vookenmeister

Members
  • Content Count

    7
  • Joined

  • Last visited

Community Reputation

0 Neutral

About vookenmeister

  • Rank
    Newbie
  1. Hi.... I'm sending this post for 2 reasons. 1) Complain about deputies[at]spamcop.net 2) Summarize my post about my trials over the last 2 days of figuring out why our business mail server was blacklisted. Good news is we have 1 hour left till we are FREE...

    -------------------------
    204.194.72.241 listed in bl.spamcop.net (127.0.0.2)
    Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users.
    It has been sending mail consistently for at least 99.0 days.
    It has been listed for 47 hours.
    -------------------------

    In an hour, I can stop redirecting our corporate email over slow links and send it back to our main server and out our 100M ethernet internet connection.

    Deputies[at]spamcop.net. I sent an email and got a short, less than helpful reply. I sent a reply to their reply and never heard back.

    Summary
    - we got blacklisted with no warning or reason. I found out due to a bounced email.
    - I visited spamcop.net and entered our IP, 204.194.72.241. It said we had received less than 10 complaints from less than 10 users. What does that mean? 1 user complained? 7? Certainly can't tell. Especially because the example trail on the site was anonymous.
    - so no warnings due to a mole and no evidence on what caused it. Great!
    - I sent an email to bl[at]admin.spamcop.net for help
    - NO REPLY for hours
    - visited this forum (BINGO!!!). Special thanks to those who helped.
    - got some excellent advice.
    - was told to email deputies[at]spamcop.net for the evidence
    - got the evidence and asked for more guidance. <crickets chirping> Yes, silence is all I got. No reply back from deputies.

    Apparently multiple times our mail server received emails to invalid recipients and sent bounce messages back to the from address (probably forged by Mydoom). We deny email to invalid users BEFORE checking for viruses. We do not send virus notifications. Anyways, one of these forged from addresses must have been a spamtrap or mole (which is why we got ZERO notice and there was ZERO evidence). The "mole" reported our server and we got added to the blacklist. Explained the issue to deputies but was told we would be delisted in 48 hours. Great. Thanks for nothing!!!

    Anyways, having an architecture discussion in the morning with our CIO. Apparently, SOLELY because of spamcop (we are not delisted anywhere else on the Internet), we need to do one of two things:
    1) Stop sending bounces for emails delivered to unknown recipients.
    2) Find a way to deny the email via smtp rejection codes at our perimeter.
    We'd prefer #2. However, I don't think it's technically possible since our outside MX server simply accepts emails, checks it for spam, and then forwards it to our internal mail server (which checks for viruses and unknown recipients).

    LASTLY, SPECIAL THANKS TO THIS FORUM. I haven't gotten much real work done, but I learned a lot.

    - paul
  2. vookenmeister

    why is 204.194.72.241 listed? need help

    We don't send virus notifications. Fully agree on that. We do send bounce notifications. Here's our dilemma: We use Ciphertrust's Ironmail product to accept the email and then deliver it to our internal servers. Unfortunately, email sent to bad recipients is not flagged until it reaches our internal servers. Thus, we can't deny email and send a bounce-reply back to the original server as it's occurring (that I know of). We can only send bounces back to the sender.

    It sounds like our best course of action is to turn off our bounce replies completely. I'm gonna call Ciphertrust, our vendor, and see if there's some way this server can do an LDAP lookup to our internal Notes servers to verify the username exists. If we can do that, then we can deny the email as we receive it (and thus the bounce will go back to the server sending the message and not to the forged "from" address... I think. Not too sure.)

    Anyway, if anybody's got some clever ideas... I'm all ears. Thanks for all the advice so far.

    - paul
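The two perimeter policies weighed in this post and in the post above it (accept the message and bounce it later, versus answer 550 at RCPT TO once a directory lookup says the mailbox does not exist), as an added example that is not part of the thread and not CipherTrust IronMail or Lotus Notes code: a small simulation of one inbound SMTP session under each policy. The recipient directory is a constructed stand-in for the LDAP lookup the post asks the vendor about; the hostnames, the `reject_at_rcpt` switch and the session transcript are assumptions; the bounce sender address and the forged-sender/bad-recipient pair come from the thread, written with `@` instead of the forum's `[at]`.

```python
"""Reject-at-RCPT versus accept-then-bounce: one forged message, two perimeter policies."""
from dataclasses import dataclass, field

# Constructed stand-in for the LDAP lookup against the internal Notes directory
# that the post asks the IronMail vendor about. Only these mailboxes exist.
VALID_RECIPIENTS = {"postmaster@caci.com", "pgordon@caci.com"}
BOUNCE_SENDER = "cacimta/caci@caci.com"   # bounce address seen in the thread's log trail


def recipient_exists(address: str) -> bool:
    """Stand-in for the directory lookup the perimeter MX would do at RCPT time."""
    return address.lower() in VALID_RECIPIENTS


@dataclass
class Outcome:
    replies: list = field(default_factory=list)  # our SMTP replies, in order
    dsns: list = field(default_factory=list)     # (dsn_from, dsn_to, reason) we originate
    accepted: bool = False                       # did we take responsibility for the message?


def smtp_session(commands, reject_at_rcpt: bool) -> Outcome:
    """Run one inbound session. `commands` is the client side only; "DATA" stands
    for DATA plus the message body plus the terminating "." line.

    reject_at_rcpt=True  -> option 2 in the thread: answer 550 at RCPT TO, so the
                            *connecting* MTA owns any failure notice and nothing is queued.
    reject_at_rcpt=False -> accept, discover the bad recipient later, and mail a DSN
                            to the envelope sender, i.e. to whoever was forged (backscatter).
    """
    out = Outcome()
    mail_from = None
    accepted_rcpts, unknown_rcpts = [], []
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            out.replies.append("250 mx.example.invalid")          # assumed perimeter hostname
        elif verb == "MAIL":
            mail_from = arg.split(":", 1)[1].strip().strip("<>")   # "" for the null sender
            out.replies.append("250 2.1.0 Sender ok")
        elif verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip().strip("<>")
            if reject_at_rcpt and not recipient_exists(rcpt):
                # Fail inside the session: nothing is queued, no DSN is ever built by us.
                out.replies.append(f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown")
                continue
            if not recipient_exists(rcpt):
                unknown_rcpts.append(rcpt)       # we said yes to something we cannot deliver
            accepted_rcpts.append(rcpt)
            out.replies.append("250 2.1.5 Recipient ok")
        elif verb == "DATA":
            if not accepted_rcpts:
                out.replies.append("503 5.5.1 Need RCPT (recipient)")
                continue
            out.replies.append("250 2.0.0 Message accepted for delivery")
            out.accepted = True
        elif verb == "QUIT":
            out.replies.append("221 2.0.0 closing connection")
    # Only the accept-then-bounce path ever reaches here with unknown recipients.
    for rcpt in unknown_rcpts:
        if not mail_from:
            continue   # RFC 5321: never bounce a message with a null reverse-path (loop guard)
        out.dsns.append((BOUNCE_SENDER, mail_from, f"{rcpt}: user unknown"))
    return out


# Constructed transcript of a MyDoom-style message: forged sender, nonexistent recipient.
FORGED_SESSION = [
    "EHLO infected-pc.example.invalid",
    "MAIL FROM:<johnmiller@nasw.org>",
    "RCPT TO:<baduser@caci.com>",
    "DATA",
    "QUIT",
]


def backscatter_targets(commands) -> dict:
    """Who would receive a bounce from us under each policy for this session."""
    return {
        "accept_then_bounce": [to for _, to, _ in smtp_session(commands, False).dsns],
        "reject_at_rcpt": [to for _, to, _ in smtp_session(commands, True).dsns],
    }


if __name__ == "__main__":
    for policy, targets in backscatter_targets(FORGED_SESSION).items():
        print(f"{policy:19s} -> bounce goes to: {targets or 'nobody'}")
```

Under `reject_at_rcpt` the forged `johnmiller@nasw.org` never hears from this server at all: the 550 is returned to the connecting host, and a worm or spam engine simply drops it. Under accept-then-bounce the same session ends with a DSN addressed to the forged sender, which is exactly the message that got reported. The null-sender check matters in the second mode, because a DSN that bounces is itself sent with `MAIL FROM:<>`, and bouncing that would start a loop.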
  3. vookenmeister

    why is 204.194.72.241 listed? need help

    All, deputies replied and sent me the headers on the email complaint. I just replied back with the very long email complaint that I will include below. Bottom line is the complaint was generated due to a "bounced email message warning" that we return. That's what the "report to Sender" subject line is. We use the bounce replies to let valid users know that their mail did not reach the recipient. I wonder if it's time for our company to stop sending bounce replies. This is not a decision I can make in a vacuum. Anybody have opinions on this?

    -------------------------------------------------------------------------------------

    Don,

    In a nutshell, I think this is crap. The complaint that is referenced below was not from a spam email. Unless you consider a bounced reply message spam.

    Our business-purpose email server sends about 50,000 messages a day from caci.com employees. I just checked through our mail logs. On Sunday, there was one message sent to nicar.org (johnmiller[at]nasw.org). The message sent was a bounce reply (from our internal Notes smtp server, 10.11.4.62) to an email sent to a bad recipient at caci.com. Our bounce replies are sent from cacimta/caci[at]caci.com so I can tell this from the logs.

    I suspect this is the makings of the MyDoom virus. As we know, an infected pc can craft an email from johnmiller[at]nasw.org and send it to baduser[at]caci.com. Our email server will reply to the spoofed from address and say baduser[at]caci.com does not exist. That is probably what happened here below. If you look at your spamcop logs on your site, you'll notice a sizable peak of complaints right about when the mydoom virus was unleashed. Coincidence? I think not.

    How can we avoid being blacklisted in the future? Is this gonna force us to turn off our bounce replies? Most of our dealings are with military customers. We'd prefer to let them know if an email has bounced. However, we can't afford to get blacklisted.

    So we got a whole total of TWO COMPLAINTS and you blacklisted us!!!! Who verifies that these complaints are legitimate?? Why would you blacklist someone for 2 complaints? I realize you are trying to help rid the world of spam, but in the process you have screwed us. Do you have any other copies of the complaints that were directed about 204.194.72.241? This one is obviously bogus. I'd like to track down the "supposed" others.

    PS. I'd cc johnmiller[at]nasw.org on this reply, but I'm scared we might get blacklisted again. PLEASE FEEL FREE TO FORWARD THIS EMAIL TO THE USER WHO COMPLAINED. My phone number is below if he/she would like to call me.

    - paul

    Paul Gordon, Information Technology Scientist, CISSP, CISM, CCNA, CCNP Routing, CIS Network Operations Manager
    CACI - Federal
    1100 North Glebe Road
    Arlington, VA 22201
    703-841-4039

    Here is a trail of logs from our mailserver.

    -rw-r--r-- 1 logger system 11863001 Feb 3 02:05 smtpo.log.ends20040202mailserver1.caci.com.gz
    cpmrsdb1.hq.caci.com[8]:gzip -d smtpo.log.ends20040202mailserver1.caci.com.gz
    cpmrsdb1.hq.caci.com[9]:grep -i nicar.org smtpo.log.ends20040202mailserver1.caci.com
    325946:10:1:02012004 08:26:18:Lookup Returned. Data = <(0, 'svr1.nicar.org')>, Type = <MX>
    325946:10:1:02012004 08:26:18:Lookup Returned <[(0, 'svr1.nicar.org', ('128.206.143.228',))]>.
    325946:10:1:02012004 08:26:18:Connecting to MX <svr1.nicar.org> ....
    325946:10:1:02012004 08:26:27:reply: '220 svr1.nicar.org ESMTP Sendmail 8.12.10/8.12.10; Sun, 1 Feb 2004 13:26:27 GMT'
    325946:10:1:02012004 08:26:27:reply: '250-svr1.nicar.org Hello mailserver1.caci.com [204.194.72.241], pleased to meet you\r\n250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-EXPN\r\n250-VERB\r\n250-8BITMIME\r\n250-SIZE\r\n250-DSN\r\n250-ETRN\r\n250-DELIVERBY\r\n250 HELP'
    325946:10:1:02012004 08:26:39:reply: '221 2.0.0 svr1.nicar.org closing connection'

    cpmrsdb1.hq.caci.com[10]:grep -i 325946:10:1:02012004 smtpo.log.ends20040202mailserver1.caci.com
    325946:10:1:02012004 08:26:18:Lookup Returned. Data = <(0, 'svr1.nicar.org')>, Type = <MX>
    325946:10:1:02012004 08:26:18:Lookup Returned <[(0, 'svr1.nicar.org', ('128.206.143.228',))]>.
    325946:10:1:02012004 08:26:18:Connecting to MX <svr1.nicar.org> ....
    325946:10:1:02012004 08:26:27:reply: '220 svr1.nicar.org ESMTP Sendmail 8.12.10/8.12.10; Sun, 1 Feb 2004 13:26:27 GMT'
    325946:10:1:02012004 08:26:27:reply: '250-svr1.nicar.org Hello mailserver1.caci.com [204.194.72.241], pleased to meet you\r\n250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-EXPN\r\n250-VERB\r\n250-8BITMIME\r\n250-SIZE\r\n250-DSN\r\n250-ETRN\r\n250-DELIVERBY\r\n250 HELP'
    325946:10:1:02012004 08:26:39:reply: '221 2.0.0 svr1.nicar.org closing connection'

    cpmrsdb1.hq.caci.com[10]:grep 325946:10:1:02012004 smtpo.log.ends20040202mailserver1.caci.com
    325946:10:1:02012004 08:26:18:Starting to process for domain <nasw.org> and msgids <[30680808]>
    325946:10:1:02012004 08:26:18:Processing nasw.org
    325946:10:1:02012004 08:26:18:Lookup Returned. Data = <(0, 'svr1.nicar.org')>, Type = <MX>
    325946:10:1:02012004 08:26:18:Lookup Returned <[(0, 'svr1.nicar.org', ('128.206.143.228',))]>.
    325946:10:1:02012004 08:26:18:Connecting to Domain nasw.org
    325946:10:1:02012004 08:26:18:Block time out set to = (300) seconds.
    325946:10:1:02012004 08:26:18:Connecting to MX <svr1.nicar.org> ....
    325946:10:1:02012004 08:26:18:Connecting to A <128.206.143.228> ....
    325946:10:1:02012004 08:26:27:reply: '220 svr1.nicar.org ESMTP Sendmail 8.12.10/8.12.10; Sun, 1 Feb 2004 13:26:27 GMT'
    325946:10:1:02012004 08:26:27:Connection Status ------<1>
    325946:10:1:02012004 08:26:27:reply: '250-svr1.nicar.org Hello mailserver1.caci.com [204.194.72.241], pleased to meet you\r\n250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-EXPN\r\n250-VERB\r\n250-8BITMIME\r\n250-SIZE\r\n250-DSN\r\n250-ETRN\r\n250-DELIVERBY\r\n250 HELP'
    325946:10:1:02012004 08:26:27:Starting SendSmtpMsg for msg_id <30680808> in domain <nasw.org>
    325946:10:1:02012004 08:26:27:Sendmail Begin from : cacimta/caci[at]caci.com
    325946:10:1:02012004 08:26:27:Sending MAIL FROM: <cacimta/caci[at]caci.com> size=707
    325946:10:1:02012004 08:26:28:reply: '250 2.1.0 <cacimta/caci[at]caci.com>... Sender ok'
    325946:10:1:02012004 08:26:28:Sending RCPT TO: <johnmiller[at]nasw.org>
    325946:10:1:02012004 08:26:28:reply: '250 2.1.5 <johnmiller[at]nasw.org>... Recipient ok'
    325946:10:1:02012004 08:26:28:Sending DATA
    325946:10:1:02012004 08:26:28:reply: '354 Enter mail, end with "." on a line by itself'
    325946:10:1:02012004 08:26:28:RETR COMMAND RECEIVED ('/ct/data/mss/00/03/06/80/810',)
    325946:10:1:02012004 08:26:39:reply: '250 2.0.0 i11DQQYJ010374 Message accepted for delivery'
    325946:10:1:02012004 08:26:39:LOG_STAT|cacimta/caci[at]caci.com|['johnmiller[at]nasw.org']|707|2004/02/01 08:26:39|0
    325946:10:1:02012004 08:26:39:Sending RSET
    325946:10:1:02012004 08:26:39:reply: '250 2.0.0 Reset state'
    325946:10:1:02012004 08:26:39:Closing SMTP Connection
    325946:10:1:02012004 08:26:39:reply: '221 2.0.0 svr1.nicar.org closing connection'
    325946:10:1:02012004 08:26:39:Finished to process for domain <nasw.org> and msgids <[30680808]>

    SpamCop Admin <service[at]admin.spamcop.net>
    02/03/2004 12:25 AM
    To: Paul Gordon <pgordon[at]caci.com>
    cc: bl[at]admin.spamcop.net, CIS Network <CIS_Network[at]caci.com>
    Subject: Re: why is 204.194.72.241 listed as blackholed?

    Paul Gordon writes:
    >One of our users recently received an email that our main mail server,
    >204.194.72.241 or mailserver1.caci.com, was being blacklisted by
    >blacklist.bl.spamcop.net.

    204.194.72.241 has been sending spam to our users and to our spamtraps. Not a lot, but enough to get it listed. The spam appears to have stopped about 24 hours ago. The server will automatically come off our list 48 hours after the last complaint came in.

    http://www.spamcop.net/sc?id=z278998573z25...05be1ca647c284z

    You can use that link to review the headers from the recent user complaint. The complaint was sent to postmaster[at]caci.com

    http://www.spamcop.net/w3m?action=checkblo...=204.194.72.241

    - Don -
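The grep-and-read exercise in the log trail above, as an added example that is not the thread's own tooling and not IronMail's: a parser for `LOG_STAT` records in the layout of that excerpt (`session:n:n:MMDDYYYY HH:MM:SS:LOG_STAT|sender|[recipients]|size|timestamp|status`) that totals deliveries sent from the bounce address per destination domain and per hour, and maps a complained-about recipient back to the session id whose full trace you would then grep for. The log lines embedded below are constructed: the first session mirrors the one in the post, the other sessions and every `example.net`/`example.org` address are invented, and addresses are written with `@` rather than the forum's `[at]`.

```python
"""Audit an MTA's outbound log for bounce (DSN) deliveries, i.e. backscatter we sent."""
import re
from collections import Counter

# One LOG_STAT record per delivered message, in the layout of the thread's smtpo.log
# excerpt:  session:n:n:MMDDYYYY HH:MM:SS:LOG_STAT|sender|[recipients]|size|timestamp|status
LOG_STAT_RE = re.compile(
    r"^(?P<session>\d+):\d+:\d+:(?P<mmddyyyy>\d{8}) (?P<time>\d\d:\d\d:\d\d):"
    r"LOG_STAT\|(?P<sender>[^|]*)\|\[(?P<rcpts>[^\]]*)\]\|(?P<size>\d+)\|(?P<stamp>[^|]+)\|(?P<status>\d+)\s*$"
)
BOUNCE_SENDER = "cacimta/caci@caci.com"   # the bounce address named in the post

# Constructed sample log. The first session mirrors the excerpt in the post; the other
# sessions, and every example.net/example.org address, are invented for illustration.
SAMPLE_LOG = """\
325946:10:1:02012004 08:26:18:Starting to process for domain <nasw.org> and msgids <[30680808]>
325946:10:1:02012004 08:26:27:Sending MAIL FROM: <cacimta/caci@caci.com> size=707
325946:10:1:02012004 08:26:39:LOG_STAT|cacimta/caci@caci.com|['johnmiller@nasw.org']|707|2004/02/01 08:26:39|0
325947:10:1:02012004 08:31:02:LOG_STAT|pgordon@caci.com|['alice@example.net']|2048|2004/02/01 08:31:02|0
325948:10:1:02012004 08:31:45:LOG_STAT|cacimta/caci@caci.com|['bob@example.net', 'carol@example.net']|690|2004/02/01 08:31:45|0
325949:10:1:02012004 09:02:11:LOG_STAT|cacimta/caci@caci.com|['dave@example.org']|701|2004/02/01 09:02:11|0
"""


def parse_log_stat(line: str):
    """Return the fields of a LOG_STAT record, or None for any other log line."""
    m = LOG_STAT_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rcpts"] = re.findall(r"'([^']*)'", rec["rcpts"])   # "['a@b', 'c@d']" -> ["a@b", "c@d"]
    rec["size"], rec["status"] = int(rec["size"]), int(rec["status"])
    return rec


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def backscatter_report(lines, bounce_sender: str = BOUNCE_SENDER) -> dict:
    """Count deliveries whose envelope sender is the bounce address, per domain and per hour.

    A spike in the per-hour counts, or many bounces to one domain, is the signal the post
    had to dig out by hand with grep: the server is answering forged mail with DSNs.
    """
    total, dsn_recipients = 0, []
    per_domain, per_hour = Counter(), Counter()
    for rec in map(parse_log_stat, lines):
        if rec is None:
            continue
        total += 1
        if rec["sender"].lower() != bounce_sender.lower():
            continue                        # ordinary user mail, not a DSN
        for rcpt in rec["rcpts"]:
            dsn_recipients.append((rec["stamp"], rcpt))
            per_domain[domain_of(rcpt)] += 1
            per_hour[rec["stamp"][:13]] += 1    # "YYYY/MM/DD HH"
    return {"messages": total, "dsn_count": len(dsn_recipients),
            "per_domain": per_domain, "per_hour": per_hour, "dsn_recipients": dsn_recipients}


def sessions_for_recipient(lines, address: str):
    """Session ids that delivered to `address`; grep the id to pull the full SMTP trace,
    which is how the post tied one SpamCop complaint back to one bounce."""
    wanted = address.lower()
    return sorted({rec["session"] for rec in map(parse_log_stat, lines)
                   if rec and wanted in (r.lower() for r in rec["rcpts"])})


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    report = backscatter_report(log_lines)
    print(f"{report['dsn_count']} bounce deliveries out of {report['messages']} messages")
    for domain, n in report["per_domain"].most_common():
        print(f"  {domain:<14} {n}")
    print("sessions for johnmiller@nasw.org:", sessions_for_recipient(log_lines, "johnmiller@nasw.org"))
```

Run it against the real `smtpo.log` instead of `SAMPLE_LOG` (`backscatter_report(open(path))`) and the per-hour counter gives the bounce volume the listing was based on; any recipient domain that keeps showing up is either a forged sender being hammered by a worm or a spamtrap, and either way the cure is the same as in the thread: stop generating the DSN.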
  4. vookenmeister

    why is 204.194.72.241 listed? need help

    Chris, Thanks for your help. This is painful. I really appreciate your going out of your way. It's been a very frustrating day.

    All I know is I come into work today and our main mailserver is blackholed. Not everywhere... ONLY on spamcop. With no notification whatsoever. We've had issues before over my 7 years working here. We even got "mail relayed" 3 or 4 years back. However, on those occasions I actually had a Spamcop warning delivered to postmaster[at]caci.com with the offending email inside. This time I got nothing via postmaster or abuse[at]caci.com. (Although it's possible an email was sent to my boss' old address at emartin[at]hq.caci.com because that is how 204.194.72/22 is listed at ARIN. We flag mail headed to that as spam so he might've deleted it.)

    I go to Spamcop and maybe I don't know how to navigate the site well, but basically it is useless. No info on why we're being blocked or what we can do to stop it. It just says less than 10 users complained less than 10 times. I don't want to wait 48 hours for it to go away. Especially since whatever caused us to get blackholed might happen again.

    Anyways, I really do appreciate your assistance in the matter. At least you directed me to deputies[at]spamcop.net. Hopefully, they will give me the info I need. A quick lookup of caci.com will show my email and phone number as the POC. A quick visit to www.caci.com will show that we are just defense contractors. I'll post back whenever I have the resolution to this....

    - paul
  5. vookenmeister

    why is 204.194.72.241 listed? need help

    Jeff, How can I tell 204.194.72.241 is sending email to Spamtraps? Can you at least give me an email address that we supposedly sent to or anything? I manage the logs on this firewall/email server (it is Ciphertrust's Ironmail by the way). I can go look it up. I can be reached at 703-841-4039 or pgordon[at]caci.com or postmaster[at]caci.com if you prefer not to post online.

    All I want to do is get this server "working" again. CACI is not in the business of spamming. We are just a defense contractor. I've had to redirect all of our company's outbound mail across a saturated T-1 to a different server to avoid email bouncing due to spamcop's blackhole list. I'd like to prevent what caused this from occurring again....

    Still no reply from bl[at]admin.spamcop.net or deputies[at]spamcop.net

    - paul
  6. vookenmeister

    why is 204.194.72.241 listed? need help

    Chris, Thanks for the feedback. I sent an email to bl[at]admin.spamcop.net earlier today asking for info. Haven't received a reply yet. It's unfortunate that the two complainers didn't supply any info. How can we figure out the problem without any info?

    Anyways, we're just a normal defense contractor. We are not in the business of sending out unsolicited emails. It's possible a trusted server was abused/relayed. However, I can't track down the whereabouts or what happened without any info. <sigh>

    - paul
  7. Hi! One of our users recently received an email that our main mail server, 204.194.72.241 or mailserver1.caci.com, was being blacklisted by blacklist.bl.spamcop.net. I visited the site and entered info on the IP per this URL (http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=204.194.72.241). However, I was unable to see any valid reasons or statistics for the IP being listed. Just a notice that it was listed less than 10 times by less than 10 users. Senderbase does not show our IP as being currently blocked nor does it say whether it was blocked before (if it was) or anything.

    I receive all email directed to postmaster[at]caci.com, but didn't see any spamcop alerts recently. Why is our IP showing up at spamcop.net and how can we "fix" it? Please advise.

    Thanks,
    Paul