why is 204.194.72.241 listed? need help

[vookenmeister]

Hi!

One of our users recently received an email that our main mail server, 204.194.72.241 or mailserver1.caci.com, was being blacklisted by blacklist.bl.spamcop.net.

I visited the site and entered info on the IP per this URL (http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=204.194.72.241)

However, I was unable to see any valid reasons or statistics for the IP being listed. Just a noticed that it was listed less than 10 times by less than 10 users.

Senderbase does not show our IP as being currently blocked nor does it say whether t was blocked before (if it was) or anything.

I receive all email directed to postmaster[at]caci.com, but didn;t see any spamcop alerts recently.

Why is our IP showing up at spamcop.net and how can we "fix" it?

Please advise.

Thanks,

Paul

[Chris Parker]

http://www.spamcop.net/w3m?action=checkblo...=204.194.72.241

At least two people reported that they received spam from that IP.

Possible the reporters were in "mole" status, in that reports are not sent.

You'll want to drop a line to deputies at spamcop dot net and include the IP that you are asking about.

As long as there are no additional spam reports, the listing should come off within 48 hours of the most recent report.

[vookenmeister]

Chris,

Thanks for the feedback.

I sent an email to bl[at]admin.spamcop.net earlier today asking for info.

Haven't received a reply yet.

It's unfortunate that the two complainers didn't supply any info. How can we figure out the problem without any info?

Anyways, we're just a normal defense contractor. We are not in the business of sending out unsolicited emails. It's possible a trusted server was abused/relayed. However, I can't track down the whereabouts or what happened without any info. <sigh>

- paul

[Chris Parker]

I sent an email to bl[at]admin.spamcop.net  earlier today asking for info.

Haven't received a reply yet. 

It's unfortunate that the two complainers didn't supply any info.    How can we figure out the problem without any info? 

Anyways, we're just a normal defense contractor. We are not in the business of sending out unsolicited emails.    It's possible a trusted server was abused/relayed.

Try deputies [at] spamcop . net.

Yes, that is the disadvantage of mole accounts. While they protect the reporters, they hinder those involved that actually care. Spams spoil it again.

Possible also that an employee sent out an email to everyone on his contact list and those were reported as spam.

[jefft]

This IP is sending mail not only to users who have reported it but also to spamtraps. That's a very bad sign as no legitimate mail should ever be sent to a spamtrap address.

JT

[Chris Parker]

This IP is sending mail not only to users who have reported it but also to spamtraps. That's a very bad sign as no legitimate mail should ever be sent to a spamtrap address.

Any reason there is no mention of the spamtraps on the stats page?

http://www.spamcop.net/w3m?action=checkblo...=204.194.72.241

[jefft]

Any reason there is no mention of the spamtraps on the stats page?

http://www.spamcop.net/w3m?action=checkblo...=204.194.72.241

I don't run that page, but I can only assume that had to be removed when the other information was redacted. I suppose if a spammer suspected an address of being a spamtrap, he could send a single spam to it from a known clean IP and see if it showed up.

JT

[Chris Parker]

Any reason there is no mention of the spamtraps on the stats page?

http://www.spamcop.net/w3m?action=checkblo...=204.194.72.241

I don't run that page, but I can only assume that had to be removed when the other information was redacted. I suppose if a spammer suspected an address of being a spamtrap, he could send a single spam to it from a known clean IP and see if it showed up.

JT

Ouch, it's getting hard to help people.

[vookenmeister]

Jeff,

How can I tell 204.194.72.241 is sending email to Spamtraps?

Can you at least give me an email address that we supposedly sent to or anything?

I manage the logs on this firewall/email server (it is Ciphertrust's Ironmail by the way). I can go look it up.

I can be reached at 703-841-4039 or pgordon[at]caci.com or postmaster[at]caci.com if you prefer not to post online.

All I want to do is get this server "working" again. CACI is not in the business of spamming. We are just a defense contractor. I've had to redirect all of our company's outbound mail across a saturated T-1 to a different server to avoid email bouncing due to spamcop's blackhole list.

I'd like to prevent what caused this from happening occurring again....

Still no reply from bl[at]admin.spamcop.net or deputies[at]spamcop.net

- paul

[vookenmeister]

Chris,

Thanks for your help. This is painful. I really appreciate your going out of your way. it's been a very frustrating day.

All I know is I come into work today and our main mailserver is blackholed.

Not everywhere... ONLY on spamcop. With no notification whatsoever.

We've had issues before over my 7 years working here. We even got "mail relayed" 3 or 4 years back. However, on those occasions I actually had a Spamcop warning delivered to postmaster[at]caci.com with the offending email inside. This time I got nothing via postmaster or abuse[at]caci.com. (although it's possible an email was sent to my boss' old address at emartin[at]hq.caci.com because that is how 204.194.72/22 is listed at ARIN. We flag mail headed to that as spam so he might've deleted it. )

I go to Spamcop and maybe I don't know how to navigate the site well, but basically it is useless.

No info on why we're being blocked or what we can do to stop it. It just says less than 10 users complained less than 10 times. I don't want to wait 48 hours for it go away. Especially, since whatever caused us to get blackholed might happen again.

Anyways, I really do appreciate your assistance in the matter. At least you directed me to deputies[at]spamcop.net Hopefully, they will give me the info I need.

A quick lookup of caci.com will show my email and phone number as the POC. A quick visit to www.caci.com will show that we are just defense contractors.

I'll post back whenever I have the resolution to this....

- paul

[Chris Parker]

Does your mail server send antivirus notifications to people who send you mail?

[Ellen]

Our spamtraps are receiving emails with the subject line:

Report to Sender

You can write to me at deputies <at> spamcop.net where I can provide some further information.

[WB8TYW]

(ellen)

Our spamtraps are receiving emails with the subject line:

Report to Sender

That looks like it is generated by a virus. Some virus scanners will remove the virus and let the rest of the content through.

I have received one copy of this latest virus that was missing the payload.

(jefft) I don't run that page, but I can only assume that had to be removed when the other information was redacted. I suppose if a spammer suspected an address of being a spamtrap, he could send a single spam to it from a known clean IP and see if it showed up.

The spammer could use the old statistics to find both spamtraps and reporters by doing successive binary searches on fresh I.P. addresses.

The spamtrap detection issue can be avoided by having spamtraps only randomly visibly react to e-mail sent to them. Spamcop management does not admit or deny that any such countermeasures are in place.

The page use to also give the spammer a real time verification that a domain that they were spamming was letting the spew through to reporters.

-John

Personal Opinion Only

[vookenmeister]

All,

deputies replied and sent me the headers on the email complaint

I just replied back with the very long email complaint that I will include below:

Bottom line is the complaint was generated due to a "bounced email message warning" that we return. That's what the "report to Sender" subject line is.

We use the bounce replies to let valid users know that their mail did not reach the recipient.

I wonder if it's time for our company to stop sending bounce replies. This is not a decision I can make in a vacuum. Anybody have opinions on this?

-------------------------------------------------------------------------------------

Don,

In an nutshell, I think this is crap. The complaint that is referenced below was not from a spam email. Unless you consider a bounced reply message spam.

Our business-purpose email server sends about 50,000 messages a day from caci.com employees.

I just checked through our mail logs. On Sunday, there was one message sent to nicar.org (johnmiller[at]nasw.org).

The message sent was a bounce reply (from our internal Notes smtp server, 10,11.4.62) to an email sent to a bad recepient at caci.com.

Our bounce replies are sent from cacimta/caci[at]caci.com so I can tell this from the logs.

I suspect this is the makings of the MyDoom virus. As we know, an infected pc can craft an email from johnmiller[at]nasw.org and send it to baduser[at]caci.com Our email server will reply to the spoofed from address and say baduser[at]caci.com does not exist.

That is probably what happened here below. If you look at your spamcop logs on your site, you'll notice a sizable peak of complaints right about when the mydoom virus was unleashed. Coincidence? I think not.

How can we avoid being blacklisted in the future? Is this gonna force us to turn off our bounce replies ? Most of our dealings are with military customers. We'd prefer to let them know if an email has bounced. However, we can't afford to get blacklisted.

So we got a whole total of TWO COMPLAINTS and you blacklisted us!!!! Who verifies that these complaints are legitimate?? Why would you blacklist someone for 2 complaints? I realize you are trying to help rid the world of spam, but in the process you have screwed us.

Do you have any other copies of the complaints that were directed about 204.194.72.241? This one is obviously bogus. I'd like to track down the "supposed" others.

PS. I'd cc johnmiller[at]nasw.org on this reply, but I'm scared we might get blacklisted again. PLEASE FEEL FREE TO FORWARD THIS EMAIL TO THE USER WHO COMPLAINED. My phone number is below if he/she would like to call me.

- paul

Paul Gordon,

Information Technology Scientist,

CISSP, CISM, CCNA, CCNP Routing,

CIS Network Operations Manager

CACI - Federal

1100 North Glebe Road

Arlington, VA 22201

703-841-4039

Here is a trail of logs from our mailserver.

-rw-r--r-- 1 logger system 11863001 Feb 3 02:05 smtpo.log.ends20040202mailserver1.caci.com.gz

cpmrsdb1.hq.caci.com[8]:gzip -d smtpo.log.ends20040202mailserver1.caci.com.gz

cpmrsdb1.hq.caci.com[9]:grep -i nicar.org smtpo.log.ends20040202mailserver1.caci.com

325946:10:1:02012004 08:26:18:Lookup Returned. Data = <(0, 'svr1.nicar.org')>, Type = <MX>

325946:10:1:02012004 08:26:18:Lookup Returned <[(0, 'svr1.nicar.org', ('128.206.143.228',))]>.

325946:10:1:02012004 08:26:18:Connecting to MX <svr1.nicar.org> ....

325946:10:1:02012004 08:26:27:reply: '220 svr1.nicar.org ESMTP Sendmail 8.12.10/8.12.10; Sun, 1 Feb 2004 13:26:27 GMT'

325946:10:1:02012004 08:26:27:reply: '250-svr1.nicar.org Hello mailserver1.caci.com [204.194.72.241], pleased to meet you\r\n250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-EXPN\r\n250-VERB\r\n250-8BITMIME\r\n250-SIZE\r\n250-DSN\r\n250-ETRN\r\n250-DELIVERBY\r\n250 HELP'

325946:10:1:02012004 08:26:39:reply: '221 2.0.0 svr1.nicar.org closing connection'

cpmrsdb1.hq.caci.com[10]:grep -i 325946:10:1:02012004 smtpo.log.ends20040202mailserver1.caci.com

325946:10:1:02012004 08:26:18:Lookup Returned. Data = <(0, 'svr1.nicar.org')>, Type = <MX>

325946:10:1:02012004 08:26:18:Lookup Returned <[(0, 'svr1.nicar.org', ('128.206.143.228',))]>.

325946:10:1:02012004 08:26:18:Connecting to MX <svr1.nicar.org> ....

325946:10:1:02012004 08:26:27:reply: '220 svr1.nicar.org ESMTP Sendmail 8.12.10/8.12.10; Sun, 1 Feb 2004 13:26:27 GMT'

325946:10:1:02012004 08:26:27:reply: '250-svr1.nicar.org Hello mailserver1.caci.com [204.194.72.241], pleased to meet you\r\n250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-EXPN\r\n250-VERB\r\n250-8BITMIME\r\n250-SIZE\r\n250-DSN\r\n250-ETRN\r\n250-DELIVERBY\r\n250 HELP'

325946:10:1:02012004 08:26:39:reply: '221 2.0.0 svr1.nicar.org closing connection'

cpmrsdb1.hq.caci.com[10]:grep 325946:10:1:02012004 smtpo.log.ends20040202mailserver1.caci.com

325946:10:1:02012004 08:26:18:Starting to process for domain <nasw.org> and msgids <[30680808]>

325946:10:1:02012004 08:26:18:Processing nasw.org

325946:10:1:02012004 08:26:18:Lookup Returned. Data = <(0, 'svr1.nicar.org')>, Type = <MX>

325946:10:1:02012004 08:26:18:Lookup Returned <[(0, 'svr1.nicar.org', ('128.206.143.228',))]>.

325946:10:1:02012004 08:26:18:Connecting to Domain nasw.org

325946:10:1:02012004 08:26:18:Block time out set to = (300) seconds.

325946:10:1:02012004 08:26:18:Connecting to MX <svr1.nicar.org> ....

325946:10:1:02012004 08:26:18:Connecting to A <128.206.143.228> ....

325946:10:1:02012004 08:26:27:reply: '220 svr1.nicar.org ESMTP Sendmail 8.12.10/8.12.10; Sun, 1 Feb 2004 13:26:27 GMT'

325946:10:1:02012004 08:26:27:Connection Status ------<1>

325946:10:1:02012004 08:26:27:reply: '250-svr1.nicar.org Hello mailserver1.caci.com [204.194.72.241], pleased to meet you\r\n250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-EXPN\r\n250-VERB\r\n250-8BITMIME\r\n250-SIZE\r\n250-DSN\r\n250-ETRN\r\n250-DELIVERBY\r\n250 HELP'

325946:10:1:02012004 08:26:27:Starting SendSmtpMsg for msg_id <30680808> in domain <nasw.org>

325946:10:1:02012004 08:26:27:Sendmail Begin from : cacimta/caci[at]caci.com

325946:10:1:02012004 08:26:27:Sending MAIL FROM: <cacimta/caci[at]caci.com> size=707

325946:10:1:02012004 08:26:28:reply: '250 2.1.0 <cacimta/caci[at]caci.com>... Sender ok'

325946:10:1:02012004 08:26:28:Sending RCPT TO: <johnmiller[at]nasw.org>

325946:10:1:02012004 08:26:28:reply: '250 2.1.5 <johnmiller[at]nasw.org>... Recipient ok'

325946:10:1:02012004 08:26:28:Sending DATA

325946:10:1:02012004 08:26:28:reply: '354 Enter mail, end with "." on a line by itself'

325946:10:1:02012004 08:26:28:RETR COMMAND RECEIVED ('/ct/data/mss/00/03/06/80/810',)

325946:10:1:02012004 08:26:39:reply: '250 2.0.0 i11DQQYJ010374 Message accepted for delivery'

325946:10:1:02012004 08:26:39:LOG_STAT|cacimta/caci[at]caci.com|['johnmiller[at]nasw.org']|707|2004/02/01 08:26:39|0

325946:10:1:02012004 08:26:39:Sending RSET

325946:10:1:02012004 08:26:39:reply: '250 2.0.0 Reset state'

325946:10:1:02012004 08:26:39:Closing SMTP Connection

325946:10:1:02012004 08:26:39:reply: '221 2.0.0 svr1.nicar.org closing connection'

325946:10:1:02012004 08:26:39:Finished to process for domain <nasw.org> and msgids <[30680808]>

SpamCop Admin <service[at]admin.spamcop.net>

02/03/2004 12:25 AM

To

Paul Gordon <pgordon[at]caci.com>

cc

bl[at]admin.spamcop.net, CIS Network <CIS_Network[at]caci.com>

Subject

Re: why is 204.194.72.241 listed as blackholed?

Paul Gordon writes:

>One of our users recently received an email that our main mail server,

>204.194.72.241 or mailserver1.caci.com, was being blacklisted by

>blacklist.bl.spamcop.net.

204.194.72.241 has been sending spam to our users and to our

spamtraps. Not a lot, but enough to get it listed. The spam appears to

have stopped about 24 hours ago. The server will automatically come off

our list 48 hours after the last complaint came in.

http://www.spamcop.net/sc?id=z278998573z25...05be1ca647c284z

You can use that link to review the headers from the recent user

complaint. The complaint was sent to postmaster[at]caci.com

http://www.spamcop.net/w3m?action=checkblo...=204.194.72.241

- Don -

[Chris Parker]

We use the bounce replies to let valid users know that their mail did not reach the recipient.

I wonder if it's time for our company to stop sending bounce replies. This is not a decision I can make in a vacuum.  Anybody have opinions on this?

These days, unfortunately, with viruses and spammers forging the from addresses in messages it's best not to generate bounces or virus notifications after the SMTP process has ended.

The problem is that systems which create bounce messages after the SMTP process can be used to send "bounce spam" to innocent people.

[kwdavids]

We use the bounce replies to let valid users know that their mail did not reach the recipient.

I wonder if it's time for our company to stop sending bounce replies. This is not a decision I can make in a vacuum.  Anybody have opinions on this?

I certainly think that there should be no automated virus notifications. We've been peppered with virus rejection emails based on forged header information for the last week or so. But for each of these we have to check to make sure that someone in the company hasn't been bitten by MyDoom or whatever.

Unless a mail server can verify that the sender of the message is legitimate, it has no business sending an automated reply.

[Jeff G.]

Antivirus filters should never send notifications to senders or recipients about emails containing viruses or worms that are known to forge from and to addresses. If they or other systems could be configured to send notifications to the admins of the IP Addresses that source those emails, that would be great!

[vookenmeister]

We don't send virus notifications. Fully agree on that. We do send bounce notifications. Here's our dilemma:

We use Ciphertrust's Ironmail product to accept the email and then deliver it to our internal servers. Unfortunately, email sent to bad recipients is not flagged until it reaches our internal servers. Thus, we can't deny email and send a bounce-reply back to the original server as it's occurring (that I know of). We can only send bounces back to the sender.

It sounds like our best course of action is to turn off our bounce replies completely. I'm gonna call our Ciphertrust, our vendor, and see if there's some way this server can do an LDAP lookup to our internal Notes servers to verify the username exists. If we can do that, then we can deny the email as we receive it (and thus the bounce will go back to the server sending the message and not to the forged "from" address.. I think. not too sure.)

Anyway, if anybody's got some clever ideas... I'm all ears.

Thanks for all the advice so far.

- paul

[jefft]

It sounds like our best course of action is to turn off our bounce replies completely.    I'm gonna call our Ciphertrust, our vendor, and see if there's some way this server can do an LDAP lookup to our internal Notes servers to verify the username exists. If we can do that, then we can deny the email as we receive it (and thus the bounce will go back to the server sending the message and not to the forged "from" address..  I think. not too sure.)

Anyway, if anybody's got some clever ideas... I'm all ears.   

Paul,

I don't have any clever ideas, but you're definitely on the right track. Many mail servers can be configured to do just what you're saying: an LDAP lookup before even accepting the email. And, you're right. This should avoid sending bounces to innocent people.

It also helps with your bandwidth usage because you don't have to accept all those bogus messages and then send bounces out for them.

JT