Farelf Posted January 22, 2013

> Hello petzl, thanks for the reply. I cannot send emails to either one of them (Yahoo or Gmail or even Hotmail). I am not 100% sure but I don't think it is a shared IP since it is a VPS. It should not be sending any more spam emails since we increased server security about 5 days ago, since we saw the problem and solved it. How can I be sure the problem is solved and the server did not get hacked again, is there a way to be sure? I just want this to be solved. Please help!
> Regards, Codeman

Your IP address appears to be dedicated to just you, looking at http://www.robtex.com/

I think most of the filtering for Yahoo, Gmail and Hotmail is internal/proprietary although they may use some public DNSBLs as well for premium services. I think you must contact them, individually, to find answers. It may not be any past issues with spam at all (certainly not with the APEWS list).

All your DNS records - internet address, (main) name servers and mail exchange - point to the same address. They may not like that, especially the different TLD for the nameserver aliases on that same address - ns1.YOURSITE.eu and ns2.YOURSITE.eu instead of .com (but I don't know). You have rDNS, that is good and I think necessary for them. But they may not like your SPF record (I do not know).

Those three lookups:

    C:\Documents and Settings\Admin>nslookup -type=ns YOURSITE.COM 8.8.8.8
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8

    Non-authoritative answer:
    YOURSITE.COM    nameserver = ns2.YOURSITE.eu
    YOURSITE.COM    nameserver = ns1.YOURSITE.eu

    C:\Documents and Settings\Admin>nslookup -type=ptr XXX.XXX.XXX.XXX 8.8.8.8
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8

    Non-authoritative answer:
    XXX.XXX.XXX.XXX.in-addr.arpa    name = YOURSITE.COM

    C:\Documents and Settings\Admin>nslookup -type=txt YOURSITE.COM 8.8.8.8
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8

    Non-authoritative answer:
    YOURSITE.COM    text = "v=spf1 +a +mx -all"

    C:\Documents and Settings\Admin>

The e-mail side of SpamCop is itself having the devil of a job getting off the hotmail list, that is a different set of circumstances but may indicate the emerging difficulties with those services. All are e-mail service providers and while they could not do anything untoward about limiting the connectivity of rival providers (principally each other) without risking review for monopolization, it is in their users' interests and beyond reproach for them to set high standards for the negotiation of mail into their networks. If, co-incidentally, their competitors and other e-mail services are disadvantaged I would not think they would be too unhappy. Ironically, all three are prime sources of registration addresses for another type of spammer - forum/bulletin board comment spammers.

Good luck in approaching them and finding answers. You really do seem to have done as much as you can about your network security and reputation, from what you have said. But don't forget about double opt-in for your distribution lists (the earlier post from petzl).

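The three lookups in the post above can be checked together offline. This is an added example, not part of the original thread: it evaluates the posted SPF record `v=spf1 +a +mx -all` and a forward-confirmed reverse DNS check against constructed zone data, with RFC 2606 / RFC 5737 placeholders (example.com, 192.0.2.x) standing in for the munged values. Only the `a`, `mx`, `ip4` and `all` mechanisms are handled, without CIDR-length suffixes.

```python
"""Offline SPF + forward-confirmed rDNS check (added example, constructed data)."""
import ipaddress

# Constructed zone data: every record points at one address, as in the thread.
ZONE = {
    "A":   {"example.com": ["192.0.2.10"], "mail.example.com": ["192.0.2.10"]},
    "MX":  {"example.com": ["mail.example.com"]},
    "PTR": {"192.0.2.10": ["example.com"]},
    "TXT": {"example.com": ["v=spf1 +a +mx -all"]},   # record quoted in the post
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rtype, name, zone=ZONE):
    """Stand-in for a DNS query; returns [] when no record exists."""
    return zone.get(rtype, {}).get(name.rstrip(".").lower(), [])


def spf_result(domain, sender_ip, zone=ZONE):
    """Evaluate the a, mx, ip4 and all mechanisms of the domain's SPF record."""
    records = [t for t in lookup("TXT", domain, zone)
               if t.lower().startswith("v=spf1")]
    if len(records) != 1:
        # RFC 7208: no record -> none, several records -> permerror
        return "none" if not records else "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        target = arg or domain
        if name == "all":
            matched = True
        elif name == "a":
            matched = sender_ip in lookup("A", target, zone)
        elif name == "mx":
            matched = any(sender_ip in lookup("A", mx, zone)
                          for mx in lookup("MX", target, zone))
        elif name == "ip4" and arg:
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        else:
            return "permerror"   # mechanism outside this example's scope
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"             # no mechanism matched and no "all" term


def fcrdns(sender_ip, zone=ZONE):
    """Return PTR names whose A record resolves back to the same address."""
    return [n for n in lookup("PTR", sender_ip, zone)
            if sender_ip in lookup("A", n, zone)]


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.99"):
        print(ip, "SPF:", spf_result("example.com", ip), "FCrDNS:", fcrdns(ip))
```

With `-all`, any host that is not the domain's A or MX address gets a hard fail, so a second sending address has to be added to the record before it is used.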
codeman1234 Posted January 22, 2013

Ok perfect, thanks to all anyway, you have been really helpful.

Please, I ask all users who respond to this email, or a moderator, to change my URL and IP address to the following in all posts of this thread:

IP: XXX.XXX.XXX.XXX
URL: http://www.mysite.com

Thanks again, and please change it so I don't have any more future problems with it, I would really appreciate it.

Regards, Codeman

Farelf Posted January 23, 2013

OK, your posts and mine edited to munge, permissions sought to edit others. My edit to your last post was to kill the "live" link to that domain which I suppose you thought was spurious. It is not but no harm done with the link broken. Refer to RFC 2606 for "safe" domain names to use in future for anonymising/munging.

InvisiBill Posted January 24, 2013

> How can I be sure the problem is solved and the server did not get hacked again, is there a way to be sure?

10 Immutable Laws of Security

The only way to be sure is to revert to a known good state. For most people, this means restoring to a clean backup or completely reinstalling. Once someone else has control of your machine, there's no way to be 100% certain of exactly what they've done, which in turn means there's no way to be completely sure you've fixed everything. In most cases you can be pretty sure you've cleaned it all up, but you can never be positive.

codeman1234 Posted January 31, 2013

> 10 Immutable Laws of Security
>
> The only way to be sure is to revert to a known good state. For most people, this means restoring to a clean backup or completely reinstalling. Once someone else has control of your machine, there's no way to be 100% certain of exactly what they've done, which in turn means there's no way to be completely sure you've fixed everything. In most cases you can be pretty sure you've cleaned it all up, but you can never be positive.

Hey man, thanks for the reply. I already did all that. I want to know how I can delete my IP from Apews.org, since it is the only blacklist left I got to remove and because of that I still cannot send emails to Gmail. Can someone please let me know how to contact them so they can remove my IP, since their page has no way to contact them.

Please help! Thanks

PD: Can a moderator please remove my IP/URL completely from this post, so I don't have further issues. It is mostly removed but there are still some posts with it, please replace IP with XXX.XXX.XXX.XXX and URL: http://www.yoursite.com

turetzsr Posted January 31, 2013

> <snip>
> PD: Can a moderator please remove my IP/URL completely from this post, so I don't have further issues. It is mostly removed but there are still some posts with it, please replace IP with XXX.XXX.XXX.XXX
> <snip>

...Sorry, you will have to directly contact the person whose post still has your IP address. His e-mail address is service[at]admin.spamcop.net.

...Good luck!

tecnit Posted May 13, 2013

APEWS Record Number: E-359846
IP : 201.219.39.98

Please help me with deactive for blacklist in apews. Thanks.

petzl Posted May 14, 2013

> APEWS Record Number: E-359846
> IP : 201.219.39.98
>
> Please help me with deactive for blacklist in apews. Thanks.

APEWS has nothing to do with me or SpamCop. I just looked; from what I can tell, if you wish to report a "False Positive" they have a blog site to report it: http://apews-user.blogspot.com.au/

If you know the, or an, ISP using APEWS, send them an email through 201.219.39.98, if it bounces paste the header and bounce message in this blog? Click the Blue "Join this site" button. Good Luck.

Often though it's simpler to use Gmail, often free (yes you can use your domain name), they though don't tolerate spammers: http://support.google.com/a/bin/answer.py?...mp;answer=33352

Another how-to: http://smarterware.org/3628/host-your-doma...hout-forwarding

Seems no one should be using APEWSL2?

    18  201.219.39.98  APEWS Level 2  l2.apews.org  Listed
    Comment: Don't worry. No one is using this block list to filter email. They do not accept solicitations for removal, so just ignore them.

Farelf Posted May 14, 2013

Thanks petzl, more helpful than our standard "template" which is nevertheless added FWIW:

There is no connection between SpamCop.net and APEWS. However, because the APEWS FAQ was apparently misunderstood, the following data is provided;
______________________________________________________________________________
Considering the current behavior and management of the APEWS blacklist, we can only agree with the advice given at Al Iverson's DNS RESOURCE -

If you are listed on the APEWS blacklist, as confirmed by checking their website, here's how I would recommend that you handle the situation. (Who the heck am I?)

Note: This isn't guidance on how to avoid a blacklisting or sidestep anti-spam groups. If you have a spam issue, fix it. Don't spam, ever, for any reason. This is information regarding how to address an issue with a blacklist that is very aggressive at listing non-abusing IP addresses and networks, with no published, attainable path to resolution.

- read it at: http://www.dnsbl.com/2007/08/what-to-do-if-you-are-listed-on-apews.html
______________________________________________________________________________

drobles Posted May 24, 2013

How will my IP address be removed from apews.org?

    Oooops 63.166.XXX.XX is currently listed in APEWS :-(
    Entry matching your Query: E-435726
    63.166.XXX.0/21
    CASE: C-17 Spambots, zombies, contaminated CIDR, bad reputation provider
    History: Entry created 2010-12-10

turetzsr Posted May 24, 2013

There is no connection between SpamCop.net and APEWS. However, because the APEWS FAQ was apparently misunderstood, the following data is provided;
______________________________________________________________________________
Considering the current behavior and management of the APEWS blacklist, we can only agree with the advice given at Al Iverson's DNS RESOURCE -

If you are listed on the APEWS blacklist, as confirmed by checking their website, here's how I would recommend that you handle the situation. (Who the heck am I?)

Note: This isn't guidance on how to avoid a blacklisting or sidestep anti-spam groups. If you have a spam issue, fix it. Don't spam, ever, for any reason. This is information regarding how to address an issue with a blacklist that is very aggressive at listing non-abusing IP addresses and networks, with no published, attainable path to resolution.

- read it at: http://www.dnsbl.com/2007/08/what-to-do-if-you-are-listed-on-apews.html
______________________________________________________________________________

srikardavuluri Posted August 7, 2013

Our domain's outgoing IP addresses got blocked in the Apews.org block list. Need your help to delist the IPs.

Farelf Posted August 7, 2013

There is no connection between SpamCop.net and APEWS. However, because the APEWS FAQ was apparently misunderstood, the following data is provided;
______________________________________________________________________________
Considering the current behavior and management of the APEWS blacklist, we can only agree with the advice given at Al Iverson's DNS RESOURCE -

If you are listed on the APEWS blacklist, as confirmed by checking their website, here's how I would recommend that you handle the situation. (Who the heck am I?)

Note: This isn't guidance on how to avoid a blacklisting or sidestep anti-spam groups. If you have a spam issue, fix it. Don't spam, ever, for any reason. This is information regarding how to address an issue with a blacklist that is very aggressive at listing non-abusing IP addresses and networks, with no published, attainable path to resolution.

- read it at: http://www.dnsbl.com/2007/08/what-to-do-if-you-are-listed-on-apews.html
______________________________________________________________________________

Farelf Posted August 7, 2013

Further comment (just a suggestion, again nothing to do with SpamCop) - you might like to check the results at http://www.senderbase.org/lookup/domain?se...ring=nus.edu.sg (if that's yours, none of us can actually be sure). Looks like you have a few dynamic allocations that are listed on the CBL. Those have links to the CBL and identify problems observed. None of that should affect your designated outgoing servers but, while you're at it ...

Examples on the first page:

http://cbl.abuseat.org/lookup.cgi?ip=137.132.3.9 ("This IP is infected with, or is NATting for a machine infected with Win32/Zbot (Microsoft). ")
http://cbl.abuseat.org/lookup.cgi?ip=137.132.3.10 ("This IP is infected with, or is NATting for a machine infected with Win32/Zbot (Microsoft). ")

... there may be others on subsequent results pages.

Also have a look at senderscore.org - metrics are not brilliant, may be showing problems with your mail exchange which would be more relevant - but then you've probably already caught up with whatever was happening with that if you're looking at APEWS delisting:

https://www.senderscore.org/lookup.php?lookup=137.132.14.18&ipLookup=Go
https://www.senderscore.org/lookup.php?lookup=137.132.14.19&ipLookup=Go
https://www.senderscore.org/lookup.php?lookup=137.132.14.28&ipLookup=Go
https://www.senderscore.org/lookup.php?lookup=137.132.14.29&ipLookup=Go

Good luck.

Farelf Posted August 8, 2013

O/P hasn't logged in since replies posted. senderscore.org metrics haven't been updated but CBL have added some amended comment to the two observations referenced above, following further detections.

> This IP address is infected with, or is NATting for a machine infected with Pushdo.
>
> Pushdo is a DDOS trojan - meaning that it was (at least of the timestamp given above) participating in a HTTP-based (web protocol) distributed denial of service attack on web server.
>
> REMEMBER: Pushdo is a HTTP (web), NOT Email, DDOS tool. The attacks are on port 80
>
> Pushdo is usually associated with the Cutwail spam trojan, as part of a Zeus or Spyeye botnet. Together, this provides the attacker with DDOS, email spam, and information theft capabilities. This is something you really want to get rid of. But remember, we detected this specifically by the DDOS traffic to a web server.

Some scary stuff going down on t'interwebz at the moment.

srikardavuluri Posted August 12, 2013

Hi Team,

Need your assistance to remove our domain IPs from the blocklist. Can anyone help on this please?

Thanks,
Srikar D
srikar_davuluri[at]yahoo.com

srikardavuluri Posted August 12, 2013

Hi Team,

For your information, all our outgoing IPs got blocked at apews.org. Need your advice on how to unblock the IPs. We have checked all the mentioned links which you have posted and they look normal.

Thanks

Derek T Posted August 12, 2013

> Hi Team, need your assistance to remove our domain IPs from the blocklist

Which IP's? Which blocklist?

petzl Posted August 12, 2013

> Hi Team,
>
> For your information, all our outgoing IPs got blocked at apews.org. Need your advice on how to unblock the IPs. We have checked all the mentioned links which you have posted and they look normal.
>
> Thanks

Your "senderbase score" needs to be over 90 or someone is hitting spamtraps:

https://www.senderscore.org/lookup.php?look...amp;ipLookup=Go
https://www.senderscore.org/lookup.php?look...amp;ipLookup=Go
https://www.senderscore.org/lookup.php?look...amp;ipLookup=Go
https://www.senderscore.org/lookup.php?look...amp;ipLookup=Go

You need to advise your email marketers to confirm email addresses, only respond to email addresses that reply confirming that address and wish to receive email (must have a WORKING unsubscribe): http://en.wikipedia.org/wiki/Opt-in_email

Just bombing email addresses makes YOU and the marketeer hated.

The secret to getting off blocklists is not to get on them.

Farelf Posted August 12, 2013

Linear posts 6 and 7 merged from "new" topic which appears to be the same as existing. Unless there is some indication of SpamCop blocklist involvement this will be moved to the lounge, the only indication so far has been APEWS listing and, as we have said, that is nothing to do with SC.

There is no indication any of the further advice has been understood or acted upon - srikardavuluri please IGNORE APEWS blocking as clearly advised in the references provided - can you nominate a single significant destination that is actually using that BL to block mail delivery? At the same time, if you are nus.edu.sg (we're not sure and you're not saying so far) the CBL is showing evidence of compromised machines on your network which might actually affect the deliverability of e-mail from your network - but nothing involving SpamCop.

People are still interested in offering advice but really you are giving us nothing to work with at this point. Don't hesitate to query anything you are not understanding.

srikardavuluri - answering Derek T's query above, "Which IP's? Which blocklist?", would be a good way to progress if you want to tap into the experience of members here. You have real issues more immediate than the inconsequential APEWS listing (if you are nus.edu.sg) as petzl and I are trying to tell you.

srikardavuluri Posted August 15, 2013

Hi Farelf,

Can you please provide your email address or contact number so that we can contact you about the domain blocking issue?

Thanks

Farelf Posted August 15, 2013

> Hi Farelf,
>
> Can you please provide your email address or contact number so that we can contact you about the domain blocking issue?
>
> Thanks

Well, this is a public forum whereby we all try to learn as we go through open discussion, but we can all understand some matters are best not discussed in public - sending PM.

srikardavuluri Posted August 16, 2013

Hi Team,

We are from NUS Singapore. Below are the IP addresses that got blocked in apews.org, and also the blocked URL provided when one of our users tries to send email:

137.132.14.25
137.132.14.26

http://www.apews.org/?page=test&C=1402...p=137.132.14.25

Can you please assist to delist the IP addresses?

Thanks

petzl Posted August 16, 2013

> Hi Team,
>
> We are from NUS Singapore. Below are the IP addresses that got blocked in apews.org, and also the blocked URL provided when one of our users tries to send email:
>
> 137.132.14.25
> 137.132.14.26
>
> http://www.apews.org/?page=test&C=1402...p=137.132.14.25
>
> Can you please assist to delist the IP addresses?
>
> Thanks

http://www.apews.org/
abuse[at]apews.org

Might pay to ask if they are still alive? This guy Al Iverson (knowledgeable) has his doubts: http://www.dnsbl.com/2007/08/what-to-do-if...d-on-apews.html

APEWS IP is 208.83.212.43, contact PDIBENEDETTO[at]datacenterscanada.com

The site expires December this year (Expiration Date: 27-Dec-2013 19:25:43 UTC) unless renewed.

Farelf Posted August 16, 2013

I can only repeat what I have said before - APEWS is NOT your problem and SpamCop has nothing to do with it anyway. Please re-read previous posts.

Consult:

http://multirbl.valli.org/dnsbl-lookup/137.132.14.25.html
http://multirbl.valli.org/dnsbl-lookup/137.132.14.26.html

Note the comments there:

    APEWS Level 2  l2.apews.org  Listed
    Comment: Don't worry. No one is using this block list to filter email.

There are other blocklists you should be more concerned about as indicated by the multirbl.valli.org results, also your SenderScore metrics are not good for assured e-mail deliverability.

Both outgoing servers (as you designate them) have the same servername in their pointer records which may not be helping (I don't know but servernames are usually unique within a network):

    C:\Documents and Settings\Admin>nslookup -type=ptr 137.132.14.25 8.8.8.8
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8

    Non-authoritative answer:
    25.14.132.137.in-addr.arpa      name = exch-out.nus.edu.sg

    C:\Documents and Settings\Admin>nslookup -type=ptr 137.132.14.26 8.8.8.8
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8

    Non-authoritative answer:
    26.14.132.137.in-addr.arpa      name = exch-out.nus.edu.sg

    C:\Documents and Settings\Admin>

Talk to your IT people (ccenet[at]nus.edu.sg). And those are not your only outgoing servers.

Back to SenderScore.org. 58 domains are logged as sending through 137.132.14.25 (could be many more). Hardly any of them are using any form of authentication. Any of them could be sending spam and some certainly are. Similarly 41 domains are logged through 137.132.14.26.

From the CBL via SenderBase.org - other servers are sending direct to the internet from the nus.edu.sg network and some of those "appear(s) to be infected with a spam sending trojan, proxy or some other form of botnet."

Currently:

http://cbl.abuseat.org/lookup.cgi?ip=137.132.3.9
http://cbl.abuseat.org/lookup.cgi?ip=137.132.3.10
http://cbl.abuseat.org/lookup.cgi?ip=137.132.228.5
http://cbl.abuseat.org/lookup.cgi?ip=137.132.250.13
http://cbl.abuseat.org/lookup.cgi?ip=137.132.250.14

Note the CBL pages offer extensive and often specific advice on clearing up infections - at both the individual machine and network levels. There is a possibility many others are infected but as yet undetected - including 137.132.14.25 and 137.132.14.26 and/or machines sending through them.

Your mail exchangers designated in your nus.edu.sg domain DNS records are (as noted earlier by petzl)

mailc.nus.edu.sg (137.132.14.18)
maild.nus.edu.sg (137.132.14.28)
maila.nus.edu.sg (137.132.14.19)
mailb.nus.edu.sg (137.132.14.29)

Those also operate as outgoing servers, when they identify themselves as

mail3.nus.edu.sg (137.132.14.18)
mail4.nus.edu.sg (137.132.14.28)
mail1.nus.edu.sg (137.132.14.19)
mail2.nus.edu.sg (137.132.14.29)

I'm no expert but that doesn't seem kosher to me - but who knows?

Contact your IT people to do something to fix your e-mail problems - otherwise they can only get worse. Apart from pointing out the apparent anomalies which might contribute to those problems and the more likely causes and sources of blocking, I'm afraid nobody here can do much more for you. Certainly we cannot help with any de-listing. Least of all with the lame APEWS.

You can confess now that you're just a bored student having a laugh, if you want to. Well, I suppose your e-mail service doesn't actually give you a lot to laugh about - but it's probably better than many.

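The checks walked through in the post above, as an added example that is not part of the original thread: it builds the DNSBL query name for an address (reversed octets prepended to the zone, here `l2.apews.org` as named in the thread) and flags outgoing servers that share one PTR name or announce a HELO name that differs from their PTR. The server names, the 192.0.2.x addresses and the resolver answers are constructed placeholders, and the resolver is passed in so the sample runs offline.

```python
"""DNSBL query names plus a PTR/HELO consistency audit (added example)."""
import ipaddress
import socket
from collections import defaultdict


def dnsbl_query_name(ip, zone):
    """IPv4 DNSBL convention: reverse the octets and append the list's zone."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Live A lookup; returns None when the name does not exist (not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(ip, zone, resolve=system_resolver):
    """A DNSBL answers with a 127.0.0.0/8 address when the IP is listed."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return answer is not None and answer.startswith("127.")


def audit(servers, zones, resolve=system_resolver):
    """servers: list of dicts with ip, ptr and helo. Returns sorted findings."""
    findings = []
    by_ptr = defaultdict(list)
    for s in servers:
        by_ptr[s["ptr"].lower()].append(s["ip"])
        if s["helo"].lower() != s["ptr"].lower():
            findings.append(f"{s['ip']}: HELO {s['helo']} differs from PTR {s['ptr']}")
        for zone in zones:
            if is_listed(s["ip"], zone, resolve):
                findings.append(f"{s['ip']}: listed in {zone}")
    for ptr, ips in by_ptr.items():
        if len(ips) > 1:
            findings.append(f"{ptr}: PTR shared by {', '.join(sorted(ips))}")
    return sorted(findings)


# Constructed sample: two outgoing hosts behind one PTR name, one relay whose
# HELO name differs from its PTR, and a fake resolver that lists one address.
SERVERS = [
    {"ip": "192.0.2.25", "ptr": "out.example.com", "helo": "out.example.com"},
    {"ip": "192.0.2.26", "ptr": "out.example.com", "helo": "out.example.com"},
    {"ip": "192.0.2.18", "ptr": "mxc.example.com", "helo": "relay3.example.com"},
]
FAKE_ANSWERS = {"25.2.0.192.l2.apews.org": "127.0.0.2"}

if __name__ == "__main__":
    for line in audit(SERVERS, ["l2.apews.org"], FAKE_ANSWERS.get):
        print(line)
```

Calling `audit` without the third argument uses the live system resolver instead of the constructed answers.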
Archived
This topic is now archived and is closed to further replies.