mvanwyk

Sender refused by the DNSBL bl.spamcop.net


Hi Guys.

We host a merak pop3 mail server for a small town.

This morning when trying to send mail to anyone using one or any of the domains we host we received this error message.

<example[at]exampledomain.co.za>... Sender refused by the DNSBL bl.spamcop.net

The mail server has a local IP address of 172.17.0.6 with a public Address 41.208.36.76.

I checked the public address and noticed that it was not listed.

Could someone please assist or point me in the right direction.

I hope I have given enough information.

Thanks in advance.

> We host a merak pop3 mail server for a small town.
>
> This morning when trying to send mail to anyone using one or any of the domains we host we received this error message.
>
> <example[at]exampledomain.co.za>... Sender refused by the DNSBL bl.spamcop.net

1. AIUI mail is sent from an SMTP server and received from a POP3, so I am, to say the least, puzzled.

2. That IP seems to have a good reputation and I can find no reports against it. If there were they would have been sent to abuse[at]mtnns.za, is that you? Who checks that mailbox?

3. You get the error message when trying to send to anyone? Are you using the SCBL and if so is it configured correctly? Could you post the full text of a rejection please?

It just doesn't add up as you have presented it.

> It just doesn't add up as you have presented it.

My Bad!

Point 1

We also have the Merak SMTP as well.

Point 2

mtnns.za is our ISP; I'm sure their admin checks the mailbox.

Point 3 (This is one of the domains / users trying to email)

196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:38 +0200 Connected

196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:38 +0200 >>> 220 mail.igrade.co.za ESMTP Merak 8.2.0; Thu, 7 May 2009 10:00:38 +0200

196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:38 +0200 <<< EHLO JAKESPC

196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:38 +0200 >>> 250-mail.igrade.co.za Hello JAKESPC [196.11.146.71], pleased to meet you.

196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:39 +0200 <<< MAIL FROM: <jakes[at]tekalarms.co.za>

196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:39 +0200 >>> 501 5.7.1 <jakes[at]tekalarms.co.za>... Sender refused by the DNSBL bl.spamcop.net

SYSTEM [000017D4] Thu, 7 May 2009 10:00:39 +0200 Disconnected

> 196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:39 +0200 >>> 501 5.7.1 <jakes[at]tekalarms.co.za>... Sender refused by the DNSBL bl.spamcop.net

http://www.spamcop.net/w3m?action=checkblo...p=196.11.146.71

196.11.146.71 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 23 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

System has been listed for less than 24 hours.

Additional potential problems

(these factors do not directly result in spamcop listing)

DNS error: 196.11.146.71 has no reverse dns

http://www.senderbase.org/senderbase_queri...g=196.11.146.71

Volume Statistics for this IP

| | Magnitude | Vol Change vs. Last Month |
|---|---|---|
| Last day | 4.4 | 301% |
| Last month | 3.8 | |

DNS-based blocklists

bl.spamcop.net

cbl.abuseat.org

Spamtrap hits, user reports, and an increase in traffic ... as noted in the Why am I Blocked? FAQ, Pinned, and Wiki entries, these point to an infected/compromised computer/network being involved.


> http://www.spamcop.net/w3m?action=checkblo...p=196.11.146.71
>
> 196.11.146.71 listed in bl.spamcop.net (127.0.0.2)

Oh dear!

Submitted: 07 May 2009 09:21:39 +0100:
Renew your virility for yourself,for her and for your love.

	* 4116004757 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net 

Submitted: 04 May 2009 19:47:11 +0100:
Newsletter_12:_Making_money_with_SMS_SHORT_CODES

	* 4106883551 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net 

Submitted: 04 May 2009 13:58:23 +0100:
[ipc] LATEST IPC CONNECT

	* 4106132192 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net 

Submitted: 04 May 2009 07:00:03 +0100:
GOLD_DUST_and_GOLD_NUGGETS

	* 4104789442 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net 

Submitted: 04 May 2009 05:39:19 +0100:
GOLD_DUST_and_GOLD_NUGGETS

	* 4104537549 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net 

Submitted: 03 May 2009 19:01:40 +0100:
GOLD_DUST_and_GOLD_NUGGETS

	* 4103343570 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net 

Submitted: 03 May 2009 19:01:28 +0100:
Newsletter_12:_Making_money_with_SMS_SHORT_CODES

	* 4103342733 ( http://www.payprofit.net/payprofit/unsubscribe.... ) To: abuse[at]navigata.net
	* 4103342617 ( 196.11.146.71 ) To: nomaster[at]devnull.spamcop.net 

and

Parsing input: 196.11.146.71
[report history]
Routing details for 196.11.146.71
[refresh/show] Cached whois for 196.11.146.71 : risk[at]vodacom.co.za
spampolice[at]vodamail.co.za bounces (241 sent : 121 bounces)
Using best contacts
No reporting addresses found for 196.11.146.71, using devnull for tracking.
Statistics:
196.11.146.71 listed in bl.spamcop.net (127.0.0.2)
More Information..
196.11.146.71 not listed in dnsbl.njabl.org ( 127.0.0.8 )
196.11.146.71 not listed in dnsbl.njabl.org ( 127.0.0.9 )
196.11.146.71 not listed in cbl.abuseat.org
196.11.146.71 not listed in dnsbl.sorbs.net
No valid email addresses found, sorry!

	* There are several possible reasons for this: The site involved may not want reports from SpamCop.
	* SpamCop administrators may have decided to stop sending reports to the site to prevent listwashing.
	* SpamCop uses internal routeing to contact this site, only knows about the internal method and so cannot provide an externally-valid email address.
	* There may be no working email address to receive reports. 

Houston, we have a problem :unsure:

Edited by Derek T

> Houston, we have a problem :unsure:

Thanks Guys.

One thing I forgot to mention is that most of the people are using Vodacom as their ISP to connect to the net using their 3G network. It seems like the public address which is assigned is blacklisted.


Assuming that the problem is not a compromised mail server, which seems to rarely be the case, there are a couple of good solutions to this problem:

1) If you have, or can get, multiple public IP addresses, use one IP address for the mail server, and a separate IP address for your NAT.

2) Configure your router to deny all Outbound traffic, with a destination port of 25, and a source IP address OTHER than the mail server.

An even better solution would be to do BOTH of these items if possible.

Of course, this is just a stop-gap measure. The real solution is going to be finding the infected machine or machines on the network and getting it cleaned, but 1 and 2 above should get your IP to quit sending spam so that you can get delisted quickly while tracking down the bad machine.

Edited by Telarin
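
Added example (not part of any post in this thread, and not SpamCop or Merak code): the 501 refusal in the SMTP log posted earlier is a DNSBL check on the connecting client's address, so the address to look up is the one at the start of the rejected log line, not the mail server's own public IP. The function names and the regular expression are assumptions based only on the log lines shown in the thread.

```python
import ipaddress
import re
import socket

# Sample input: session lines copied from the log posted in this thread.
SAMPLE_LOG = """\
196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:38 +0200 Connected
196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:38 +0200 <<< EHLO JAKESPC
196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:39 +0200 <<< MAIL FROM: <jakes[at]tekalarms.co.za>
196.11.146.71 [000017D4] Thu, 7 May 2009 10:00:39 +0200 >>> 501 5.7.1 <jakes[at]tekalarms.co.za>... Sender refused by the DNSBL bl.spamcop.net
SYSTEM [000017D4] Thu, 7 May 2009 10:00:39 +0200 Disconnected
"""

# <client ip> [session] <timestamp> >>> <4xx/5xx> ... refused by the DNSBL <zone>
REJECT = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \[(?P<session>[0-9A-F]+)\] .*? >>> "
    r"(?P<code>[45]\d\d) .*refused by the DNSBL (?P<zone>[\w.-]+)\s*$"
)

def dnsbl_rejections(log_text):
    """Return (client_ip, session_id, zone) for every DNSBL refusal in the log."""
    hits = []
    for line in log_text.splitlines():
        m = REJECT.match(line)
        if m:
            hits.append((m["ip"], m["session"], m["zone"]))
    return hits

def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_lookup(ip, zone):
    """Live check (needs DNS): the 127.0.0.x answer if listed, else None."""
    try:
        answer = socket.gethostbyname(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None  # NXDOMAIN: not listed
    # Ignore answers outside 127.0.0.0/8 (e.g. a resolver rewriting NXDOMAIN).
    return answer if answer.startswith("127.") else None

if __name__ == "__main__":
    for ip, session, zone in dnsbl_rejections(SAMPLE_LOG):
        print(f"session {session}: client {ip} -> query {dnsbl_query_name(ip, zone)}")
    # The server's own public address is a different query altogether:
    print(dnsbl_query_name("41.208.36.76", "bl.spamcop.net"))
```

Run over a full server log, the list of rejected client addresses also shows which connecting hosts or shared NAT addresses are the ones being listed.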
