NDRs

[normcamp]

I have never has a problem with spamcop until this week. I somehow ended up on their blacklist. I followed the link on the NDR and it said the mail was sent to a spam trap.

I'm wondering if the fact that our mail server was down for 4 days due to a problem with my telephone service being down and had no DSL. Anyone emailing people in my office would have received a NDR. Could this have cause the problem.

Like I said, we never had a problem until the mail server was off-line for those days.

My mail server ip is 65.86.159.199.

Any help will be greatly appreciated!

Norm

[StevenUnderwood]

Well, the NDR would not have been sent by your system's IP if your mail server were down. It might have been sent by another server, but that would not list your server.

And if the machine was really down (off the net) for 4 days, the spamtrap happened since then since there is a 48 hour expiration on all IP's with no new reports.

There is one old spam sample available from Aug 29 and it is a pharm spam.

What was done to this server? Seeing: In the past 33.7 days, it has been listed 7 times for a total of 6.0 days, I hope it was removed from the internet for maintenance to find the hole the spammers were using.

Did someone leave a hole open and allow a new attack?

[Merlyn]

I have never has a problem with spamcop until this week.  I somehow ended up on their blacklist.  I followed the link on the NDR and it said the mail was sent to a spam trap.

I'm wondering if the fact that our mail server was down for 4 days due to a problem with my telephone service being down and had no DSL.  Anyone emailing people in my office would have received a NDR.  Could this have cause the problem. 

Like I said, we never had a problem until the mail server was off-line for those days.

My mail server ip is 65.86.159.199.

Any help will be greatly appreciated!

Norm

16752[/snapback]

I don't believe that is what is meant by an NDR.

If your server was down the mail would not be rejected to the "From" address. The sending server would just get it back after a specified period.

To send an NDR your server needs to be up and running.

It is more likely your exchange server has been hacked, this is just a guess as there are no samples to view.

See:

http://news.spamcop.net/cgi-bin/fom?file=372

http://www.winnetmag.com/article/articleid/40507/40507.html

http://www.winnetmag.com/article/articleid/42406/42406.html

This exploit allows spammers to relay thru your exchange server. This relaying does not show up using standard open relay tests as the spammer has gained "legal" access to your server by hacking an account/password combination.

[Wazoo]

Merlyn, I've added a couple of more links to that list in the FAQ here if you'd want to update your copy of that reference list ... I recall that Ellen recently caught one of them ...

[Wazoo]

I have never has a problem with spamcop until this week.  I somehow ended up on their blacklist.  I followed the link on the NDR and it said the mail was sent to a spam trap.

I'd like to ask for a bit more data on this "link on the NDR" thing.

I'm wondering if the fact that our mail server was down for 4 days due to a problem with my telephone service being down and had no DSL.  Anyone emailing people in my office would have received a NDR.  Could this have cause the problem. 

I find this a bit confusing. For you to have an "NDR" with a link, I'm thinking that this means that you sent an e-mail that was rejected by another ISP. This would have no bearing on someone trying to send e-mail to you.

My mail server ip is 65.86.159.199.

There may be yet another issue involved;

Parsing input: 65.86.159.199

host 65.86.159.199 = 65-86-159-199.client.dsl.net (cached)

Reporting addresses:

abuse[at]dsl.net

postmaster[at]dsl.net

The "client.dsl.net" may actually place your e-mail server into some BLs because it' falls into what is normally called "dial-up space" ... an IP address that is assigned to a (home) customer as compared to a business (assigned to a static IP address) ... so some ISPs may reject your e-mail just for this reason.

However, the real issue does appear to be that already suggested, you have what appears to be a compromised system sitting at that IP (are you in control of this system?)

http://www.senderbase.org/?searchBy=ipaddr...g=65.86.159.199

Volume Statistics for this IP

........Magnitude ...... Vol Change vs. Average

Last day ........ 3.4 ....... 315%

Last 30 days .. 3.6 ....... 472%

Average ........ 2.8

Is it possible someone was trying to "fix" this server when the phone was turned off and made some configuration changes that weren't put back to "normal" after the real reason for the e-mails stoppage was made known?

[normcamp]

I disabled the GUEST account on my server.

I came across this report from my server on http://www.mail-abuse.com/services/mds_rss.html. My Exhcange server is not a open relay but it did have some history in their spam database. See below. What does this mean? Thanks for any help you may provide.

Database

Received: from [65.86.159.199] by daver.bungi.com via sendmail with smtp;

Thu, 29 Jul 2004 13:23:19 -0700 (PDT)

Received: from ex ([200.66.97.92]) by nbtaexchange.nbta.org with Microsoft SMTPSVC(6.0.3790.0);

Thu, 29 Jul 2004 16:20:26 -0400

From: "Funda McKenzie"<excursionsillustrating[at]t-online.de>

To: <removed>

Subject: GlVE THE GREATEST G1FT

Mime-Version: 1.0

Content-Type: text/html; charset=us-ascii

Content-Transfer-Encoding: 7bit

Return-Path: excursionsillustrating[at]t-online.de

Message-ID: <NBTAEXCHANGEYqMhmhV000010a6[at]nbtaexchange.nbta.org>

X-OriginalArrivalTime: 29 Jul 2004 20:20:29.0896 (UTC) FILETIME=[7E1CDC80:01C475A9]

Date: 29 Jul 2004 16:20:29 -0400

<html><body ><b><font color=#FF0000>

CIA-L1S & LEV-ITRA st<b>a</b>rts w<b>o</b>rk<b>i</b>ng up to tw<b>i</b>c<b>e</b> as f<b>a</b>st as V1AG.RA & l<b>a</b>st up to 24-36 h<b>o</b>urs </font></b><br><br>

<font color=#FF0033><b> d<b>o</b>ct<b>o</b>r ap<a href=http://exempting.biz></a>pr<b>o</b>v<b>e</b>d nat<b>u</b>ra1 p<b>i</b>l1<a href=http://scribbled.us></a>s w<b>i</b>l1 <b>e</b>nlarg<b>e</b> y<b>o</b><b>u</b>r p~<b>e</b>~n~<b>i</b>~s in 1 w<b>e</b><b>e</b>k! </b></font>

<p><font color=#FF0000><b>

<a href=http://existence.pliancy.dsdmnr.com/as>NOw VIS1T 0ur W~EBSITE : C|l|1|C|K H|E|R|E</a></b></font>

</P>

</BODY></HTML>

-- end of submission -------------------------------------------------

Received: from [65.86.159.199] by daver.bungi.com via sendmail with smtp;

Wed, 4 Aug 2004 06:57:56 -0700 (PDT)

Received: from pocketbook ([211.158.108.109]) by nbtaexchange.nbta.org with Microsoft SMTPSVC(6.0.3790.0);

Wed, 4 Aug 2004 09:54:56 -0400

From: "Elderine Adell"<advanceadrian[at]verizon.net>

To: <removed>

Subject: C.1l|A||S & |.EVI1lTRA |S THE ANT|-IMPO0TENCE DR UG

Mime-Version: 1.0

Content-Type: text/html; charset=us-ascii

Content-Transfer-Encoding: 7bit

Return-Path: advanceadrian[at]verizon.net

Message-ID: <NBTAEXCHANGEoZolmRB00008379[at]nbtaexchange.nbta.org>

X-OriginalArrivalTime: 04 Aug 2004 13:54:56.0931 (UTC) FILETIME=[A0450730:01C47A2A]

Date: 4 Aug 2004 09:54:56 -0400

<html><body ><b>

save money and enjoy 1onger with your every C1All||S & IEVVITRA p<a></a>urchase. </b><br><br>

1f you are ser<tr></tr>ious about en|<a href=http://ceit.com>argin</a>g, streng<td></td>thening and deve|oping your p^e^n^i^s n<a href=http://ceit.net>atura1</a>ly, then you have finaI|y found what you are |ooking for.

<p><b>

<a href=http://sane.creekside.medbizd.com/as>P.1.a.c.e YOur 0.r.d.e.r H.e.r.e T0day</a></b>

</P>

</BODY></HTML>

-- end of submission -------------------------------------------------

Received: from [65.86.159.199] by daver.bungi.com via sendmail with smtp;

Mon, 30 Aug 2004 12:27:41 -0700 (PDT)

Received: from mesquite ([222.183.16.98]) by nbtaexchange.nbta.org with Microsoft SMTPSVC(6.0.3790.0);

Mon, 30 Aug 2004 14:51:55 -0400

From: "misk "<hurlingbolivia[at]ntlworld.com>

To: <removed>

Subject: PRESCRI1PTlON MED||CATI0N

Mime-Version: 1.0

Content-Type: text/html; charset=us-ascii

Content-Transfer-Encoding: 7bit

Return-Path: hurlingbolivia[at]ntlworld.com

Message-ID: <NBTAEXCHANGEXSz3LUN0001f988[at]nbtaexchange.nbta.org>

X-OriginalArrivalTime: 30 Aug 2004 18:51:57.0826 (UTC) FILETIME=[6D174E20:01C48EC2]

Date: 30 Aug 2004 14:51:57 -0400

<html><body ><b>

<b>Xanax, Va|ium ,Cia1lis, Via<em></em>gar <a href=http://lukyan.com>and</a> many more...! <br> 1: 8O+% sa<font></font>vings 0r<a href=http://lukyan.com>derin</a>g ! <br> 2: no pres<a href=http://lukyan.org>cription</a> required . <br> 3: doctor & F.<b></b>D.A appr<big></big>oved ! <br> 4: 0ve<b></b>rnight sh<a href=http://lukyan.net>ipping</a> !

<p>

<a href=http://www.menicap.com>1 WANT KN0W MORE</a>

</P></b>

</BODY></HTML>

-- end of submission -------------------------------------------------

Received: from [65.86.159.199] by daver.bungi.com via sendmail with smtp;

Tue, 31 Aug 2004 13:09:15 -0700 (PDT)

Received: from postulation ([200.122.42.194]) by nbtaexchange.nbta.org with Microsoft SMTPSVC(6.0.3790.0);

Tue, 31 Aug 2004 08:48:24 -0400

From: "Pik Silvestre"<scorchexposure[at]ntlworld.com>

To: <removed>

Subject: PRESCRI1PTl0N MED||CATION

Mime-Version: 1.0

Content-Type: text/html; charset=us-ascii

Content-Transfer-Encoding: 7bit

Return-Path: scorchexposure[at]ntlworld.com

Message-ID: <NBTAEXCHANGEMs1HRee00020497[at]nbtaexchange.nbta.org>

X-OriginalArrivalTime: 31 Aug 2004 12:48:27.0898 (UTC) FILETIME=[CFC625A0:01C48F58]

Date: 31 Aug 2004 08:48:27 -0400

<html><body ><b>

<b>Xan<big></big>ax, Vali<b></b>um ,CiaI|is, Via<i></i>grra <a href=http://eryn.com>and</a> many more...!</b>! <br> <a href=http://eryn.com>We</a> stand behi<u></u>nd 0ur p<a href=http://eryn.org>roduct</a>s and ser<a></a>vice. <br> 1n fact, we're the first comp<tr></tr>any to ever back a phar<a href=http://eryn.net>maceuti</a>ca| product with a 1O0% mo<td></td>ney back guarantee

<p>

<a href=http://www.menicap.com>Y0UR S0lUTlON |S HERE</a>

</P></b>

</BODY></HTML>

-- end of submission -------------------------------------------------

Received: from [65.86.159.199] by daver.bungi.com via sendmail with smtp;

Wed, 8 Sep 2004 11:59:50 -0700 (PDT)

Received: from borrowers ([218.94.80.41]) by nbtaexchange.nbta.org with Microsoft SMTPSVC(6.0.3790.0);

Wed, 8 Sep 2004 03:58:44 -0400

From: "Helen Johnson"<humidifiedbella[at]t-online.de>

To: <removed>

Subject: |N THE NEWS 20O4

Mime-Version: 1.0

Content-Type: text/html; charset=us-ascii

Content-Transfer-Encoding: 7bit

Return-Path: humidifiedbella[at]t-online.de

Message-ID: <NBTAEXCHANGErNKBquj00001ed4[at]nbtaexchange.nbta.org>

X-OriginalArrivalTime: 08 Sep 2004 07:58:45.0250 (UTC) FILETIME=[AA368E20:01C49579]

Date: 8 Sep 2004 03:58:45 -0400

<html><body ><b>

ivonne: <br> C|IA11S & lEV|TRA works in as little as 30 minu<i></i>tes and Iasts for up to 36 hours. </b><br><br>

we are a pharma<a href=http://ivonne.org>ceutica</a>| com<u></u>pany , <br> Offer<a></a>ing inex<a href=http://ivonne.net>pen</a>sive and effe<tr></tr>ctive so|utions to common hea1th problems. <br> no p<a href=http://ivonne.com>rescr</a>iption required che<td></td>ap prices !

<p><b>

<a href=http://pomp.meandered.znbdtzr.com/as>N0W V|SIT 0UR WEBS1TE : CIlCK HERE</a></b>

</P>

</BODY></HTML>

-- end of submission -------------------------------------------------

[Wazoo]

I came across this report from my server on http://www.mail-abuse.com/services/mds_rss.html.  My Exhcange server is not a open relay but it did have some history in their spam database.  See below.  What does this mean?

Basically, it means that; (no real reason to post all that stuff anyway, it's just evidence that this server has been compromised, as suggested already)

I disabled the GUEST account on my server.

may not be enough. Are you still doing some research or did you just stop at the first "likely" item? Not meaning to give you a hard time, but .....

[Chris Parker]

I disabled the GUEST account on my server.

My Exhcange server is not a open relay but it did have some history in their spam database.  See below.  What does this mean?  Thanks for any help you may provide.

16768[/snapback]

It appears that your machine has been compromised either by a virus/trojan or that the mail server itself has been compromised (SMTP AUTH HACK?)

Disabling the guest account is a good start, however you really should disable any accounts that are not currently being used. For all accounts that are being used you should change *ALL* the passwords to something that is non-trivial.

Unless someone who uses that mail server needs to access it from outside of your LAN I'd suggest than you disable all remote sending capabilities.

A full virus/trojan scan of the machine should also be in order. If the machine has been compromised by a virus/trojan it would be in your best interest to format the drive and rebuild the machine taking all the proper security measues.

Thanks for your desire to resolve the core problem leading to the listing of your server. You may also want to send an email to deputies <at> spamcop <dot> net who may provide you some additional information as to what is happening.

[turetzsr]

I disabled the GUEST account on my server.

<snip>

My Exhcange server is not a open relay but it did have some history in their spam database.

<big snip>

16768[/snapback]

...There are other possible causes of a spam problem. See the links in Merlyn's reply, above as well as Chris Parker's reply, above (which I presume summarizes what's in at least one of Merlyn's links), which he apparently posted at the same time I was authoring this reply prior to my Edit.

[Ellen]

I disabled the GUEST account on my server.

I came across this report from my server on http://www.mail-abuse.com/services/mds_rss.html.  My Exhcange server is not a open relay but it did have some history in their spam database.  See below.  What does this mean?  Thanks for any help you may provide.

Your server is being used by spammers using the SMTP/AUTH exploit:

http://news.spamcop.net/cgi-bin/fom?file=372

http://www.winnetmag.com/article/articleid/40507/40507.html

http://www.winnetmag.com/article/articleid/42406/42406.html

http://support.microsoft.com/default.aspx?...;EN-US;324958#4

The spammer has now also evolved according to what I am hearing and in addition to the usual guest account and demo/test etc accounts they are also running long crack lists of names/passwords. In any case if you can turn off auth completely that would be good and if not then you should change the passwords on *all* accounts to strong passwords.

[Wazoo]

Fixed the quoting <g> ... Ralsky has been using the "long account/password list" thing for a long time, thus his continued success at owning all these servers. Not sure where someone would be listing this mode as "new" .... but the referenced links have been provided (plus additional ones via the FAQ here) .... in fact, one of my previous questions was whether or not all data found in these links was evaluated, as the only thing mentioned was "deleted the GUEST account" ... There's been like another half-dozen posts suggesting that there was more to do <g>

[Merlyn]

Merlyn, I've added a couple of more links to that list in the FAQ here if you'd want to update your copy of that reference list ... I recall that Ellen recently caught one of them ...

16761[/snapback]

Thanks Wazoo, I just returned. I will update my list, Actually I will just point to the FAQ from now on :-)

Wow I am gone 2 1/2 days and I miss all the fun

[dra007]

Wow I am gone 2 1/2 days and I miss all the fun

..you just have no idea, it was like Gingis Hun invaded and no one here to stop the assault...

[louisd]

..you just have no idea, it was like Gingis Hun invaded and no one here to stop the assault...

16956[/snapback]

Actually the last few days were just about the best time I've had on these forums since their creation. Frankly, I get more laughs around here each day than I do from my nightly sitcom input!

[dra007]

Frankly, I get more laughs around here each day than I do from my nightly sitcom input!

...so do I, so much so sometimes I fall off my chair or my stomach hurts...

[normcamp]

Okay, I'm no longer list on the spamcop blacklist but one of my users is still getting the undeliverables.

From: System Administrator

Sent: Sunday, September 12, 2004 3:18 PM

To: aaa[at]aaa.com

Subject: Undeliverable: RE: cc authorization

Your message did not reach some or all of the intended recipients.

Subject: RE: cc authorization

Sent: 9/12/2004 3:18 PM

The following recipient(s) could not be reached:

aaa[at]aaa.comon 9/12/2004 3:18 PM

There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.

<nbtaexchange.nbta.org #5.5.0 smtp;554 Service unavailable; Client host [65.86.159.199] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?65.86.159.199>

[DavidT]

normcamp,

This Forum software made the BL URL "clickable," but it got mangled due to the angle bracket after the IP number and it results in an incorrect lookup for those of us reading the thread.

Here's the correct URL:

http://www.spamcop.net/bl.shtml?65.86.159.199

But, even when fixed, that IP is NOT currently blocked, which means that the people that are actually doing the blocking, the receiving ISP, should be contacted for an explanation. Their SCBL data is not current...maybe they've got their server misconfigured and it's not pulling updates at regular intervals.

DT

[StevenUnderwood]

There are 2 possibilities I can think of. There may be others.

1. (most likely) The server you are receiving this rejection from is caching the lookups locally rather than doing a fresh lookup each time and the TTL has not expired yet. You could contact them another way and ask them to clear their cache or keep retrying. Eventually, it should get the refreshed data automatically.

2. Recently, if I understand correctly, there was at lease 1 mirror that was "out of sync" and giving stale data. The deputies would need to check into that.

If most messages that were being returned are now going through, you can see that most people are getting the correct information. I double checked both the web page and nslookup directly and confirmed you are not listed.

[Derek T]

Okay, I'm no longer list on the spamcop blacklist but one of my users is still getting the undeliverables.

16968[/snapback]

The SpamCop blocklist is likely to be the least of your troubles: you're listed by SORBS, now, and CBLabuseat among others for sending mail to spamtraps. What have you done to stop the spew, if you don't mind my asking?

[normcamp]

The SpamCop blocklist is likely to be the least of your troubles: you're listed by SORBS, now, and CBLabuseat among others for sending mail to spamtraps. What have you done to stop the spew, if you don't mind my asking?

16982[/snapback]

I just checked both SORBS and CBLabuseat and I'm no longer listed.

What did I do to stop this? A lot of hope and praying . But really, I disable all user accounts with a blank passoword and I dismounted my public folders in Exchange since we don't use them. A couple weeks a ago I was playing a round with it and left it enabled. I don't know if the user accounts or public folder caused the problem but I'm no longer listed.