safendoulis

Members
  • Content Count

    11
  • Joined

  • Last visited

Community Reputation

0 Neutral

About safendoulis

  • Rank
    Member
  1. safendoulis

    Sender was blocked by not on BL

    OK... to answer my own question... for the benefit of others who don't live & breathe this day-in-and-day-out... See http://securityresponse.symantec.com/avcen...jan.kalshi.html "Discovered on: October 10, 2003 Last Updated on: October 24, 2003 10:39:59 AM Trojan.Kalshi is a Trojan Horse that spammers use to anonymously send spam messages. This Trojan may arrive in an install package that includes Backdoor.HackDefender, a rootkit used to hide its malicious activities. Definitions dated October 13, 2003 or earlier may detect this threat as W32.Kalshi.A[at]mm." As Wazoo points out... been happening for some time now. Stefan
  2. safendoulis

    Sender was blocked by not on BL

    Miss Betsy, I totally agree. Tony recognised it was better to move on and has now done so. From a learning perspective it was important to understand what occurred and why so I think this exercise was valid. Personally I needed to be sure I understood this issue too so thank you all for your contributions and patience. I'm glad forums like this exist. Stefan
  3. safendoulis

    Sender was blocked by not on BL

    Sorry Wazoo... I knew that viruses were now carrying their own SMTP servers but missed the whole "remote control" aspect in relation to sending of spam. This is how we learn, so I appreciate you pointing that out. I'll take a walk through the FAQ, but perhaps you can cite some viruses/worms/trojans that exhibit this behaviour. I'd like to look at what Symantec/McAfee etc. have to say on these. Stefan
  4. safendoulis

    Sender was blocked by not on BL

    Here's the ISP's comeback. My brother has moved on, causing a disruption to his business. Comments please:

    1. I have not heard of spammers using "infected" machines, open-relays unbeknown to the owner yes, but have there been viruses developed in anticipation of using them as open-relays later? Do you think the writer means to say viruses can spawn spam from infected machines?

    2. The writer cites mx4.hotmail.com as an example of server name spoofing. To my knowledge a server name or an IP address can get onto a blacklist. Is it a fair question to ask whether the Chinese IP address or the server mx4.hotmail.com deemed this email as spam in this case? I am not sure this demonstrates more than the fact that email headers can be forged. In any case, the wording clearly is designed to imply Hotmail gets blacklisted too (which I am sure they do).

    3. The writer implies it is impossible to identify the subscriber guilty of spamming because he obscures the email address. As far as I am aware ISPs log the IP addresses assigned to a given account against a timeline. Shouldn't that allow them to see who really sent the mail, or at least give them a starting point?

    ***TOP***

    Hi Tony

    It feels as if I have been misunderstood in the comments that I have given in regards to the blacklists. Let me try and explain. If a spammer wants to send spam, the last thing he wants is somebody to catch him. Instead of using his own e-mail address as a return address, he would try to use any domain as an alternate reply address. Spammers have automated software applications that they use to accomplish this. They also use infected computers as "relay agents" to send their spam from. When this happens, companies like Spamcop place the domain in a list of known domains from which spam has originated. The blacklists are updated every 48 hours, so after that time a domain or IP is removed and everything would be normal.

    The problem with companies like Spamcop is that putting a domain or IP on the list affects valid mail getting through to end users, thereby "being more annoying than anything else". All ISPs have an abuse e-mail address, in our case it is abuse[at]orcon.net.nz, where network abuse notifications should be sent. We have always given these notifications top priority in dealing with, as we know it would affect business continuity of the end user. Changing the IP address of our mail server is not to avoid the notification of being blacklisted, it is purely done to get mail through. Spam is a worldwide problem affecting all ISPs, and everyone with a valid e-mail address or domain would be a target. The majority of e-mails currently sent worldwide are spam. We are constantly working on our own systems and also work with other ISPs in trying to combat spam. I gave the option of running your own mailserver purely as an alternative as opposed to running your mail services through an ISP, being us or anybody else for that matter.

    To prove to you that it's not only us having a problem, the included header information is from a spam message that I have received just a few seconds ago. The offending SMTP server is mx4.hotmail.com, however the IP address 219.136.146.86 of that mail server belongs to an IP range from an ISP in China (Chinanet-GD).

    Microsoft Mail Internet Headers Version 2.0
    Received: from dbmail-mx1.orcon.net.nz ([219.88.242.3]) by exchange02.exchangeservers.orcon.net.nz with Microsoft SMTPSVC(6.0.3790.1830); Thu, 30 Jun 2005 09:30:35 +1200
    Received-SPF: none
    Received: from smtp2.orcon.net.nz (smtp2.orcon.net.nz [219.88.242.60]) by dbmail-mx1.orcon.net.nz (8.13.2/8.13.2/Debian-1) with ESMTP id j5TLV8PB005158 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <staff[at]orcon.net.nz>; Thu, 30 Jun 2005 09:31:08 +1200
    Received: from mx4.hotmail.com ([219.136.146.86]) by smtp2.orcon.net.nz (8.13.1/8.13.1/Debian-14) with ESMTP id j5TC9QWJ015563 for <staff[at]orcon.net.nz>; Thu, 30 Jun 2005 09:26:59 +1200
    Message-Id: <200506292126.j5TC9QWJ015563[at]smtp2.orcon.net.nz>
    From: gercment[at]wanadoo.es
    Subject: Trust Needed/Investment pkcugk
    To: staff[at]orcon.net.nz
    Content-Type: text/plain
    Date: Wed, 29 Jun 2005 23:29:39 -0700
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2800.1106
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
    X-Virus-Scanned: ClamAV 0.86/960/Wed Jun 29 16:31:06 2005 on dbmail-mx1.orcon.net.nz
    X-Virus-Status: Clean
    Return-Path: sexyztcy[at]hotmail.com
    X-OriginalArrivalTime: 29 Jun 2005 21:30:35.0501 (UTC) FILETIME=[C93B81D0:01C57CF1]

    We do apologise for any inconvenience we may have caused.

    Regards
    Louie Schutte
    Corporate Account Manager
    Orcon Internet Limited
    09 444 44 74 ext 704
    021 366 123

    ***END***
  5. safendoulis

    Sender was blocked by not on BL

    ....and here is the ISP's reply. I drafted a response for my brother but I'd appreciate people's remarks. I liked the workaround they have to "get things going for the users". I bet that's all they do, since they tell Spamcop they don't want to be notified. I also like the remark "blacklist is more annoying than anything else as it does not target the problem". I'd have thought that was their responsibility, and since they issue DHCP client IP addresses they are the only party that can reconstruct which account sent the spam. Then they try to steer my brother down a road that (to the best of my knowledge) requires a static IP address, since many ISPs bounce mail received from SMTP servers at dynamic IP addresses. He could relay through an ISP's server, but then he couldn't use theirs or he'd be back at square one. Perhaps this is the way they drum up revenues: run a sloppy email service, then encourage business users to believe they need their own dedicated mail server $$$

    Stefan

    From: Louie Schutte [mailto:lschutte[at]orcon.net.nz]
    Sent: Tuesday, 28 June 2005 09:24 a.m.
    To: xxxxx[at]bikeparks.co.nz
    Subject: RE: Undeserved blacklisting

    Hi Tony

    Any ISP would have someone trying to abuse the system, and at some point the mail server's IP address would be blacklisted. The blacklist is more annoying than anything else as it does not target the problem. All ISPs have this issue and Xtra is no exception, as they have been blacklisted many times before as well. The way ISPs get around the problem would be to change the IP address of the SMTP server to allow valid traffic and then to contact the spammer, who in many cases would be an end user's computer infected by a virus. The only way to get around being blacklisted would be to run your own mailserver with its own IP address. You would then need to implement strict security rules to block anyone from using your server to relay messages, and have the box running on Linux, which will be less prone to getting infected.

    You can also run an SMTP software application on your existing machine, and there are thousands of free SMTP applications on the net that you can use.

    Hope this helps

    Regards
    Louie Schutte
    Corporate Account Manager
    Orcon Internet Limited
    09 444 44 74 ext 704
    021 366 123
  6. safendoulis

    Sender was blocked by not on BL

    Gents, I did find those reports. I agree this ISP is totally irresponsible. I have now passed on the information to my brother and recommended that he (at the very least) uses another ISP for emailing. Since he hosts his business website with them too it is not straightforward to move to another hoster, but that is something he has been considering doing. As I said earlier, there had been other issues related to poor service/performance in terms of the hosting service this ISP has provided. Thanks for everyone's help. I appreciate it. Stefan
  7. safendoulis

    Sender was blocked by not on BL

    Steven, Thanks but I can't find where I get those details from. Can you please give me directions? Thanks - Stefan
  8. The following email was blocked. I am curious to know why. I read the FAQs. The sender's address is my brother's, as is the bikeparks.co.nz domain. He has been having issues with his ISP and I'd like to know if there is something problematic in their email routing. Obviously I released it only today (Friday in Singapore) but it was sent Tuesday NZ time. I hope somebody can talk me through this. Stefan

     Return-path: <ichangedthisaddress[at]bikeparks.co.nz>
     Received: from mac.com (smtpin26-en2 [10.13.11.71]) by ms22.mac.com (iPlanet Messaging Server 5.2 Patch 2 (built Jul 14 2004)) with ESMTP id <0IIL00GKMDSF0G[at]ms22.mac.com> for ichangedthisaddress[at]mac.com; Fri, 24 Jun 2005 07:05:03 -0700 (PDT)
     Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49]) by mac.com (Xserve/smtpin26/MantshX 4.0) with ESMTP id j5OE52Di022166 for <ichangedthisaddress[at]mac.com>; Fri, 24 Jun 2005 07:05:02 -0700 (PDT)
     Received: from unknown (HELO beta.cesmail.net) (192.168.1.150) by c60.cesmail.net with SMTP; Fri, 24 Jun 2005 10:05:01 -0400
     Received: (qmail 1802 invoked by uid 0); Fri, 24 Jun 2005 14:05:01 +0000
     Received: (qmail 5238 invoked from network); Mon, 20 Jun 2005 20:48:27 +0000
     Received: from unknown (192.168.1.101) by blade1.cesmail.net with QMQP; Mon, 20 Jun 2005 20:48:27 +0000
     Received: from loadbalancer1.orcon.net.nz (HELO dbmail-mx1.orcon.net.nz) (219.88.242.3) by mailgate.cesmail.net with SMTP; Mon, 20 Jun 2005 20:48:26 +0000
     Received: from Desktop (60-234-136-101.bitstream.orcon.net.nz [60.234.136.101]) by dbmail-mx1.orcon.net.nz (8.13.2/8.13.2/Debian-1) with ESMTP id j5KKmtjN026607; Tue, 21 Jun 2005 08:49:22 +1200
     Date: Tue, 21 Jun 2005 08:48:37 +1200
     From: Xxxx Xxxxxxxx <ichangedthisaddress[at]bikeparks.co.nz>
     Subject: RE: cool clothing
     In-reply-to: <000001c57556$2cbfc610$d71ebb09[at]sg.ibm.com>
     To: ichangedthisaddress[at]spamcop.net, ichangedthisaddress[at]noelleeminggroup.co.nz
     Cc: 'Xxxxx Xxxxxxx' <ichangedthisaddress[at]spamcop.net>
     Reply-to: ichangedthisaddress[at]bikeparks.co.nz
     Message-id: <001101c575d9$746e0ed0$0301a8c0[at]Desktop>
     Organization: Bike Parks Ltd
     MIME-version: 1.0
     X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
     X-Mailer: Microsoft Outlook, Build 10.0.2616
     Content-type: multipart/alternative; boundary="----=_NextPart_000_0012_01C5763E.09A5FC10"
     Importance: Normal
     X-Priority: 3 (Normal)
     X-MSMail-priority: Normal
     Delivered-to: spamcop-net-ichangedthisaddress[at]spamcop.net
     Received-SPF: none
     X-Virus-Scanned: ClamAV version 0.85.1, clamav-milter version 0.85 on dbmail-mx1.orcon.net.nz
     X-Virus-Status: Clean
     X-spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on blade1
     X-spam-Level:
     X-spam-Status: hits=0.0 tests=HTML_MESSAGE version=3.0.2
     X-SpamCop-Checked: 192.168.1.101 219.88.242.3
     X-SpamCop-Disposition: Blocked bl.spamcop.net
     Original-recipient: ichangedthisaddress[at]mac.com
  9. I am more than ready to dig deeper. I am not discouraged at all. On the contrary, I need to understand how something as ludicrous as spam is able to proliferate. For me it's like an itch that needs to be scratched. I just don't like the fact it can happen technologically and, more so, I don't like it bothering me. I appreciate the time and thought people here put into my issue and the advice given. I will not report any spam until I have done some groundwork. Thanks folks, Stefan
  10. 202.156.64.59 was me and still is me. I didn't decide I was the spammer, SpamCop code did. Also, I am not running an email server, and all I did was submit spam (porn) that made it through SpamCop to my username[at]mac.com email address. I collected those (there were 2) emails over POP from mail.mac.com. Let me explain how I reported them: This was my first day using SpamCop. I went to the members area on spamcop.net and selected Report spam. I then clicked the Report spam tab. I was presented with an email address, e.g. submit.7IrUnLGHWxw5N4gR[at]spam.spamcop.net, or the option to cut & paste the headers on the web form. I opted to send the offending email to the provided email address from my email client. Now I suspect that what I did next *may* have some bearing on the outcome: I first "redirected" the email to the cryptic SpamCop email address provided. I am using Microsoft Entourage and this is a feature I am in the habit of using. I also forwarded both emails to the said address. I don't recall the sequence but there were 4 messages sent. When I checked back on "Past Reports" in the members area I saw this:

      Submitted: Tuesday, December 28, 2004 08:44:37 +0800: FW: Wet Motehr wants a date
      1324635587 ( 202.156.64.59 ) To: abuse[at]starhub.com

      ... if I click on the incident number then parse the results I get this:

      SpamCop v 1.393 © SpamCop.net, Inc. 1998-2004 All Rights Reserved
      Removing X-Yahoo-Forwarded: from x to safendoulis[at]spamcop.net
      Here is your TRACKING URL - it may be saved for future reference:
      http://www.spamcop.net/sc?id=z706931677z05...5f66f9983bc2e7z
      Reports regarding this spam have already been sent:
      Re: 202.156.64.59 (Administrator of network where email originates)
      Reportid: 1324635587 To: abuse[at]starhub.com
      If reported today, reports would be sent to:
      Re: 202.156.64.59 (Administrator of network where email originates) abuse[at]starhub.com
      Re: 202.156.64.59 (Third party interested in email source) spamcop[at]imaphost.com
      Re: http://myluxembourg.info/dbb07a9e731871435e7715... (Administrator of network hosting website referenced in spam) postmaster[at]chinatietong.com

      I hope I am misunderstanding this. If it is as I think, that I was reported as the spammer, something should be done to understand how it went wrong. A correction also needs to be sent to abuse[at]starhub.com. Any of you out there who know anything about Singapore will know why I don't want spam, particularly porno spam, linked to me. IP = account = ID Card = black mark for me. We all live in glass houses here. It's just fine as long as we follow the rules and play nicely like good citizens.

      Regards, Stefan
  11. Hey, check out my previous reports:

      Submitted: Tuesday, December 28, 2004 08:44:37 +0800: FW: Wet Motehr wants a date
      1324635587 ( 202.156.64.59 ) To: abuse[at]starhub.com

      That's my ISP and I live in Singapore. These people take this seriously! What's gone on here???
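The posts above all turn on the same question: which hop of a Received: chain a blocklist is keyed on. Post 8's headers show SpamCop tested 192.168.1.101 and 219.88.242.3 and blocked on bl.spamcop.net; the ISP's example in post 4 shows a HELO of mx4.hotmail.com on a connection from a Chinanet address; and posts 10 and 11 show what happens when a spam is forwarded rather than submitted with its original headers, so that the newest hop belongs to the reporter's own ISP. The following Python script is an added example written for this page; it is not code from the forum thread, from SpamCop or from Orcon. It embeds a trimmed copy of the Received: chain from post 8 and the single hop quoted in post 4 as sample input. The trusted-domain set ({"cesmail.net", "mac.com"}), the skipping of private source addresses and the HELO heuristics are assumptions about how such a filter is configured, and the script only builds the bl.spamcop.net query name instead of performing a DNS lookup, so it runs offline.

```python
import ipaddress
import re
from email import message_from_string

# Trimmed from the header dump in post 8 (the poster had already altered the
# addresses); continuation lines are folded with a leading space, as on the wire.
SAMPLE_BLOCKED = """\
Received: from mac.com (smtpin26-en2 [10.13.11.71]) by ms22.mac.com
 (iPlanet Messaging Server 5.2) with ESMTP; Fri, 24 Jun 2005 07:05:03 -0700 (PDT)
Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49]) by mac.com
 (Xserve/smtpin26/MantshX 4.0) with ESMTP; Fri, 24 Jun 2005 07:05:02 -0700 (PDT)
Received: from unknown (HELO beta.cesmail.net) (192.168.1.150)
 by c60.cesmail.net with SMTP; Fri, 24 Jun 2005 10:05:01 -0400
Received: (qmail 1802 invoked by uid 0); Fri, 24 Jun 2005 14:05:01 +0000
Received: (qmail 5238 invoked from network); Mon, 20 Jun 2005 20:48:27 +0000
Received: from unknown (192.168.1.101) by blade1.cesmail.net with QMQP; Mon, 20 Jun 2005 20:48:27 +0000
Received: from loadbalancer1.orcon.net.nz (HELO dbmail-mx1.orcon.net.nz) (219.88.242.3)
 by mailgate.cesmail.net with SMTP; Mon, 20 Jun 2005 20:48:26 +0000
Received: from Desktop (60-234-136-101.bitstream.orcon.net.nz [60.234.136.101])
 by dbmail-mx1.orcon.net.nz (8.13.2/8.13.2/Debian-1) with ESMTP; Tue, 21 Jun 2005 08:49:22 +1200
X-SpamCop-Checked: 192.168.1.101 219.88.242.3
X-SpamCop-Disposition: Blocked bl.spamcop.net
Subject: RE: cool clothing
"""

# The hop the ISP quoted in post 4: HELO claims mx4.hotmail.com, but the receiver saw
# a bare Chinanet address and recorded no reverse name for it.
SAMPLE_FORGED_HELO = ("from mx4.hotmail.com ([219.136.146.86]) by smtp2.orcon.net.nz "
                      "(8.13.1/8.13.1/Debian-14) with ESMTP id j5TC9QWJ015563 "
                      "for <staff@orcon.net.nz>; Thu, 30 Jun 2005 09:26:59 +1200")

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?P<middle>.*?)\s+by\s+(?P<by>\S+)", re.I)
QMAIL_HELO_RE = re.compile(r"\(HELO\s+(\S+)\)", re.I)      # qmail: "from rdns (HELO name) (ip)"
SENDMAIL_RDNS_RE = re.compile(r"\(([A-Za-z0-9.-]+)\s+\[")   # sendmail: "from helo (rdns [ip])"
IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def parse_received(value):
    """One Received: value -> {helo, rdns, ip, by}; None when there is no 'from X ... by Y'."""
    m = HOP_RE.search(" ".join(value.split()))             # unfold continuation lines
    if not m:
        return None
    helo, middle, by = m.group("helo"), m.group("middle"), m.group("by").rstrip(";")
    q = QMAIL_HELO_RE.search(middle)
    if q:                                                   # qmail logs the verified name first
        rdns, helo = (None if helo.lower() == "unknown" else helo), q.group(1)
    else:
        r = SENDMAIL_RDNS_RE.search(middle)
        rdns = r.group(1) if r else None
    ip = IP_RE.search(middle)
    return {"helo": helo, "rdns": rdns, "ip": ip.group(1) if ip else None, "by": by}

def in_domain(host, domains):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """219.88.242.3 -> '3.242.88.219.bl.spamcop.net'; an A answer for that name means listed."""
    return ".".join(reversed(str(ipaddress.ip_address(ip)).split("."))) + "." + zone

def parent_domain(name):
    name = name.lower().rstrip(".")
    return name.split(".", 1)[1] if "." in name else name

def helo_warning(hop):
    """HELO is sender-chosen; only the IP and the reverse name the receiver looked up are
    evidence. Returns why this HELO should not be believed, or None."""
    helo, rdns, ip = hop["helo"], hop["rdns"], hop["ip"]
    if helo.lower() == "unknown":
        return None
    if "." not in helo:
        return f"{ip}: HELO '{helo}' is not a fully qualified name (typical of an end-user PC)"
    if rdns is None:
        return f"{ip}: HELO '{helo}' but {hop['by']} recorded no reverse name; unverified claim"
    ph, pr = parent_domain(helo), parent_domain(rdns)       # crude: compare parent zones only
    if ph != pr and not (ph.endswith("." + pr) or pr.endswith("." + ph)):
        return f"{ip}: HELO '{helo}' does not match reverse name '{rdns}'"
    return None

def analyse(raw_message, trusted_domains):
    """Newest hop first, skipping hops inside our own infrastructure (private source address,
    or a reverse name in a trusted domain). The first public address that a trusted server
    accepted mail from is what a blocklist such as bl.spamcop.net is keyed on."""
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    boundary = None
    for i, hop in enumerate(hops):
        if hop["ip"] is None or not in_domain(hop["by"], trusted_domains):
            continue
        addr = ipaddress.ip_address(hop["ip"])
        if addr.is_private or addr.is_loopback or in_domain(hop["rdns"], trusted_domains):
            continue
        boundary = i
        break
    ip = hops[boundary]["ip"] if boundary is not None else None
    external = hops[boundary:] if boundary is not None else hops   # hops we cannot vouch for
    checked = set((msg.get("X-SpamCop-Checked") or "").split())
    return {"hops": hops, "boundary_ip": ip,
            "dnsbl_query": dnsbl_query_name(ip) if ip else None,
            "matches_spamcop_checked": ip in checked,
            "helo_warnings": [w for w in map(helo_warning, external) if w]}
```

Calling analyse(SAMPLE_BLOCKED, {"cesmail.net", "mac.com"}) walks past the mac.com hops (private address, then a cesmail.net reverse name) and the two private cesmail.net hops, and stops at 219.88.242.3, the Orcon MX that handed the mail to mailgate.cesmail.net; that is the address the X-SpamCop-Checked header in post 8 lists and the one whose query name 3.242.88.219.bl.spamcop.net was answered, so the block fell on the ISP's shared outbound server, not on the brother's PC. The HELO check reports the brother's machine announcing itself as a bare "Desktop", and helo_warning(parse_received(SAMPLE_FORGED_HELO)) reports mx4.hotmail.com with no reverse name recorded: both names are supplied by the connecting client and pass through the receiving server unverified, which is why the lookup is keyed on the recorded IP rather than the name. The same walk explains posts 10 and 11: a report forwarded or redirected from a mail client carries the forwarder's own submission as the newest hop, so the first public address found is the reporter's ISP.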