happycatmeows

Email blocked???


Hello all,

I am new here and not an expert on email servers or computers. Since yesterday, at work, I was not able to send emails using our work mail accounts to a few ISPs, such as look.ca, and 2 other independent companies.

My computer does not have any viruses or spyware, and I do not send spam.

I can not contact our mail host because we don't know who they are. Long story short, our IT guy quit suddenly about half a year ago and left us with no info/password/whatsoever. I called up the company that should be hosting our mail server but they said they can't pull up our accounts. So, long story short, I am unable to contact our ISP/mail host for help. :wacko:

Below is one of the three "Mail delivery failed: returning message to sender" that I received. How can I get my email working properly again??? (I've "xxxxx" the names of the people)

By the way, all those emails have different .jpg and .wmv attachments. (I was able to send those emails to my personal account, Rogers.com accounts)

Thanks in advance.

************************

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its

recipients. This is a permanent error. The following address(es) failed:

xxxxxxxx[at]mchsi.com

SMTP error from remote mail server after MAIL FROM:<xxxxxx[at]millennium3000.com> SIZE=681510:

host gateway.mchsi.com [204.127.203.150]: 550-67.212.91.2 blocked by ldap:ou=rblmx,dc=mso,dc=att,dc=net

550 Blocked for abuse. Please contact the administrator of your ISP or sending mailservice.

------ This is a copy of the message, including all the headers. ------

------ The body of the message is 670993 characters long; only the first

------ 106496 or so are included here.

Return-path: <xxxxxx[at]millennium3000.com>

Received: from [69.159.202.44] (port=60966 helo=Reception)

by newlondon.sibername.com with esmtpa (Exim 4.69)

(envelope-from <xxxxxx[at]millennium3000.com>)

id 1Lk00g-0001hg-FT

for <elided>[at]mchsi.com; Wed, 18 Mar 2009 13:57:07 -0400

From: "XXXX XXXX <xxxxxx[at]millennium3000.com>

To: <xxxxxxxx[at]mchsi.com>

Subject: XXXXXX

Date: Wed, 18 Mar 2009 13:56:50 -0400

Organization: Millennium 3000 Ltd.

Message-ID: <1E64274EBFB64814BC0F260243A4574E[at]Reception>

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="----=_NextPart_000_0003_01C9A7D1.64E7B500"

X-Mailer: Microsoft Office Outlook 11

Thread-Index: Acmn8unxSoYNp7iJSNKBUFCqv5guQg==

X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5512

This is a multi-part message in MIME format.

Edited by Wazoo


Looks to me like you are sending out phishers:

Submitted: Monday, March 16, 2009 4:23:29 AM -0400:

Representative In UK Urgently Needed !!!

3946145240 ( 67.212.91.2 ) ( SIMPLE ) To: postmaster#netelligent.ca[at]devnull.spamcop.net

3946145238 ( 67.212.91.2 ) ( SIMPLE ) To: abuse#netelligent.ca[at]devnull.spamcop.net

--------------------------------------------------

Submitted: Sunday, March 15, 2009 7:05:14 PM -0400:

Abbey Important Security Message

3945225221 ( 67.212.91.2 ) ( SIMPLE ) To: postmaster#netelligent.ca[at]devnull.spamcop.net

3945225218 ( 67.212.91.2 ) ( SIMPLE ) To: abuse#netelligent.ca[at]devnull.spamcop.net

-------------------------------------------------

Submitted: Saturday, March 14, 2009 4:29:09 AM -0400:

Ugent Representative Needed At Textile And Fabric Material Company

3940303528 ( 67.212.91.2 ) ( SIMPLE ) To: postmaster#netelligent.ca[at]devnull.spamcop.net

3940303526 ( 67.212.91.2 ) ( SIMPLE ) To: abuse#netelligent.ca[at]devnull.spamcop.net

---------------------------------------------

Submitted: Thursday, February 26, 2009 11:53:59 AM -0500:

Update your bank account information.

3899585519 ( 67.212.91.2 ) To: abuse[at]netelligent.ca

3899585518 ( 67.212.91.2 ) To: postmaster[at]netelligent.ca

---------------------------------------------

Submitted: Thursday, February 26, 2009 11:53:30 AM -0500:

Update your bank account information.

3899584517 ( 67.212.91.2 ) To: abuse[at]netelligent.ca

3899584512 ( 67.212.91.2 ) To: postmaster[at]netelligent.ca

Oddly I couldn't find more recent reports, the ones in February were the last.

My computer does not have any viruses or spyware, and I do not send spam.

A message that you sent could not be delivered to one or more of its

recipients. This is a permanent error. The following address(es) failed:

xxxxxxxx[at]mchsi.com

SMTP error from remote mail server after MAIL FROM:<xxxxxx[at]millennium3000.com> SIZE=681510:

host gateway.mchsi.com [204.127.203.150]: 550-67.212.91.2 blocked by ldap:ou=rblmx,dc=mso,dc=att,dc=net

550 Blocked for abuse. Please contact the administrator of your ISP or sending mailservice.

The important factoid in the message is that your mail is sent out from a server at IP 67.212.91.2. You may be sharing that with loads of other clients of your ISP.

That server was spewing spam Saturday through Monday. It seems that the problem has been solved by your ISP, the volume of mail is down and the IP is no longer listed. It seems you have a responsible ISP who pulled the plug on an infected customer. I wish they were all so clued up. The IP is not on any of the common blacklists AFAICT. All should now (or soon, when caches are refreshed) be back to normal. I don't think there's anything you need to do apart from the usual malware precautions (assuming that you are using Windows).

By the way, why did you think that SpamCop was involved, it's not mentioned in your rejection message!


Well, you do have a problem. I would suggest you attack your problem on both a short term and a long term basis.

SMTP error from remote mail server after MAIL FROM:<xxxxxx[at]millennium3000.com> SIZE=681510:

host gateway.mchsi.com [204.127.203.150]: 550-67.212.91.2 blocked by ldap:ou=rblmx,dc=mso,dc=att,dc=net

550 Blocked for abuse. Please contact the administrator of your ISP or sending mailservice.

Your current problem is not with your ISP; it is with the "remote mail server". They are the ones that "Blocked (you) for abuse."

Now when I do a whois on mchsi.com I come up with an IP address of 12.215.20.94, which is listed on the SORBS block list (actually the whole block 12.215.0.0 - 12.215.255.255).

The only way to solve that problem is to get mchsi.com to change their way (or the ways of those that they provide mail service to.)

I can not contact our mail host because we don't know who they are. Long story short, our IT guy quit suddenly about half a year ago and left us with no info/password/whatsoever. I called up the company that should be hosting our mail server but they said they can't pull up our accounts.
That is your long term problem and may underlie your current problem.

When I do a Whois on millennium3000.com I get:

Current Registrar: SIBERNAME.COM, INC.

IP Address: 67.55.76.165 (ARIN & RIPE IP search)

IP Location: US(UNITED STATES)-NEW YORK-JERICHO

Record Type: Domain Name

Server Type: Apache 1

Lock Status: ok

Web Site Status: Active

DMOZ no listings

Y! Directory: see listings

Secure: Yes

E-commerce: Yes

Traffic Ranking: 4

Data as of: 22-Apr-2008

When I look up the IP address for your domain I get:

67.55.76.165

Record Type: IP Address

OrgName: Webair Internet Development Inc

OrgID: WAIR

Address: 333 Jericho Tpke

Address: Suite 200

City: Jericho

StateProv: NY

PostalCode: 11753

Country: US

ReferralServer: rwhois://rwhois.webair.com:4321

NetRange: 67.55.64.0 - 67.55.127.255

CIDR: 67.55.64.0/18

NetName: WEBAIRINTERNET6

NetHandle: NET-67-55-64-0-1

Parent: NET-67-0-0-0-0

NetType: Direct Allocation

NameServer: NS.WEBAIR.NET

NameServer: NS2.WEBAIR.NET

Comment: All rwhois info can be found at rwhois.webair.com:4321

RegDate: 2006-07-28

Updated: 2007-04-18

RNOCHandle: ZW64-ARIN

RNOCName: IPAdmin-Webair

RNOCPhone: +1-516-938-4100

RNOCEmail: IPAdmin[at]webair.com

OrgNOCHandle: ZW64-ARIN

OrgNOCName: IPAdmin-Webair

OrgNOCPhone: +1-516-938-4100

OrgNOCEmail: IPAdmin[at]webair.com

OrgTechHandle: ZW64-ARIN

OrgTechName: IPAdmin-Webair

OrgTechPhone: +1-516-938-4100

OrgTechEmail: IPAdmin[at]webair.com

We are only guessing, but your email SMTP is most likely the same as the host of your web pages. Someone in your company is sending checks to SIBERNAME.COM, INC. to keep your web page online. Those that get the check should be able to help resolve the problem.

Edited by Lking


It is possible if you stick around here and read and ask questions to learn something about how email works. It might be more economically feasible for you to hire another IT guy if you can afford to do so.

If you can't, you really should hire an IT person to, at least, find out where your ISP is and how to access your account, and maybe make a basic list of typical problems and what to do if you encounter them - including to call in an expert when something is not on the list or the simple troubleshooting doesn't work.

If you are a business, IT should be an important part of your budget. If you had a company car and the mechanic quit, you couldn't just keep driving it without ever paying attention to maintenance. At least, you could, but sooner or later it would quit on you without oil changes, etc. If you didn't know anything about cars, then you could run into all sorts of problems like being stalled at the side of the road because of a flat tire.

Miss Betsy

...

Return-path: <xxxxxx[at]millennium3000.com>

Received: from [69.159.202.44] (port=60966 helo=Reception)

by newlondon.sibername.com with esmtpa (Exim 4.69)

(envelope-from <xxxxxx[at]millennium3000.com>)

id 1Lk00g-0001hg-FT

for grantcwsd[at]mchsi.com; Wed, 18 Mar 2009 13:57:07 -0400

...

OK, that's you (69.159.202.44), trying to send through your mail exchange mail.millennium3000.com which presently has an IP address (your MX 'internet address') of 67.212.64.130 (shared, and for which IP SenderBase sees no activity) and a reverse DNS name of newlondon.sibername.com (same as the blocked 67.212.91.2) and that's about as far as it gets. The IP address of mail.millennium3000.com has changed 'recently' - I briefly saw a cached address on robtex (on-line lookup), over a year old (384 days), which was quite different - a completely different range though I didn't make a note of it. There seems to be some sort of variability in the records anyway and it would certainly be worth persevering in trying to send. The blocked 67.212.91.2 (shared) is not necessarily a 'permanent' part of your routing. Certainly contacting sibername.com should be of assistance, as Lou says.

"My computer does not have any viruses or spyware, and I do not send spam." is a brave claim since different AV and AS products might give different answers but the internet wouldn't usually be seeing your computer, just the IP address(es) through which you network and you will be sharing those with hundreds of others and the odds are that some of those are infected, that's the liability of the internet these days.

This does not appear to be a SC blocklist issue as such (nothing specific in the NDR message) - though dra007 did find evidence of earlier reports on 67.212.91.2 (which may or may not have led to short-term listing on the SCBL which, in turn, may or may not be associated with the cryptic '=rblmx' in the notice).

[Oh yeah, as Miss Betsy says, you need an IT person. An independent contractor if you don't have enough full-time work for a permanent post. You are way too vulnerable, in numerous ways, without one.]
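
The hop read out of the quoted Received header above can be extracted mechanically. This is an added example, not part of the original post; the function names are illustrative. It parses an Exim-style Received line and uses the RFC 3848 protocol keywords, under which `esmtpa` records that the client authenticated to the relay.

```python
import re

# Constructed sample: the Received header quoted in this thread, with the
# continuation lines folded the way they appear in a raw message.
RAW_RECEIVED = (
    "Received: from [69.159.202.44] (port=60966 helo=Reception)\n"
    "\tby newlondon.sibername.com with esmtpa (Exim 4.69)\n"
    "\t(envelope-from <xxxxxx[at]millennium3000.com>)\n"
    "\tid 1Lk00g-0001hg-FT\n"
    "\tfor <elided>[at]mchsi.com; Wed, 18 Mar 2009 13:57:07 -0400\n"
)

# "with" protocol keywords registered by RFC 3848.
AUTHENTICATED = {"esmtpa", "esmtpsa"}  # client used SMTP AUTH
ENCRYPTED = {"esmtps", "esmtpsa"}      # client used STARTTLS

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<client>\S+)"
    r"(?:\s+\((?P<comment>[^)]*)\))?"
    r"\s+by\s+(?P<relay>\S+)"
    r"\s+with\s+(?P<proto>\S+)",
    re.I,
)


def unfold(header):
    """Join folded continuation lines (RFC 5322 folding) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header.strip())


def parse_received(header):
    """Split one Exim-style Received header into the facts used for tracing."""
    line = unfold(header)
    m = RECEIVED_RE.match(line)
    if m is None:
        raise ValueError("not a 'from ... by ... with ...' Received header")
    # key=value pairs inside the first comment, e.g. port=60966 helo=Reception
    extras = dict(p.split("=", 1) for p in (m.group("comment") or "").split() if "=" in p)
    proto = m.group("proto").lower()
    stamp = line.rsplit(";", 1)[1].strip() if ";" in line else None
    return {
        "client": m.group("client").strip("[]"),
        "helo": extras.get("helo"),
        "relay": m.group("relay"),
        "protocol": proto,
        "authenticated": proto in AUTHENTICATED,
        "encrypted": proto in ENCRYPTED,
        "received_at": stamp,
    }
```
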


Thank you to all of you for your responses. I think I will need more than 2 hours in order to understand entirely what each one of you are saying. :blink:

We do have an independent IT contractor but he couldn't figure out who our mail host is either. In the past, I tried calling all the companies that LKing found (Sibername, Webair, and also Netelligent). No luck, but anyway.

I knew SpamCop was involved because in one of those "returned mail" messages, it reads "SMTP error from remote mail server after RCPT TO:<xxxxxx[at]look.ca>:

host mail.look.ca [207.136.100.28]: 550-Denied by RBL bl.spamcop.net (Blocked - see

550 http://www.spamcop.net/bl.shtml?67.212.91.2)

So that's why I knew SpamCop was involved.

I think for now, I will just sit and wait for another 2 days to see if the problem will be resolved by our ISP because as mentioned in one reply, it seems that we are sharing the same mail server with other clients of our ISP, so the problem MIGHT not be on our end... In the meantime, I will try to fully understand all the replies. This morning, I tried sending an email to one of the people who I had problems sending emails to, and it was working. However, I was still unable to send emails to the other 2 people.

Thanks~~~

Edited by happycatmeows


I think for now, I will just sit and wait for another 2 days to see if the problem will be resolved by our ISP, while I try to fully understand all the replies. This morning, I tried sending an email to one of the people who I had problems sending emails to, and it was working. However, I was still unable to send emails to the other 2 people.

I may be being dense and not fully understanding....

But it isn't all that difficult to make a new arrangement with an ISP that is able to help you. If you have a domain name which the unknown ISP currently controls then you'd need to speak with the registrar for your domain to get it back into your own control.

But I'd want to know who was looking after my interests and at the moment you've no idea who that is.

Time to take action.

Andrew

<snip>

I knew SpamCop was involved because in one of those "returned mail" messages, it reads "SMTP error from remote mail server after RCPT TO:<xxxxxx[at]look.ca>:

host mail.look.ca [207.136.100.28]: 550-Denied by RBL bl.spamcop.net (Blocked - see

550 http://www.spamcop.net/bl.shtml?67.212.91.2)

So that's why I knew SpamCop was involved.

<snip>

...Well, not really. I see how you might have come to that conclusion (and, indeed, it may be correct that at some time SpamCop did have that address on its blacklist) but that message must not be treated as authoritative. It's as if I came to your house, knocked on your door and got no answer and a neighbor told me you'd been taken to jail. I could not then assume that the local police had been involved -- your neighbor could either be unintentionally mistaken, telling me something that was true in the past but is no longer true or deliberately lying, I have no way of knowing. :) <g>
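
The two rejection notices quoted in this thread (from gateway.mchsi.com and mail.look.ca) name the same sending IP but different blocking mechanisms, and only the second names a public DNSBL. The following is an added example, not part of any post here, with illustrative function names: it pulls those facts out of the bounce text and builds the standard DNSBL query name (reversed octets plus the list's zone), so the current listing state can be checked directly instead of inferred from the bounce.

```python
import ipaddress
import re
import socket

# Constructed sample input: the two rejection excerpts quoted in this thread.
NDR_MCHSI = (
    "host gateway.mchsi.com [204.127.203.150]: 550-67.212.91.2 blocked by "
    "ldap:ou=rblmx,dc=mso,dc=att,dc=net\n"
    "550 Blocked for abuse. Please contact the administrator of your ISP or "
    "sending mailservice.\n"
)
NDR_LOOK = (
    "host mail.look.ca [207.136.100.28]: 550-Denied by RBL bl.spamcop.net "
    "(Blocked - see\n"
    "550 http://www.spamcop.net/bl.shtml?67.212.91.2)\n"
)

HOST_RE = re.compile(r"host (\S+) \[(\d{1,3}(?:\.\d{1,3}){3})\]:")
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?!\.?\d)")
ZONE_RE = re.compile(r"\bRBL\s+([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def parse_rejection(text):
    """Extract the rejecting server, the IP it objected to, and any DNSBL zone it names."""
    host = HOST_RE.search(text)
    if host is None:
        raise ValueError("no 'host <name> [<ip>]:' line in rejection text")
    blocked = None
    for m in IPV4_RE.finditer(text, host.end()):
        try:
            ipaddress.IPv4Address(m.group(0))  # rejects e.g. 999.1.1.1
        except ValueError:
            continue
        if m.group(0) != host.group(2):
            blocked = m.group(0)
            break
    zone = ZONE_RE.search(text)
    return {
        "rejecting_host": host.group(1),
        "rejecting_ip": host.group(2),
        "blocked_ip": blocked,
        "dnsbl_zone": zone.group(1).lower() if zone else None,
    }


def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def currently_listed(ip, zone):
    """Live check (needs DNS): a 127.0.0.0/8 answer means listed right now."""
    try:
        answer = socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False  # NXDOMAIN (not listed) or the lookup itself failed
    return answer.startswith("127.")
```

`currently_listed` queries the list itself, so its answer reflects the listing at the time of the call rather than whatever the rejecting server reported when it bounced the message.
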

We do have an independent IT contractor but he couldn't figure out who our mail host is either. In the past, I tried calling all the companies that LKing found (Sibername, Webair, and also Netelligent). No luck, but anyway.

From the top .. what affiliation/position do you have with the millennium3000.com web-site?

Trace millennium3000.com (67.55.76.165) ...

80.91.249.109 RTT: 194ms TTL:170 (nyk-bb1-link.telia.net probable bogus rDNS: No DNS)

80.91.250.97 RTT: 48ms TTL:170 (nyk-b4-link.telia.net probable bogus rDNS: No DNS)

213.248.82.150 RTT: 41ms TTL:170 (webair-126294-nyk-b1.c.telia.net ok)

209.200.52.5 RTT: 51ms TTL:170 (csa010.nyc.webair.net fraudulent rDNS)

67.55.76.165 RTT: 42ms TTL: 54 (No rDNS)

Apparently a "shared" web-server involved .. DNS and hosting apparently provided by webair.net

Dig millennium3000.com[at]ns2.webair.net (174.137.152.1) ...

Authoritative Answer

Query for millennium3000.com type=255 class=1

millennium3000.com SOA (Zone of Authority)

Primary NS: ns.webair.net

Responsible person: webmaster[at]millennium3000.com

serial:2006041902

refresh:10800s (3 hours)

retry:3600s (60 minutes)

expire:604800s (7 days)

minimum-ttl:43200s (12 hours)

millennium3000.com NS (Nameserver) ns.webair.net

millennium3000.com NS (Nameserver) ns2.webair.net

millennium3000.com MX (Mail Exchanger) Priority: 10 mail.millennium3000.com

millennium3000.com A (Address) 67.55.76.165

mail.millennium3000.com A (Address) 67.212.64.130

This web-site has an incoming e-mail server running at the IP Address of 67.212.64.130 .... however, the data is a bit 'off' .....

Trace mail.millennium3000.com (67.212.64.130) ...

4.69.140.250 RTT: 84ms TTL:170 (ae-11-11.car2.Toronto2.Level3.net ok)

4.69.140.254 RTT: 83ms TTL:170 (ae-2-2.car2.Montreal2.Level3.net ok)

4.59.178.6 RTT: 90ms TTL:170 (NHS.car2.Montreal2.Level3.net probable bogus rDNS: No DNS)

64.15.64.43 RTT: 95ms TTL:170 (No rDNS)

67.212.64.130 RTT: 83ms TTL: 50 (newlondon.sibername.com fraudulent rDNS)

Not sure I'd be all that comfortable dealing with them, looking at their Registration details ....

whois -h whois.tucows.com sibername.com ...

Registrant:

Sibername Internet and Software Technologies Inc.

Suite: 900 - 275 Slater Street

Ottawa, ON K1P 5H9

CA

Domain name: SIBERNAME.COM

Administrative Contact:

TURKOGLU, Bulent mesutbulent[at]yahoo.com

Suite: 900 - 275 Slater Street

Ottawa, ON K1P 5H9

CA

800 613 8915

Technical Contact:

TURKOGLU, Bulent mesutbulent[at]yahoo.com

Suite: 900 - 275 Slater Street

Ottawa, ON K1P 5H9

CA

800 613 8915

Their web-site offers support[at]sibername.com which makes a lot more sense .....

Anyway, the millennium3000.com web-site is hosted by one outfit, but the e-mail is hosted somewhere else. Who is actually running the server that identifies itself as helo=Reception I haven't quite sorted out yet. Your supplied rejection notice shows that you (or your network .. still undefined) sent the original e-mail from your system (or network) to the newlondon.sibername.com e-mail server which then tried to pass that e-mail on to a Mediacom (mchsi.com) e-mail server.

This "should" imply that 'you' (or your network) are an authorized user of the sibername.com (e-mail) system. Why they can't identify "you" as a user is a bit strange, but noting that their Support page does do a bit of bad-mouthing their own (1st level) support folks .. perhaps an e-mail to their 'support' address might actually come up with better results ...???

As previously suggested, it does seem pretty doubtful that e-mail would continue to be passed without payment for those services being received .... yet, perhaps it's just that the subscription due date hasn't come up yet. The fear at this point would be just when that date happens, apparently with no one knowing just who'd be receiving any notifications of the next invoice/bill ...???

Not sure if this will actually help, as the situation does seem to be very confusing with no one "in the know" ... I'm wondering about the qualifications of your current "independent IT contractor" ... yet realizing that there may be passwords and ID codes not known by anyone but the previous IT person .. might explain other folks not wanting to disclose account/connection data ???


If I were you, I would start all over with a new ISP.

Some people like me can find out all those things, but I think it is a gift and not something that you can teach someone. If I were you, I would start over. An independent IT person should be able to find out where your domain is registered. Even if it is someone else, that's not a good recommendation to be listed more than once in a year.

Miss Betsy

