elvey Posted July 12, 2007 Share Posted July 12, 2007 It seems there isn't a forum for spamcop report recipients other than this thread, so posting here. I recently received a legit report of a spam apparently sent from an IP in an IP range I monitor that also referenced an URL that resolves to an IP in that same range. Oddly, I only received one report, for the domain. Is that normal? I do normally get reports for SUBE from that IP. FYI, for admins: the report id:2372902008 It makes me wonder if some of the reports I should be getting are going missing. I don't spam-filter reports from spamcop; e.g. I see one from the 1st that scored 19. Actually, I just noticed it happened again, with report id:2378805404 ! If I have spamcop analyze the spam, it seems to accept the hand-off the Received lines indicate an blame another IP. I should hear back soon about whether logs show the spam went out from the IP range in question. Link to comment Share on other sites More sharing options...
StevenUnderwood Posted July 12, 2007 Share Posted July 12, 2007 It seems there isn't a forum for spamcop report recipients other than this thread, so posting here. I recently received a legit report of a spam apparently sent from an IP in an IP range I monitor that also referenced an URL that resolves to an IP in that same range. Oddly, I only received one report, for the domain. Is that normal? I do normally get reports for SUBE from that IP. FYI, for admins: the report id:2372902008 It makes me wonder if some of the reports I should be getting are going missing. I don't spam-filter reports from spamcop; e.g. I see one from the 1st that scored 19. Actually, I just noticed it happened again, with report id:2378805404 ! If I have spamcop analyze the spam, it seems to accept the hand-off the Received lines indicate an blame another IP. I should hear back soon about whether logs show the spam went out from the IP range in question. First, this is the forum for your query even though you are not necessarily on the blocklist at the moment. I believe you should only receive 1 report, primarily for the source of the spam and may mention the URL issue as well. SpamCop does not want to overwhelm administrators with multiple emails per spam. I would be interested in seeing the spamcop parse. The link in the report should get to one you could post the URL for. Your later lines seems to indicate the source email went elsewhere because that is what the parse determined. Link to comment Share on other sites More sharing options...
Wazoo Posted July 13, 2007 Share Posted July 13, 2007 geeze .. if I can actually make a post .... I'll toss in my disagreement about the placement of this post/query. It is in fact dealing with the "Reporting" side of the house. I'd move it, but .... again, I'm not even sure if I will be able to get this post made .... On the other hand, there are no "Admins" here with access to a Report ID .... several FAQ entries deal with this, the "user to user support Forum" description, etc. etc. So what would be needed for any input 'here' would be a Tracking URL. The Wiki has a page or two about "Types of Reports" that may or may not answer the actual question .... (dang .... something like 17 tries to post this .. and now I want to edit it ...) Confusing, over a half-hour trying to pull up a few Wiki pages .... and cannot find the one that was in my head, so ... change the reference to a FAQ page 'here' .... SpamCop Report Types Link to comment Share on other sites More sharing options...
Miss Betsy Posted July 13, 2007 Share Posted July 13, 2007 I am with Steven here. A question about /getting/ reports is more likely to be of interest to those interested in blocklist issues rather than reporting issues. The parse was just a tool to discover what was going on. IIUC, your last remarks about the results of the parse seem to indicate that this time one report went to the 'source' and the other report went to you as the spamvertised site even though the way you read the headers, the email did come from your IP. If you post a Tracking URL (you can cancel the report), then perhaps others can show you why the headers do not show your IP as the source. IIWY, I would be looking for ways to stop the spam from leaving that IP address. But maybe there is a good reason why you are monitoring the reports. Miss Betsy Link to comment Share on other sites More sharing options...
elvey Posted July 18, 2007 Author Share Posted July 18, 2007 I am with Steven here. A question about /getting/ reports is more likely to be of interest to those interested in blocklist issues rather than reporting issues. The parse was just a tool to discover what was going on. IIUC, your last remarks about the results of the parse seem to indicate that this time one report went to the 'source' and the other report went to you as the spamvertised site even though the way you read the headers, the email did come from your IP. If you post a Tracking URL (you can cancel the report), then perhaps others can show you why the headers do not show your IP as the source. IIWY, I would be looking for ways to stop the spam from leaving that IP address. But maybe there is a good reason why you are monitoring the reports. Miss Betsy You understand correctly (except I'm technically a 3rd-party report recipient). Ok, turns out nothing is wrong; spamcop is working correctly. The spam was indeed sent through the system at the IP range I monitor (let's call it "FM") and spamcop blamed the IP of the machine that submitted it to FM via (authenticated) SMTP, because spamcop in this case accepted the Received header line FM had added. I was thrown because abuse of FM via (authenticated) SMTP is very rare. Thanks, folks. And I'll be sure to post a tracking URL next time I have a question/issue, so more folks here can look/help. As for "looking for ways to stop the spam from leaving that IP address": for FM, this has to a great extent come down to figuring out how to detect credit card fraud, such as with FraudCall. Link to comment Share on other sites More sharing options...
Miss Betsy Posted July 18, 2007 Share Posted July 18, 2007 Thanks for coming back and indicating the resolution! I don't remember if I mentioned that web hosting and server administration are not very comprehensible to me since I have no experience with either. You are obviously are a responsible person taking such measures as you can to prevent spam. However, isn't there any way to measure quantity of email sent to give you a heads up that something might be going on? Perhaps it is because of your 3rd party status that you can't do that. I sure hope that you never have to post a tracking url, but if you do, I hope that the experienced posters are around to help figure it out! Miss Betsy Link to comment Share on other sites More sharing options...
elvey Posted July 18, 2007 Author Share Posted July 18, 2007 Rate limiting and outgoing spam detection are already in place. They're quite effective; I estimate the mail stream from FM is about 99.9% ham. But FM has been the subject of a header-forging joe-job attack... I'll write more soon. Link to comment Share on other sites More sharing options...
turetzsr Posted July 21, 2007 Share Posted July 21, 2007 <snip> Ok, turns out nothing is wrong; spamcop is working correctly. The spam was indeed sent through the system at the IP range I monitor (let's call it "FM") and spamcop blamed the IP of the machine that submitted it to FM via (authenticated) SMTP, because spamcop in this case accepted the Received header line FM had added. I was thrown because abuse of FM via (authenticated) SMTP is very rare. Thanks, folks. <snip> ...As Miss Betsy remarked, above, in linear post #6, thanks for letting us know! Based on this, I am marking this Forum thread as "Resolved." Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.