sesblacklisted

Members
  • Content Count: 33
  • Joined
  • Last visited

Community Reputation: 0 Neutral

About sesblacklisted
  • Rank: Member
  1. sesblacklisted

    209.12.205.10 blacklisted, stumped.

    No, the help is appreciated, but the comment by Merlyn wasn't beneficial to anyone, nor was it helpful in any shape or form. There is no need to take a stab at someone in these situations; it's stressful enough already. This is the "SpamCop Blocklist Help" forum. If one doesn't want to help then there really is no need to comment. All the other members that have posted here, I appreciate the help; the ones that don't add anything can just not comment as far as I am concerned, nobody needs the nastiness. I've done that approach in intervals trying to pin it down. I've tracked down one machine but I think there is another that is compromised. Thanks for the tips, you've been very helpful. I just wish there was an easier way to pin down these things. Maybe I will write an FAQ on my specific situation and hardware. I've done a lot of research and there seems to be a good open source sniffer that will do what I think I need; I will post results when I have solved the problem.
  2. sesblacklisted

    209.12.205.10 blacklisted, stumped.

    alright, thanks for the help. ;(
  3. sesblacklisted

    209.12.205.10 blacklisted, stumped.

    I have a SonicWall TZ 170 Standard firewall and from the looks of it I don't think I have the ability to do that. So far I've spent a lot of time on this, so I really am trying. What program do you suggest for finding out what computer is using SMTP 25 to send out spam?
  4. sesblacklisted

    209.12.205.10 blacklisted, stumped.

    We have about 30 machines in the network. Is there any quick solution for finding the compromised machine other than going to each machine and checking it individually?
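The question in this and the previous post (which machine on the LAN is talking SMTP to the outside) is usually answered from the firewall's own connection logs rather than by visiting each machine: only the mail server should be opening TCP/25 to the internet, so any other internal address doing so, especially to many different destinations, is the box to pull off the network first. The script below is an added example written for this page, not code from the thread, SonicWall or ADTRAN. It assumes the firewall can export its connection log in a simple space-separated form (parse_line() would need adapting to a real syslog format), and the LAN range, the mail server's address and every log line in it are constructed.

```python
"""Triage firewall / flow logs for LAN hosts sending mail directly (TCP/25).

Added example for this thread, not code from the forum or from any firewall
vendor.  Assumed log format (hypothetical): one connection per line,
'timestamp src_ip src_port dst_ip dst_port proto action'.  Adapt parse_line()
to whatever your firewall actually exports.  All sample data is constructed.
"""
import ipaddress
from collections import defaultdict

# Assumptions: the office LAN range and the one host allowed to speak SMTP out.
LAN_NETS = [ipaddress.ip_network("192.168.1.0/24")]
KNOWN_MAIL_SERVERS = {"192.168.1.10"}

# Constructed sample log (documentation-range external addresses).  .10 is the
# mail server, .57 is a workstation fanning out to several external MXs, and
# the last line is inbound mail to the server, which must not count as a suspect.
SAMPLE_LOG = """\
2006-07-17T09:27:01 192.168.1.10 49152 198.51.100.40 25 tcp allow
2006-07-17T09:27:02 192.168.1.57 1034 203.0.113.161 25 tcp allow
2006-07-17T09:27:02 192.168.1.57 1035 203.0.113.104 25 tcp allow
2006-07-17T09:27:03 192.168.1.57 1036 192.0.2.57 25 tcp allow
2006-07-17T09:27:03 192.168.1.22 3000 192.0.2.27 80 tcp allow
2006-07-17T09:27:04 192.168.1.57 1037 198.51.100.27 25 tcp allow
2006-07-17T09:27:05 192.168.1.10 49153 198.51.100.26 25 tcp allow
2006-07-17T09:27:06 203.0.113.9 41000 192.168.1.10 25 tcp allow
"""


def parse_line(line):
    """Parse one log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, _sport, dst, dport, proto, action = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "dport": int(dport),
                "proto": proto.lower(), "action": action.lower()}
    except ValueError:
        return None


def is_lan(addr):
    """True if addr falls inside one of the configured LAN ranges."""
    return any(addr in net for net in LAN_NETS)


def outbound_smtp_by_host(log_text):
    """Map each LAN source IP to the list of external IPs it contacted on TCP/25."""
    talkers = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != 25:
            continue
        if not is_lan(rec["src"]) or is_lan(rec["dst"]):
            continue  # inbound mail to our server, or LAN-internal traffic
        talkers[str(rec["src"])].append(str(rec["dst"]))
    return dict(talkers)


def suspects(log_text):
    """LAN hosts other than the known mail server that spoke SMTP outward,
    as (ip, connections, distinct_destinations), widest fan-out first."""
    ranked = [(ip, len(dsts), len(set(dsts)))
              for ip, dsts in outbound_smtp_by_host(log_text).items()
              if ip not in KNOWN_MAIL_SERVERS]
    return sorted(ranked, key=lambda r: (-r[2], -r[1], r[0]))


if __name__ == "__main__":
    for ip, conns, distinct in suspects(SAMPLE_LOG):
        print(f"{ip}: {conns} outbound SMTP connections to {distinct} distinct hosts")
```

Run it against an exported log instead of SAMPLE_LOG. A workstation with even a handful of distinct external destinations on port 25 is the one to isolate first, and the same ranking works on NetFlow or a packet capture summarised to (src, dst, dport).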
  5. I've been trying to pin down what is going on. We have a SonicWall firewall and we don't have an open relay, so I am stumped. Any help would be appreciated.

    [ SpamCop Summary Report ] -- See footer for key to columns and notes about this report --
    IP_Address       Start/Length   Trap  User  Mole  Simp  Comments      RDNS
    209.12.205.10    Aug 2 15h/5    31    2     0     0     blocklisted   mail.cpa-ws.com

    209.12.205.10 listed in bl.spamcop.net (127.0.0.2)
    If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours.

    Causes of listing
    * System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
    * SpamCop users have reported system as a source of spam less than 10 times in the past week

    Additional potential problems (these factors do not directly result in spamcop listing)
    * System administrator has already delisted this system once

    Because of the above problems, express-delisting is not available

    Listing History
    In the past 6.1 days, it has been listed 2 times for a total of 4.3 days
  6. sesblacklisted

    I am at my wits end....keep getting listed

    We have an ADTRAN Total Access 608. Thanks for the help, Telarin!
  7. sesblacklisted

    I am at my wits end....keep getting listed

    At this point I am starting to think the same way; however, I did an exhaustive clean of the machines on our network a couple of weeks ago and nothing turned up. As for the router, I am uncertain as to what type it is, as I cannot easily access it. That is the last avenue of investigation I have, and I have put it off because it's a complete chore to get to. Maybe there is some software firewall I can download on a trial basis to catch this. I will look into it.
  8. sesblacklisted

    I am at my wits end....keep getting listed

    I emailed Ellen a few days ago and got this:

    Partial headers from a spamtrap:
    Received: from friend (mail.cpa-ws.com [209.12.205.10])
      [trap servername] (Postfix) with ESMTP id x
      for <x>; Sat, 15 Jul 2006 22:xx:xx +0000 (GMT)
    Subject: Products that can improve you life!

    Ellen
    SpamCop

    I looked through the logs and found nothing on "products that can improve".
  9. sesblacklisted

    I am at my wits end....keep getting listed

    Here is one of the results from your instructions: all I find are messages received from spammers to one of the mailboxes on our Exchange; I don't see messages being sent that have that subject.
  10. sesblacklisted

    I am at my wits end....keep getting listed

    And thank you for your understanding. Yes, I agree that it doesn't tell you much, which is why I really didn't post my messages to begin with. What steps do I need to take to get more information? It is being run on Server1, the name of the computer. We only have 1 external routable IP address. I really don't think there is a backdoor to the computer running Exchange.
  11. sesblacklisted

    I am at my wits end....keep getting listed

    I don't think we've loaded patches since then.

    Check in the system manager under: Servers->Servername->Protocols->Default SMTP Server (properties) Access tab->Relay Under the "Select which computer may relay through this virtual server":

    Yes, that has been done many months ago; I just checked again to make sure and they are the correct settings as you have listed. We have logs going back several months, but it's hard to figure out the partial headers.
  12. sesblacklisted

    I am at my wits end....keep getting listed

    Seriously, I can do without the cracks; if it's not obvious to you that I am not trying to fix this then feel free to pile it on. I am not the enemy, the spammers are. June??? That is well over a month ago. Here you go:

    Return-path
    View brief message headers<>
    Received from ms-mta-04 (ms-mta-04-eri0.texas.rr.com [10.93.46.18]) by ms-mss-06.texas.rr.com (iPlanet Messaging Server 5.2 HotFix 2.10 (built Dec 26 2005)) with ESMTP id <0J2J00MT6XHTZF[at]ms-mss-06.texas.rr.com> for xxxx[at]elp.rr.com; Mon, 17 Jul 2006 09:27:36 -0500 (CDT)
    Received from ms-smtp-01.texas.rr.com (ms-smtp-01.texas.rr.com [24.93.47.40]) by ms-mta-04.texas.rr.com (iPlanet Messaging Server 5.2 HotFix 2.10 (built Dec 26 2005)) with ESMTP id <0J2J003K1XHXCL[at]ms-mta-04.texas.rr.com> for xxxx[at]elp.rr.com (ORCPT xxx[at]elp.rr.com); Mon, 17 Jul 2006 09:27:33 -0500 (CDT)
    Received from localhost (localhost) by ms-smtp-01.texas.rr.com (8.13.6/8.13.6) id k6HERSNY007228; Mon, 17 Jul 2006 09:27:28 -0500 (CDT)
    Date Mon, 17 Jul 2006 09:27:28 -0500 (CDT)
    From Mail Delivery Subsystem <MAILER-DAEMON[at]ms-smtp-01.texas.rr.com>
    Subject Returned mail: see transcript for details
    To xxx[at]elp.rr.com
    Message-id <200607171427.k6HERSNY007228[at]ms-smtp-01.texas.rr.com>
    Auto-submitted auto-generated (failure)
    MIME-version 1.0
    Content-type multipart/report; report-type=delivery-status; boundary="k6HERSNY007228.1153146448/ms-smtp-01.texas.rr.com"
    Original-recipient rfc822;xxx[at]elp.rr.com
    Attachments message/delivery-status 1K

    The original message was received at Mon, 17 Jul 2
  13. sesblacklisted

    I am at my wits end....keep getting listed

    I sent myself a message by logging into the Web Access:

    Microsoft Mail Internet Headers Version 2.0
    Received: from mail pickup service by server1.cpa-ws.internal with Microsoft SMTPSVC; Mon, 17 Jul 2006 08:58:08 -0600
    x-pp-smtpvs:1
    x-pp-sclvalue:-1
    X-MimeOLE: Produced By Microsoft Exchange V6.5
    Content-class: urn:content-classes:message
    MIME-Version: 1.0
    Content-Type: application/ms-tnef; name="winmail.dat"
    Content-Transfer-Encoding: binary
    Subject: test
    Date: Mon, 17 Jul 2006 08:58:07 -0600
    Message-ID: <2D588D03F7C48D42B13C19F0B6F8B5AC01FD73[at]server1.cpa-ws.internal>
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator: <2D588D03F7C48D42B13C19F0B6F8B5AC01FD73[at]server1.cpa-ws.internal>
    Thread-Topic: test
    Thread-Index: AcapsWnkaDDYSrsYQIWYfWOmcUARfg==
    From: "xxxx" <xxxx[at]cpa-ws.com>
    To: "xxxxx" <xxxxx[at]cpa-ws.com>
    X-OriginalArrivalTime: 17 Jul 2006 14:58:08.0859 (UTC) FILETIME=[6A8D52B0:01C6A9B1]

    Here is a message I sent to a completely independent email address of mine from a machine on the network:

    Return-path
    View brief message headers<xxxx[at]cpa-ws.com>
    Received from ms-mta-03 (ms-mta-03-eri0.texas.rr.com [10.93.46.17]) by ms-mss-06.texas.rr.com (iPlanet Messaging Server 5.2 HotFix 2.10 (built Dec 26 2005)) with ESMTP id <0J2J00M66YWFZF[at]ms-mss-06.texas.rr.com> for xxxx[at]elp.rr.com; Mon, 17 Jul 2006 09:57:51 -0500 (CDT)
    Received from hrndva-mx-07.mgw.rr.com (hrndva-mx-07.mgw.rr.com [24.28.204.26]) by ms-mta-03.texas.rr.com (iPlanet Messaging Server 5.2 HotFix 2.10 (built Dec 26 2005)) with ESMTP id <0J2J006ONYWBCS[at]ms-mta-03.texas.rr.com> for xxxxx[at]elp.rr.com (ORCPT xxxx[at]elp.rr.com); Mon, 17 Jul 2006 09:57:51 -0500 (CDT)
    Received from mail.cpa-ws.com (HELO server1.cpa-ws.internal) ([209.12.205.10]) by hrndva-mx-07.mgw.rr.com with ESMTP; Mon, 17 Jul 2006 10:57:42 -0400
    Received from mail pickup service by server1.cpa-ws.internal with Microsoft SMTPSVC; Mon, 17 Jul 2006 09:02:46 -0600
    Date Mon, 17 Jul 2006 09:02:44 -0600
    From xxxx <xxxx[at]cpa-ws.com>
    Subject test
    To xxxxx[at]elp.rr.com
    Message-id <2D588D03F7C48D42B13C19F0B6F8B5AC690073[at]server1.cpa-ws.internal>
    MIME-version 1.0
    X-MIMEOLE Produced By Microsoft MimeOLE V6.00.3790.1830
    Content-type multipart/alternative; boundary="----_=_NextPart_001_01C6A9B2.0F0FA356"
    Content-class urn:content-classes:message
    Thread-topic test
    Thread-index Acapsg8KhqdsVKA/Qj6JS3BtbJJSnA==
    X-MS-Has-Attach
    X-MS-TNEF-Correlator
    Original-recipient rfc822;xxxxxx[at]elp.rr.com
    X-OriginalArrivalTime 17 Jul 2006 15:02:46.0593 (UTC) FILETIME=[10182B10:01C6A9B2]

    Some machines are running AVG, others are using Trend Micro. All are set for daily scans and updates; this I have made sure of, twice! We have several users that have laptops on the network and can access their emails when out of the office using Outlook Web Access. I checked for virii and trojans just last week; all were clean. We had installed SP2, but had a conflict with some of our software at the time. I will look into the problems we've had and research this a little. Yes, we enforce strong passwords and change them regularly. I just changed them last week, in fact.
  14. sesblacklisted

    I am at my wits end....keep getting listed

    It's not really a trust issue, I am providing you what you are asking. Maybe I need to just post things that aren't asked? Thank you for your response, Telarin. Here is a recent email I have sent from my account on cpa-ws.com to a completely different server.

    Content-Class: urn:content-classes:message
    Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C6A9AE.9B3A05B4"
    Date: Mon, 17 Jul 2006 08:38:01 -0600 [08:38:01 AM MDT]
    Delivery-date: Mon, 17 Jul 2006 08:33:07 -0600
    Envelope-to: xxxxx[at]browseelpaso.com
    From: XXXXX<xxxxx[at]cpa-ws.com>
    MIME-Version: 1.0
    Message-ID: <2D588D03F7C48D42B13C19F0B6F8B5AC690070[at]server1.cpa-ws.internal>
    Received:
      * from browseel by box30.bluehost.com with local-bsmtp (Exim 4.52) id 1G2U9U-00081f-Dk for xxx[at]browseelpaso.com; Mon, 17 Jul 2006 08:33:06 -0600
      * from mail.cpa-ws.com ([209.12.205.10] helo=server1.cpa-ws.internal) by box30.bluehost.com with esmtp (Exim 4.52) id 1G2U9R-00080X-Rq for xxxxx[at]browseelpaso.com; Mon, 17 Jul 2006 08:32:50 -0600
      * from mail pickup service by server1.cpa-ws.internal with Microsoft SMTPSVC; Mon, 17 Jul 2006 08:38:03 -0600
    Return-path: <xxxxx[at]cpa-ws.com>
    Subject: test
    Thread-Topic: test
    To: xxxxxx[at]browseelpaso.com
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830
    X-OriginalArrivalTime: 17 Jul 2006 14:38:03.0640 (UTC) FILETIME=[9C2F7F80:01C6A9AE]
    X-spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on box30.bluehost.com
    X-spam-Level:
    X-spam-Status: No, score=0.3 required=5.0 tests=AWL,HTML_MESSAGE autolearn=ham version=3.1.3
    thread-index: AcaprpswXnvaEZgTSTa0XHWdrVFnOg==
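Across posts 8, 13 and 14 the same public address shows up in three different Received: formats, and one detail differs between them: the spamtrap hop quoted in post 8 announces itself as "friend", while the test messages that went through the Exchange server announce server1.cpa-ws.internal (as "HELO server1.cpa-ws.internal" in the rr.com hop and "helo=server1.cpa-ws.internal" in the Exim hop). When a single routable IP fronts a whole office, the HELO name is one of the few clues left in a header that separates the real mail server from some other machine behind the same NAT. The parser below is an added example for this page, not code from the thread or from SpamCop. The three hop strings are constructed stand-ins for the quoted ones (trap server, MX host, mailbox names and message IDs are placeholders), and PUBLIC_IP and LEGIT_HELOS are assumptions taken from the thread.

```python
"""Pull the HELO name, reverse DNS and IP out of Received: header values and
flag hops from your public address whose HELO isn't one your real server uses.

Added example for this thread, not code from the forum or from SpamCop.  It
handles the three hop styles quoted in the thread: Postfix
("from HELO (rdns [ip])"), the "(HELO name)" style seen in the rr.com hop,
and Exim's "helo=name" style.  Sample hops are constructed with placeholders.
"""
import re

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.I)
HELO_RE = re.compile(r"(?:\(HELO\s+|\bhelo=)([^\s)]+)", re.I)
RDNS_RE = re.compile(r"\(([^\s()]+)\s+\[")          # "(rdns.name [1.2.3.4])"
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)

PUBLIC_IP = "209.12.205.10"                        # the listed address from the thread
LEGIT_HELOS = {"server1.cpa-ws.internal"}          # assumption: what the Exchange box announces

# Constructed hops modelled on the thread's quoted headers; hostnames other than
# the thread's own, plus ids and mailboxes, are placeholders.
SAMPLE_HOPS = [
    # Postfix style (the spamtrap hop): HELO first, then "(rdns [ip])"
    "from friend (mail.cpa-ws.com [209.12.205.10]) by trap.example.net (Postfix) "
    "with ESMTP id PLACEHOLDER for <trap@example.net>; Sat, 15 Jul 2006 22:00:00 +0000 (GMT)",
    # rr.com style: rdns first, HELO in parentheses, ip in its own brackets
    "from mail.cpa-ws.com (HELO server1.cpa-ws.internal) ([209.12.205.10]) "
    "by mx.example.net with ESMTP; Mon, 17 Jul 2006 10:57:42 -0400",
    # Exim style: rdns first, "[ip] helo=name" inside one pair of parentheses
    "from mail.cpa-ws.com ([209.12.205.10] helo=server1.cpa-ws.internal) "
    "by box.example.net with esmtp (Exim 4.52) id PLACEHOLDER "
    "for <user@example.net>; Mon, 17 Jul 2006 08:32:50 -0600",
    # Exchange's internal pickup hop: no client IP at all, so it is skipped
    "from mail pickup service by server1.cpa-ws.internal with Microsoft SMTPSVC; "
    "Mon, 17 Jul 2006 09:02:46 -0600",
]


def parse_received(value):
    """Return {'helo','rdns','ip','by'} for one Received: value (None where absent)."""
    value = " ".join(value.split())                # unfold continuation whitespace
    m_from, m_ip = FROM_RE.match(value), IP_RE.search(value)
    m_helo, m_by = HELO_RE.search(value), BY_RE.search(value)
    from_token = m_from.group(1) if m_from else None
    if m_helo:
        # MTA printed the rDNS name first and the HELO explicitly (rr.com / Exim)
        helo, rdns = m_helo.group(1), from_token
    else:
        # Postfix style: the token after "from" is the HELO, rDNS sits before the ip
        helo = from_token
        m_rdns = RDNS_RE.search(value)
        rdns = m_rdns.group(1) if m_rdns else None
    return {"helo": helo, "rdns": rdns,
            "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None}


def foreign_helos(received_values, public_ip=PUBLIC_IP, legit_helos=LEGIT_HELOS):
    """HELO names presented from public_ip that the real server never uses, in order seen."""
    found = []
    for value in received_values:
        hop = parse_received(value)
        if hop["ip"] == public_ip and hop["helo"] not in legit_helos and hop["helo"] not in found:
            found.append(hop["helo"])
    return found


if __name__ == "__main__":
    for value in SAMPLE_HOPS:
        print(parse_received(value))
    print("unexpected HELO names from", PUBLIC_IP, "->", foreign_helos(SAMPLE_HOPS))
```

Feed it the Received: values of a trapped message and of a known-good test message side by side; a HELO that the Exchange server never announces, arriving from the office's address, points at a different machine sharing that NAT and is a reason to go back to the firewall log for that time window rather than to the Exchange relay settings.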
  15. sesblacklisted

    I am at my wits end....keep getting listed

    It's a catch-22: I am putting a considerable amount of time into trying to fix this (just look at the length of these posts) and yet I have to be able to conduct my business. Thanks for the zinger, however; this makes it even more painful. All I am trying to do is get some answers and figure out what the problem is. Coming to these forums I thought I would get that, as in most of the forums I participate in we exchange knowledge and lend a hand as much as possible. As far as trust, sure I can post the bounced message. I sent this from my Roadrunner account to a fictitious address on our server; this is the message I got back.

    The original message was received at Mon, 17 Jul 2006 09:27:24 -0500 (CDT) from [10.93.38.36]

    ----- The following addresses had permanent fatal errors -----
    <spammers[at]cpa-ws.com>
    (reason: 550 5.1.1 User unknown)

    ----- Transcript of session follows -----
    ... while talking to mail.cpa-ws.com.:
    >>> DATA
    <<< 550 5.1.1 User unknown
    550 5.1.1 <spammers[at]cpa-ws.com>... User unknown
    <<< 503 5.5.2 Need Rcpt command.