Full Version: My IP Blacklisted but it no longer sends e-mail
mmarklew
IP: 203.33.254.150

After first being listed last week I started examining my mail logs in detail trying to find the customer responsible. I managed to stop a couple of customers sending non-deliverable reports but we are only talking like 5 messages a day out of some 10,000 we send.

After continual re-listing over the weekend, many late nights examining logs, writing filters and attempts to contact Spamcop for more information I gave up and changed the IP of my mail server yesterday morning some 30 hours+ ago. I really didn't want to do this as if there is a problem I would like to fix it.

The new IP hasn't been listed yet. But the old IP has been relisted since I stopped it sending any e-mail?

How is this possible, am I missing something?

The spamcop site doesn't really give any details of the reason for listing, other than the obvious.
Wazoo
QUOTE(mmarklew @ Aug 30 2006, 12:39 AM) *
The spamcop site doesn't really give any details of the reason for listing, other than the obvious.

Besides the obvious?
http://www.spamcop.net/w3m?action=checkblo...=203.33.254.150
203.33.254.150 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 17 hours.

Causes of listing
SpamCop users have reported system as a source of spam about 60 times in the past week

(this is the first listing showing something besides "less than 10 times" I've seen in a long time ..)

Additional potential problems

DNS error: 203.33.254.150 is mail.idl.com.au but mail.idl.com.au has no DNS information
System administrator has already delisted this system once

http://www.senderbase.org/?searchBy=ipaddr...=203.33.254.150
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day ......... 3.6 .. -73%
Last 30 days ... 3.3 .. -86%
Average ......... 4.1

It is still sending e-mail, per those numbers .... something like 10,000 a day, based on data at SenderBase's "Magnitude" Explained

It appears that you're checking in the wrong place ..... or you've offered up the wrong IP address.

whois -h whois.apnic.net 203.33.254.150 ...
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 203.33.254.0 - 203.33.254.255
netname: MAGNETICANDOPTI-AU
descr: Magnetic and Optic Labs
descr: 5 Garlick Close
descr: Kariong
descr: NSW 2250
country: AU
admin-c: DM252-AP
tech-c: DM252-AP
remarks: ** Conversion note - reference 'DM252-AU' changed to 'DM252-AP'
remarks: Record imported from AUNIC as part of AUNIC->APNIC migration
remarks: Please see http://www.apnic.net/db/aunic/
mnt-by: APNIC-HM
status: ALLOCATED PORTABLE
changed: nobody[at]aunic.net 19961025
changed: aunic-transfer[at]apnic.net 20010525
changed: hm-changed[at]apnic.net 20041214
source: APNIC

You may also want to take a look at Spammers love Forum name = e-mail address
mmarklew
That's me, been staring at those pages for many hours now

I added a smart host yesterday to relay all the messages via a different machine. Logs show the messages all going to the remote machine and received on the other end too.

It doesn't track messages via a relay does it?

Or how updated is it?
dra007
All kind of spam, including pills, porn and gambling:
CODE

Report History:

Don't Display UUBE
--------------------------------------------------------------------------------
Submitted: Tuesday, August 29, 2006 7:37:38 PM -0400:
Re: yuRXie
1898003822 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Tuesday, August 29, 2006 7:22:43 PM -0400:
pressed
1897992162 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Tuesday, August 29, 2006 7:18:30 PM -0400:
Youngest glorious Schoolgirl fu**eed by oldman.
1897984720 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Tuesday, August 29, 2006 7:18:23 PM -0400:
Got free time? Become richer! Tue, 29 Aug 2006 12:49:42 -0400
1897984741 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Tuesday, August 29, 2006 7:18:18 PM -0400:
Re: geRXly
1897984862 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Tuesday, August 29, 2006 7:17:47 PM -0400:
blackjack
1897993452 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Tuesday, August 29, 2006 7:17:28 PM -0400:
FW: Job proposition from "FinanceAct Corp
1897993955 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Tuesday, August 29, 2006 7:17:16 PM -0400:
! Try the new miracle weight loss herb
1897994071 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Monday, August 28, 2006 11:48:44 PM -0400:
Re: BEST PRICE ON HUMAX PAU-42THD PLASMA SCREEN
1896620124 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Monday, August 28, 2006 11:48:43 PM -0400:
Pain killers are here
1896620161 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au
---------------------------------------------------------------------------------------
Submitted: Monday, August 28, 2006 11:48:46 PM -0400:
issues. stories weeks
1896619922 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Monday, August 28, 2006 11:48:45 PM -0400:
Which rules are in effect here?
1896620017 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Monday, August 28, 2006 10:37:53 AM -0400:
Undelivered Mail Returned to Sender
1895728296 ( 203.33.254.150 ) ( UUBE ) To: uube[at]devnull.spamcop.net

--------------------------------------------------------------------------------
Submitted: Sunday, August 27, 2006 9:02:41 PM -0400:
Email address: The
1894923578 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Sunday, August 27, 2006 6:40:11 PM -0400:
Be a powerful warrior in the bedroom!
1894779776 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Saturday, August 26, 2006 11:44:29 PM -0400:
Undelivered Mail Returned to Sender
1893731739 ( 203.33.254.150 ) ( UUBE ) To: uube[at]devnull.spamcop.net

--------------------------------------------------------------------------------
Submitted: Saturday, August 26, 2006 9:50:52 AM -0400:
Undelivered Mail Returned to Sender
1892962948 ( 203.33.254.150 ) ( UUBE ) To: uube[at]devnull.spamcop.net

--------------------------------------------------------------------------------
Submitted: Thursday, August 24, 2006 8:42:19 PM -0400:
Your Express-credits Fri, 25 Aug 2006 09:25:58 +1000
1890963303 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Thursday, August 24, 2006 6:19:23 PM -0400:
Xmas Party's on Trade BOOK NOW !! Is this what you mean???
1890845278 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Thursday, August 24, 2006 6:19:16 PM -0400:
Didnt Happen Brenda
1890845291 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au


spamtraps are but a small fraction of reports.
Wazoo
QUOTE(mmarklew @ Aug 30 2006, 01:47 AM) *
It doesn't track messages via a relay does it?

Or how updated is it?

http://forum.spamcop.net/scwik/SenderBase for the general background. Bottom line, those "data collection points" are seeing traffic from that IP address .... it is basically "live" ....
mmarklew
That is my personal old uni e-mail address that forwards to my ISP account. My mail server 203.33.254.150 does not send that e-mail out, it receives it from the newcastle uni.

Is there something wrong with spam cop?

PS: I can't believe I put my e-mail as the login and I can't figure out where to change it. Anyone know?
dra007
I could go on, but this is one of the most productive sources of spam I have seen yet, possibility of a hijacked PC is very likely:

CODE
Submitted: Thursday, August 24, 2006 6:20:07 PM -0400:
Ill
1890845231 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Thursday, August 24, 2006 6:20:07 PM -0400:
money for you
1890845232 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Thursday, August 24, 2006 6:20:03 PM -0400:
Latest stuff Now you could grant your wish Revel in
1890845233 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Thursday, August 24, 2006 6:20:06 PM -0400:
Info for the Rock
1890845245 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Thursday, August 24, 2006 6:20:06 PM -0400:
killing Just Schoolgirl and killing Schoolgirls from Your dreeam!
1890845246 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Thursday, August 24, 2006 6:20:05 PM -0400:
beautiful Sluts at Porn!
1890845249 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Thursday, August 24, 2006 6:19:40 PM -0400:
Russsian attractive Teen hardcoree action.
1890845256 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Thursday, August 24, 2006 6:19:30 PM -0400:
good-looking russiann Teen in poono!
1890845259 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Thursday, August 24, 2006 6:19:28 PM -0400:
Credit Card Expiration Approaching
1890845267 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au

--------------------------------------------------------------------------------
Submitted: Thursday, August 24, 2006 6:19:28 PM -0400:
{mob}
1890845269 ( 203.33.254.150 ) To: c9514955[at]alinga.newcastle.edu.au
mmarklew
Missed my post

Yes, My spam assassin works like mad filtering all the crap generated from that account. Again it's sent to my mail server not the other way around..

c9514955[at]newcastle.edu.au forwards to 203.33.254.150.
Wazoo
QUOTE(mmarklew @ Aug 30 2006, 12:39 AM) *
IP: 203.33.254.150

After continual re-listing over the weekend, many late nights examining logs, writing filters and attempts to contact Spamcop for more information I gave up and changed the IP of my mail server yesterday morning some 30 hours+ ago. I really didn't want to do this as if there is a problem I would like to fix it.

The new IP hasn't been listed yet. But the old IP has been relisted since I stopped it sending any e-mail?

How is this possible, am I missing something?

Any explanation for the response I get ....???

C:\>telnet 203.33.254.150 25
220 mail.idl.net.au ESMTP

There's still an e-mail server sitting at that IP address .....
mmarklew
Yes.. But it doesn't send any e-mail directly. It relays via another host.

I do not send e-mail to c9514955[at]newcastle.edu.au it's my personal old UNI account. They forward my e-mail to my ISP that I happen to own..

They forward to 203.33.254.150 not the other way around. I just logged into their webmail admin and turned off the forwarding. BUT there must be an issue somewhere, what if one of my customers did this.

I know you get a lot of noobs posting crap, and at the risk of sounding like I don't know what I am doing let me say that I do know what I am doing and I am an ISP admin of some 10 years.
Wazoo
QUOTE(mmarklew @ Aug 30 2006, 01:56 AM) *
Is there something wrong with spam cop?

Reports routes for 203.33.254.150:
routeid:21471794 203.33.254.0 - 203.33.254.255 to:c9514955[at]alinga.newcastle.edu.au
Administrator found from whois records

Parsing input: 203.33.254.150
host 203.33.254.150 = mail.idl.com.au (cached)
host 203.33.254.150 = mail.idl.com.au (cached)
Routing details for 203.33.254.150
[refresh/show] Cached whois for 203.33.254.150 : c9514955[at]alinga.newcastle.edu.au
Using last resort contacts c9514955[at]alinga.newcastle.edu.au

Removing old cache entries.

Tracking details
"whois 203.33.254.150[at]whois.apnic.net" (Getting contact from whois.apnic.net mirror)
Display data:
dm252-ap = c9514955[at]alinga.newcastle.edu.au
whois.apnic.net 203.33.254.150 = c9514955[at]alinga.newcastle.edu.au
whois: 203.33.254.0 - 203.33.254.255 = c9514955[at]alinga.newcastle.edu.au
Routing details for 203.33.254.150
Using last resort contacts c9514955[at]alinga.newcastle.edu.au

QUOTE
PS: I can't believe I put my e-mail as the login and I can't figure out where to change it. Anyone know?

???? The link to the Announcement was provided in a previous post .. that Announcement has a link to an entry in the Forum FAQ (which is also available at the top of this screen)
mmarklew
Ahh.. Should I feel stupid now?

So you are saying the reports were sent to c9514955[at]alinga.newcastle.edu.au, not that the spam was reported by this address?

I can't change the whois lookup as I registered that subnet some 12 years ago and unless I start paying APNIC they won't update records. Any way to get notifications to go to a different address?

Do you have any details of the actual message headers so I can track it within my network. I really want to know how I can miss so many in my logs. Still doesn't answer the question as to why I am getting re-listed when that server does not send e-mail directly.

Any more help please?
Wazoo
QUOTE(mmarklew @ Aug 30 2006, 02:06 AM) *
Yes.. But it doesn't send any e-mail directly. It relays via another host.

Firewall in use? Can you send e-mail 'to' this server and 'prove' that it is relaying for you properly?

If so, then there's a lot more to the story .....
QUOTE
I do not send e-mail to c9514955[at]newcastle.edu.au it's my personal old UNI account. They forward my e-mail to my ISP that I happen to own..

They forward to 203.33.254.150 not the other way around. I just logged into their webmail admin and turned off the forwarding. BUT there must be an issue somewhere, what if one of my customers did this.

As shown, that address is found in the WHOIS data/records ..... thus you should have been receiving all those reports. Not sure what you 'solved' by turning off the forwarding, other than having to check that account directly now ....
QUOTE
I know you get a lot of noobs posting crap, and at the risk of sounding like I don't know what I am doing let me say that I do know what I am doing and I am an ISP admin of some 10 years.

I just fessed up to making a huge error in only applying half a modification to some other code in another application here .... I had it running just fine on the original installation .. was involved with Alpha and Beta testing with the next release, then installed the 'final' of that last release .. eventually copying over the 'final' into the 'original' location .... a couple of weeks ago .. problem only noticed a few hours back ... how I missed inserting the second bit of code is beyond me, but ..... and I've been around for a lot longer than 10 years <g>
mmarklew
QUOTE(Wazoo @ Aug 30 2006, 05:24 PM) *
Firewall in use? Can you send e-mail 'to' this server and 'prove' that it is relaying for you properly?

Yes, the mail definitely goes via the smart host and then is sent to the Internet.

QUOTE(Wazoo @ Aug 30 2006, 05:24 PM) *
As shown, that address is found in the WHOIS data/records ..... thus you should have been receiving all those reports. Not sure what you 'solved' by turning off the forwarding, other than having to check that account directly now ....

My bad, thought that was the address reporting the spam (please see my last post, we really need a chat line instead of a discussion board.. and thanks for your quick help)

QUOTE(Wazoo @ Aug 30 2006, 05:24 PM) *
I just fessed up to making a huge error in only applying half a modification to some other code in another application here .... I had it running just fine on the original installation .. was involved with Alpha and Beta testing with the next release, then installed the 'final' of that last release .. eventually copying over the 'final' into the 'original' location .... a couple of weeks ago .. problem only noticed a few hours back ... how I missed inserting the second bit of code is beyond me, but ..... and I've been around for a lot longer than 10 years <g>

My comment was a little tongue in cheek. I get self-proclaimed network admins calling for support every day that don't even know how to forward a port.
Wazoo
PM sent, asking for a test e-mail so I can see the headers .. Tracking URL will be forthcoming ....
mmarklew
Are you able to give me the full headers for one or some of these messages by any chance? I honestly have spent many hours (like 4 days up until midnight) trying to figure out where it is coming from.

I like nothing more than to disconnect a user who is sending spam, kind of like disconnecting an ISP that sends spam I suppose
Wazoo
QUOTE(mmarklew @ Aug 30 2006, 02:47 AM) *
Are you able to give me the full headers for one or some of these messages by any chance? I honestly have spent many hours (like 4 days up until midnight) trying to figure out where it is coming from.

Section 8 - SpamCop's System & Active Staff User Guide

You've gotten all the data that other 'users' can provide. You're saying that the Subject: lines don't do you any good, thus I asked for an e-mail to see what is actually in those headers.
Wazoo
Tracking URL: http://www.spamcop.net/sc?id=z1047543055za...2b5fdbb20a16afz

Bottom line, this 'legitimate' e-mail would result in reports being sent to you about the 'other' IP address ....

Report Spam to:
Re: 203.33.254.129 (Administrator of network where email originates)
To: c9514955[at]alinga.newcastle.edu.au

So that the spam being reported shown by dra007 was either prior to your switching to the smarthost ... or there is definitely someone managing to bypass the alleged e-mail server itself, yet using the same IP address to get out on (so back to the firewall logs ..????)

On the other hand, the parser shows lots of problems (well even the e-mail header itself complains about a misconfigured server ....) I really hate to post the whole mess here, but I'm guessing that as you don't have even a free reporting account, I don't know if you will be able to see the "full, technical details" ..????

Received: from smtp2.idl.com.au (smtp3.idl.com.au[203.33.254.147](misconfigured sender))
by sccqmxc94.asp.att.net (sccqmxc94) with ESMTP
id <20060830074230q9400ob5gde>; Wed, 30 Aug 2006 07:42:30 +0000

203.33.254.147 is not an MX for smtp3.idl.com.au
Host smtp3.idl.com.au (checking ip) = 203.33.254.147

203.33.254.147 not listed in dnsbl.njabl.org
203.33.254.147 not listed in cbl.abuseat.org
203.33.254.147 not listed in dnsbl.sorbs.net
203.33.254.147 is not an MX for sccqmxc94.asp.att.net
203.33.254.147 is not an MX for smtp3.idl.com.au.
203.33.254.147 is not an MX for smtp2.idl.com.au
203.33.254.147 is not an MX for sccqmxc94.asp.att.net
203.33.254.147 not listed in dnsbl.njabl.org

203.33.254.150 is not an MX for mail.idl.com.au
Host mail.idl.com.au (checking ip) = 203.33.254.150
Host smtp2.idl.com.au (checking ip) = 203.32.82.5
203.32.82.5 not listed in dnsbl.njabl.org
203.32.82.5 not listed in cbl.abuseat.org
203.32.82.5 not listed in dnsbl.sorbs.net
Chain test:smtp2.idl.com.au =? smtp3.idl.com.au.
Host smtp3.idl.com.au. (checking ip) = 203.33.254.147
203.33.254.147 is not an MX for smtp2.idl.com.au
Host smtp2.idl.com.au (checking ip) = 203.32.82.5
203.33.254.147 is not an MX for smtp2.idl.com.au
smtp2.idl.com.au and smtp3.idl.com.au. have same domain - chain verified
Possible relay: 203.33.254.147
203.33.254.147 not listed in relays.ordb.org.
203.33.254.147 has already been sent to relay testers

Received: from localhost (localhost.localdomain [127.0.0.1]) by bishop.idl.com.au (Postfix) with ESMTP id B5B6451C775 for <xxxxx>; Wed, 30 Aug 2006 17:39:33 +1000 (EST)
Received: from bishop.idl.com.au ([127.0.0.1]) by localhost (bishop [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 29416-07 for <xxxxx>; Wed, 30 Aug 2006 17:39:33 +1000 (EST)
Cannot accept line without valid 'by'. Skipping chain test - would fail.

203.33.254.129 is not an MX for gemini.idl.com.au
Host gemini.idl.com.au (checking ip) = 203.33.254.129
Host bishop.idl.com.au (checking ip) = 203.33.254.150
203.33.254.150 not listed in dnsbl.njabl.org
203.33.254.150 not listed in cbl.abuseat.org
203.33.254.150 not listed in dnsbl.sorbs.net
Chain test:bishop.idl.com.au =? mail.idl.com.au
Host mail.idl.com.au (checking ip) = 203.33.254.150
203.33.254.150 is not an MX for bishop.idl.com.au
Host bishop.idl.com.au (checking ip) = 203.33.254.150
ips are identical
bishop.idl.com.au and mail.idl.com.au have close IP addresses - chain verified
Possible relay: 203.33.254.150
203.33.254.150 not listed in relays.ordb.org.
203.33.254.150 has already been sent to relay testers

Lots of configuration "issues" .....
mmarklew
QUOTE(Wazoo @ Aug 30 2006, 06:33 PM) *

Report Spam to:
Re: 203.33.254.129 (Administrator of network where email originates)
To: c9514955[at]alinga.newcastle.edu.au

I'll put my mail server on another subnet that I have access to the whois e-mail address or is there another way to change the reporting address? (I can't access the whois due to an APNIC policy with old registered class C's)

QUOTE(Wazoo @ Aug 30 2006, 06:33 PM) *

So that the spam being reported shown by dra007 was either prior to your switching to the smarthost

It would have been before, I only switched it 40 hours or so ago.

QUOTE(Wazoo @ Aug 30 2006, 06:33 PM) *

On the other hand, the parser shows lots of problems (well even the e-mail header itself complains about a misconfigured server ....)

I fixed the DNS, but am I correct the only error is to do with the virus scanning on outgoing e-mail? I will remove this service.

QUOTE(Wazoo @ Aug 30 2006, 06:33 PM) *

Lots of configuration "issues" .....

Lots? Other than the anti virus and the dns for 203.33.254.150, am I reading this wrong?
Telarin
Here's a possible scenario. If your mailserver had some kind of virus running on it, that virus would most likely not use your MTA to send mail, it would simply go direct to MX, which means that traffic would still be from your original mail server IP, not your relay. Your legitimate email would bounce from your MTA, to the relay/smart host and out on the new IP. As Wazoo suggested, I would watch port 25 traffic on your firewall logs and see if you are still showing traffic from your mailserver going out on port 25 to places other than your designated relay.
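The port 25 check Telarin describes, as an added example that is not part of any post in this thread: it scans flow records for SMTP connections that leave the mail server without going through the relay. The record layout, the destination addresses and the use of 203.33.254.147 as the smart host are assumptions; the sample flows are constructed.

```python
import ipaddress

MAIL_SERVER = "203.33.254.150"  # old mail server IP from the thread
SMART_HOST = "203.33.254.147"   # assumption: address of the designated relay

# Constructed flow records: epoch src sport dst dport proto bytes
SAMPLE_FLOWS = """\
1156923573 203.33.254.150 41022 203.33.254.147 25 tcp 18231
1156923580 203.33.254.150 41030 198.51.100.25 25 tcp 4410
1156923581 203.33.254.150 53211 192.0.2.53 53 udp 120
1156923590 203.33.254.150 41044 198.51.100.25 25 tcp 3977
1156923601 203.33.254.22 50211 192.0.2.80 25 tcp 2210
1156923605 203.33.254.150 41051 192.0.2.77 25 tcp 5102
1156923610 203.33.254.147 33010 198.51.100.25 25 tcp 18000
truncated record
"""


def parse_flow(line):
    """Parse one record; return None for malformed lines instead of raising."""
    fields = line.split()
    if len(fields) != 7:
        return None
    try:
        return {
            "ts": int(fields[0]),
            "src": ipaddress.ip_address(fields[1]),
            "dst": ipaddress.ip_address(fields[3]),
            "dport": int(fields[4]),
            "proto": fields[5].lower(),
        }
    except ValueError:
        return None


def direct_smtp(flow_text, watched=MAIL_SERVER, relays=(SMART_HOST,)):
    """Count tcp/25 flows from `watched` (an IP or CIDR) that bypass the relays.

    Returns {(src, dst): count}. Flows to a relay are expected, and flows
    originating from a relay are exempt because delivering mail is its job.
    """
    net = ipaddress.ip_network(watched, strict=False)
    allowed = {ipaddress.ip_address(r) for r in relays}
    hits = {}
    for line in flow_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["proto"] != "tcp" or flow["dport"] != 25:
            continue
        if flow["src"] not in net or flow["src"] in allowed:
            continue
        if flow["dst"] in allowed:
            continue
        key = (str(flow["src"]), str(flow["dst"]))
        hits[key] = hits.get(key, 0) + 1
    return hits


if __name__ == "__main__":
    # Mail server only, then the whole /24 to catch customer machines as well.
    for scope in (MAIL_SERVER, "203.33.254.0/24"):
        print(scope)
        for (src, dst), n in sorted(direct_smtp(SAMPLE_FLOWS, scope).items()):
            print(f"  {src} -> {dst}:25  x{n}")
```

An empty result for the mail server's address is what the netflow check in the next post amounts to; widening `watched` to the subnet covers the case of a customer machine sending direct to MX.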
mmarklew
QUOTE(Telarin @ Aug 30 2006, 11:01 PM) *

Here's a possible scenario. If your mailserver had some kind of virus running on it, that .......

That is a good point and worth checking. It's a Linux server with postfix, I guess it's possible it has been compromised. Just checked my netflow records and nothing going external from that IP. You had me worried for a second there.

Sorry to harp and thank you for your help, but I still do not know why I am blocked. Everyone has been helpful to give me records of spam my server sent but nothing in these posts allows me to track it back to my server and the originating user. I check the time stamps and there was nothing at the time I could see to be the message in question (my time is in sync).

Can I gain access to more of the header? I need the bit that shows the sent from/to or the message ID from my server so I can search my logs.
mmarklew
QUOTE(Wazoo @ Aug 30 2006, 06:33 PM) *

but I'm guessing that as you don't have even a free reporting account, I don't know if you will be able to see the "full, technical details" ..????

I have a paid spamcop e-mail account. I am happy to even pay for a reporting account if I can get the info I need. Believe me I see the need for the Spamcop service I am as committed as you at stopping spam. I have read loads of FAQ's and stuff but can find this out. There is a lot of info though. Can you point me to the right docs please?
Telarin
You should be able to get more detailed information from the deputies (deputies[at]admin.spamcop.net). The users here don't have access to any more information than what has already been posted unfortunately.
StevenUnderwood
QUOTE(mmarklew @ Aug 30 2006, 10:27 AM) *

I have a paid spamcop e-mail account. I am happy to even pay for a reporting account if I can get the info I need. Believe me I see the need for the Spamcop service I am as committed as you at stopping spam. I have read loads of FAQ's and stuff but can find this out. There is a lot of info though. Can you point me to the right docs please?

You get a paid reporting account with your paid email account, but you will not get any more information that way. The email address just above can provide the information, but you will need to prove to the deputies you are the administrator of that server.
mmarklew
Wazoo's previous comment about us getting listed for forwarded e-mail was correct but I didn't quite understand what he meant.

Turns out one of my customers was forwarding e-mail to a spamcop account (I even do this) and the parser was making a mistake with the forwarding via my anti-virus system. Means it was listing my ISP for the e-mail by mistake.

The deputy fixed it but I need to clean up the message routing to prevent this type of thing happening again. I have been using the amavis anti virus for almost a year, but there must be something I have done wrong in its configuration. Anyone seen this type of problem before and know how to fix the headers for amavis + postfix?

Thanks for everyone's help.
Snowbat
From Wazoo's earlier post:
Received: from bishop.idl.com.au ([127.0.0.1]) by localhost (bishop [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 29416-07 for <xxxxx>; Wed, 30 Aug 2006 17:39:33 +1000 (EST)
Cannot accept line without valid 'by'. Skipping chain test - would fail.

It looks like the parser rejected the 'by' entry because it was unable to resolve 'bishop' to 127.0.0.1. I guess 'bishop' comes from a hosts entry on your server or local DNS? Removing the entry from your hosts file or DNS should cause your server to stamp 'localhost' or 'localhost.localdomain' instead and the parser will accept that.

Apart from having names and IP addresses that resolve, the chain test likes relays that are either in the same domain or have 'close' IP addresses.
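A simplified lint for the 'by' check Snowbat describes, added here as an example; it is not SpamCop's parser and not code from any poster. The resolver table is constructed from addresses shown in the parser output quoted earlier in the thread, and the rule that each name in the 'by' clause must resolve to the address stamped next to it is an assumption about what the parser expects.

```python
import re

# Constructed resolver table standing in for DNS and /etc/hosts.
KNOWN_HOSTS = {
    "localhost": "127.0.0.1",
    "localhost.localdomain": "127.0.0.1",
    "bishop.idl.com.au": "203.33.254.150",
    "mail.idl.com.au": "203.33.254.150",
}

# Received lines as quoted in the thread (recipient already masked as <xxxxx>).
HEADERS = [
    "from localhost (localhost.localdomain [127.0.0.1]) by bishop.idl.com.au "
    "(Postfix) with ESMTP id B5B6451C775 for <xxxxx>; "
    "Wed, 30 Aug 2006 17:39:33 +1000 (EST)",
    "from bishop.idl.com.au ([127.0.0.1]) by localhost (bishop [127.0.0.1]) "
    "(amavisd-new, port 10024) with ESMTP id 29416-07 for <xxxxx>; "
    "Wed, 30 Aug 2006 17:39:33 +1000 (EST)",
]

# Constructed: the second header as it would look with a resolvable name.
FIXED_HEADER = HEADERS[1].replace("(bishop [", "(localhost.localdomain [")

RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s+\((?P<from_info>.*?)\)\s+"
    r"by\s+(?P<by_host>\S+)(?:\s+\((?P<by_info>[^)]*)\))?",
    re.IGNORECASE | re.DOTALL,
)
# "name [ip]" pair inside a parenthesised comment; the name is optional.
NAME_IP_RE = re.compile(r"(?:(?P<name>[\w.-]+)\s*)?\[(?P<ip>[0-9a-fA-F.:]+)\]")


def lint_received(header, resolve=KNOWN_HOSTS.get):
    """Return a list of problems with the 'by' clause of one Received line."""
    match = RECEIVED_RE.search(header)
    if not match:
        return ["no parsable from/by pair"]
    problems = []
    by_host = match.group("by_host")
    if resolve(by_host) is None:
        problems.append(f"'by' host {by_host!r} does not resolve")
    pair = NAME_IP_RE.search(match.group("by_info") or "")
    if pair and pair.group("name"):
        name, stamped = pair.group("name"), pair.group("ip")
        resolved = resolve(name)
        if resolved != stamped:
            problems.append(
                f"'by' name {name!r} resolves to {resolved}, header says {stamped}"
            )
    return problems


def lint_chain(headers):
    """Lint every hop; return {index: problems} for the hops that fail."""
    report = {}
    for index, header in enumerate(headers):
        problems = lint_received(header)
        if problems:
            report[index] = problems
    return report


if __name__ == "__main__":
    for index, problems in lint_chain(HEADERS).items():
        print(f"hop {index}: {'; '.join(problems)}")
    print("fixed header problems:", lint_received(FIXED_HEADER))
```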
mmarklew
QUOTE(Snowbat @ Aug 31 2006, 02:05 PM) *

It looks like the parser rejected the 'by' entry because it was unable to resolve 'bishop' to 127.0.0.1. I guess 'bishop' comes from a hosts entry on your server or local DNS? Removing the entry from your hosts file or DNS should cause your server to stamp 'localhost' or 'localhost.localdomain' instead and the parser will accept that.

Just checked and the hostname doesn't reverse to bishop, it's localhost in the /etc/hosts file. Must be something that either amavis or postfix is doing.. thanks.