Jump to content
Sign in to follow this  
m57rm

Need Help getting off blacklist

Recommended Posts

We have done the test for open relay and we are not an open relay and yet we are still blacklisted. We have changed ip address twice (12.162.1.172 and 12.162.1.171) and still keep getting on the blacklist. How can we get off the blacklist permanently? We have scanned our users for viruses and worms and everybody is clean. We also have restricted the routing to only our internal ip address. Where is this spam coming from?

Your help is appreciated.

Share this post


Link to post
Share on other sites
12.162.1.172 listed in bl.spamcop.net (127.0.0.2)

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

Listing History

It has been listed for 4.3 days.

Other hosts in this "neighborhood" with spam reports

12.162.1.171

Looks like you may have suffered an attack. Have you read the pinned FAQs? They will point you to the possible reasons you are blocked and ways to fix it, they were put there for people like you. If you still have questions after you read them, plenty of people here will give you further assistance. spam trap hits are a bad sign, but they may be caused by misconfigured bounces as well.

PS. You are also showing a large increase in traffic, that is also a bad sign!!:

Report on IP address: 12.162.1.172 

Volume Statistics for this IP 

Magnitude Vol Change vs. Average

Last day 3.4 4007%

Last 30 days 2.9 1178%

Average 1.7 

Edited by dra007

Share this post


Link to post
Share on other sites
We have done the test for open relay and we are not an open relay and yet we are still blacklisted.  We have changed ip address twice (12.162.1.172 and 12.162.1.171) and still keep getting on the blacklist. How can we get off the blacklist permanently?  We have scanned our users for viruses and worms and everybody is clean.  We also have restricted the routing to only our internal ip address.

Looks like you have changed your server again.

Spamcop is not a list of open relays but a list of IP's that have been reported for being the source of spam

Where is this spam coming from?

Your help is appreciated.

18307[/snapback]

Maybe it's you. You cannot send stuff to people who have not requested it.

It's all about conSent not conTent

Share this post


Link to post
Share on other sites

10/05/04 17:42:01 Slow traceroute 12.162.1.172

Trace 12.162.1.172 ...

12.123.213.17 RTT: 67ms TTL: 48 (ar2-p3110.rd2ca.ip.att.net bogus rDNS: host not found [authoritative])

12.119.240.158 RTT: 75ms TTL: 48 (No rDNS)

12.162.1.172 RTT: 76ms TTL: 52 (exchange.asmnc.com ok)

10/05/04 17:45:00 Browsing http://12.162.1.172/

Fetching http://12.162.1.172/ ...

GET / HTTP/1.1

Host: 12.162.1.172

Server: Microsoft-IIS/5.0

<HTML>

<!--Microsoft Outlook Web Access-->

<!--default.htm-->

<!--Copyright © Microsoft Corporation 1993-1997. All rights reserved.-->

<META HTTP-EQUIV="REFRESH" CONTENT="0; URL=/exchange/logon.asp">

All together now, can we say SMTP/AUTH hack just one more time?

Please, keep right on changing the IP address, that is certainly the most recommended "fix" for the use of an Exchange server put directly onto the Internet. Please try to read at least some of the FAQ here .. if you don't believe what you find there, I'll suggest Google.

Share this post


Link to post
Share on other sites
I tried a few ID/PW combinations, the most common were disabled!

18319[/snapback]

I am thinking in another direction but I might be wrong.

I am probably wrong maybe it is an SMTP Auth hack

220 exchange1.asmnc.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2653.13) ready

YUP! Someone has usercode/password access to it...

Sure are a lot of sites pointing to the same site:

ACSM.COM

ASMAGENCY.COM

ASMCO.COM

ASMDEN.COM

ASMNC2.COM

ASMNET.COM

ASMPHX.COM

ASMSC.COM

ASMSCB.COM

ASMSLC.COM

JNJSLC.COM

MARKETINGSLS.COM

PROMOPOINTMARKETING.COM

Edited by Merlyn

Share this post


Link to post
Share on other sites
I am thinking in another direction but I might be wrong.

I am probably wrong maybe it is an SMTP Auth hack

220 exchange1.asmnc.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2653.13) ready

YUP!  Someone has usercode/password access to it...

18321[/snapback]

Funny, maybe I will send some V?A/G/R/A ....

PS. Looks like another PYRAMID scheme!

Edited by dra007

Share this post


Link to post
Share on other sites
We also have restricted the routing to only our internal ip address. Where is this spam coming from?

18307[/snapback]

Doesn't look like your routing configuration worked. You'll want to look at your firewall logs (you have a firewall, right?) You'll want to look at your mail server logs... If properly configured it will show all the mail that it's been sending. In the mean time you'll want to make sure that there is a non-trivial password for EVERY account on the server. I suggest that you disable the admin, test, guest, etc accounts.

Here's some evidence that I was able to dig up...

Subject: PENI||S EN1lIARGEMENT

Received: from screens (200.82.178.140 [200.82.178.140]) by exchange1.asmnc.com ... Tue, 5 Oct 2004 12:56:49 -0700

Subject: |NCREASE YOUR PEN1lS SIZE!

Received: from screens (200.82.178.140 [200.82.178.140]) by exchange1.asmnc.com ... Tue, 5 Oct 2004 13:33:36 -0700

Subject: MAX|MUM EXP0OSURE

Received: from micro (200.5.234.3 [200.5.234.3]) by exchange1.asmnc.com ... Tue, 5 Oct 2004 23:44:42 -0700

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×