The primary mode of support here is peer-to-peer, meaning users helping other users. (please remember this at all times!)
Another try:
This forum is composed of people who have used spamcop and those who are learning about anti-spam efforts.
RobertBoogaard | Mar 3 2004, 12:21 PM | Post #1
Newbie | Group: Members | Posts: 2 | Joined: 3-March 04 | Member No.: 583

My IP has been blocked by SpamCop. I don't send unsolicited email and my service provider said to run a virus scan to make sure my computer is not being used by someone else to send SPAM. This came up clean.

How can I find out why I am blocked and by who, as the link from SpamCop does not provide me with any information?

Thanks,
Robert

PS the message I receive is:

Your message did not reach some or all of the intended recipients.
Subject: Test
Sent: 03/03/2004 15:54
The following recipient(s) could not be reached:
'robert[at]ticketboy-portugal.pt' on 03/03/2004 15:54
550 5.2.1 Mailbox unavailable. Your IP address 213.22.56.30 is blacklisted using SPAMCOP. Details: Blocked - see http://www.spamcop.net/bl.shtml?213.22.56.30.

Ellen | Mar 3 2004, 12:39 PM | Post #2
Advanced Member | Group: Validating | Posts: 497 | Joined: 21-January 04 | Member No.: 16

There is a user reported spam and a spamtrap hit for IP 213.22.56.30 from yesterday. If that IP is specifically yours (static IP) then you may have a worm/trojan infection. The spams appear to be advertising HGH.

--------------------
Ellen
SpamCop deputies <at> admin.spamcop.net
Please do not Private Message me.

Merlyn | Mar 3 2004, 12:41 PM | Post #3
Been There | Group: Memberp | Posts: 1653 | Joined: 23-January 04 | Member No.: 25

If you followed the link you would find spam has been reported coming from this IP.

This is also a Dynamic/Residential IP range and many ISPs/email administrators will not accept email coming from these servers.

This machine is also an open proxy found Wed Mar 3 00:40:02 2004
Spammers are abusing this machine to send spam.
213.22.56.30 is listed as an open proxy in dnsbl.njabl.org.
213.22.56.30 is listed in dynablock.njabl.org.
For more info see: http://www.moensted.dk/spam/?addr=213.22.56.30&Submit=Submit

Please secure this machine.

--------------------
Regards,
Merlyn
A Spamcop advocate
People demand freedom of speech to make up for the freedom of thought which they avoided!

RobertBoogaard | Mar 3 2004, 01:06 PM | Post #4
Newbie | Group: Members | Posts: 2 | Joined: 3-March 04 | Member No.: 583

Thanks for your replies. Unfortunately I am not a computer wiz so excuse my ignorance.

I have got a cable account from my local cable provider. Does my IP belong solely to my computer or is it general belonging to the cable provider?

As I understand it someone is using this IP to send SPAM email, is that right?

How can I secure my machine? I use Norton Antivirus and XP Firewall?

Thanks for any help.
Robert

Merlyn | Mar 3 2004, 01:27 PM | Post #5
Been There | Group: Memberp | Posts: 1653 | Joined: 23-January 04 | Member No.: 25

Just because you use Norton does not mean you cannot get infected.

Port 65506 is open on the machine currently connected to IP 213.22.56.30.

Run Live update and scan your entire machine. Enable Script Blocking in Norton also.

--------------------
Regards,
Merlyn
A Spamcop advocate
People demand freedom of speech to make up for the freedom of thought which they avoided!

turetzsr | Mar 3 2004, 01:40 PM | Post #6
T-shirt wearing out | Group: Membersph | Posts: 3575 | Joined: 26-January 04 | From: Michigan USA | Member No.: 59

Hi, Robert,

> QUOTE(RobertBoogaard @ Mar 3 2004, 01:06 PM)
> <snip> I have got a cable account from my local cable provider. Does my IP belong solely to my computer or is it general belonging to the cable provider? As I understand it someone is using this IP to send SPAM email, is that right?

...It appears that the IP address in question belongs to Portugal Cable Modem Network, which I presume is your Cable provider, not you. That means it is their problem, not yours (except that you are suffering from their inability or unwillingness to stop spam from going through their server). E-mails should be going to their abuse address so they should be fully aware of the problem. You may wish to complain to them that you are not getting the e-mail service you contracted for because of their inaction in shutting down the spam. If they will not respond, you should try to find a more responsive provider.

...Good luck!

--------------------
..Regards,
...Steve T
...A Happy SpamCop.net user (not an employee)
...Please avoid replying via e-mail, as it is not secure

Spambo | Mar 3 2004, 02:01 PM | Post #7
Advanced Member | Group: Members | Posts: 293 | Joined: 28-January 04 | Member No.: 72

> QUOTE(RobertBoogaard @ Mar 3 2004, 11:21 AM)
> My IP has been blocked by SpamCop. I don't send unsolicited email and my service provider said to run a virus scan to make sure my computer is not being used by someone else to send SPAM. This came up clean. How can I find out why I am blocked and by who, as the link from SpamCop does not provide me with any information? Thanks, Robert PS the message I receive is: Your message did not reach some or all of the intended recipients. Subject: Test Sent: 03/03/2004 15:54 The following recipient(s) could not be reached: 'robert[at]ticketboy-portugal.pt' on 03/03/2004 15:54 550 5.2.1 Mailbox unavailable. Your IP address 213.22.56.30 is blacklisted using SPAMCOP. Details: Blocked - see http://www.spamcop.net/bl.shtml?213.22.56.30.

213.22.56.30 seems to have an open proxy that spammers are using to hijack the machine in order to hide their true identity. This open proxy was last confirmed on 02 Mar 2004:

See: Proxy Test Results for 213.22.56.30

CODE
```
213.22.56.30:hc:65506: >> CONNECT 209.208.0.16:25 HTTP/1.0\r\n
213.22.56.30:hc:65506: >> \r\n
213.22.56.30:hc:65506: >> help njablproxytest\r\n
213.22.56.30:hc:65506: << HTTP/1.0 200 Connection established\r\n
213.22.56.30:hc:65506: << \r\n
213.22.56.30:hc:65506: HTTP request successeful (200)
213.22.56.30:hc:65506: << 220 rt.njabl.org ESMTP Sendmail 8.11.6/8.11.6; Tue, 2 Mar 2004 18:39:09 -0500\r\n
213.22.56.30:hc:65506: << 214-2.0.0 njabl.org proxytest response to 213.22.56.30\r\n
213.22.56.30:hc:65506: << 214 2.0.0 End of HELP info\r\n
213.22.56.30 hc:65506 open
```

The IP is also listed in the following blocklists according to OpenRBL

--------------------

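An added example, not part of the thread: reading the proxy-test transcript from the post above to see why it counts as proof of an open proxy that relays mail. The function name, the assumed line layout (`host:method:port: direction payload`) and the second, refused transcript are constructed for illustration.

```python
import re

# Transcript copied from the post above; "\r\n" appears in it as literal text.
TRANSCRIPT = r"""
213.22.56.30:hc:65506: >> CONNECT 209.208.0.16:25 HTTP/1.0\r\n
213.22.56.30:hc:65506: >> \r\n
213.22.56.30:hc:65506: >> help njablproxytest\r\n
213.22.56.30:hc:65506: << HTTP/1.0 200 Connection established\r\n
213.22.56.30:hc:65506: << \r\n
213.22.56.30:hc:65506: HTTP request successeful (200)
213.22.56.30:hc:65506: << 220 rt.njabl.org ESMTP Sendmail 8.11.6/8.11.6; Tue, 2 Mar 2004 18:39:09 -0500\r\n
213.22.56.30:hc:65506: << 214-2.0.0 njabl.org proxytest response to 213.22.56.30\r\n
213.22.56.30:hc:65506: << 214 2.0.0 End of HELP info\r\n
213.22.56.30 hc:65506 open
"""

# Constructed counter-example: a proxy that refuses the CONNECT request.
REFUSED = r"""
192.0.2.10:hc:8080: >> CONNECT 209.208.0.16:25 HTTP/1.0\r\n
192.0.2.10:hc:8080: << HTTP/1.0 403 Forbidden\r\n
"""

# Assumed layout: <host>:<method>:<port>: <direction> <payload>, ">>" sent, "<<" received.
LINE = re.compile(r"^(?P<host>[\d.]+):(?P<method>\w+):(?P<port>\d+): (?P<dir>[<>]{2}) (?P<data>.*)$")

def analyse_proxy_test(transcript):
    """Summarise one transcript: what the tester asked for and what came back."""
    sent, received, host, port = [], [], None, None
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # status lines without a direction marker are skipped
        host, port = m["host"], int(m["port"])
        payload = m["data"].replace(r"\r\n", "")
        (sent if m["dir"] == ">>" else received).append(payload)
    connect = None
    for s in sent:
        connect = connect or re.match(r"CONNECT (\S+):(\d+) HTTP/", s)
    tunnel_ok = any(re.match(r"HTTP/1\.[01] 200\b", r) for r in received)
    smtp_banner = any(r.startswith("220 ") for r in received)
    return {
        "host": host,
        "port": port,
        "target": (connect[1], int(connect[2])) if connect else None,
        "tunnel_ok": tunnel_ok,
        "smtp_banner": smtp_banner,
        # Usable for spam: CONNECT to port 25 was accepted and a mail server answered.
        "relays_smtp": bool(connect and connect[2] == "25" and tunnel_ok and smtp_banner),
    }
```

The three facts that matter are the accepted `CONNECT` to port 25, the `200 Connection established` reply, and the `220` SMTP banner arriving through the tunnel; an antivirus scan that "came up clean" does not contradict any of them.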
turetzsr | Mar 3 2004, 02:03 PM | Post #8
T-shirt wearing out | Group: Membersph | Posts: 3575 | Joined: 26-January 04 | From: Michigan USA | Member No.: 59

> QUOTE(Spambo @ Mar 3 2004, 02:01 PM)
> <snip> **You seriously need to have your computer checked for security issues, it is being used to abuse other people and networks.**

...Why do you say that? The IP in question appears to be the OP's service provider, not the OP her/himself.

--------------------
..Regards,
...Steve T
...A Happy SpamCop.net user (not an employee)
...Please avoid replying via e-mail, as it is not secure

yourbuddy | Mar 3 2004, 02:05 PM | Post #9
Advanced Member | Group: Banned | Posts: 280 | Joined: 15-February 04 | Member No.: 381

Instead of Windows XP Firewall, you might also want to invest in Norton Personal Firewall (to also stop the unauthorized traffic from going out).

Spambo | Mar 3 2004, 02:23 PM | Post #10
Advanced Member | Group: Members | Posts: 293 | Joined: 28-January 04 | Member No.: 72

> QUOTE(turetzsr @ Mar 3 2004, 01:03 PM)
> > QUOTE(Spambo @ Mar 3 2004, 02:01 PM)
> > <snip> You seriously need to have your computer checked for security issues, it is being used to abuse other people and networks.
>
> ...Why do you say that? The IP in question appears to be the OP's service provider, not the OP her/himself.

Sorry. Perhaps you can explain why I shouldn't believe Robert? So far I have no reason to think he's been untruthful and the IP is listed on more than one DUL list.

> QUOTE(RobertBoogaard @ Mar 3 2004, 12:06 PM)
> I have got a cable account from my local cable provider. Does my IP belong solely to my computer or is it general belonging to the cable provider?

--------------------

turetzsr | Mar 3 2004, 06:03 PM | Post #11
T-shirt wearing out | Group: Membersph | Posts: 3575 | Joined: 26-January 04 | From: Michigan USA | Member No.: 59

Hi, Spambo!

> QUOTE(Spambo @ Mar 3 2004, 02:23 PM)
> > QUOTE(turetzsr @ Mar 3 2004, 01:03 PM)
> > > QUOTE(Spambo @ Mar 3 2004, 02:01 PM)
> > > <snip> You seriously need to have your computer checked for security issues, it is being used to abuse other people and networks.
> >
> > ...Why do you say that? The IP in question appears to be the OP's service provider, not the OP her/himself.
>
> Sorry. Perhaps you can explain why I shouldn't believe Robert? So far I have no reason to think he's been untruthful and the IP is listed on more than one DUL list. <snip>

...Sorry, I do not see what I wrote that makes you believe that I said that you should not believe Robert.

...You wrote to him that his PC "is being used to abuse other people and networks." The IP in question (213.22.56.30) appears to belong to an ISP, not to Robert.

--------------------
..Regards,
...Steve T
...A Happy SpamCop.net user (not an employee)
...Please avoid replying via e-mail, as it is not secure

StevenUnderwood | Mar 3 2004, 08:10 PM | Post #12
What Life? | Group: Membersph | Posts: 5141 | Joined: 20-January 04 | From: Whitinsville, MA USA | Member No.: 12

To me, an address with rDNS of a213-22-56-30.netcabo.pt looks like a client IP of netcabo.pt, which I assume is the OP's address.

--------------------
Steven P. Underwood, DNRC
Whitinsville, MA
underwood+forum[at]spamcop.net
-No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced.-

Spambo | Mar 3 2004, 08:16 PM | Post #13
Advanced Member | Group: Members | Posts: 293 | Joined: 28-January 04 | Member No.: 72

> QUOTE(turetzsr @ Mar 3 2004, 05:03 PM)
> ...Sorry, I do not see what I wrote that makes you believe that I said that you should not believe Robert. ...You wrote to him that his PC "is being used to abuse other people and networks." The IP in question (213.22.56.30) appears to belong to an ISP, not to Robert.

213.22.56.30 [a213-22-56-30.netcabo.pt] appears to be an IP used by netcabo.pt for DHCP assignment to cable modem users. The fact that at least two lists report it as being a "DUL" IP (which by current definitions includes consumer cable modems as well as standard modem connections) reinforces my conclusion. Two other lists reporting it as an open proxy isn't encouraging either.

While I can't state with any certainty that his machine owned the "lease" on 213.22.56.30 when the open proxy test was run yesterday (?) or when the spams were actually sent, cable modems tend to keep the same IP for rather long periods of time which is one reason that spammers target them for trojan infections.

Maybe I'm being an "alarmist" but I think there's ample reason he should give serious consideration about ensuring that his machine is secure and trojan free. And it's a win-win situation, if my suspicion is correct then there's one less vulnerable machine for spammers to abuse and if I'm wrong - well, everyone with an always on connection should ensure their machine is secure and occasional "in depth" checks aren't a bad thing.

--------------------

turetzsr | Mar 3 2004, 08:35 PM | Post #14
T-shirt wearing out | Group: Membersph | Posts: 3575 | Joined: 26-January 04 | From: Michigan USA | Member No.: 59

> QUOTE(Spambo @ Mar 3 2004, 08:16 PM)
> > QUOTE(turetzsr @ Mar 3 2004, 05:03 PM)
> > ...Sorry, I do not see what I wrote that makes you believe that I said that you should not believe Robert. ...You wrote to him that his PC "is being used to abuse other people and networks." The IP in question (213.22.56.30) appears to belong to an ISP, not to Robert.
>
> 213.22.56.30 [a213-22-56-30.netcabo.pt] appears to be an IP used by netcabo.pt for DHCP assignment to cable modem users. <snip>

Hi, Spambo!

...OIC! Thanks for the patient explanation. Man, I learn a lot from my fellow SpamCop users!

--------------------
..Regards,
...Steve T
...A Happy SpamCop.net user (not an employee)
...Please avoid replying via e-mail, as it is not secure

WB8TYW | Mar 3 2004, 10:14 PM | Post #15
Advanced Member | Group: Members | Posts: 191 | Joined: 30-January 04 | Member No.: 141

Since his ISP was aware of the infection, he should be asking them why they did not take action to limit the damage that the open proxy was doing to him, them and the rest of the internet.

He should be very unhappy that they knew his machine was infected and did not tell him.

When a spammer exploits an open proxy on a cable modem, it can use so much of the network capacity that the other cable modem users are either reduced to speeds worse than dial-ups if they do not get knocked off completely.

For an ISP to ignore an open proxy and leave it able to send e-mail on the internet costs them hard operating cash. These costs are passed on to their customers one way or another.

It is within the technology of an ISP to lock a cable modem to a DHCP issued address until it is fixed so that they know where the problem is. They can then block that I.P. address from sending out the infection through e-mail while still allowing their customer to download patches and de-worming software from trusted vendors.

If they were organized, this could all be automated from the receipt of a spam or open proxy report, which would cause the I.P. address to be scanned for vulnerabilities, and automatically isolated.

Some claiming to be from an ISP said that they had implemented a program to read spamcop reports from their mail box to prioritize them to get the open proxies off of their network. They apparently realize that an open proxy is a cash drain on a network.

Also be aware that some of the internet connection sharing programs have two passwords, one for local administration and one for remote administration. If you do not change the remote password, then every hacker on the internet can use it.

-John
Personal Opinion Only