How can I tell why we are on the blacklist. Is it being caused by mydoom?

According to http://www.spamcop.net/w3m?action=checkblo...=199.89.170.139 :
Query bl.spamcop.net - 199.89.170.139
199.89.170.139 is mail1.univarusa.com
199.89.170.139 listed in bl.spamcop.net (127.0.0.2)

Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users. It has been sending mail consistently for at least 23.8 days. In the past 45 hours, it has been listed 2 times for a total of 36 hours

In the past week, this system has:
Been reported as a source of spam less than 10 times
Been detected sending mail to spam traps
Been witnessed sending mail about 90 times
A sample sent sometime during the 24 hours beginning :
Received:
Subject: - now
From: ch.. at ..o.com


Been detected sending mail to spam traps is a kiss of death for any IP Address. ISPs whose IP Addresses have Been detected sending mail to spam traps need to review FAQ Entry "How can I be de-listed" at http://www.spamcop.net/fom-serve/cache/298.html ASAP.

Please see the "Pinned: FAQ Entry: Why is my email blocked?" Topic at
http://forum.spamcop.net/forums/index.php?showtopic=35 for more information.

Er... unfortunately none of that stuff is relevant in this case, Jeff.

The IP was indeed listed due to MyDoom. The MyDoom worm generates email addresses from a list of names and attaches them to known domains, and unfortunately it seems to have come up with a spamtrap address in that way.

I've removed the IP from the list. I hope the virus has been cleaned up now.

Michael,

Thank you for taking care of this.

Can you tell if that spamtrap was embedded in a web page or computed using a common first name?

Thanks!

I'm only guessing, but it looks like just a common first name at a known domain.

In the interest of justice, it might be advisable to disable that one and others which match the profile, at least until this worm expires.