I am consulting for a company that has been added to the SpamCop BL. The address is 220.127.116.11 and the domain is whitegoss.com. They have a rather odd setup (IMHO) and have traffic going to redundant connections through Time Warner and AT&T. The BL was listed 16 hours ago according to SpamCop, though I have received no notification that I am aware of. I actually found out when client email started bouncing (it's a law office). Anyway, according to the person I emailed at SpamCop, it was phishing emails passing through our server. We sit behind a decent firewall and, as far as I can find, have no open relays.
This was the reason given:
Received: from rrcs-24-123-103-228.central.biz.rr.com (HELO
[trap servername] with SMTP; 27 Oct 2006 05:xx:xx -0000
Received: from User ([18.104.22.168]) by WGEX.domain.com with Microsoft
Thu, 26 Oct 2006 07:xx:xx -0500
Subject: Update your online banking account information.
The 22.214.171.124 traces to the nameserver at iil.com, which is, according to ARIN, in Canada. I'm rather stumped; in the meantime I have an office full of lawyers breathing down my neck for "breaking their email". Any suggestions on what I could start looking for? BTW, I am running Exchange 2003.
Hope I've provided enough info.