[SC-Help] Re: Blocked? Read this.

John E. Malmberg wb8tyw at qsl.network
Thu Mar 10 23:24:20 EST 2005


[followups set to spamcop.help]

Me wrote:
> "Miss Betsy" <nobody at devnull.spamcop.net> wrote in message 
> news:d0mms5$4i7$1 at news.spamcop.net... 
> 
>>Probable Causes
>>
>>If your email has suddenly been blocked by the SpamCop blocklist,
>>it is probably because you share an IP address with other email
>>users and there is someone who:
> 
> My single IP address hosts six different MX records, all of them related 
> to the corporation and its sub-divisions, and none of them send spam.

That you are aware of.  We [tinw] have basically heard that story 
before.  Usually the inhabitants of this newsgroup can find what the 
problem is from the I.P. address.

So far there was only one case that stumped us [tinu], but we got 
feedback about what the real cause was, and it was a security problem 
with the mail server.

>>   * is using auto-responses that are replying to spam with forged
>>spamtrap email addresses (such as Out-of-Office/Vacation notices,
>>virus notifications, and 'created email' bounces);
>  
> Nope..

Good.

Do any of your users have an anti-spam product that claims it can 
bounce spam back to the source?  Users of those can get your mail server 
listed in many places, many of them much harder to get out of than the 
spamcop.net service.

>>   * has a computer with a virus that sends spam without the
>>owner's knowledge;
> 
> The internal network does not have outbound port 25 Internet access; only 
> the server IP blocked by SpamCop can send outbound emails. There are no 
> viruses on this system.

We have also heard that before...

>>   * has a computer that has been compromised and spammers are
>>remotely controlling it to transmit their spew;
>  
> Nope...

Are you using a packet analyzer to monitor, or are you just relying on virus 
scanners and mail server logs?

>>   * is sending unsolicited emails and your internet service
>>provider is allowing it;
> 
> My ISP does not control our emails, nor do we send unsolicited emails.
> 
> 
>>   * or because, as in all systems, there may have been a mistake.
>>(very rare)
>  
> It seems mine could be one such "rare case", which raises some questions. 
> Why can't I contact someone directly at SpamCop?

Because all the obvious easily reachable addresses are being continually 
attacked by spammers to the point where they are unusable.

> My email system is critical to my company and we can easily lose business
> because of SpamCop's action.

SMTP e-mail is not a reliable communication method, in spite of illusions 
otherwise.  It can take over 4 days to get a message delivered without 
any required notifications of delays or notices of non-delivery.  As 
such it cannot be used for business communications.

I would recommend having a backup plan, such as a smart host on a 
different network, that can be reached through dialup if needed.

If you have more than 1 I.P. address, it is easy to get around the 
temporary block, but if you do not know what caused the block, it could 
get blocked again.

> I've already reported the error through their web site, but there's been
> no response whatsoever. I'd expect at least an acknowledgement of receiving
> my request.

The usual turnaround for non-emergency requests seems to be around 72 
hours maximum.

For fastest response, post your I.P. address here.

The deputies do monitor these forums.  But they are probably not paying 
much attention to this thread.

A new thread with your I.P. address on the subject would be most likely 
to get their attention.

> In addition to your suggestion, my email server does not allow:
> 
> 1. mail-relay
> 2. SMTP/AUTH
> 
> So, what gives?

Without the I.P. address, who knows.

If there was a statistics keeper on this forum, they might be able to 
tell you how many times people have claimed their servers were secure 
and it was proven otherwise from simple lookups on the many public 
databases about that I.P. address.

The spamcop.net database on this used to be open to the public, but now 
it is restricted to paying members.  A free member like me cannot look 
up much in it.  I do know where several other databases are though, and
so do the others here.

One of the common things seems to be a proxy server that, instead of 
being a one-way conduit from the internal network through a firewall, 
is instead providing unlimited access to that network to every criminal 
on the internet.  While the most common cause of this is a virus, there 
are a large number of proxy servers that are not secure by default, and 
some of them are installed in web servers without the owner's knowledge.

In many cases, the remote access password was either set to something 
easily guessed, or never changed from the default.


One item left out of the FAQ is if you have a user receiving mail on 
your system that is a spamcop.net member, and they do not notice that 
the parser is offering to report their own mail server before they 
confirm the spam reports.  On a small volume mail server this can cause 
a listing.


The one case that stumped us was a bunch of UNIX systems that were 
relaying spam, yet scans showed no vulnerabilities, and neither did the 
logs.  They were not vulnerable to viruses, yet the spammer clearly had 
control of them.

It turned out that there was a security hole in the web server and the 
spammer was able to upload a mail relay written in perl script, run a 
spam run, and then delete the perl script.  The spammer would run for 
only a little bit at a time on each server they were exploiting.

The owner of the server, who was convinced that this was a spamcop.net 
error, finally found the problem because they had a packet analyzer on 
the network and caught the spammer in the act.

I have been monitoring this forum for years.  In that time, I have only 
seen one case where the spammers managed to fool the spamcop.net parser 
into reporting the wrong source, and that issue was fixed.

The self reporting of mail servers seems to occur as much as 4 times a year.

The most common cause of a listing is a security problem with the mail 
server, or a system on its network.

The next most common cause is the server sending out auto-responses to 
spam and viruses.

> PS: This is not my real email address.

here.com belongs to:

WORLD PUBLICATIONS LLC (HERE4-DOM)
    460 N. Orlando Ave STE. 200
    Winter Park, FL 32893
    US

    Record expires on 10-Jun-2006.
    Record created on 11-Jun-1995.
    Database last updated on 10-Mar-2005 22:36:47 EST.

Do you have permission to use it?

If not, are they who you are worried about taking action against you for 
posting?  If they choose, they can get your information from the ISP you 
are posting from.

If you are going to post with a false address, do not use one that can 
be assigned, or use one of the e-mail addresses specially designated for 
such use.  For the spamcop.net newsgroup nobody at devnull.spamcop.net is 
set up for this.

-John
wb8tyw at qsl.network
Personal Opinion Only
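The post names auto-responses to spam (vacation notices, virus notifications, bounces to forged senders) as the second most common cause of a listing, and asks whether the admin is relying on mail server logs alone. The following script is an added example, not code from the original post or from SpamCop: it reads Postfix-style log lines (the simplified format, the sample lines, the list of auto-responder local-parts and the 30% threshold are all constructed assumptions) and reports what share of outbound mail is machine-generated, which is the backscatter pattern a defender would want to catch before it reaches a spamtrap.

```python
"""Backscatter check over mail-server logs (added example, constructed data).

Scans Postfix-like log lines, pairs each queue id's envelope sender with
its delivered recipient, and counts outbound deliveries whose sender is
automatic: the null sender <> used by bounces, or a typical auto-responder
local-part.  A high share of such mail going to foreign domains is the
signature of auto-responses to spam with forged senders.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample lines in a simplified Postfix-like format (not real logs).
SAMPLE_LOG = """\
Mar 10 22:01:02 mx postfix/qmgr[1]: A1: from=<alice@example.com>, size=1200
Mar 10 22:01:03 mx postfix/smtp[2]: A1: to=<bob@partner.example>, relay=partner.example, status=sent
Mar 10 22:02:10 mx postfix/qmgr[1]: B2: from=<>, size=3400
Mar 10 22:02:11 mx postfix/smtp[2]: B2: to=<random1@forged.example>, relay=forged.example, status=sent
Mar 10 22:02:12 mx postfix/qmgr[1]: C3: from=<>, size=3400
Mar 10 22:02:13 mx postfix/smtp[2]: C3: to=<random2@forged.example>, relay=forged.example, status=sent
Mar 10 22:02:14 mx postfix/qmgr[1]: D4: from=<vacation@example.com>, size=800
Mar 10 22:02:15 mx postfix/smtp[2]: D4: to=<random3@forged.example>, relay=forged.example, status=sent
Mar 10 22:03:00 mx postfix/qmgr[1]: E5: from=<carol@example.com>, size=900
Mar 10 22:03:01 mx postfix/smtp[2]: E5: to=<dave@example.com>, relay=local, status=sent
"""

# Assumed local-parts that mark an auto-generated sender (vacation, AV notices).
AUTO_LOCAL_PARTS = {"mailer-daemon", "postmaster", "vacation", "autoreply", "noreply"}

FROM_RE = re.compile(r"\b([0-9A-F]+): from=<([^>]*)>")
TO_RE = re.compile(r"\b([0-9A-F]+): to=<([^>]*)>.*status=sent")


def parse_deliveries(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (sender, recipient) pairs for every successfully sent message."""
    senders: Dict[str, str] = {}
    deliveries: List[Tuple[str, str]] = []
    for line in lines:
        m = FROM_RE.search(line)
        if m:
            senders[m.group(1)] = m.group(2).lower()
            continue
        m = TO_RE.search(line)
        if m and m.group(1) in senders:
            deliveries.append((senders[m.group(1)], m.group(2).lower()))
    return deliveries


def is_automatic(sender: str) -> bool:
    """Null envelope sender (bounces) or a known auto-responder local-part."""
    if sender == "":
        return True
    return sender.split("@", 1)[0] in AUTO_LOCAL_PARTS


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1]


def backscatter_report(lines: Iterable[str], local_domains: Set[str],
                       threshold: float = 0.3) -> dict:
    """Share of outbound mail that is auto-generated, plus where it goes."""
    deliveries = parse_deliveries(lines)
    outbound = [(s, r) for s, r in deliveries if domain_of(r) not in local_domains]
    automatic = [(s, r) for s, r in outbound if is_automatic(s)]
    targets = Counter(domain_of(r) for _, r in automatic)
    fraction = len(automatic) / len(outbound) if outbound else 0.0
    return {
        "outbound": len(outbound),
        "automatic": len(automatic),
        "fraction": round(fraction, 3),
        "top_targets": targets.most_common(3),
        "flag": fraction >= threshold,
    }


if __name__ == "__main__":
    report = backscatter_report(SAMPLE_LOG.splitlines(), {"example.com"})
    print(report)
```

On the constructed sample, three of four outbound deliveries are auto-generated and all go to one foreign domain, so the report flags the host; a healthy server sends a low, spread-out share of such mail. Real Postfix logs carry more fields and more states than this parser handles, so treat the regexes as a starting point to adapt to the local log format.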