JohnLangerud

I'm intermittently showing up on your list


I’m working on a Windows 2000 SBS with Exchange 2000. The Exchange system is set to not send NDRs.

A couple of weeks ago I tried to send to my personal email and received the following:

You do not have permission to send to this recipient. For assistance, contact your system administrator.

<Eclipse01.extranet.eclipsesolutions.com #5.7.1 smtp;550 5.7.1 Rejected: 209.76.48.243 listed at bl.spamcop.net>

I came here (The spamcop forum) and searched around a bit.

The SpamCop query results are:

209.76.48.243 listed in bl.spamcop.net (127.0.0.2)

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Additional potential problems

(these factors do not directly result in spamcop listing)

Listing History

In the past 15.1 days, it has been listed 3 times for a total of 7.6 days

The informational page states “If the blocklist only lists spamtraps, then auto responses are the likely culprit.”

I have submitted our IP address to the ORDB site and requested a test of this address. It is not listed there.

A few days later e-mail to my personal e-mail address went through just fine. Today it will not go again.

Obviously I/we have something going on here that is causing us to be placed on your list, then we are clearing again after the 48 hours stated in your FAQs.

What I’m looking for here is where to look now. Are the Autoresponders mentioned the “Outlook Out-of-Office” replies that users may invoke when they are off on vacation or some such? Are rejected spams creating this condition?

I’m really at a loss here and looking for anything you can suggest to keep this system clear and off your list.

Thank you

John Langerud
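
The lookup behind the query result quoted in this post can be scripted so that an admin sees a relisting before the next bounce does. This is an added example, not part of the original post: it pulls the IP and list name out of a rejection line like the one above, builds the DNSBL query name (IPv4 octets reversed, then the list's zone), and reads a 127.0.0.x answer as "listed". The function names are illustrative, and treating any 127.0.0.0/8 answer as a listing is an assumption generalized from the 127.0.0.2 shown in the query result.

```python
import ipaddress
import re
import socket

# Matches rejection text shaped like the bounce in the post:
# "Rejected: <ip> listed at <zone>"
REJECT_RE = re.compile(
    r"Rejected:\s*(\d{1,3}(?:\.\d{1,3}){3})\s+listed at\s+([A-Za-z0-9.-]*[A-Za-z0-9])")
# Resolver error codes that mean "name does not exist", i.e. not listed
NOT_FOUND = {getattr(socket, n) for n in ("EAI_NONAME", "EAI_NODATA") if hasattr(socket, n)}


def parse_rejection(text):
    """Return (ip, zone) named in a DNSBL rejection line, or None."""
    m = REJECT_RE.search(text)
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group(1))
    except ipaddress.AddressValueError:
        return None  # looked like an IP but is not one (e.g. octet > 255)
    return str(ip), m.group(2).lower()


def dnsbl_name(ip, zone):
    """Build the query name: IPv4 octets reversed, followed by the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def check_listing(ip, zone, resolve=socket.gethostbyname):
    """Return the 127.0.0.x answer if listed, None if the name does not exist.

    Any other resolver failure is re-raised so that a DNS outage is not
    mistaken for a clean result.
    """
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror as exc:
        if exc.errno in NOT_FOUND:
            return None
        raise
    # Assumption: only answers inside 127.0.0.0/8 count as a listing.
    if ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return answer
    return None


if __name__ == "__main__":
    hit = parse_rejection("550 5.7.1 Rejected: 209.76.48.243 listed at bl.spamcop.net")
    # Constructed resolver answer standing in for live DNS, so this runs offline.
    print(dnsbl_name(*hit), "->", check_listing(*hit, resolve=lambda name: "127.0.0.2"))
```

Dropping the `resolve` argument makes `check_listing` use the system resolver, which is what a scheduled check of your own outbound IP would do.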


Your exchange server is probably being used by spammers using the SMTP/AUTH exploit:

Someone has used your Guest Account or logged on via another account.

See:

http://news.spamcop.net/cgi-bin/fom?file=372

http://www.winnetmag.com/article/articleid/40507/40507.html

http://www.winnetmag.com/article/articleid/42406/42406.html

http://support.microsoft.com/default.aspx?...;EN-US;324958#4

Good Luck


And just so we don't forget, there is a FAQ here, which also has a repeated Pinned item, both having a "read before Posting" comment that have much help offered up that's based on previous issues ... Exchange is famous for exploits ... try going through the FAQ and the Why am I Blocked item for sure.

> Your exchange server is probably being used by spammers using the SMTP/AUTH exploit:
>
> Someone has used your Guest Account or logged on via another account.

Looks like Merlyn is probably right. Senderbase shows a 1492% increase in mail sent in the last day. Someone is spewing from your server. Often what happens is the spew will stop now that the server is back on the BL and then as soon as it drops off, it'll start all over again.

--Louis

> What I’m looking for here is where to look now. Are the Autoresponders mentioned the “Outlook Out-of-Office” replies that users may invoke when they are off on vacation or some such? Are rejected spams creating this condition?
>
> I’m really at a loss here and looking for anything you can suggest to keep this system clear and off your list.
>
> Thank you
>
> John Langerud

Notwithstanding the possible SMTP/Auth hack, these out-of-office autoresponses can cause spamtrap hits and should be disabled (spammers spoil it for everyone). Good luck with fixing your server and thank you for your very positive attitude.

> Are rejected spams creating this condition?
>
> I’m really at a loss here and looking for anything you can suggest to keep this system clear and off your list.

You seem to have read about the SMTP/AUTH exploit and that is the main cause. I hope you found the help links to correct that. If not, someone can point them out to you.

However, 'bouncing' spam to the 'From' or return path is a very bad idea. It shouldn't get you on the spamcop bl unless the bounces hit the spam traps (which is likely since spammers use the spam trap addresses), but spamcop reporters are not allowed to report the bounces. Most reporters hate (and that is putting it mildly) bounces because they cannot be reported without a lot of trouble. Occasionally, if the spammer uses one domain name or one email address, it can make life very difficult for some poor server admin. (all 10000+ are being bounced to one person!)

Good luck on finding the source and making sure that it doesn't happen again by correcting these autoresponse situations.

Miss Betsy

> I thought I had read all the FAQs. I must just have missed it. Sorry.

Yes it appears to be the SMTP/AUTH exploit and it has been going on since at least mid-September.
