Spam to this list

John E. Malmberg wb8tyw at qsl.net
Sun Apr 17 22:18:03 GMT 2005


Christian Nekvedavicius wrote:
> Unfortunately I must report that legitimate emails are also blocked by
> sbl-xbl.spamhaus.org.

If your e-mails are being blocked by an sbl-xbl.spamhaus.org listing then 
you should be complaining loudly to your network provider.

It may help if you find out what list(s) the I.P. address that is 
being listed is really on.

The sbl-xbl.spamhaus.org is a combination of three lists:

   sbl = sbl.spamhaus.org
   xbl = opm.blitzed.org and cbl.abuseat.org

To get on the sbl portion, an internet provider has either had to work 
at being a bad network citizen and have been ignoring legitimate abuse 
complaints or is actively and knowingly assisting a spammer.  The sbl is 
very conservative and will only list a production mail server as a last 
resort.

To get on the opm.blitzed.org means that the I.P. address has recently been 
tested and confirmed to be an open proxy, which basically means that it 
is providing unlimited free e-mail and other network services to every 
criminal on the internet.  opm.blitzed.org will retest on request.

To get on cbl.abuseat.org, the I.P. in question must have sent e-mail to 
a spamtrap address, and the contents of that e-mail were determined not 
to be from an auto-responder that is generating a new mail in response 
to spam or a virus.

About the only way to get on the cbl.abuseat.org is for the I.P. listed 
to either be controlled by a virus or controlled by a spammer through an 
open proxy.

Removal from the cbl.abuseat.org is done through a webform, one removal 
is allowed per week.


So about the only way that a mail server can get on the sbl-xbl.spamhaus.org 
is if it is under the control of a virus or a spammer.


Now looking at the mail server that your post went through:

It is not listed in the sbl-xbl.spamhaus.org.

opm.blitzed.org claims that they have never listed the I.P. address and 
have never been requested to do a test on that I.P. address.

The cbl.abuseat.org also shows that it is not listed currently.  No 
other information is available.

The I.P. address is listed in bl.spamcop.net as hitting spamtraps.

There appear to be 5 outgoing mail servers for that domain, and that 
means that currently you have a 20% chance of your mail being rejected 
if you mail someone whose postmaster is using the spamcop blocking list 
for rejection instead of scoring.

At least three of the mail servers have recently sent spam to spamtraps 
operated by the opm.blitzed.org.  This caused proxy tests to be 
performed on them which they passed.

> 195.202.32.15 listed in bl.spamcop.net (127.0.0.2)
> 
> If there are no reports of ongoing objectionable email from this
> system it will be delisted automatically in approximately 21 hours.
> Causes of listing

Maximum listing time after the last spam report is 48 hours.
Minimum listing time is 1/2.  The time between varies based on an 
algorithm that takes into account prior listings of that I.P. address, 
and the amount of spam reported from it.

> * System has sent mail to SpamCop spam traps in the past week (spam
> traps are secret, no reports or evidence are provided by SpamCop)

To get listed this way, it means that the amount of spam hitting 
spamcop.net spamtraps exceeded 1% of the volume of e-mail from that I.P. 
from various monitoring points on the Internet.

For an ISP mail server, 1% is usually a large number.

Senderbase reports measuring well over 10,000 e-mails per day from 
that I.P.

> Additional potential problems
> (these factors do not directly result in spamcop listing)
> 
>     * System administrator has already delisted this system once
> 
> Because of the above problems, express-delisting is not available
> Listing History
> In the past 17.7 days, it has been listed 3 times for a total of 38
> hours

For a production mail server to get listed by spamcop.net this many 
times in that short a time, it indicates that there is a problem at 
that mail server: either it is relaying spam, or it is abusively 
bouncing spam and virus reports to what are known to be forged e-mail 
addresses instead of following the standard practice and using SMTP rejects.

Or they have a clueless user that is using the fake bounce function that 
some poorly written anti-spam software has.  Of course they would have 
had to bounce a lot of spam/viruses in a short time to cause a listing.

Sending bounces or virus notifications to forged addresses is 
effectively a denial of service attack against the user that the spam or 
virus impersonated.

It looks like someone delisted the I.P. address from the spamcop.net 
list without fixing the problem that resulted in the listing.

Getting an ISP mail server listed on spamcop.net is also rare, but it does 
happen; generally there is a large period of time (think 
months/years) between listings unless there is a chronic problem with 
the configuration or security of that server.

-John
wb8tyw at qsl.net
Personal Opinion Only
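The lookups John walks through above (checking one address against sbl-xbl.spamhaus.org, cbl.abuseat.org and bl.spamcop.net, and reading the 127.0.0.2 answer spamcop returned) can be scripted so a postmaster can check their own outgoing servers. This is an added example, not code from the post; the zone names and the address 195.202.32.15 come from the thread, and the SAMPLE_ANSWERS table is constructed sample data so the block runs offline.

```python
"""DNSBL check for a mail server's IPv4 address against the zones named in
the thread, decoding the 127.0.0.x answer that a listing returns.
Added example, not code from the original post; SAMPLE_ANSWERS is constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Zones discussed in the post (sbl-xbl aggregates sbl plus the xbl sources).
ZONES = ("sbl-xbl.spamhaus.org", "cbl.abuseat.org", "bl.spamcop.net")
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")  # answers that mean "listed"
Resolver = Callable[[str], Optional[str]]  # query name -> A record, or None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Octets reversed, zone appended: 195.202.32.15 on bl.spamcop.net
    becomes 15.32.202.195.bl.spamcop.net."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Live lookup through the system resolver; NXDOMAIN means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed sample answers mirroring the post: spamcop answers 127.0.0.2
# for the address, the other zones have no record for it.
SAMPLE_ANSWERS = {"15.32.202.195.bl.spamcop.net": "127.0.0.2"}


def sample_resolver(name: str) -> Optional[str]:
    return SAMPLE_ANSWERS.get(name)


def is_listed(ip: str, zone: str, resolve: Resolver = system_resolver) -> bool:
    """Listed iff the answer is inside 127.0.0.0/8 (127.0.0.2 in the post).
    Other answers count as not listed: a retired, wildcarded zone or a
    resolver that rewrites NXDOMAIN would otherwise block all mail."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and ipaddress.IPv4Address(answer) in LISTED_RANGE


def check_all(ip: str, resolve: Resolver = system_resolver) -> Dict[str, bool]:
    """Listing status of ip on every zone in ZONES."""
    return {zone: is_listed(ip, zone, resolve) for zone in ZONES}
```

Call check_all with the default resolver to query the live zones; a zone that answers outside 127.0.0.0/8 is deliberately treated as "not listed" rather than as a block.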



More information about the rsync mailing list