Full Version: We're listed 67.38.176.142
EVV532
67.38.176.142 is listed. Can someone help us determine why?

We had one computer with NTRootkit-J last week. I think we have it eradicated.
Any ideas would be appreciated.

Thanks,

EVV532
Lking
QUOTE(EVV532 @ Feb 5 2008, 02:49 PM) *
67.38.176.142 is listed. Can someone help us determine why?

The best source for the information you are asking for is to go to the SpamCop web page and click on the Blocking List Tab.

There you will find a window to enter your numeric IP address. When you click on the button you will see that at this time:

QUOTE
If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 20 hours.
Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

There is also some additional information about your IP and mail.threeieng.com that you should address.

Hope this helps.
EVV532
QUOTE(Lking @ Feb 5 2008, 02:06 PM) *
The best source for the information you are asking for is to go to the SpamCop web page and click on the Blocking List Tab.

Yep. Did that earlier. Still trying to find the original cause for getting listed in the first place.
Lking
QUOTE(EVV532 @ Feb 5 2008, 03:18 PM) *
Still trying to find the original cause for getting listed in the first place.

The original cause for being listed seems to be that mail from your IP was received by some of SpamCop's spam traps. Apparently three times during the last five days.

Spamtraps are: "Non-existent email addresses set up by SpamCop to definitively identify spam. As SpamCop never used these email addresses to signup for a mailing list or purchase an item, for example, SpamCop knows spammers harvested the emails for their mailing lists."

QUOTE
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)


The fact that your volume of email has increased 1050% over last month would indicate that something has changed. Do you know what has changed? There are lots of tools available to help you identify malware on your machines if you can't account for the increase in volume in other ways.
Farelf
QUOTE(EVV532 @ Feb 6 2008, 05:18 AM) *
Yep. Did that earlier. Still trying to find the original cause for getting listed in the first place.
Lou (preceding post) has mentioned the SenderBase stats, which you can access via the lookup you know about. You only seem to be listed on the SCbl, looking at http://www.robtex.com/rbl/67.38.176.142.html (so no evidence is available from other sources) but the hits on SC spamtraps seem to continue going by SenderBase and the currency of your listing in the SCbl. And spamtrap evidence is secret. The deputies (deputies[at]admin.spamcop.net) might be able to tell you the TYPE of traffic they are seeing in the spamtraps (NDNs, etc) which could maybe help you home in on the continuing problem.
Miss Betsy
If your SenderBase stats are not going down, then perhaps there is something else or you didn't get what you had completely eradicated.

Miss Betsy
Telarin
My first suggestion is to get a quick fix in until you can more definitively track down the problem machine. The first thing I would suggest doing is configure your firewall to only allow outgoing port 25 traffic from your mailserver. This will block any infected computers on your network from sending out mail. If your router/firewall supports it, configuring it to log those failed attempts can be very useful in tracking down the infected computer.
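Added example, not part of the original thread: one way to turn the logged port 25 blocks suggested above into a ranked list of suspect machines. It assumes a Linux netfilter gateway; the mail server address, the `SMTP-BLOCK` log prefix, the rules in the comment and all sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Assumed setup (not from the thread): a Linux netfilter gateway, mail server at
# 192.168.1.10, and a hypothetical log prefix "SMTP-BLOCK":
#   iptables -A FORWARD -p tcp --dport 25 -s 192.168.1.10 -j ACCEPT
#   iptables -A FORWARD -p tcp --dport 25 -j LOG --log-prefix "SMTP-BLOCK "
#   iptables -A FORWARD -p tcp --dport 25 -j DROP
LOG_PREFIX = "SMTP-BLOCK"
FIELD = re.compile(r"\b([A-Z]+)=(\S+)")  # KEY=value pairs in a netfilter LOG line

# Constructed sample lines in kernel LOG format; all addresses are made up.
SAMPLE_LOG = """\
Feb  6 10:01:02 gw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1042 DPT=25 SYN
Feb  6 10:01:03 gw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=1043 DPT=25 SYN
Feb  6 10:01:03 gw kernel: OTHER IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=192.0.2.9 PROTO=TCP SPT=2000 DPT=80 SYN
Feb  6 10:01:04 gw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=192.0.2.44 PROTO=TCP SPT=1044 DPT=25 SYN
Feb  6 10:01:09 gw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=198.51.100.7 PROTO=TCP SPT=3310 DPT=25 SYN
Feb  6 10:01:12 gw kernel: SMTP-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1045 DPT=25 SYN
"""

def blocked_smtp_sources(log_text, prefix=LOG_PREFIX):
    """Map each internal source IP to its blocked port 25 attempts and distinct targets."""
    attempts = Counter()
    targets = defaultdict(set)
    for line in log_text.splitlines():
        if prefix not in line:
            continue  # not one of our blocked-SMTP log entries
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
            continue
        src, dst = fields.get("SRC"), fields.get("DST")
        if not src or not dst:
            continue  # truncated or malformed line
        attempts[src] += 1
        targets[src].add(dst)
    return {ip: {"attempts": attempts[ip], "destinations": len(targets[ip])}
            for ip in attempts}

def rank_suspects(log_text):
    """Order sources by distinct destinations, then attempts. A host trying many
    different mail servers directly looks like a spam bot; a single repeated
    destination is more often a mail client pointed at an outside SMTP server."""
    stats = blocked_smtp_sources(log_text)
    return sorted(stats, key=lambda ip: (-stats[ip]["destinations"],
                                         -stats[ip]["attempts"], ip))

if __name__ == "__main__":
    stats = blocked_smtp_sources(SAMPLE_LOG)
    for ip in rank_suspects(SAMPLE_LOG):
        print(ip, stats[ip])
```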
Lking
Telarin, you're right, it doesn't look like the fix is in yet. Last I checked the volume is up to 1228% over 1050% yesterday. There must also have been some additional hits at the Spam Traps because the time remaining on the list has increased also.

Keep digging EVV532, the problem is there somewhere.
EVV532
QUOTE(Lking @ Feb 6 2008, 10:53 AM) *
Telarin, you're right, it doesn't look like the fix is in yet. Last I checked the volume is up to 1228% over 1050% yesterday. There must also have been some additional hits at the Spam Traps because the time remaining on the list has increased also.

I was watching the time tick down ... 3 .... 2 - then 22. Bummer! We're still digging.
Trying the port 25 blocking suggestion. Thanks to all.
Any other additional ideas are appreciated.
petzl
QUOTE(EVV532 @ Feb 6 2008, 05:15 PM) *

I was watching the time tick down ... 3 .... 2 - then 22. Bummer! We're still digging.
Trying the port 25 blocking suggestion. Thanks to all.
Any other additional ideas are appreciated.

http://forum.spamcop.net/scwik/Bounce
You're not mindlessly bouncing email?
Lking
QUOTE(petzl @ Feb 6 2008, 05:49 PM) *
You're not mindlessly bouncing email?

In this case wouldn't that require SpamCop spam Traps to send email or someone to know the address of a spam trap and include it in an email to EVV532?

I don't think either is very likely (nada!). If he had been reported by someone other than a spam trap, what you suggest is very likely.
Farelf
Now promoting itself to a few more lists - http://www.robtex.com/rbl/67.38.176.142.html
QUOTE(http://www.uceprotect.net/en/rblcheck.php)
Listingrisk
No longer a risk, your IP got listed :-(
Derek T
QUOTE(Lking @ Feb 7 2008, 12:52 AM) *
In this case wouldn't that require SpamCop spam Traps to send email or someone to know the address of a spam trap and include it in an email to EVV532?

I don't think either is very likely (nada!). If he had been reported by someone other than a spam trap, what you suggest is very likely.

Au contraire, very likely and very common. Spamtrap addresses are 'out there' to attract the scrapers: that's the whole point. No human needs to know them.

Human report now received
CODE
Submitted: Thu, 07 Feb 2008 08:29:45 GMT:
Crazy Britney does it again!

    * 2820599222 ( 67.38.176.142 ) To: abuse[at]prodigy.net