Full Version: IP blocked
Cale
About 5 days ago I started getting emails from my clients saying that their email is blocked because of Spamcop. I have been running the same configuration on my email server for at least 2 years without a problem, however now I'm getting endless problems.

This is what the report says

QUOTE
196.15.203.170 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 17 hours.

Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
Additional potential problems
(these factors do not directly result in spamcop listing)

DNS error: 196.15.203.170 has no reverse dns
Because of the above problems, express-delisting is not available

Listing History
In the past 5.9 days, it has been listed 2 times for a total of 4.8 days

I have TrendMicro enterprise running and it seems to be clear for my server and whole network. There aren't any viruses on it at all.

We got delisted today, but after a few hours got listed again.

Here is a response from Ellen at Spamcop.

QUOTE
If this is your IP/server then you have a virus/worm infection somewhere in your network or an insecure server being used by spammers and you need to find the compromised machine and disinfect it or you may have a server exploit such as an insecure cgi or php script; an open proxy or an smtp/auth issue where the spammer has cracked a name/password.

If I have an insecure cgi or an smtp/auth issue, how do I fix it?

Also, is it possible that I have a DNS problem, as stated in the original report?

Thanks in advance...
Wazoo
Telnet response shows; 220 mail.selectonline.net ESMTP Merak 8.0.2; Thu, 02 Mar 2006 15:04:39 +0200 .. which reflects some out of date software ... current version is shown at http://www.merakmailserver.com/ as being 8.3.8 ....

Reading the "spiffy" stuff, one sees right off the bat the "Challenge/Response" settings ... not a good sign. Are you using this function?

How you "find" stuff ...???? Logs for starters. You talk about anti-virus checks but say nothing about a firewall ...???

http://www.senderbase.org/?searchBy=ipaddr...=196.15.203.170
Volume Statistics for this IP
                Magnitude   Vol Change vs. Average
Last day        4.5         8539%
Last 30 days    3.1         236%
Average         2.6

I don't quite understand how this kind of traffic increase would be that hard to not see somewhere ...

Hmm, looks like someone has already been working in other areas ...
http://psbl.surriel.com/listing?ip=196.15....PSBL+list+query
Currently listed in PSBL? No.

Spam and removal history for 196.15.203.170 (times in UTC):

2006-02-25 21:23:17.458613 received spamtrap mail
2006-02-25 22:18:53.136368 received spamtrap mail
2006-03-02 07:12:47.886267 removed through website

Just as with SpamCop, playing the "get me off the list" without finding/fixing the problem is pretty much a waste of time. Did whoever hit the "Remove" button there look at the evidence files from those spamtrap hits? Was any work done to track down the source of that spew?

03/02/06 07:24:38 Slow traceroute 196.15.203.170
Trace 196.15.203.170 ...
196.43.9.145 RTT: 293ms TTL:240 (rrba-ip-lir-1-pos-6-1.telkom-ipnet.co.za ok)
196.43.10.66 RTT: 298ms TTL:240 (ndn-ip-esr-1-fe-1-0-0.telkom-ipnet.co.za bogus rDNS: host not found [authoritative])
196.25.220.54 RTT:1416ms TTL:240 (select-online-gw.telkom-ipnet.co.za bogus rDNS: host not found [authoritative])
196.15.203.170 RTT: 889ms TTL:116 (No rDNS)

ns2.zadns.net reports the following MX records:
Preference Host Name IP Address
5 mail.selectonline.net 196.15.203.170

http://www.mxtoolbox.com/blacklists.aspx?IP=196.15.203.170
PSBL LISTED Return codes were: 127.0.0.2 300 656
SPAMCOP LISTED Blocked - see Detail
Return codes were: 127.0.0.2 2100 609
UCEPROTECTL1 LISTED Sorry, IP 196.15.203.170 is blacklisted at Level 1 by UCEPROTECT-Network see Detail
Return codes were: 127.0.0.2
Reverse DNS FAILED! This is a problem

http://www.dnsreport.com/tools/dnsreport.c...electonline.net
ERROR: The IP of one or more of your mail server(s) have no reverse DNS (PTR) entries
The problem MX records are:
170.203.15.196.in-addr.arpa [No reverse DNS entry (rcode: 3 ancount: 0)

http://www.dnsstuff.com/tools/ptr.ch?ip=196.15.203.170
No PTR records exist for 196.15.203.170
Cale
EDIT Ok, I'm totally freaked out at the moment. Panda Online Scan has detected over 20 viruses which Trend (updated up to today) never did. How can this happen? Surely this is the source of my problem???

Thank you for your response.

There are a lot of things to be done, judging by your post. I will download the newest version of Merak to get things started, and just as a measure use an online antivirus check to verify that we don't have any viruses on our server.

Now onto your post.

QUOTE
one sees right off the bat the "Challenge/Response" settings ... not a good sign. Are you using this function?


What is challenge/response? Where can I identify this setting under Merak?


QUOTE
How you "find" stuff ...???? Logs for starters. You talk about anti-virus checks but say nothng about a firewall ...???


I didn't think it pertinent. We have a firewall in place as well and it is functional. Here is some suspicious log file evidence:

QUOTE
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:48 +0200 <<< HELO thedirtybear.com
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:48 +0200 >>> 250 mail.selectonline.net Hello thedirtybear.com [209.221.40.204], pleased to meet you.
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:49 +0200 <<< MAIL FROM:<halldofortier[at]thedirtybear.com>
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:49 +0200 >>> 250 2.1.0 <halldofortier[at]thedirtybear.com>... Sender ok
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:49 +0200 <<< RCPT TO:<kathy[at]selectonline.net>
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:49 +0200 >>> 250 2.1.5 <kathy[at]selectonline.net>... User unknown
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:51 +0200 <<< DATA
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:51 +0200 >>> 354 Enter mail, end with "." on a line by itself
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:53 +0200 *** <halldofortier[at]thedirtybear.com> <kathy[at]selectonline.net> 1 3878 00:00:02 OK
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:53 +0200 >>> 250 2.6.0 3878 bytes received in 00:00:02; Message accepted for delivery
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:54 +0200 <<< QUIT
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:54 +0200 >>> 221 2.0.0 mail.selectonline.net closing connection
SYSTEM          [00000EC8] Thu, 02 Mar 2006 15:21:54 +0200 Disconnected


and

QUOTE
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:07 +0200 Connected
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:07 +0200 >>> 220 mail.selectonline.net ESMTP Merak 8.0.2; Thu, 02 Mar 2006 15:29:07 +0200
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:08 +0200 <<< HELO mxtoolbox.com - DIAGNOSTIC TEST - See http://www.mxtoolbox.com/Policy.aspx
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:08 +0200 >>> 250 mail.selectonline.net Hello mxtoolbox.com - DIAGNOSTIC TEST - See http://www.mxtoolbox.com/Policy.aspx [209.198.149.186], pleased to meet you.
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:09 +0200 <<< HELO mxtoolbox.com
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:09 +0200 >>> 250 mail.selectonline.net Hello mxtoolbox.com [209.198.149.186], pleased to meet you.
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:10 +0200 <<< MAIL FROM: <test[at]mxtoolbox.com>
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:10 +0200 >>> 250 2.1.0 <test[at]mxtoolbox.com>... Sender ok
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:11 +0200 <<< RCPT TO: <test[at]mxtoolbox.com>
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:11 +0200 >>> 550 5.7.1 <test[at]mxtoolbox.com>... we do not relay <test[at]mxtoolbox.com>
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:11 +0200 <<< QUIT
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:11 +0200 >>> 221 2.0.0 mail.selectonline.net closing connection
SYSTEM          [00000C70] Thu, 02 Mar 2006 15:29:11 +0200 Disconnected
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:54 +0200 Connected
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:54 +0200 >>> 220 mail.selectonline.net ESMTP Merak 8.0.2; Thu, 02 Mar 2006 15:30:54 +0200
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:55 +0200 <<< HELO test.DNSreport.com
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:55 +0200 >>> 250 mail.selectonline.net Hello test.DNSreport.com [66.36.241.109], pleased to meet you.
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:55 +0200 <<< MAIL FROM:<>
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:55 +0200 >>> 250 2.1.0 <>... Sender ok
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 <<< RCPT TO:<postmaster[at]selectonline.net>
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 >>> 250 2.1.5 <postmaster[at]selectonline.net>... Recipient ok
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 <<< RCPT TO:<abuse[at]selectonline.net>
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 >>> 250 2.1.5 <abuse[at]selectonline.net>... User unknown
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 <<< RCPT TO:<postmaster@[196.15.203.170]>
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 >>> 550 5.7.1 <postmaster@[196.15.203.170]>... we do not relay <>
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:57 +0200 <<< RCPT TO:<Not.abuse.see.www.DNSreport.com.from.IP.12.214.114.136[at]DNSreport.com>
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:57 +0200 >>> 550 5.7.1 <Not.abuse.see.www.DNSreport.com.from.IP.12.214.114.136[at]DNSreport.com>... we do not relay <>
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:59 +0200 <<< QUIT
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:59 +0200 >>> 221 2.0.0 mail.selectonline.net closing connection
SYSTEM          [00000F10] Thu, 02 Mar 2006 15:30:59 +0200 Disconnected



QUOTE
2006-02-25 21:23:17.458613 received spamtrap mail
2006-02-25 22:18:53.136368 received spamtrap mail
2006-03-02 07:12:47.886267 removed through website

Did whoever hit the "Remove" button there look at the evidence files from those spamtrap hits? Was any work done to track down the source of that spew?

If you could point me in the right direction in how to do this it would be appreciated.

It also seems I have to put in a reverse PTR entry for my IP?? Correct ?

PS It seems you are a bit upset. It might not have occurred to you that I really don't know how to go about fixing my problem. Hence my detailed answers to your post. I really would like to fix it but need some assistance in doing so. Thank you very much.
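The first log Cale quoted shows the server answering "250 ... User unknown" for a recipient and then accepting the message anyway; mail accepted for a mailbox that does not exist can only be bounced later, and bounces to forged senders are the NDR traffic Telarin's auto-responder link covers. The script below is an added example, not from the thread or from Merak: it parses Merak-style log lines by the bracketed session id and flags sessions where a message was accepted after a recipient was reported unknown. The sample log is constructed from the lines posted above, trimmed to the relevant ones.

```python
import re
from collections import defaultdict

# Constructed sample in the Merak 8 log format quoted in the thread
# (two of the posted sessions, reduced to the lines that matter here).
SAMPLE_LOG = """\
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:48 +0200 <<< HELO thedirtybear.com
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:49 +0200 <<< RCPT TO:<kathy[at]selectonline.net>
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:49 +0200 >>> 250 2.1.5 <kathy[at]selectonline.net>... User unknown
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:53 +0200 >>> 250 2.6.0 3878 bytes received in 00:00:02; Message accepted for delivery
SYSTEM          [00000EC8] Thu, 02 Mar 2006 15:21:54 +0200 Disconnected
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 <<< RCPT TO:<abuse[at]selectonline.net>
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 >>> 250 2.1.5 <abuse[at]selectonline.net>... User unknown
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:59 +0200 <<< QUIT
SYSTEM          [00000F10] Thu, 02 Mar 2006 15:30:59 +0200 Disconnected
"""

# peer  [session id]  timestamp ending in a numeric zone  rest of line
LINE_RE = re.compile(r"^(\S+)\s+\[([0-9A-F]{8})\]\s+(.+?[+-]\d{4})\s+(.*)$")
UNKNOWN_RE = re.compile(r">>> 250 2\.1\.5 <(.+?)>\.\.\. User unknown")
ACCEPTED = "Message accepted for delivery"


def parse_sessions(log_text):
    """Group lines by session id: remember the peer IP, every recipient that
    was answered 250 despite being unknown, and whether DATA was accepted."""
    sessions = defaultdict(lambda: {"peer": None, "unknown": [], "accepted": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        peer, sid, _when, rest = m.groups()
        s = sessions[sid]
        if peer != "SYSTEM" and s["peer"] is None:
            s["peer"] = peer
        u = UNKNOWN_RE.search(rest)
        if u:
            s["unknown"].append(u.group(1))
        if ACCEPTED in rest:
            s["accepted"] = True
    return sessions


def accepted_for_unknown(log_text):
    """(session id, peer, unknown recipients) for each session in which the
    server accepted a message after reporting a recipient as unknown."""
    return [(sid, s["peer"], s["unknown"])
            for sid, s in parse_sessions(log_text).items()
            if s["unknown"] and s["accepted"]]


if __name__ == "__main__":
    for sid, peer, rcpts in accepted_for_unknown(SAMPLE_LOG):
        print(f"session {sid} from {peer}: accepted mail for unknown {', '.join(rcpts)}")
```

Only the first session is reported: the second was a probe that answered "User unknown" but never reached DATA.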
Telarin
Don't take Wazoo's short answers as him being upset, it's not unusual in a forum like this to get answers of that nature. It's not intended to be rude, just direct and to the point.

You can read more about Challenge/Response and other Auto-Responder problems here:

http://www.spamcop.net/fom-serve/cache/329.html#CR

That would be one place to start. However, from what Ellen told you, I don't think that is your problem, as she would have immediately noticed C/R or NDR messages as a problem.

An insecure script can be any script on a webpage that allows users of your website to send mail to anywhere else. Many of these scripts will have the TO address in a hidden field on the form, which means that a malicious user can change it and submit to any TO address they like. You need to make sure that any form-to-mail scripts you are using have a hard-coded TO address.

The PTR record, while not directly related to your problem, is a problem that you will want to take care of. Many ISPs will automatically reject any mail coming from a server without a proper PTR record. You should talk to whoever actually owns the IP address (Your connectivity provider usually) and have them put in the correct PTR record for your server.
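Telarin's point about hidden-field recipients, shown side by side in code. This is an added example and not the thread's or any project's script; the addresses and form field names are assumed. The hardened version goes one step beyond the post by also refusing CR/LF in any field that ends up in a header, since a line break in such a field is how a submission would otherwise add headers of its own:

```python
from email.message import EmailMessage

# Assumed values for the example, not taken from the thread.
SITE_CONTACT = "contact@example.com"   # the only place web-form mail may go
SENDER = "webform@example.com"         # fixed From for every submission


class RejectedSubmission(ValueError):
    """Raised when a form field is not safe to place in a mail header."""


def build_insecure(form):
    """The pattern Telarin warns about: the destination is read from a hidden
    form field, so whoever edits the form decides where the mail is sent."""
    msg = EmailMessage()
    msg["To"] = form["to"]                        # attacker-controlled
    msg["From"] = SENDER
    msg["Subject"] = form.get("subject", "Web form")
    msg.set_content(form.get("message", ""))
    return msg


def _header_safe(form, field):
    """Return the field's value, refusing anything that could split a header."""
    value = form.get(field, "")
    if "\r" in value or "\n" in value:
        raise RejectedSubmission(f"newline in field {field!r}")
    return value


def build_hardened(form):
    """Destination and sender are fixed in code; user text reaches only the
    body, a length-limited Subject and an optional Reply-To, all checked."""
    subject = _header_safe(form, "subject")[:200] or "Web form"
    replyto = _header_safe(form, "replyto")
    msg = EmailMessage()
    msg["To"] = SITE_CONTACT                      # never from the form
    msg["From"] = SENDER
    msg["Subject"] = subject
    if replyto:
        msg["Reply-To"] = replyto
    msg.set_content(form.get("message", ""))      # body text is inert
    return msg


if __name__ == "__main__":
    # Constructed submission with a tampered hidden "to" field.
    tampered = {"to": "anyone@elsewhere.example", "subject": "hi", "message": "spam"}
    print("insecure  ->", build_insecure(tampered)["To"])
    print("hardened  ->", build_hardened(tampered)["To"])
```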
Merlyn
QUOTE(Cale @ Mar 2 2006, 08:52 AM)
I really would like to fix it but need some assistance in doing so. Thank you very much.
As you are already aware that this is a bad problem and do not know what to do, it would probably be very productive to hire someone who is competent in this area; otherwise your server(s) will keep bombarding the web with needless and unwanted junk. Good luck.
Jeff G.
QUOTE(Telarin @ Mar 2 2006, 09:35 AM)
The PTR record, while not directly related to your problem, is a problem that you will want to take care of. Many ISPs will automatically reject any mail coming from a server without a proper PTR record. You should talk to whoever actually owns the IP address (Your connectivity provider usually) and have them put in the correct PTR record for your server.
Cale:

The reverse address for your mailserver "196.15.203.170" is "170.203.15.196.in-addr.arpa". There is no PTR Record for "170.203.15.196.in-addr.arpa". "170.203.15.196.in-addr.arpa" is in a zone "203.15.196.in-addr.arpa" run by Telkom SA's dnsadmin[at]saix.net which has not been updated since December 27th, 2005, as follows:
QUOTE
C:\>dig @igubu.saix.net 170.203.15.196.in-addr.arpa ptr

; <<>> DiG 9.2.3 <<>> @igubu.saix.net 170.203.15.196.in-addr.arpa ptr
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;170.203.15.196.in-addr.arpa.  IN      PTR

;; AUTHORITY SECTION:
203.15.196.in-addr.arpa. 3600  IN      SOA    localhost.203.15.196.in-addr.arpa. dnsadmin.saix.net. 2005122701 10800 3600 604800 3600

;; Query time: 701 msec
;; SERVER: 196.25.1.1#53(igubu.saix.net)
;; WHEN: Thu Mar 02 09:57:59 2006
;; MSG SIZE  rcvd: 108
When discussing this issue with Telkom SA, please ask them to see http://forum.spamcop.net/forums/index.php?...027&#entry36027 and to put a proper nameserver name in their SOA Record. Thanks!
Jeff G.
All of the about 11-20 incidents regarding 196.15.203.170 appear to be Spamtrap hits.