Full Version: Sender refused by the DNSBL bl.spamcop.net
mvanwyk
Hi Guys.

We host a merak pop3 mail server for a small town.

This morning when trying to send mail to anyone using one or any of the domains we host we received this error message.

<example[at]exampledomain.co.za>... Sender refused by the DNSBL bl.spamcop.net

The mail server has a local IP address of 172.17.0.6 with a public Address 41.208.36.76.
I checked the public address and noticed that it was not listed.

Could someone please assist or point me in the right direction.

I hope I have given enough information.

Thanks in advance.
Derek T
QUOTE(mvanwyk @ May 7 2009, 09:29 AM) *
We host a merak pop3 mail server for a small town.

This morning when trying to send mail to anyone using one or any of the domains we host we received this error message.

<example[at]exampledomain.co.za>... Sender refused by the DNSBL bl.spamcop.net

1. AIUI mail is sent from an SMTP server and received from a POP3, so I am, to say the least, puzzled.

2. That IP seems to have a good reputation and I can find no reports against it. If there were they would have been sent to abuse[at]mtnns.za, is that you? Who checks that mailbox?

3. You get the error message when trying to send to anyone? Are you using the SCBL and if so is it configured correctly? Could you post the full text of a rejection please?

It just doesn't add up as you have presented it.
mvanwyk
QUOTE(Derek T @ May 7 2009, 11:28 AM) *
It just doesn't add up as you have presented it.

My Bad!

Point 1
We also have the Merak SMTP as well.

Point 2
mtnns.za is our ISP; I'm sure their admin checks the mailbox.

Point 3 (This is one of the domains / users trying to email)
196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:38 +0200 Connected
196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:38 +0200 >>> 220 mail.igrade.co.za ESMTP Merak 8.2.0; Thu, 7 May 2009 10:00:38 +0200
196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:38 +0200 <<< EHLO JAKESPC
196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:38 +0200 >>> 250-mail.igrade.co.za Hello JAKESPC [196.11.146.71], pleased to meet you.
196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:39 +0200 <<< MAIL FROM: <jakes[at]tekalarms.co.za>
196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:39 +0200 >>> 501 5.7.1 <jakes[at]tekalarms.co.za>... Sender refused by the DNSBL bl.spamcop.net
SYSTEM [000017D4] Thu, 7 May 2009 10:00:39 +0200 Disconnected
Wazoo
QUOTE(mvanwyk @ May 7 2009, 05:11 AM) *
196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:39 +0200 >>> 501 5.7.1 <jakes[at]tekalarms.co.za>... Sender refused by the DNSBL bl.spamcop.net

http://www.spamcop.net/w3m?action=checkblo...p=196.11.146.71
196.11.146.71 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 23 hours.

Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
SpamCop users have reported system as a source of spam less than 10 times in the past week

System has been listed for less than 24 hours.

Additional potential problems
(these factors do not directly result in spamcop listing)

DNS error: 196.11.146.71 has no reverse dns

http://www.senderbase.org/senderbase_queri...g=196.11.146.71
Volume Statistics for this IP
Magnitude Vol Change vs. Last Month
Last day ....... 4.4 .. 301%
Last month .. 3.8

DNS-based blocklists
bl.spamcop.net
cbl.abuseat.org

Spamtrap hits, user Reports, and an increase in traffic .... as noted in the "Why am I Blocked?" FAQ, Pinned, and Wiki entries points to an infected/compromised computer/network involved.
Derek T
QUOTE(Wazoo @ May 7 2009, 11:22 AM) *

http://www.spamcop.net/w3m?action=checkblo...p=196.11.146.71
196.11.146.71 listed in bl.spamcop.net (127.0.0.2)


Oh dear!

CODE
Submitted: 07 May 2009 09:21:39 +0100:
Renew your virility for yourself,for her and for your love.

    * 4116004757 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net

Submitted: 04 May 2009 19:47:11 +0100:
Newsletter_12:_Making_money_with_SMS_SHORT_CODES

    * 4106883551 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net

Submitted: 04 May 2009 13:58:23 +0100:
[ipc] LATEST IPC CONNECT

    * 4106132192 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net

Submitted: 04 May 2009 07:00:03 +0100:
GOLD_DUST_and_GOLD_NUGGETS

    * 4104789442 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net

Submitted: 04 May 2009 05:39:19 +0100:
GOLD_DUST_and_GOLD_NUGGETS

    * 4104537549 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net

Submitted: 03 May 2009 19:01:40 +0100:
GOLD_DUST_and_GOLD_NUGGETS

    * 4103343570 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net

Submitted: 03 May 2009 19:01:28 +0100:
Newsletter_12:_Making_money_with_SMS_SHORT_CODES

    * 4103342733 ( http://www.payprofit.net/payprofit/unsubscribe.... ) To: abuse[at]navigata.net
    * 4103342617 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net



and

CODE
Parsing input: 196.11.146.71
[report history]
Routing details for 196.11.146.71
[refresh/show] Cached whois for 196.11.146.71 : risk[at]vodacom.co.za
spampolice[at]vodamail.co.za bounces (241 sent : 121 bounces)
Using best contacts
No reporting addresses found for 196.11.146.71, using devnull for tracking.
Statistics:
196.11.146.71 listed in bl.spamcop.net (127.0.0.2)
More Information..
196.11.146.71 not listed in dnsbl.njabl.org ( 127.0.0.8 )
196.11.146.71 not listed in dnsbl.njabl.org ( 127.0.0.9 )
196.11.146.71 not listed in cbl.abuseat.org
196.11.146.71 not listed in dnsbl.sorbs.net
No valid email addresses found, sorry!

    * There are several possible reasons for this: The site involved may not want reports from SpamCop.
    * SpamCop administrators may have decided to stop sending reports to the site to prevent listwashing.
    * SpamCop uses internal routeing to contact this site, only knows about the internal method and so cannot provide an externally-valid email address.
    * There may be no working email address to receive reports.


Houston, we have a problem :unsure:
mvanwyk
QUOTE(Derek T @ May 7 2009, 12:40 PM) *
Houston, we have a problem :unsure:

Thanks Guys.

One thing I forgot to mention is that most of the people are using Vodacom as their ISP to connect to the net using their 3G network; it seems like the public address which is assigned is blacklisted.
Telarin
Assuming that the problem is not a compromised mail server, which seems to rarely be the case, there are a couple of good solutions to this problem:

1) If you have, or can get, multiple public IP addresses, use one IP address for the mail server, and a separate IP address for your NAT.

2) Configure your router to deny all Outbound traffic, with a destination port of 25, and a source IP address OTHER than the mail server.

An even better solution would be to do BOTH of these items if possible.

Of course, this is just a stop-gap measure. The real solution is going to be finding the infected machine or machines on the network and getting it cleaned, but 1 and 2 above should get your IP to quit sending spam so that you can get delisted quickly while tracking down the bad machine.
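
Added example, not part of the original post: once outbound port 25 is restricted to the mail server, logging the traffic that rule catches shows which internal machine is sending mail directly. This Python sketch assumes the router is a Linux box writing netfilter LOG-style lines; the log prefix, client addresses and destinations are constructed, and only 172.17.0.6 comes from the thread.

```python
import re
from collections import Counter

MAIL_SERVER = "172.17.0.6"  # mail server's internal address, as given in the thread

# Constructed sample of netfilter LOG-style lines for forwarded outbound traffic.
# Hostname, prefix, client addresses and destinations are made up for illustration.
SAMPLE_FW_LOG = """\
May  7 10:00:01 gw kernel: FWD-OUT IN=eth1 OUT=eth0 SRC=172.17.0.6 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=25
May  7 10:00:02 gw kernel: FWD-OUT IN=eth1 OUT=eth0 SRC=172.17.0.23 DST=198.51.100.7 PROTO=TCP SPT=1045 DPT=25
May  7 10:00:02 gw kernel: FWD-OUT IN=eth1 OUT=eth0 SRC=172.17.0.23 DST=203.0.113.9 PROTO=TCP SPT=1046 DPT=25
May  7 10:00:03 gw kernel: FWD-OUT IN=eth1 OUT=eth0 SRC=172.17.0.41 DST=192.0.2.10 PROTO=TCP SPT=2201 DPT=25
May  7 10:00:03 gw kernel: FWD-OUT IN=eth1 OUT=eth0 SRC=172.17.0.23 DST=192.0.2.55 PROTO=TCP SPT=1047 DPT=25
May  7 10:00:04 gw kernel: FWD-OUT IN=eth1 OUT=eth0 SRC=172.17.0.23 DST=192.0.2.80 PROTO=TCP SPT=1048 DPT=443
"""

# Pull only the key=value fields this check needs out of each log line.
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def rogue_smtp_sources(log_text, mail_server=MAIL_SERVER):
    """Return (source, attempts, distinct_destinations) for every internal
    host other than the mail server that tried outbound TCP port 25."""
    attempts = Counter()
    destinations = {}
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
            continue  # not SMTP
        src = fields.get("SRC")
        if src is None or src == mail_server:
            continue  # the mail server is the one permitted sender
        attempts[src] += 1
        destinations.setdefault(src, set()).add(fields.get("DST"))
    # Most active first; many distinct destinations points at a machine
    # delivering mail directly rather than relaying through the server.
    return [(src, n, len(destinations[src])) for src, n in attempts.most_common()]

if __name__ == "__main__":
    for src, n, distinct in rogue_smtp_sources(SAMPLE_FW_LOG):
        print(f"{src}: {n} port-25 attempts to {distinct} destinations")
```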
Merlyn
Good advice Will

Examples of spam from this ip can be found here:
http://psbl.surriel.com/evidence?ip=196.11...=Check+evidence