[SpamCop.net - protecting the internet through technology]

[SpamCop-List] Re: our email bouncing

Mike Easter MikeE at ster.invalid
Tue Sep 13 07:15:07 EDT 2005 

William Strickland wrote:

> We have recently begun to see email being refused by recipient with a
> reference to spamcop in the refusal notice.

> I went to spamcop and the
> sending ip address is not listed as a blocked server.

Some server's are misconfigured to reject mail for one reason, but to
give a spamcop blocklist reference in the text reason for the rejection.

The other possibility is that the IP was listed and became automatically
delisted because the list is very dynamic.  It is currently unlisted in
the SCbl, and the current configuration of the lookup doesn't provide
past history to the public the way it used to.  A deputy has access to
that.

However, I have a theory about its possible listing, based on another
db's listing, psbl

Oops, I 'lied' -- the IP /is/ currently SCbl listed.

216.180.241.250 listed in bl.spamcop.net (127.0.0.2)
it will be delisted automatically in approximately 23 hours.
users have reported system as a source of spam about 20 times in the
past week
administrator has already delisted this system once
In the past 11.0 days, it has been listed 7 times for a total of 7.1
days
Other hosts in this "neighborhood" with spam reports
216.180.241.234 216.180.241.242 216.180.242.218

216.180.241.234 listed in bl.spamcop.net (127.0.0.2)

> does anyone
> have any idea what is going on?  If it helps, the IP in question is
> 216.180.241.250 Suggestions welcome...

Over at psbl, it is listed for hitting spamtraps
http://psbl.surriel.com/listing?ip=216.180.241.250 altho' that isn't
shown as the reason for the SCbl listing.

The name of 216.180.241.250  is server8.totalchoicehosting.com which
makes it sound like an output server, and senderbase shows a lot of
output servers for totalchoicehosting.  Senderbase also shows a large
uptick in output activity for that IP

Volume Statistics for this IP
   Magnitude    Vol Change vs. Average
Last day 4.9    697%
Last 30d 4.0    -11%
Average  4.0

A seven fold increase in output activity lately must be a recent mailing
which SC reporters are reporting.

So, I'm guessing the servers hit spamtraps at psbl, and hit spamcop
reporters.  If a server is hitting spamtraps, sometimes that is caused
by misdirected bounces and autoacks.  If reporters are reporting but not
spamcop spamtraps, that is generally reporters reporting spam.  If a
server has a big increase, that is generally because it is serving for
something that puts out a lot of mail;  a magnitude 5 could be
considered an exponent, so that is quite a lot of mail.

Also, the history of being on the blocklist 7 days out of the last 11 is
a sign that the server is being used to spam.

I would say that it is a spam server which hits spamtraps and spamcop
reporters, and so are other members of its family.



-- 
Mike Easter
kibitzer, not SC admin

More information about the SpamCop-List mailing list