Full Version: [Resolved] my client is blacklisted though spamcops
aarnold
It says I have to be an admin of Covad to delist. I do not have access to that. What should I do?

Their IP is: 67.103.70.198
StevenUnderwood
QUOTE(aarnold @ Jul 16 2008, 05:21 PM) *
It says I have to be an admin of Covad to delist. I do not have access to that. What should I do?

Their IP is: 67.103.70.198

There are no public reports in the last 90 days against this IP address.
QUOTE
67.103.70.198 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 7 hours.

Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Have you fixed the source of the spamtrap hits? Otherwise, your delisting is likely to get undone quickly and there is only one chance for that. Then you could:
1. Good: wait the current 7 hours for it to delist.
2. Better: contact Covad to immediately delist you.
3. Best: contact deputies[at]admin.spamcop.net. They will be able to tell you what kind of spamtrap traffic was being seen (Out of Office or some other automatic reply, misdirected bounces, or typical spam because of a corrupted machine) and whether it has been continuing. If there are no recent spamtrap hits and you convince them you have fixed the problem, they can delist you immediately.

Good luck

P.S. You may want to hold off on that delisting... if you follow the links to SenderBase information, you will see:
Volume Statistics for this IP
            Magnitude   Vol Change vs. Last Month
Last day    3.5         1948%
Last month  2.2

Is there a reason more than 3000 messages have been seen by the SenderBase network servers in the last day? You will need to explain that number before anyone believes you have fixed the issue.
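As an added illustration of the listing check Steven describes (this is not code from the thread or from SpamCop): a DNSBL lookup reverses the IP's octets under the list's zone and treats a 127.0.0.x answer as a listing code, which is how bl.spamcop.net and ix.dnsbl.manitu.net reported 127.0.0.2 for this address. The resolver answers below are constructed to mirror what the thread saw so the code runs offline; `live_resolve` is the real-lookup variant.

```python
import ipaddress
import socket

# Blocklist zones named in this thread. Both answered 127.0.0.2 for 67.103.70.198.
ZONES = ["bl.spamcop.net", "ix.dnsbl.manitu.net"]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 67.103.70.198 -> 198.70.103.67.bl.spamcop.net."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def check_dnsbls(ip, zones, resolve):
    """Return {zone: [listing codes]}; an empty list means not listed in that zone.

    `resolve(name)` must return the A records for `name` as strings ([] on NXDOMAIN).
    Only answers inside 127.0.0.0/8 count as listing codes: anything else (for
    example an ISP wildcard answer) is dropped rather than reported as a listing.
    """
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    hits = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        hits[zone] = [a for a in answers if ipaddress.IPv4Address(a) in loopback]
    return hits

def live_resolve(name):
    """Real lookup via the system resolver; NXDOMAIN surfaces as gaierror -> []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

# Constructed answers reproducing the state seen in the thread, so this runs offline.
# 192.0.2.1 is a documentation address standing in for a clean host; its bogus
# non-127 answer shows why the loopback filter in check_dnsbls matters.
CONSTRUCTED_ANSWERS = {
    "198.70.103.67.bl.spamcop.net": ["127.0.0.2"],
    "198.70.103.67.ix.dnsbl.manitu.net": ["127.0.0.2"],
    "1.2.0.192.bl.spamcop.net": ["198.51.100.7"],
}

def constructed_resolve(name):
    return CONSTRUCTED_ANSWERS.get(name, [])

if __name__ == "__main__":
    for ip in ("67.103.70.198", "192.0.2.1"):
        print(ip, check_dnsbls(ip, ZONES, constructed_resolve))
```

Swap `constructed_resolve` for `live_resolve` to query the real lists; an answer of 127.0.0.2 from bl.spamcop.net is the listing the thread is about.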
aarnold
There was a system on the network that was heavily infected; it has been removed. There's a good chance it was sending out bogus emails.
Wazoo
QUOTE(aarnold @ Jul 16 2008, 04:55 PM) *
There was a system on the network that was heavily infected; it has been removed. There's a good chance it was sending out bogus emails.

It's been over a half-hour since Steven's post. SenderBase is showing something is still going strong.

http://www.senderbase.org/senderbase_queri...g=67.103.70.198

Volume Statistics for this IP
            Magnitude   Vol Change vs. Last Month
Last day    3.5         1949%
Last month  2.2

You didn't try to justify this much e-mail traffic, so it would appear that the problem isn't fixed yet.

h-67-103-70-198.lsanca54.covad.net .. is this really an e-mail server?
aarnold
QUOTE(Wazoo @ Jul 16 2008, 05:09 PM) *
It's been over a half-hour since Steven's post. SenderBase is showing something is still going strong.

http://www.senderbase.org/senderbase_queri...g=67.103.70.198

Volume Statistics for this IP
            Magnitude   Vol Change vs. Last Month
Last day    3.5         1949%
Last month  2.2

You didn't try to justify this much e-mail traffic, so it would appear that the problem isn't fixed yet.

h-67-103-70-198.lsanca54.covad.net .. is this really an e-mail server?

It's showing 1945% on mine. We have no mail servers by that name. Covad is our ISP for our T1 line.
StevenUnderwood
QUOTE(aarnold @ Jul 16 2008, 06:46 PM) *
It's showing 1945% on mine. We have no mail servers by that name. Covad is our ISP for our T1 line.

Mine too at the moment... 1945%

If you do not have a mail server, then you should be using your ISP's mail server as many systems will block your mail just because of that name.
aarnold
QUOTE(StevenUnderwood @ Jul 16 2008, 05:50 PM) *
Mine too at the moment... 1945%

If you do not have a mail server, then you should be using your ISP's mail server as many systems will block your mail just because of that name.

We have an Exchange server inside our LAN. We don't use Covad mail services.

BTW, I love your quote at the bottom.. hehe

So at this point I think I found the problem machine, which I took care of about 6 hours ago. SpamCop said they haven't had any more spam messages come in for close to 20 hours.

Should I ask them to delist me now?
Merlyn
It is still rising
67.103.70.198
Last day    3.5   1947%
Last month  2.2

A lot of junk spewing from that IP. Nothing has been fixed yet.

You were also in the CBL, but you requested removal:

IP Address 67.103.70.198 is not currently listed in the CBL.
It was previously listed, but was removed at 2008-07-16 18:56 GMT

You also just made it on
NIXSPAM automatically generated entries: ix.dnsbl.manitu.net -> 127.0.0.2
Latest spam received via pk.netcologne.de at Wed, 16 Jul 2008 03:40:35 +0200, see http://www.dnsbl.manitu.net/lookup.php?value=67.103.70.198

Microsoft Exchange Server
StevenUnderwood
QUOTE(aarnold @ Jul 16 2008, 07:03 PM) *
SpamCop said they haven't had any more spam messages come in for close to 20 hours.

Should I ask them to delist me now?

If you have been in contact with them, you should be asking them that question... as stated earlier, they are the only ones who can see what was going out.

It is very strange ONLY to hit spamcop traps and not see any spamcop reports.
Wazoo
QUOTE(aarnold @ Jul 16 2008, 06:03 PM) *
We have an Exchange server inside our LAN. We don't use Covad mail services.

Somewhat confusing. Does this e-mail server handle both incoming and outgoing? Is there actually an MX record for this server? Yet again, you've really not touched the "expected" traffic flow from this server if there is any outgoing ...????
QUOTE
So at this point I think I found the problem machine, which I took care of about 6 hours ago. SpamCop said they haven't had any more spam messages come in for close to 20 hours.

Without your definition of 'expected' e-mail traffic, it's hard to analyze the SenderBase numbers from this side of the screen. Historically, if there was an infected/compromised machine that was the single source of a massive outbreak of spew, the numbers would normally have dropped dramatically over (your 6 hour reference, making it almost) 10 hours now.

http://spamcop.net/w3m?action=checkblock;ip=67.103.70.198
67.103.70.198 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 1 hours.

Volume Statistics for this IP
            Magnitude   Vol Change vs. Last Month
Last day    3.4         1382%
Last month  2.2

Some drop-off, but not what would normally be expected.
aarnold
The client has been whitelisted, and SenderBase shows -1%, which is good. This thread can be closed.

thanks for the help guys!
Telarin
One tip that might prevent this in the future. I am guessing from the information that you have given that your mail server and the workstations on your LAN all share the same public IP through some type of NAT-enabled router. If that is the case, consider configuring your router to block any outgoing traffic on port 25 that does not originate from your mail server. This will prevent infected machines on your network from sending email directly to the internet, and will generally prevent this type of problem in the future.
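Added example, not from the thread or from Telarin: iptables rules for a Linux-based NAT router that implement the tip above, plus a parser for the LOG entries those rules produce, so the internal machine making the blocked port 25 attempts can be identified rather than only silenced. The LAN range, mail server address and syslog lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed addresses: an RFC 1918 LAN and a hypothetical Exchange server inside it.
LAN = ipaddress.IPv4Network("192.168.1.0/24")
MAIL_SERVER = ipaddress.IPv4Address("192.168.1.10")
LOG_PREFIX = "SMTP-EGRESS-BLOCK "

def iptables_rules(lan, mail_server, prefix=LOG_PREFIX):
    """FORWARD-chain rules for a Linux NAT router: the mail server may send on TCP/25,
    every other LAN host is logged and then dropped. Order matters: ACCEPT comes first."""
    return [
        f"iptables -A FORWARD -s {mail_server} -p tcp --dport 25 -j ACCEPT",
        f"iptables -A FORWARD -s {lan} -p tcp --dport 25 -j LOG --log-prefix '{prefix}'",
        f"iptables -A FORWARD -s {lan} -p tcp --dport 25 -j DROP",
    ]

# Fields the kernel writes for a LOG target; only SRC, DST and DPT are needed here.
_LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dport>\d+)")

def infected_candidates(log_lines, prefix=LOG_PREFIX):
    """Count blocked outbound SMTP attempts per internal source address.
    A workstation that shows up here is the machine to pull off the network."""
    counts = Counter()
    for line in log_lines:
        if prefix.strip() not in line:
            continue  # some other rule's log entry
        m = _LOG_RE.search(line)
        if m and m.group("dport") == "25":
            counts[m.group("src")] += 1
    return counts

# Constructed syslog lines in the shape the rules above produce (203.0.113.x is documentation space).
SAMPLE_LOG = [
    "Jul 16 17:21:03 gw kernel: SMTP-EGRESS-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.25 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4711 DF PROTO=TCP SPT=51234 DPT=25 WINDOW=65535 SYN",
    "Jul 16 17:21:03 gw kernel: SMTP-EGRESS-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.80 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4712 DF PROTO=TCP SPT=51235 DPT=25 WINDOW=65535 SYN",
    "Jul 16 17:21:04 gw kernel: SMTP-EGRESS-BLOCK IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4713 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=65535 SYN",
    "Jul 16 17:21:05 gw kernel: OTHER-RULE IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40002 DPT=443 WINDOW=65535 SYN",
]

if __name__ == "__main__":
    print("\n".join(iptables_rules(LAN, MAIL_SERVER)))
    print(infected_candidates(SAMPLE_LOG).most_common())
```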
Merlyn
QUOTE(Telarin @ Jul 17 2008, 02:21 PM) *
One tip that might prevent this in the future. I am guessing from the information that you have given that your mail server and the workstations on your LAN all share the same public IP through some type of NAT-enabled router. If that is the case, consider configuring your router to block any outgoing traffic on port 25 that does not originate from your mail server. This will prevent infected machines on your network from sending email directly to the internet, and will generally prevent this type of problem in the future.

It looks like he has his exchange server connected directly to the web:
SMTP - 25 220 xxxx.xxxx.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Thu, 17 Jul 2008 11:55:55 -0700
POP3 - 110 +OK Microsoft Exchange Server 2003 POP3 server version 6.5.7638.1 (xxxx.xxxx.com) ready.
IMAP - 143 * OK Microsoft Exchange Server 2003 IMAP4rev1 server version 6.5.7638.1 (xxxx.xxxx.com) ready.
He shut down the SMTP service yesterday and just turned it back on a while ago.
Telarin
QUOTE(Merlyn @ Jul 17 2008, 02:01 PM) *
It looks like he has his exchange server connected directly to the web:
SMTP - 25 220 xxxx.xxxx.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Thu, 17 Jul 2008 11:55:55 -0700
POP3 - 110 +OK Microsoft Exchange Server 2003 POP3 server version 6.5.7638.1 (xxxx.xxxx.com) ready.
IMAP - 143 * OK Microsoft Exchange Server 2003 IMAP4rev1 server version 6.5.7638.1 (xxxx.xxxx.com) ready.
He shut down the SMTP service yesterday and just turned it back on a while ago.

There really wouldn't be a way to tell from outside if that exchange server is sitting behind a NAT appliance with port forwarding enabled.
Merlyn
QUOTE(Telarin @ Jul 17 2008, 03:26 PM) *
There really wouldn't be a way to tell from outside if that exchange server is sitting behind a NAT appliance with port forwarding enabled.

True! Thanks