New business blocked

[mdickens]

Can anyone help? our IP address is 81.138.21.74, we are flexographic and design business and we seem to have been entered on the Spamcop database, we rely on our e-mail to send proofs and other graphic files, and this block is causing loads of problems and can result in lost business, does anyone know who reported us and why, and is there any way to prevent us being entered again.

many thanks for any help.

[Merlyn]

This looks like a dynamic IP. Why don't you use your providers mail server?

You are also in other blocklists:

+ SPAMCOP SpamCop Blocking List: bl.spamcop.net -> 127.0.0.2

Blocked - see http://www.spamcop.net/bl.shtml?81.138.21.74

--------------------------------------------------------------------------------

+ UUINTRUDERS local bl at Uppsala University: intruders.docs.uu.se -> 127.0.0.2

--------------------------------------------------------------------------------

+ JAMDSBL local bl at JAMMConsulting.com: dnsbl.jammconsulting.com -> 127.0.0.30

--------------------------------------------------------------------------------

+ CSMA-SBL McFadden Associates, IPs of mailservers that send spam once in a short timefram: sbl.csma.biz -> 127.0.0.2

http://bl.csma.biz/cgi-bin/listing.cgi?ip=81.138.21.74

--------------------------------------------------------------------------------

+ SORBS spam and Open Relay Blocking System: Aggregate zone: dnsbl.sorbs.net -> 127.0.0.10

Dynamic IP Address See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=81.138.21.74

[removal]

--------------------------------------------------------------------------------

+ SORBSDUL Dynamic IP Address ranges (NOT a Dial Up list!): dul.dnsbl.sorbs.net -> 127.0.0.10

Dynamic IP Address See: http://www.dnsbl.sorbs.net/cgi-bin/lookup?IP=81.138.21.74

[removal]

--------------------------------------------------------------------------------

+ DNSBLAUT1 Reynolds Technology Type 1: t1.dnsbl.net.au -> 127.0.0.2

PLEASE SEE http://dnsbl.net.au/lookup/?81.138.21.74

[removal]

--------------------------------------------------------------------------------

+ DNSBLAUSORBS External Block List - SORBS: sorbs.dnsbl.net.au -> 127.0.0.2

81.138.21.74 See http://www.dnsbl.sorbs.net/cgi-bin/lookup?NAME=81.138.21.74

[removal]

--------------------------------------------------------------------------------

+ DRBL-VOTE-SANDY Distributed RBL node: sandy.ru: vote.drbl.sandy.ru -> 127.0.0.2

030624:BT Public Internet Service

--------------------------------------------------------------------------------

+ DRBL-WORK-SANDY Distributed RBL node: sandy.ru: work.drbl.sandy.ru -> 127.0.0.2

zaraza:030624:BT Public Internet Service

--------------------------------------------------------------------------------

+ DRBL-WORK-GREMLIN Distributed RBL node: gremlin.ru: work.drbl.gremlin.ru -> 127.0.0.2

vote.drbl.sandy.ru[at]ns.sci-nnov.ru:030624:BT Public Internet Service

[Miss Betsy]

Spamcop lists IP addresses where spam has been reported as coming from. Sometimes that is because there is an insecurity on your computer that the spammers are exploiting (much more common these days as more and more ISPs are being careful about allowing spammers to operate) or because the IP address is being shared by someone who is either spamming or has an insecure computer.

Since your IP address is on many lists, it apparently has been reported many times and nothing has been done to correct the problem. Spamcop delists the IP address when the spam stops. However, other lists are not as easy to get off of.

Merlyn suggests that you use your provider's server rather than try to get yourself removed from other lists. If sending graphics files through them is a problem (since they are often large files), then there may be some other alternative.

I believe that many admins do not accept email from servers on dynamic IP addresses because spammers often exploit them. Perhaps you can get a static IP address.

I can't be much more help because I don't run a server, but if you keep asking questions, someone with more knowledge may give you some help on how to solve your problem.

Miss Betsy

[Wazoo]

http://www.spamcop.net/w3m?action=blcheck&ip=81.138.21.74

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Why Am I Blocked? FAQ, Please read before posting

Other Topics exist, posted by others that "ran secure systems" ... then finding the compromised machines on their network, found that the e-mail server itself was compromised, found that some brain-dead software was installed or other stuff mis-configured. Take some time and read data already existing to learn how it happened, how to effect a cure, and how to prevent it from happening in the future. That you've already gathered the attention of so many other BLs, but apparently only having been impacted by the SpamCop DNSbl listing suggests the popularity of the SpamCop tool set in other ISPs trying to prevent the incoming spew of undesired traffic. This also seems to suggest that the future holds more blocking of your IP if something isn't straightened out soon.

[Chris Parker]

Can anyone help? our IP address is 81.138.21.74, we are flexographic and design business and we seem to have been entered on the Spamcop database, we rely on our e-mail to send proofs and other graphic files, and this block is causing loads of problems and can result in lost business, does anyone know who reported us and why, and is there any way to prevent us being entered again.

many thanks for any help.

You appear to be running Microsoft Exchange which with it's default settings is prone to being compromised by spammers. You'll want to remove any accounts that are not being used (ie guest) and make sure that all your passwords are non-trivial. Take a look at your outbound logs and that should give you some indication of what is happening.

[WB8TYW]

Going by what appears to be a past history of people posting here that have mail servers listed with only spamtrap hits, it is usually either they have something that is auto-responding to spam, or they have easy to guess passwords on the accounts for the mail server.

For some reason the spammers that use the SMTP AUTH exploit seem to hit spamcop spamtraps more than they hit real reporters or other spamtraps.

See dsbl.org which appears to have some tools for testing to see if your mail server has common vulnerabilities.

Make sure that your mail server is using SMTP rejects on non-deliverable e-mail, and not generating bounces.

While the RFC's permit bounces, they are are likely to go to forged addresses from spam and viruses.

Spamtrap addresses are harvested by viruses and spammers and used for fake sending address.

Anything that auto-responds with a new e-mail to a virus or spam is likely to cause a mail server to send e-mail to a spam trap. Several DNSbls use spam traps.

Virus scanners that abusively send reports to these forged addresses are a good way to get listed. A virus scanner that responds to the forged addresses can use up an innocent person's mail quota real fast.

Some try not to list mail servers and broken virus scanners that bounce to forged addresses, but unlike SMTP reject codes, it is difficult to always detect a misdirected bounce, and real hard to automatically detect a broken virus scanner.

And has been pointed out, most of the mail administrators that I know will not accept any e-mail from any known dynamic pool. Probably more mail administrators block known DHCP pools than use the spamcop.net blocking list. If your mail is not being refused for being in a DHCP pool, it is only a matter of time before it is.

Also ISPs are starting to block direct access to port 25 on their DHCP pools because of the operation costs for them to deal with compromised machines spamming on their network. A compromised machine on a network can cost the ISP more operational cash in a week than they would expect to make in profit for that customer in a month or longer. So preemptive blocking or port 25 is the cheapest way to avoid that cost.

So you need to either relay through your ISP's mail server, or get them to assign you a static I.P. address, with an rDNS that clearly indicates it is static or your domain name. Also your mail server will have to use that rDNS name when it connects to deliver e-mail, or many mail servers will not accept e-mail from it.

If you do not understand any of these terms, you need to either hire someone that does, or outsource your e-mail to someone that does.

Otherwise as soon as you get this problem resolved, you will find again that your mail is being refused. And the DHCP pool lists will not remove I.P. address ranges unless you can prove that they are static, and most of the ISPs that have been reported to have implemented a port 25 have apparently done so with out any advance warning to their users. Usually it is because one or more ISPs have told them to stop the spam delivery attempts from the DHCP pools, or they will simply refuse all e-mail from them.

Also you may not find out about your mail not getting through for quite some time after you sent it. Some mail servers just delete detected spam instead of using SMTP rejects, so neither you or your recipiants will know why your e-mail is not getting through.

-John

Personal Opinion Only

[Wazoo]

For some reason the spammers that use the SMTP AUTH exploit seem to hit spamcop spamtraps more than they hit real reporters or other spamtraps.

I have no doubt that this is intentional, trying to spread the "bad" feelings and news of the impact of the SpamCopDNSbl.