AdamWHughes

My IP is listed but Spamcop doesn't say why


Query bl.spamcop.net - 209.58.200.92

(Help) (Trace IP) (Senderbase lookup)

209.58.200.92 listed in bl.spamcop.net (127.0.0.2)

Causes of listing

Additional potential problems

(these factors do not directly result in spamcop listing)

Listing History

It has been listed for less than 24 hours.

Other hosts in this "neighborhood" with spam reports

209.58.201.60

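As an added example (not part of the original thread, and not SpamCop's own code): the "listed in bl.spamcop.net (127.0.0.2)" line in the post above corresponds to a DNS blocklist lookup, where the IPv4 octets are reversed, the zone is appended, and an A record inside 127.0.0.0/8 means the address is listed. The `resolve` parameter and the stand-in resolver data are assumptions introduced so the example runs offline.

```python
import ipaddress
import socket

ZONE = "bl.spamcop.net"  # zone named in the post
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_name(ip, zone=ZONE):
    """Query name for an IPv4 address: octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Return the A records for name, or [] if the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        no_answer = (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None))
        if exc.errno in no_answer:
            return []  # NXDOMAIN / no data: the address is not listed
        raise  # timeout or SERVFAIL: result unknown, never report "clean"
    return sorted({info[4][0] for info in infos})


def check_listing(ip, zone=ZONE, resolve=system_resolver):
    """Return (listed, codes); only answers inside 127.0.0.0/8 count."""
    answers = resolve(dnsbl_name(ip, zone))
    # A resolver that rewrites NXDOMAIN to a landing-page address would
    # otherwise make every IP look listed, so non-127/8 answers are ignored.
    codes = [a for a in answers if ipaddress.ip_address(a) in LOOPBACK]
    return bool(codes), codes


if __name__ == "__main__":
    # Constructed resolver data standing in for DNS so the demo runs offline.
    fake = {"92.200.58.209.bl.spamcop.net": ["127.0.0.2"]}
    print(check_listing("209.58.200.92", resolve=lambda n: fake.get(n, [])))
```
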

Hi, AdamWHughes!

...Some standard answers I have seen to inquiries like yours:

  • The SpamCop "check block" page you viewed no longer provides real-time information, as it was being used by spammers.
  • Sometimes ISPs and e-mail providers use several block lists and send out a generic message saying an IP address was blocked due to SpamCop when in fact it was blocked due to some other block list.
  • The SpamCop blocklist is so dynamic that it is possible the IP address was listed at some point but has fallen off the list because there have been no recent (which could mean in as little as about 90 minutes) reports.

...IIUC, SpamCop reports for this IP address go to abuse[at]primushost.com (I found this by clicking the "Trace IP" list on the check block page), so that abuse address should have information on any SpamCop reports.

...Your final resort is to contact the SpamCop deputies (deputies <at> spamcop <dot> net), as they are the only ones who have access to the live database.

...Good luck!

> Query bl.spamcop.net - 209.58.200.92
>
> (Help) (Trace IP) (Senderbase lookup)
>
> 209.58.200.92 listed in bl.spamcop.net (127.0.0.2)
>
> Causes of listing
>
> Additional potential problems
>
> (these factors do not directly result in spamcop listing)
>
> Listing History
>
> It has been listed for less than 24 hours.
>
> Other hosts in this "neighborhood" with spam reports
>
> 209.58.201.60

Sometimes the details run behind reality.

Check out: http://www.senderbase.org/?searchBy=ipaddr...g=209.58.200.92

10000% increase in mail from that IP address in the last day.

Looks like you are running Exchange. Chances are you're a victim of an SMTP AUTH HACK. Please read the FAQ: http://www.spamcop.net/fom-serve/cache/372.html


I thought you must have made a typo .. Wow! and in reference to Steve's question on the Senderbase update period .. here's a reference .. at the time of this posting, Senderbase was showing 10442% for the "today" data .... talk about getting hammered ...


How'd you know that? This poster didn't hit here until after 1700 this evening ... says it's his first post ... another poster addressing the same IP?


Sorry, my question about the senderbase stats was made in the thread where senderbase was showing +13000%. I did not look back to see that my post was in the same thread I was posting in this time.


canonical name mail.egancapital.com.

addresses 209.58.200.92

220 eganex.local.egancapital.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Sat, 2 Oct 2004 00:47:03 -0400

Definitely an SMTP AUTH hack....

They should pull the plug until it gets fixed.

The funny thing is their front page says

"Leveraging our collective experience in computer technologies."

Now that's scary.........

Edited by Merlyn


And again for Steven's Senderbase update points .. at the time of this posting, this IP showed 10467% for the daily data.


I had suspected an auth attack when I originally posted. So I took action against it. I found that there were several unknown accounts which are now disabled. I changed the passwords for the accounts that were necessary and disabled the guest account which was at one point disabled (pitfalls of multiple people with admin access I guess).

Very sketchy. Anyway the number of NDRs that are coming back to me has subsided. For a time they were coming every min or so, at this point they have stopped. I blew away my SMTP server with a bunch of retry crap in it and created a new one to see if I finally have this thing stopped.

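The signs described in the post above (unknown accounts, an enabled guest account, a burst of outbound mail) can be checked against a mail server's record of authenticated SMTP sessions. This added example is not from the thread; the log format, account names, internal network and recipient threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, hypothetical format: one line per authenticated session.
SAMPLE_LOG = """\
2004-10-01 09:12:44 client=10.0.0.21 user=alice rcpts=2
2004-10-01 09:40:03 client=10.0.0.35 user=bob rcpts=1
2004-10-01 23:58:07 client=203.0.113.45 user=Guest rcpts=50
2004-10-01 23:58:31 client=203.0.113.45 user=Guest rcpts=50
2004-10-01 23:59:02 client=198.51.100.9 user=svc_tmp rcpts=50
2004-10-02 00:01:15 client=198.51.100.9 user=alice rcpts=50
"""


def parse(line):
    """Split one sample line into timestamp, client IP, user and recipients."""
    date, time, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return {"ts": f"{date} {time}",
            "client": ipaddress.ip_address(rec["client"]),
            "user": rec["user"].lower(),
            "rcpts": int(rec["rcpts"])}


def audit(log_text, known_accounts, internal_net, max_external_rcpts=20):
    """Map each suspicious account to the sorted reasons it was flagged."""
    net = ipaddress.ip_network(internal_net)
    known = {a.lower() for a in known_accounts}
    external_rcpts = defaultdict(int)
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        user = rec["user"]
        if user == "guest":
            findings[user].add("built-in guest account authenticated")
        elif user not in known:
            findings[user].add("account not in known list")
        if rec["client"] not in net:
            external_rcpts[user] += rec["rcpts"]
    # A known account relaying in bulk from outside suggests a guessed password.
    for user, total in external_rcpts.items():
        if total > max_external_rcpts:
            findings[user].add(f"{total} recipients from outside {net}")
    return {user: sorted(reasons) for user, reasons in findings.items()}
```

Accounts flagged only for external volume are the ones whose passwords need changing; the unknown and guest accounts are the ones to disable.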

Did any of the NDR's have the original spam attached?

Would be nice to know the spamvertised link so we can trace it to the criminal that stole your resources. It is now a federal offense with jail time I believe.

Your legal beagles could also use that info.


At the time of this posting, Senderbase is still showing 10467% ... so at least it hasn't increased since midnight, and it's only been about an hour since the OP posted that things had been changed at the server ....

> Did any of the NDR's have the original spam attached?
>
> Would be nice to know the spamvertised link so we can trace it to the criminal that stole your resources. It is now a federal offense with jail time I believe.
>
> Your legal beagles could also use that info.

No, none of the NDR's had the spam attached. I just checked my queues, so far so good. Spamcop says your server will come off the list in 48 hours, is that working as it should?

> No, none of the NDR's had the spam attached. I just checked my queues, so far so good. Spamcop says your server will come off the list in 48 hours, is that working as it should?

That's 1.5 - 48hrs after the last report. If you've not been listed before it ought to tend to the lower figure. It's a complicated formula! The deputies on deputies <at> spamcop <dot> net have access to the time of last report and the time due to de-list.

> No, none of the NDR's had the spam attached. I just checked my queues, so far so good. Spamcop says your server will come off the list in 48 hours, is that working as it should?

It's the usual pills spam -- same old, same old. The urls vary. Your IP will delist before noon tomorrow if there are no further reports.

> It's the usual pills spam -- same old, same old. The urls vary. Your IP will delist before noon tomorrow if there are no further reports.

AIUI half of spamcop is one coast of the USA, half on t'other. I'm in the UK and 'we' are spread all over the world. Whaddyamean 'noon' Ellen?

Edited by Derek T


As of 0935 GMT -5; 209.58.200.92 not listed in bl.spamcop.net

And SenderBase is showing 0 magnitude ... -100% for last 24 hour rate

> AIUI half of spamcop is one coast of the USA, half on t'other. I'm in the UK and 'we' are spread all over the world. Whaddyamean 'noon' Ellen?

Well I am in -0400 and never get the conversions right so either you have to accept "noon" as my "noon" or trust that I haven't come up with some totally random (converted) time :-)
