Hello all,

I've read the FAQs and the pinned topics, so I hope I'm doing this right..

I have an in-house email server at our domain - basdensteel.com, 72.54.21.34

One of the users here received the following bounce message:


<lester[at]kupermanortho.com>: host mail.kupermanortho.com[66.212.116.85] said:
550 Rule imposed as jeanne[at]basdensteel.com is blacklisted on SpamCop (see
www.spamcop.net) (in reply to RCPT TO command)

Further down, there was another block of information, similar to the above:

Reporting-MTA: dns; mail.basdensteel.com
X-Postfix-Queue-ID: DC10E16A0
X-Postfix-Sender: rfc822; jeanne[at]basdensteel.com
Arrival-Date: Mon, 23 Oct 2006 09:28:30 -0600 (MDT)

Final-Recipient: rfc822; lester[at]kupermanortho.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host mail.kupermanortho.com[66.212.116.85] said:
550 Rule imposed as jeanne[at]basdensteel.com is blacklisted on SpamCop (see
www.spamcop.net) (in reply to RCPT TO command)


However, when I went to the page where I enter our IP address to find out why we're blacklisted (as per all the FAQs and links).... I get a response that we are NOT.

So... why this email bounce?

The weird thing, the bounce message didn't confirm our IP address, but I do know basdensteel.com is 72.54.21.34 and we do our email on an in-house server.

Thank you for the help! Let me know if I didn't include enough information.. I tried!

Linda Webb

Thank you for trying. Unfortunately, the error message, as you stated, does not provide enough information.

Does your mailserver send directly to the reciving MX server, or does it use your ISP as a smarthost?

If you are unsure, you can send the address in my sig a test message. Please mention "spamcop forum test" in the subject so I don't accidentally report your test. I will then look at the headers, and hopefully have some additional information for you. You could also do the same with an address you control outside of the affected domain (yahoo, home account, etc.).

The error message you are citing is really bad. As you've already noted, the SpamCopDNSBL does not list e-mail address, just IP addresses. That the error message is so wrong also brings up the possibility of other configuration problems at that receiving server. It may be that the SpamCopDNSBL is pointed to erroneously due to some other BL or local file ....

ns99.worldnic.com reports the following MX records:
Preference Host Name IP Address
10 basdensteel.com 72.54.21.34

10/23/06 12:05:03 Slow traceroute basdensteel.com
Trace basdensteel.com (72.54.21.34) ...

This is your incoming e-mail server .. it is also the same IP address as where you are posting from .... strangely enough, it is also the same IP address that's hosting a web-site ...

Are you sure that this is the same IP address used by your outgoing e-mail?

I don't think that Linda said that, Wazoo. She mentioned an "in-house server" but its IP address is a mystery to us...for the moment...until she posts it.

DT

MX lookup returned the same IP address as the web-server which is the same IP address used to post here .. All the "incoming" stuff may be handled in-hopuse, but I'm going alnf the same path as StevenUnderwood .. the outgoing is handled by another server .... (and that server chose to ignore/reject the ICMP traffic in the traceroute I tried .. if I recall correctly, there were 4 steps beyond a Verizon server that failed, the site being the fifth step .. assumption would be that at least one of those was probably a router.)

I see that neither SpamCop.net or IronPort/SenderBase staff have fixed the BL lookup page result issue yet, but http://www.senderbase.org/search?searchString=72.54.21.34 does show traffic 'seen' from this IP address and 72.54.21.26 ... which is listed in the SPamCopDNSBL ...

http://spamcop.net/w3m?action=checkblock&ip=72.54.21.26
72.54.21.26 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 0 hours.

Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
SpamCop users have reported system as a source of spam less than 10 times in the past week
Additional potential problems

DNS error: 72.54.21.26 has no reverse dns

Reports would have gone to abuse[at]cbeyond.net

Report history pretty slim, so must have been the spamtrap hits;

Report History:
-----------------------------------------------------
Submitted: Sunday, October 22, 2006 4:32:46 AM -0500:
heya, this it or no
1978978716 ( 72.54.21.26 ) To: spamcop[at]imaphost.com
1978978684 ( 72.54.21.26 ) To: abuse[at]cbeyond.net

noting that http://www.senderbase.org/search?searchString=cbeyond.net lists two other IP addresses seen as e-mail sourcing ...

I think we're adding superfluous info here, all having to do with remote webhosting servers rather than the "in-house server" mentioned in the OP. Basden Steel is physically in the "Texoma" region (Texas/Oklahoma), the offices of the company responsible for the IP address assigned to their website is in Atlanta, GA (but they also have a Dallas/Ft. Worth facility). The IP address given does seem to resolve to somewhere local to the Texas office of Basden Steel. It's entirely possible, however, that the "in-house server" has a different IP address than the web server (or the MX)....we need for the OP to either send a message to Steven or to provide the IP directly.

on edit: nevermind...the OP returned (see below) with the necessary info...seems to be all one IP after all.

DT

I wasn't sure.. so I did try sending you an email message, and it bounced back immediately with this error:

<underwood+forum[at]spamcop.net>: host mx.spamcop.net[216.154.195.53] said: 553
http://www.spamhaus.org/query/bl?ip=72.54.21.34 (in reply to RCPT TO
command)

Reporting-MTA: dns; mail.basdensteel.com
X-Postfix-Queue-ID: 307E716A1
X-Postfix-Sender: rfc822; linda[at]basdensteel.com
Arrival-Date: Mon, 23 Oct 2006 12:00:05 -0600 (MDT)

Final-Recipient: rfc822; underwood+forum[at]spamcop.net
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host mx.spamcop.net[216.154.195.53] said: 553
http://www.spamhaus.org/query/bl?ip=72.54.21.34 (in reply to RCPT TO
command)


I also sent email to my gmail account, to see the headers, per your 2nd suggestion -- since in both I see the IP address I expected to see, I think it puts that question to rest?

X-Gmail-Received: 0b61c000169b659b9655f98d91ef0f456e7b73e6
Delivered-To: ariel817[at]gmail.com
Received: by 10.78.200.18 with SMTP id x18cs689193huf;
Mon, 23 Oct 2006 10:59:20 -0700 (PDT)
Received: by 10.35.121.12 with SMTP id y12mr5935229pym;
Mon, 23 Oct 2006 10:59:19 -0700 (PDT)
Return-Path: <linda[at]basdensteel.com>
Received: from mail.basdensteel.com ([72.54.21.34])
by mx.google.com with ESMTP id r15si1090449nza.2006.10.23.10.59.18;
Mon, 23 Oct 2006 10:59:19 -0700 (PDT)
Received-SPF: neutral (google.com: 72.54.21.34 is neither permitted nor denied by best guess record for domain of linda[at]basdensteel.com)
Received: from [10.1.1.119] (unknown [10.1.1.1])
by mail.basdensteel.com (Postfix) with ESMTP id 4391016A1
for <ariel817[at]gmail.com>; Mon, 23 Oct 2006 12:00:54 -0600 (MDT)
Message-ID: <453D02ED.8010602[at]basdensteel.com>
Date: Mon, 23 Oct 2006 12:59:09 -0500
From: Linda Webb <linda[at]basdensteel.com>





Wazoo: We are a small'ish company behind a firewall and on a T1 & 1/2 provided by CBeyond. We have an email server and webpage that we host on a Linux server located on premises. I'm not sure, but is it surprising to have it all on the one IP address? Since we do our own webhosting and email hosting, I mean....





Okay, I won't pretend not to be confused... but I do know that the range of public IPs assigned to me by CBeyond is 34-38, so 26 isn't us. I would assume that's a different CBeyond customer.

I have had a problem with AOL user accounts, and CBeyond not providing a reverse lookup (they kicked the problem to me, but I don't believe that even though we are assigned this IP, that we control enough to add a reverse entry, and I think I need to get CBeyond to do something..

That being said, could this error be part of that same problem?

Although, since the error message specifically mentioned SpamCop, you'd think we'd show up here... unless it would be the same error for a missing reverse DNS entry.

Oh my....your IP has some serious issues, it would appear, from this multi-RBL check:

http://www.robtex.com/rbls/72.54.21.34.html

take a look. Those four "pink" lines at the top spell trouble. However, your IP address is *not* currently listed on the SCBL (the one maintained by SpamCop), nor does the data found at Senderbase.org look at all troubling.

But even stranger is the delivery error you've posted above....unless I'm realing it wrong, it looks as if SpamCop's email server rejected the delivery attempt from your server based on the SpamHaus.org blocklist status....I didn't think that the SpamCop email server did that sort of thing, except for a very small internally-maintained list of nasty spam sources.

This needs some looking into, IMO.

And yes, Linda, you really *do* need to have reverse DNS. Here's a quote from the DNSReport.com check on your DNS status:


The rest of your DNS setup is excellent...take a look here:

http://dnsreport.com/tools/dnsreport.ch?do...basdensteel.com

DT

Whoa - thanks for the good info.

On the first report, and the red links -- that's bothersome, to put it mildly. Can you tell me, is that all of CBeyond, or just my domain?

On Reverse DNS, I will work on that. I assume that I'm ultimately correct and the CBeyond customer support was wrong -- it's on THEM to provide it, and has nothing to do with Network Solutions (where we registered our particular domain).

On the SpamCop/SpamHaus thing -- how do I look into that further? I seem to be getting more confused, not less! (But not your fault, and I am very grateful for the help and suggestions already provided..)

Very interesting as spamcop generally is not supposed to be bouncing any messages, but that server is definitely mx53.cesmail.net [216.154.195.53]. Sending query off on that now.


That line does indeed point to 72.54.21.34 as your server.
As stated already, it is not unusual for servers to be misconfigured to identify spamcop even though it is a different list actually causing the block. Your IP is listed at CBL as the bounce from spamcop indicated.

Not sure without doing lookups on all the IPs included in 72.54.0.0 - 72.54.255.255, but the other one that Wazoo provided (72.54.21.26) is much more problematic than yours...their outbound transmissions have increased almost 800% in the last 24 hours. You might want to call CBeyond and tell them to check into that one, because it's like having a "bad apple" in the barrel (although SpamCop's BL doesn't work that way...it treats each IP separately).


I'm not sure...someone else should chime in with a good answer to that one.

DT

Yes, since CBeyond provided the IP addresses, they would have to provide the reverse DNS (also known as a PTR record) for you. I had a similar problem with Southwestern Bell several years ago, and had to get up to Tier 3 support before they had any clue what I was talking about. Once I found a tech with an IQ over 75 however, I was routed immediately to the correct department and got it fixed.

From what I could see at CBL, and since we are behind a NAT, I could possibly have a user with a virus sending out email that I don't see in my email server logs... am I understanding their stuff correctly?

I did miss that some messages say spamcop but use something else...


The good news is that today I seem to have a tech support guy who knows what he's doing, so at least the missing reverse dns entry will be fixed shortly!

Yes, if all your computers are sharing a single public IP, then spam sent from ANY of them could cause the listing. If your firewall won't let you put the server on its own seperate public IP (I know many are either all nat, or all public, but no combination of the two), then you might want to see if you can set it to block all outbound connections to port 25 from anything but your mail server.

Thanks, Telarin! I knew someone could answer that better than I (I'm actually a choir director who knows just enough about all this stuff to be dangerous....sort of.) Being sure to block all unnecessary outbound port 25 connections is essential, if your firewall isn't already doing that.

But it's my turn to bring up another possible issue. They're using a Barracuda Spam Firewall appliance to filter their incoming mail for viruses and spam, and even though that device is primarily involved in *receiving* email, there are situations where it can actually be *transmitting* stuff also....specifically "backscatter." All one need do is to Google:

barracuda backscatter

and you'll find useful information (including a Tech Bulletin from Barracuda Networks) about how to make sure that your 'cuda isn't behaving badly in this respect. Barracuda Networks has had to modify their position on the optimal settings, in that spammers have really messed up the whole concept of auto-responses, ND reports, etc. that happen (mostly) after the attempted delivery of email messages. Here's the SpamCop page on "backscatter" (aka "misdirected bounces") -

http://mailsc.spamcop.net/fom-serve/cache/329.html

Linda,
As a server administrator, you can contact the SpamCop Deputies (start with the form found here: http://mailsc.spamcop.net/fom-serve/cache/91.html) to see if your Barracuda might be doing things like that, but first go through all the info found in the searching mentioned above.

DT

Thanks, Steven. Please share any answer you receive with us, but perhaps as a new Topic in the SC Email forum instead? This is kinda distressing....I don't want extra SMTP rejecting going on that I'm not informed about....that's what we don't like about other email providers....you never know what/who they might be blocking.

DT

Well, I did add a rule to our firewall that blocked all outbound port 25 traffic except for our servers... and lo & behold, found two computers slamming away at the rule....

So -- I think I have 1) found our problem computers,

and 2) Closed off the problem from ever getting us blacklisted again in the outside world, because at least they are just beating themselves up against the firewall rule.

I will check out the Barracuda backscatter info.

Y'all have NO idea how MUCH I appreciate the quality and quickness of your responses! You are all awesome!

THANKS!

Linda

Thank YOU for coming here with an open mind, and a willingness to find and fix the problem, rather than blaming the blocklist for being the "cause" of your problem.

We all appreciate that more than you think.

Ditto...what he just said. :-)

DT

There once was a girl by the same name I knew back in the early 70's, stationed in Augsburg, Germany. I remember being more than a bit impressed by her. She put a lot of the guys to shame in her ability to apply what she knew, work out what she didn't know, how to ask for help when she needed it .... There must be some magic associated with that name, as I believe I'm seeing the same thing happen all over again. Kudo's on finding/fixing the issue. Thanks for getting involved and handling the situation as gracefully as you did.

*Blush* You are considerably too kind!

Like DavidT claims (but more truly so), I generally know just enough to be dangerous, so thank heavens for intelligent people willing to donate their time and knowledge to others! In my book, y'all get the kudos!

But I do know what you mean.. I'm sure most exchanges are people coming and blustering and angry... mostly frustrated, but definitely not in the mode to take helpful suggestions well.

On the other hand, where are you guys when I call tech support somewhere (anywhere)? Why can't tech support people be as smart and helpful? Haha!

Well, there was more to the story <g> Throughout my Army career, I seemed to be the guy that folks liked to assign the problem-childs, hell-raisers, etc. to work under. That other Linda was one of the first women brought into that particular job description, and as no one had 'dealt wih women' before, she was natually assigned to be a part of my crew. I had no problems at all dealing with her, as said, she knew what she was doing. Now keeping track of all my guys ... that was another whole story .. way too many of them focused on 'being there to help' whenever she might need it (if you catch the drift)

Amazingly enough, I suggested that another lady take a look at this very Topic, as compared to the rant started that got her Topic moved to the Lounge .. and of course, her complaint is that almost no one actually tried to help her here.

There needs to be something in the registration process that helps an uninformed person find out their IP address.

Had anyone else from my company tried to solve this.... they'd have not had a clue what an IP address is, let alone how to figure out ours.

Maybe -- the message board message when you start a new topic in the block list help area could have a blank that specifically SAYS IP address (and a link to how to find out what IP address you are on for the unknowing)...

That seems to be the common issue -- people want to think in terms of domains, and not IPs. The majority of people barely know what an IP is. So even the help files that say post IP address doesn't help that much with that kind of user..

I dunno, just an idea.... I know how many people in my office don't know what an IP is, and as soon as a help is posted without one, the automatic response is you don't have enough info to really help.

Actually, a required Mail Server IP address field for the blocklist forum is not a bad idea. Though I suspect from past reactions to requests for IPs, that some will just post into a different forum section rather than taking the time to read the material provided... Its along the same lines as being able to lead a horse to water.

Well, the Moderators here can see the Posting IP address. But the problem is that this usually has nothing to do with the IP address of the outgoing e-mail server involved.

On the other hand, I do believe I have a FAQ entry that does do the "What is my IP address" thing .... but, guss what, I'm going to have to go look <g> Ah yes, I did have it in a FAQ tool that didn't survive the last upgrade of this Forum application .. and also had a note their describing the fact that the displayed IP address probably wasn't associated with the e-mail server in question .... will think about adding that to the Wiki ... but for most users, this is simply contrbuting to their confusion ...

I'd tried doing up a "new post with pre-defined content" but .... that also got to be a monster, so gave up on that. There are some FAQ entries now tha exist that talk to 'reading headers' and such, but ... they are buried in the FAQ ... the 'official' FAQ is a hyperlinked set of pages that folks complained about .. the single-page-access-expanded version I originally hacked together here was basically an attempt to work around the "get lost in the maze" complaint .... I have also installed and tried something like a half-dozen other FAQ tools that didn't receive any accolades .... we're now trying to work on a Wiki format, but not receiving much feedback on that effort either ....

There is the FAQ Development Forum that was set up just for this .... the problem is (as usual) trying to talk about technical stuff without using the technical jargon, but still providing correct data. And by not using technical jargon, one runs into the issue of folks re-defining other words in their descriptions, which then leads to confusion in the minds off other folks that attempt to use the correct definition of a word in trying to respond ... then we're back to the name-calling spasms ....

If you don't know, ask. I am technically non-fluent also and although at one time I knew how to find out IP addresses, I am not sure exactly how to go about it now. I have been trying to remember because I need to know an IP address which I think I have blocked and shouldn't. I don't have the money to hire a professional so I will either find it by googling or ask someone here if I get totally frustrated.

The problem is that having a website, a domain, and email needs an administrator who knows these things. If you don't, then you are going to run into technical problems. If your car needs a tune-up, do you try to do it yourself? It's possible with the help of manuals and people who will help you for free. And there are a lot of professionals on this forum who will help you. But, generally, when your car needs a tune-up, you hire a mechanic.

Miss Betsy

Later: I googled 'find IP addresses' and found several sites. One of them was to get your IP address. Another, which I used, was dnsstuff mentioned by someone else. Some people don't want to know where the air filter is on their automobile (do they actually have air filters any more? I know they don't have carbureutors - I think they still have vacuum hoses.), but they can identify the sound an automobile makes when something goes wrong and then they take it to a mechanic to fix. Other people, either out of necessity or inclination, will learn to do it themselves.

...Done? IP Address and references to "IP Address" in What is the SpamCop Blocking List (SCBL)?

I was going with thre flow on the "This is your IP address" display thing. It's just that we get so many folks already coming in here with those exact words, but the e-mail server IP address actually involved is 'way over there' ...

Woeking on some way to convery it along the lines of 'this is what one looks like (yours happens to be .......) but ... you need to find the one that's associated with your outgoing e-mail server" .. now that's where the hard part comes in .....

1. in the rejection message (already asked for in several places, and only works if that ISP did it correctly)
2. directions to send e-mail to another account, then provode those headers (can see the complaints now)
3. ask your ISP (yeah, right in most cases)
4. as StevenUnderwood has done so many times in the past ... provide an e-mail address for them to send e-mail to ...
5. point back to the FAQ and the vaious "How to read headers" stuff
6. ??????

With the smaller providers you can get the outgoing servers from the domain name (DNSStuff on the email address to get the MX, SenderBase on that to see whatever other "sending" servers - sometimes direct to SenderBase on domain name. Heaps of other tool but these ones are fairly easy to use.

But Comcast, Verizon, whatever - has to be one of the more direct ways for them. Hmm - DNSStuff pages show the users IPA, thus an alternative way to get that (as said, mostly useless in terms of mail).

Yeah .. I think I recall wading through SenderBase listing of about 20 or so once .. finding three listed .... which still really didn't help directly .... basically decided that night that I wasn't going to waste my time going through all that again ...

And as you say, when I look at something like "listing 1 out of 100+" ... nope .. research comes to a halt pretty quickly ...

This one is the most effective, IMO, in that people often give their domain name, and then we waste time looking up the MX and speculating, when they might not even be sending through that box in the first place, or the IP of the shared box is entirely different than the IP assigned to a particular domain. I've seen lots and lots of time and effort wasted here that could have been saved by urging (or even forcing, ie "no more help until you send us a test email") someone to send an email for inspection.

DT