
ERROR-Domain reported by spoofed email address.


mark


It appears any spoofed address can report a domain as a source of spam, crippling the domain for 48 hours, as stated in the FAQ.

Consider removing SPAMCOP as a method of blocking spam, as it appears the system may prevent legitimate mail.

Below is a response from the ISP, stating that they are not the reporting source.

http://www.spamcop.net/sc?track=66.241.135.153

~~~~~~~

We are not sure why our email address is listed although we are certain that we did not report this to Spamcop. If we were to receive spam from you we would contact you first. If there is anything else we can help you with please feel free to give us a call or email.

Regards,

Dennis

Network Operations Centre

Toronto Hydro Telecom Inc.

185 The West Mall, Suite 500

Toronto, Ontario, M9C 5L5

Tel: (416) 542-2525

Backup Tel: (416) 626-0450

Fax: (416) 626-5419

Email: noc[at]thtelecom.ca

-----Original Message-----

From: Mark Munro [mailto:Mark.Munro[at]AllianceAtlantis.com]

Sent: Friday, January 30, 2004 3:01 PM

To: NOC [at] thtelecom; Mark Munro

Subject: RE: spamcop

Thanks, Dennis,

Can you explain why your email address is listed at SPAMCOP as the address that reported us as a source of spam?

-----Original Message-----

From: NOC [at] thtelecom [mailto:noc[at]thtelecom.ca]

Sent: Friday, January 30, 2004 2:59 PM

To: 'Mark Munro'

Subject: RE: spamcop

Hi Mark,

There is nothing we can do on our side to resolve this issue with Spamcop. I do suggest that you contact Spamcop directly and resolve this issue with them. It seems that you have been put on their blocking list and you must convince them to take you off. If you have any questions you can contact our NOC.


Please post the original message you received stating that you are on the Spamcop blocklist, with the IP address in question, and someone will be able to provide you with more assistance.

Thanks!


It appears any spoofed address can report a domain as a source of spam, crippling the domain for 48 hours, as stated in the FAQ.

That's simply not correct.

The SpamCop parser completely and totally ignores any email addresses found in the headers of the spam. So, when email is sent with forged From: or sender addresses, that's not a problem since we ignore those anyway.

SpamCop also mostly ignores the domain names found in the headers of the message. It does use the domain names, but only to double-check the IP address found in the headers. The IP address is always considered the authoritative reference for where the email was each step of the way on its travels.

Spammers can't forge IP addresses into spam as they are automatically recorded by the receiving mail server, based on the IP address that connects to the mail server.

We can settle this pretty easily. What is the IP address that is on the blacklist?

JT


It appears any spoofed address can report a domain as a source of spam, crippling the domain for 48 hours, as stated in the FAQ.

That's simply not correct.

The SpamCop parser completely and totally ignores any email addresses found in the headers of the spam. So, when email is sent with forged From: or sender addresses, that's not a problem since we ignore those anyway.

SpamCop also mostly ignores the domain names found in the headers of the message. It does use the domain names, but only to double-check the IP address found in the headers. The IP address is always considered the authoritative reference for where the email was each step of the way on its travels.

Spammers can't forge IP addresses into spam as they are automatically recorded by the receiving mail server, based on the IP address that connects to the mail server.

We can settle this pretty easily. What is the IP address that is on the blacklist?

JT

I have no idea why this is listed, I see no evidence indicating I am relaying, and I am receiving numerous reports that the spamcop database is the cause.

Can you please get this IP removed immediately!

-----Original Message-----

From: System Administrator

Sent: Friday, January 30, 2004 12:54 PM

To: lmenary[at]roots.com

Subject: Undeliverable: RE: Delivery Status Notification (Failure)

Your message did not reach some or all of the intended recipients.

Subject: RE:

Sent: 1/30/2004 12:53 PM

The following recipient(s) could not be reached:

lmenary[at]roots.com on 1/30/2004 12:53 PM

You do not have permission to send to this recipient. For assistance, contact your system administrator.

<webmail1.allianceatlantis.com #5.7.1 smtp;550 5.7.1 Rejected: 66.241.135.153 listed at bl.spamcop.net>


According to http://www.spamcop.net/w3m?action=checkblo...=66.241.135.153 :

Query bl.spamcop.net - 66.241.135.153

66.241.135.153 is webmail1.allianceatlantis.com

66.241.135.153 listed in bl.spamcop.net (127.0.0.2)

Since SpamCop started counting, this system has been reported less than 10 times by less than 10 users. It has been sending mail consistently for at least 92.9 days. It has been listed for 26 hours.

In the past week, this system has:

Been reported as a source of spam less than 10 times

Been witnessed sending mail about 270 times

A sample sent sometime during the 24 hours beginning :

Received: from -.-.com (-.-.com [66.241.135.153])-

by -.-.-.- (-.-.-.-.-) with - id -

for <-[at]-.com>- Thu, - Jan 2004 - -

Subject: business - specialists - id -

From: de.. at ..li.fr
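The bounce quoted earlier ("550 5.7.1 Rejected: 66.241.135.153 listed at bl.spamcop.net") and the "listed in bl.spamcop.net (127.0.0.2)" line above are two sides of the same DNSBL lookup. The following is an added example, not code from SpamCop or from anyone in this thread, showing how a mail server performs that check: the client's octets are reversed and the zone appended, a 127.0.0.x answer means "listed", and NXDOMAIN means "not listed". The resolver table is constructed so the code runs offline; the `resolve` parameter, `fake_resolver` and the 250/550 verdict shape are assumptions made for the demonstration.

```python
import socket

# Zone and listing code as seen in the thread. FAKE_DNS is a constructed
# stand-in for live DNS so the example runs offline; it is not real data.
DNSBL_ZONE = "bl.spamcop.net"
FAKE_DNS = {
    "153.135.241.66.bl.spamcop.net": "127.0.0.2",  # listed, as in the thread
    # 142.176.128.51 was "not listed" when quoted: no entry -> NXDOMAIN
}


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the DNSBL lookup name: octets reversed, then the zone appended."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def fake_resolver(name):
    """Stand-in for socket.gethostbyname that answers from the constructed table."""
    try:
        return FAKE_DNS[name]
    except KeyError:
        # A real resolver raises gaierror on NXDOMAIN; mirror that behaviour.
        raise socket.gaierror(-2, "Name or service not known")


def dnsbl_lookup(ip, zone=DNSBL_ZONE, resolve=socket.gethostbyname):
    """Return the listing code (e.g. '127.0.0.2') if ip is listed, else None.

    A DNSBL answers a listed address with an A record inside 127.0.0.0/8 and
    NXDOMAIN for an unlisted one. An answer outside 127/8 is treated as a
    broken or wildcarded zone rather than as a listing, so a DNS problem
    does not silently reject all mail.
    """
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return None
    return answer if answer.startswith("127.") else None


def smtp_verdict(client_ip, zone=DNSBL_ZONE, resolve=socket.gethostbyname):
    """What an MTA would answer at connection time, shaped like the 550 quoted above."""
    code = dnsbl_lookup(client_ip, zone, resolve)
    if code is None:
        return (250, "OK")
    return (550, f"5.7.1 Rejected: {client_ip} listed at {zone}")


if __name__ == "__main__":
    for ip in ("66.241.135.153", "142.176.128.51"):
        print(ip, dnsbl_query_name(ip), smtp_verdict(ip, resolve=fake_resolver))
```

Dropping `resolve=fake_resolver` makes `smtp_verdict` use the system resolver and query the real zone, which is what a receiving server does for every inbound connection.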


I am not an admin and I cannot see the email but the sample looks like the spam that has been going around with the subject "Web Business Programming Specialists" through hijacked machines. The link in it is to their email address at laposte.net. the faked from was probably developers03 at tiscali.fr

I am sure a deputy will confirm if it was spam or not.

Are you sure your machine is locked down?


Thanks Jeff, I did see this page.

If I understand this correctly, then the page states that some domain in .fr is hijacking our IP address?

Can you offer any suggestions on how this is possible?

I have tested for open relays on a number of test sites. I have also submitted our IP to the ordb.org site, and I don't see how the .fr domain hijacked our address.

Please help.


Your mailserver appears to be running Microsoft Exchange Server 5.0 -

according to http://west-pub.mail-abuse.org/tsi/ar-fix.html#exchange :

Microsoft Exchange Server

Status: Commercial (Microsoft Corp.)

Systems: Win/NT

Info: http://www.microsoft.com/

Versions through 5.0 are vulnerable to relay if they permit any local SMTP users. (Servers that only act as a gateway between internal non-SMTP mail and the Internet don't have relay problems.) In other words, if your Exchange 5.0 server is connected to the Internet, it WILL relay for anyone, and that cannot be stopped.

Starting with version 5.5, provisions have been made to prevent unauthorized relay. These are described in detail in an article from Windows NT Magazine http://www.exchangeadmin.com/Articles/Inde...?ArticleID=7696 . If you're running an older version, it's time to upgrade.

Microsoft has an article http://www.microsoft.com/technet/treeview/...il/excrelay.asp or http://tinyurl.com/ywb5n on their TechNet site that discusses securing Exchange 2000 and 5.5.


Mail server is running Exchange 2000 sp3.

Can you tell me why the address, Reporting addresses:

postmaster[at]thtel.ca <mailto:postmaster[at]thtel.ca>

-----Original Message-----

From: Mark Munro

Sent: Thursday, January 29, 2004 6:21 PM

To: 'noc[at]thtelecom.ca'

Subject: spamcop

http://www.spamcop.net/sc?track=66.241.135.153

Because that is who the IP is registered to in arin.


More specifically, per http://ws.arin.net/cgi-bin/whois.pl?queryi...=66.241.135.153 :

OrgName: Toronto Hydro Telecom

OrgID: THTI

Address: 185 THe West Mall

City: Toronto

StateProv: ON

PostalCode: M9C-5L5

Country: CA

NetRange: 66.241.128.0 - 66.241.143.255

CIDR: 66.241.128.0/20

NetName: THTI

NetHandle: NET-66-241-128-0-1

Parent: NET-66-0-0-0-0

NetType: Direct Allocation

NameServer: DNS1.THTEL.CA

NameServer: DNS2.THTEL.CA

Comment:

RegDate: 2002-03-06

Updated: 2003-09-05

TechHandle: TECH15-ARIN

TechName: tech

TechPhone: +1-416-542-2525

TechEmail: tech[at]thtel.ca

OrgTechHandle: TECH15-ARIN

OrgTechName: tech

OrgTechPhone: +1-416-542-2525

OrgTechEmail: tech[at]thtel.ca

# ARIN WHOIS database, last updated 2004-01-29 19:15

# Enter ? for additional hints on searching ARIN's WHOIS database.

Now, since thtel.ca doesn't have an abuse.net contact, SpamCop sent the report to postmaster[at]thtel.ca per recommendations in Internet Standards 10 and 11.

You should create an abuse.net listing for each of the domains you manage per http://www.abuse.net/addnew.html.


If I understand this correctly, then the page states that some domain in .fr is hijacking our IP address?

Can you offer any suggestions on how this is possible?

It's not necessarily anything to do with .fr - the connections to your server are coming via exploited proxy servers in various places around the world.

If it helps, the spam headers look something like this:

Received: from webmail1.allianceatlantis.com [66.241.135.153] by <spam_recipient_server>

Received: from mail.salter.com ([172.16.180.23]) by webmail1.allianceatlantis.com with Microsoft SMTPSVC(5.0.2195.6713);

Wed, 28 Jan 2004 12:40:39 -0500

Received: from <open_proxy> by mail.salter.com with Microsoft SMTPSVC(5.0.2195.6713);

Wed, 28 Jan 2004 13:40:15 -0400

172.16.180.23 is a LAN address. That server is accepting email and relaying it to webmail1.allianceatlantis.com, which in turn relays it to the recipients of the spam.

The latest spam reported was sent just 5 hours ago, so I imagine the problem is ongoing.
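JT's point earlier in the thread (the parser ignores From: and sender addresses and relies on the IP each receiving server recorded) and the header chain just quoted can be put together in code. The following is an added example, not SpamCop's parser or anything posted by the participants: it walks the Received: headers from the recipient's server inward, keeps the most recent routable IP, and stops at the first hop whose connecting address is private (172.16.180.23 here), because that address cannot be verified from outside and the public server that accepted from it is where the mail entered the Internet. The stop-at-private-address rule is a simplified model assumed for this example, not a statement of SpamCop's exact algorithm. The sample message is constructed after the headers above; the recipient server, the proxy address 203.0.113.7 and the From: line are placeholders.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the header chain quoted in the thread. The
# recipient server, the proxy's address and the From: line are placeholders.
SAMPLE_SPAM = """\
Received: from webmail1.allianceatlantis.com [66.241.135.153] by mx.recipient.example (Postfix) with ESMTP id 0A1B2C; Wed, 28 Jan 2004 12:41:02 -0500
Received: from mail.salter.com ([172.16.180.23]) by webmail1.allianceatlantis.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 28 Jan 2004 12:40:39 -0500
Received: from open-proxy.example ([203.0.113.7]) by mail.salter.com with Microsoft SMTPSVC(5.0.2195.6713); Wed, 28 Jan 2004 13:40:15 -0400
From: forged-sender@example.invalid
To: victim@example.com
Subject: Web Business Programming Specialists

(body omitted)
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+(\S+)")


def received_hops(raw_message):
    """Return (connecting_ip, receiving_host) per Received: header, top-most first.

    The top-most header was written by the recipient's own server; each lower
    one was written by the server named in the hop above it. Only the IP in
    [brackets] is the address the receiving server actually observed on the
    TCP connection, which is why it cannot be forged by the sender.
    """
    msg = message_from_string(raw_message)
    hops = []
    for hdr in msg.get_all("Received", []):
        ip = IP_IN_BRACKETS.search(hdr)
        by = BY_HOST.search(hdr)
        if ip and by:
            hops.append((ip.group(1), by.group(1).rstrip(";")))
    return hops


def reportable_source(raw_message):
    """Walk the chain from the recipient inward and return the IP to hold responsible.

    Each hop's recorded IP is trusted as far as it is a routable address. The
    walk stops at the first hop whose connecting IP is private or otherwise
    non-global (e.g. 172.16.0.0/12): that address is unverifiable from outside,
    so the last public server before it is reported. If every hop is public,
    the bottom of the chain (the origin) is returned. From: is never consulted.
    """
    last_public = None
    for ip, _by in received_hops(raw_message):
        if not ipaddress.ip_address(ip).is_global:
            break
        last_public = ip
    return last_public


def analyse(raw_message):
    """Summary a reporter would see: the hops, the verdict, and the ignored From:."""
    msg = message_from_string(raw_message)
    return {
        "from_header": msg.get("From"),  # shown only to make the point that it is ignored
        "hops": received_hops(raw_message),
        "reportable_ip": reportable_source(raw_message),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_SPAM)
    for ip, by in result["hops"]:
        print(f"{ip:>16} -> {by}")
    print("From: header (ignored):", result["from_header"])
    print("reportable source:", result["reportable_ip"])
```

On the constructed sample the walk returns 66.241.135.153, matching the listing in the thread: the forged From: plays no part, and the LAN address in the second hop is exactly the point at which an outside observer loses the ability to follow the mail further.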


The open proxy, then, would be the public interface of mail.salter.com at 142.176.128.51

According to http://www.spamcop.net/w3m?action=checkblo...=142.176.128.51 :

Query bl.spamcop.net - 142.176.128.51

DNS error: 142.176.128.51 has no reverse dns

142.176.128.51 not listed in bl.spamcop.net

Since SpamCop started counting, this system has been reported about 40 times by about 10 users. In the past 53.7 days, it has been listed 3 times for a total of 4.7 days

A sample sent sometime during the 24 hours beginning Tuesday 2003/12/09 19:00:00 -0500:

Received: from -.-.com ([142.176.128.51])

by -.net-.- (-.-.-.-.-) with - id -

for <-[at]-.com>- Wed, - Dec 2003 - -

Subject: james want - please the ladies

From: pa.. at ..l.net

A sample sent sometime during the 24 hours beginning Thursday 2004/01/15 19:00:00 -0500:

Received:

Subject: lowest price for - cartridges - administrator

From: ma.. at ..s.com

According to http://moensted.dk/spam/?addr=142.176.128.51 :

142.176.128.51 was found in 5 lists (of 259 tested)

According to its listing in RSL, 142.176.128.51 is the input of a two-stage open relay.

Testing reveals that 142.176.128.51 is running Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 but is not accepting mail for postmaster[at]mail.salter.com


The open proxy, then, would be the public interface of mail.salter.com at 142.176.128.51

...

According to its listing in RSL, 142.176.128.51 is the input of a two-stage open relay.

No, that's not an open proxy - it is, as that RSL message says, the input point of an open relay.

An open proxy is something quite different - in this case, open proxies are being used to transmit the spam to 142.176.128.51.


Jeff,

The information you provided was correct.

That external address, 142.176.128.51 was accepting inbound mail, and relaying over our internal network. The header information was key in finding this problem.

Can you also confirm the open relay is now closed?


Can you tell me if I am scheduled to be removed from this database, and when?

Are you still receiving new reports of spam from this address?

Sorry, I don't have access to that info. Only Deputies and Admins have access to that info.


Is there anything I can do to expedite the removal from this list?

How can I report on when I will be delisted?

Having closed the relay, you can ask the Deputies (deputies at spamcop.net) to expedite removal. If they don't remove your IP Address, they should at least be able to tell you when you are scheduled to be delisted (assuming no more reports).

