RyanPietroski

You have blocked my IP, and I can't contact clients


For some weird reason you blocked my IP. I have my own xxxxxxxxx Server here at my office, and during an e-mail conversation with one of my clients I got this message:

Your message did not reach some or all of the intended recipients.

Subject: FW: Another introduction letter

Sent: 8/3/2004 10:18 PM

The following recipient(s) could not be reached:

xxxxxxxxxx on 8/3/2004 10:49 PM

You do not have permission to send to this recipient. For assistance, contact your system administrator.

<xxxxxxxxxxxxxxxxxx Your server xxxxxxxxxxxxxxxx[xxxxxxxxx] is listed by the blacklist bl.spamcop.net. Please contact your Dial-Up/DSL/Network ISP Provider. (http://www.spamcop.net/w3m?action=checkblock&ip=xxxxxxx)>

Please explain how and why I am on this list, and get me the heck off of it. I have never propagated spam in my life, so if it is happening from my server, it is news to me, and possibly some viruses/spyware. I would be curious if you knew exactly what is going on. Also, I myself am a victim of a huge amount of unwanted spam. How can I get rid of these bastards? Any help you could give me as soon as possible would be greatly appreciated.

Thanks

Edit: Personal Information Removed after problem solved, you will need to provide this if you want the same level of help that I received.

Edited by RyanPietroski
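
The bounce quoted in the post above is what a sender sees when the receiving server looks the sending IP up in bl.spamcop.net and finds it listed. As an added example (not part of the original thread), this sketch performs the same DNSBL lookup so a mail admin can monitor their own outbound IP; the function names and the 192.0.2.x sample addresses are assumptions made for illustration.

```python
import ipaddress
import socket

# getaddrinfo error codes that mean "no such name", i.e. the IP is not listed.
NOT_FOUND = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """Reverse the IPv4 octets and append the blocklist zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example covers IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")


def system_resolver(name):
    """Return the A records for name, or [] if the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror as exc:
        if exc.errno in NOT_FOUND:
            return []
        raise  # timeout or resolver failure must not be read as "clean"
    return sorted({info[4][0] for info in infos})


def check_listing(ip, zone="bl.spamcop.net", resolve=system_resolver):
    """Return (listed, answers); only 127.0.0.0/8 answers count as a listing."""
    answers = resolve(dnsbl_query_name(ip, zone))
    codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_NET]
    return bool(codes), codes


if __name__ == "__main__":
    # Constructed stand-in for DNS so the demo runs offline: 192.0.2.25
    # (documentation range) plays the listed mail server.
    fake_zone = {"25.2.0.192.bl.spamcop.net": ["127.0.0.2"]}
    for ip in ("192.0.2.25", "192.0.2.26"):
        listed, codes = check_listing(ip, resolve=lambda n: fake_zone.get(n, []))
        print(ip, "LISTED" if listed else "not listed", codes)
```

Calling `check_listing("<your outbound IP>")` with the default resolver does a live lookup; answers outside 127.0.0.0/8 are ignored because some resolvers rewrite non-existent names to an unrelated address, which would otherwise look like a listing.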


Check out: http://www.spamcop.net/w3m?action=checkblo...xxx.xxx.xxx.xxx

Your mail server has been sending mail to spam traps.

Check out: http://www.senderbase.org/?searchBy=ipaddr...xxx.xxx.xxx.xxx

That would indicate that there has been a 5000% increase in the amount of mail coming from your server.

Since you mentioned that you are running Exchange, you've likely fallen prey to an SMTP Auth Hack in which a spammer has found a weak password and is using that account to send mail. Check your logs and you should be able to find out which account has been compromised.

IP address removed by request

Edited by Chris Parker

> And once I get this fixed, do you remove me from it right away?

Once you have solved the problem send an email to deputies (at) spamcop.net and let them know what was happening and what you did to resolve the problem and they may remove you from the blocklist. Otherwise you'll be removed within 48 hours of the most recent incident.


You should also disconnect this server from the internet until you get it locked down as spammers have probably hacked it and are currently sending their spam from your server.

Do you know how to monitor it and check the logs?

You should also be more concerned about the security leak on your server instead of being on the Spamcop blocklist. You will come off the Blocklist automatically after a couple of days from the last spam report but if your server is insecure then you will get into other blocklists that will never take you off.


Guys,

Thanks for the help. I called my Tech guy, who talked me through going into the xxxxxxxxxxxxx manager, and seeing the queues. There are hundreds of queues for domains I have never sent to.

The server is also a xxxxxxxxx which my employees use to log into when away from work. I logged in and checked everyone's sent box, and didn't see any of these e-mails. Even my Tech wasn't sure what to do from here to try and stop it. He suggested changing everyone's log on password, but since I don't see any sent e-mails under everyone's accounts, I am thinking this hacker got in some way else, or to some sort of built in account.

Do you guys have any help you could possibly give me in getting in and shutting this Hacker out? I would like to try to prevent this from happening as well too.

Strange thing is, I have been waiting for a bit of free time to figure out how to stop all the spam my employees and me get on a regular basis.

I am soo upset right now.

Thanks in advance for any help.

Edit: Personal Information Removed after problem solved, you will need to provide this if you want the same level of help that I received.

Edited by RyanPietroski

> Also, I myself am a victim of a huge amount of unwanted spam. Any help you could give me as soon as possible would be greatly appreciated.

If you read previous posts and hang around and ask specific questions, you will learn a lot about spam fighting. There are many server admins who frequent this forum and even more in the spamcop newsgroup.

> How can I get rid of these bastards?

Actually, at the present time there is no way to 'get rid' of spammers. However, blocklists like spamcop do help in filtering spam out and if you use blocklists to reject spam at the server level then you don't pay for the bandwidth. Also legitimate correspondents who are using a compromised machine or a spammy provider are notified so that they can do something. Spam will be stopped when the *sender* becomes responsible for not allowing spam (or in the case of a user, not supporting incompetent or irresponsible providers). Of course, there will be occasional glitches (people make mistakes), but it is a small price to pay for stopping spam at the server level.

Spamcop is unique in that its purpose is to both help server admins stop any spammers who get on their systems (by reports to them - unfortunately in your case the spam went to spam traps which don't send reports) and to protect other systems from receiving spam until the problem is fixed. At this time, spam is either being sent by compromised machines which yours is apparently - that spam is stopped as soon as the server admin is aware of it and the server ages off the blocklist (it is sometimes sooner than 48 hours, but it is all automatic) - or by service providers who don't care, want spammer money, or are totally incompetent - the latter are more or less perpetually on the blocklist.

Miss Betsy

<snip>

> Even my Tech wasn't sure what to do from here to try and stop it. He suggested changing everyone's log on password, but since I don't see any sent e-mails under everyone's accounts, I am thinking this hacker got in some way else, or to some sort of built in account.

...You may want to think seriously about adding a more e-mail savvy (especially MS Exchange savvy) tech to your staff. As you can see, not having someone who knows a lot about how to secure e-mail can cause your business a lot of damage and you a lot of frustration.

> Do you guys have any help you could possibly give me in getting in and shutting this Hacker out? I would like to try to prevent this from happening as well too.
>
> <snip>

...Some additional places to look:


Thanks for the help.

I am a small business owner, and can't afford to have full time IT staff. However I have one of my techs coming in 45 mins. He has some program on his laptop that will help to sniff out what's going on. I will show him these links, hopefully it will help.

Thanks again.


BTW...shouldn't this topic be in the "Help" forum instead of the "SpamCop Email" forum?

dt

> Thanks for the help.
>
> I am a small business owner, and can't afford to have full time IT staff. However I have one of my techs coming in 45 mins. He has some program on his laptop that will help to sniff out what's going on. I will show him these links, hopefully it will help.
>
> Thanks again.

...Of course, I'm not in your shoes, but it seems to me you can't afford to not have available someone who is knowledgeable about e-mail. It doesn't have to be full-time or even an IT person. But if your business is reliant on your ability to contact clients by tool x (where x, in this case, is Microsoft Exchange e-mail server), then someone with a deep knowledge of x is essential to your business, as well. Note, by the way, that e-mail is not a guaranteed delivery mode even without block lists. Backhoes can damage communication lines, servers can go down, data packets can be lost....

> ...Of course, I'm not in your shoes, but it seems to me you can't afford to not have available someone who is knowledgeable about e-mail. It doesn't have to be full-time or even an IT person. But if your business is reliant on your ability to contact clients by tool x (where x, in this case, is Microsoft Exchange e-mail server), then someone with a deep knowledge of x is essential to your business, as well. Note, by the way, that e-mail is not a guaranteed delivery mode even without block lists. Backhoes can damage communication lines, servers can go down, data packets can be lost....

Agreed. The answer (my tech) is here, only a couple hours after I realized this has happened. We noticed two accounts logged into my server, both with IPs that resolve to unknown people. The main problem it seems is that my exchange server is running on the same box as my web server. They have tunneled in through my web server, into my xxxxxxxxx server.

To make a long story short, we are buying a new web server today, and going to separate the boxes. We are in the process of sniffing out exactly what the hackers are doing, and the extent to which they are "into" my network. In a few days this will all be over :)

Thanks for all the help, and thanks to SpamCop for alerting me to this problem. I'm not sure how long this would have taken for me to notice this problem without the alert from SpamCop.

Edit: Personal Information Removed after problem solved, you will need to provide this if you want the same level of help that I received.

Edited by RyanPietroski

> > ...Of course, I'm not in your shoes, but it seems to me you can't afford to not have available someone who is knowledgeable about e-mail. It doesn't have to be full-time or even an IT person. But if your business is reliant on your ability to contact clients by tool x (where x, in this case, is Microsoft Exchange e-mail server), then someone with a deep knowledge of x is essential to your business, as well. Note, by the way, that e-mail is not a guaranteed delivery mode even without block lists. Backhoes can damage communication lines, servers can go down, data packets can be lost....
>
> Agreed. The answer (my tech) is here, only a couple hours after I realized this has happened. We noticed two accounts logged into my server, both with IPs that resolve to unknown people. The main problem it seems is that my exchange server is running on the same box as my web server. They have tunneled in through my web server, into my exchange server.
>
> To make a long story short, we are buying a new web server today, and going to separate the boxes. We are in the process of sniffing out exactly what the hackers are doing, and the extent to which they are "into" my network. In a few days this will all be over :)
>
> Thanks for all the help, and thanks to SpamCop for alerting me to this problem. I'm not sure how long this would have taken for me to notice this problem without the alert from SpamCop.

...Awesome -- well done, Ryan! This is exactly the way it's supposed to work and exactly what we SpamCop reporting users (well, at least this SpamCop reporter) hope for when we submit our spam reports. Thank you very much for taking the time to come back here and let us know the good news. :D <big, big grin!>


I hope you have disconnected the machine from the web while all this spam is coming from it.

> I hope you have disconnected the machine from the web while all this spam is coming from it.

In the end I was able to see two people logged into the server, and removed them. One IP was untraceable, the other from Latin America.

We removed all queues, and kicked them out. We adjusted the setting to make it much harder to get in, and they haven't been back since. No more spam from me.


> > Agreed. The answer (my tech) is here, only a couple hours after I realized this has happened. We noticed two accounts logged into my server, both with IPs that resolve to unknown people. The main problem it seems is that my exchange server is running on the same box as my web server. They have tunneled in through my web server, into my exchange server.
> >
> > To make a long story short, we are buying a new web server today, and going to separate the boxes. We are in the process of sniffing out exactly what the hackers are doing, and the extent to which they are "into" my network. In a few days this will all be over :)
> >
> > Thanks for all the help, and thanks to SpamCop for alerting me to this problem. I'm not sure how long this would have taken for me to notice this problem without the alert from SpamCop.
>
> ...Awesome -- well done, Ryan! This is exactly the way it's supposed to work and exactly what we SpamCop reporting users (well, at least this SpamCop reporter) hope for when we submit our spam reports. Thank you very much for taking the time to come back here and let us know the good news. :D <big, big grin!>

I don't know who "pins" threads to the forum, but this should go in as an example to the countless business owners who whine at spamcop when their security holes cause spam instead of taking responsibility and taking quick action like Ryan. (Most recently there was one last week who was trotting out the usual veiled threats of "legal action.")


Note: After the problem was addressed Ryan has edited out sensitive personal information originally necessary to help fix the problem but no longer necessary to be displayed in public.

Thanks Ryan for setting a great example as how things should and do work here!!!

The following are links to threads referred to by integrate of how not to ask for help.

I hate Spamcop and spam, They cause the same amount of problems

blocked email

Edited by dbiel

> I don't know who "pins" threads to the forum, but this should go in as an example to the countless business owners who whine at spamcop when their security holes cause spam instead of taking responsibility and taking quick action like Ryan.

...The Moderators. However, the general consensus here is that there are already too many pinned items.

> the general consensus here is that there are already too many pinned items.

Indeed! This software presents the user with 15 posts on each forum index, and if another one gets pinned in this forum, that will be 11 pinned vs. only the four most recently-active threads, which will surely scroll other important threads off the user's screen....not good. It's already been suggested elsewhere that there be a re-working of the pinned items on all the forums, collapsing them into a more hierarchical structure of related issues. Unfortunately, there is only one active moderator here at the moment, and although he's a very dedicated volunteer, he also has some RL issues that are more important at the moment (something about trees falling on houses, and maybe trees falling on him....). :blink:

dt

Edited by DavidT

