Jump to content
Sign in to follow this  
keithaham

What does this message mean?

Recommended Posts

Our organization sends out a daily message to people who have requested to receive it. I am receiving delivery failure messages that seem to indicate my mail server is being blocked.

Can someone help me to understand what is occurring, and suggest a solution?

Keith

aham.com

normal text:

ERROR: Your message could not be delivered.

The mail server generated the following error message:

Your message has encountered delivery problems

to the following recipient(s):

paulmiller[at]purplemonster.co.uk

Delivery failed

451 Blocked - see http://www.spamcop.net/bl.shtml?216.162.1.102

Failed to deliver to domain purplemonster.co.uk after 111 tries.

Last error was:

No recipients were successfully delivered to.

message source:

Return-Path: <postmaster[at]mailsite2.communityweb.net>

Delivered-To: spamcop-net-ahamspam[at]spamcop.net

Received: (qmail 30365 invoked from network); 15 Jun 2004 15:31:20 -0000

Received: from unknown (HELO c60.cesmail.net) (192.168.1.105)

by blade1.cesmail.net with SMTP; 15 Jun 2004 15:31:20 -0000

Received: from mailgate.cesmail.net (216.154.195.36)

by c60.cesmail.net with SMTP; 15 Jun 2004 11:31:17 -0400

X-Ironport-AV: i="3.81R,117,1083556800";

d="scan'208?txt'208"; a="75436512:sNHT36041560"

Received: (qmail 21799 invoked from network); 15 Jun 2004 15:31:16 -0000

Received: from unknown (HELO mailgate.cesmail.net) (192.168.1.101)

by mailgate.cesmail.net with SMTP; 15 Jun 2004 15:31:16 -0000

Received: from mail.asheboro.com [216.162.1.13]

by mailgate.cesmail.net with POP3 (fetchmail-6.2.1)

for ahamspam[at]spamcop.net (single-drop); Tue, 15 Jun 2004 11:31:16 -0400 (EDT)

To: ahamcntr[at]asheboro.com

Subject: Delivery failure (paulmiller[at]purplemonster.co.uk)

From: postmaster[at]mailsite2.communityweb.net

Message-Id: <B0071573331[at]mailsite2.communityweb.net>

Date: Tue, 15 Jun 2004 11:02:24 -0400

MIME-Version: 1.0

Content-Type: multipart/report; report-type=delivery-status; boundary="16378/1532/1087311744/MailSite/mailsite2.communityweb.net"

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade1

X-spam-Level: *

X-spam-Status: hits=1.4 tests=MAILTO_TO_SPAM_ADDR,MIME_SUSPECT_NAME,

NO_REAL_NAME version=2.63

X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.101 216.162.1.13

--16378/1532/1087311744/MailSite/mailsite2.communityweb.net

Content-Type: text/plain

Your message has encountered delivery problems

to the following recipient(s):

paulmiller[at]purplemonster.co.uk

Delivery failed

451 Blocked - see http://www.spamcop.net/bl.shtml?216.162.1.102

Failed to deliver to domain purplemonster.co.uk after 111 tries.

Last error was:

No recipients were successfully delivered to.

--16378/1532/1087311744/MailSite/mailsite2.communityweb.net

Content-Type: message/delivery-status

Content-Disposition: attachment; filename="DSN40CE0A24.txt"

Reporting-MTA: dns; mailsite2.communityweb.net

Received-From-MTA: dns; [192.168.123.135] (unverified [137.118.197.163])

Arrival-Date: Mon, 14 Jun 2004 16:27:16 -0400

Final-Recipient: rfc822; paulmiller[at]purplemonster.co.uk

Action: failed

Status: 5.4.7 (Permanent failure - routing/network: delivery time expired)

Remote-MTA: dns; mailhost1.pipemedia.net

Diagnostic-Code: smtp; 451 Blocked - see http://www.spamcop.net/bl.shtml?216.162.1.102

--16378/1532/1087311744/MailSite/mailsite2.communityweb.net

Content-Type: message/rfc822-headers

Received: from [192.168.123.135] (unverified [137.118.197.163]) by asheboro.com

(Rockliffe SMTPRA 5.3.7) with ESMTP id <B0071520830[at]mailsite2.communityweb.net> for <paulmiller[at]purplemonster.co.uk>;

Mon, 14 Jun 2004 16:27:16 -0400

User-Agent: IntelliMerge Classic 2.5

Date: Mon, 14 Jun 2004 16:32:33 -0400

Subject: Daily Message for Transforming the Mind #1204

From: "AHAM - Association of Happiness for All Mankind " <ahamcntr[at]asheboro.com>

To: Paul Miller <paulmiller[at]purplemonster.co.uk>

Message-ID: <3170075553.33585287117%ahamcntr[at]asheboro.com>

Mime-version: 1.0

Content-type: multipart/alternative; boundary="alternative_boundary"

--16378/1532/1087311744/MailSite/mailsite2.communityweb.net--

Share this post


Link to post
Share on other sites

The website lookup indicates that the mail server is not currently listed. I would guess that unless you are getting a number of non-deliverables that someone else's mail server is misconfigured.

However, doing a search in Google Groups shows a few spam reports (they are a few weeks old)

You can always send an email to deputies <at> spamcop.net and request additional information, which they may (or may not) provide.

Share this post


Link to post
Share on other sites

Sending only to people who request it is not enough. There are typos and malicious people in the world and that ends up with someone who didn't request it getting emails he doesn't want. You must have a confirmed subscription list.

You don't say how many of your emails are bouncing. If you followed the link in the bounce message, do you have any questions about what you found?

There could be a number of reasons - including that whoever is doing the bouncing is using the spamcop blocking message, but blocking with another list. Have you not received a spamcop report? Have you asked your provider if he did? Unless they were all spam trap hits (which probably means your computer was infected), then someone got a report.

If there were spam reports about this IP address a few weeks ago, did you have a problem and now it is fixed? If you didn't, then perhaps you will be listed again.

Miss Betsy

Share this post


Link to post
Share on other sites

The 4xx code indicates that the receiver was rejecting the e-mail message in a way that causes the sending mail server to retry to send it for approximately one week.

This was probably done because a spamcop.net listing only lasts for a maximum of 48 hours after the last spam report, and when a real mail server is listed, it usually gets fixed fast, so a real e-mail will eventually get delivered.

Also most spam will not retry on a 4xx error.

As to why the listing, the spamcop link currently does not show a listing, or any evidence.

So to look else where:

mail abuse OPS look up

Nothing current. The last entry shows that I.P was sending spam in December 2003. looks like a multi-hop exploit of another system in a nearby I.P. range. In MAY of 2003, that I.P. address relayed a virus from a nearby I.P. range.

There is spam listed from that I.P. in news.admin.net-abuse.sightings for the end of MAY 2004.

Examining the available public evidence implies that your server is relaying for other machines that are being controlled by spammers in nearby I.P. ranges.

So either you have an open relay for a larger network than you intend, or you have a several compromised computers on your network.

The current crop of viruses out there install remote control programs for spammers and other criminals, so an untreated infection leaves criminals in charge of your network and your machines.

In some areas, after this occurs, you are legally liable to notify anyone who's personal data is on your systems of the security breach.

With many common LAN protocols, the compromise of one machine means that any machine that connects to it can also be compromised.

It appears that your network was compromised since MAY 2003, and is likely still compromised. Your postmaster account should have been getting regular abuse reports since them up until today. If you can not find them, then that is an indication of a configuration problem.

The general recomendation from the security sites is that when a system is compromised by an intruder, you need to quarantine the data on the hard drives in a backup , erase the hard drives, and reload the operating systems and programs from known good sources, and then carefully restore data files from the backup with out running any scripts or executables on the backup.

Something that a commercial computer operation should have a documented procedure to do.

The lookups that I was able to do now should be something that the person who provides the technical support for your network should know how to do.

Also typically the spammers that exploit such systems as yours will spam until you get on a major blocking list, and then pause for a while to let the listing age off, and they will start the spam up again.

-John

Personal Opinion Only

Edited by WB8TYW

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×