Full Version: [Resolved] 213.93.21.64 is blocked
Llewella
Hi,

Since last week I have had problems with my computer. One problem was trojans/viruses after I did a fresh install, and for a couple of hours my computer was unprotected against viruses and trojans (normally that's no problem, but now it really was!)
The second big problem: I can't email anymore since my IP got blocked.
Never knew that was even possible as just a normal regular user!

I do get this message;

551 Mail from your IP address is currently blocked based on RBL listing

I just called my ISP (Chello), and a helpful girl was on the phone; she said that I would be delisted when there had been no reports from my IP address for 24 hours.
She even checked this site for me and everything, but could not delist me herself since I was listed @ spamcop.

I have flushed down all my data these last few days, so many pictures of my pets and such, I did a fresh install of windows about 24 hours ago (again); I have installed nod32 antivirus, hitmanpro, and atm I'm doing an online anti virus check.

I'm so tired of this whole thing; hope I can soon send some email again!

What can I do more?
Wazoo
http://www.spamcop.net/w3m?action=checkblo...ip=213.93.21.64
213.93.21.64 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in a short time.

Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
SpamCop users have reported system as a source of spam less than 10 times in the past week

Listing History
In the past 5.9 days, it has been listed 2 times for a total of 5.3 days

http://www.senderbase.org/senderbase_queri...ng=213.93.21.64
Volume Statistics for this IP
Magnitude Vol Change vs. Last Month
Last day ......... 3.4 .. 2524%
Last month ...... 1.9

Date of first message seen from this address 2007-06-20

The SpamCopDNSBL is but one BL this IP address has made its way into ....

Wondering about all the "my computer" details in conjunction with "sending" e-mail .... why aren't you actually using one of chello's e-mail servers for your outgoing?
Llewella
where can you see the emails? I use mail.chello.nl for outgoing!
Wazoo
QUOTE(Llewella @ Jun 26 2007, 03:49 PM) *
where can you see the emails? I use mail.chello.nl for outgoing!

There's a real problem here. You are posting from the very IP address you are asking/complaining about.
Llewella
QUOTE(Wazoo @ Jun 26 2007, 10:53 PM) *
There's a real problem here. You are posting from the very IP address you are asking/complaining about.

Yes; because it is my IP ;)

I'm complaining about being blocked ;)
Not about my own IP address ;)

But where do you see the emails you are referring to? So I can check which emails were sent that cause the problem.

I don't know what virus hit me; just a bunch of trojans, but I didn't check which.

I just did an online scan and as far as I know my computer is now free from viruses or trojans.
Miss Betsy
QUOTE(Llewella @ Jun 26 2007, 04:57 PM) *
I just did an online scan and as far as I know my computer is now free from viruses or trojans.

If your computer is now free from viruses or trojans, then no more spam emails will be sent from it and it will automatically delist from the spamcop blocklist. The spamcop blocklist is entirely automatic. You can check it yourself to see how long it will be (there is sometimes a lag in the time, but if you are clean, then when it delists, you won't be re-listed.)

Miss Betsy
Wazoo
QUOTE(Llewella @ Jun 26 2007, 03:49 PM) *
I use mail.chello.nl for outgoing!

QUOTE(Wazoo @ Jun 26 2007, 03:53 PM) *
There's a real problem here. You are posting from the very IP address you are asking/complaining about.

QUOTE(Llewella @ Jun 26 2007, 03:57 PM) *
Yes; because it is my IP ;)
06/26/07 16:04:19 Slow traceroute mail.chello.nl
Trace mail.chello.nl (213.46.255.2) ...

and this does not actually mean that outgoing would come from that IP address ... but it certainly does mean that if you were using your ISP's hosted e-mail servers, the outgoing e-mail would not be "coming" from "your" IP address.
QUOTE
I'm complaining about being blocked ;)
Not about my own IP address ;)

The IP address in question seems to be the IP address assigned to your computer for connectivity. You should not also be sending e-mail from that same IP address. That something happened on 20 June that caused you to 'configure' your system to send out e-mail from that computer, and the follow-on infection is what seems to have caused your "blockage"
QUOTE
But where do you see the emails you are referring to? So I can check which emails were sent that cause the problem.

I have an e-mail awaiting an answer as to what's up with the database. There was yet another outage on the Parsing & Reporting system this morning .. which may have some bearing on not being able to pull up any report history on this IP address at present.

While waiting for me to get an answer, you could also do some of your own research .. there are FAQ entries available here .. there's a Wiki if you don't like the single-page-access-expanded version of the SpamCop FAQ here ... or you could start with the Why am I Blocked? that has another entry as a Pinned item in this Forum section.
QUOTE
I don't know what virus hit me; just a bunch of trojans, but I didn't check which.

I just did an online scan and as far as I know my computer is now free from viruses or trojans.

There are other suggested tools to check for other types of malware in another Forum section here.

But the primary issue seems to boil down to you sending outgoing e-mail from your own system ... a lot of ISPs will block on just that reason alone.
Merlyn
You are blocked in many lists

Resolved 213.93.21.64 to e21064.upc-e.chello.nl.
e21064.upc-e.chello.nl. has no MX records -> upc-e.chello.nl has no MX records -> [chello.nl has 1 MX record smtp.chello.nl.(10)]
--------------------------------------------------------------------------------
PBL The Policy Block List: pbl.spamhaus.org -> 127.0.0.11
http://www.spamhaus.org/query/bl?ip=213.93.21.64
--------------------------------------------------------------------------------
ZEN Spamhaus combined SBL, XBL and PBL - replaces SBLXBL: zen.spamhaus.org -> 127.0.0.11
http://www.spamhaus.org/query/bl?ip=213.93.21.64
--------------------------------------------------------------------------------
NJABLDYNA NJABL list of dynamic ip spaces: dynablock.njabl.org -> 127.0.0.3
Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html
--------------------------------------------------------------------------------
NJABLCOMBINED NJABL & NJABLDYNA combined: combined.njabl.org -> 127.0.0.3
Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html
--------------------------------------------------------------------------------
SPAMCOP SpamCop Blocking List: bl.spamcop.net -> 127.0.0.2
Blocked - see http://www.spamcop.net/bl.shtml?213.93.21.64
--------------------------------------------------------------------------------
FIVETEN local bl at 510 Software Group: blackholes.five-ten-sg.com -> 213.93.159.180.chello.nl.misc.spam.blackholes.five-ten-sg.com. -> 127.0.0.2
213.93.159.180.chello.nl.misc.spam.blackholes.five-ten-sg.com.
miscellaneous address blocks that have sent spam here
--------------------------------------------------------------------------------
PSBL Passive Spam Block List: psbl.surriel.com -> 127.0.0.2
Listed in PSBL, see http://psbl.surriel.com/listing?ip=213.93.21.64
--------------------------------------------------------------------------------
RBLJPSHORT reject spam sent from ADSL or PPP connections which have dynamic IP addresses: short.rbl.jp -> 127.0.0.4
213.93.21.64 is listed in short.rbl.jp.
--------------------------------------------------------------------------------
RBLJP This provides both the above services of virus.rbl.jp and short.rbl.jp.: all.rbl.jp -> 127.0.0.4
213.93.21.64 is listed in short.rbl.jp.
--------------------------------------------------------------------------------
SORBS Spam and Open Relay Blocking System: Aggregate zone: dnsbl.sorbs.net -> 127.0.0.10
Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?213.93.21.64
--------------------------------------------------------------------------------
SORBSDUL Dynamic IP Address ranges (NOT a Dial Up list!): dul.dnsbl.sorbs.net -> 127.0.0.10
Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?213.93.21.64
--------------------------------------------------------------------------------
DRBL-VOTE-EXPRESS Distributed RBL node: TSB Russian Express: vote.rsbs.express.ru -> express.ru. -> 217.23.143.1
express.ru.
--------------------------------------------------------------------------------
DRBL-WORK-EXPRESS Distributed RBL node: TSB Russian Express: work.rsbs.express.ru -> express.ru. -> 217.23.143.1
express.ru.
--------------------------------------------------------------------------------

I hope you removed your worm!
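
The lookups quoted in the post above, reproduced as an added example that is not part of the original thread: each DNSBL is queried with the IP's octets reversed in front of the zone name, and only an answer inside 127.0.0.0/8 counts as a listing, which is why the two express.ru results (217.23.143.1) are not listings at all. The reputation/policy labels and the offline sample resolver are this example's own constructions; the zones and answers are copied from the post.

```python
import ipaddress
import socket

# Zones from the lookup output quoted above. The "kind" labels are this
# example's reading of each list's own description in that output.
ZONE_KIND = {
    "bl.spamcop.net": "reputation",      # "SpamCop Blocking List"
    "psbl.surriel.com": "reputation",    # "Passive Spam Block List"
    "pbl.spamhaus.org": "policy",        # "The Policy Block List"
    "dynablock.njabl.org": "policy",     # "list of dynamic ip spaces"
    "dul.dnsbl.sorbs.net": "policy",     # "Dynamic IP Address ranges"
    "short.rbl.jp": "policy",            # "ADSL or PPP ... dynamic IP addresses"
    "vote.rsbs.express.ru": "unknown",   # "Distributed RBL node"
}

# Constructed offline stand-in for DNS; the answers are the ones in the post.
SAMPLE_ANSWERS = {
    "bl.spamcop.net": "127.0.0.2",
    "psbl.surriel.com": "127.0.0.2",
    "pbl.spamhaus.org": "127.0.0.11",
    "dynablock.njabl.org": "127.0.0.3",
    "dul.dnsbl.sorbs.net": "127.0.0.10",
    "short.rbl.jp": "127.0.0.4",
    "vote.rsbs.express.ru": "217.23.143.1",
}

LISTING_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.zone"""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Live A-record lookup; None means no answer (NXDOMAIN or lookup failure)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def sample_resolver(ip):
    """Offline resolver that answers the way the quoted output did for `ip`."""
    table = {dnsbl_query_name(ip, z): a for z, a in SAMPLE_ANSWERS.items()}
    return table.get


def check(ip, zone, resolve):
    """Return (status, answer) for one zone."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return ("not-listed", None)
    if ipaddress.ip_address(answer) not in LISTING_NET:
        # A wildcarded or parked zone answers every name; not a listing code.
        return ("ignored", answer)
    return (ZONE_KIND.get(zone, "unknown"), answer)


def triage(ip, resolve, zones=ZONE_KIND):
    """Group zones by what a listing there means for the mail sender."""
    report = {"reputation": [], "policy": [], "unknown": [],
              "ignored": [], "not-listed": []}
    for zone in zones:
        status, answer = check(ip, zone, resolve)
        report[status].append((zone, answer))
    return report


if __name__ == "__main__":
    ip = "213.93.21.64"
    # Swap in system_resolver to query live DNS instead of the sample table.
    for status, hits in triage(ip, sample_resolver(ip)).items():
        for zone, answer in hits:
            print(f"{status:11} {zone:24} {answer}")
```

Reputation entries reflect mail that was actually seen from the address, while policy entries list the address because it sits in a dynamic or residential range.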
Llewella
Yes I already suspected it was from my own computer, nothing new there.

Guess the date was indeed June 20th.

I wanted to make a new partition on my computer, the partitions crashed; I had to install a fresh copy of Windows, visited about 10 sites (just normal regular sites; about gerbils, those cute little rodents; my favourite game ponyisland, and sites like that), and was unprotected for not more than half a day.

I had a virus scanner which picked up a lot of stuff, but it couldn't disable the cause of all these trojans getting in again and again.

So yesterday evening I tried a new fresh install and immediately installed hitmanpro and antivirus and such, to prevent a new infection.


I did read the sections you referred to, but it is still unknown to me how to get specific information about the emails and such that were sent.
Maybe I don't understand things well because I'm not a native English speaker, but the info I did read was very limited IMO, just about what could have caused the block (well, I have an idea about that; see the story above ;) )

I'm just sick of the whole thing; can you imagine how I spent these last 6 days? :P Stupid viruses! (And script kiddies who write them; I was a programmer myself but don't see much fun in creating a virus).
petzl
QUOTE(Llewella @ Jun 26 2007, 09:36 PM) *
Yes I already suspected it was from my own computer, nothing new there.

A Trojan is not a virus. It is a program you have been fooled into starting/installing
This means every thug who wants to has access to all information on that computer, knows where you live, when you are home and when you are not. Trojans also allow spam to be sent through your computer

Pays to do a security check at least. My signature is for windows computers.
You are best to format all drives on that computer IMO
Then use my Signature for getting effective complete freeware protection if you do not wish to pay for it
Wazoo
QUOTE(Llewella @ Jun 26 2007, 03:23 PM) *
I do get this message;

551 Mail from your IP address is currently blocked based on RBL listing

You didn't actually say just where this error message came from ... although your next sentence stated that you contacted chello ... so is it chello that has you blocked? (This makes the rest of that 'conversation' then make a bit more sense .. and helps clear up my bit of confusion on just how your outgoing e-mail is in fact being handled.)

As far as delisting elsewhere .... wow! lots of work at this point .... However, the real point of concern is that the SenderBase numbers aren't going down, suggesting that the spew is continuing .... it's been over an hour since my last data check .... so one could go with the fact that your system is still screwed up ... you need to locate, install, and run some of those other tools ... what you say you've been looking for is a 'virus' .. what you apparently have is something that is not considered a 'virus' ....

http://www.senderbase.org/senderbase_queri...ng=213.93.21.64
Volume Statistics for this IP
Magnitude Vol Change vs. Last Month
Last day ...... 3.4 .. 2762%
Last month ...1.9

You've never stated just what version of Windows is involved .... so not sure if you can check for running "services" to start shutting things down ...

You've never talked about your actual connection/network .... is it possible you've got a wireless router set up and it's compromised? Is there any kind of a firewall at all in use? (Noting that traceroute fails)

You think you are tired? That "magnitude" suggests something to the tune of 5-6,000 e-mails a day leaving your computer (that you know nothing about) You are not the only person "tired" of (your) spam spew .....
Miss Betsy
QUOTE(Llewella @ Jun 26 2007, 05:36 PM) *
<snip>
I did read the sections you referred to, but it is still unknown to me how to get specific information about the emails and such that were sent.
Maybe I don't understand things well because I'm not a native English speaker, but the info I did read was very limited IMO, just about what could have caused the block (well, I have an idea about that; see the story above ;)

If you have cleaned your computer, it does not matter what the emails were. The emails were probably typical spam about viagra or how to lose weight or how to buy stock, etc.

Sometimes it does help to know what the emails are about. However, in your case, it does not make much difference. They were sent by a spammer through something infecting your computer. You still need to work on making your computer secure.

You will need to contact all those other blocklists to tell them when you have cleaned your computer. Other blocklists are not automatic the way spamcop is. There is no point in contacting them until your senderbase statistics go down and you know absolutely you have fixed the problem.

Perhaps you need to ask more specific questions about how to secure your computer.

Miss Betsy
GraemeL
QUOTE(Llewella @ Jun 26 2007, 10:36 PM) *

I wanted to make a new partition on my computer, the partitions crashed; I had to install a fresh copy of Windows, visited about 10 sites (just normal regular sites; about gerbils, those cute little rodents; my favourite game ponyisland, and sites like that), and was unprotected for not more than half a day.

The average time for an unpatched Windows XP SP1 machine to be compromised when connected directly to the internet was 10 minutes at the end of 2006. I've seen some studies showing that the average is now as low as 4 minutes.

If you're installing from a SP2 disc, the time might well be as high as 30 minutes.

Odds are that any Windows machine from a fresh install would be compromised before you could use Windows Update to get it patched unless it was well firewalled before being connected to the internet.
Wazoo
Apparently, about the only thing left to try at this point (based on the appearance that fixing this computer isn't an option) would seem to be simply shutting it down for a while to possibly rule it out ....

Seven+ hours later .... SenderBase data hasn't changed from my last lookup .... the SpamCopDNSBL page still reads "in a short time" .... so having to guess that we have another 'winner' that seems to be staying right on the cusp of being de-listed ....

Shutting down this computer should cause both the SenderBase numbers to change, the de-listing to occur if this traffic is in fact coming from that computer. Leaving it shut down long enough, and perhaps it will come back up and get a different IP address assigned .... if the spew problem isn't handled, then this situation will be repeated .....
Llewella
We have a wireless router; we have 3 active computers, a wii and a laptop in the network. The router should be closed to other traffic. (I said should, because my bf installed it; I did ask him about it when he installed it, and he said everything was ok, but I fear it is not because I can get the laptop onto it without doing anything special).

I do know the difference between a virus and a trojan; but heck, I still don't know exactly what hit me.

I asked my bf to check his computers, and possibly his new computer, but his new computer is not connected to the internet nor the network, but it was last week so maybe it is still infected

I have windows pro sp2

Oh oh oh, I was very into computers, and years ago I would have been very interested in solving this; but now I have just become a regular computer user, too busy with a lot of other things.
Last week I said to my boyfriend: wow, this is my punishment for getting lazy with computers and not spending a lot of time on geeky things anymore :P


My bf can be a big cause too, because, well, he does know enough, but he is a bit naive on the internet about viruses and trojans and spyware and such; he just installs everything that looks right.
I asked him last night and he said everything was fine with his own computer; but I think he has other things on his mind than this; he just got a nice new game computer, so he's playing all the nice new games with lots of eye candy (that computer is not attached to anything else, except a monitor/keyboard switch). So I guess I can solve this on my own :P

This is just still so unbelievable to me! I've been active on the internet for 9 years now; started with computers back in '83 when I was still a kid; but this is pretty big to me! I was hit by a virus and/or trojan about 2 times; was very keen about that; and now this; 3rd time; and big time!

I think I'm gonna shut this computer down for some hours now to see if it is this computer. Gonna get the laptop to see what happens. Then I think I'm gonna shut down the laptop; then my bf's internet computer (he's not going to be happy with that because he sends weather data 24/7 to his website).

But first some breakfast...

Maybe I will get some help from my stepbrother if I can't solve it myself; he is more into this stuff than me since he is more into networking and certified for this side of computers. Or otherwise I can get help from the place my dad works (we have 2 computers from there).


Btw; the message I got was when I tried to send a mail.
I tried to check for headers, but the header section is blank. I use Outlook, and looked for internet headers.

Well; shutting this comp down now.
(11:26AM Dutch time)
Llewella
I'm on my bf's internet computer now, scanning it with trend micro housecall, but if I look in the list of processes I see enough things that I think look suspicious.

With the laptop I can connect to the router wirelessly, but can't connect to the internet through the router; maybe my bf changed something when he was watching the router last night.
Yesterday morning I could connect to the internet with the laptop.
Llewella
QUOTE(petzl @ Jun 26 2007, 11:59 PM) *

A Trojan is not a virus. It is a program you have been fooled into starting/installing
This means every thug who wants to has access to all information on that computer, knows where you live, when you are home and when you are not. Trojans also allow spam to be sent through your computer

Pays to do a security check at least. My signature is for windows computers.
You are best to format all drives on that computer IMO
Then use my Signature for getting effective complete freeware protection if you do not wish to pay for it



I'm gonna check everything in your sig, thanks for that!

Well, where I live is not a big secret since you can look it up through one of my websites, and I don't have any crazy stuff on my computer people cannot know of, and I don't have a credit card or so. I'm very aware of that kind of thing, since I was a bit afraid of that kind of stuff years ago, as I also was a moderator on a big computer-related forum and you never know who wants to slap you because someone thinks differently or does not agree with the decisions you make (or other things, because I was one of the very few females among a lot of geeky males ;) ); but since I was called on my bf's cellphone a few years ago by someone who wanted to make nude pictures of me and wanted to have a relationship with me because he saw my picture on the internet, I know not to be really afraid anymore; it is not scarier than just walking in the streets and I have nothing to hide. If someone does something that is not allowed he's gonna get reported, and things happen, with or without the internet, so it is not scarier to me than normal daily life ;) I'm past that stage! Internet is just the next dimension in our lives. My car was broken into just a few weeks ago; without internet ;)

But it is very much not ok to have an infected system with all the troubles I got into (couldn't install programs anymore like hitmanpro to check; well, I could by clicking really, really fast :P ), couldn't reach my own servers anymore, cannot email anymore. And it is not ok to make it possible for even more computers to get infected or to spread spam.

Most stupid thing: I still get spam myself even though I can't email anymore :P About viagra pills & penis enlargements :rolleyes: :D So this system stinks a little bit in my opinion; no offence to anyone from here, but it seems not to help to get the big causers, only the people who become 'victims' of it (well, I know it is only me to blame for getting infected). And it won't stop the spam ;) (Because the big causers will always find another way and are one step ahead this way).
Well, it sounds interesting to search for a solution that will work while protecting 'unwary' internet users.
Llewella
Wazoo; where can I check for specific details if it made any difference my computer was offline? I just turned my computer on again.

I checked my bf's computer with online symantec scanners; and nothing wrong; everything in stealth mode, no trojans or viruses, everything seems ok.

Tonight we will turn both the computers off to see what happens.
turetzsr
QUOTE(Llewella @ Jun 27 2007, 02:09 PM) *
Wazoo; where can I check for specific details if it made any difference my computer was offline? I just turned my computer on again.
...See the link in Wazoo's post, above: http://forum.spamcop.net/forums/index.php?...ost&p=57482. Compare the results you see with those he posted there.
...Actually, you should not have put your computer back on the net until you are reasonably sure you've solved the root problem. One reason for this is that if you are still running malware that is sending spam through your computer, your statistics will jump up again now that your PC is back on the net.
Wazoo
QUOTE(Llewella @ Jun 27 2007, 01:09 PM) *
Wazoo; where can I check for specific details if it made any difference my computer was offline? I just turned my computer on again.

http://www.senderbase.org/senderbase_queri...ng=213.93.21.64
The number did go down a bit from the last time I checked ....
Volume Statistics for this IP
Magnitude Vol Change vs. Last Month
Last day ...... 4.5 .. 2615%
Last month .. 3.1

QUOTE
We have a wireless router; we have 3 active computers, a wii and a laptop in the network.

From this, the 'most' effective would be to start with the wireless router. Disconnecting that from the Internet should remove 'all' traffic from leaving that IP address. The SenderBase numbers should start going down rapidly. As said before though, I have no idea what chello's 'lease time' is on the IP address assignment. You said "windows pro sp2" so I'm going with that you meant to say "XP" ....

Start button
Run
type in "cmd" without the quotes
in that 'box' type in "ipconfig /all" without the quotes again
in that list of stuff, look for the Lease times/dates .... for instance, mine is now showing;

Lease Obtained. . . . . . . . . . : Tuesday, June 26, 2007 1:22:33 PM
Lease Expires . . . . . . . . . . : Friday, June 29, 2007 1:22:33 PM

This should tell you how long you could remain disconnected and still have the same IP address assigned.

Anyway, if disconnecting the wireless router causes the SenderBase numbers to rapidly drop ... then the 'easy' way to isolate which system has an issue would be to hook only one up at a time, directly to the cable source and look for the one that causes the numbers to start climbing again. (From the sounds of your description, it doesn't appear to include the laptop)

If none of the computers appear to be the cause, then one would start looking at the wireless router as being involved .... worst case, you have a neighbor with an infected computer that is using your Internet connection .....

For record keeping purposes, if you want to make a post to advise when "everything is disconnected 'now'" there are several folks here that would be glad to check and post the numbers so as to help document what worked, what didn't ....

Geeky girls are allowed (and appreciated) here <g>
Llewella
XP yes :) (Tried Vista, but with the partition accident back to XP again).

Ok; this night I will disconnect the router, and will hook up one at a time again tomorrow morning.
Wazoo
http://www.senderbase.org/senderbase_queri...ng=213.93.21.64
Volume Statistics for this IP
Magnitude Vol Change vs. Last Month
Last day ...... 4.5 .. 2388%
Last month .. 3.1

Numbers have changed already ......
Llewella
So seems everything is better now? everything is online now atm.
Wazoo
QUOTE(Llewella @ Jun 27 2007, 03:33 PM) *
So seems everything is better now? everything is online now atm.

Not saying that at all .. just noting the volume drop.

On the other hand, this IP address is not currently listed in the SpamCopDNSBL .... in theory then, chello may not be blocking your attempted 'real' e-mail right now (depends on caching of various DNS data, but maybe it's worth a shot to get your 'important' e-mail out now while there's an opportunity)

BTW: went off to work on something else, yet another thought hit me .. perhaps hooking things back up "directly to your cable connection" might not be a good idea. It may be that your cable connection has some access control based on MAC address, which means that there'd probably be some connection issues .... again, I've no knowledge on how chello administers their system.

Owner's manual for the wireless router will contain instructions on how to access the router itself .... hopefully, the first issue you'll run into is that your BF changed the default password .... one of the things to check would be a routing/access table ... see what's actually connecting to that router. hopefully, you'll only see "your" systems (having to translate the IP addresses seen there to what's actually been assigned to your systems ... that's part of the data seen in the ipconfig data I described in a previous post)
Llewella
I'm emailing atm through (chello) webmail; so that's not a problem anymore.

My bf also noticed that we are not listed @ SpamCopDNSBL atm anymore.

We can connect just directly to the modem; we've done that all the time when we ran into connection troubles or when the previous router broke down ;)

My bf did close the router to the last bit when he came home; so maybe that made a change. (And yes, he did change the default password; he had run into that problem earlier ;) )
Wazoo
volume is going back up
Volume Statistics for this IP
Magnitude Vol Change vs. Last Month
Last day ...... 4.5 .. 2615%
Last month .. 3.1
Wazoo
Volume Statistics for this IP
Magnitude Vol Change vs. Last Month
Last day ....... 4.6 .. 1966%
Last month ... 3.3

Hard to say if it's going down or if this is just because the 'baseline' has increased ...????
Llewella
Magnitude Vol Change vs. Last Month
Last day 4.5 1793%
Last month 3.3

Didn't disconnect the router last night because I thought the problem was solved, but what you say about the 'baseline' can be the cause of getting a lower number.

It is still dropping.

But we are out of the blacklists; I did hit the button to be delisted on 2 or 3 blacklists, but not the spamcop blacklist, because I first wanted to make sure the problem was solved. So the IP was removed automatically.

Shall see if the numbers are really dropping when I disconnect the router this upcoming night.
Wazoo
Running into another SenderBase data/cache issue ... between being sent to the wrong page at times, I just ran into an issue where the first (correct IP address) display came up with 1966% .. which caught my eye, as this was the same number as my last post .. did a browser Refresh .. the number changed to 1793% which matches your last post .... confusing ..
Llewella
QUOTE(Wazoo @ Jun 28 2007, 10:34 AM) *
Running into another SenderBase data/cache issue ... between being sent to the wrong page at times, I just ran into an issue where the first (correct IP address) display came up with 1966% .. which caught my eye, as this was the same number as my last post .. did a browser Refresh .. the number changed to 1793% which matches your last post .... confusing ..

Yep; I have that too; and freaked out a little bit :P , until I noticed it was the numbers you posted.
Llewella
And it's down again

Magnitude Vol Change vs. Last Month
Last day 4.6 1471%
Last month 3.4
Wazoo
But .. we're all still waiting to hear how things like Ad-Aware, SpyBot-Search & Destroy, etc. came out on scanning your system(s) .....You also haven't mentioned checking the wireless router 'connections' ....

Where I'm at .. I'd like to see that number coming down much faster ....
Llewella
QUOTE(Wazoo @ Jun 28 2007, 04:47 PM) *
But .. we're all still waiting to hear how things like Ad-Aware, SpyBot-Search & Destroy, etc. came out on scanning your system(s) .....You also haven't mentioned checking the wireless router 'connections' ....

Where I'm at .. I'd like to see that number coming down much faster ....

Couldn't find anything with hitmanpro as said (hitmanpro is a Dutch program which uses ad-aware, spy sweeper and a lot more programs) nor with symantec or trend micro housecall.

Can't see/find any strange connections on the router.
Llewella
Disconnected the router last night

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month
Last day 4.6 1061%
Last month 3.5
Farelf
QUOTE(Llewella @ Jun 29 2007, 02:18 PM) *
Volume Statistics for this IP

Magnitude Vol Change vs. Last Month
Last day 4.6 1061%
Last month 3.5
The volume change flops around a little bit (seeing 1166% at the moment, after hitting refresh) but the magnitude (4.6) has been constant - more or less. My interpretation is that disconnecting the router, at that time and for that period, has had no effect. I'm wondering just what part your computer is actually playing in the (monitored) traffic through that IP address. I note there has been no relisting on the SCBL which may be the only reliable datum right now.
Wazoo
At the time of this posting;
Report on IP address: 213.93.21.64
Volume Statistics for this IP
Magnitude Vol Change vs. Last Month
Last day ...... 4.3 .. 538%
Last month .. 3.5
Llewella
At this time;

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month
Last day 4.3 376%
Last month 3.6
Wazoo
A bit tricky ... 'daily' volume is going down, but 'monthly' is still on the uprise, which would also factor into the 'daily' figure ...

What's depressing to me is that if all issues were cleared up, no one else is using your router to send their e-mail, then it sure seems like the 'daily' number should have reached zero quite a while ago .... that the volume has been much reduced is obvious, but why SenderBase is still showing 'any' traffic is confusing to me ....
Farelf
Still going down
QUOTE(Report on IP address: 213.93.21.64)
Volume Statistics for this IP

Magnitude Vol Change vs. Last Month
Last day 4.2 337%
Last month 3.6


[Added] And some real progress now
QUOTE(Report on IP address 213.93.21.64)
Volume Statistics for this IP

Magnitude Vol Change vs. Last Month
Last day 3.4 -35%
Last month 3.6
Wazoo
Touchdown!

Volume Statistics for this IP
Magnitude Vol Change vs. Last Month
Last day ...... 0.0 .. N/A
Last month .. 3.6

Thanks and congratulations to you (and BF if we must include him <g>) for cleaning up yet another source of spam.
Appreciated by all.
Llewella
And for the record; it seems it was a wireless connection through the router; since we protected the router the numbers started really dropping.

Thanks to all those who have helped me with this!!!
Wazoo
QUOTE(Llewella @ Jul 6 2007, 02:57 PM) *
And for the record; it seems it was a wireless connection through the router; since we protected the router the numbers started really dropping.

The implication there is that your 'problem' was caused by someone that you might be waving to every morning, one of those friendly neighbors ....
QUOTE
Thanks to all those who have helped me with this!!!

and thanks to you from those (previous) 4-5,000+ a day recipients of e-mail traffic from someone they'd never met <g>