Chris Parker

Posts posted by Chris Parker

  1. I'm using Mail 1.3.9 on Mac OS X 10.3.7.  I'd like to be able to forward my spam to Spamcop rather than using the web form, however, I can't find a way to insert messages as attachments into Mail emails.  Does anyone know how (and if!) this can be done?

    I have read elsewhere that forwarding email using Mail will include the full headers if done from the 'raw source' view ... but I tried that and received an error message from Spamcop saying that there was no spam found in the email.



    Visit www.versiontracker.com and search for spamcop. There are several options available. I've been using the spamcop 1.3.2 plugin from Subsume for some time and it's worked great.

  2. My e-mail server IP Address is being listed by spamcop,  but I am given no reasons! My IP has been listed by 4 other spam block lists, and they all say they're listing me because Spamcop is listing me!


    Your server appears to have been sending to spam traps either directly or by bouncing, autoresponding, etc.

    See: CBL

    Based on the Senderbase report of mailing increasing by 5600% in the last 24 hours I'd guess that your server has been compromised. Maybe an SMTP AUTH hack. Check your logs.

    SpamCop's stats are not real-time because spammers abused the listing details. You may want to send an email to deputies <at> spamcop <dot> net.

  3. Hello Sir,

    I have blocked the IP that showed frequent occurrence in maillog. I hope this helps in decreasing the amount of spam.


    You need to fix the problem, not just put a band-aid on it. They could just inject from a different IP....

  4. Please unblock our IP and let us know the particular account that is responsible for spamming. We will take care of it. But please first unblock the IP.


    Since it appears that the machine itself has been compromised it may not actually be an account within your mail server software package. You'll want to look at your firewall logs. You do have a firewall, right?

  5. Hello Sir,

    My IP is It appears that you have blocked this IP. Our clients cannot send out mail. Please immediately unblock this IP.  We are ready to follow all your instructions and suggestions.  But please immediately unblock the above given IP. Looking forward to a positive reply.


    I suggest that you unplug the network cable from the back of the machine until you figure out how to secure your machine. The block will be removed no more than 48 hours after your machine stops sending spam.

    Research indicated that the machine has been compromised with "Backdoor.Xibo"

    See also: SORBS and PSBL

    Sample Header from messages: (Evidence) -- Looks like your machine is sending eBay Phishing scams...

    From anonymous[at]alicia.netpivotal.com Mon Oct 11 17:35:28 2004

    Delivery-date: Mon, 11 Oct 2004 17:35:28 -0400

    Received: from [] (helo=alicia.netpivotal.com)

    by mail.victim.example with esmtp (Exim 4.41)

    id 1CH7pI-0006fa-0x

    for psbltrap[at]kernelnewbies.nl; Mon, 11 Oct 2004 17:35:28 -0400

    Received: (qmail 15002 invoked by uid 48); 11 Oct 2004 21:29:22 -0000

    Date: 11 Oct 2004 21:29:22 -0000

    To: psbltrap[at]kernelnewbies.nl

    Subject: Important Notice From eBay inc.

    From: eBay Billing <aw-confirm[at]eBay.com>

    Reply-To: aw-confirm[at]eBay.com

    MIME-Version: 1.0

  6. We also have restricted the routing to only our internal ip address. Where is this spam coming from?


    Doesn't look like your routing configuration worked. You'll want to look at your firewall logs (you have a firewall, right?) You'll want to look at your mail server logs... If properly configured it will show all the mail that it's been sending. In the meantime you'll want to make sure that there is a non-trivial password for EVERY account on the server. I suggest that you disable the admin, test, guest, etc. accounts.

    Here's some evidence that I was able to dig up...

    Subject: PENI||S EN1lIARGEMENT

    Received: from screens ( []) by exchange1.asmnc.com ... Tue, 5 Oct 2004 12:56:49 -0700


    Received: from screens ( []) by exchange1.asmnc.com ... Tue, 5 Oct 2004 13:33:36 -0700

    Subject: MAX|MUM EXP0OSURE

    Received: from micro ( []) by exchange1.asmnc.com ... Tue, 5 Oct 2004 23:44:42 -0700

  7. Query bl.spamcop.net -

    (Help) (Trace IP) (Senderbase lookup) listed in bl.spamcop.net (

    Causes of listing

    Additional potential problems

    (these factors do not directly result in spamcop listing)

    Listing History

    It has been listed for less than 24 hours.

    Other hosts in this "neighborhood" with spam reports


    Sometimes the details run behind reality.

    Check out: http://www.senderbase.org/?searchBy=ipaddr...g=

    10000% increase in mail from that IP address in the last day.

    Looks like you are running Exchange. Chances are you're a victim of an SMTP AUTH HACK. Please read the FAQ: http://www.spamcop.net/fom-serve/cache/372.html

  8. What do you advise me to do in order to be removed from the black list now?


    You'll be removed within 48 hours of the last reported incident of spamming from that IP address. If the problem is solved the block will go away automatically. If the problem is not fixed and that IP address continues to send out spam that people report, it will remain listed here and likely get listed in some not so friendly block lists.

  9.     SMTP error from remote mailer after RCPT TO:<links[at]jrox.com>:

        host mail.jrox.com []: 550-Message rejected because alpha.main-hosting.com [] is

        550-blacklisted at bl.spamcop.net see Blocked - see

        550 http://www.spamcop.net/bl.shtml?


    Interesting domain name info on the host name your mail server is claiming to be...




    N/A,  45858


    Domain name: MAIN-HOSTING.COM

    Administrative Contact:

        N/A, N/A  hostmaster[at]main-hosting.com


        N/A,  45858



    Based on the 1400% increase in mail from that server I'd guess that it's been compromised. Check your logs!

  10. Our server has been blocked by Spamcop for the last 2 days due to our automated news/product alerts emails being sent to their spamtraps.  I know that we will be unblocked after some time, but what concerns me the most is that we have a double opt in confirmation policy and there is no way our emails could have triggered off dedicated Spamcop spamtraps unless somebody had maliciously signed us up for them by clicking on the confirmation email.


    What's the IP address of the server in question?

  11. I disabled the GUEST account on my server.

    My Exchange server is not an open relay but it did have some history in their spam database.  See below.  What does this mean?  Thanks for any help you may provide.


    It appears that your machine has been compromised either by a virus/trojan or that the mail server itself has been compromised (SMTP AUTH HACK?)

    Disabling the guest account is a good start, however you really should disable any accounts that are not currently being used. For all accounts that are being used you should change *ALL* the passwords to something that is non-trivial.

    Unless someone who uses that mail server needs to access it from outside of your LAN I'd suggest that you disable all remote sending capabilities.

    A full virus/trojan scan of the machine should also be in order. If the machine has been compromised by a virus/trojan it would be in your best interest to format the drive and rebuild the machine taking all the proper security measures.

    Thanks for your desire to resolve the core problem leading to the listing of your server. You may also want to send an email to deputies <at> spamcop <dot> net who may provide you some additional information as to what is happening.

  12. Mr McCormick promised that within the next 10 days all spammers will be taken off their network."

    Interesting discussion of this going on at spam-L. Most people seem to be taking the we'll believe it when we see it approach. Steve Linford (SpamHaus) seems optimistic about it.

  13. My current issue is with abuse [at]aol.com which Spamcop uses for reporting, but AOL does not acknowledge as a live address, and my experience confirms that it's dead.

    Does it bounce or does AOL just not auto-ack or ack at all to messages sent to it?

  14. Since you don't have any links on your main page (ie. no way to just send you an e-mail),  we would like to know why our e-mail server is listed (  We use Kerio and require a login to send e-mail so I doubt that anyone is sending spam through our server (Open relay).  Naturally I want to know if there is a problem!

    Are you implying that you have a *dedicated* server? If so, it looks as if it may have been compromised in some form. There has been a significant increase in the amount of mail that server has been sending. See SenderBase Lookup. Just because it may not be an open relay does not mean that the machine may not have been compromised.

    1) If you have AV software that generates virus notifications, turn the notification feature off.

    2) If you have a mail server that generates delivery notification messages on inbound mail, turn the feature off.

    3) Send a polite email to deputies <at> spamcop.net asking for any additional information that may be available concerning the listing of your IP address.

  15. That is the second time in a few weeks that the mails I send are rejected because you blocked one of the main mail servers of my ISP.

    That is very annoying since I work mostly on weekends with other people worldwide on open source software and my ISP is not accessible on weekends.

    That is even more annoying if you consider I participate actively in spam fights by sending you any spam I receive. So I question the system: is it the fact I send you spam I receive that makes you block my ISP? In this case, I, who am not guilty, receive the punishment, which is kind of weird. 

    Could you take action, please, so that I can work with my comates?

    We are unable to provide any answer other than generalities since you have not provided any error messages. Please post an error message so that we may be able to assist you.

    If you are not careful, yes, you could be the one that is getting your ISP listed. You *always* want to make sure you review every report before you send it.

  16. Please see the pinned item: Why am I blocked? FAQ

    See: Lookup for

    Looks like your server has been sending to spam traps. The listing will be removed no longer than 48 hours after the most recent incident.

    You may also choose to send an email to deputies <at> spamcop.net and explain the situation with the action that you have taken to prevent it from happening in the future and they *may* choose to manually remove your server from the DNSbl.

  17. Our company's IP: has been listed on your Blacklist, but our business has been closed during the holidays.

    What can I do about it?

    Looks like an SMTP AUTH Hack to your Exchange server.

    You'll need to change the password for *every* account to something that is non-trivial. Disable any unused (ie guest) accounts. Disable SMTP AUTH if you do not have any employees that access their mail from outside your network.

    See the section under For people who are operating servers in the posted FAQ - Why Am I Blocked? FAQ, Please read before posting

  18. <crpowa1.structural.net #5.5.0 smtp;554 Service unavailable; Client host [] blocked using bl.spamcop.net; Blocked - see http://www.spamcop.net/bl.shtml?>

    It appears that you are running MS Exchange. You have probably fallen victim to an attack vector known as an SMTP AUTH Hack. It would be in your best interest to go through all accounts on your Exchange server and close any unused accounts (guest, etc.) and then change the password for each and every account to something that is non-trivial. If you do not have employees that need to check/send mail from outside your network then you should disable SMTP AUTH access to your mail server.

    You may also want to read the pinned FAQ: Why am I blocked? which has additional links concerning the SMTP AUTH hack.
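
Several replies above tell the server operator to check the mail logs for an SMTP AUTH compromise, to distrust the admin, test and guest accounts, and to question SMTP AUTH use from outside the LAN. One way to run that check, as an added example that is not part of the original posts: the log format, the 192.168.1.0/24 LAN range, the `max_msgs` threshold and every sample line are constructed assumptions, so the regex must be adapted to the mail server's real log.

```python
import ipaddress
import re
from collections import Counter, defaultdict

LINE = re.compile(r"^\S+ \S+ (\S+) (AUTH-OK|MAIL-FROM) (\S+)$")
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed internal range
DEFAULT_ACCOUNTS = {"admin", "guest", "test"}  # accounts named in the replies

# Constructed sample, hypothetical format: date time client-ip event account
SAMPLE_LOG = """\
2004-10-05 12:50:01 192.168.1.20 AUTH-OK alice
2004-10-05 12:51:15 203.0.113.45 AUTH-OK guest
2004-10-05 12:51:16 203.0.113.45 MAIL-FROM guest
2004-10-05 12:51:17 203.0.113.45 MAIL-FROM guest
2004-10-05 12:51:18 198.51.100.7 AUTH-OK guest
2004-10-05 12:51:19 198.51.100.7 MAIL-FROM guest
this line is malformed and is skipped
"""

def is_external(ip):
    try:
        return ipaddress.ip_address(ip) not in LAN
    except ValueError:
        return True  # unparseable client address: treat as untrusted

def triage(log_text, max_msgs=2):
    """Return {account: [reasons]} for accounts that need attention."""
    sent, outside = Counter(), defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the format
        ip, event, account = m.group(1), m.group(2), m.group(3).lower()
        if event == "MAIL-FROM":
            sent[account] += 1
        elif is_external(ip):
            outside[account].add(ip)  # successful AUTH from outside the LAN
    findings = {}
    for account in sorted(set(sent) | set(outside)):
        reasons = []
        if outside[account]:
            reasons.append("auth from outside LAN: " + ", ".join(sorted(outside[account])))
        if account in DEFAULT_ACCOUNTS:
            reasons.append("default account in use")
        if sent[account] > max_msgs:
            reasons.append(f"{sent[account]} messages sent")
        if reasons:
            findings[account] = reasons
    return findings
```

Calling `triage(SAMPLE_LOG)` flags only `guest`, with all three reasons; `alice`, who authenticated from inside the LAN, is not reported.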