I'm not a spammer


smomanaz

We are a small company that runs a Win2K3/Exchange 2K3 server that I believe IS NOT allowing open relay. Many of my clients' emails are rejecting us because of an association to an FTP server, at a different address than our mail server.

Can someone at SpamCop please identify our addresses as not having an open relay, and remove us from the list??

208.14.80.199 is our mail server...

208.142.80.201 was our FTP server that I have shut down.

Any questions......... please contact me asap

itman[at]summitbuilders.com

Currently, Query bl.spamcop.net - 208.14.80.199

208.14.80.199 not listed in bl.spamcop.net

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 0.0 -100%

Last 30 days 0.0 -100%

Average 0.0

Query bl.spamcop.net - 208.142.80.199

208.142.80.199 not listed in bl.spamcop.net

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 0.0 -100%

Last 30 days 0.0 -100%

Average 2.0

Query bl.spamcop.net - 208.142.80.201

208.142.80.201 listed in bl.spamcop.net (127.0.0.2)

Causes of listing

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

DNS error: 208.142.80.201 has no reverse dns

Listing History

It has been listed for less than 24 hours.

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 3.8 3338%

Last 30 days 2.8 270%

Average 2.3

I'm wondering if you have your IPs mixed up. You obviously haven't looked at the FAQ or read any of the recent Topics that also deal with hooking an Exchange server directly to the 'net' .... The second IP above belongs to a machine that has been compromised. Please look at the FAQ item labelled "Read before Posting" and try again.

Ah...you DID have a typo in your mail server IP....it should have been:

208.142.80.199

(and I see that you're using MX Logic's email defense system for your incoming messages....I've just started experimenting with that, but my hosting provider is using the TUCOWS reseller version and it's got problems)

DT

My exchange is the 199.... the 201 was the FTP.. I don't know how spamcop would have cut off our Exchange server for an activity not on the same address....

And again, the FAQ would have explained that SpamCop has no such power to begin with. SpamCop also does not deal with FTP. I am no longer wondering about the confusion of IPs ... your roadmap is wrong. 201 is kicking out e-mail, so if it's not the Exchange server, you've got a seriously screwed machine sitting there.

My exchange is the 199.... the 201 was the FTP.. I don't know how spamcop would have cut off our Exchange server for an activity not on the same address....

Well...seeing that SpamCop users have reported the FTP IP as a source of spam, I'd say that there's something goofy with your server configs, and that perhaps whatever services exist on that IP include some that are capable of being used by spammers.

Or, here's another scenario....if you've got a particular machine that's dedicated as an FTP server that was assigned to that IP address, and that machine was compromised, perhaps by a trojan, making it a "spam zombie," then it's conceivable that the machine could have been cranking out spam without your knowledge and that's how it got reported.

I'm a choir director in AZ....not a server admin, but maybe I've presented a logical scenario?

BTW, SpamCop doesn't block ANYTHING at all. SpamCop has a DNS BL that ISPs can query and some of them use it as a blocking tool....just to make that clear.

DT
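The DNSBL lookup DT describes, as an added example that is not part of the original thread: a receiving mail server reverses the sender's IPv4 octets, queries that name under the list's zone, and treats an answer in 127.0.0.0/8 (the 127.0.0.2 shown in the query results above) as "listed". The `sample_resolver` data is constructed to mirror those results so the block runs offline; pass `system_resolver` for a live lookup.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers live here

def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def system_resolver(name):
    """Live A-record lookup. None means no answer, which a DNSBL client
    reads as not listed (note that a resolver failure looks the same)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_listing(ip, resolver=system_resolver, zone="bl.spamcop.net"):
    """Return (listed, answer). Only an answer inside 127.0.0.0/8 counts;
    anything else (e.g. a resolver that rewrites NXDOMAIN) is ignored."""
    answer = resolver(dnsbl_query_name(ip, zone))
    if answer is None:
        return (False, None)
    return (ipaddress.IPv4Address(answer) in LISTED_NET, answer)

# Constructed stand-in for DNS, mirroring the query results quoted in this
# thread, so the example runs offline.
SAMPLE_ZONE = {"201.80.142.208.bl.spamcop.net": "127.0.0.2"}

def sample_resolver(name):
    return SAMPLE_ZONE.get(name)

def audit(ips, resolver=sample_resolver):
    """Check each address and return {ip: (listed, answer)}."""
    return {ip: check_listing(ip, resolver) for ip in ips}

if __name__ == "__main__":
    for ip, (listed, answer) in audit(["208.142.80.199", "208.142.80.201"]).items():
        print(f"{ip}: {'listed ' + answer if listed else 'not listed'}")
```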

More on your "FTP IP":

The Senderbase report is pretty scary:

http://www.senderbase.org/?searchBy=ipaddr...=208.142.80.201

That machine is cranking out email....I'd reformat the HD and start from scratch, and then change the way you've got things configured so that it doesn't happen again.

Furthermore, someone has been surfing the web this summer from that IP address...it shows up in the web stats on 06 Jul 2004 - 14:48 for:

http://www.cycletrailerrental.com/

which rents and sells motorcycle trailers in Tampa Bay, Florida. Have you got a "travelling biker" in the office there at Summit? :-)

DT

The configuration on these machines is really messed up. Were you listed on 199 and couldn't figure out your problem so you switched servers and now 201 is listed???? Or are they the same machine <_<

(Notice on both the internal IP is 192.168.1.20)

Let's see:

208.142.80.201 listed in bl.spamcop.net (127.0.0.2)

Let's check the machine:

208.142.80.201

SMTP - 25 220 exchange.inside.summitbuilders.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at Thu, 2 Sep 2004 15:12:13 -0700

HTTP - 80 HTTP/1.1 200 OK

Content-Length: 1433

Content-Type: text/html

Content-Location: http://192.168.1.20/iisstart.htm

Last-Modified: Sat, 22 Feb 2003 01:48:30 GMT

Accept-Ranges: bytes

ETag: "06be97f14dac21:7fd1"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 02 Sep 2004 22:12:13 GMT

Connection: close

You probably have been hacked by the smtp auth hack:

Your exchange server may be relaying spam for spammers.

Please see this faq for information about the exploit and how to fix the problem:

http://news.spamcop.net/cgi-bin/fom?file=372

And the following

http://www.winnetmag.com/article/articleid/40507/40507.html

http://www.winnetmag.com/article/articleid/42406/42406.html

208.142.80.199 is not listed.

Let's check the machine anyhow:

208.142.80.199

SMTP - 25 220 exchange.inside.summitbuilders.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at Thu, 2 Sep 2004 15:18:36 -0700

HTTP - 80 HTTP/1.1 200 OK

Content-Length: 1433

Content-Type: text/html

Content-Location: http://192.168.1.20/iisstart.htm

Last-Modified: Sat, 22 Feb 2003 01:48:30 GMT

Accept-Ranges: bytes

ETag: "06be97f14dac21:7fd1"

Server: Microsoft-IIS/6.0

X-Powered-By: ASP.NET

Date: Thu, 02 Sep 2004 22:18:36 GMT

Connection: close

You have the exchange server running on Both of them!!!!!!!!!!!!!!!

They are probably both hacked.

You should disconnect them from the web (It's the little wire in back) until you can either fix them or hire someone who can.
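The comparison made in the post above, as an added example that is not part of the original thread: it parses probe output in the format quoted there, flags a private address exposed in `Content-Location`, and reports public IPs whose SMTP hostname, `Content-Location` and `ETag` all match, which suggests one machine behind both addresses. The sample text is constructed from the two outputs quoted in the post, trimmed to the fields used; function names are illustrative.

```python
import ipaddress
import re
from urllib.parse import urlparse

HEADERS = (("content_location", "Content-Location"), ("etag", "ETag"))

def parse_probe(text):
    """Pull the identifying fields out of one address's SMTP/HTTP probe output."""
    fp = {}
    m = re.search(r"^SMTP - 25 220 (\S+)", text, re.M)
    if m:
        fp["smtp_host"] = m.group(1)  # hostname announced in the 220 banner
    for key, header in HEADERS:
        m = re.search(rf"^{header}:\s*(.+?)\s*$", text, re.M | re.I)
        if m:
            fp[key] = m.group(1)
    return fp

def leaked_private_ip(fp):
    """Return the private address exposed in Content-Location, or None."""
    host = urlparse(fp.get("content_location", "")).hostname
    try:
        addr = ipaddress.ip_address(host or "")
    except ValueError:  # header missing, or the host is a name rather than an IP
        return None
    return str(addr) if addr.is_private else None

def same_backend(a, b, fields=("smtp_host", "content_location", "etag")):
    """True only when every field is present in both fingerprints and equal."""
    return all(f in a and a[f] == b.get(f) for f in fields)

def compare(probes):
    """probes: {public_ip: probe_text}. Returns leaks and matching IP pairs."""
    fps = {ip: parse_probe(text) for ip, text in probes.items()}
    ips = sorted(fps)
    leaks = {ip: leaked_private_ip(fps[ip]) for ip in ips if leaked_private_ip(fps[ip])}
    shared = [(a, b) for i, a in enumerate(ips) for b in ips[i + 1:]
              if same_backend(fps[a], fps[b])]
    return {"leaks": leaks, "shared": shared}

def sample_probe(smtp_time):
    """Constructed sample: the output quoted in the post, trimmed."""
    return ("SMTP - 25 220 exchange.inside.summitbuilders.com Microsoft ESMTP MAIL "
            f"Service, Version: 6.0.3790.0 ready at {smtp_time}\n"
            "HTTP - 80 HTTP/1.1 200 OK\n"
            "Content-Location: http://192.168.1.20/iisstart.htm\n"
            'ETag: "06be97f14dac21:7fd1"\n')

SAMPLE = {"208.142.80.201": sample_probe("Thu, 2 Sep 2004 15:12:13 -0700"),
          "208.142.80.199": sample_probe("Thu, 2 Sep 2004 15:18:36 -0700")}
```

`compare(SAMPLE)` reports both addresses exposing 192.168.1.20 and the pair as sharing one backend; the differing banner timestamps are ignored because only the hostname is captured.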

Sorry Guys,..

What I am being told is spam from me is..

208.142.80.201

It is from Savvis which was Cable and Wireless

IP 208.142.80.199 is not listed and has had no reports or listings for the last 30 days.

IP 208.142.80.201 -- you apparently have/had exchange running on that server and it is being exploited by spammers using the SMTP/AUTH exploit; see these faqs:

http://news.spamcop.net/cgi-bin/fom?file=372

http://www.winnetmag.com/article/articleid/40507/40507.html

http://www.winnetmag.com/article/articleid/42406/42406.html

http://support.microsoft.com/default.aspx?...;EN-US;324958#4

You need to secure this server. IP 208.142.80.201 is listed.

Archived

This topic is now archived and is closed to further replies.