Full Version: Why is it listed
SpamCop Discussion > Discussions & Observations > SpamCop Blocklist Help
wantedz
Got the following error. But when I looked it up on the database it shows nothing. Is there a history that I can check or who submitted it?

Help appreciated

on 05/04/2006 05:59 PM

There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.

<octagon.za.com #5.5.0 smtp;554 Service unavailable; Client host [196.211.16.228] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?196.211.16.228
Derek T
QUOTE(wantedz @ Apr 6 2006, 08:17 AM)
Got the following error. But when I looked it up on the database it shows nothing. Is there a history that I can check or who submitted it?

<octagon.za.com #5.5.0 smtp;554 Service unavailable; Client host [196.211.16.228] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?196.211.16.228


There are no human reports for that server which suggests spamtrap hits. Listing now aged-off.

HOWEVER, can you explain a 67-fold increase in traffic from that server? Looks like a trojan or SMTP/AUTH hack to me.

QUOTE
Report on IP address:  196.211.16.228
Volume Statistics for this IP
Magnitude  Vol Change vs. Average
Last day  3.2  6777%
Last 30 days  1.8  218%
Average  1.3
wantedz
QUOTE(Derek T @ Apr 6 2006, 09:40 AM)
HOWEVER, can you explain a 67-fold increase in traffic from that server? Looks like a trojan or SMTP/AUTH hack to me.


We only started to use the IP three days ago
Derek T
QUOTE(wantedz @ Apr 6 2006, 08:45 AM)
We only started to use the IP three days ago


OK, thanks!

My next-best guess is post-facto NDRs, OOOs, etc. If you must reject, do it with a 5xx code at the time of the SMTP transaction.
Wazoo
Problems, confusion, weird stuff ....
http://www.senderbase.org/?searchBy=ipaddr...=196.211.16.228 shows;
Date of first message seen from this address 2006-04-03
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day 3.2 6983%
Last 30 days 1.8 219%
Average 1.3

However, the assignment data is showing only as AfriNIC - www.afrinic.net and Domain unknown

started with a trace route ...
04/06/06 06:22:03 Slow traceroute 196.211.16.228
Trace 196.211.16.228 ...
196.26.96.197 RTT: 615ms TTL: 48 (cdsl1-rba-gi0-2.isdsl.net ok)
196.36.80.213 RTT: 613ms TTL: 48 (clns2-rba.isdsl.net ok)
196.211.137.242 RTT: 956ms TTL: 48 (No rDNS)
* * * failed
* * * failed

OK, tried a Telnet connection - no connection made

So looked up the user's registration details to perhaps come up with a Domain involved to try to sort out what MX was actually involved:
http://co.za/cgi-bin/whois.sh?Domain=3gi&Enter=Enter
2005-04-01| R | 50.00|deon[at]bdse.co.za |2005-05-06| 2 | 436853|B&D System Engineers =
2006-04-03| R | 50.00|deon[at]bdse.co.za | NOT PAID | 1 | 567543|B&D System Engineers =

Noting that this history dates back to 2000-03-28 ....???

asterix.bdse.co.za reports the following MX records:

Preference Host Name IP Address TTL
10 mxscan02.bdse.net 196.34.229.60 3600
20 mxscan01.bdse.net 196.36.136.221 3600
50 dogmatix.bdse.co.za 196.34.229.60 3600

none of these are the IP in question ....

maybe I just need more coffee?
Telarin
If it is indeed spamtrap hits as Derek has indicated, you would need to contact deputies[at]admin.spamcop.net to get any more information on what is hitting them.

As far as volume goes, senderbase is showing a current estimated volume of around 1500 email messages per day. If that sounds like about what you expect, then you probably don't have a trojanned machine, as they will generally send that many every hour or so.

My guess would be a misconfigured server that is sending NDRs to the envelope "FROM:" address after it has already accepted the message for delivery to a non-existent user.

Automated replies such as Challenge/Response systems and Out of Office replies can cause this problem as well.

The deputies should be able to tell you exactly what types of messages are finding their way to the spamtraps.
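Derek's advice to reject with a 5xx code during the SMTP transaction and Telarin's accept-then-NDR explanation describe the two sides of backscatter. The following Python model is an added example (not code from the thread or from SpamCop): it simulates the RCPT TO stage of both MTA behaviours over a constructed batch of messages with forged envelope senders, including a spamtrap address, and counts the NDRs each behaviour would emit. All addresses and mailbox names are constructed.

```python
"""Accept-then-bounce vs. reject-at-RCPT: why backscatter ends up in spamtraps."""
from dataclasses import dataclass, field

# Constructed mailbox list for the receiving domain (not a real site).
LOCAL_DOMAIN = "example.net"
LOCAL_USERS = {"alice", "bob"}


@dataclass
class Outcome:
    replies: list = field(default_factory=list)  # SMTP replies sent to the client
    ndrs: list = field(default_factory=list)     # envelope senders we later NDR


def deliver_accept_then_bounce(mail_from: str, rcpt_to: str) -> Outcome:
    """Misconfigured MTA: answers 250 at RCPT TO for any address, then discovers
    the mailbox is missing and mails an NDR to the (possibly forged) MAIL FROM."""
    out = Outcome()
    out.replies.append("250 2.1.5 Ok")  # accepted without checking the recipient
    local, _, domain = rcpt_to.partition("@")
    if domain != LOCAL_DOMAIN or local not in LOCAL_USERS:
        if mail_from:  # null reverse path: no NDR is generated for a bounce of a bounce
            out.ndrs.append(mail_from)
    return out


def deliver_reject_at_rcpt(mail_from: str, rcpt_to: str) -> Outcome:
    """Correct behaviour: validate the recipient inside the SMTP transaction and
    answer with a permanent 5xx, so the sending MTA owns any bounce."""
    out = Outcome()
    local, _, domain = rcpt_to.partition("@")
    if domain != LOCAL_DOMAIN:
        out.replies.append("554 5.7.1 Relay access denied")
    elif local not in LOCAL_USERS:
        out.replies.append("550 5.1.1 User unknown")
    else:
        out.replies.append("250 2.1.5 Ok")
    return out


# Constructed sample run: forged senders, one of them a spamtrap, plus a null sender.
SAMPLE = [
    ("victim@forged.example", "alice@example.net"),   # valid mailbox
    ("victim@forged.example", "zzz123@example.net"),  # dictionary-attack guess
    ("trap@spamtrap.example", "sales@example.net"),   # NDR here is a spamtrap hit
    ("", "nobody@example.net"),                       # null reverse path
]


def backscatter_count(handler) -> int:
    """How many NDRs the given handler would send for the sample run."""
    return sum(len(handler(mf, rt).ndrs) for mf, rt in SAMPLE)
```

With the sample above, the accept-then-bounce handler emits two NDRs, one of them to the spamtrap address, while the reject-at-RCPT handler emits none.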
Jeff G.
QUOTE(wantedz @ Apr 6 2006, 03:17 AM)
Got the following error. But when I looked it up on the database it shows nothing. Is there a history that I can check or who submitted it?
No, sorry. Spammers ruined that feature.
Jeff G.
04/06/06 14:21:51 whois 196.211.16.228[at]whois.afrinic.net

whois -h whois.afrinic.net 196.211.16.228 ...
% This is the AfriNIC Whois server.

% Information related to '196.208.0.0 - 196.211.255.255'

inetnum: 196.208.0.0 - 196.211.255.255
netname: TIS-20050812
descr: Internet Solutions
descr: The Campus, 57 Sloane Street
descr: Bryanston
descr: Johannesburg
descr: Gauteng
descr: 2021
country: ZA
org: ORG-TIS1-AFRINIC
admin-c: ZT12-AFRINIC
tech-c: ZT12-AFRINIC
status: ALLOCATED PA
remarks: +-------------------------------------+
remarks: | Further assignment information is |
remarks: | available in the Internet Solutions |
remarks: | whois database: |
remarks: | |
remarks: | http://whois.is.co.za |
remarks: +-------------------------------------+
mnt-by: AFRINIC-HM-MNT
mnt-lower: TF-LALISHA-MNT
changed: hostmaster[at]afrinic.net 20050812
changed: hostmaster[at]afrinic.net 20050812
source: AFRINIC
parent: 196.0.0.0 - 196.255.255.255

organisation: ORG-TIS1-AFRINIC
org-name: Internet Solutions
org-type: LIR
address: The Internet Solution
address: The Campus, 57 Sloane Street
address: Bryanston
address: Johannesburg
address: Gauteng
address: 2021
country: ZA
e-mail: netadmin[at]is.co.za
admin-c: LS1-AFRINIC
tech-c: LS1-AFRINIC
tech-c: ZT12-AFRINIC
remarks: abuse e-mail: <abuse[at]is.co.za>, phone: +27 11 575 0055
mnt-ref: TF-LALISHA-MNT
mnt-by: AFRINIC-HM-MNT
changed: hostmaster[at]arin.net 19940613
changed: hostmaster[at]arin.org 20030714
changed: hostmaster[at]afrinic.net 20050221
changed: hostmaster[at]afrinic.net 20050818
source: AFRINIC

person: IS Hostmaster
address: The Campus, 57 Sloane Street
address: Bryanston
address: Johannesburg
address: Gauteng
address: 2021
phone: +27(11) 5750550
fax-no: +27(11) 5760550
e-mail: hostmaster[at]is.co.za
notify: hostmaster[at]is.co.za
org: ORG-TIS1-AFRINIC
nic-hdl: ZT12-AFRINIC
notify: hostmaster[at]is.co.za
changed: hostmaster[at]is.co.za 20050712
source: AFRINIC


04/06/06 14:22:56 whois 196.211.16.228[at]whois.is.co.za

whois -h whois.is.co.za 196.211.16.228 ...


Your WHOIS search for '196.211.16.228' yielded the following results:

inetnum: 196.211.16.224/29 (196.211.16.224 - 196.211.16.231)
netname: ISDSL (Reserved)
descr: c/o Internet Solutions
descr: The Campus, 57 Sloane Street
descr: Bryanston
descr: Johannesburg
descr: Gauteng
descr: 2021
country: ZA
admin-c: ZT12-AFRINIC
tech-c: ZT12-AFRINIC
status: ALLOCATED PA
remarks: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
mnt-by: LS1-AFRINIC
mnt-lower: n/a
changed: netadmin[at]is.co.za (Wed Oct 26 16:02:08 2005)
source: Internet Solutions IPDB

organisation:
org-name: Internet Solutions
org-type: LIR
address: Internet Solutions
address: The Campus, 57 Sloane Street
address: Bryanston
address: Johannesburg
address: Gauteng
address: 2021
country: ZA
e-mail: netadmin[at]is.co.za
admin-c: ZT12-AFRINIC
tech-c: ZT12-AFRINIC
remarks: abuse e-mail: abuse[at]is.co.za, phone: +27 11 575 0055
mnt-ref: n/a
mnt-by: LS1-AFRINIC
source: Internet Solutions IPDB

person: Internet Solutions
address: The Campus, 57 Sloane Street
address: Bryanston
address: Johannesburg
address: Gauteng
address: 2021
address: ZA
phone: +27 11 575 1000
e-mail: netadmin[at]is.co.za
nic-hdl: ZT12-AFRINIC
source: Internet Solutions IPDB