spamauditor.org (65.39.244.206), public scan

Submitted URL: http://spamauditor.org/best-practices/ip-reputation/
Effective URL: https://spamauditor.org/best-practices/ip-reputation/
Submission: On July 23 via api from JP — Scanned from CA

Spam Auditor Blog
Words from the battle front against spam, home for spam auditors


THE SPAM AUDITOR BLOG: THE INFORMATION NEXUS FOR THE ANTI-SPAM COMMUNITY.


IP REPUTATION, THE MOST POWERFUL TOOL IN THE FIGHT AGAINST UNWANTED BULK EMAIL
(UBE) AND SPAM


WHAT IS IP REPUTATION?

It is simple. All email must originate from an IP address, and IP reputation
tells you whether a given IP address is responsible for sending spam or
unwanted bulk email (UBE). It is also extremely effective, stopping between
80-95% of all inbound connections at ISPs, and sometimes more.

It is up to whoever owns that IP address to be responsible for what comes out
of it, and if they don’t stop spam from originating there, the address earns a
reputation for that behavior. Almost every large company, ISP and email server
uses IP reputation to some extent; without it they would have to process almost
20 times as much email.

Many companies and resources track that type of behavior and compile IP
reputation lists from it. Often those lists are used to reject outright any
email coming from a listed IP address. The lists are built from data showing
that an IP address is responsible for certain types of behavior, for example:

 * The IP Address belongs to a system that is NOT an email server.
   * It might be an infected personal computer
   * It might be a compromised web server
 * The IP Address belongs to an ISP or email server that doesn’t prevent
   outbound spam
 * The IP Address belongs to an ISP that doesn’t respond to Spam complaints
 * The IP Address belongs to a known spammer
 * The IP Address belongs to an email protection device or server that does
   ‘BackScatter’
 * The IP Address belongs to a company that allows mass email marketing
   campaigns

Some of these lists are freely available, some you have to pay for, and some are
privately maintained. There are literally hundreds of such IP reputation lists,
operated by companies such as SpamHaus, SpamCop, SpamRats, SORBS, UCE-Protect
and others. The nice thing about these lists is that they are often how companies
find out they are leaking spam in the first place, and they motivate companies
to fix the problem.

Checking the connecting IP address is also the easiest check an email server can
perform, because it happens at connection time, before any message content has
been accepted.
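As an added example (not code from the Spam Auditor page, MagicMail or any list operator), here is how a mail server typically performs that check: the connecting client's address is turned into a DNS blocklist (DNSBL) query by reversing its octets (or, for IPv6, its hex nibbles) under the list's zone, and an answer inside 127.0.0.0/8 means the address is listed. The zone names are real ones for two operators this page names, but they are an assumption here since the page only links their web lookup forms; the DNS answers are a constructed stub so the example runs offline, and the handling of 127.255.255.x answers as errors rather than listings follows Spamhaus's documented convention and is assumed for the other zone.

```python
"""Added example: DNSBL lookup of a connecting SMTP client, as a mail server
would do it before accepting a message. Not from spamauditor.org or MagicMail."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Real zone names, used here as an assumption (the page links only the operators' web lookup forms).
DNSBL_ZONES = ["zen.spamhaus.org", "bl.spamcop.net"]

# Spamhaus documents 127.255.255.x answers as errors (typo, open resolver, query limit), not
# listings; applying that rule to every zone is an assumption of this example.
ERROR_ANSWERS = ipaddress.ip_network("127.255.255.0/24")
LISTED_ANSWERS = ipaddress.ip_network("127.0.0.0/8")

Resolver = Callable[[str], Optional[str]]  # query name -> A record text, or None for NXDOMAIN


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets (or IPv6 nibbles) reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        # IPv6 DNSBLs use the fully expanded address, one hex nibble per label.
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def check_ip(ip: str, resolver: Resolver, zones: List[str] = DNSBL_ZONES) -> List[Tuple[str, str]]:
    """Return (zone, answer) for each zone that lists the address; DNS errors never count as a listing."""
    hits = []
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        if answer is None:
            continue  # NXDOMAIN: not listed in this zone
        code = ipaddress.ip_address(answer)
        if code in ERROR_ANSWERS or code not in LISTED_ANSWERS:
            continue  # error reply or a non-loopback answer: fail open, do not block mail on it
        hits.append((zone, answer))
    return hits


def smtp_decision(ip: str, resolver: Resolver) -> Tuple[bool, str]:
    """Decide at connection time, before any message content is read."""
    hits = check_ip(ip, resolver)
    if not hits:
        return True, "accept"
    zone, code = hits[0]
    return False, f"550 Service unavailable; {ip} is listed in {zone} ({code})"


# Constructed answers standing in for real DNS; 10.0.0.x is the placeholder address the page uses.
CONSTRUCTED_ANSWERS: Dict[str, str] = {
    "1.0.0.10.zen.spamhaus.org": "127.0.0.4",
    "1.0.0.10.bl.spamcop.net": "127.0.0.2",
    "2.0.0.10.zen.spamhaus.org": "127.255.255.254",  # constructed error reply, not a listing
}


def stub_resolver(name: str) -> Optional[str]:
    """Offline stand-in for a DNS resolver."""
    return CONSTRUCTED_ANSWERS.get(name)


if __name__ == "__main__":
    for client in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        print(client, smtp_decision(client, stub_resolver))
```

Two design points worth noting: the check fails open on resolver errors or unexpected answers, because blocking all mail when the DNSBL is unreachable turns a blocklist outage into a mail outage; and a production server would skip the lookup entirely for loopback and private peer addresses, which the stub above does not bother with.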

Resource: Spam-related Reputation Lists:

   SpamRats list lookup: http://www.spamrats.com/
   SpamCop list lookup: https://www.spamcop.net/bl.shtml
   Spamhaus list lookup: https://www.spamhaus.org/lookup/
   SORBS list lookup: http://www.sorbs.net/lookup.shtml

Resource: Mass Email Marketing Reputation List:

   MIPSPACE list lookup: http://www.mipspace.com/

Of course, sometimes using IP reputation can stop legitimate email. Sometimes
an IP address changes owners, and sometimes an IP address is listed because too
many other IP addresses from the same company are responsible for UBE. Or,
another email account on the server you use was compromised, and you are
affected. Normally most lists allow removal of IP addresses easily, quickly and
quite simply; the exception is when the problem repeats too many times, in which
case some list operators will refuse removal until the owner of the IP address
does something to correct it. This actually helps to make the internet a better
place.

If you are an end user and you reached this page, the problem is with your ISP
and/or email administrator. It is their job to ensure that they don’t gain a
reputation for sending unwanted email, and there are many alerting systems and
lookup tools to make sure they don’t get listed on such IP reputation lists. If
your ISP does nothing to address the reasons it keeps landing on such lists,
consider changing ISPs; otherwise you will have to get all your friends to
whitelist your email address in order to receive email from you.

Two companies that offer such alerting and lookup tools are DNS Stuff and MX
Toolbox.

If you are the operator of an email server and find that you are listed in one
of those lookup tools, then it behooves you not only to remove yourself, but to
figure out why you got listed in the first place.
The following are the most common reasons for Spam Leakage from your email
servers:

 * Free email signups by spammers
 * Compromised accounts, bad passwords, stolen passwords
 * Backscatter
   * Filters that bounce messages to forged or wrong addresses
   * Over-quota or virus bounces
   * Bad vacation message or email forwarding systems
   * Not checking for valid users properly
 * No rate limiters


MAGICMAIL PROTECTION

MagicMail servers take advantage of IP reputation lists. However, they usually
only need to check a few lists to get most of the protection. If you received a
message similar to the following:

     10.0.0.1 does not like recipient.

     Remote host said: 550-Your message was rejected by this user and was not delivered.

     550-Reason: This system uses BMS to check your IP address reputation, and was rejected
     550-Protection provided by: MagicMail version 1.1.1 (http://magicmail.linuxmagic.com)
     550-For more information, please visit the URL:
     550-http://www.linuxmagic.com/power_of_ip_reputation.html
     550-or contact your ISP or mail server operator.

     Giving up on 10.0.0.1


You can check your IP address using the form at the BMS Lookup Tool. It should
show you which IP reputation list the user or the email server was using and on
which you were listed, and you can go to that list’s site to get yourself
removed. PLEASE check your server over to find out why you got listed in the
first place; otherwise you may get listed again. Then you can contact the list
administrators via their websites.

One example of how powerful IP reputation can be: virus-infected home PCs are
the single biggest source of spam on the internet, so if you had the IP
addresses of all home-style connections (DUL/Dynamic/Dialup/Hotspots), spammers
would not be able to use them to spread new viruses by email. One such database,
at SpamRats, has over 25 million such IPs listed and blocks over 50% of spam on
its own. If your ISP is using such lists, this is the single best way to block
‘BotNet’ spam.


EMAIL MARKETING COMPANIES

Although sometimes not classed as true ‘Spam’, this unwanted bulk email (UBE)
has become a lot worse over the last 18 months. You may have seen this type of
email offering lower mortgages, cheaper airline tickets, even advertising for
very legitimate companies. They usually contain a message ‘You are receiving
this because you have opted in to 3rd party offerings’. Normally the main reason
you get these is that you signed up for something online or bought something,
and the small fine print said that they are allowed to send you such flyers. The
problem is once they get that ‘permission’ from you, very often the flyers get
out of hand; now you are getting 30-40 flyers a day.

Wouldn’t it be nice if the same way you call the post office, and ask them not
to deliver any more flyers to your door, you could do the same thing with your
inbox? Well you can, by using IP reputation and databases of such companies and
their IP Addresses that engage in such practices, and networks that allow such
behavior. Often these companies are so big, they have thousands of email servers
sending out advertising. And this is the fastest growing form of UBE out there.

One such database, MIPSpace, tracks this activity at hundreds of ISPs across
North America (BTW, contrary to popular belief, most of these companies are
located in North America and NOT overseas). If your ISP uses such a database, or
allows you to use one, it can block this traffic with IP reputation.


COMPROMISED/HACKED SERVERS OR ACCOUNTS

This used to be a more common problem, but as server security has increased
hackers and spammers do look for easier targets. There are still web servers and
online forms that hackers can compromise, and use to send out their spam, (often
the more vicious types, like viruses and porn) but usually this type of activity
is easier to detect, and they get shut down very fast, or blocked by IP
reputation lists like SpamRats.

However, recently hackers have been using easier targets such as email accounts
hijacked from people just like you. Using a real email account is a lot better
for hackers, as ISPs that need to process millions of emails for their customers
have a harder time noticing one account that is sending more than its normal
share. The hackers may only send a few thousand messages from each account, but
if they have thousands of such accounts, it makes for a profitable way to send
spam. Using a real email account from a reputable ISP also means their messages
have less chance of being blocked.

How do they get those accounts? Simple. Too many people use easy-to-guess
passwords. If your email is “john@isp.com” and your password is “john”, “john123”
or “test”, then they are going to get your email account. With the ‘BotNets’
mentioned earlier, it doesn’t take long when 100,000 computers all try to ‘guess’
your password. They also run dictionary attacks using commonly used words as
passwords.

So how do we stop this? Well, the ISPs have to stop it before it gets out. If
they use rate limiters on outbound email and enforce password policies, they
should not have these problems. The ISPs that don’t usually end up on blacklists
until they rectify the problem. (Actually, some of the bigger ISPs are often the
worst problems, as they are too big to blacklist, and without that pressure they
have little motivation to deal with the issue.) But with better email
technologies like LinuxMagic’s own ‘MagicMail’ email server, more companies get
this capability out of the box, and this type of spam could become a thing of
the past.
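To make the outbound rate limiter and the "more than its normal share" idea concrete, here is an added example (not code from the page, from MagicMail or from any ISP) of a per-account sliding-window limiter applied to authenticated submissions, plus a simple detector that flags accounts whose recipient volume is far above the median account, which is the signal a hijacked account leaves even when each individual submission is small. The log format, the account names and the thresholds (100 recipients per hour, ten times the median) are all constructed assumptions.

```python
"""Added example: outbound rate limiting and hijacked-account detection over a
constructed submission log. Not code from spamauditor.org, MagicMail or any ISP."""
import re
import statistics
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# Constructed log format (an assumption, not any real MTA's): "<epoch seconds> user=<account> rcpts=<n>"
LOG_RE = re.compile(r"^(?P<ts>\d+) user=(?P<user>\S+) rcpts=(?P<rcpts>\d+)$")

Event = Tuple[int, str, int]  # (timestamp, account, recipient count)


def make_sample_log() -> str:
    """Constructed sample: two normal users plus one account ('mallory') suddenly sending in a burst."""
    lines = [
        "1000 user=alice rcpts=1",
        "1050 user=bob rcpts=2",
        "1400 user=alice rcpts=3",
        "2500 user=bob rcpts=1",
        "2600 user=alice rcpts=1",
        "garbage line that a real log might also contain",
    ]
    # 20 submissions of 25 recipients each within 100 seconds: the hijacked-account pattern
    lines += [f"{3000 + i * 5} user=mallory rcpts=25" for i in range(20)]
    return "\n".join(lines)


def parse_log(text: str) -> List[Event]:
    """Parse log lines into events, skipping malformed lines instead of failing the whole run."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append((int(m["ts"]), m["user"], int(m["rcpts"])))
    events.sort()  # process in time order regardless of how the log was written
    return events


class OutboundRateLimiter:
    """Per-account sliding window: at most max_rcpts recipients in any window_secs span."""

    def __init__(self, max_rcpts: int, window_secs: int) -> None:
        self.max_rcpts = max_rcpts
        self.window_secs = window_secs
        self._hist: Dict[str, deque] = defaultdict(deque)  # account -> (ts, rcpts) inside the window
        self._used: Dict[str, int] = defaultdict(int)      # account -> recipients counted in the window

    def allow(self, user: str, ts: int, rcpts: int) -> bool:
        q = self._hist[user]
        # Drop submissions that have aged out of the window before judging the new one.
        while q and q[0][0] <= ts - self.window_secs:
            _, old_rcpts = q.popleft()
            self._used[user] -= old_rcpts
        if self._used[user] + rcpts > self.max_rcpts:
            return False  # reject; the rejected submission is not counted, so the client can retry later
        q.append((ts, rcpts))
        self._used[user] += rcpts
        return True


def apply_limiter(events: List[Event], max_rcpts: int = 100, window_secs: int = 3600) -> Dict[str, Dict[str, int]]:
    """Replay events through the limiter and return accepted/rejected submission counts per account."""
    limiter = OutboundRateLimiter(max_rcpts, window_secs)
    stats: Dict[str, Dict[str, int]] = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for ts, user, rcpts in events:
        key = "accepted" if limiter.allow(user, ts, rcpts) else "rejected"
        stats[user][key] += 1
    return dict(stats)


def unusual_senders(events: List[Event], factor: int = 10) -> List[str]:
    """Flag accounts whose total recipient count exceeds `factor` times the median account's total."""
    totals: Dict[str, int] = defaultdict(int)
    for _, user, rcpts in events:
        totals[user] += rcpts
    median = statistics.median(totals.values())
    return sorted(user for user, total in totals.items() if total > factor * median)


if __name__ == "__main__":
    evts = parse_log(make_sample_log())
    print(apply_limiter(evts))
    print("review these accounts:", unusual_senders(evts))
```

The limiter stops the burst after the first four submissions, and the median-based detector names the account so that an operator can reset its password rather than just throttling it; both signals together are what keeps the server's IP address off the lists described above. Whether rejected submissions should also count against the quota is a policy choice: not counting them is friendlier to a legitimate user who hit the cap, while counting them makes a brute-force sender stall sooner.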


FREE EMAIL PROVIDERS

Yes, a problem. But you have to have a little sympathy for how hard it is.
Basically, hackers use the ‘BotNets’ described earlier to try to sign up for
thousands of email accounts, or some individual signs up for a throwaway
account. Often this is the nastier form of spam: emails that try to get your
bank account information, tell you that you have won a lottery, or ask you to
help move millions of dollars out of a foreign company.

The providers can do some things, like limiting how much email a person can
send at a time, but when thousands of accounts all send just a few messages, it
is harder to detect the spammers. And you can’t really point a finger at a single
email provider, as all of them have suffered from this at one time or another.
They try to stop automated signups, but the hackers keep finding new ways around
this. For most people it is impossible to just block free email providers such
as Yahoo, Gmail or Hotmail (although some people do), so there is only one way to
stop spam from bad free email accounts. Thankfully this is the lowest percentage
of all the types of spam, but in this case the ISP has to use ‘filters’. This is
not the best way to deal with it, as it adds load to the servers, and as soon as
one filter stops a message, the spammers change the way they write the emails to
get around the filters.

Until the free email companies solve this problem, your ISP is forced to use
some spam filtering techniques along with the normal virus and other filters.
Luckily, most modern email servers have, or keep up with the latest filtering
technologies. If you get this kind of spam, report it to your ISP. It will be up
to the ISP to put pressure on the free email providers to make sure they stop it
before it leaks out of their servers.
