hilag, posted July 26, 2004:

Hello, I am writing from the College of Saint Rose, Albany, New York. Our email server is being blocked from your lists. The domain is registered and we don't use it for spam. Here is the IP address: 65.167.152.40. Here is all I can find from searching the db:

(Help) (Trace IP) (Senderbase lookup)
65.167.152.40 listed in bl.spamcop.net (127.0.0.2)
Causes of listing
Additional potential problems (these factors do not directly result in spamcop listing)
Listing History
In the past 233.8 days, it has been listed 2 times for a total of 6.7 days

Wazoo, posted July 26, 2004:

Have you looked at http://forum.spamcop.net/forums/index.php?showtopic=972 ? Granted the lack of evidence sucks, but you have to thank the spammers for the continued removal of more and more data from that page ... however, if you'd hit the Senderbase link, you'd see that there's been a 530% increase in traffic from that IP in the last day ... suggesting something has started spewing ... that ISP needs to get started looking for the cause of the increased traffic flow ...

DavidT, posted July 26, 2004:

Given the lack of specific information as to the reason for the blocking by SpamCop, you should start by talking to the onsite person listed in the ARIN database as being responsible for your IP address, which is a "William Traver", because copies of SpamCop complaints are sent to his address: traverw (at) mail.strose.edu

It's possible that someone at St. Rose has a SpamCop account and is inadvertently "reporting themselves" by using the SpamCop reporting features. If that's the case, details would have been sent to his address. If he's not available, or you want to pursue this further, try writing to: bl (at) admin.spamcop.net and maybe also to: deputies (at) admin.spamcop.net

Good luck

Miss Betsy, posted July 26, 2004:

It is more probable that someone has an infected computer that is sending spam without the owner's knowledge (because of the increase in traffic) or is sending virus notifications or email 'bounces'. Get the person in charge to contact spamcop either through the addresses given or post here in the forum. If it is an infected computer, people here will tell you how to find it.

Miss Betsy

hancockm, posted July 28, 2004:

I am the admin for mail.strose.edu. I have checked my event logs on my exchange server (1708) to see if any compromised users were sending out. I found 3. I changed passwords or disabled them. I checked to see if we are relaying. We are not. Betsy mentioned an infected computer and how to track it. Would anyone have any hints?

Thanks for any help,
Mark

Wazoo, posted July 28, 2004:

The data found at http://www.senderbase.org/?searchBy=ipaddr...g=65.167.152.40 shows a 199% increase today, and it's still morning here .... and

65.167.152.40 listed in bl.spamcop.net

so it would appear that the "3 accounts" got you listed again. However, as you bring in the "exchange server" .. that opens up the world of exploits. One of the first places to take a read is http://www.spamcop.net/fom-serve/cache/372.html but in all fairness, this just barely scratches the issue. Weak passwords, exploited accounts, and the possibility that the system has been totally compromised at this point is a valid possibility. Though also noting that you made no mention of looking at firewall logs to ensure that traffic is not leaving your network by means other than through the exchange server ....

As the current SpamCopDNSbl listing shows that spamtrap traffic is the main cause, asking for some help from Deputies <at> admin.spamcop.net may allow some data to be passed back to you that might identify whether it's your server that's been compromised or a networked machine that's responsible.

If you've got the time (and you probably should make it available) please read an existing Topic at http://forum.spamcop.net/forums/index.php?showtopic=1652 which deals with a successful work through for another exchange server admin
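
An added example, not part of any post in this thread: one way to run the firewall-log check suggested above, listing internal hosts that open outbound TCP/25 connections without going through the mail server. The log format, the 10.0.0.0/8 address plan, the mail server's internal address and the function names are all assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions (not from the thread): the internal address plan and the
# Exchange server's internal IP, the only host allowed to send SMTP out.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MAIL_SERVERS = {"10.0.0.25"}

# Constructed sample lines in an iptables-style key=value format.
SAMPLE_LOG = """\
Jul 28 09:14:02 fw kernel: OUT SRC=10.0.0.25 DST=203.0.113.9 PROTO=TCP SPT=40112 DPT=25
Jul 28 09:14:03 fw kernel: OUT SRC=10.0.0.57 DST=10.0.0.25 PROTO=TCP SPT=51200 DPT=25
Jul 28 09:14:05 fw kernel: OUT SRC=10.0.0.113 DST=198.51.100.20 PROTO=TCP SPT=1045 DPT=25
Jul 28 09:14:05 fw kernel: OUT SRC=10.0.0.113 DST=198.51.100.21 PROTO=TCP SPT=1046 DPT=25
Jul 28 09:14:06 fw kernel: OUT SRC=10.0.0.113 DST=203.0.113.77 PROTO=TCP SPT=1047 DPT=25
Jul 28 09:14:07 fw kernel: OUT SRC=10.0.0.57 DST=198.51.100.80 PROTO=TCP SPT=51201 DPT=443
Jul 28 09:14:09 fw kernel: OUT SRC=10.0.0.88 DST=203.0.113.5 PROTO=TCP SPT=3300 DPT=25
Jul 28 09:14:10 fw kernel: truncated entry SRC=10.0.0.9
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def direct_smtp_senders(log_text, allowed=MAIL_SERVERS, internal=INTERNAL_NET):
    """Map each non-mail-server source IP to its outbound TCP/25 activity."""
    hits = defaultdict(lambda: {"connections": 0, "destinations": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue  # not SMTP, or a malformed line
        src, dst = f.get("SRC"), f.get("DST")
        try:
            external = ipaddress.ip_address(dst) not in internal
        except (TypeError, ValueError):
            continue  # missing or unparsable destination
        # Clients submitting mail to the internal server are normal; only
        # SMTP that leaves the network from a non-approved host is flagged.
        if src and src not in allowed and external:
            hits[src]["connections"] += 1
            hits[src]["destinations"].add(dst)
    return dict(hits)

def report(hits):
    """Rows of (source IP, connections, distinct destinations), busiest first."""
    rows = sorted(hits.items(), key=lambda kv: -kv[1]["connections"])
    return [(src, d["connections"], len(d["destinations"])) for src, d in rows]

if __name__ == "__main__":
    print(report(direct_smtp_senders(SAMPLE_LOG)))
```

A workstation that contacts many distinct external mail hosts directly is the pattern to investigate first; no rows at all points back toward the mail server itself.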
Archived
This topic is now archived and is closed to further replies.