Frequently asked questions:


  • Why are you port-scanning my host/network?
    • We don't port-scan entire networks. We do check hosts that have tried to send mail into contributing systems for open proxies, on several dozen ports (well-known proxy ports and the odd ports spammers currently use for proxies). Open proxies are apparently the next frontier for spammers, who have all but used up the once plentiful supply of open relays. To the spammers, open proxies are even better than open relays since they leave no trace of the spammer's IP in the message headers.
    • These checks for open proxies typically discover several thousand new open proxies every day.

  • I'm not a spammer, but there are spammers hosted on IPs close to mine. Why are my IPs in your list?
    • When we notice a professional spammer, especially if they appear to have a block of IPs, we use whois to determine their IP block, and then add that entire block to our list. If their IPs are part of a /24 or smaller block, we assume the spammer has been allocated the entire block. This may not always be the case, but if the ISP the space belongs to has not kept their swips up to date, we have no way of knowing this. If you're caught in this situation, talk to your ISP about swipping your space so that you don't get mixed up with their spammers, or better yet, ask them to get rid of their spammers.

  • Why wasn't I notified before my IP was added to your list?
    • Our automated system generally finds thousands of open relays and open proxies every day, far too many to manually notify the owner of each one. Since we're not aware of any programmable method to obtain appropriate contact information for a given IP address, we do not attempt to notify the operators of open systems.
    • In the past, ORBS found that attempting to send such notifications generated more complaints and ill will than it was worth.
    • Currently, we only attempt to notify the RIR contacts for multi-stage open relays. We send these notifications at least 1 week prior to adding multi-stage open relay outputs to our list.

  • My IP isn't a dial-up. Why is my IP listed as a dial-up port?
    • We determine which IPs are dial-ups by looking at registry information and/or checking in-addr.arpa (reverse) DNS near the beginning, middle, and end of each /24 we suspect may be dial-ups. If the regional registry records say the space is used for dial-ups or other dynamic uses, or if the in-addr.arpa records suggest this, we list the /24. It's possible you have a static IP within a range of addresses that's otherwise largely dynamic or at least has in-addr.arpa DNS suggesting it is dynamic. If this is the case, let us know. If your PTR record suggests the IP is static, we'll remove your IP from our list. If you have a static IP that in every way looks just like the dynamic IPs around it, you're going to have to have your ISP contact us.

  • How often are servers retested?
    • Open SMTP relays are expired and retested after 90 days. If you have used our removal form to request removal of an open relay, the open relay IP will be retested several hours after it has been removed. The delay between a removal request and the IP actually being removed varies. Until the penalty delay from too many removals kicks in, removal requests through our removal form are generally processed in about an hour or less. Occasionally, maintenance on our back-end scripts may delay removals for some time. You can check the queue of removal requests on our stats page.

  • What if I just use your removal page but don't bother fixing my open relay?
    • You can do that, but it's not a good idea.
    • First, shortly after removal, your relay will be retested.
    • Second, after a few removals, subsequent removals will take increasingly longer to process, thus leaving your relay stuck in our list for hours, days, weeks, etc.
    • Third, unfortunately, enough open relays have gone through the removal process without being fixed that it seems some spammers have figured out that our stats page is a handy place to grab a current list of open relays. It's been reported more than once that open relays that never got abused were flooded by open relay spammers shortly after removing themselves from our list. In no way do we support or condone this activity, but it may turn out to be the biggest incentive for fixing open relays before requesting removal.

  • I know that my relay is open, but I keep an eye on the logs and I don't think any spammers have found my open relay yet. Will you exclude me from your list?
    • No. It's only a matter of time before your open relay is discovered by spammers. Having it in our list will allow those who use our list to block the spam that will eventually be relayed through your server.

  • My server is not an open relay. I've removed it, but your site keeps listing it as an open relay. I even had someone else test it and they told me it's not an open relay. Why is this happening?
    • If we really do have your server listed as an open relay, you can use our lookup page to see the test messages we've relayed through your server. If you see these and still don't believe your server is an open relay, we probably can't help you.
    • Don't bother emailing us that some other site's open relay test says your system is not an open relay. There are more relay test sites than we're aware of, and they all use different test suites of envelope to/from addresses. If they don't do the same tests we do, and they say your system is not open, while we have evidence that it is, their test is irrelevant because they haven't tested your system in the same way we have.

  • I've emailed you asking for removal or with some other question. I've gotten no reply. My server hasn't been removed. Is there anyone home?
    • Most likely, your email was received, read, and ignored.
    • If your message does not include the IP address of the server you want removed from our list, we won't guess or otherwise try to determine the IP. We'll delete your message. Here's a hint. Put the IP you're emailing about in the subject line of your message.
    • Don't just ask for removal. Tell us why your system, which is likely listed as a dial-up, spam source, open proxy, open formmail, relay output, or multi-stage open relay, should be removed. That is, telling us that you've fixed whatever problem your system had is more likely to result in removal than a simple "please remove [IP] from your list." Removal requests that do not include a reason the IP should be removed are likely to be ignored.
    • If an IP is listed as a dynamic IP, don't email us that it's not an open relay. We don't care and we didn't necessarily say/think it was an open relay. Doing so makes you look stupid and gets your message deleted.
    • If you email a question that can easily be answered by our web site (especially "why is my IP in your list?"), your message will be ignored. Use our web site and our lookup page.
    • If you email us nothing but attachments (i.e. Word documents, images of screenshots, etc.) your message will be ignored. We will not even try to open such attachments. If you want to communicate with us, please stick to ASCII text in English.

  • I'm trying to email you to ask for my IP to be removed, but my message bounces because my server's IP is in your list. How am I supposed to contact you?
    • Email can be sent to removals at rt.njabl.org even from IP addresses in our list. However, you must put the IP address you're contacting us about in the subject of your message or it will not make it through our filters and will be discarded.

  • What's an open proxy, and why are they bad?
    • A proxy is a program/service that accepts connections and redirects them to other systems, making the proxy server a sort of middle-man. An open proxy is a proxy that will do this redirection to any destination for anyone without authentication. Open proxies can be used for a variety of network abuse, spam being just one of the more common ones. They are currently utilized by spammers because they completely hide the identity of the spammer. All the spam recipient sees in the message header is the IP address of the proxy server. This makes tracking down the person who actually sent the spam impossible.
    • If your system has been found to be running an open proxy, you will need to examine the software your system is running in order to determine how to fix the problem. There are around half a dozen different common proxy protocols. The protocol(s) with which your proxy is open will be displayed in the proxy test messages archived in our system. For example:
      10.20.30.40:ho:8080: >> POST http://209.208.0.16:25/ HTTP/1.0\r\n
      10.20.30.40:ho:8080: >> Content-length: 24\r\n
      10.20.30.40:ho:8080: >> Connection: close\r\n
      10.20.30.40:ho:8080: >> \r\n
      10.20.30.40:ho:8080: sending data
      10.20.30.40:ho:8080: << 220 rt.njabl.org ESMTP Sendmail 8.11.6/8.11.6; Fri, 25 Apr
      10.20.30.40:ho:8080: <<  2003 20:30:12 -0400\r\n
      10.20.30.40 ho:8080 open
      
      The above would indicate that the IP 10.20.30.40 is an open proxy using the "ho" protocol on port 8080. The protocols we currently test are:
       s5: socks5
       s4: socks4
       wg: wingate
       hc: HTTP CONNECT
       ho: HTTP POST
       hu: HTTP PUT
       hg: HTTP GET
       fu: FTP USER
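
      An added example (not NJABL's own code) for operators reading their archived test messages: it parses the transcript format shown above and reports which protocol and port to fix, together with the returned lines that serve as evidence. The function name, the dictionary keys and the regular expressions are assumptions made for illustration; the line format and protocol codes are taken from this FAQ.

```python
import re

# Protocol codes exactly as listed in the FAQ.
PROTOCOLS = {"s5": "socks5", "s4": "socks4", "wg": "wingate", "hc": "HTTP CONNECT",
             "ho": "HTTP POST", "hu": "HTTP PUT", "hg": "HTTP GET", "fu": "FTP USER"}

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
TRACE = re.compile(rf"^{IP}:(\w\w):(\d{{1,5}}): (.*)$")   # "<ip>:<code>:<port>: <text>"
VERDICT = re.compile(rf"^{IP} (\w\w):(\d{{1,5}}) open$")  # "<ip> <code>:<port> open"

# The transcript quoted in the FAQ; the raw string keeps its literal \r\n markers.
SAMPLE = r"""
10.20.30.40:ho:8080: >> POST http://209.208.0.16:25/ HTTP/1.0\r\n
10.20.30.40:ho:8080: >> Content-length: 24\r\n
10.20.30.40:ho:8080: >> Connection: close\r\n
10.20.30.40:ho:8080: >> \r\n
10.20.30.40:ho:8080: sending data
10.20.30.40:ho:8080: << 220 rt.njabl.org ESMTP Sendmail 8.11.6/8.11.6; Fri, 25 Apr
10.20.30.40:ho:8080: <<  2003 20:30:12 -0400\r\n
10.20.30.40 ho:8080 open
"""

def parse_transcript(text):
    """Group trace lines per (ip, code, port) and flag those with an 'open' verdict."""
    found = {}
    for line in (raw.strip() for raw in text.splitlines()):
        m = TRACE.match(line) or VERDICT.match(line)
        if not m:
            continue  # blank line or surrounding prose
        ip, code, port = m.group(1), m.group(2), int(m.group(3))
        f = found.setdefault((ip, code, port), {
            "ip": ip, "port": port, "protocol": PROTOCOLS.get(code, f"unknown ({code})"),
            "sent": [], "received": [], "open": False})
        if m.re is VERDICT:
            f["open"] = True
        elif m.group(4).startswith(">> "):
            f["sent"].append(m.group(4)[3:])      # what the tester asked the proxy to do
        elif m.group(4).startswith("<< "):
            f["received"].append(m.group(4)[3:])  # what came back through the proxy
    return list(found.values())

if __name__ == "__main__":
    for f in parse_transcript(SAMPLE):
        state = "OPEN" if f["open"] else "not confirmed"
        print(f'{f["ip"]} port {f["port"]} ({f["protocol"]}): {state}')
        print("  evidence:", " ".join(f["received"]))
```

      In the FAQ's sample, the SMTP 220 banner in the received lines is what shows the proxy connected onward to port 25 on the tester's behalf.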
      

  • Your DNSBL (actually, all the popular ones) doesn't work. I happen to be an AT&T customer.
    • On April 14, 2004, we were alerted that AT&T has set up at least some of their caching DNS servers (the DNS servers AT&T customers tend to use) to intercept/break queries for dnsbl.njabl.org and several other popular DNSBLs. The easiest way around this issue is to not use AT&T's DNS servers. If you are unable to set up your own caching DNS server, you can try complaining to AT&T at 888-613-6330 (options 3, 1). Here's an example of what they've done:
      ;; QUESTION SECTION:
      ;dnsbl.njabl.org.               IN      SOA
       
      ;; ANSWER SECTION:
      dnsbl.njabl.org.        82758   IN      SOA     loopback. root.loopback. 1 3600 600 3600000 86400
       
      ;; AUTHORITY SECTION:
      dnsbl.njabl.org.        82758   IN      NS      loopback.
       
      ;; ADDITIONAL SECTION:
      loopback.               52978   IN      A       127.0.0.1
       
      ;; Query time: 49 msec
      ;; SERVER: 12.149.189.2#53(12.149.189.2)
      ;; WHEN: Wed Apr 14 20:02:53 2004
      ;; MSG SIZE  rcvd: 112
      
      By creating their own dnsbl.njabl.org zone that says the DNS server for dnsbl.njabl.org is 127.0.0.1, they're trying to stop customer resolvers from sending any additional DNSBL queries to the AT&T caching DNS servers.

      While the DNS server above is not an AT&T DNS server, it is an AT&T customer's DNS server set up to forward queries to the AT&T caching DNS servers.
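
      An added example (not NJABL's own code) of a check a mail administrator could run against saved `dig` output to spot this kind of interception: it flags a DNSBL zone whose SOA or NS server name resolves to a loopback address. The function names are assumptions made for illustration; the sample input is the record sections of the dig output quoted above.

```python
import ipaddress

# Record sections of the dig output quoted in the FAQ.
DIG_OUTPUT = """\
;; QUESTION SECTION:
;dnsbl.njabl.org.               IN      SOA

;; ANSWER SECTION:
dnsbl.njabl.org.        82758   IN      SOA     loopback. root.loopback. 1 3600 600 3600000 86400

;; AUTHORITY SECTION:
dnsbl.njabl.org.        82758   IN      NS      loopback.

;; ADDITIONAL SECTION:
loopback.               52978   IN      A       127.0.0.1
"""

def parse_records(dig_text):
    """Return (owner, type, rdata fields) for each resource-record line."""
    records = []
    for line in dig_text.splitlines():
        parts = line.split()
        # Record lines read "owner ttl class type rdata..."; ';' lines are comments.
        if len(parts) >= 5 and not line.startswith(";") and parts[2] == "IN":
            records.append((parts[0].lower(), parts[3], parts[4:]))
    return records

def loopback_delegation(dig_text, zone):
    """List the SOA/NS records of `zone` whose server name resolves to loopback."""
    zone = zone.lower().rstrip(".") + "."
    records = parse_records(dig_text)
    addrs = {owner: rdata[0] for owner, rtype, rdata in records if rtype == "A"}
    hits = []
    for owner, rtype, rdata in records:
        # Only the zone's own SOA MNAME and NS targets matter. Listing answers
        # (A records under the zone) are 127.0.0.x by design and are not checked.
        if owner == zone and rtype in ("SOA", "NS"):
            server = rdata[0].lower()
            addr = addrs.get(server)
            if addr and ipaddress.ip_address(addr).is_loopback:
                hits.append(f"{rtype} {server} -> {addr}")
    return hits

if __name__ == "__main__":
    for hit in loopback_delegation(DIG_OUTPUT, "dnsbl.njabl.org"):
        print("zone answered locally by the resolver:", hit)
```

      A non-empty result means lookups against that DNSBL cannot be trusted through this resolver, and a mail server relying on it is silently running without the list.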

  • Why does http://njabl.net/ redirect to a mortgage spammer's web site?
    • njabl.org and njabl.net are totally unrelated. Unfortunately, some spammer, likely in an effort to confuse people, has registered njabl.net, and is using a njabl.net URL as the unsubscribe link in their mortgage spam.
      domain:         NJABL.NET
      owner-address:  Jason Roberts
      owner-address:  331 Springview Drive NE
      owner-address:  T9Y 6J1
      owner-address:  London
      owner-address:  Ontario
      owner-address:  Canada
      owner-phone:    +1.4051474876
      owner-e-mail:   93a4a90f33a1c54362509516dce3e78f-885352@owner.gandi.net
      admin-c:        JR1131-GANDI
      tech-c:         AR41-GANDI
      bill-c:         JR1131-GANDI
      nserver:        ns1.njabl.net 209.213.123.90
      nserver:        ns2.njabl.net 209.213.123.90
      reg_created:    2004-12-10 01:50:25
      expires:        2005-12-10 01:50:25
      created:        2004-12-10 07:50:26
      changed:        2004-12-14 01:58:36
       
      person:         Jason Roberts
      nic-hdl:        JR1131-GANDI
      address:        331 Springview Drive NE
      address:        T9Y 6J1
      








Last modified: Thursday, 15-Feb-2007 14:10:17 EST