Snowbat

Members
  • Content Count: 158
Everything posted by Snowbat

  1. Snowbat

    Help 201.7.180.25

    One of my ISP's mail servers is currently listed. Could a paid member retrieve and post details of any recent reports for 201.7.180.25 so I can take this issue up with my provider?
  2. Snowbat

    Help 201.7.180.25

    Thanks to all - clueX4 applied.
  3. Snowbat

    Misdirected Bounces

    It's an approach - requires least work, effective, but with the potential to dump legitimate mail without notifying the sender. For me the correct approach would be to scan for viruses/spam/invalid_recipients at the edge server during the SMTP transaction and 5XX reject unwanted mails with an appropriate reason for rejection. Why don't you ask Interscan about that, or install Linux/BSD on the box and configure your mail system to do that with open source software. This has the advantage that legitimate senders will still get notification that you've rejected their mail along with a reason for rejection via a bounce from their local MTA while not sending any bounces or notifications yourself. If you have a secondary MX, you'll need to configure it in a similar way to avoid junk getting in 'through the back door'. Such mail has the potential to hit spamtrap addresses and SpamCop users and is reportable. Why don't you send virus notifications and autoreply messages as SMTP 5XX reason for rejection messages instead?
  4. Snowbat

    My domain is blacklisted

    Given the above, it seems very strange that your OUTGOING mail goes through a server in China. Maybe the hosting provider was actually trying to tell you that they've blocked INCOMING spam from that server in China?
  5. Snowbat

    Example of Microsoft "Support"

    ntlworld autoresponder October 2003: ntlworld autoresponder March 2004: ntlworld autoresponder June 2004: I don't know what possessed ntlworld to introduce that policy but I'm guessing they dropped it because the vast majority of us continued to send exclusively to their abuse reporting address. Maybe the same tactic would work for MSN/Hotmail? I know I don't have time to pre-classify abuse reports or do any kind of hoop-jumping for any provider. They can either deal with it at their abuse reporting address or ignore it. MSN/Hotmail annoyed many abuse reporters by autobouncing spam reports due to "spam content" recently and this new policy seems more of the same idiocy.
  6. Snowbat

    All Inbound mail blocked

    Unless you have control of your backup MX (ie. also configured to reject mail from SCBL-listed hosts), you run the risk of spammers sending mail to you and your customers via your backup MX and your system rejecting mail from your backup MX. If some of those rejected mails contain forged addresses, it will cause your backup MX to bounce to forgery victims or spamtraps which could easily get your backup MX listed in SCBL. Feel free to reject SCBL-listed hosts on your own servers but, without control of your backup MX, you definitely need to whitelist all incoming mail from your backup MX to avoid problems like this.
  7. Snowbat

    All Inbound mail blocked

    One of their servers currently is: http://www.spamcop.net/w3m?action=checkblo...=204.16.252.100
  8. 82.192.89.201 probably HELOs as "mx1.noxa.nl" - the HELO/EHLO string is typically inserted at that point in the header.

     I suggest you take a look at /etc/passwd on 82.192.89.201 and find out who is userid 80. Userids below 500 are normally assigned to system accounts. postfix is userid 73 on my system. You may find that userid 80 is the postfix 'user' on 82.192.89.201 but if not, be suspicious.

     Check /var/log/mail/info (or equivalent on your system) for clues:

     grep EB840170D3 /var/log/mail/info

     If the system runs logrotate, EB840170D3 data may have been rotated so check info.1.gz, info.2.gz etc.:

     for i in /var/log/mail/info.*; do gunzip -c "$i" | grep EB840170D3; done

     The headers certainly point to injection by a local user account on 82.192.89.201 (either real user or compromised software). Check for rootkits. Change root password or key, restrict user logins, firewall all non-essential ports and turn off all non-essential services. Good hunting.
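The log-hunting steps from the post above, as an added example that is not the poster's own code: it runs the same two checks (who owns uid 80, and where queue ID EB840170D3 turns up across the live and rotated mail logs) against constructed sample data in a temporary directory. The queue ID and log file names come from the post; the passwd entries, log lines and the temp directory standing in for /etc and /var/log/mail are constructed here.

```shell
#!/bin/sh
# Added example, not the poster's own code: the two checks from the post
# (who owns uid 80, and where queue ID EB840170D3 appears in the live and
# rotated mail logs) run against constructed sample data in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for /etc/passwd. postfix is uid 73 (as on the poster's
# box) and uid 80 belongs to the web server, so mail injected as uid 80
# would warrant a closer look at that service rather than at the MTA.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
postfix:x:73:73::/var/spool/postfix:/sbin/nologin
apache:x:80:80:Apache:/var/www:/sbin/nologin
alice:x:501:501::/home/alice:/bin/bash
EOF

# Constructed mail log: the live file plus two rotated, gzipped copies.
mkdir -p "$WORK/log"
echo 'Jun  4 10:01:02 mx postfix/smtpd[2100]: connect from unknown[192.0.2.10]' > "$WORK/log/info"
echo 'Jun  3 09:15:00 mx postfix/pickup[1990]: EB840170D3: uid=80 from=<www@example.invalid>' | gzip -c > "$WORK/log/info.1.gz"
echo 'Jun  2 08:00:00 mx postfix/qmgr[1200]: 1A2B3C4D5E: removed' | gzip -c > "$WORK/log/info.2.gz"

# Print the account name that owns a numeric uid (nothing if unassigned).
uid_owner() {  # $1=uid  $2=passwd file
    awk -F: -v uid="$1" '$3 == uid { print $1; exit }' "$2"
}

# Print every line mentioning a queue ID, prefixed with the file it came from,
# searching the live log and all rotated copies and decompressing .gz ones.
find_queue_id() {  # $1=queue id  $2=log directory
    qid=$1; dir=$2
    for f in "$dir"/info "$dir"/info.*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.gz) gunzip -c "$f" | grep -- "$qid" | sed "s|^|$f: |" ;;
            *)    grep -- "$qid" "$f" | sed "s|^|$f: |" ;;
        esac
    done
}

owner=$(uid_owner 80 "$WORK/passwd")
printf 'uid 80 is owned by: %s\n' "${owner:-<no account>}"
find_queue_id EB840170D3 "$WORK/log"
```

On a real system, point uid_owner at /etc/passwd and find_queue_id at /var/log/mail (or wherever your MTA logs), and take the queue ID from the Received header of the message in question.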