Opened 6 months ago

Closed 6 months ago

#13762 closed Bug/Something is broken (fixed)

209.234.253.187 added to MAILSPIKE Z blacklist

Reported by: https://id.mayfirst.org/legitgov
Owned by:
Priority: High
Component: Tech
Keywords: MAILSPIKE
Cc: lori@…
Sensitive: no

Description

Dear Support Team,

209.234.253.187 has been added to MAILSPIKE Z blacklist over a 'Distributed Spam Wave.' (I learned that additional detail when I submitted a check on the mailspike.net site.)

209.234.253.187 
Added to MAILSPIKE Z at 6/5/2018 9:17:22 AM (UTC-06:00) Central Time (US & Canada)  
  
Blacklist Severity: Low  
MxRep Current Score: 96  
Delisting link: http://mailspike.net/contact.html  
Get more information: blacklist:209.234.253.187  
Tags:  
Learn more about this problem: MAILSPIKE-Z  
Current Checks failing: 2  
Email Sent On: 6/5/2018 9:17:24 AM 

I tried to manually de-list the IP from their spam list - not sure if I was/will be successful.

Thank you,
Lori Price

Change History (8)

comment:1 Changed 6 months ago by https://id.mayfirst.org/jaimev

  • Resolution set to wontfix
  • Status changed from new to feedback

Lori, I think that ip might have previously been assigned to june but it is no longer assigned to any of our servers. This block shouldn't affect anything as far as I can tell.

Thank you for keeping an eye on this though.

comment:2 Changed 6 months ago by https://id.mayfirst.org/legitgov

  • Resolution wontfix deleted
  • Status changed from feedback to assigned

Hi, Jaime.

Thank you! But also, there is this:

 LISTED	SORBS NEW 	162.247.75.110 was listed  Detail	3600	0	Ignore
 LISTED	SORBS SPAM 	162.247.75.110 was listed  Detail	3600	

More info here:

Spam record for address 162.247.75.110
Description:	Spam Received from this host
Record Created:	22:33:12 05 Jun 2018 GMT+00
Message ID (munged):	517*********************************@******************RBS
Additional Information:	No Info

Newest Spam listings for: 162.247.75.110 (Limited to a maximum of 30)
Current status of 162.247.75.110 is Listed
Seen/Created Time	Host/Netblock	Short Description/Identifier	Select
 22:33:12 05 Jun 2018 GMT+00 	 162.247.75.110 	 517*******************************32@***

That is the IP used for the CLG Newsletter, so it has to be de-listed. Do you want me to open a new ticket for this problem, or is it tied in with the MAILSPIKE Z blacklist issue?

Thank you,
Lori

comment:3 Changed 6 months ago by https://id.mayfirst.org/jaimev

Yes that ip is active and we should look into it. You don't have to create a new ticket.

comment:4 Changed 6 months ago by https://id.mayfirst.org/legitgov

Ah, SORBS has provided detailed info as the blacklist triggering, which also occurred in April 2018. One particular email dissemination from 'Grassroots Global Justice Alliance' was the cause of the problem in April and also in June. *The exact same email* from GGJA caused this recent blacklisting, according to SORBS. (Please see Ticket #13624 for more info.)

Here is the SORBS ticket trail. I did note that someone/a group may be trying to harm GGJA by disseminating spam on their behalf.

Dear Courtney,

Thank you so much for taking the time to respond to my ticket and for your explanation. Apparently, 'Grassroots Global Justice Alliance' keeps disseminating spam via the relevant IP. Our organization also uses that IP to send our newsletter, so we are being effectively 'punished' for [their possible actions]. I submitted a ticket in our Web hoster's support forum about GGJA in April (when they previously triggered a SORBS blacklist tag with the *very same email* that triggered the June 5 blacklisting). Sadly, I did not see that the problem was resolved on our Web hoster's end. I should add, it's possible someone/a group is trying to harm GGJA by continually sending spam via 162.247.75.110.

I will try to get our Web hoster, May First, to address the GGJA spam issue. 

Thank you, also, for saying if there's no further problems, you will delist the IP after a 48-hour period. I sure hope that's by Friday, as CLG needs to cover the upcoming North Korea/US summit. :)

Sincerely,
Lori Price

On Wed Jun 06 17:06:16 2018, comcgrath wrote:
> Hello,
>
> This listing was the result of mailing list management issues.
> Unfortunately, one of your mailing lists is delivering to one of our spam trap
> addresses. A "spam trap" is an email address owned by SORBS that is intended to
> collect spam samples in the wild. In order to prevent future listings, I'd
> recommend making configuration improvements to prevent mailings from being sent to
> addresses that are no longer in use, such as by removing recipients from which
> you receive hard rejects (DSN 5.x.x) and using confirmed opt-in policies
> when adding new subscribers.
>
> Additionally, we recommend implementing a one-click unsubscribe via
> the List-Unsubscribe header as defined in RFC 2369
> (http://tools.ietf.org/html/rfc2369).
> Note that if following this link automatically unsubscribes the user,
> our spam traps will unsubscribe themselves upon receiving these messages. At
> this time, we only provide this functionality for HTTP links in the List-
> Unsubscribe header.
>
> The most recent occurrence of spam from this IP was within the last 48
> hours.
> It is SORBS policy to wait at least 48 hours since the last occurrence
> before de-listing. I will hold this ticket open until the 48 hours has
> passed. If we have not collected any more spam data, we will be able to de-list this
> IP after 48 hours, or by the next business day after the 48 hour period. You do
> not need to reply to this email.
>
> For your reference, I've attached the headers for the most recent
> occurrence.
>
> Received: from [Host/Domain Hidden] ([Host/Domain Hidden]
> [162.247.75.110])
> by mx.mail-[Host/Domain Hidden] (Postfix) with ESMTP id
> EBFBD23BE48D
> for <[Email Address]>; Tue, 5 Jun 2018 17:33:17 -0500 (CDT)
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> boundary="[hidden]"
> Subject: We're Hiring for Two Positions! Communications Coordinator
> and It Takes Roots Fundraising Contractor
> Precedence: bulk
> job_id: 4915
> From: "Grassroots Global Justice Alliance" <[Email Address]>
> To: Alberta Beeson <[Email Address]>
> Date: Tue, 05 Jun 2018 18:33:16 -0400
>
> Thank you,
>
> SORBS Support
>
> On Tue Jun 05 20:40:00 2018, SORBS_Support wrote:
> > Name: Lori Price
> > IP/Host: 162.247.75.110
> > IP: 162.247.75.110
> > DNS: NXDOMAIN
> > DNS TTL: -1
> > DNS Info is cached: No
> > Additional Information:
> >
> > Dear SORBS Support Team,
> >
> > Please de-list 162.247.75.110, which is the ISP used to send the CLG
> > Newsletter. We have no advertisements in this newsletter.
> > Furthermore, a 'double opt-in' procedure has been implemented in order to
> > subscribe.
> >
> > Sadly, we have been listed as a spam source, which must be an error.
> >
> > Thanks very much.
> >
> > Sincerely,
> > Lori Price
> > www.legitgov.org
> >

Would it be possible to please research the GGJA spamming issue? I think that will take care of this particular SORBS blacklisting trigger, going forward.

Thank you, Jaime!
Lori
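
The list-hygiene step SORBS recommends in the reply quoted above (removing recipients that return hard rejects, DSN 5.x.x), shown as an added example that is not part of the ticket or of May First's tooling. The sample bounce, the example.org addresses and the function names are constructed for illustration.

```python
import email
import re

# Constructed sample bounce in RFC 3464 (delivery status notification) form.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.example.net
To: list-bounces@example.org
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery failed.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; gone@example.org
Action: failed
Status: 5.1.1

Final-Recipient: rfc822; busy@example.org
Action: delayed
Status: 4.2.2

--b1--
"""
HARD_STATUS = re.compile(r"^5\.\d{1,3}\.\d{1,3}\b")  # permanent failure class

def hard_bounced(dsn_text):
    """Return lower-cased recipients the DSN reports with a 5.x.x status."""
    failed = set()
    for part in email.message_from_string(dsn_text).walk():
        blocks = part.get_payload()
        if part.get_content_type() != "message/delivery-status" or not isinstance(blocks, list):
            continue
        for block in blocks:  # one header block per recipient (plus one per-message block)
            status = (block.get("Status") or "").strip()
            recipient = block.get("Final-Recipient") or ""
            if HARD_STATUS.match(status) and ";" in recipient:
                failed.add(recipient.split(";", 1)[1].strip().lower())
    return failed

def prune(subscribers, dsn_texts):
    """Drop every subscriber named in a hard bounce; keep soft (4.x.x) ones."""
    dead = set().union(*(hard_bounced(t) for t in dsn_texts))
    return [s for s in subscribers if s.lower() not in dead]
```

Temporary failures (4.x.x) are deliberately left on the list; only permanent rejects are removed.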

comment:5 Changed 6 months ago by https://id.mayfirst.org/legitgov

Hi, Jaime.

For now, SORBS has removed 162.247.75.110 from their blacklists. However, the spam-generating via Grassroots Global Justice Alliance needs to be addressed (please see my previous post in this thread), or the IP is destined to be blacklisted again. The identical problem was not dealt with in April - can you/the team please get to the bottom of it? I'm only requesting this action because I believe there will come a point where SORBS will refuse to delist the IP from their blacklist.


Thank you,
Lori

comment:6 Changed 6 months ago by https://id.mayfirst.org/jamie

Thanks Lori - I've just followed up with the member responsible for the email and we have put that email address on hold while we investigate how it was subscribed to the list in the first place.

comment:7 Changed 6 months ago by https://id.mayfirst.org/legitgov

Thank you, Jamie!
Lori

comment:8 Changed 6 months ago by https://id.mayfirst.org/jaimev

  • Resolution set to fixed
  • Status changed from assigned to closed

I'll go ahead and close this now as it seems we've been able to keep that ip off the blacklist.
