We have been trying to find out why we get blacklisted at
backscatterer.org for some time with no success.
We have stopped all NDR even to local users yet still have the problem.
We have searched out SMTP logs for "Access denied and blocklisted" as
explained on the site but this does not appear in any of our logs.
Anyone with any info on how to fix or find the problem would be great.
Our mail server IP is 203.89.213.169
Regards
Dave
--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.
Are you or any of your users using an autoresponder, including
Out-of-Office? If any spam gets through the response can go to
a forged sender.
--
These are my opinions, not necessarily my employer's. I hate spam.
>>We have been trying to find out why we get blacklisted at
>>backscatterer.org for some time with no success. We have stopped all NDR
>>even to local users yet still have the problem. We have searched out SMTP
>>logs for "Access denied and blocklisted" as explained on the site but
>>this does not appear in any of our logs.
>>
>>Anyone with any info on how to fix or find the problem would be great.
>>Our mail server IP is 203.89.213.169
>
> Are you or any of your users using an autoresponder, including
> Out-of-Office? If any spam gets through the response can go to a forged
> sender.
>
> --
> These are my opinions, not necessarily my employer's. I hate spam.
Time to TCPDump port 25 traffic at the gateway where the destination is
*not* the mail server. That should show you just what is doing it.
--
. . .
> Hi,
>
> We have been trying to find out why we get blacklisted at
> backscatterer.org for some time with no success.
> We have stopped all NDR even to local users yet still have the problem.
> We have searched out SMTP logs for "Access denied and blocklisted" as
> explained on the site but this does not appear in any of our logs.
>
> Anyone with any info on how to fix or find the problem would be great.
> Our mail server IP is 203.89.213.169
>
> Regards
> Dave
Hi Dave.
The website tells you two times.
First Impact was seen 2009/03/07 00:54 CET
Last Impact was at 2009/03/09 17:45 CET
This should help you find out what happens.
--
Best Regards
Manfred Hielder
UCEPROTECT Representative
www.uceprotect.net
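
An added example, not part of any post in this thread: one way to use the two impact times quoted above is to list every null-sender (MAIL FROM:<>) message the server handed to a non-local domain and mark those that fall near an impact. This also catches autoresponder and Out-of-Office replies that use the null sender. It assumes Postfix-style syslog lines, a log clock in CET, the year 2009, and a local domain of example.net; the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Impact times reported by backscatterer.org in the post above (CET).
IMPACTS = [datetime(2009, 3, 7, 0, 54), datetime(2009, 3, 9, 17, 45)]
LOCAL_DOMAINS = {"example.net"}   # assumption: domains this server is final for
WINDOW = timedelta(minutes=10)    # assumption: allowance for queue delay and clock skew

QMGR = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
SMTP = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/smtp\[\d+\]: (\w+): to=<([^>]+)>")

# Constructed sample log (not taken from the poster's server).
SAMPLE_LOG = """\
Mar  7 00:51:12 mx postfix/qmgr[811]: 4F2A1C0: from=<>, size=3412, nrcpt=1 (queue active)
Mar  7 00:51:14 mx postfix/smtp[902]: 4F2A1C0: to=<victim@forged.example>, relay=mx.forged.example[192.0.2.10]:25, status=sent (250 ok)
Mar  7 09:10:02 mx postfix/qmgr[811]: 5B07D11: from=<dave@example.net>, size=900, nrcpt=1 (queue active)
Mar  7 09:10:03 mx postfix/smtp[902]: 5B07D11: to=<friend@other.example>, relay=mx.other.example[192.0.2.20]:25, status=sent (250 ok)
Mar  8 12:00:40 mx postfix/qmgr[811]: 6C11E22: from=<>, size=2100, nrcpt=1 (queue active)
Mar  8 12:00:41 mx postfix/smtp[902]: 6C11E22: to=<someone@third.example>, relay=mx.third.example[192.0.2.30]:25, status=sent (250 ok)
Mar  9 17:44:30 mx postfix/qmgr[811]: 7D22F33: from=<>, size=5120, nrcpt=1 (queue active)
Mar  9 17:44:31 mx postfix/smtp[903]: 7D22F33: to=<other@forged.example>, relay=mx.forged.example[192.0.2.10]:25, status=deferred (timeout)
"""

def find_null_sender_out(log_text, year=2009):
    """Return (queue_id, recipient, time, matching_impact_or_None) for each
    null-sender message that the SMTP client tried to deliver off-site."""
    null_ids, hits = set(), []
    for line in log_text.splitlines():
        m = QMGR.match(line)
        if m:
            if m.group(3) == "":          # from=<> marks a bounce or auto-reply
                null_ids.add(m.group(2))
            continue
        m = SMTP.match(line)
        if not m or m.group(2) not in null_ids:
            continue
        rcpt = m.group(3).lower()
        if rcpt.rsplit("@", 1)[-1] in LOCAL_DOMAINS:
            continue                      # local delivery cannot hit a remote trap
        stamp = " ".join(m.group(1).split())   # collapse syslog's padded day field
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        near = next((i for i in IMPACTS if abs(when - i) <= WINDOW), None)
        hits.append((m.group(2), rcpt, when, near))
    return hits

if __name__ == "__main__":
    for qid, rcpt, when, near in find_null_sender_out(SAMPLE_LOG):
        print(qid, rcpt, when, "<-- near listed impact" if near else "")
```

If nothing in the mail server's own log lines up with an impact time, the traffic is leaving through some other host behind the same IP, which is what the gateway capture suggested earlier in the thread would show.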
> We have been trying to find out why we get blacklisted at
> backscatterer.org for some time with no success.
Easy. Just because.
I tend to view them pretty similar to apews, with the same amount
of relevance and usefulness. Once I was furious about their practices,
but since nobody seems to really use it, I stopped caring.
Yup, I do not agree with their listing criteria, since it's a religious
point of view: they _believe_ that their way is right, others' way is
wrong. They'll share that with you soon enough. :-)
I've seen no large scale use. Actually I've never seen any, but it's not
impossible someone actually uses it for anything.
My 2 cents.
--
One of the hunters being hunted.
No, any address listed at ips.backscatterer.org has a real issue:
Either these machines do backscatter or sender callout probes.
Ahh i see: http://www.backscatterer.org/?ip=193.227.196.2
Impressive history and a good example that 30 days is too short a listing
period for backscatter.
>I tend to view them pretty similar to apews, with the same amount
>of relevance and usefulness. Once I was furious about their practices,
>but since nobody seems to really use it, I stopped caring.
Backscatterer's intended usage is to block misdirected bounces and callouts
only - that is the reason you don't see a big impact on your system.
See: http://www.backscatterer.org/index.php?target=usage
You believe you have to badmouth us, because one of your IPs, 193.227.196.2
(mail.grin.hu), has been listed at ips.backscatterer.org for a long time?
If you had stopped backscatter / callouts, your IP could have been
removed from ips.backscatterer.org years ago.
Why did you mention APEWS?
Let's see http://www.blacklistalert.org/?q=grin.hu
As much as I hate to say APEWS would be right, they are indeed right here:
http://www.apews.org/?page=test&C=657&E=270994&ip=193.227.196.2
"CASE: C-657 ISP permits abuse and/or ignores criminal activity"
UCEPROTECT also shows that AS8462 is permitting network abuse ...
See: http://www.uceprotect.net/en/rblcheck.php?asn=8462
Anyway comparing any other list to APEWS like you did is just ridiculous.
>Yup, I do not agree with their listing criteria, since it's a religious
>point of view: they _believe_ that their way is right, others' way is
>wrong. They'll share that with you soon enough. :-)
That sounds like you let your system backscatter intentionally ...
I believe you might end up in many private firewalls with such opinions.
Anyway thanks for playing...
--
Claus von Wolfhausen
UCEPROTECT-Projektleitung
http://www.uceprotect.net
Impressive indeed, from http://www.backscatterer.org/?ip=193.227.196.2;
History:
2007/08/22 01:06 listed
2007/09/19 01:14 expired
2007/12/12 16:31 listed
2008/01/09 17:30 expired
2008/06/30 23:31 listed
2008/07/29 00:30 expired
2008/10/28 12:49 listed
2008/12/14 10:03 expired
2008/12/22 22:15 listed
2009/01/22 00:05 expired
2009/01/30 05:13 listed
Of that, I only see 6 listing events stretching all the way back to
August 2007.
>> I tend to view them pretty similar to apews, with the same amount
>> of relevance and usefulness. Once I was furious about their practices,
>> but since nobody seems to really use it, I stopped caring.
>
> Backscatterer's intended usage is to block misdirected bounces and callouts
> only - that is the reason you don't see a big impact on your system.
>
> See: http://www.backscatterer.org/index.php?target=usage
>
> You believe you have to badmouth us, because one of your IPs, 193.227.196.2
> (mail.grin.hu), has been listed at ips.backscatterer.org for a long time?
>
> If you had stopped backscatter / callouts, your IP could have been
> removed from ips.backscatterer.org years ago.
>
Not all backscatter is avoidable, sure you want to minimize it, but
there are times when it simply will happen IAW RFC5321 (and RFC2821,
RFC821, etc.)
> Why did you mention APEWS?
>
I would believe that the contrast to APEWS was an attempt to show how
irrelevant such a system that lists any backscatter and/or SAV call outs is.
> Let's see http://www.blacklistalert.org/?q=grin.hu
>
> As much as I hate to say APEWS would be right, they are indeed right here:
>
> http://www.apews.org/?page=test&C=657&E=270994&ip=193.227.196.2
> "CASE: C-657 ISP permits abuse and/or ignores criminal activity"
>
I'm not sure I'd want to take APEWS' assessment at face value.
> UCEPROTECT also shows that AS8462 is permitting network abuse ...
>
> See: http://www.uceprotect.net/en/rblcheck.php?asn=8462
>
I'm not sure what to make of these pages... Perhaps you could explain
what they mean.
> Anyway comparing any other list to APEWS like you did is just ridiculous.
>
Only if you don't take APEWS' data at face value.
>> Yup, I do not agree with their listing criteria, since it's a religious
>> point of view: they _believe_ that their way is right, others' way is
>> wrong. They'll share that with you soon enough. :-)
>
> That sounds like you let your system backscatter intentionally ...
> I believe you might end up in many private firewalls with such opinions.
> Anyway thanks for playing...
>
This seems to show a "leap of faith" on your part Claus... Please
explain how this is *not* a religious view.
SgtChains
Could you give me an example of something that is not avoidable?
There are several cases that are (much?) harder than others. I
don't know of any that are totally unavoidable.
--
These are my opinions, not necessarily my employer's. I hate spam.
--
>Impressive indeed, from http://www.backscatterer.org/?ip=193.227.196.2;
>
>History:
>2007/08/22 01:06 listed
>2007/09/19 01:14 expired
>2007/12/12 16:31 listed
>2008/01/09 17:30 expired
>2008/06/30 23:31 listed
>2008/07/29 00:30 expired
>2008/10/28 12:49 listed
>2008/12/14 10:03 expired
>2008/12/22 22:15 listed
>2009/01/22 00:05 expired
>2009/01/30 05:13 listed
>
>Of that, I only see 6 listing events stretching all the way back to
>August 2007.
>
It seems you missed that text ....
A total of 24 Impacts were seen during this listing. Last was 2009/03/11 17:06
German time.
>Not all backscatter is avoidable, sure you want to minimize it, but
>there are times when it simply will happen IAW RFC5321 (and RFC2821,
>RFC821, etc.)
That depends on the configuration.
If a system is well configured, then it should NEVER happen.
>> Why did you mention APEWS?
>>
>
>I would believe that the contrast to APEWS was an attempt to show how
>irrelevant such a system that lists any backscatter and/or SAV call outs is.
If you ever were the victim of a forgery, then you wouldn't believe the
Backscatterer list would be irrelevant.
>> Let's see http://www.blacklistalert.org/?q=grin.hu
>>
>> As much as I hate to say APEWS would be right, they are indeed right here:
>>
>> http://www.apews.org/?page=test&C=657&E=270994&ip=193.227.196.2
>> "CASE: C-657 ISP permits abuse and/or ignores criminal activity"
>>
>
>I'm not sure I'd want to take APEWS' assessment at face value.
I wouldn't trust APEWS either, but as I said we have also seen massive abuse
originating from ASN8462.
>
>> UCEPROTECT also shows that AS8462 is permitting network abuse ...
>>
>> See: http://www.uceprotect.net/en/rblcheck.php?asn=8462
>>
>
>I'm not sure what to make of these pages... Perhaps you could explain
>what they mean.
You can get a clue how spammy an ISP is by having a look at their ASN.
Didn't you see all those spammers listed there?
That was what I wanted to tell him.
--
Claus von Wolfhausen
UCEPROTECT-Projektleitung
http://www.uceprotect.net
--
dot-forwards is one such example. While you want to minimize it by
looking at the logs and shutting down dead accounts on your side, some
backscatter has happened.
SgtChains
Claus, either you are saying the store-then-forward nature of SMTP is
not "well configured", or you are stating that you don't understand
SMTP... Which is it?
>>> Why did you mention APEWS?
>>>
>> I would believe that the contrast to APEWS was an attempt to show how
>> irrelevant such a system that lists any backscatter and/or SAV call outs is.
>
> If you ever were the victim of a forgery, then you wouldn't believe the
> Backscatterer list would be irrelevant.
>
Look at the domain I post with, now try to pronounce it... Please try
to tell me again that I haven't been the "victim" of sender address forgery.
(snip)
>>> UCEPROTECT also shows that AS8462 is permitting network abuse ...
>>>
>>> See: http://www.uceprotect.net/en/rblcheck.php?asn=8462
>>>
>> I'm not sure what to make of these pages... Perhaps you could explain
>> what they mean.
>
> You can get a clue how spammy an ISP is by having a look at their ASN.
> Didn't you see all those spammers listed there?
> That was what I wanted to tell him.
>
I'll admit that all I looked at was 193.227.196.0/22, and that I didn't
see any real problems.
SgtChains
Even a proper configuration can still backscatter due to local error
conditions (disk failure being on the top of that list). Still, that is the
exception for that server, not the norm. It's the difference between servers
that have been deliberately configured to backscatter, and those that have
done everything they can to make sure that doesn't happen.
> Claus, either you are saying the store-then-forward nature of SMTP is
> not "well configured", or you are stating that you don't understand
> SMTP... Which is it?
If your server routinely store-n-forwards and some time later sends an NDR
then that server is certainly _not_ "well configured". It's a deliberate
backscatterer and should be listed.
If your server accepts the message for delivery - then deliver it (locally)
or destroy it. Don't inflict it on others.
--
Current Peeve: The mindset that the Internet is some sort of school for
novice sysadmins and that everyone -not- doing stupid dangerous things
should act like patient teachers with the ones who are. -- Bill Cole, NANAE
>I would believe that the contrast to APEWS was an attempt to show how
>irrelevant such a system that lists any backscatter and/or SAV call outs
>is.
What it showed was not what you wanted to show, but something true.
>I'm not sure what to make of these pages...
You are ill advised to dismiss as irrelevant what you do not understand.
--
Shmuel (Seymour J.) Metz, truly insane Spews puppet
<http://patriot.net/~shmuel>
I reserve the right to publicly post or ridicule any abusive
E-mail. Reply to domain Patriot dot net user shmuel+news to contact
me. Do not reply to spam...@library.lspace.org