Hi

Our IP - 203.48.247.108 has been blacklisted.
http://www.spamcop.net/w3m?action=checkblo...=203.48.247.108

When will we be delisted? It's severely affecting my users.

Thanks

Did you read the info at the link you provided? Says a short time.

What is more important is the reason you or your ISP are currently listed. Since the info says spam traps are involved you will to read through the many postings on this subject and attempt to prevent spam trap entries for your IP.

Senderbase indicates a severe problem for your IP.

Magnitude Vol Change vs. Average
Last day 4.5 23344%
Last 30 days 2.6 261%
Average 2.1

A 23000% increase in mail volume indicates something way out of line.

Andrew

Just users here - we're basically seeing the same as you. Delisting "in a short time". I was sort of hoping http://www.dnsstuff.com/tools/lookup.ch?na...et&type=ALL might give an early indication that delisting has actually happened but it still shows you "in" -

Answer:

Domain Type Class TTL Answer 108.247.48.203.bl.spamcop.net. A IN 2100 127.0.0.2 108.247.48.203.bl.spamcop.net. TXT IN 2100 "Blocked - see http://www.spamcop.net/bl.shtml?203.48.247.108"

Your prospects do not seem good of staying off the list frankly, unless you've fixed whatever was hitting spamtraps. You've already "used up" your express delisting - record says listed twice, 30 hours in last 31 (SC link you provided). Note huge increase in volume shown by SenderBase (a link from the SC link you provided).

Hi

How long is a short time? Is there a time frame because it seems a bit ambiguous. Also I believe I have fixed the problem with the massive increase in the SenderBase. As an extra pre-caution I have denied all smtp traffic besides the exchange 2005 server.

Thanks

Wish there was an answer I could give you - previous discussion at http://forum.spamcop.net/forums/index.php?...ost&p=30412 deals with it but you will see there are some "indeterminates".

And good work in attacking the problem - thanks for that.

THanks for taking action. The link Farelf provides suggests a 3 hour time period. In the past the message would say in so many hours. This changed to 'a short time' since the process never seemed to take the suggested time.

My experience is that 3 hours is at the low end as an estimate. I'd say sometime today - but that's a user's experience not an official response.

Andrew

SpamCop FAQ
jump/scroll down to the SpamCop Blocking List Service section

NEW! SCBL "will be delisted in 0 hours" (now shown as 'in a short time') explained

(*New" really doesn't count, as this entry has been there for quite a while now ... but I do get tired of the "can't find it" scenario ....)

Answer is ambiguous for the reasons stated ... recall, it took just as long to actually get listed and have that data propagate .....

Thanks for the replies, is there anyone I can contact to help speed this process up? Or is there really nothing I can do except wait? It's very hard to explain to users that nothing can be done but wait.

Thanks

You could always put your case (email) to deputies[at]admin.spamcop.net and describe your actions to fix things. But the remaining time (whatever it is) is probably not completely under their control as discussions, FAQ would indicate.

I'm going to have to say that there does seem to be a bit of an oddity going on here. Topic starting post was over six hours ago. Yet ....

http://www.spamcop.net/w3m?action=checkblo...=203.48.247.108
203.48.247.108 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in a short time.

http://www.senderbase.org/?searchBy=ipaddr...=203.48.247.108
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day ........ 4.4 .. 22521%
Last 30 days .. 2.6 ..... 262%
Average ........ 2.1

Small decline, but also would think that six hours of "problem fixed" would have reduced it a lot further ....

I'll kick up a note about the apparent 'hang time' .. but I think that perhaps the system involved might need some more scrutiny and work ....

The only thing I can guess at from here (based on not Reports showing) is something happening due to the math involved .... something along the lines ot a thousand e-mails going out, which sets up ine variable, but then a spamtrap hit occurs on one of those, which sets up another variable. And the cach is that the massive spew and the occasional spamtrap hit is keeping the equation fluttering on the cusp of de-listing/re-listing .... e-mail to Deputies has been sent ...

My latest check shows: 203.48.247.108 not listed in bl.spamcop.net

That does not mean that the people you are sending to all have updated their own caches (if they use them) or even that all of the mirrors are updated. But it is a start.

Both "direct" SC lookup http://www.spamcop.net/w3m?action=checkblo...=203.48.247.108 and "indirect" rDNS method http://www.dnsstuff.com/tools/lookup.ch?na...et&type=ALL showing blocklisting at this time. SenderBase

Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day 4.4 23066%
Last 30 days 2.6 261%
Average 2.1

"fluttering on the cusp of de-listing/re-listing" as Wazoo said - but there does seem to be something still leaking, volume seems fairly constant, not reducing.

[2 minutes later - off the listing on the SC lookup (again), still showing as listed via the indirect lookup]
[5 minutes more, back on per the SC lookup.]

At the time of this posting;
http://www.spamcop.net/w3m?action=checkblo...=203.48.247.108
203.48.247.108 not listed in bl.spamcop.net

http://www.dnsstuff.com/tools/ip4r.ch?ip=203.48.247.108
SPAMCOP Not listed

However;
http://www.senderbase.org/?searchBy=ipaddr...=203.48.247.108
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day ......... 4.5 .. 23329%
Last 30 days ... 2.6 ..... 261%
Average ......... 2.1

Still a serious question about a 'fix' being applied.

Ellen's response;

As seen on the SenderBase page, Date of first message seen from this address 2006-10-15 ... which makes the 'new' status apparent, but .... I'm still going with my previous guess, myself.

Hi
I have just checked http://www.senderbase.org/?searchBy=ipaddr...8&showRBL=1

and it seems the volume has dropped to 7130%, I know it's still high but at least it's reducing. I will continue to monitor. But how come on senderbase it says were still listed on bl.spamcop.net.

Yet on here it's not?
http://www.spamcop.net/w3m?action=checkblo...=203.48.247.108

Is it due to the cache and systems still updating?

Thanks

This IP seems to be delisted now:
203.48.247.108 not listed in bl.spamcop.net

However, Senderbase is up again:
Report on IP address: 203.48.247.108
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day 4.4 23009%
Last 30 days 2.6 261%
Average 2.1

23009%?!?! Something's definitels wrong here...

Good luck,

A. Friend

Hi
On another note. I want to prevent this from happening again and will follow throught FAQs and suggestions. However for redundancy and to prevent major email disruption from happing again I want to implement the following:
1. Create another mx (mail2.charterhall.com.au) record that will point to ip 203.48.247.107
2. Configure required Firewall settings to have this IP ready for use with Exchange server, but have it only deny until required.
3. If for unforseen reason ie. new vulnerability, we are listed anywhere.
4. Change FQDN in Exchange Virutal SMTP Server to mail2.charterhall.com.au
5. Change external IP of firewall to 203.48.247.107
5. Deny all SMTP for 203.48.247.108
6. Re-route all SMTP traffic via 203.48.247.107

Thus email will traverse through the backup IP and mx record.

Please suggest if this will work.




I just check and it says the followiing?

Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day 4.0 7140%
Last 30 days 2.6 261%
Average 2.1

Is there something wrong with Senderbase?

A spamcop listing will not affect your incoming messages at all, only outgoing and only to domains that use DNSBL's.

If it is a vulnerability with that server causing the issues, you are likely to cause both IP's to become listed. You are better off fixing the issue than working around it.


That being said, if you can setup your firewall to send messages as a different IP, that would work.

I am seeing:
Report on IP address: 203.48.247.108

Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day 4.0 7145%
Last 30 days 2.6 261%
Average 2.1

Cache issue?

Hi
Thanks, I understand that if the problem is not fix that both IP can be blacklisted. I just want to have a backup IP so that emails can still be sent to domains using DNSBL and Spamcop after I fix the problem, while Spamcop does it's 24hr wait thing on the other IP.

I also create a second mx record for reverse lookup. This is correct yeah?
ie mail2.charterhall.com.au <---> 203.48.247.109

With the cache thing I was referring to A_Friend, he saw the SenderBase reporting
- Last day 4.4 23009%

Thanks

Either your updates have not fully propagated, or you may have a slight error.
Using Server: resolver1.opendns.com
Address: 208.67.222.222

mail2.charterhall.com.au = 203.48.247.107

203.48.247.107 = *** resolver1.opendns.com can't find 203.48.247.107: Non-existent domain

203.48.247.109 = mail.charterhall.com.au = 203.48.247.108

mail.charterhall.com.au = 203.48.247.108 = mail.charterhall.com.au

Hi
Yeah just did it 2 hours ago.

Thanks

Showing up in the MX records per http://www.dnsreport.com/tools/dnsreport.c...terhall.com.au+ but without rDNS or connectivity yetThat is understood - but are there any causes for concern in DNSReport? I don't know enough (anything) but re name servers with ozhosting.comCan't see how that could possibly be anything to do with mail issues but then this stuff is ALL whitefella magic to me.

Another data point;

http://www.spamcop.net/w3m?action=checkblo...=203.48.247.108
203.48.247.108 not listed in bl.spamcop.net

http://www.senderbase.org/?searchBy=ipaddr...=203.48.247.108
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day ........ 4.0 .. 7152%
Last 30 days .. 2.6 .... 261%
Average ........ 2.1

and while I'm at it, another e-mail to IronPort about some of the data involved ....

another data point;
http://www.senderbase.org/?searchBy=ipaddr...=203.48.247.108
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day ......... 2.5 .... 74%
Last 30 days ... 2.6 .. 256%
Average ......... 2.1

Good sign, looks like output has dropped back to "normal" for that server.

As far as a SpamCopDNSBL listing, things would appear to be resolved. The follow-on SenderBase Reputation points issue (another Topic that was moved to the Lounge) would seem to still probably be an issue for a while ...

Storyline seems to be;
http://www.senderbase.org/?sb=1&search...rterhall.com.au
Date of first message seen from this domain 2006-09-21

http://www.senderbase.org/?sb=1&search...=203.48.247.108
Date of first message seen from this address 2006-10-15

That server was somehow compromised almost immediately, spewing stuff out at a magnificent rate. What it was spewing is still in question. There is no "Report History" so it doesn't appear that any spam was reported. A check of a couple of other BLs that work on spamtrap hits didn't 'see' this IP address. So the logic also seems to include that the folks that took over this server were including (if not specifically targetting) SpamCop.net spamtrap addresses.

And flowing with that stream, note the change in the statistics showing in the Reporting System Statistics link at the top-right of this page .... (well actually, follow that link and scroll down to the weekly chart) ... possible connection ???? at least, it's an odd coincidence .....

There is a largish body of opinion that would suggest:

7. Disconnect Exchange server from WAN and put a linux/unix server inbetween :-)

Yeah Derek, that may have been true for earlier versions of Exchange, but I would say for exchange 2000+, the lack of ability is not with the software. The problem is that it is GUI based, which makes people that have no idea what they are doing think they are mail server admins. The safety with Linux is that you have to be at least somewhat proficient to get it working at all. Exchange works pretty much right out of the box without having to deal with any advanced configurations. Thus a non-proficient user can get it up and running without taking into consideration any of the ramifications of their (lack of) configuration options.

Thanks for bringing me up-to-date. Have all the 'unsafe' defaults, standard accounts etc. now been corrected 'out of the box'?

There are still a number of "out of the box" configuration problems, which is one of the problems with Exchange. The unsafe accounts have pretty much been dealt with, but there are some configuration changes that must be made to prevent unsolicited bounces, etc. People think that because it is a GUI, they don't need any experience as an email admin to set it up correctly, and that is an incorrect assumption, and leads to many of the problems that are associated with Exchange.