rneedham

Not on bl.spamcop.net list


I do apologize to this user group. I was out of line in my comments and my anger was misplaced. Thank you for pointing out that we are sending spam; this had not shown up on any of my logs. I routinely check my server for relay and continually try to stay ahead of spammers. I guess I have failed!

I will work to eliminate the spam going through my server.

Thank you again.

Ellen, how do I find the information you posted here?

The first obvious guess is that she referenced data collected in various spamtraps. There is a lot of data in the "Why am I blocked?" FAQ that should address this. Her words about "relaying for several IPs" should be a large clue to go look at some things. Another active Topic today dealt with someone on staff re-enabling the Guest account on the output server, which was also hacked/owned in a very short time-frame (an Exchange server once again).

Your last "sample" failed to include an IP address, so there's no way to even begin a look-up on it at this point in time.

If there are bugs or problems in the software we provide it is our obligation to correct it, just as it should be the obligation of SpamCop to correct the "misuse" of their service or whatever is causing us to have mail bounced when we are not listed.

OK, then we can hold every SMTP server maker accountable for all the spam we get because the spammers are mis-using their tool to send the spam. And every screwdriver that breaks because it was being used as a chisel, etc.

The only part of this system that is under the control of SpamCop is the actual list. How people use that list is not under their control. There was a problem recently where the mirrors holding the list data were out of sync, but I would expect, since Ellen looked into this issue, that this is not the problem here. She did not specifically rule it out, however.

At this point in time, you are not showing as being listed. Unless one of the mirrors is out of sync, there is nothing SpamCop can do about the situation of someone incorrectly configuring their software to say that the block was because of SpamCop. They could just as easily have programmed the message to say the block was because of sunspots or aliens.

Did you see the message from Ellen, one of the spamcop deputies in this thread that said your server was relaying spam messages?

Some of the IPs that you are relaying for include:

61.53.111.30

218.58.63.38

211.158.90.115

This has been going on since at least 8/6/2004.

This information was gathered from the SpamCop reports on your IP, which the deputies have access to. This is why you are being listed intermittently. Fix that and you will have no more problems with SpamCop.


Thank you StevenUnderwood, I am now working to figure out which user account is being used. I have already made sure that the guest account is inactivated and I changed administrator passwords yesterday. Is there any way for me to identify the information Ellen has so I can check daily?


Thank you again. I have been going through my logs and I am only finding one instance of one of the IP's she listed. I will contact her.

Thank you again.


I have seen reference to me as Birch? Birch is our T1 provider and we have 5 ip's from them but we are not Birch. Will this be a problem for us?


The only real way to answer any issue with a Birch association would be based on the content, data, and structure of the outgoing e-mail servers. The SpamCop parsing engine attempts to follow the flow/handoffs of the e-mail as it makes its travels, specifically the part called the "chain test": if all header lines are RFC compliant and server data/registration all works out, then there should be no problem at all. However, there's a recent Topic in here from an Admin that kept repeating the mantra "I know which server is which, so they don't need any damn reconfiguration", which left the SpamCop parser pointing to the "broken" chain in the handoff sequence every time.
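The hand-off check described in that post, as an added example that is not SpamCop's parser and not part of the original thread. It walks the Received: headers from newest (top) to oldest and trusts a hop only if the host it says it received the message "from" is the host the next older header says it was received "by"; the first mismatch is where the chain breaks, and the source the check can still stand behind is the IP the last trusted hop received from. Both messages are constructed; the host names and IPs are documentation values, and the "broken" message shows exactly the admin-knows-which-server-is-which case: a smarthost that stamps itself with an internal name nobody else calls it by.

```python
"""Simplified Received: header chain test (illustration, not SpamCop's code)."""
import re
from email import message_from_string

# Constructed sample with an unbroken chain: each 'from' matches the next older 'by'.
SAMPLE_GOOD = """Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby inbound.example.org (Postfix) with ESMTP id 1A2B3C
\tfor <user@example.org>; Mon, 6 Sep 2004 10:00:02 -0400
Received: from smart.example.com (smart.example.com [192.0.2.20])
\tby mx1.example.net (8.12.11/8.12.11) with ESMTP id i86E01Xx012345
\tfor <user@example.org>; Mon, 6 Sep 2004 10:00:01 -0400
Received: from [198.51.100.7] (unknown [198.51.100.7])
\tby smart.example.com (Postfix) with ESMTPA id 9Z8Y7X;
\tMon, 6 Sep 2004 09:59:58 -0400
From: someone@example.com
To: user@example.org
Subject: test

body
"""

# Same message, but the smarthost names itself by an internal name that the
# next server does not use for it, so its hand-off cannot be verified.
SAMPLE_BROKEN = SAMPLE_GOOD.replace("by smart.example.com (Postfix)",
                                    "by mailsrv01.localdomain (Postfix)")

HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw_message):
    """Return one dict per Received: header, newest first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue                            # local submission etc.; skip
        from_host, rdns, by_host = m.groups()
        ip = IP_RE.search(rdns) or IP_RE.search(from_host)
        hops.append({"from": from_host.lower(),
                     "ip": ip.group(1) if ip else None,
                     "by": by_host.lower()})
    return hops


def chain_test(hops):
    """Return (source_ip, broken_at).

    broken_at is None when every hop ties to the one above it; otherwise it is
    the index of the first hop that could not be tied in, and source_ip is the
    address the last trusted hop received from (the server that gets blamed)."""
    for i in range(len(hops) - 1):
        if hops[i]["from"] != hops[i + 1]["by"]:
            return hops[i]["ip"], i + 1
    return (hops[-1]["ip"] if hops else None), None


if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("broken", SAMPLE_BROKEN)):
        print(label, chain_test(parse_received(sample)))
```

On the unbroken message the check walks through to the real originator, 198.51.100.7. On the broken one it stops at the smarthost's own address, 192.0.2.20, which is the admin's server; that is the "parser pointing to the broken chain" outcome, and the fix is on the admin's side (make the server announce the name other hosts resolve it by), not SpamCop's.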


I have read the articles posted on the other pages but they seem to reference an Exchange server and I am not running an Exchange server, I am running VOPMail. With thousands of users, how am I to tell which one has been compromised? I have been going through my Operation log but this has had no net effect :-( I have ensured that guest is inactivated and have changed the passwords for administrator in both my local machine and the Active Directory. I do not have a test or demo account.


http://www.serverwatch.com/stypes/servers/index.php/16133 sure makes it appear that Vopmail is probably more than a bit long in the tooth ...????

Ouch!!!! http://www.vircom.com/Support/

Vircom's second-generation email security products (all VOPMail versions, Modus 2.x and VOP Anti-spam Gate 2.x) will be supported until June 30th 2004. Starting June 30th 2004, Vircom will no longer provide Anti-spam updates to Modus 2.x customers and technical support will only be given for upgrade issues.

I guess that would explain the long time since the last update.


HI...

adding to this as I am having somewhat of the same problem. Have an IP address coming up in the maillog as being listed in bl.spamcop.net but yet when I check the address via the provided link or spamcop.net it comes back as not listed in bl.spamcop.net.

Sep 1 15:47:13 relay sendmail[4221]: [ID 801593 mail.notice] i81JlDMf004221: ruleset=check_rcpt, arg1=<mmmm[at]ziplink.net>, relay=mail2.hagner.com [65.105.133.220] (may be forged), reject=553 5.3.0 <mmmm[at]ziplink.net>... spam blocked see: http://spamcop.net/bl.shtml?65.105.133.220

Also, connected to the IP in question and attempted to send email and it would allow and returned unable to relay so it isn't a wide open server.

Any info is appreciated.

Thanks,

Lauri-


According to Senderbase, 65.105.133.220:

Last day: 3.9, up 731%

Last 30 days: 3.8, up 659%

Looks like the spammers have more control of this machine than the admin does <_<


Are you able to sort your logs by number of messages sent per user?

If you can do that, start with the largest number first and work backwards.

Spammers generally send more mail than valid customers.

Also, if you can check trends in volume by user, a sudden increase in mail should raise a red flag. That is not to say they are spamming, but it is sure worth checking out. This holds especially true if the cause of your being added to the blocking list is spam traps.

If the cause is user reports, it would be good for you to contact your customers and remind them of the importance of using fully opt in lists (confirmed lists) and it is not a bad idea to make it a habit to reconfirm lists on an annual basis. People sometimes forget that they have signed up for a list.

I have seen reference to me as Birch?  Birch is our T1 provider and we have 5 ip's from them but we are not Birch.  Will this be a problem for us?

[quoting post 16181]

I think I started that. Senderbase lists that IP as belonging to Birch; Birch have a lot of compromised servers. I wrongly assumed you were an admin for birch. Apologies.

HI...

adding to this as I am having somewhat of the same problem. Have an IP address coming up in the maillog as being listed in bl.spamcop.net but yet when I check the address via the provided link or spamcop.net it comes back as not listed in bl.spamcop.net.

<snip>

Also, connected to the IP in question and attempted to send email and it would allow and returned unable to relay so it isn't a wide open server.

[quoting post 16199]

1. The SpamCop blocklist is real-time and dynamic. In all probability your IP was listed at the time of the reject but had aged off by the time you followed the link. It happens. It was listed THEN, it isn't NOW, IYSWIM.

2. Open relays are getting rarer. We get (probably) 5 admins per week saying that they're not open relays, so why are they listed? The SMTP/Auth hack is now far more common: spam relayed through a compromised but legitimate account. Times change, relay tests don't cut the mustard any more, spammers spoil it for everyone. Good luck in sorting your problem.

3. Senderbase shows over 700% increase in traffic: sorry, you have been hacked - see article in FAQ on SMTP/Auth

Edited by Derek T
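Point 1 above (listed at reject time, not listed when you look) is worth seeing mechanically. The following is an added example, not part of the thread and not a SpamCop tool: it parses the sendmail reject line Lauri quoted earlier (the recipient stays masked as in the post, and the syslog tag is written as [ID ...]), builds the reversed-octet DNS name the MTA queried, and reads the answer the way the MTA does. The fact it relies on is that bl.spamcop.net answers 127.0.0.2 for a listed address and returns no record (NXDOMAIN) for one that is not; anything else is treated as unexpected rather than guessed at. Only check_now() touches the network, so everything else runs offline.

```python
"""Re-check a DNSBL reject from a sendmail log (added example, not SpamCop code)."""
import re
import socket

# The reject line quoted in the thread above.
LOG_LINE = (
    "Sep 1 15:47:13 relay sendmail[4221]: [ID 801593 mail.notice] i81JlDMf004221: "
    "ruleset=check_rcpt, arg1=<mmmm[at]ziplink.net>, relay=mail2.hagner.com [65.105.133.220] "
    "(may be forged), reject=553 5.3.0 <mmmm[at]ziplink.net>... spam blocked see: "
    "http://spamcop.net/bl.shtml?65.105.133.220"
)

REJECT_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*? relay=(?P<relay>\S+) "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*? reject=(?P<code>\d{3}) (?P<ecode>\d\.\d\.\d) "
    r".*?spam blocked see: http://spamcop\.net/bl\.shtml\?(?P<listed_ip>\S+)"
)


def parse_reject(line):
    """Return the fields of a SpamCop-reason sendmail reject line, or None."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    # The IP in the reason URL should be the IP the client actually connected
    # from; a mismatch means the MTA's reason text is not describing this client.
    fields["ip_matches_link"] = fields["ip"] == fields["listed_ip"]
    return fields


def dnsbl_name(ip, zone="bl.spamcop.net"):
    """65.105.133.220 -> 220.133.105.65.bl.spamcop.net"""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone


def interpret(answers):
    """answers: A records returned for the DNSBL name; [] means NXDOMAIN."""
    if not answers:
        return "not listed now (may still have been listed at reject time)"
    if "127.0.0.2" in answers:
        return "listed"
    return "unexpected answer %s; check the zone's documented return codes" % ",".join(answers)


def check_now(ip, zone="bl.spamcop.net"):
    """Live lookup; needs network access and is not part of the offline checks."""
    try:
        answers = socket.gethostbyname_ex(dnsbl_name(ip, zone))[2]
    except socket.gaierror:       # NXDOMAIN (or no resolver) -> not listed
        answers = []
    return interpret(answers)


if __name__ == "__main__":
    rej = parse_reject(LOG_LINE)
    print(rej["ts"], rej["relay"], rej["ip"], rej["code"], rej["ecode"])
    print(dnsbl_name(rej["ip"]), "->", check_now(rej["ip"]))
```

The thing to keep from this: the reject line is the only record of what the list said at 15:47:13 on Sep 1. A "not listed" from the web form afterwards does not contradict it, and the Senderbase volume jump quoted above is the better indicator of what the machine was doing at the time.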

I have read the articles posted on the other pages but they seem to reference an Exchange server and I am not running an Exchange server, I am running VOPMail.  With thousands of users, how am I to tell which one has been compromised?  I have been going through my Operation log but this has had no net effect :-(  I have ensured that guest is inactivated and have changed the passwords for administrator in both my local machine and the Active Directory. I do not have a test or demo account.

[quoting post 16185]

If the spammer / cracker has guessed or phished the password to an administrative level account, then it is possible that they have replaced the administrative tools or virus scanners with ones that will not show their activity, or remove it.

An SMTP auth exploit or guessed password exploit can happen on any platform.

If your machine has the LANMAN ports open to the public internet, then other exploits are possible.

A virus infection can also allow complete remote control of a vulnerable machine.

Generally the first thing a cracker does when they get control of a machine is install back door programs and disable or modify the system logs.

Once a machine has been compromised, the only way to be sure it is clean is to quarantine the data on the disks, format or replace the disks, and install from fresh sources, bringing over only data files that contain no executable content, or scripts that can be manually inspected.

In some areas, for some businesses, the law requires that all persons that could have had confidential data accessed be notified of the security breach.

Note that the exploit could also be a multi-hop exploit by a different computer, so any insecure computer on your network can be a source.

Testing programs are available from http://dsbl.org/programs that allow you to test systems for vulnerabilities.

-John

Personal Opinion Only

Also, connected to the IP in question and attempted to send email and it would allow and returned unable to relay so it isn't a wide open server.

[quoting post 16199]

That test is not sufficient to determine if the mail server is open or compromised.

See the test programs at http://dsbl.org/programs for more comprehensive tests.

-John

Personal Opinion Only

Ellen, how do I find the information you posted here?

[quoting post 16166]

As has been said, even though you are not running Exchange this same exploit has been seen with other MTAs: basically a spammer guessing or cracking a name/password combo and authenticating on the server and then sending spam. The most commonly exploited accounts are administrator, admin, test, demo, guest, but of course others can also be exploited. The headers appear to indicate that this is what is happening. *However* it is always possible that the spammer has found an insecure proxy on your server and is spamming thru it, or has compromised the server or a machine NAT'd behind the server and is smarthosting thru the server.

Certainly changing all the passwords on all the accounts to strong passwords would be a good thing to do in general and specifically if the spammer is using an smtp/auth type exploit this would stop it. Obviously changing all the passwords and enforcing a strong password policy does tend to lead to a lot of screaming and running around ....

BTW there was another spamtrap hit today thru your IP :-(
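Ellen's list of commonly abused account names, together with the earlier advice to rank senders by volume and watch for a sudden increase per user, can be turned into a first-pass triage over the MTA's own log. The following is an added example, not a VOPMail feature and not from anyone in the thread. The log format is an assumption (one line per accepted authenticated message: date, time, authenticated user, client IP, recipient count); parse_line() is the only place that knows it, so it is the only part to adapt to the real server's log. The sample lines are constructed, with documentation IPs. The "many distinct client IPs" signal is an added heuristic of mine: a single customer account authenticating from unrelated networks within hours is what a shared or cracked password tends to look like.

```python
"""Triage of SMTP AUTH senders from an MTA log (added example, not VOPMail code)."""
from collections import defaultdict
from statistics import median

# Account names singled out in the thread as the most commonly abused.
DEFAULT_ACCOUNTS = {"administrator", "admin", "test", "demo", "guest"}

# Constructed sample in the assumed format: date time user client_ip recipients
SAMPLE_LOG = """\
2004-09-03 08:12:01 alice 192.0.2.11 1
2004-09-03 09:30:44 bob 192.0.2.12 2
2004-09-03 11:02:10 alice 192.0.2.11 1
2004-09-04 08:15:20 alice 192.0.2.11 2
2004-09-04 10:41:03 bob 192.0.2.12 1
2004-09-04 23:58:40 test 203.0.113.5 10
2004-09-05 00:03:12 test 203.0.113.5 45
2004-09-05 00:09:51 test 198.51.100.77 50
2004-09-05 00:15:30 test 203.0.113.9 60
2004-09-05 08:10:00 alice 192.0.2.11 1
2004-09-05 08:20:00 bob 192.0.2.12 3
2004-09-05 09:00:00 bob 192.0.2.12 1
"""


def parse_line(line):
    """Assumed log format; replace this for the real MTA's log."""
    date, _time, user, ip, nrcpt = line.split()
    return date, user.lower(), ip, int(nrcpt)


def daily_counts(log_text):
    """Return ({user: {date: recipients}}, {user: set of client IPs})."""
    per_day = defaultdict(lambda: defaultdict(int))
    ips = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, user, ip, nrcpt = parse_line(line)
        per_day[user][date] += nrcpt
        ips[user].add(ip)
    return per_day, ips


def rank_by_volume(per_day):
    """Largest sender first, as the thread suggests working through them."""
    totals = {user: sum(days.values()) for user, days in per_day.items()}
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def find_suspects(per_day, ips, day, spike_factor=5, min_recipients=20, many_ips=3):
    """Return {user: [reasons]} for accounts worth a look on `day`.

    A spike is `today` exceeding spike_factor times the user's own median of
    earlier days, with a floor so that 1 -> 6 recipients is not a spike."""
    suspects = defaultdict(list)
    for user, days in per_day.items():
        if user in DEFAULT_ACCOUNTS:
            suspects[user].append("default/shared account name authenticated")
        today = days.get(day, 0)
        history = [n for d, n in days.items() if d < day]
        baseline = median(history) if history else 0
        if today >= min_recipients and today > spike_factor * baseline:
            suspects[user].append("volume %d on %s vs. baseline %g" % (today, day, baseline))
        if len(ips[user]) >= many_ips:
            suspects[user].append("authenticated from %d distinct client IPs" % len(ips[user]))
    return dict(suspects)


if __name__ == "__main__":
    per_day, ips = daily_counts(SAMPLE_LOG)
    for user, total in rank_by_volume(per_day):
        print("%-14s %5d recipients" % (user, total))
    for user, reasons in find_suspects(per_day, ips, "2004-09-05").items():
        print(user, "->", "; ".join(reasons))
```

Run against the sample, "test" comes out on top of the volume ranking and is the only account flagged, for all three reasons at once. On a real server with thousands of users the ranking alone is the useful part: the handful of accounts at the top of it are the ones to expire passwords on first, whatever the rest of the investigation turns up.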

Ellen, how do I find the information you posted here?

[quoting post 16166]

Let me quickly answer this one. Unfortunately you can't. This type of data used to be accessible but then spammers began to use it to "game" the system and avoid being blocked. Then for a while a little bit of limited data was being shown on the listing page, but that too was being abused. So now all you can get is listed or not. Yes, I know that really sucks, but you can thank the spammers.

The only way to get this type of info is by contacting deputies at spamcop dot net when an issue occurs.


Thank you Ellen, I am attempting to find which account they are using but have not had much luck yet. Are there tools available which will help me in this task?

