Full Version: 68.160.79.3
VRod74
Hi,

68.160.79.3 is not listed when I check your database, but my domain is still getting blocked and I get a lot of bounce backs from your reporting service. MX and PTR records check out fine. I don't have open relays since the last time I checked and I'm using TrendMicro IMSS for email gateway. Cisco firewall is hardened to only port 25 for this IP. I have also turned off NDRs and Out Of Office replies to the internet from going out.

Heck, I have even run a full-fledged AV scan on all nodes inside my network and they turn up clean.

I'm going nuts here, what else am I missing?
StevenUnderwood
QUOTE(VRod74 @ Nov 10 2006, 02:49 PM) *
68.160.79.3 is not listed when I check your database, but my domain is still getting blocked and I get a lot of bounce backs from your reporting service. MX and PTR records check out fine. I don't have open relays since the last time I checked and I'm using TrendMicro IMSS for email gateway. Cisco firewall is hardened to only port 25 for this IP. I have also turned off NDRs and Out Of Office replies to the internet from going out.

Heck, I have even run a full-fledged AV scan on all nodes inside my network and they turn up clean.

I'm going nuts here, what else am I missing?

You are correct that it is not listed and the only publicly available report in the last 30 days is:

Submitted: Friday, November 03, 2006 5:24:58 AM -0500:
Undeliverable: Spam: Eleanor wrote:
1998972172 ( 68.160.79.3 ) To: abuse[at]verizon.net


Please provide the full text of one of the bounce messages so we can try to help. I don't know what you mean by "bounce backs from your reporting service"? Reports for that IP address would be sent to verizon.net.
Wazoo
QUOTE(VRod74 @ Nov 10 2006, 01:49 PM) *
68.160.79.3 is not listed when I check your database, but my domain is still getting blocked and I get a lot of bounce backs from your reporting service. MX and PTR records check out fine. I don't have open relays since the last time I checked and I'm using TrendMicro IMSS for email gateway. Cisco firewall is hardened to only port 25 for this IP. I have also turned off NDRs and Out Of Office replies to the internet from going out.

Heck, I have even run a full-fledged AV scan on all nodes inside my network and they turn up clean.

I'm going nuts here, what else am I missing?

What's missing 'here' is an example of one or more of the rejection notices you say you are receiving.

http://spamcop.net/w3m?action=checkblock&ip=68.160.79.3
68.160.79.3 not listed in bl.spamcop.net

http://www.senderbase.org/search?searchBy=...ing=68.160.79.3
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day ........ 3.5 .. 650%
Last 30 days .. 3.2 .. 277%
Average ........ 2.6

Can you justify that increase in traffic as something other than spam/misdirected bounces/etc. ??

Report History:

Submitted: Friday, November 03, 2006 4:24:58 AM -0600:
Undeliverable: Spam: Eleanor wrote:
1998972172 ( 68.160.79.3 ) To: abuse[at]verizon.net

The only item showing as a reported spam ....

So, from 'just another user' viewpoint, it is not currently listed, no sign available that it was ...
so if it was, it's not now ..

The other possibility is that the receiving ISP has a screwed up configuration, whereas your e-mail may be rejected, but the wrong 'justification/error' message is being generated ....
Miss Betsy
You do not get any 'bouncebacks' from spamcop. You get rejection messages by server admins who are using the spamcop blocklist.

Some admins are lazy and use the spamcop message format to reject email for reasons other than that the IP address is on the spamcop bl. Your IP address is not listed on any other blocklists, however. Are all the 'bouncebacks' coming from one place? If so, it would probably be a good idea to contact that server admin and ask hir.

It might be a good idea to provide the rejection message. The only alarming thing is that your senderbase stats show an increase.

A real server admin may be by shortly to ask you more technical questions. Meanwhile, I would continue looking for a way that something could be compromised.

Miss Betsy
VRod74
QUOTE(StevenUnderwood @ Nov 10 2006, 04:48 PM) *
You are correct that it is not listed and the only publicly available report in the last 30 days is:

Submitted: Friday, November 03, 2006 5:24:58 AM -0500:
Undeliverable: Spam: Eleanor wrote:
1998972172 ( 68.160.79.3 ) To: abuse[at]verizon.net
Please provide the full text of one of the bounce messages so we can try to help. I don't know what you mean by "bounce backs from your reporting service"? Reports for that IP address would be sent to verizon.net.

Sorry, I call them bounced emails... Here are two examples:

****** Message from InterScan Messaging Security Suite ******

Sent <<< [Session Initiation]
Received >>> 554 http://www.senderbase.org/search?searchstring=68.160.79.3

Unable to deliver message to <2046[at]prtc.net>.

************************ End of message **********************

and the other is this:

****** Message from InterScan Messaging Security Suite ******

Sent <<< [Session Initiation]
Received >>> 554 "your access to this mail system has been rejected due to the sending mta's poor reputation. please reference the following url for more information: http://www.senderbase.org/search?searchstring=68.160.79.3 if you believe that this failure is in error, please contact the intended recipient via alternate means."

Unable to deliver message to <mleone[at]oxfordshirtmakers.com>.

************************ End of message **********************

I have already contacted Verizon.net regarding this. I haven't heard from them since.

By the way all that increase in traffic is all the spam that's trying to get in my server which I try to filter as much as I can.
Wazoo
OK, what I am seeing is that the SpamCopDNSBL is not involved here. Those rejection notices are dealing with something using SenderBase Reputation scores to make the call. And the only thing I can suggest on that is to point back to my previous question ....

OK, you edited your last while I was typing in the above ... editing this one to add a reply;
QUOTE(VRod74 @ Nov 10 2006, 04:03 PM) *
By the way all that increase in traffic is all the spam that's trying to get in my server which I try to filter as much as I can.

No, your "incoming" is not what is 'scored' on that SenderBase page. However, the 'connection' may be that your server is sending out those mis-directed bounces in reply to that flood of spam .... which then may also be feeding into the 'bad reputation' point scoring ...???
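Added example, not part of the original thread: a short Python triage of rejection notices like the two posted above, reporting which reputation source a 5xx reply points at and building the DNS name to query when the SCBL itself needs checking. The third sample line is constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# URL domain -> reputation source it indicates.
SOURCES = {
    "senderbase.org": "SenderBase reputation",
    "spamcop.net": "SpamCop blocklist (SCBL)",
}
CODE_RE = re.compile(r"(?<![\d.])([45]\d\d)[ -]")
URL_RE = re.compile(r'https?://([^/\s"]+)(\S*)', re.I)
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# First two: replies quoted in the thread (second abridged). Third: constructed.
NOTICES = [
    "Received >>> 554 http://www.senderbase.org/search?searchstring=68.160.79.3",
    'Received >>> 554 "your access to this mail system has been rejected due to '
    "the sending mta's poor reputation. please reference the following url for "
    "more information: http://www.senderbase.org/search?searchstring=68.160.79.3 "
    'if you believe that this failure is in error, ..."',
    "550 Blocked - see http://www.spamcop.net/bl.shtml?68.160.79.3",
]

def triage(notice):
    """Return (smtp_code, source, ip) for one rejection notice."""
    code = CODE_RE.search(notice)
    source, ip = "unknown", None
    for host, rest in URL_RE.findall(notice):
        host = host.lower()
        for domain, name in SOURCES.items():
            if host == domain or host.endswith("." + domain):
                source = name
                found = IP_RE.search(rest)
                if found:
                    try:
                        ip = str(ipaddress.IPv4Address(found.group(1)))
                    except ValueError:
                        pass  # digits that are not a valid address
    return (code.group(1) if code else None, source, ip)

def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """DNSBL lookups reverse the octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

if __name__ == "__main__":
    for n in NOTICES:
        print(triage(n))
    # An A record such as 127.0.0.2 means listed; NXDOMAIN means not listed.
    print(dnsbl_query_name("68.160.79.3"))
```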
Telarin
Wow, I can't say I've ever seen ANY ISP reject email based solely on senderbase reputation. I'm not even sure where they would pull that information from. Perhaps a paid service from senderbase?

The senderbase reputation, while handled by IronPort, the same company that owns Spamcop, is not in any way related to the SCBL.

I would try to contact the receiving ISP to find out what the problem is, since I don't believe there is any way to access the "Senderbase reputation" without paying for that service. It doesn't appear that that IP is listed in ANY blocklists, so I would write this off as a clueless admin on the receiving end.
VRod74
Wazoo, I will check my spam server and see if this is a case of misdirection based on the traffic information from senderbase. I will monitor outgoing traffic from my side and see what's happening.
Wazoo
Wow! Something appears to have happened for sure ...
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day ........ 3.1 .. 106%
Last 30 days .. 3.2 .. 278%
Average ........ 2.6

Thanks!
Farelf
QUOTE(Telarin @ Nov 11 2006, 06:15 AM) *
... Wow, I can't say I've ever seen ANY ISP reject email based solely on senderbase reputation. I'm not even sure where they would pull that information from. Perhaps a paid service from senderbase? ...
The concept is addressed in the IronPort whitepaper http://www.ironport.com/pdf/ironport_c60_rep_based_paper.pdf - part of the "solution" package.
VRod74
Ok I got listed this time. Although traffic from senderbase.org has lowered.

68.160.79.3 listed in bl.spamcop.net (127.0.0.2)

Listing History
In the past 8.5 days, it has been listed 4 times for a total of 3.5 days.

It's definitely misdirected spam from my side, I'll get working on this.
Wazoo
QUOTE(VRod74 @ Nov 11 2006, 09:09 PM) *
It's definitely misdirected spam from my side, I'll get working on this.

There is still only the one 'reported' spam ... the SpamCopDNSBL page only mentions spamtrap hits.
Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day 3.3 200%
Last 30 days 3.2 285%
Average 2.6

It may have been that the spammer took a bit of a break from your server, allowing it to fall off the 'listed' status .... then came back ....

Good luck and thanks for keeping at it!