Looking for more details about spam trap hits from our ip: 210.13.108.53. There was also an additional warning about reverse DNS. I have contacted our ISP about this, but it takes some time to setup in China.

I have emailed the deputies a few times over the last few business day but have not recieved a response.

We are not currently listed, but would like to prevent getting listed again.

Thank you

Hi, emailing deputies[at]admin.spamcop.net is the correct approach (IP address included in the subject probably a good idea and you need to spell out your authority/relationship to the ISP somewhere if you are not the "abuse address"). Maybe if Don (SC Admin) comes by he could do something for you but otherwise it's a matter of waiting, unfortunately. There is a webform but that is not necessarily going to hasten response and the deputies will give an admin like yourself priority anyway.

Spam trap hits generally mean that the ISP is accepting email before sending a NDR to the return path or other automatic replies like out of office. Sometimes it indicates an infected machine (especially if it is listed and then delisted).

Using the webform sometimes does get a faster reply because you are asked all the pertinent information needed to get a reply. The more information you give about your problem, the quicker the reply. Unfortunately, you won't get much information except the type of spam hitting the spam traps so that the spam traps are not compromised. The deputies can tell also sometimes what the underlying problem is.

Spamcop doesn't list because of no reverse DNS, but many server admins use that as a criterion to block.

If you are sharing an IP address with others, then it may be someone else who has a problem and only your ISP can do something about fixing it. You may be able to get a static IP address that only you use.

If you are in China, be aware that many individuals who run their own servers, block all IP addresses from China because so much spam comes from China. You may, after you get the problem fixed, have to contact your email correspondents and have them whitelist your IP address.

You didn't say how you discovered that your IP address was on the spamcop blocklist. Some lazy server admins use the spamcop message for all the email they block no matter what the reason.

Listing by spamcop is very aggressive. You are wise to take it seriously because if whatever is causing the listing continues, other blocklists will start to list if it continues.

Preventing listing means having up-to-date anti-virus programs and firewalls, making sure any forms or forums on your website are secure from spammers, having the correct information during the the initial transaction (since I am not a server admin, I can't list what they look for, but the the correct rDNS is one), not sending automatic replies to the return path, but rejecting them at the server level, not sending unsolicited email yourself by using a confirmed subscription system for any email list, and, obviously, not allowing spammers to operate.

HTH,

Miss Betsy

I just googled that IP address and got a lot more hits than I expected for a random IP address. Most were in Chinese (I think) so I could not read them.

The IP is currently listed on the following RBLs:

ucepn.dnsbl.net.au
dnsbl-1.uceprotect.net

and it appears to have been due to spamtrap hits and the lack of the rDNS.

DT

I'm sorry to report that the server was sending spam to our spamtraps. We know for a fact that our trap servers accurately record the source IP when they get mail. A spamtrap is an unused address whose sole reason for existence is to see if people will send unsolicited mail to it. We guard our traps like gold for fear of revealing the email addresses, which is why we don't send any reports about the spam they get, so I'm afraid there aren't many details I can share with you. The spam run lasted a couple of days and stopped on March 5th.

Received: from zipmail.com.br (unknown [210.13.108.53])
by [our trap server] (Postfix) with SMTP id x
for <x>; Wed, 5 Mar 2008 02:xx:xx -0800 (PST)
Received: from 212.85.249.130 (HELO mail.wsl.uk.com)
by [our server name] with ESMTP (x)
id x
for x; Wed, 05 Mar 2008 18:xx:xx +0800
Message-ID: <@Beth>
From: "Brittany Melton" <x>
To: "x" <x>
Subject: The person was too physically


Received: from unknown (HELO CHN-Litiantian) ([210.13.108.53])
by [our trap server] with SMTP; 04 Mar 2008 21:xx:xx -0800
Received: (qmail x by uid x); Wed, 5 Mar 2008 01:xx:xx +0800
Message-Id: <2008__[at]CHN-Litiantian>
To: <x>
Subject:Pharmacy
From: <x>
Date: Tue, 4 Mar 2008 21:xx:xx -0800 (PST)

These days, the most common problem is backdoor spam sending spyware that has been installed by a Trojan or Worm. The server may be suffering from an open proxy port exploit, or has been compromised by some other means. The reason the mail doesn't show up in your logs is because the spammer uses his own SMTP engine to send the mail after he connects to the open port. If you block outgoing port 25 so that all mail has to go through your server, you can identify and prevent the traffic.

The reasons you see the "DNS error" information is because 210.13.108.53 has no reverse dns.

- Don D'Minion - SpamCop Admin -

Thank you. I was able to track down the infected computer. Yes, it is a shared IP. I have applied for rDNS

At our location we have outside visitors that use the network daily. If port 25 is blocked how can outlook users send/receive email?

Use port 587 instead

Blocking port 25 would only be a problem if they are using an external SMTP server, and even then, as was pointed out, most SMTP providers allow for an alternate port for when port 25 is blocked.

I would at the very least get a second IP address for the mail server to keep that secure even if the workstation one is listed.

Getting another IP for the vendors (directly to the internet, no internal connection) is another thing I have done. Cable with a wireless router is nice for this because often visitors are in a certain area (conference rooms, for instance).