OlegD

Mismatch between DNS blacklist and Web site

Hi all,

Mail server with IP 80.82.32.19 is blacklisted in DNS:

oleg$ host 19.32.82.80.bl.spamcop.net

19.32.82.80.bl.spamcop.net has address 127.0.0.2

But on your site (http://www.spamcop.net/w3m?action=checkblock&ip=80.82.32.19):

80.82.32.19 not listed in bl.spamcop.net

Why ?

15257[/snapback]

Because the block-list is real-time and the web page (to prevent spammers using it to get round the filters) is not. The web-page will catch up in time!

Senderbase shows it listed in spamcop and SORBS at the time of posting.

Noting the similarity between your username and the hostname, is this an IP you control? Do you want help with reasons for listing and/or stopping a spam spew?

Edited by Derek T
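The lookup quoted in this post, as an added example that is not part of the original thread: it builds the reversed-octet query name, classifies the answer, and compares two views of the same list to surface a mismatch like the one reported here. The resolver stubs `dns_mirror` and `web_view` and their answers are constructed so the block runs offline; `system_resolver` is what a live check would pass in instead.

```python
import ipaddress
import socket

def dnsbl_name(ip, zone):
    """Query name for an IPv4 DNSBL lookup: octets reversed, zone appended."""
    addr = ipaddress.IPv4Address(ip)            # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """A records via the local resolver; [] when the name does not exist."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:      # NXDOMAIN: not listed
            return []
        raise                                   # lookup failed: unknown, not "clean"

def classify(answers):
    """Map a DNSBL answer set to 'listed', 'not listed' or 'invalid'."""
    if not answers:
        return "not listed"
    loopback = ipaddress.ip_network("127.0.0.0/8")
    if all(ipaddress.ip_address(a) in loopback for a in answers):
        return "listed"
    return "invalid"    # e.g. a resolver that rewrites NXDOMAIN to its own address

def compare_views(ip, zone, views):
    """Ask every view (label -> resolver callable) and report disagreement."""
    name = dnsbl_name(ip, zone)
    verdicts = {label: classify(resolve(name)) for label, resolve in views.items()}
    return verdicts, len(set(verdicts.values())) > 1

# Constructed stand-ins for the two views in this thread: the DNS answer
# (127.0.0.2) and a second view that has no record for the address.
def dns_mirror(name):
    return ["127.0.0.2"] if name == "19.32.82.80.bl.spamcop.net" else []

def web_view(name):
    return []

if __name__ == "__main__":
    verdicts, mismatch = compare_views(
        "80.82.32.19", "bl.spamcop.net",
        {"dns": dns_mirror, "web": web_view},
    )
    print(verdicts, "MISMATCH" if mismatch else "consistent")
```

A lookup error is re-raised rather than reported as "not listed", so a resolver outage is never mistaken for a clean result.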

Because the block-list is real-time and the web page (to prevent spammers using it to get round the filters) is not. The web-page will catch up in time!

Hm-m. Is several days (approximately 3 days) a sufficiently long time for a web page update?

Noting the similarity between your username and the hostname, is this an IP you control? Do you want help with reasons for listing and/or stopping a spam spew?

15259[/snapback]

Yes, reasons for listing - that's what I expected to see on the Web page.

Yes, reasons for listing - that's what I expected to see on the Web page.

The web page will not tell you very much, unfortunately, because spammers used the info to evade the blocklist.

If you read the "Why Am I Blocked FAQ" it will list the most common reasons that servers are blocked.

If you are in the Senderbase and SORBS as well, it sounds like a compromised machine - probably the SMTP/Auth exploit (the remedies are also in the FAQ).

If you want more information, you can get that confirmed by deputies <at> spamcop.net who will confirm what kind of problem you are having. They do not let you see the email, I believe. Obviously you are hitting spamtraps which could be auto responses of some kind, but if the traffic has increased drastically then more than likely it is an exploit.

Miss Betsy

The web page will not tell you very much, unfortunately, because spammers used the info to evade the blocklist.

If you read the "Why Am I Blocked FAQ" it will list the most common reasons that servers are blocked.

If you are in the Senderbase and SORBS as well, it sounds like a compromised machine - probably the SMTP/Auth exploit (the remedies are also in the FAQ). 

If you want more information, you can get that confirmed by deputies <at> spamcop.net who will confirm what kind of problem you are having. They do not let you see the email, I believe. Obviously you are hitting spamtraps which could be auto responses of some kind, but if the traffic has increased drastically then more than likely it is an exploit.

Miss Betsy

15264[/snapback]

The reason for the listing in SORBS is spam from our client with IP 80.82.58.223 via our mail relay. This problem was resolved approximately two weeks ago (the client's machine was compromised). Our relay is listed in SORBS because we treat the "fine" as extortion and will not pay it. We do not agree with SORBS policy on this point.

I don't see any responses from spamtraps in the last week containing IP 80.82.32.19, only some direct mailings from our dialup clients (we have thousands of them, so it doesn't seem strange to me).

I don't have any Exchange server under my control.

So, if my host is listed, I should know why, shouldn't I?

Thanks for contacts, I'll try to ask deputies.

The reason for the listing in SORBS is spam from our client with IP 80.82.58.223 via our mail relay. This problem was resolved approximately two weeks ago (the client's machine was compromised).

Then you have another spamming client because your server has been sending to other spamtraps several times in the last week. PSBL Lookup

Then you have another spamming client because your server has been sending to other spamtraps several times in the last week. PSBL Lookup

15267[/snapback]

All right, but I couldn't identify it :-) "Check evidence" (and "Remove IP") button returns the following:

We have no spamtrap mail on record for 80.82.32.19. If 80.82.32.19 was listed in the past, the mail may have been expired from the spool already.

So I have no evidence -> couldn't identify spammer -> he(she) will spam again.

That's not good.

All right, but I couldn't identify it :-) "Check evidence" (and "Remove IP") button returns the following:

We have no spamtrap mail on record for 80.82.32.19. If 80.82.32.19 was listed in the past, the mail may have been expired from the spool already.

So I have no evidence -> couldn't identify spammer -> he(she) will spam again.

That's not good.

15268[/snapback]

Oleg - it seems to me that you have done everything right, that you want to stop the spam and are getting no help in identifying the source. It probably doesn't help but you have my sincere sympathy. My first response is clearly wrong, the web-page shouldn't be SO MUCH out of synch. Apologies. One thought, do you have ANY sort of autoresponder working on that server? Out of office? virus bounce to return envelope etc. etc.? (I mean autoresponses to the return envelopes rather than SMTP rejects to the incoming IP)

Miss Betsy, Oleg is using either unix or linux (oleg$ host 80... is the equivalent of Windoze C:\nslookup 80...) so it CAN'T be the usual SMTP/Auth hack here.

DEPUTIES - can you help out here? the bl is still returning a 127.0.0.2 and the webpage a 'not listed' - Senderbase rightly shows it as in the bl, what's going on? This chap is obviously responsible, has read the FAQs, wants to track down his spammer and is getting no help at all!

Edited by Derek T

so it CAN'T be the usual SMTP/Auth hack here.

Well it can be SMTP/Auth hack as that is not exclusive to Exchange. Exchange DOES make it easier on the hackers because they leave this open by default, but that does not preclude someone making a configuration error or having an easily guessable password that has been compromised.

From the top of the FAQ entry:

Note: While this faq is written towards Exchange, any mail server is vulnerable to the smtp-auth exploit attack.
Edited by StevenUnderwood

Well it can be SMTP/Auth hack as that is not exclusive to Exchange.  Exchange DOES make it easier on the hackers because they leave this open by default, but that does not preclude someone making a configuration error or having an easily guessable password that has been compromised.

From the top of the FAQ entry:

15273[/snapback]

Oops I stand corrected! (Mind you, I still maintain it can't be the usual hack because that involves the Exchange defaults) Either way, there doesn't seem to be the usual drastic increase in throughput in this case.

Edited by Derek T

Oleg - it seems to me that you have done everything right, that you want to stop the spam and are getting no help in identifying the source. It probably doesn't help but you have my sincere sympathy. My first response is clearly wrong, the web-page shouldn't be SO MUCH out of synch. Apologies. One thought, do you have ANY sort of autoresponder working on that server? Out of office? virus bounce to return envelope etc. etc.? (I mean autoresponses to the return envelopes rather than SMTP rejects to the incoming IP)

Miss Betsy, Oleg is using either unix or linux (oleg$ host 80... is the equivalent of Windoze C:\nslookup 80...) so it CAN'T be the usual SMTP/Auth hack here.

DEPUTIES - can you help out here? the bl is still returning a 127.0.0.2 and the webpage a 'not listed' - Senderbase rightly shows it as in the bl, what's going on? This chap is obviously responsible, has read the FAQs, wants to track down his spammer and is getting no help at all!

15272[/snapback]

My clients can tune an autoresponder ("away responder" for example) on their IMAP mailboxes. If this is a problem, I can turn it off. We send no virus bounces, of course. There can be only bounces like 'No such user', for example, when our mail relay acts as a backup MX for some client's mailserver.

But I need headers of spam (or bounce, or autorespond message) at least to identify problem.


The only way anyone can help him is by looking at the spam which only the deputies can do (or fixing the web page so it is accurate, again not something a poster can do).

People have said before that things were fixed and they weren't - also the possibility exists that someone else has a problem. He didn't say anything about looking at firewall logs where some people who can't find another reason, *do* find evidence of why.

He asked about finding out why he was listed. There are only so many ways to be listed and they are all in the FAQ. More specific answers can only be gotten by emailing the deputies. That's what I told him - which I think he thought was helpful. (but IIRC, that information has also been added to the FAQ).

Miss Betsy

Well it can be SMTP/Auth hack as that is not exclusive to Exchange.  Exchange DOES make it easier on the hackers because they leave this open by default, but that does not preclude someone making a configuration error or having an easily guessable password that has been compromised.

From the top of the FAQ entry:

15273[/snapback]

I believe that this is not my case, but anyway - I need the message that was sent via my relay to identify weaknesses.

To deputies: Can you provide such information to admin-c or tech-c of corresponding inetnum objects in RIPE, for example ? I am a tech-c.

The only way anyone can help him is by looking at the spam which only the deputies can do (or fixing the web page so it is accurate, again not something a poster can do).

People have said before that things were fixed and they weren't - also the possibility exists that someone else has a problem.  He didn't say anything about looking at firewall logs where some people who can't find another reason, *do* find evidence of why.

He asked about finding out why he was listed.  There are only so many ways to be listed and they are all in the FAQ.  More specific answers can only be gotten by emailing the deputies.  That's what I told him - which I think he thought was helpful.  (but IIRC, that information has also been added to the FAQ).

Miss Betsy

15277[/snapback]

What "firewall logs" do you mean? I check logs daily for anomalies, but, I repeat - I have thousands of clients, they send tens of thousands of mail messages a day, with the exception of incoming mail messages. I simply cannot handle such a volume by simply looking at mail logs. Sent mail isn't an anomaly. Whether a sent message is spam or simply a business message - I couldn't say this only by looking at a log.


You need to send an email to deputies<at>spamcop.net requesting information on the block of your IP address. While the deputies do post here from time to time, it has been stated to be low on their priorities.

If it is a spamtrap, they will not give you much but may be able to indicate whether it is an infected machine on your LAN, the SMTP/Auth hack, etc. You will not get the actual messages as they would reveal too much information about the spamtrap.

Any normal reports on this address would have gone to:

Parsing input: 80.82.32.19

host 80.82.32.19 = serv4.vsi.ru (cached)

Reporting addresses:

alexf<at>vsi.ru

alexs<at>vsi.ru

You should check with the people who man these addresses for any reports filed against your IP.

You need to send an email to deputies<at>spamcop.net requesting information on the block of your IP address.  While the deputies do post here from time to time, it has been stated to be low on their priorities.

If it is a spamtrap, they will not give you much but may be able to indicate whether it is an infected machine on your LAN, the SMTP/Auth hack, etc.  You will not get the actual messages as they would reveal too much information about the spamtrap.

Any normal reports on this address would have gone to:

You should check with the people who man these addresses for any reports filed against your IP.

15282[/snapback]

I already wrote a message to the deputies. But, if I may, I believe that such information should be granted automatically. Such information is actually the basis of problem troubleshooting.

Reporting addresses:

alexf<at>vsi.ru

alexs<at>vsi.ru

15282[/snapback]

By the way, what is the source of this information (usually)? In RIPE there are alexf[at]vsi.ru and oleg[at]vsi.ru (me) as the tech-c and alexs[at]vsi.ru as admin-c. How frequently does this get updated?

My clients can tune an autoresponder ("away responder" for example) on their IMAP mailboxes. If this is a problem, I can turn it off. We send no virus bounces, of course. There can be only bounces like 'No such user', for example, when our mail relay acts as a backup MX for some client's mailserver.

Scenario 1: Spammer sends UCE to one of your clients using a harvested spamtrap address in the return envelope. Client is on vacation and has 'out of office' auto-reply set up. Reply is relayed through your server. Spamcop identifies your server as source of spamtrap 'hit'.

Scenario 2: Worm or virus ditto etc. etc.

Scenario 3: Client sets up 'no such user' routine to accept the mail at the SMTP transaction and then to respond to return envelope (rather than reject at the time of the SMTP transaction to the originating IP) Reply is relayed through your server etc. etc. etc.

Any of these might get you onto one or more blocklists. Draw your own conclusions!

Hope the deputies are able to point you in the right direction. :rolleyes:

By the way, what is the source of this information (usually)? In RIPE there are alexf<at>vsi.ru and oleg<at>vsi.ru (me) as the tech-c and alexs<at>vsi.ru as admin-c. How frequently does this get updated?

15285[/snapback]

As I understand it: The database at abuse.net is used first, the registration information is used second and the default addresses (abuse and postmaster) are used last. I don't know if this makes a difference, but your entry does not have a "notify:" field where the other 2 listed in the lookup do. That may be why your address is not appearing. The lookups are done interactively with some sort of caching system in place to limit the lookups, but it has definitely been refreshed since: changed: alexf<at>vsi.ru 20010806 :)

Also, FYI, these pages are archived by the various search engines and allow robots to grab information. You will probably want to modify your posts to obscure the email addresses you posted. :o

% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum:      80.82.32.0 - 80.82.33.255
netname:      VSI-NET-VORONEZH
descr:        "VoronezhSviazInform"
descr:        35, Revolutsii prosp.
descr:        Voronezh,394000
descr:        Russia
country:      RU
admin-c:      AS120-RIPE
tech-c:       AVF12-RIPE
tech-c:       OOD3-RIPE
status:       ASSIGNED PA
notify:       alexf<at>vsi.ru
mnt-by:       VSI-MNT
mnt-lower:    VSI-MNT
mnt-routes:   VSI-MNT
changed:      hostmaster<at>ripe.net 20010725
changed:      alexf<at>vsi.ru 20040816
source:       RIPE

route:        80.82.32.0/19
descr:        VSI
descr:        "VoronezhSviazInform"
descr:        35, Revolutsii prosp.
descr:        Voronezh,394000
descr:        Russia
origin:       AS21017
mnt-by:       VSI-MNT
changed:      alexf<at>vsi.ru 20020903
source:       RIPE

person:       Alex M Sedykh
address:      "Voronezhsvjazinform"
address:      35, Revolutsii prosp.
address:      Voronezh,394000
address:      Russia
phone:        +7 (0732) 53-09-17
fax-no:       +7 (0732) 53-09-17
e-mail:       alexs<at>vsi.ru
nic-hdl:      AS120-RIPE
notify:       alexs<at>vsi.ru
changed:      sergk<at>ic.vrn.ru 20000120
source:       RIPE

person:       Alexey V Fedorov
address:      35, Revolutsii prosp.
address:      Voronezh,394000
address:      Russia
phone:        +7 (0732) 53-09-17
fax-no:       +7 (0732) 53-09-17
e-mail:       alexf<at>vsi.ru
nic-hdl:      AVF12-RIPE
notify:       alexs<at>vsi.ru
changed:      alexs<at>vsi.ru 20000120
source:       RIPE

person:       Oleg O Derevenetz
address:      35, Revolutsii prosp.
address:      Voronezh, 394000
address:      Russia
phone:        +7 (0732) 53-17-89
fax-no:       +7 (0732) 20-13-96
e-mail:       oleg<at>vsi.ru
nic-hdl:      OOD3-RIPE
mnt-by:       VSI-MNT
changed:      alexf<at>vsi.ru 20010806
source:       RIPE

I already wrote message to deputies. But, if I may, I believe that such information should be granted automatically. Such information is actually the basis of problem troubleshooting.

I am writing in hypotheticals here because we do not know if the listing is even caused by a spamtrap or by regular users reporting spam coming from your IP address.

If this is a spamtrap we are talking about, I disagree. The information on the web page used to be pretty much live data and that data was being used to keep using a spamtrap until it became listed and then switch to another IP. When the first address was released, it was immediately put back into service spamming. The information also included a history of the listings and you could see IP's being listed for 48 hours, being unlisted for a few hours, then being listed again, over and over again. Spamtrap information is guarded closely to keep the spamtrap address secret. There are other types of reports if it is actual spam being sent.

Another problem I just realized you may have is that some people will not send their reports to email addresses that are not role type accounts, fearing they are sending their reports directly to the spammers. You may want to set up an abuse<at> address and register that at www.abuse.net for your domain.

Hi all,

Mail server with IP 80.82.32.19 is blacklisted in DNS:

oleg$ host 19.32.82.80.bl.spamcop.net

19.32.82.80.bl.spamcop.net has address 127.0.0.2

But on your site (http://www.spamcop.net/w3m?action=checkblock&ip=80.82.32.19):

80.82.32.19 not listed in bl.spamcop.net

Why ?

15257[/snapback]

We had a synchronization glitch between the database and the mirrors which caused the mirrors to not update in a timely fashion. Your IP delisted this morning.

My clients can tune an autoresponder ("away responder" for example) on their IMAP mailboxes. If this is a problem, I can turn it off. We send no virus bounces, of course. There can be only bounces like 'No such user', for example, when our mail relay acts as a backup MX for some client's mailserver.

But I need headers of spam (or bounce, or autorespond message) at least to identify problem.

I don't operate a server so my explanations may not be very clear.

IIUC, some trojans open other than the usual email port to send the spam. The admin doesn't notice an abnormal increase in outgoing mail until he looks at what is happening at other ports.

There is a difference between rejecting (bouncing) mail at the server without accepting the DATA and accepting the DATA and then sending an email "bounce" to the return path. Because of spammers it is no longer a good idea to generate email "bounces" because 9 times out of 10 they simply send spam on to an innocent person.

I hope some other server admins read your posts because they might give you better hints. Someone has told you how to get spamcop reports sent directly to you so that you will see the headers. The only problem is that if it is an autoresponder and only hits spamtraps, then that doesn't generate a report. So if you do get yourself registered properly to receive the reports, if you get listed again and you didn't get a report, you might as well email the deputies directly since no one else knows any more than you would and the hints that are published in the FAQ. Once in a while someone may be able to give you a hint on where to look to find the spammer on your own so it doesn't hurt to ask here.


All right, big thanks to all, especially Derek_T, StevenUnderwood, Ellen, Chris Parker, Miss Betsy :-)

Only one objection:

I don't operate a server so my explanations may not be very clear. 

There is a difference between rejecting (bouncing) mail at the server without accepting the DATA and accepting the DATA and then sending an email "bounce" to the return path.  Because of spammers it is no longer a good idea to generate email "bounces" because 9 times out of 10 they simply send spam on to an innocent person.

15300[/snapback]

This is not always possible. For example, if the relay acts as a backup MX for a client's mailserver, and the mailserver is currently down, the relay accumulates mail for the client's domain. The relay doesn't know about users in the client's domain. But when the client's mailserver comes up and sends the ETRN command, the relay will send all the client's mail to the mailserver. The mailserver will respond with a 5xx code to every unknown address, and the relay shall send an error report to the sender to indicate delivery problems. This is a generally accepted and standard scheme when the SMTP protocol is used for delivery. Do you recommend declining this scheme? What fault-tolerant delivery scheme do you recommend in this case?

All right, big thanks to all, especially Derek_T, StevenUnderwood, Ellen, Chris Parker, Miss Betsy :-)

Only one objection:

This is not always possible. For example, if the relay acts as a backup MX for a client's mailserver, and the mailserver is currently down, the relay accumulates mail for the client's domain. The relay doesn't know about users in the client's domain. But when the client's mailserver comes up and sends the ETRN command, the relay will send all the client's mail to the mailserver. The mailserver will respond with a 5xx code to every unknown address, and the relay shall send an error report to the sender to indicate delivery problems. This is a generally accepted and standard scheme when the SMTP protocol is used for delivery. Do you recommend declining this scheme? What fault-tolerant delivery scheme do you recommend in this case?

15307[/snapback]

First off, you're very welcome: this is how this forum ought to work. ;)

You get my vote for 'most clued-up admin of the month' you should see some of the bozos we get in here at times!

I have no expertise in running a mailserver. Perhaps someone with more knowledge might answer your 'objection' with a practical suggestion.

I can only reflect that 'spammers spoil it for everyone': what seemed a good idea a couple of years, months or even weeks ago suddenly doesn't seem quite so good in the light of the latest worm or exploit. In my opinion, if spamtraps get to the point where all they're catching is autoresponds then they themselves will have outlived their usefulness. </CONTROVERSIAL>

Good luck in tracking down the cause of your listing.

Edited by Derek T


This is where we need a server admin.

Personally, IMVHO, the likelihood of a 'real' unknown user email being notified is very small compared to the likelihood of people becoming spam victims and it would be better to just dump them.

Also, I don't know why those rejects can't be sent through a spam and virus filter before being sent. That would eliminate most, if not all, of them.

Email does not have to be failsafe and email can disappear. If it was an important email, the sender should have contacted the recipient by phone or fax to see why there was no reply and would already know that his email did not go through. If it was a typo and not important, then either the sender would send another email or forget about it.

As Derek T says, spammers have ruined email in a number of ways. IMO, ISPs and computer magazines are to blame for not educating senders on ways to be responsible netizens and that email service can be interrupted and email lost for a number of reasons. This is one of them - the sender may not always get an undeliverable message. Since anyone who gets spam has also gotten bounces using their email address, most people should understand and accept it - just like good drivers accept being caught in a traffic jam because some other driver was careless and had an accident.

I would like to echo Derek's sentiment of your coolness under pressure (I know it is no fun to have to deal with being on a blocklist) and his wish that your problems will be fixed. I wish I could be of more help.

Miss Betsy
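The difference debated in this thread between rejecting at the SMTP transaction and accepting then bouncing, for the backup MX case, as an added example that is not part of the original posts. It is a toy model, not a real mail server: the `BackupMX` class, the addresses and the traffic are constructed, and it assumes the relay can be given a copy of the client's valid recipient list.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class BackupMX:
    """Toy backup MX for one client domain (a model, not a real MTA)."""
    domain: str
    known_rcpts: Optional[set] = None        # None: relay has no recipient list
    queue: list = field(default_factory=list)

    def rcpt_to(self, mail_from, rcpt):
        """RCPT stage: return the SMTP reply code given to the connecting host."""
        rcpt = rcpt.lower()
        if rcpt.rpartition("@")[2] != self.domain:
            return 554                       # not a domain we relay for
        if self.known_rcpts is not None and rcpt not in self.known_rcpts:
            return 550                       # refused in-session, nothing queued
        self.queue.append((mail_from, rcpt))
        return 250

    def flush(self, primary_users):
        """Primary is back up: hand over the queue, return bounce recipients."""
        bounces = []
        for mail_from, rcpt in self.queue:
            # The primary answers 5xx for unknown users; the relay then owes
            # a delivery report to the envelope sender (none if it was <>).
            if rcpt not in primary_users and mail_from:
                bounces.append(mail_from)
        self.queue.clear()
        return bounces

def simulate(relay, traffic, primary_users):
    """Run all RCPT commands, then the queue flush; return (codes, bounces)."""
    codes = [relay.rcpt_to(sender, rcpt) for sender, rcpt in traffic]
    return codes, relay.flush(primary_users)

# Constructed sample data.
USERS = {"bob@client.example", "info@client.example"}
TRAFFIC = [
    ("trap@spamtrap.example", "sales99@client.example"),  # spam, forged sender
    ("alice@sender.example", "bob@client.example"),       # normal mail
    ("carol@sender.example", "bbo@client.example"),       # honest typo
]

if __name__ == "__main__":
    for label, relay in [
        ("accept then bounce", BackupMX("client.example")),
        ("reject at RCPT", BackupMX("client.example", known_rcpts=USERS)),
    ]:
        codes, bounces = simulate(relay, TRAFFIC, USERS)
        print(f"{label}: codes={codes} bounces_to={bounces}")
```

With the recipient list in place the relay sends no bounce at all: the honest sender still learns of the typo because her own mail server reports the 550, while the forged spamtrap address receives nothing from the relay.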
