I've been using Spamcop for something like 8 years by now - normally reported IPs get listed quickly; in this case they've never been listed despite years of spamming from the same unresponsive ISP. Farelf's response was nice both for not assuming that I was a completely idiot and confirming that there really isn't much to do with a small-scale, targeted spam operation. Honesty .. if there was an 'effective' way that had 100% positive results, wouldn't you guess that the issue would have been resolved years ago? Interestingly, actually reading my post might confirm that I didn't ask for a 100% effective approach or tips on filtering my email. I was interested in learning whether there was a better strategy for contacting Nuvox, given that volume makes it harder for complaints about small-scale spammers to stand out from the torrent of abuse reports most ISPs receive. So, the spew on that IP address is effectively shielded by the great size of NuVox [can only assume that little of it hits other SC reporters else the Deputies really should be looking at the reputation score part of the listing equation in this instance]. mhi-inc.com doesn't have its own registered abuse address. You've tried upstream, maybe you should try downstream? Thanks - I have sent various replies to MHI's contacts (both the ones listed on their website and the address used to send spam) and never received a response, so I'm just going to leave them in my personal blacklist since they're far too small scale for any legal strategy. Link to comment Share on other sites More sharing options...
Wazoo Posted May 8, 2007 Share Posted May 8, 2007 I had actually read that - but it doesn't answer the question I actually asked: what might account for the BL failing in this specific case with repeated spam from the same netblock, frequently even the same IP? I've been using Spamcop for something like 8 years by now - normally reported IPs get listed quickly; in this case they've never been listed despite years of spamming from the same unresponsive ISP. On the referenced pages are descriptions of a formula involved. Three primary variables are identified, e-mail traffic 'seen' .... reported spam/spamtrap hits ... and the IP address ..... the nebulous variable of 'reputation points' is included in the description. http://www.senderbase.org/search?searchBy=...g=66.148.201.62 Volume Statistics for this IP Magnitude Vol Change vs. Average Last day ........ 0.0 ..... -100% Last 30 days .. 3.5 ..... 1588% Average ........ 2.3 Let's ignore the 'last day = zero' issue for right now, rather looking at the flow when it was in real spew mode. SenderBase's "Magnitude" Explained suggests that a magnitude of 3.5 is approximately 8,000 e-mails a day. Report History: the last 90 days ------------------------------------------------------ Submitted: Wednesday, May 02, 2007 11:36:17 AM -0500: Robust Hot Air Tools 2271080165 ( http://www.bayzi.com/ ) To: abuse[at]crystaltech.com 2271080148 ( http://www.bayzi.com/ ) To: abuse-nonverbose[at]qwest.net 2271080122 ( http://www.mhi-inc.com/ ) To: spamcop[at]nuvox.net 2271080119 ( 66.148.201.62 ) To: spamcop[at]nuvox.net ----------------------------------------------------- Submitted: Friday, April 20, 2007 12:26:06 PM -0500: MHI Microheaters 2254625661 ( http://www.buyrefractory.com/CPStorefrontend24/... ) To: abuse[at]crystaltech.com 2254625660 ( http://www.buyrefractory.com/CPStorefrontend24/... ) To: abuse-nonverbose[at]qwest.net 2254625659 ( http://www.mhi-inc.com/ ) To: spamcop[at]nuvox.net 2254625658 ( 66.148.201.62 ) To: spamcop[at]nuvox.net -------------------------------------------------------- Submitted: Tuesday, March 27, 2007 6:41:33 PM -0500: High Temperature Lab Furnaces 2218142295 ( http://www.buyrefractory.com/CPStorefrontend24/... ) To: abuse[at]crystaltech.com 2218142294 ( http://www.buyrefractory.com/CPStorefrontend24/... ) To: abuse-nonverbose[at]qwest.net 2218142292 ( http://www.mhi-inc.com/ ) To: spamcop[at]nuvox.net 2218142291 ( 66.148.201.62 ) To: spamcop[at]nuvox.net Would you care to try to do the math and make the result translate into meeting a "listed" condition? One reported spam a month as leveraged against 8,000 e-mails a day? Farelf's response was nice both for not assuming that I was a completely idiot and confirming that there really isn't much to do with a small-scale, targeted spam operation. I made no assumptions when I posted my first reply. The response to that referenced FAQ data does tend to lead to some judgements though ... Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.