
Blocklists being ignored



I've got all the blocklists checked in my SpamCop email options. But I just got a spam mail which bypassed the holding area, despite the reporting system identifying it as coming from a blocked IP.

Forgive this newbie question... I do not know how to post links to the report, if you want to see it.


Since I have been reporting on a daily basis for a few weeks and still get the same spam every day, I often wonder how effective this is myself. Makes you wonder if spammers have found some clever way to circumvent the blocks. When they seem to be blocked even briefly, I start getting virus attachments, then the spam starts again. :(


Is anything being held for you or is all going to your inbox? If so, do you possibly have your account marked as Tag Only? To check, go to Options, SpamCop Tools, Select your email filtering blacklists, and look at the top for the Tag Only check box.

Otherwise, if you copy/paste the headers, specifically the X-spam and X-Spamcop ones into your reply, we should be able to see why it was not held.


Tag Only is not set. It is holding quite a few spam mails, but this one slipped through... If you paste this into the web reporting page, you'll see it identifies the relay as...

211.158.15.60 listed in dnsbl.sorbs.net ( 127.0.0.10 )

So my question is... why did it slip through? I have ALL blocklists selected in my options.

My apologies if this is in the wrong place. It seems more applicable to the reporting service (which appears at fault here) than the email account.

May I make the secondary observation that so far this forum has seemed far more friendly (and far less flammable) than any other I use... but seeing phrases like "Attn: Moderator" kinda rankles me!

From eidetic[at]merrycrimbo.com Wed Mar 31 18:28:56 2004
Return-path: <eidetic[at]merrycrimbo.com>
Envelope-to: x
Delivery-date: Wed, 31 Mar 2004 18:28:56 +0100
Received: from out2.smtp.messagingengine.com ([66.111.4.26])
    by nina with esmtp (Exim 3.36 #2)
    id 1B8jWK-0005LS-00
    for x; Wed, 31 Mar 2004 18:28:56 +0100
Received: from server1.messagingengine.com (server1.internal [10.202.2.132])
    by mail.messagingengine.com (Postfix) with ESMTP id 221038E670F
    for <x>; Wed, 31 Mar 2004 12:28:54 -0500 (EST)
Received: by server1.messagingengine.com (Postfix, from userid 503)
    id 1596A4803E; Wed, 31 Mar 2004 12:28:54 -0500 (EST)
Received: from frontend1.messagingengine.com (mysql.internal [10.202.2.150])
    by www.fastmail.fm (Cyrus v2.2.3) with LMTP; Wed, 31 Mar 2004 12:28:53 -0500
X-Sieve: CMU Sieve 2.2
X-spam-score: 1.2
Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49])
    by smtp.us.messagingengine.com (Postfix) with ESMTP id 709248E5174
    for <x>; Wed, 31 Mar 2004 12:25:46 -0500 (EST)
Received: from unknown (HELO blade4.cesmail.net) (192.168.1.214)
    by c60.cesmail.net with SMTP; 31 Mar 2004 12:25:47 -0500
Received: (qmail 20232 invoked by uid 1010); 31 Mar 2004 17:25:47 -0000
Delivered-To: x
Received: (qmail 20180 invoked from network); 31 Mar 2004 17:25:45 -0000
Received: from unknown (192.168.1.101)
    by blade4.cesmail.net with QMQP; 31 Mar 2004 17:25:45 -0000
Received: from nina-2.cs.keele.ac.uk (HELO nina.cs.keele.ac.uk) (160.5.89.35)
    by mailgate.cesmail.net with SMTP; 31 Mar 2004 17:25:45 -0000
Received: from ktv16-59-85.catv-pool.axelero.hu ([62.201.85.59])
    by nina with smtp (Exim 3.36 #2)
    id 1B8jT7-00029t-00
    for x; Wed, 31 Mar 2004 18:25:42 +0100
Received: from merrycrimbo.com (mail4.netwinsite.com [216.65.3.237])
    by ktv16-59-85.catv-pool.axelero.hu (Postfix) with ESMTP id BE2D4EC4B0
    for <x>; Wed, 31 Mar 2004 09:22:34 -0800
Message-ID: <0010______________________bf69[at]merrycrimbo.com>
From: "Victualed K. Bugaboos" <eidetic[at]merrycrimbo.com>
To: S <x>
Subject: S, need meds?
Date: Wed, 31 Mar 2004 09:22:34 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_0018_50BCE6E8.997F2CB8"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Remote-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade4
X-Remote-spam-Level: *
X-Remote-spam-Status: hits=1.0 tests=HTML_30_40,HTML_FONT_FACE_BAD,HTML_MESSAGE
    version=2.63
X-Remote-SpamCop-Checked: 192.168.1.101 160.5.89.35 62.201.85.59 216.65.3.237
Status: RO

------

For info, the incoming mail is delivered to nina.cs.keele.ac.uk (my mailhost) and then forwarded to SpamCop. After you've done your bit, it is forwarded to FastMail, which then forwards back to nina - hence the long chain of Received: headers! And yes, I DO have an Exim script on nina to make sure things don't go round and round!


X-Remote-SpamCop-Checked: 192.168.1.101 160.5.89.35 62.201.85.59 216.65.3.237

211.158.15.60 listed in dnsbl.sorbs.net ( 127.0.0.10 )

1. Nowhere do I or did spamcop see this message go through or from that host. The list spamcop checked is shown in the headers. Since it did not see that IP, it did not check that IP.

2. Could you post a tracking URL for this, I would like to see how the parser came to the conclusion you are stating (211.158.15.60). I have mailhosts configured, so my parse would not work for this.

3. I assume one of your hosts (maybe FastMail) is modifying the X-SpamCop headers after SpamCop processing, as they should not have the -Remote part in there. It will not affect parsing, however, as those lines are ignored anyway.


211.158.15.60 listed in dnsbl.sorbs.net ( 127.0.0.10 )

It might just be the old age thing, but I can't see this IP in your spam header sample, so I can't make an immediate jump as to why it'd show up in a parse.

Based on recent commentary at http://forum.spamcop.net/forums/index.php?showtopic=808 ... is it at all possible that one of the items you mung'd out is a white-listed address?

My apologies if this is in the wrong place. It seems more applicable to the reporting service (which appears at fault here) than the email account.

Not sure I agree ... I grok that you're asking about filtering on your SpamCop e-mail account. Though you did mention a "reporting issue(?)" .. I can't come up with the IP you mention, so not sure at all where that might have come from.

The way I read this header, the source complaint would have gone to:

Parsing input: 216.65.3.237

host 216.65.3.237 = mail4.surgeweb.com (cached)

Reporting addresses:

abuse[at]hostcentric.com

and at present, http://www.spamcop.net/w3m?action=checkblock&ip=216.65.3.237 says it's not listed, although it sure has the appearance of being a "bad" place.

Based on all of the above, I am going to move this over to the E-Mail Forum.


Hi, flomp!

<snip>

My apologies if this is in the wrong place. It seems more applicable to the reporting service (which appears at fault here) than the email account.

May I make the secondary observation that so far this forum has seemed far more friendly (and far less flammable) than any other I use... but seeing phrases like "Attn: Moderator" kinda rankles me!

<snip>

...Sorry for having rankled you -- that was not my intention. Please note I intentionally did not flame you with something like, "Hey, follow the rules and post to the right forum!" I realize that it is not always the first consideration to find the right place to post when you have a problem you need addressed. Fortunately, the Moderator(s) are able to move things to the right place, so don't worry about it! :)


Thanks for taking the time to look into this.

I have not munged the headers at all... what I pasted above was exactly as SpamCop munged it (with the <x> bits in there).

The IP that shows up in the blocklist is actually found by following one of the obfuscated links in the email body.

You can see the entire email at: 842158870

And the parsed bit that identifies the IP at: 842159012

Sorry, as I said above, I do not know how to link to these reports directly.

There may be a reason why SpamCop doesn't hold email where obfuscated IPs are included in the body of a message... perhaps this could be a configurable option - I know I don't ever want to receive such things!


I realize that it is not always the first consideration to find the right place to post when you have a problem you need addressed

But that's my point... I *DID* look through the boards to see if anything similar had cropped up, and I selected the board I felt best suited the problem.

If I got the wrong one, it was not for lack of trying! It *WAS* my first consideration!

I'll just go get a coffee and calm down now. I do appreciate the help.


Thanks for taking the time to look into this.

It'd be better if we could get your questions answered though, wouldn't it? <g>

I have not munged the headers at all... what I pasted above was exactly as SpamCop munged it (with the <x> bits in there).

You can see the entire email at: 842158870

And the parsed bit that identifies the IP at: 842159012

Sorry, as I said above, I do not know how to link to these reports directly

OK, what should work is that if you can get back to where you got those numbers (I think) .. look for an item called the "Tracking URL" ... copy and paste that in your next post. That will allow "us" to go see "your" parse result page.

The remark on the munging was just calling out one of the things I couldn't see to point to as a possible reason for the spam not being "held" .. again, suggesting that perhaps that address was in your "white-list" collection. But, as the source IP was not listed when I last checked, there's no apparent reason (from the details I have at present) to see why it would have been stopped ... the Tracking URL might answer some of these remaining questions.

The IP that shows up in the blocklist is actually found by following one of the obfuscated links in the email body.

Ouch! Your first post said "despite the reporting system identifying it as coming from a blocked IP" which I wasn't able to back up. Now it's odd that you say that a Blocked IP would show up in a listing for a URL in the body .... web-site URL's don't go on the BL, and it's rare that a web-server would be at the same IP as an e-mail server .. so, think we're back to the Tracking URL to see how all this came together.

There may be a reason why SpamCop doesn't hold email where obfuscated IPs are included in the body of a message... perhaps this could be a configurable option - I know I don't ever want to receive such things!

In the past, SpamCop dumped the bodies, kept the headers for a bit .. recently that part of the system got upgraded with some monster drives, so currently, the entire spam submittal is available .. this is where the Tracking URL really comes into play these days.


I realize that it is not always the first consideration to find the right place to post when you have a problem you need addressed

But that's my point... I *DID* look through the boards to see if anything similar had cropped up, and I selected the board I felt best suited the problem.

If I got the wrong one, it was not for lack of trying! It *WAS* my first consideration!

I'll just go get a coffee and calm down now. I do appreciate the help.

If it's any help, coming up with answers to questions isn't always easy either <g> With JT doing the e-mail thing on the east coast, Julian doing the reporting thing on the west coast, and some of that hardware / software actually residing somewhere else (I can't recall off the top of my head where that part of the system is physically located now) and the fact that only those two people know the actual internals of how things work, with a handful of people doing the Deputy thing .. that leaves the other 99% of us as users trying to help other users with only the data we've picked up along the way to try to fashion solutions. These Forums are but just a couple of months old, so we're all still trying to sort things out <g>


The page of the 'parser output' which identifies the IP on the SORBS blocklist can be found here...

http://mailsc.spamcop.net/sc?track=http%3A....php%3Fid%3Dd13

Original mail (headers and body) can be found here...

http://mailsc.spamcop.net/mcgi?action=gett...ortid=842158870

May I thank Wazoo for the helpful and calming remarks. Are you a volunteer fire-fighter by any chance? :lol:


It is still happening. Here's another report ID... this time the IP *is* listed in those checked by SpamCop, and it *is* on the SORBS blacklist, yet it STILL wasn't put in the held-mail area.

http://www.spamcop.net/sc?id=z383551606z3c...a13c24eeb39279z

Although I commend what SpamCop is trying to achieve, it is exactly this kind of slip-through that I paid my $30 to avoid!


It is possible that the IP Address in question wasn't listed by the SORBS DNSbl at the time of receipt by the SpamCop Email System, but was listed by the time you parsed it using the SpamCop Parsing and Reporting System (and when I just parsed it again).


It is also possible that the SpamCop Email System is not using all of the result codes that dnsbl.sorbs.net provides. In this case, 213.130.143.35 is listed with result code 127.0.0.10, which indicates "Dynamic IP Space (Cable, DSL & Dial Ups)" and "Dynamic Address Space [Active]" per the results of the "Check Entry" Button on this SORBS webpage.

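An added example (not SpamCop's code, and not from anyone in this thread) of the check the replies above describe: walk the Received: chain, query each public relay against a DNSBL by reversed-octet name, and decode the 127.0.0.x answer. It also shows why an IP that only appears in a body link (211.158.15.60 in this thread) is never queried by a header-based filter. The DNSBL answers are a constructed in-memory table so it runs offline; the sample message is constructed too, using the 213.130.143.35 listing from the post above.

```python
"""Check each relay in a Received: chain against a DNSBL and decode the answer."""
import ipaddress
import re

ZONE = "dnsbl.sorbs.net"

# Constructed DNSBL answers (reversed-octet name -> A record) so this runs
# offline; 213.130.143.35 -> 127.0.0.10 is the listing reported in the thread.
FAKE_DNS = {"35.143.130.213." + ZONE: "127.0.0.10"}

# Meaning of the code seen in the thread; SORBS documents the other codes.
CODE_MEANING = {"127.0.0.10": "Dynamic IP Space (Cable, DSL & Dial Ups)"}

# Constructed message: one internal hop, one external relay, and a body link
# carrying the IP the reporting parser flagged (211.158.15.60).
SAMPLE_MESSAGE = """\
Received: from unknown (192.168.1.101)
  by blade4.cesmail.net with QMQP; 31 Mar 2004 17:25:45 -0000
Received: from ktv16-59-85.catv-pool.axelero.hu ([213.130.143.35])
  by nina with smtp (Exim 3.36 #2)
  for x; Wed, 31 Mar 2004 18:25:42 +0100
Subject: S, need meds?

Click http://211.158.15.60/ for meds
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def received_ips(message):
    """IPs named in Received: headers, newest hop first; the body is never read."""
    headers = message.split("\n\n", 1)[0]
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join folded header lines
    ips = []
    for line in unfolded.splitlines():
        if line.lower().startswith("received:"):
            for ip in IP_RE.findall(line):
                if ip not in ips:
                    ips.append(ip)
    return ips

def dnsbl_lookup(ip, zone=ZONE, resolve=FAKE_DNS.get):
    """Query <reversed octets>.<zone>; return the A record or None if unlisted."""
    return resolve(".".join(reversed(ip.split("."))) + "." + zone)

def check_chain(message, resolve=FAKE_DNS.get):
    """Verdict per relay; private hops are skipped, a DNSBL knows nothing of them."""
    verdicts = {}
    for ip in received_ips(message):
        if ipaddress.ip_address(ip).is_private:
            verdicts[ip] = "skipped (private)"
            continue
        code = dnsbl_lookup(ip, resolve=resolve)
        verdicts[ip] = CODE_MEANING.get(code, code) if code else "not listed"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in check_chain(SAMPLE_MESSAGE).items():
        print(f"{ip:16} {verdict}")
```

For a live check, pass a resolver such as a wrapper around socket.gethostbyname as `resolve`; a listing that appears between delivery and a later parse is exactly the timing gap the previous reply describes.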

Thanks, Jeff. Very sensible answers to my perplexing problem!

In the longer term, then, could we have extra options to select which result codes we want to block, as well as a simple check-box for the main BL itself?

Since my average reporting time is four hours (doing it manually), I wouldn't mind if my mail was queued for an hour or two to give time for the BLs to be updated before it is parsed! I rarely get email from external addresses anyway (apart from spam).

Anyway, these are discussion points... thanks for resolving my original question.


I know I seem like a whining kid who's crying because his toys have been taken away, but this *really* is annoying me.

I'm still getting almost as much spam as before, which doesn't get held by SpamCop. Either it arrives before the IP is blacklisted, or the SpamAssassin score turns out to be zero on *blatant* spam content.

I accept the reasons given so far, but this isn't what I signed up to SpamCop for. I'm gonna give it another few days, and if things don't improve, I'm afraid I'll be asking for my $30 back :(


May I thank Wazoo for the helpful and calming remarks. Are you a volunteer fire-fighter by any chance?

Though having done that in the past, while living in those 'affordable' little towns outside the military base ... and a bit of on-the-job-training while doing some "field tests" of some submarine based systems during a joint-service assignment (though that may not qualify as 'volunteer' <g>) ... I seem to be more normally seen as a battle-hardened SOB <g> But glad you found some words calming.

I was doing the same research as JeffG, he posted results while I was still looking things up, so that part of things seemed to be covered. But your further remarks aren't quite as easy to answer. On one hand, you're not alone in complaining about spam making it past the filters. On the other hand, there are many posting that they are pleased with the results and only occasionally seeing the false positive (e-mail tagged as spam, but it wasn't) ... so sitting here, it's hard to guess as to whether it's the difference in the various settings and configurations, or if it's just that you're stuck with a totally different set of spammers that like you <g>

could we have extra options to select which result codes we want to block

As all BL's are different, even using the same codes to represent something different, that might be more than a bit difficult, but that'd have to be a JT thing anyway. Way out of the hands of us at the user level ... so I can't answer that one at all.

SpamAssassin score turns out to be zero on *blatant* spam content.

I'm not sure at all how much of this statement is sarcasm and how much is fact. The "zero" thing I'm not sure I understand. Recollection has me thinking that the default was like a 5, and I know that one user made reference that he saw no spam with his setting of 1 ... so I'm a bit baffled by your "zero" (and again, I'm not an e-mail user and I don't use SpamAssassin myself)

I'll be asking for my $30 back

Certainly a valid response if you're not happy. But just maybe there's still something going on with your settings that just isn't right .. not having seen any of those set-up / selection screens, I don't know how to ask if there's a way to show what you've got set-up, so as to compare with one of the other users that are having a different experience than yours. For example, the user that posted over in http://forum.spamcop.net/forums/index.php?showtopic=901 is complaining about too much e-mail being identified as spam .. maybe take a look at that Topic and see what's different? For example, there's a just-made posting over at http://forum.spamcop.net/forums/index.php?showtopic=899 that expresses the totally opposite side of your situation.


I know I'm British, but sarcasm is generally not my thing...

What I mean is: spam arrives in my inbox, having passed through the SpamCop SpamAssassin filter, with a spam score of "0.0", yet the body of the message contains many of the popular 'spam' phrases. I'm wondering if, just occasionally, the filter throws a wobbly and just lets stuff through for some reason.

I got another today. For some of you receiving hundreds of spams per day, I can see that SpamCop is incredibly good value, and largely spot on in detecting stuff.

But I get about five or ten per day, so a very low volume recipient, and still one or two of those slip past SpamCop. In the past I've religiously reported each one that slips past, but I'm beginning to think that those random words in the mail body are actually identifying me to the spammers, because there has been a huge increase in spam recently.

I might just not bother reporting any more :(


beginning to think that those random words in the mail body are actually identifying me to the spammers, because there has been a huge increase in spam recently.

If it's any value, after a rather long spell of just a few, I've apparently managed the same circumstance that you're suggesting, as I'm now up to like 60 a day of two sets of spam, content and structure is the same, they're just coming in from all over the place, different open proxies in almost all cases .. but it's like this particular spammer has set up a rather small list of targets and just re-runs that same list, apparently figuring that 250,000 e-mails is 250,000 e-mails, doesn't matter if it's only going to 200 addresses ...???


It's the ones that get through that are annoying

Tell me about it, getting the same spam content every day after reporting it for weeks can be exasperating....I am starting to see some results though, they have come down from hundreds/day to dozens/day...hope I am not speaking too soon (in the past spams seemed to be sent in a cycle)..yet if a large fraction may be filtered, the mystery is how the remaining fraction makes it through... :angry:
