Chris Norgaard

199.89.170.139 is on the blacklist


According to http://www.spamcop.net/w3m?action=checkblo...=199.89.170.139 :

Query bl.spamcop.net - 199.89.170.139

199.89.170.139 is mail1.univarusa.com

199.89.170.139 listed in bl.spamcop.net (127.0.0.2)

Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users. It has been sending mail consistently for at least 23.8 days. In the past 45 hours, it has been listed 2 times for a total of 36 hours

In the past week, this system has:

Been reported as a source of spam less than 10 times

Been detected sending mail to spam traps

Been witnessed sending mail about 90 times

A sample sent sometime during the 24 hours beginning :

Received:

Subject: - now

From: ch.. at ..o.com

"Been detected sending mail to spam traps" is a kiss of death for any IP Address. ISPs whose IP Addresses have "Been detected sending mail to spam traps" need to review FAQ Entry "How can I be de-listed" at http://www.spamcop.net/fom-serve/cache/298.html ASAP.

Please see the "Pinned: FAQ Entry: Why is my email blocked?" Topic at http://forum.spamcop.net/forums/index.php?showtopic=35 for more information.


Er... unfortunately none of that stuff is relevant in this case, Jeff.

The IP was indeed listed due to MyDoom. The MyDoom worm generates email addresses from a list of names and attaches them to known domains, and unfortunately it seems to have come up with a spamtrap address in that way.

I've removed the IP from the list. I hope the virus has been cleaned up now.

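An added example, not part of the original posts and not SpamCop's code: one way a mail administrator could spot an internal host that is mailing addresses built as a common first name at a known domain, the pattern described in the reply above, before it reaches a spamtrap. The log format, the name list and the thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of common first names (an assumption, not any worm's real list).
COMMON_NAMES = {"john", "mary", "bob", "alice", "david", "linda", "mike", "susan"}

# Constructed log lines in a simplified, hypothetical "client=<ip> to=<addr>" format.
SAMPLE_LOG = """\
client=10.0.0.21 to=john@example.com
client=10.0.0.21 to=mary@example.net
client=10.0.0.21 to=bob@example.org
client=10.0.0.21 to=linda@example.com
client=10.0.0.21 to=susan@example.net
client=10.0.0.35 to=j.smith@example.com
client=10.0.0.35 to=accounts@example.org
client=10.0.0.35 to=mary@example.com
"""

LINE_RE = re.compile(r"client=(\S+)\s+to=([^@\s]+)@(\S+)")

def suspicious_senders(log_text, min_recipients=4, min_ratio=0.8, min_domains=2):
    """Return {client_ip: (distinct_recipients, name_ratio)} for clients whose
    recipients are mostly bare first names spread over several domains."""
    rcpts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            client, local, domain = m.group(1), m.group(2).lower(), m.group(3).lower()
            rcpts[client].add((local, domain))
    flagged = {}
    for client, pairs in rcpts.items():
        if len(pairs) < min_recipients:
            continue  # too little mail to judge
        name_hits = sum(1 for local, _ in pairs if local in COMMON_NAMES)
        ratio = name_hits / len(pairs)
        domains = {d for _, d in pairs}
        # Ordinary users rarely mail only bare first names across unrelated domains.
        if ratio >= min_ratio and len(domains) >= min_domains:
            flagged[client] = (len(pairs), round(ratio, 2))
    return flagged

if __name__ == "__main__":
    for ip, (n, ratio) in suspicious_senders(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct recipients, {ratio:.0%} first-name local parts")
```

A flagged client is a candidate for a malware scan and for blocking direct outbound SMTP until it is cleaned.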

Michael,

Thank you for taking care of this.

Can you tell if that spamtrap was embedded in a web page or computed using a common first name?

Thanks!

> Can you tell if that spamtrap was embedded in a web page or computed using a common first name?

I'm only guessing, but it looks like just a common first name at a known domain.

> Can you tell if that spamtrap was embedded in a web page or computed using a common first name?

> I'm only guessing, but it looks like just a common first name at a known domain.

In the interest of justice, it might be advisable to disable that one and others which match the profile, at least until this worm expires.
