mtsupport

blocklisted 38.104.99.170


Got blocklisted, checked all the servers. Updated security patches, definition lists, spamware, spyware. Any assistance or details on how to fix would be greatly appreciated.


Spamcop bl is automatic - as long as no more spam is reported, this IP address will delist in 9 hours.

* DNS error: 38.104.99.170 is mediatec-publishing-inc.demarc.cogentco.com but mediatec-publishing-inc.demarc.cogentco.com has no DNS information

Because of the above problems, express-delisting is not available

I am not a server admin, but I assume that this will mean something to you.

I am not sure what you mean by 'how to fix' - are you satisfied that you have found the source of the spam? Or are you asking what else you can do?

Otherwise, you will be delisted automatically. You cannot use the express delisting because of the DNS error.

Miss Betsy

Got blocklisted, checked all the servers. Updated security patches, definition lists, spamware, spyware. Any assistance or details on how to fix would be greatly appreciated.

Nothing said about any research done on your part at all. Nothing said about anything "found" after all that patching and updating. Nothing said about just what tools/hardware are in use. Nothing said about firewalls, for instance, to include any logs. Noting about any network details, if this is an e-mail server for you or a thousand users, etc. etc. etc. Nothing said about checking out the FAQ or reading any of the Pinned items, specifically, the Why am I Blocked? entries.

http://www.spamcop.net/w3m?action=checkblo...p=38.104.99.170

Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

* SpamCop users have reported system as a source of spam less than 10 times in the past week

Both situations suggest a number of things (see the FAQ entry)

DNS error: 38.104.99.170 is mediatec-publishing-inc.demarc.cogentco.com but mediatec-publishing-inc.demarc.cogentco.com has no DNS information

.... suggests other work needs to be done or explanations offered

In the past 3.6 days, it has been listed 2 times for a total of 2.2 days

... says it was on the list, came off the list, got back on the list .... was this because your server was down for a period, but brought back on-line while still in a spewing mode .. or some other storyline involved?

http://www.senderbase.org/senderbase_queri...g=38.104.99.170

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 3.4 .. 196%

Last month .. 3.0

No idea how 'old' these numbers are at this point, but the obvious question is .. can you go along with the numbers and the increase in traffic flow?


My apologies, you are absolutely correct.

We have 6 Windows 2003 SBS Servers behind a single linksys firewall rv016.

One of them is running Exchange 2003 SP2

I did automatic updates on all the servers. There were 17 security updates installed.

Ran updates on Mcafee Virus and Spamkiller Server definition and signature lists current.

Ran Malwarebytes, it detected some tracking cookies, but nothing else.

Can you guys check to see if your traps are still seeing things from 38.104.99.170.

I'm assuming there's a trojan or bot that might be causing this. We are just trying to run a nice clean mail server. BTW, this is the first time this server has been listed (twice).

Thanks,

Can you guys check to see if your traps are still seeing things from 38.104.99.170.

We're all users of SpamCop so have only limited access to data. In fact you can see pretty much everything we can see except for content of the spam that has been reported (for those of us who are paying users).

If you have a trojan on your net then your best bet is to start logging traffic through the firewall/router and identify the source machine.

Andrew


Thanks Andrew,

I was under the assumption that the admin in this forum could actually check the status of a blocklisted IP. I read a previous thread replying to a blocked user saying they could still see spam coming from their server.

I just want to be sure everything is in order, so that 9 hours later we are not still blocklisted.

Any advice will be helpful.

I was under the assumption that the admin in this forum could actually check the status of a blocklisted IP. I read a previous thread replying to a blocked user saying they could still see spam coming from their server.

I just want to be sure everything is in order, so that 9 hours later we are not still blocklisted.

Any advice will be helpful.

SpamCopAdmin stops by from time to time, and he has that access. The Forum Admin does not.

BTW, I assume you are aware you are posting from the same IP that is listed. Any machine behind that IP could be affecting the listing.

These are the reports available to paid customers:

Submitted: Monday, January 26, 2009 22:30:24 -0500:

Try Viagara Free

3818911302 ( 38.104.99.170 ) To: abuse[at]cogentco.com

---------------------------------------------------------

Submitted: Tuesday, January 06, 2009 20:42:18 -0500:

Diversity & Inclusion contact person & info request

3771639926 ( 38.104.99.170 ) To: abuse[at]cogentco.com

-------------------------------------------------------

Submitted: Tuesday, January 06, 2009 20:42:16 -0500:

Diversity & Inclusion contact person & info request

3771639880 ( 38.104.99.170 ) To: abuse[at]cogentco.com


Steven,

I have frantically checked 35 workstations behind this location. Have both PC and Mac clients updated and clean. One of our less disciplined employees had a couple of trojans on his machine, but all clean now.

Is there any utility or tool you would recommend to see what's coming from 38.104.99.170? I need to be absolutely sure that this is fixed by morning. It could mean my job.

Thanks for everyone's input.

PS I did not know there was a paid membership option.

<snip>

I have frantically checked 35 workstations behind this location. Have both PC and Mac clients updated and clean. One of our less disciplined employees had a couple of trojans on his machine, but all clean now.

...Sounds like a good start. But IANASA (I am not a server admin) so my suggestions should be taken with a large grain of salt.

Is there any utility or tool you would recommend to see what's coming from 38.104.99.170?

<snip>

...Wazoo earlier mentioned firewall logs. Perhaps you could check the logs to try to find some of the verbiage presented earlier by StevenUnderwood (noting, again, that IANASA).

PS I did not know there was a paid membership option.

...No reason you should. This is a reporting membership option and (I assume) you have not registered as a SpamCop reporter. :) <g>

I have frantically checked 35 workstations behind this location. Have both PC and Mac clients updated and clean. One of our less disciplined employees had a couple of trojans on his machine, but all clean now.

The timer has not been reset on the SpamCopDNSBL listing (now showing 4 hours remaining) .. The SenderBase number has come down slightly. At least there's the hint that something good happened, perhaps that single machine.

Is there any utility or tool you would recommend to see what's coming from 38.104.99.170? I need to be absolutely sure that this is fixed by morning. It could mean my job.

To actually "see" what's going out, a network/packet sniffer would be required. In all honesty, there's probably not enough time left in the day to learn how to use one of those and gather any good/specific data. If the "linksys firewall rv016" is programmable, can you limit Port 25 output to those authorized servers? (And there's the question as to whether or not that appliance offers enough detail in its logs to show traffic coming from non-authorized systems, again, focusing in on Port 25 outgoing.)

PS I did not know there was a paid membership option.

SpamCop Reporting Accounts

and more specifically, ISP Account or How can I get SpamCop reports about my network?


Wazoo,

Thanks for the words of encouragement. I've used packet sniffers before. SnifferPro. I just want to monitor or listen to that external IP. I have VLANs and switched networks; even with a promiscuous card I have trouble seeing all traffic. May need to install a 4-port hub at the WAN port.

I just don't want this to happen again, it has been a total nightmare.

I wish someone from spamcop.net would relay some feedback. I've been on this for 13 hours straight.

Thanks again.


I have a question for everyone. Are there any early warning tools or utilities to get a jump start on this before it escalates?

Thanks, for all the help.

I wish someone from spamcop.net would relay some feedback. I've been on this for 13 hours straight.

That "someone" is active in the forums this afternoon, but perhaps he hasn't had a chance to respond here or get in touch with you (not sure if he ever uses the PM system or not...I'm guessing not). Maybe he'll post or get in touch.

DT


Still counting down, that's good. Note 38.104.99.170 is also on dnsbl-1.uceprotect -

H:\>nslookup 170.99.104.38.dnsbl-1.uceprotect.net

...

Name: 170.99.104.38.dnsbl-1.uceprotect.net

Address: 127.0.0.2

Unfortunately they don't seem to give detail on the cause(s) of listing, admitting I don't know their site and may have missed something there.

Note 38.104.99.170 is also on dnsbl-1.uceprotect -

(snip)

Unfortunately they don't seem to give detail on the cause(s) of listing, admitting I don't know their site and may have missed something there.

Just a little...which can be obtained by using their query tool, at:

http://www.uceprotect.net/en/rblcheck.php

What means listed at UCEPROTECT-Level 1?

It means spamtraps were hit from IP 38.104.99.170 directly within the last 7 days, and therefore your mail got blocked.

Last Impact: 24.01.2009 3:50pm CET +/-10min | Earliest Expiretime: 31.01.2009 4:00pm CET

If you are responsible for IP 38.104.99.170:

You can easily find out which UCEPROTECT server listed your IP and for what reason.

To do this, search your mail server's logs (last 8 days) for the following expression: Access denied and blocklisted

All you need to know in order to locate the problem should be inside your logfiles.

If you can't find that string, you most likely have a trojan with its own SMTP engine in your LAN.

How can the IP 38.104.99.170 be removed from UCEPROTECT-Level 1?

Level 1 listing will be removed automatically and free of charge, as soon as there is no abusive action seen for 7 days.

So...IPs stay on that BL for 7 days...it's not a good source of realtime info regarding your status.

DT

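The nslookup quoted above is a DNSBL query: the IP's octets are reversed and prefixed to the list's zone, and a 127.0.0.x answer means "listed" (127.0.0.2 for UCEPROTECT Level 1, as the post shows). The following is an added example, not code from any poster or from SpamCop; it checks an IP against the two zones named in this thread, and the zone list and the "not listed" handling on NXDOMAIN are assumptions.

```python
import ipaddress
import socket

# Zones named in this thread; any other DNSBL zone works the same way.
ZONES = ("bl.spamcop.net", "dnsbl-1.uceprotect.net")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the query name: 38.104.99.170 -> 170.99.104.38.<zone>."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on a bad address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed_answer(answer: str) -> bool:
    """DNSBLs answer a listed IP with an address in 127.0.0.0/8.
    Anything outside that range (a wildcard or hijacked domain) is not a listing."""
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


def check_listing(ip: str, zone: str):
    """Return the 127.x answer if listed, or None if the zone returns NXDOMAIN
    (assumption: no answer means not listed, which is how these zones behave)."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = socket.gethostbyname(name)
    except socket.gaierror:
        return None
    return answer if is_listed_answer(answer) else None


def check_all(ip: str, zones=ZONES) -> dict:
    """Map each zone to its answer (or None), so the status of every list is visible at once."""
    return {zone: check_listing(ip, zone) for zone in zones}


if __name__ == "__main__":
    for zone, answer in check_all("38.104.99.170").items():
        print(f"{zone}: {'listed, answer ' + answer if answer else 'not listed'}")
```

The same lookup can be scheduled (for example hourly) against your own outbound IP so a new listing is noticed before customers start bouncing mail.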
...I have a question for everyone. Are there any early warning tools or utilities to get a jump start on this before it escalates?...

Tools and utilities - I will leave that to others but you might browse thedatalist - http://lists.thedatalist.com/index.html commented on at http://forum.spamcop.net/forums/index.php?showtopic=8241

As you may have noticed in an earlier post, SC reports go to abuse[at]cogentco.com as the nominal abuse handler for that IP address. They should contact you when they get a report. In the case of a spamtrap hit there is no report (and immediate listing) otherwise (member reports) it might give some notice. You may be able to register on an ISP account which would give you direct access. Wazoo's earlier post had the link about that.


This is a really good forum. I will frequent it often. I'm sure the Spamcop admins have their hands full. Anyways, you guys are a wealth of information. Do you belong to any other forums or groups?

Any recommendations on a good server anti-spam application, I hear GFI is pretty good. Anyone have experiences with SpamTitan?

Just a little...which can be obtained by using their query tool, at:

http://www.uceprotect.net/en/rblcheck.php

Thanks David.

For the O/P - when we had problems with our server I made a habit of checking the comprehensive BL listings - the Robtex one is good http://www.robtex.com/ip/38.104.99.170.html - gives a listing summary near the top of the page, hit the "blacklists" tab for the complete run-down of coverage. Some of those BLs might happen to pick up a spam hit (or other problems) in time for you to fix things and stay off other lists. That's one of the strengths of the SCBL - an early notification.

http://www.cisco.com/en/US/docs/routers/cs...0_UG_NC-WEB.pdf (an absolutely horrible and massive PDF of a bad scan job) seems to suggest that services (SMTP in this case) can be configured in, both as allowed/denied activities, and as a log specific ... though admitting it looks a bit painful for the first go-through. Of course, that probably also depends on whether you've got your networked devices (e-mail servers for sure) set on dedicated IP Addresses .... everything accepting DHCP assignments would probably really make the above a total waste of time.


http://spamcop.net/w3m?action=checkblock;ip=38.104.99.170

38.104.99.170 not listed in bl.spamcop.net

http://www.senderbase.org/senderbase_queri...g=38.104.99.170

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 0.0 ... N/A

Last month .. 3.0

Hopefully, things are still working and this isn't simply due to a change of the IP Address in use ...????

Later Edit: ... as of 0420 GMT -6

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 1.8 .. -94%

Last month .. 3.0


Just to note that the paid reporter options are also available to Email account subscribers. That can be a more economical approach for some.

Andrew


One other thing you might consider doing if you haven't already. Since you are using an RV016, which has the ability to configure firewall rules, you might consider adding a rule to block any traffic originating from your LAN that is destined for port 25 unless it is coming from your mail server. That way even if one of your workstations does get infected and start spewing spam again, it will be blocked at the firewall before it can leave your network. You might also try configuring one-to-one NAT so that your Exchange server is using a different IP from your workstations, although I have never been able to get that to work as it is supposed to on the RV series routers.


Thanks for everyone's feedback. Everything is back online. There seems to be some residual effects of the blocklist. ATT and sbcglobal.net are still showing blocks.

I have modified the firewall to only allow port 25 traffic from the mail server as suggested.

I've installed enterprise virus management software, so I can see which machines get infected.

I have inventoried all the machines, assigned asset tags and documented their LAN IPs.

Ran auto updates on all the servers.

Downloaded the firewall access log, Excel ran out of space, I'll review later to identify the spam output.

Otherwise things aren't too bad. I'm sure I will have an interesting discussion with my boss, hopefully I'm still employed.

Thanks again guys, you are all a great team!

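The firewall-log review the O/P has queued up (and the port-25 egress rule suggested two posts earlier) come down to one question: which LAN hosts other than the Exchange server opened outbound connections to port 25, and to how many distinct destinations? This added example is not code from any poster; it streams a CSV export line by line (no spreadsheet size limit) and reports the offenders. The column layout and the sample lines are constructed, since the RV016 export format is not shown in the thread, and the mail server address 192.168.1.10 is an assumption.

```python
import csv
from collections import defaultdict

# Constructed sample export: one row per connection, generic column names.
# Adapt the column names to whatever the RV016 actually writes.
SAMPLE_LOG = """\
time,src_ip,src_port,dst_ip,dst_port,proto
2009-01-26 22:30:01,192.168.1.10,40511,203.0.113.25,25,tcp
2009-01-26 22:30:02,192.168.1.57,1037,198.51.100.7,25,tcp
2009-01-26 22:30:02,192.168.1.57,1038,198.51.100.9,25,tcp
2009-01-26 22:30:03,192.168.1.57,1039,192.0.2.44,25,tcp
2009-01-26 22:30:04,192.168.1.22,3125,203.0.113.80,80,tcp
2009-01-26 22:30:05,192.168.1.10,40512,192.0.2.44,25,tcp
2009-01-26 22:30:06,192.168.1.57,1040,198.51.100.7,25,tcp
"""

MAIL_SERVER = "192.168.1.10"  # assumed LAN address of the Exchange server


def smtp_senders(lines, authorized=frozenset({MAIL_SERVER})):
    """Return {src_ip: (connections, distinct_destinations)} for every LAN host
    that opened outbound TCP/25 connections and is not an authorized mail server.
    `lines` may be any iterable of text lines, e.g. an open file, so the log is
    never loaded into memory at once."""
    conns = defaultdict(int)
    dests = defaultdict(set)
    for row in csv.DictReader(lines):
        if row["proto"].lower() != "tcp" or row["dst_port"].strip() != "25":
            continue
        src = row["src_ip"].strip()
        if src in authorized:
            continue                      # the mail server is allowed to talk SMTP
        conns[src] += 1
        dests[src].add(row["dst_ip"].strip())
    return {ip: (conns[ip], len(dests[ip])) for ip in conns}


def suspects(lines, authorized=frozenset({MAIL_SERVER}), min_connections=2):
    """Rank unauthorized senders by connection count. A bot fans out to many
    different mail hosts, so a high distinct-destination count is the tell;
    one-off connections below `min_connections` are dropped as noise."""
    found = smtp_senders(lines, authorized)
    ranked = [(ip, n, d) for ip, (n, d) in found.items() if n >= min_connections]
    return sorted(ranked, key=lambda t: (-t[1], -t[2], t[0]))


if __name__ == "__main__":
    for ip, n, d in suspects(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {n} outbound SMTP connections to {d} distinct hosts")
```

Run it against the real export with `suspects(open("access_log.csv"))`; the hosts it lists are the ones the port-25 egress rule is now blocking, and the ones to pull off the network for cleaning.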
Otherwise things aren't too bad. I'm sure I will have an interesting discussion with my boss, hopefully I'm still employed.

Thanks again guys, you are all a great team!

You might point out that if instead of using a Windows server and Windows PCs behind it, they had all been running (free) Linux, then none of this would have happened :D


Except that if everyone ran Linux, that would simply become the new OS of choice for hackers and virus writers.
