
UCEPROTECT


gkarasik

Apr 30, 2009, 1:27:45 PM
Hi,

I'm trying to correct the problem that is causing my client's static
IP (173.8.137.169) to generate a UCEPROTECT Level 1 listing each day
but am stymied. Here are the circumstances:

Over this past weekend we switched our broadband provider from Covad
(with which there was no problem) to Comcast. Both were static IPs. As
of Monday morning we were blacklisted. According to the UCEPROTECT
database query, there is a single email caught in a spamtrap at 7:40
CEST (+/-10min) daily. Naturally this single, daily occurrence moves
our delisting day back one day each day.

We are in PST (GMT -8). I think 7:40 CEST would be 2:40am our time,
when there is no one in the client's office.

I have spoken with Comcast. We did have an incorrect PTR listing,
which Comcast corrected.

I have checked our Exchange logs, and there is no record of any email
going out at that time.

I have added a rule to our firewall so that nothing can go out on port
25 from our internal network.

Here is the result of the database query, which I ran at 9:12PST:

Last Impact: 30.04.2009 7:40am CEST +/-10min| Earliest Expiretime:
07.05.2009 8:00am CEST

What is particularly confusing is that there was no problem with our
former static IP (67.103.120.238). There may be something wrong with
Comcast's configuration, but they say there is not, and without being
able to point to something specific I am at a loss at to what to tell
them to look at.

I would very much appreciate some insight as to the cause of this
listing so that I may take steps to rectify it.

Sincerely,

GaryK

--
Comments posted to news.admin.net-abuse.blocklisting
are solely the responsibility of their author. Please
read the news.admin.net-abuse.blocklisting FAQ at
http://www.blocklisting.com/faq.html before posting.

Claus v. Wolfhausen

Apr 30, 2009, 4:59:20 PM
In article <8cf30aec-216a-43fe...@d7g2000prl.googlegroups.com>,
gkar...@fea.net says...

>I'm trying to correct the problem that is causing my client's static
>IP (173.8.137.169) to generate a UCEPROTECT Level 1 listing each day
>but am stymied. Here are the circumstances:
>
>Over this past weekend we switched our broadband provider from Covad
>(with which there was no problem) to Comcast. Both were static IPs. As
>of Monday morning we were blacklisted. According to the UCEPROTECT
>database query, there is a single email caught in a spamtrap at 7:40
>CEST (+/-10min) daily. Naturally this single, daily occurrence moves
>our delisting day back one day each day.

>We are in PST (GMT -8). I think 7:40 CEST would be 2:40am our time,
>when there is no one in the client's office.
>
>I have spoken with Comcast. We did have an incorrect PTR listing,
>which Comcast corrected.

You had a GENERIC PTR, which caused you to get listed for the first impact to
a spamtrap on 27 April 2009 07:54 CEST.

Let's see:
Apr 27 07:54:01 XXXXXXX smtpd[9661]: External client 173.8.137.169 has opened a new session...
Apr 27 07:54:04 XXXXXXX smtpd[9661]: REQUEST: IP="173.8.137.169" PTR="173-8-137-169-SFBA.hfc.comcastbusiness.net" HELO="calparks.org" FROM="georgia [at] calparks.org" RCPT="suzanne9408sugih@XXXXXXXXX" RBLS="0" RHSS="0" EXTRA="0" TOTAL="0"
Apr 27 07:54:04 XXXXXXX smtpd[9661]: DECISION: 999 (V4.1-RULE-0512) Attention! suzanne9408sugih@XXXXXXXX is a spamtrap, you should disconnect the user that did send to this one immediatley.
Apr 27 07:54:04 XXXXXXX smtpd[9661]: Hasta la vista 173.8.137.169 :-)


>I have checked our Exchange logs, and there is no record of any email
>going out at that time.

Possibly you have to increase the logging level.

>I have added a rule to our firewall so that nothing can go out on port
>25 from our internal network.

Possibly you did it wrong:

You should configure your firewall so that it blocks connections *TO* port 25.
If you block connections *from* port 25, that will have no effect.

>Here is the result of the database query, which I ran at 9:12PST:
>
>Last Impact: 30.04.2009 7:40am CEST +/-10min| Earliest Expiretime:
>07.05.2009 8:00am CEST
>
>What is particularly confusing is that there was no problem with our
>former static IP (67.103.120.238). There may be something wrong with
>Comcast's configuration, but they say there is not, and without being
>able to point to something specific I am at a loss at to what to tell
>them to look at.
>
>I would very much appreciate some insight as to the cause of this
>listing so that I may take steps to rectify it.


Just to give you today's issues (Timezone Germany = CEST):

Apr 30 07:48:36 XXXXXXXX smtpd[31892]: External client 173.8.137.169 has opened a new session...
Apr 30 07:48:37 XXXXXXXX smtpd[31892]: 173.8.137.169 is BLACKLISTED at: dnsbl-1.uceprotect.net. Scored: 225 Points
Apr 30 07:48:39 XXXXXXXX smtpd[31892]: REQUEST: IP="173.8.137.169" PTR="mail.calparks.org" HELO="calparks.org" FROM="Bonnie [at] calparks.org" RCPT="sotiristheophilus@XXXXXXXXX" RBLS="225" RHSS="0" EXTRA="0" TOTAL="225"
Apr 30 07:48:39 XXXXXXXX smtpd[31892]: DECISION: 999 (V4.1-RULE-0606) We have no user sotiristheophilus@XXXXXXXXXX.
Apr 30 07:48:39 XXXXXXXX smtpd[31892]: Hasta la vista 173.8.137.169 :-)


Apr 30 20:04:39 XXXXXXX smtpd[794]: External client 173.8.137.169 has opened a new session...
Apr 30 20:04:40 XXXXXXX smtpd[794]: 173.8.137.169 is BLACKLISTED at: dnsbl-1.uceprotect.net. Scored: 225 Points
Apr 30 20:04:44 XXXXXXX smtpd[794]: REQUEST: IP="173.8.137.169" PTR="mail.calparks.org" HELO="calparks.org" FROM="elizabeth [at] calparks.org" RCPT="thiam140trina@XXXXXXXXXXX" RBLS="225" RHSS="0" EXTRA="0" TOTAL="225"
Apr 30 20:04:44 XXXXXXX smtpd[794]: DECISION: 999 (V4.1-RULE-0606) We have no user thiam140trina@XXXXXXXXXXXX.
Apr 30 20:04:44 XXXXXXX smtpd[794]: Hasta la vista 173.8.137.169 :-)

--
Claus von Wolfhausen
UCEPROTECT-Projektleitung
http://www.uceprotect.net
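As an added illustration of the point about rule direction (this is not code from the thread, from UCEPROTECT or from any poster), here is a small model of a stateless packet filter evaluated against an outbound SMTP session like the one in the log above. The 10.0.0.0/24 LAN, the mail server 10.0.0.5, the ephemeral source ports and the receiving address 192.0.2.25 are all assumed; the iptables lines in the comment are the equivalent real rules for that assumed layout.

```python
"""Added illustration (not from the thread): a minimal model of a stateless packet
filter, used to show why an egress rule for SMTP must match the *destination*
port 25, and why a rule on the *source* port 25 never fires for outbound mail.

Everything below is constructed: the 10.0.0.0/24 LAN, the mail server 10.0.0.5,
the ephemeral client ports and the receiving server 192.0.2.25 (a documentation
address standing in for the remote host that logged the session)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

LAN = "10.0.0.0/24"         # assumed internal network behind the NAT'd static IP
MAIL_SERVER = "10.0.0.5"    # assumed address of the one host allowed to send mail


@dataclass(frozen=True)
class Conn:
    """The outbound TCP connection a rule is evaluated against."""
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One firewall rule; None means 'any' for that field."""
    action: str                  # "ACCEPT" or "DROP"
    src_net: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None
    log: bool = False            # emit a log entry when the rule matches

    def matches(self, c: Conn) -> bool:
        return (ip_address(c.src) in ip_network(self.src_net)
                and (self.sport is None or self.sport == c.sport)
                and (self.dport is None or self.dport == c.dport))


def evaluate(rules: List[Rule], conn: Conn, default: str = "ACCEPT") -> Tuple[str, List[str]]:
    """First-match evaluation, as in an iptables chain; returns (verdict, log entries)."""
    logs: List[str] = []
    for rule in rules:
        if rule.matches(conn):
            if rule.log:
                logs.append(f"egress-smtp: src={conn.src}:{conn.sport} dst={conn.dst}:{conn.dport}")
            return rule.action, logs
    return default, logs


def wrong_rules() -> List[Rule]:
    """'Nothing can go out on port 25' read as a *source* port: it never matches an
    outbound SMTP session, whose source port is an ephemeral one."""
    return [Rule("DROP", src_net=LAN, sport=25)]


def correct_rules() -> List[Rule]:
    """Allow the mail server, then drop (and log) every other LAN host that opens a
    connection *to* port 25. The log entry names the internal machine responsible.
    Equivalent iptables FORWARD-chain rules for the assumed layout, in order:
      -s 10.0.0.5 -p tcp --dport 25 -j ACCEPT
      -s 10.0.0.0/24 -p tcp --dport 25 -j LOG --log-prefix "egress-smtp: "
      -s 10.0.0.0/24 -p tcp --dport 25 -j DROP"""
    return [
        Rule("ACCEPT", src_net=f"{MAIL_SERVER}/32", dport=25),
        Rule("DROP", src_net=LAN, dport=25, log=True),
    ]


# Constructed connections: a workstation and the mail server each opening an SMTP
# session to a remote receiver, plus ordinary HTTPS traffic that must stay allowed.
WORKSTATION_SMTP = Conn("10.0.0.23", 51234, "192.0.2.25", 25)
MAILSERVER_SMTP = Conn(MAIL_SERVER, 40001, "192.0.2.25", 25)
WORKSTATION_HTTPS = Conn("10.0.0.23", 51235, "192.0.2.80", 443)

if __name__ == "__main__":
    for name, rules in (("source-port rule", wrong_rules()),
                        ("destination-port rules", correct_rules())):
        for conn in (WORKSTATION_SMTP, MAILSERVER_SMTP, WORKSTATION_HTTPS):
            verdict, logs = evaluate(rules, conn)
            print(f"{name:22} {conn.src}:{conn.sport} -> {conn.dst}:{conn.dport}  {verdict}  {logs}")
```

Run it with python3 and the source-port rule set lets the workstation's SMTP session through untouched, while the destination-port set drops it, writes a log entry naming 10.0.0.23, and still lets the mail server and HTTPS traffic pass. That log entry is what turns "something sends at 07:40 CEST" into "this host sends at 07:40 CEST".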

David W. Hodgins

Apr 30, 2009, 9:21:51 PM
On Thu, 30 Apr 2009 13:27:45 -0400, gkarasik <gkar...@fea.net> wrote:

> I'm trying to correct the problem that is causing my client's static
> IP (173.8.137.169) to generate a UCEPROTECT Level 1 listing each day
> but am stymied. Here are the circumstances:

> We are in PST (GMT -8). I think 7:40 CEST would be 2:40am our time,
> when there is no one in the client's office.

> I have spoken with Comcast. We did have an incorrect PTR listing,
> which Comcast corrected.

> Last Impact: 30.04.2009 7:40am CEST +/-10min| Earliest Expiretime:
> 07.05.2009 8:00am CEST

Currently, it's showing
173.8.137.169 30.04.2009 20:00 07.05.2009 22:00

Subtracting 10 hours from that would be 10:00 A.M. PST.

While it had the invalid PTR record, it would have only taken one
spamtrap hit, to get listed.

Now that it has valid forward/reverse dns, it will take 50 spamtrap
hits, to get relisted, once it does get unlisted.

Check your logs from 01000+-10min.

Could be an out-of-office reply to a spam, or something similar.

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
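The conversions in this thread are done by hand. As an added example (not code from the thread, from UCEPROTECT or from any poster), the script below parses log lines in the layout Claus quoted, converts the German timestamps with the IANA time zone database so that daylight time on both sides is accounted for, and produces the local-time window in which the sending side's own logs should be searched. The sample lines are constructed after the quoted ones: the receiving host name "mx" and the example.net recipients are placeholders, the year 2009 is taken from the thread, and the parser keys only on the visible layout since the smtpd that wrote the originals is not identified.

```python
"""Added example (not code from the thread or from UCEPROTECT): parse smtpd log
lines in the layout quoted in this thread, convert the German (CEST) timestamps
to the client's California time zone and produce the local window in which the
sending host's own logs should be searched.

Assumptions: the log lines below are constructed after the quoted ones, with the
receiving host named "mx", the recipient addresses replaced by example.net
placeholders and the year taken as 2009."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

try:
    from zoneinfo import ZoneInfo          # Python 3.9+, needs the system tz database
    TZ_GERMANY = ZoneInfo("Europe/Berlin")
    TZ_CLIENT = ZoneInfo("America/Los_Angeles")
except Exception:
    # No tz database on this host: fall back to the fixed offsets valid on 30 April 2009
    # (Germany on CEST = UTC+2, California on PDT = UTC-7).
    TZ_GERMANY = timezone(timedelta(hours=2), "CEST")
    TZ_CLIENT = timezone(timedelta(hours=-7), "PDT")

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
Apr 30 07:48:36 mx smtpd[31892]: External client 173.8.137.169 has opened a new session...
Apr 30 07:48:37 mx smtpd[31892]: 173.8.137.169 is BLACKLISTED at: dnsbl-1.uceprotect.net. Scored: 225 Points
Apr 30 07:48:39 mx smtpd[31892]: REQUEST: IP="173.8.137.169" PTR="mail.calparks.org" HELO="calparks.org" FROM="bonnie [at] calparks.org" RCPT="trap-a@example.net" RBLS="225" RHSS="0" EXTRA="0" TOTAL="225"
Apr 30 07:48:39 mx smtpd[31892]: DECISION: 999 (V4.1-RULE-0606) We have no user trap-a@example.net.
Apr 30 07:48:39 mx smtpd[31892]: Hasta la vista 173.8.137.169 :-)
Apr 30 20:04:39 mx smtpd[794]: External client 173.8.137.169 has opened a new session...
Apr 30 20:04:44 mx smtpd[794]: REQUEST: IP="173.8.137.169" PTR="mail.calparks.org" HELO="calparks.org" FROM="elizabeth [at] calparks.org" RCPT="trap-b@example.net" RBLS="225" RHSS="0" EXTRA="0" TOTAL="225"
Apr 30 20:04:44 mx smtpd[794]: DECISION: 999 (V4.1-RULE-0606) We have no user trap-b@example.net.
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')           # the KEY="value" pairs of a REQUEST line
RULE_RE = re.compile(r"DECISION: (?P<code>\d+) \((?P<rule>[^)]+)\)")


def parse_smtpd_log(lines: List[str], year: int = 2009) -> List[Dict]:
    """Pair each REQUEST line with the DECISION line of the same smtpd process.
    The syslog-style timestamp carries no year and no zone; both are supplied here."""
    pending: Dict[str, Dict] = {}
    events: List[Dict] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("REQUEST:"):
            stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                      "%Y %b %d %H:%M:%S").replace(tzinfo=TZ_GERMANY)
            event = dict(KV_RE.findall(msg))
            event["when_cest"] = stamp
            event["when_local"] = stamp.astimezone(TZ_CLIENT)
            pending[m["pid"]] = event
        elif msg.startswith("DECISION:"):
            rule = RULE_RE.search(msg)
            event = pending.pop(m["pid"], None)
            if event is not None and rule is not None:
                event["code"] = int(rule["code"])
                event["rule"] = rule["rule"]
                events.append(event)
    return events


def local_search_window(event: Dict, slop_minutes: int = 10) -> Tuple[datetime, datetime]:
    """Local-time interval to search on the sending side; the +/-10 min matches the
    precision the UCEPROTECT database query gives for an impact."""
    t = event["when_local"]
    return t - timedelta(minutes=slop_minutes), t + timedelta(minutes=slop_minutes)


if __name__ == "__main__":
    for ev in parse_smtpd_log(SAMPLE_LOG.splitlines()):
        lo, hi = local_search_window(ev)
        print(f"{ev['when_cest']:%d.%m %H:%M} CEST -> {ev['when_local']:%d.%m %H:%M %Z} | "
              f"search {lo:%H:%M}-{hi:%H:%M} local | {ev['FROM']} -> {ev['RCPT']} ({ev['rule']})")
```

For the constructed sample the 07:48 CEST impact lands at 22:48 the previous evening in California and the 20:04 CEST one at 11:04 in the morning, so the Exchange search window for the first is 22:38 to 22:58 on 29 April, not the small hours of the 30th. The FROM and RCPT fields tell you which mailbox to look at; the RULE value tells you whether the address hit was a spamtrap (RULE-0512 in the first quoted log) or merely an unknown user on a host that had already scored the sender on the DNSBL (RULE-0606).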

gkarasik

May 1, 2009, 4:05:39 PM
On Apr 30, 6:21 pm, "David W. Hodgins" <dwhodg...@nomail.afraid.org>
wrote:

Thanks for taking time to reply. The time difference got me all
discombobulated. I've tweaked the firewall so they won't (I hope I've
got it right now) be sending out any more email from the internal
network. We'll see tomorrow.

GaryK

gkarasik

May 1, 2009, 4:06:28 PM
On Apr 30, 1:59 pm, use-reply-to-mail...@remove-this.com (Claus v.
Wolfhausen) wrote:
> In article <8cf30aec-216a-43fe-a356-e27f47e83...@d7g2000prl.googlegroups.com>,
> gkara...@fea.net says...
> UCEPROTECT-Projektleitung
> http://www.uceprotect.net

Thanks, Claus, for taking the time to reply. I had converted the time
incorrectly. I will look again at the Exchange logs. Also I tweaked
the firewall per your suggestion so that it is now blocking port 25
both from and to the internal network. That should stop anything going
to spamtraps. I will monitor the UCEPROTECT database and hope we have
solved the problem. The users do use out-of-office replies, so that
may have been the cause of these pings of the spamtraps.

My client is a struggling non-profit and cannot afford the 50 euro fee
to get delisted immediately, so we will wait the week and hope for
automatic delisting.

May I respectfully suggest an alternative to current UCEPROTECT
policy? Could UCEPROTECT consider providing one free automatic
delisting? Then if the problem does continue, the one-week-or-50euro
policy could take effect.

GaryK

E-Mail Sent to this address will be added to the BlackLists

May 1, 2009, 7:16:18 PM
gkarasik wrote:
> May I respectfully suggest an alternative to current
> UCEPROTECT policy? Could UCEPROTECT consider providing
> one free automatic delisting? Then if the problem does
> continue, the one-week-or-50euro policy could take effect.

Seems to me the one week or 50 is the incentive to proactively
prevent IPs under an ISP's control from being a source of abuse.


One free delisting per what?

per IP? Spammers would certainly make use of that,
as they walked slowly through a CIDR, before moving to
another CIDR, or ISP. (Sounds a lot like typical whack-a-mole.)

per ASN? (Shrug) If an ISP only ever has one source of abuse,
and they clean it up, and prevent all others, I guess they
might make use of it. As for normal ISPs, the millions of
endlusers are likely to keep getting their IPs listed,
till (if ever) the ISP prevents the abuse.

--
E-Mail Sent to this address <Blac...@Anitech-Systems.com>
will be added to the BlackLists.

gkarasik

May 3, 2009, 12:23:35 PM
On May 1, 4:16 pm, E-Mail Sent to this address will be added to the BlackLists <N...@BlackList.Anitech-Systems.invalid> wrote:
> gkarasik wrote:
> > May I respectfully suggest an alternative to current
> >  UCEPROTECT policy?  Could UCEPROTECT consider providing
> >  one free automatic delisting?  Then if the problem does
> >  continue, the one-week-or-50euro policy could take effect.
>
> Seems to me the one week or 50 is the incentive to proactively
>  prevent IPs under an ISP's control from being a source of abuse.
>
> One free delisting per what?
>
> per IP?  Spammers would certainly make use of that,
>  as they walked slowly through a CIDR, before moving to
>  another CIDR, or ISP.  (Sounds a lot like typical whack-a-mole.)
>
> per ASN? (Shrug) If an ISP only ever has one source of abuse,
>  and they clean it up, and prevent all others, I guess they
>  might make use of it.  As for normal ISPs, the millions of
>  endlusers are likely to keep getting their IPs listed,
>  till (if ever) the ISP prevents the abuse.
>
> --
> E-Mail Sent to this address <BlackL...@Anitech-Systems.com>
>   will be added to the BlackLists.


I'm not sure to whom I'm speaking, as there's no name, but I'll answer
on the assumption that these are sincere questions:

> Seems to me the one week or 50 is the incentive to proactively
> prevent IPs under an ISP's control from being a source of abuse.

Not everyone this impacts is an ISP. This is a small, financially
struggling charity, and email is critical to their survival. The
sooner any blocks come down, the easier will be their mission to do
the good they do.

It would be good of UCEPROTECT to consider the proposal.

GaryK

E-Mail Sent to this address will be added to the BlackLists

May 3, 2009, 11:46:44 PM
gkarasik wrote:
> Not everyone this impacts is an ISP.

173.8.0.0/13 is directly allocated to Comcast,
Comcast has the ultimate say in what happens with their IPs,
in the end it is Comcast that is ultimately held responsible
for how their IPs are treated.


> This is a small, financially struggling charity,
> and email is critical to their survival.

173.8.137.168/29 is SWIPed to CALIFORNIA STATE PARKS,
sounds more like a government entity, than a charity.
{Not that it likely matters at all to most (perhaps all) DNSbls.}

Although I can imagine they may be financially struggling,
as much as any other California state government entities are.
{Not to mention the rest of California, nor the rest of the world.}


> The sooner any blocks come down, the easier will be their
> mission to do the good they do.

If abuse is _prevented_ from Comcast NetSpace,
it is much less likely to end up listed in DNSbls.


> It would be good of UCEPROTECT to consider the proposal.

They likely will consider it, and I suspect reject it,
it would allow spammers to easily play whack-a-mole.
{however, what do I know.}

You didn't offer any ideas on how to prevent spammers from
taking advantage of the (yet one more free pass) plan.


Regardless of any DNSbl listing, recipients of your messages
can make certain they get them; if they really need / want
/ expect them, they could whitelist them.

--
E-Mail Sent to this address <Blac...@Griffin-Technologies.net>

gkarasik

May 4, 2009, 10:34:24 AM
On May 3, 8:46 pm, E-Mail Sent to this address will be added to the BlackLists <N...@BlackList.Griffin-Technologies.invalid> wrote:
> gkarasik wrote:
>
>  > Not everyone this impacts is an ISP.
>
> 173.8.0.0/13 is directly allocated to Comcast,
>   Comcast has the ultimate say in what happens with their IPs,
>   in the end it is Comcast that is ultimately held responsible
>   for how their IPs are treated.

Regardless, if UCEPROTECT blocks this particular IP, then it is the
holder of that IP that suffers.

>  > This is a small, financially struggling charity,
>  >  and email is critical to their survival.
>
> 173.8.137.168/29 is SWIPed to CALIFORNIA STATE PARKS,
>    sounds more like a government entity, than a charity.
>     {Not that it likely matters at all to most (perhaps all) DNSbls.}

It's the California State Parks FOUNDATION, a small, private, 501(c)3,
membership organization that among other things pressures both the
California government and the California State Park bureaucracy to
provide poor Californians with better public park access.

>    Although I can imagine they may be financially struggling,
>     as much as any other California state government entities are.
>    {Not to mention the rest of California, nor the rest of the world.}

They are not a government entity. And particularly because of the
world-wide recession, any additional obstacles to their fund-raising
simply make life harder and ultimately impact the poor.

>  > The sooner any blocks come down, the easier will be their
>  >  mission to do the good they do.

> If abuse is _prevented_ from Comcast NetSpace,
>   it is much less likely to end up listed in DNSbls.

UCEPROTECT blocking this IP for an extra four days if it is no longer
sending out spam cannot realistically be expected to alter the
policies of a tone-deaf, incompetent, multi-billion dollar,
multi-national corporation. For Comcast this user is smaller than a molecule
to the moon.

>  > It would be good of UCEPROTECT to consider the proposal.
>
> They likely will consider it, and I suspect reject it,
>   it would allow spammers to easily play whack-a-mole.
>    {however, what do I know.}

Just considering it will be a kindness.

>   You didn't offer any ideas on how to prevent spammers from
>    taking advantage of the (yet one more free pass) plan.

It seems to me it's worthwhile trying to find a balance between two
competing goals--stopping the guilty while limiting the penalty of a
no-longer-offending penalizing small entity. If the IP is a spammer or
is still misconfigured somehow, it will be quickly relisted. If the
problem has been solved, then it serves no purpose to keep them
listed.

>   Regardless of any DNSbl listing, recipients of your messages
>    can make certain they get them; if they really need / want
>    / expect them, they could whitelist them.

Yes, they've already contacted the recipient, then the admins at the
recipient's headquarters (a major California university). The attempted
white-listing didn't work, I'm not sure why (maybe because it's a
level-one listing?), but in any case, there's no way for the client to
know in advance who might be using an anti-spam utility that
references UCEPROTECT.

By the way, thanks for continuing this discussion. It helps me to
understand the issues.

GaryK

> --
> E-Mail Sent to this address <BlackL...@Griffin-Technologies.net>
