FormMail rejected by SpamCop


Cindy
06-05-2002, 09:49 AM
I recently installed EFM, including the "Use UCE Blacklists" feature.

Today, after reading a forum message regarding security and Matt's Script Archive's FormMail, I decided to upgrade a survey on my site. After testing, I didn't receive any of the email responses. I re-installed the older version, still nothing. I checked my EFM reject log and there they were:

[05/Jun/2002:09:35:30 -0500] webmaster@mjblue.com
xmjblue-webmaster@mjblue.com
<20020605133529.19543.qmail@six.futurequest.net> "5 Jun 2002 13:35:29
-0000" "()" "webmaster@mjblue.com" "Michael Johnson Survey" "IP:
63.151.147.101; Spam blocked see: http://spamcop.net/bl.shtml and
http://spamcop.net/w3m?action=checkblock&ip=63.151.147.101"

According to the CNC, 63.151.147.101 is not my IP address.

I did get a survey submitted last night so I just don't understand this.

I want to continue using the UCE blacklists as it cut down on the spam I've gotten considerably. Help.

Cindy
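
Added example (not part of the original thread, and not FutureQuest's or EFM's own code): a parser for the reject-log entry quoted in the post above that extracts the blocked IP, the host named in the Message-ID, and the DNS name a blacklist lookup for that IP would use. The field layout is inferred from this single entry, and the `bl.spamcop.net` zone with reversed octets follows the usual DNSBL query convention; both are assumptions about this setup.

```python
import ipaddress
import re

# Entry copied from the post above; the log wraps one entry over several lines.
SAMPLE_ENTRY = """[05/Jun/2002:09:35:30 -0500] webmaster@mjblue.com
xmjblue-webmaster@mjblue.com
<20020605133529.19543.qmail@six.futurequest.net> "5 Jun 2002 13:35:29
-0000" "()" "webmaster@mjblue.com" "Michael Johnson Survey" "IP:
63.151.147.101; Spam blocked see: http://spamcop.net/bl.shtml and
http://spamcop.net/w3m?action=checkblock&ip=63.151.147.101"
"""

# Assumed layout: [timestamp] address address <message-id> "quoted" "fields" ...
ENTRY_RE = re.compile(
    r'^\[(?P<when>[^\]]+)\]\s+(?P<addr1>\S+)\s+(?P<addr2>\S+)\s+'
    r'<(?P<msgid>[^>]+)>\s+(?P<quoted>".*")$'
)
IP_RE = re.compile(r'IP:\s*(\d{1,3}(?:\.\d{1,3}){3})')


def parse_reject_entry(text, dnsbl_zone="bl.spamcop.net"):
    """Return the triage-relevant fields of one wrapped reject-log entry."""
    flat = " ".join(text.split())          # undo the line wrapping
    m = ENTRY_RE.match(flat)
    if m is None:
        raise ValueError("entry does not match the assumed reject-log layout")
    quoted = re.findall(r'"([^"]*)"', m.group("quoted"))
    ip_match = IP_RE.search(quoted[-1])    # reject reason is the last field
    if ip_match is None:
        raise ValueError("reject reason carries no 'IP:' value")
    # IPv4Address rejects out-of-range octets such as 999.1.1.1.
    ip = ipaddress.IPv4Address(ip_match.group(1))
    reversed_octets = ".".join(reversed(str(ip).split(".")))
    return {
        "when": m.group("when"),
        # Host part of the Message-ID: the machine that generated the message.
        "message_id_host": m.group("msgid").rsplit("@", 1)[-1],
        "subject": quoted[-2],
        "rejected_ip": str(ip),
        # Name a resolver would be asked for when checking the blacklist.
        "dnsbl_query": f"{reversed_octets}.{dnsbl_zone}",
    }


if __name__ == "__main__":
    for key, value in parse_reject_entry(SAMPLE_ENTRY).items():
        print(f"{key}: {value}")
```

For this entry the Message-ID host and the blocked IP both point at the shared SIX mail server rather than at the site's own address, which matches what later replies in the thread say about the listing.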

Bruce
06-05-2002, 11:18 AM
Thanks for the note.

We are actively pursuing this matter with SpamCop to determine what caused the listing and to get ourselves removed.

Cindy
06-16-2002, 06:07 PM
Are you aware SIX's mail is blocked again by SpamCop as of today?

http://spamcop.net/w3m?action=checkblock&ip=63.151.147.101

Cindy

sheila
06-16-2002, 06:34 PM
Hello Cindy,

Yes, we are aware of this unfortunate situation. This morning, around 6 am EDT the sysadmin caught the Spammer within two hours of the actual sending, by cross-correlating server loads. This Spammer was caught without anyone notifying FutureQuest. The account was immediately deactivated. The sysadmin then checked at SpamCop.net and there was already one piece of spam reported on this incident.

If you check the following link you will see that SpamCop now acknowledges that the "ISP" has dealt with this issue:
http://spamcop.net/sc?id=z40275082z19ae9e180514f8068db88c7cc151f070z

I'm not sure why SpamCop is continuing to let the points accrue and still accepting reports on this issue. We are hoping in the near term to dialog with them on their practices and policies.

This account has been killed and there is nothing more that FutureQuest can do against the spammer. Note that SpamCop clearly indicates that their blacklist is "experimental" in status, and that ISPs should not use it in production.

Hopefully this will expire more quickly than the last listing of the SIX server, as there are no "spamtrap" reports listed, which seem to carry more points and last longer in the SpamCop system, than reports from individuals.

This is a case of a hit-and-run spammer, and FutureQuest caught them and deactivated as quickly as we could.

packetdaddy
06-16-2002, 11:01 PM
Sheila,
Thanks for the quick reaction. I just got hit by this problem....but I'm showing that FQ was listed today, then DE-listed, then listed AGAIN:

listed: Sunday, June 16, 2002 10:43:01 -0400
delisted: Sunday, June 16, 2002 11:03:01 -0400
listed: Sunday, June 16, 2002 11:20:02 -0400

The URL is:

http://spamcop.net/w3m?action=checkblock&ip=63.151.147.101

I don't like their policy listed here:

http://spamcop.net/fom-serve/cache/298.html

How can I be de-listed
If you have stopped the spam, you will be delisted automatically within one week. Please do not write asking to be delisted sooner unless you believe there is some error in SpamCop's logic. Systems known to send spam are listed for up to a week even if there is a "resolution" to the "issue". Often, what happens once can happen again.

I don't agree with this at all! A week is a LONG time in net-years. I've never heard of SpamCop before, but my first experience with them hasn't been a good one (tonight). They need to rethink some of their logic.

Thanks,
Larry Schauer

sheila
06-16-2002, 11:20 PM
Larry,

I agree with you. A week is too long.

Currently I am corresponding with some of the deputies at Spamcop, and it looks like they may manually remove the listing this time.

Keep your fingers crossed,

sheila
06-17-2002, 11:34 AM
Just moments ago, a SpamCop administrator has manually delisted the IP address for the SIX server.

:)

http://spamcop.net/w3m?action=checkblock&ip=63.151.147.101

TVB
06-17-2002, 01:17 PM
What happens if someone signs up for a mailing list, receives a mailing and then doesn't remember signing up and so impulsively reports to spam cop? Does FQ automatically close an account with asking for proof the opt-in subscriber signed up? How would a FQ client even prove that the complainer signed up before being nuked from the FQ servers?

What if we want to send a press release to various news organizations? Sure, chances are, they are used to unsolicited emails but how do we avoid the pox called spam because someone might be having a bad day or disagree with the subject? Do we ditch email lists altogether and go back to snail mail?

Reading the threads about spamcop, I sense a Napoleonic atmosphere on their part in that they list, but don't investigate. Please tell me I am wrong on this account.

Best,

Betsy

Deb
06-17-2002, 02:19 PM
Each situation is viewed individually and a lot depends on the number of complaints as well as how the mail was sent etc.

FutureQuest has had its invoices reported as spam so we do know that "anything is possible". In the end however the majority take precedence over the minority on a community server and our primary focus is ensuring the services are delivered properly. If an account, with a legitimate list, is causing us to be blocked consistently then that account is better off on a dedicated system where it cannot as easily affect the others that may share the resources. At the same time if a legitimate list receives a complaint or two we simply ask the list owner to take the appropriate measure to handle those problems.

It is vitally important that you include clear opt-in/opt-out procedures and descriptions of who you are and why you have sent the email to lessen the chance of complaints.

When it comes to spam, the wrongs of one spammer cause entire networks to be punished :(

Deb
- Point, Click, Spam!

Cindy
06-17-2002, 02:30 PM
I've been getting tons of bounced emails back in the last few days because of various spammers using my domain. Life insurance and such. I was initially worried about SpamCop listing my domain or FQ closing my account because of this spam - but since nothing negative has happened, I'm wondering if you and Spamcop look at the IP addresses rather than the domain name in order to tell who sent the message.
Cindy

sheila
06-17-2002, 02:49 PM
Originally posted by Cindy:
I've been getting tons of bounced emails back in the last few days because of various spammers using my domain. Life insurance and such. I was initially worried about SpamCop listing my domain or FQ closing my account because of this spam - but since nothing negative has happened, I'm wondering if you and Spamcop look at the IP addresses rather than the domain name in order to tell who sent the message.
Cindy
Spamcop always looks at the IP addresses. While they will allow users who report spam the option of reporting "Spamvertised" websites and/or domains, those checkboxes for sending to Abuse@ on those domains are not checked by default. However, the boxes are there, and Spamcop users can report to those addresses. But Spamcop will not list such reports in their blacklist. (This is my interpretation of their FAQs, which I spent quite a bit of time going over yesterday.)

As for FutureQuest...we will always look at the IP address to determine the source of the email and whether it came through our servers or elsewhere. However, if a particular domain hosted on our site were to be sending out spam, even through servers other than ours, we would definitely be concerned and investigate this further. We would want to disassociate ourselves from hosting any known spammers, especially to protect the integrity of our services for the community of site owners.

At the same time, FutureQuest is sensitive to forgeries and Joe Jobs. The best we can do is promise to investigate thoroughly, and to be aware that forgeries and Joe Jobs do happen. As well, FutureQuest does not want to reveal too much about our investigation procedures, nor make any "absolute" statements, as each case is different.

Monty
06-17-2002, 02:50 PM
Deb, as a reseller, I have a few questions.

a. Do you see any pattern with these spammers buying accounts, like only paying for the first month, or oddball domain names?

b. When these people buy accounts, do they let them sit idle for a while before they start spamming or do they jump right in and spam away?

c. Did any of the recent terminations have the FQ provided home page still in place?

Just wondering what to look for, as I don't usually resell to someone without a personal reference, but I don't want to rule it out.

Mont

Deb
06-17-2002, 03:03 PM
We see all types...

Those that get the account and send the spam within the first 24 to 48 hours without paying a dime.

Those that pay and are terminated within the first month for spam.

Those that 'hang out for months' prior to sending.

And the most difficult of all are those that have been great clients for years who, in their ignorance, decide to buy a million "opt-in addresses" to advertise to and honestly believe they are doing a good thing. The "advertisement said it was all good".

We had one recently that we found who had accounts with multiple hosts...they had not pointed their domain to ours yet. They made the mistake of spamming us from one of their other accounts hosted elsewhere. It 'appears' they kept many accounts open with multiple hosts so if one host terminated them it wouldn't affect their mailings because they always had other hosts 'standing by'.

Deb
- Pick your poison

TVB
06-17-2002, 04:04 PM
I've been getting tons of bounced emails back in the last few days because of various spammers using my domain

Late last week, I had a returned mail show up in my inbox that was sent from an address I have never sent from (webmistress@xxx). The recipient was an address I have never seen or heard from (and not someone who signed up for my mailing list). The body of the email was empty, and it was the only one. I dismissed it (but not without concern, I just was clueless as to how it occurred).

Could that be a sign that someone else is using the domain for spam purposes?

Betsy