tibmail Posted August 22, 2008
I've got a bit of a confusing issue here. We're an ISP and we relay mail for a whole bunch of folks. The other day one of them calls us and says their mail is getting bounced by our server. So I have a look on the server and I see loads of mail from their domain going through; I dig a bit deeper and I find that only sales[at]jimshop.com is getting blocked by SpamCop whereas everyone else [at]jimshop.com is getting through. The IP address for jimshop.com is on the SpamCop list, so I was thinking it might be the recipient server that is blocking it, but the bounceback message is coming from our outbound SMTP server also. It's being blocked because it sent to a spam trap; what actually is a spam trap?
Derek T Posted August 22, 2008
> I've got a bit of a confusing issue here. We're an ISP and we relay mail for a whole bunch of folks. The other day one of them calls us and says their mail is getting bounced by our server. So I have a look on the server and I see loads of mail from their domain going through; I dig a bit deeper and I find that only sales[at]jimshop.com is getting blocked by SpamCop whereas everyone else [at]jimshop.com is getting through. The IP address for jimshop.com is on the SpamCop list, so I was thinking it might be the recipient server that is blocking it, but the bounceback message is coming from our outbound SMTP server also. It's being blocked because it sent to a spam trap; what actually is a spam trap?

Please supply the IP address that is allegedly listed. We (TINW) can do nothing to help without it. SpamCop knows nothing whatsoever about domains, so I can only surmise that the sales[at] is being sent from a different IP from the others.

A spamtrap is an address that has NEVER been used to send email. They are hidden on web-sites for the bots to scrape them. ANY mail to a spamtrap is by definition unsolicited and therefore given more weight in scoring for the blacklist.
tibmail Posted August 22, 2008 (Author)
Hi, the IP is 80.46.110.1. It's definitely listed and all the mail for that domain is coming from the same IP. I'm not looking to appeal it at this stage as it's due to be delisted soon; I'm just trying to understand what's going on.
agsteele Posted August 22, 2008
As you say, 80.46.110.1 is listed...

80.46.110.1 listed in bl.spamcop.net (127.0.0.2)
If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 5 hours.
Causes of listing
* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

80-46-110-1.static.dsl.as9105.com is a static DSL connection, so reports on this IP will have been sent to the ISP. The records seem to suggest that Tiscali is somewhere in the loop. This IP is also listed at cbl.abuseat.org.

A listing due to spam trap hits is often an indication of a PC behind a router at this IP infected with a trojan of some sort - assuming these guys are not actually sending junk to spam traps. Because there are only spam trap hits, there is no message history available to users to give further indication of the content.

Andrew
Derek T Posted August 22, 2008
> Hi, the IP is 80.46.110.1. It's definitely listed and all the mail for that domain is coming from the same IP. I'm not looking to appeal it at this stage as it's due to be delisted soon; I'm just trying to understand what's going on.

OK, that's resolving as a static IP assigned by Tiscali.co.uk. The client is running his own mailserver there and you are cool with that? Can he explain why there has been a four-fold increase in traffic from that server in the last day or two? He almost certainly has a trojanned machine spewing spam, and SpamCop is doing its job and working properly. You may want to disconnect him until he's found and fixed the problem.

Not sure what you mean by 'getting through': are YOU using the SCBL to reject connections from your own clients? If not, then it's not YOUR server that's doing the rejecting: it's one of your client's intended recipients. If you have it, post the rejection message here.
Miss Betsy Posted August 22, 2008
> I'm not looking to appeal it at this stage as it's due to be delisted soon; I'm just trying to understand what's going on.

If you mean that you didn't use the 'delist' button, that was a good decision. If you had used that and the spam continued, you wouldn't be able to use it when you get the problem fixed. It is a one-time-only button.

If other email addresses from the same IP address are not getting bounced, then the ISPs at the receiving end are not using the SpamCop blocklist to reject email, or if they are, it is only part of their filtering process. sales[at] might get blocked because of the content (an obvious sales pitch or spam key words) while other legitimate emails get through the content filters, or the recipient has whitelisted the addresses.

However, ISTM as if you are filtering outgoing email for spam (though why you are doing that and not monitoring it to see if spam is being sent is a bit of a mystery). If that is so, then the way your filtering system is set up, it must only use SpamCop for part of the filtering process so that only obvious spam is caught. As was suggested before, either your client has a compromised computer or they have bought a 'guaranteed all opt-in mailing list' and really are sending unsolicited email from their sales department. If someone else previously has installed an outgoing spam filter and tweaked it so that only email from sales[at] gets caught, it sounds as if this has been going on for a while. You need to get the problem fixed - help your client understand either about compromised computers or best mailing list practices.

Miss Betsy
Merlyn Posted August 22, 2008
The IP should be shut down until the machine is fixed. Also: it should not be running a mail server:

SMTP - 25
220 bcplantjcb.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.211 ready at Fri, 22 Aug 2008 15:48:45 +0100

Example header of spam:

From Azmeer-rednazfa[at]1topme.co.kr Thu Aug 21 08:30:10 2008
Delivery-date: Thu, 21 Aug 2008 08:30:10 -0400
Received: from [80.46.110.1] (helo=80-46-110-1.static.dsl.as9105.com) by mail.victim.example with esmtp (Exim 4.63) (envelope-from <Azmeer-rednazfa[at]1topme.co.kr>) id 1KW9Io-0004i5-7x for victim[at]smtp.example; Thu, 21 Aug 2008 08:30:10 -0400
From: "Azmeer Luostarinen" <Azmeer-rednazfa[at]1topme.co.kr>
To: victim[at]smtp.example
Subject: Britney Spears Leaves Earth, Humanity Breathes Sigh of Relief
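As an added illustration (not code from the thread, from SpamCop or from any poster), this script shows the mechanics behind agsteele's lookup: it pulls the connecting IP out of the Received: header Merlyn posted, builds the reversed-octet query name under bl.spamcop.net, and treats the 127.0.0.2 answer as a listing. The resolver is injectable so the logic can be exercised offline; the live lookup under __main__ uses the system resolver and is the only part that touches the network.

```python
import re
import socket
from typing import Callable, Optional

# Sample Received: header, copied from the spam header posted in the thread above.
RECEIVED_HEADER = (
    "Received: from [80.46.110.1] (helo=80-46-110-1.static.dsl.as9105.com) "
    "by mail.victim.example with esmtp (Exim 4.63) "
    "(envelope-from <Azmeer-rednazfa[at]1topme.co.kr>) id 1KW9Io-0004i5-7x "
    "for victim[at]smtp.example; Thu, 21 Aug 2008 08:30:10 -0400"
)
# SpamCop's blocklist zone and the answer it gives for a listed host (see agsteele's lookup above).
SCBL_ZONE = "bl.spamcop.net"
LISTED_ANSWER = "127.0.0.2"

_FROM_IP = re.compile(r"\bfrom\s+\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

def connecting_ip(received: str) -> Optional[str]:
    """Pull the connecting (relay) IPv4 address out of a Received: header."""
    m = _FROM_IP.search(received)
    return m.group(1) if m else None

def dnsbl_name(ip: str, zone: str = SCBL_ZONE) -> str:
    """Build the reversed-octet name a DNSBL expects, e.g. 1.110.46.80.bl.spamcop.net."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def system_resolve(name: str) -> Optional[str]:
    """Live A lookup through the system resolver; NXDOMAIN (gaierror) means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(ip: str, zone: str = SCBL_ZONE,
              resolve: Callable[[str], Optional[str]] = system_resolve) -> bool:
    """True only when the zone answers with its 'listed' code; `resolve` is injectable for offline tests."""
    return resolve(dnsbl_name(ip, zone)) == LISTED_ANSWER

def check_received(received: str, resolve: Callable[[str], Optional[str]] = system_resolve) -> dict:
    """Extract the relay IP from a Received: header and report whether the SCBL lists it."""
    ip = connecting_ip(received)
    listed = is_listed(ip, resolve=resolve) if ip else False
    return {"ip": ip, "query": dnsbl_name(ip) if ip else None, "listed": listed}

if __name__ == "__main__":
    print(check_received(RECEIVED_HEADER))  # live lookup; the 2008 listing has long since expired
```

A mail operator would run the same check against the client IP before relaying, or against the connecting IP of an inbound message, and log a hit rather than silently dropping the mail.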
SpamCopAdmin Posted August 22, 2008
80.46.110.1 was sending tons of spam to our system.

>- Subject: Britney Spears and Paris Hilton to Visit Burma
>- http://www..../play.exe

It is the type of spam that has an executable web link as a payload.

80.46.110.1 stopped spewing for some reason and was removed from our list Friday, August 22, 2008 10:29:54 -0600.

- Don D'Minion - SpamCop Admin -