Spam to this list
John E. Malmberg
wb8tyw at qsl.net
Sun Apr 17 22:18:03 GMT 2005
Christian Nekvedavicius wrote:
> Unfortunately I must report that legitimate emails are also blocked by
If you e-mails are being blocked by a sbl-xbl.spamhaus.org listing then
you should be complaining loudly to your network provider.
It my help if you find out what list(s) that the I.P. address that is
being listed is really on.
The sbl-xbl.spamhaus.org is combination of three lists:
sbl = sbl.spamhaus.org
xbl = opm.blitzed.org and cbl.abuseat.org
To get on the sbl portion, an internet provider has either had to work
at being a bad network citizen and have been ignoring legitimate abuse
complaints or is actively and knowingly assisting a spammer. The sbl is
very conservative and will only list a production mail server as a last
To get on the opm.blitzed.org means that I.P. address has recently been
tested and confirmed to be an open proxy, which basically means that it
is providing unlimited free e-mail and other network services to every
criminal on the internet. opm.blitzed.org will retest on request.
To get on cbl.abuseat.org, the I.P. in question must have sent e-mail to
a spamtrap address, and the contents of that e-mail was determined not
to be from an auto-responder that is generating a new mail in response
to spam or a virus.
About the only way to get on the cbl.abuseat.org is for the I.P. listed
to either be controlled by a virus or controlled by a spammer through an
Removal from the cbl.abuseat.org is done through a webform, one removal
is allowed per week.
So about only way that a mail server can get on the sbl-xbl.spamhaus.org
is if it is under the control of a virus or a spammer.
Now looking at the mail server that your post went through:
It is not listed in the sbl-xbl.spamhaus.org.
opm.blitzed.org claims that they have never listed the I.P. address and
have never been requested to do a test on that I.P. address.
The cbl.abuseat.org also shows that is is not listed currently. No
other information is available.
The I.P. address is listed in bl.spamcop.net as hitting spamtraps.
There appears to be 5 outgoing mail servers for that domain, and that
means that currently you have a 20% chance of your mail being rejected
if you mail someone whose postmaster is using the spamcop blocking list
for rejection instead of scoring.
At least three of the mail servers have recently sent spam to spamtraps
operated by the opm.blitzed.org. This caused proxy tests to be
performed on them which they passed.
> 18.104.22.168 listed in bl.spamcop.net (127.0.0.2)
> If there are no reports of ongoing objectionable email from this
> system it will be delisted automatically in approximately 21 hours.
> Causes of listing
Maximum listing time after the last spam report is 48 hours.
Minimum listing time is 1/2. The time between varies based on an
algorithm that takes into account prior listings of that I.P. address,
and the amount of spam reported from it.
> * System has sent mail to SpamCop spam traps in the past week (spam
> traps are secret, no reports or evidence are provided by SpamCop)
To get listed this way, it means that the amount of spam hitting
spamcop.net spamtraps exceeded 1% of the volume of e-mail from that I.P.
from various monitoring points on the Internet.
For an ISP mail server, 1% is usually a large number.
Senderbase is reporting measuring well over 10,000 e-mails per day from
> Additional potential problems
> (these factors do not directly result in spamcop listing)
> * System administrator has already delisted this system once
> Because of the above problems, express-delisting is not available
> Listing History
> In the past 17.7 days, it has been listed 3 times for a total of 38
For a production mail server to get listed by spamcop.net this many
times in that short of time, it indicates that there is a problem at
that mail server, either it is relaying spam, or it is abusively
bouncing spam and virus reports to what are known to be forged e-mail
addresses instead of following the standard practice and using SMTP rejects.
Or they have a clueless user that is using the fake bounce function that
some poorly written anti-spam software has. Of course they would have
had to bounce a lot of spam/viruses in a short time to cause a listing.
Sending bounces or virus notifications to forged addresses are
effectively a denial of service attack against the user that the spam or
It looks like someone delisted the I.P. address from the spamcop.net
list with out fixing the problem that resulted in the listing.
Getting an ISP mail server listed on spamcop.net is also rare, but does
happen, but generally there is a large period of time (Think
months/years) between listings unless there is a chronic problem with
the configuration or security of that server.
wb8tyw at qsl.net
Personal Opinion Only
More information about the rsync