Jump to content

Need Help getting off blacklist

m57rm

By m57rm
in SpamCop Blocklist Help

Recommended Posts

m57rm Newbie

m57rm

Posted
Posted

We have done the test for open relay and we are not an open relay and yet we are still blacklisted. We have changed ip address twice (12.162.1.172 and 12.162.1.171) and still keep getting on the blacklist. How can we get off the blacklist permanently? We have scanned our users for viruses and worms and everybody is clean. We also have restricted the routing to only our internal ip address. Where is this spam coming from?

Your help is appreciated.

Link to comment
Share on other sites
dra007 Been There

dra007

Posted
Posted
12.162.1.172 listed in bl.spamcop.net (127.0.0.2)

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

Listing History

It has been listed for 4.3 days.

Other hosts in this "neighborhood" with spam reports

12.162.1.171

Looks like you may have suffered an attack. Have you read the pinned FAQs? They will point you to the possible reasons you are blocked and ways to fix it, they were put there for people like you. If you still have questions after you read them, plenty of people here will give you further assistance. spam trap hits are a bad sign, but they may be caused by misconfigured bounces as well.

PS. You are also showing a large increase in traffic, that is also a bad sign!!:

Report on IP address: 12.162.1.172 

Volume Statistics for this IP 

Magnitude Vol Change vs. Average

Last day 3.4 4007%

Last 30 days 2.9 1178%

Average 1.7 

Link to comment
Share on other sites
Merlyn Been There

Merlyn

Posted
Posted
We have done the test for open relay and we are not an open relay and yet we are still blacklisted.  We have changed ip address twice (12.162.1.172 and 12.162.1.171) and still keep getting on the blacklist. How can we get off the blacklist permanently?  We have scanned our users for viruses and worms and everybody is clean.  We also have restricted the routing to only our internal ip address.

Looks like you have changed your server again.

Spamcop is not a list of open relays but a list of IP's that have been reported for being the source of spam

Where is this spam coming from?

Your help is appreciated.

18307[/snapback]

Maybe it's you. You cannot send stuff to people who have not requested it.

It's all about conSent not conTent

Link to comment
Share on other sites
Wazoo What Life?

Wazoo

Posted
Posted

10/05/04 17:42:01 Slow traceroute 12.162.1.172

Trace 12.162.1.172 ...

12.123.213.17 RTT: 67ms TTL: 48 (ar2-p3110.rd2ca.ip.att.net bogus rDNS: host not found [authoritative])

12.119.240.158 RTT: 75ms TTL: 48 (No rDNS)

12.162.1.172 RTT: 76ms TTL: 52 (exchange.asmnc.com ok)

10/05/04 17:45:00 Browsing http://12.162.1.172/

Fetching http://12.162.1.172/ ...

GET / HTTP/1.1

Host: 12.162.1.172

Server: Microsoft-IIS/5.0

<HTML>

<!--Microsoft Outlook Web Access-->

<!--default.htm-->

<!--Copyright © Microsoft Corporation 1993-1997. All rights reserved.-->

<META HTTP-EQUIV="REFRESH" CONTENT="0; URL=/exchange/logon.asp">

All together now, can we say SMTP/AUTH hack just one more time?

Please, keep right on changing the IP address, that is certainly the most recommended "fix" for the use of an Exchange server put directly onto the Internet. Please try to read at least some of the FAQ here .. if you don't believe what you find there, I'll suggest Google.

Link to comment
Share on other sites
Merlyn Been There

Merlyn

Posted
Posted
I tried a few ID/PW combinations, the most common were disabled!

18319[/snapback]

I am thinking in another direction but I might be wrong.

I am probably wrong maybe it is an SMTP Auth hack

220 exchange1.asmnc.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2653.13) ready

YUP! Someone has usercode/password access to it...

Sure are a lot of sites pointing to the same site:

ACSM.COM

ASMAGENCY.COM

ASMCO.COM

ASMDEN.COM

ASMNC2.COM

ASMNET.COM

ASMPHX.COM

ASMSC.COM

ASMSCB.COM

ASMSLC.COM

JNJSLC.COM

MARKETINGSLS.COM

PROMOPOINTMARKETING.COM

Link to comment
Share on other sites
dra007 Been There

dra007

Posted
Posted
I am thinking in another direction but I might be wrong.

I am probably wrong maybe it is an SMTP Auth hack

220 exchange1.asmnc.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2653.13) ready

YUP!  Someone has usercode/password access to it...

18321[/snapback]

Funny, maybe I will send some V?A/G/R/A ....

PS. Looks like another PYRAMID scheme!

Link to comment
Share on other sites
Chris Parker Advanced Member

Chris Parker

Posted
Posted
We also have restricted the routing to only our internal ip address. Where is this spam coming from?

18307[/snapback]

Doesn't look like your routing configuration worked. You'll want to look at your firewall logs (you have a firewall, right?) You'll want to look at your mail server logs... If properly configured it will show all the mail that it's been sending. In the mean time you'll want to make sure that there is a non-trivial password for EVERY account on the server. I suggest that you disable the admin, test, guest, etc accounts.

Here's some evidence that I was able to dig up...

Subject: PENI||S EN1lIARGEMENT

Received: from screens (200.82.178.140 [200.82.178.140]) by exchange1.asmnc.com ... Tue, 5 Oct 2004 12:56:49 -0700

Subject: |NCREASE YOUR PEN1lS SIZE!

Received: from screens (200.82.178.140 [200.82.178.140]) by exchange1.asmnc.com ... Tue, 5 Oct 2004 13:33:36 -0700

Subject: MAX|MUM EXP0OSURE

Received: from micro (200.5.234.3 [200.5.234.3]) by exchange1.asmnc.com ... Tue, 5 Oct 2004 23:44:42 -0700

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...