Monthly Archives: July 2006

Spamming shoe on other foot

Typically, the biggest issue we see week-to-week involves non-spamming companies that have been caught in blacklist spam traps which block entire ranges of suspected spamming IP addresses. However, over the past few days several RBLs (including SORBS, SPAMCOP, PSBL, and even CBL) have listed many instances of spam being sent directly from the IP addresses of the companies that have contacted us with blacklist problems. Reports of ISP network abuse have also been noted by SPAMBAG, SPEWS and SPAM CANNIBAL.


As to Non Delivery Reports (NDRs) directly from ISP hosts, Earthlink has joined BellSouth and Comcast as the most dominant ones as of today. Otherwise, CBL and SPAMCOP have both listed infections from unknown viruses invading various companies’ networks…and reverse DNS issues have made a small resurgence. Have a great weekend!

Typical hot, summer, blacklist weather pattern continues

SORBS blacklist entries are rising slightly, but today we’ve noticed more entries listing “exploitable server” and fewer listing “dynamic IP address”. Also, there has been a minor influx of “open proxy” listings on other RBLs, such as DSBL, NJABL, PSBL and Spamhaus-SBL.


Regarding the Non Delivery Reports (NDRs) from ISPs that have targeted non-spamming companies in their nets along with the spammers, they have shifted away from hosts such as Verizon, Yahoo, SBC and Hotmail in the past few days…and appear to be coming more from Comcast, BellSouth and AOL users.


Meanwhile, the FIVETEN family blacklist listings are nominally higher than they were over the weekend, while the reverse DNS issues are also on the decline.

Uptick in NDRs from major ISPs

While the number of SORBS blacklist entries has declined dramatically since last week, we are noticing an uptick in Non Delivery Reports (NDRs) from ISPs such as Verizon, Yahoo, SBC and Hotmail. In most cases, it appears that these ISPs’ latest netblocks (ranges of IP addresses that include recent spammers) are catching non-spamming companies in their nets, creating bouncebacks to them as well as to the actual spammers.


There have also been a fair number of FIVETEN family blacklist occurrences since Friday — identifying miscellaneous address blocks that have sent spam — which have also included non-spammers in their ranges.


And we are still seeing several reverse DNS issues (PTR records not pointing to the original IP address or missing “A” records), which can make it difficult to get de-listed when requested…and a few viruses identified by CBL. We’ll keep you updated on any changes to these current trends.

SORBS causing deliverability problems

Far and away, the most common delivery issue for Monday and Tuesday has been bouncebacks due to the SORBS blacklist. Based on the reports we’ve gotten so far this week, the latest SORBS dynamic IP listing update has included a great number of static IPs by mistake, resulting in many legitimate email messages being blocked by SORBS users.

We’ve also noticed a trend of bouncebacks coming from IP addresses showing CBL as the operative blacklist. In a great many of these cases, the CBL site has listed the Bagle worm as the cause of the virus that’s causing spam to be broadcast from multiple networks.


In other scenarios, reverse DNS issues (PTR records not pointing to the original IP address or missing “A” records) have been found, along with a few instances of domain names being spoofed. We’ll keep you posted.
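The reverse DNS problems described in these posts (a PTR record that does not lead back to the original IP address, or a PTR hostname with no “A” record) can be checked with a forward-confirmed reverse DNS test before asking a blacklist for de-listing. The following is an added example, not part of the original posts; the function names are hypothetical, and the sample records are constructed from documentation address ranges and invented hostnames.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR lookup via the system resolver; returns a list of hostnames."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_addrs(host):
    """A/AAAA lookup via the system resolver; returns address strings."""
    try:
        infos = socket.getaddrinfo(host, None)
        return sorted({ai[4][0].split("%")[0] for ai in infos})
    except OSError:
        return []

def check_fcrdns(ip, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Classify a sending IP as ok, no_ptr, no_a_record or mismatch."""
    want = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return ("no_ptr", None)            # nothing published for the IP
    saw_forward = False
    for name in names:
        addrs = addr_lookup(name)
        saw_forward = saw_forward or bool(addrs)
        if any(ipaddress.ip_address(a) == want for a in addrs):
            return ("ok", name)            # PTR name resolves back to the IP
    # PTR exists but never confirms: either no forward record or a different IP
    return ("mismatch" if saw_forward else "no_a_record", names[0])

# Constructed sample zone data, standing in for real DNS answers.
SAMPLE_PTR = {
    "192.0.2.10": ["mail.example.com."],
    "192.0.2.20": ["host20.example.net."],
    "192.0.2.30": ["mx.example.org."],
}
SAMPLE_A = {
    "mail.example.com": ["192.0.2.10"],
    "mx.example.org": ["198.51.100.7"],
}

def sample_results():
    """Run the check over the constructed records without touching the network."""
    ips = ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"]
    return {ip: check_fcrdns(ip, lambda i: SAMPLE_PTR.get(i, []),
                             lambda h: SAMPLE_A.get(h, [])) for ip in ips}

if __name__ == "__main__":
    for ip, (status, name) in sample_results().items():
        print(f"{ip:<12} {status:<12} {name or '-'}")
```

Calling `check_fcrdns("<your mail server IP>")` with the default arguments runs the same test against live DNS through the system resolver.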