unblock my IP


helpline


Hi,

I don't want this to turn into any more of a flame fest. We need to get a couple of things straight.

I apologise for this ticket being raised by helpdesk. Helpdesk had not read the FAQ and therefore did not realise the blocking is removed automatically.

The box has in no way been compromised. The reports of a Backdoor.Xibo virus were not correct. First of all, Backdoor.Xibo only affects Windows machines, and the machine listed in SPAMCop is a Linux machine.

The spam was being sent out by a customer of ours who had created a PHP script to send the spam out to individuals. Once we found the account that was the culprit, we turned it off.

We take spam seriously here and do our best to prevent our boxes from being used for spam. We receive enough of it ourselves :( Unfortunately we have to allow our customers to run scripts, which then opens us up to abuse of our services. To prevent spam we do not allow SMTP, and so looking in the firewall logs will have no bearing on the origin of this spam. As mentioned earlier, the spam was being sent via a script, and being a web host we get a lot of people connecting to our box over port 80.

We have also adjusted the DNS entries to match. Although, as mentioned on SPAMCop, this will make no difference to the listing.

Wazoo, yes the percentage has gone up but if you read the statistics it says that percentage for "the last day" has gone up. As I had only narrowed down the account causing issues just before I sent you a message, then this will not be reflected. You will see that drop down within the next day along with our listing in SPAMCop.

I asked to have this thread removed because of comments like "You may be using a hijacked/compromised machine. ", "I suggest that you unplug the network cable from the back of the machine until you figure out how to secure your machine. " Both these suggest that a server has been compromised, which is just not the case.


Well, I can't argue the story, you do make it interesting. However, your posting IP doesn't reflect any association with the original poster or the system in question, so I still don't have a clue as to who you are or what connection you have with any of this. Actually still waiting for the connection between 'helpline' and the system in question to be cleared up a bit.

Agree, if you managed to shut down the only issue, then yes, SpamCop will drop the IP from the DNSBL. However, Senderbase is still showing:

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day          4.8            1794%
Last 30 days      4.0             166%
Average           3.5

Yes, it's gone down from the 1941% of 16 hours ago, but I'd say that the jury is still out on whether the spew is actually stopped at this point. (Making a note to check again in a few hours and see if the decrease in the average continues.) http://psbl.surriel.com/listing?ip=66.216.122.76 does give the appearance that the e-bay phisher might have been stopped, though the removal and then more spamtrap hits feed into the above questionable situation.


> However, your posting IP doesn't reflect any association with the original poster or the system in question, so I still don't have a clue as to who you are or what connection you have with any of this. Actually still waiting for the connection between 'helpline' and the system in question to be cleared up a bit.

From his Time Zone, it would appear that "AdamF" is in London, where the "netpivotal.com" company is located. You'll note that he didn't confirm or deny that "Helpline" is from India and is from one of the ultra-cheap third-party tech support companies there.

DT


Here is one from yesterday:

From root[at]alicia.netpivotal.com Mon Oct 18 06:59:45 2004
Delivery-date: Mon, 18 Oct 2004 06:59:45 -0400
Received: from [66.216.122.76] (helo=alicia.netpivotal.com)
    by mail.victim.example with esmtp (Exim 4.41)
    id 1CJVEv-0000BX-BW
    for spamvictim; Mon, 18 Oct 2004 06:59:45 -0400
Received: (qmail 24347 invoked by uid 48); 18 Oct 2004 09:27:37 -0000
Date: 18 Oct 2004 09:27:37 -0000
To: munged
Subject: Important Notice From eBay inc.
From: eBay Billing <aw-confirm[at]eBay.com>
Reply-To: aw-confirm[at]eBay.com
MIME-Version: 1.0

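As an added example (not code from this thread or from SpamCop), a small Python triage script that walks the Received chain from the headers posted above and distinguishes a local qmail injection by a uid (a process on the box, such as a web script) from a remote SMTP client; the uid-to-account mapping is an assumption to be checked against the real host. It also shows why a blocklist ends up listing the server's own IP in such a case: the only network hop is the server itself.

```python
import re
from email import message_from_string

# Constructed sample: the Received chain from the post above, recipient side
# munged as in the post.
SAMPLE_HEADERS = """\
Received: from [66.216.122.76] (helo=alicia.netpivotal.com)
\tby mail.victim.example with esmtp (Exim 4.41)
\tfor spamvictim; Mon, 18 Oct 2004 06:59:45 -0400
Received: (qmail 24347 invoked by uid 48); 18 Oct 2004 09:27:37 -0000
Subject: Important Notice From eBay inc.

"""
# Assumption, not stated in the thread: uid 48 was the web server account on
# common Linux distributions of the period; confirm against /etc/passwd.
ASSUMED_UID_NAMES = {48: "web server (apache)"}

def parse_received(headers):
    """Received hops top-down; the last element is the earliest hop."""
    hops = []
    for body in message_from_string(headers).get_all("Received", []):
        m_ip = re.search(r"from \[?(\d+\.\d+\.\d+\.\d+)\]?", body)
        m_uid = re.search(r"\(qmail \d+ invoked by uid (\d+)\)", body)
        if m_ip:
            hops.append({"kind": "smtp", "ip": m_ip.group(1)})
        elif m_uid:
            hops.append({"kind": "local", "uid": int(m_uid.group(1))})
    return hops

def injection_point(headers):
    """Where the mail entered the chain. A local qmail injection by a uid means
    a process on the listed host sent it, so that host's own IP is what the
    blocklist sees even though no remote SMTP client ever connected to it."""
    hops = parse_received(headers)
    smtp_ips = [h["ip"] for h in hops if h["kind"] == "smtp"]
    if hops and hops[-1]["kind"] == "local":
        uid = hops[-1]["uid"]
        return {"source": "local-process", "uid": uid,
                "uid_name": ASSUMED_UID_NAMES.get(uid, "unknown"),
                "listed_ip": smtp_ips[0] if smtp_ips else None}
    if smtp_ips:
        return {"source": "remote-smtp", "ip": smtp_ips[-1]}
    return {"source": "unknown"}

if __name__ == "__main__":
    print(injection_point(SAMPLE_HEADERS))
```

On a real host the next step is correlating the qmail timestamp with the web server's access log for that uid's virtual hosts, which is where the offending account turns up.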

I admit that I don't know much about the workings of an email system. However, I thought that some trojans are able to infect Linux boxes. It is just unlikely because of the way that they are delivered.

Another idea that I had from reading this thread is that if there are a lot of customers connected to this server, then perhaps one of them may have an infected machine.

Of course, if the spam stops, then Adam did find the problem.

IMHO, wanting the thread to be deleted is sort of silly. The conjectures about a compromised machine were intended to be helpful (I don't know how accurate that kind of guess can be) and the entire thread is trying to help the OP find out why he is blocked. If anyone reads the thread, s/he can accept Adam's rebuttal.

Another case where 'someone who hates spam' is not really willing to cooperate with blocklists. I would like to know more about why Adam thinks his policies about allowing customers to run scripts are 'ok' - perhaps that kind of policy doesn't really add to the spam burden of other people (or his spam burden from others who have the same kind of policies)?

Miss Betsy


Almost 24 hours after seeing the 1941% volume change, SenderBase is now showing:

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day          4.4             679%
Last 30 days      4.0             167%
Average           3.5

So I am willing to go along with the view that the major source of the problem appears to have been nailed.

Wondering now if there is/was enough data in those logs to track down the actual source of all those e-bay phishing e-mails and pass on the bandwidth costs ..??


Yesterday, Senderbase was still showing a 370% volume increase, so was wondering why the decline seemed to be slowing down so much. Just checked, now two days after the 1941% number, and it's now down to -33% ... now wondering if more accounts were shut down.

Wow! ... Was wondering at Julian's presence in here yesterday ... now perhaps seeing what that might have been about .... note the massive changes to the lookup page http://www.spamcop.net/w3m?action=checkblo...p=66.216.122.76


> Wow! ... Was wondering at Julian's presence in here yesterday ... now perhaps seeing what that might have been about .... note the massive changes to the lookup page http://www.spamcop.net/w3m?action=checkblo...p=66.216.122.76

Looks good to me.

New option for server owners to automatically de-list the address if they think they have fixed the problem. A confirmation mail is sent to what SC considers the responsible role accounts, requiring a response before the de-list takes place. It also has protection to stop it being used repeatedly.

Second new option to dispute the listing and send additional information to the deputies.

It should now be a much more streamlined process and easier for server owners to deal with listed boxes.

Good work Julian. I hope it makes the jobs of all those behind the scenes much simpler.


http://www.spamcop.net/w3m?action=checkblo...p=66.216.122.76 now shows "66.216.122.76 not listed in bl.spamcop.net" and http://www.senderbase.org/?sb=1&searchBy=i...g=66.216.122.76 now shows:

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day          3.4             -24%
Last 30 days      4.0             191%
Average           3.5


> Looks good to me.
>
> New option for server owners to automatically de-list the address if they think they have fixed the problem. A confirmation mail is sent to what SC considers the responsible role accounts, requiring a response before the de-list takes place. It also has protection to stop it being used repeatedly.
>
> Second new option to dispute the listing and send additional information to the deputies.
>
> It should now be a much more streamlined process and easier for server owners to deal with listed boxes.
>
> Good work Julian. I hope it makes the jobs of all those behind the scenes much simpler.

It sure has been generating a lot of mail ... that's both the good news and the bad news :-)


> Ellen, have you had any major spamhausen ask to be removed like Optinrealbig/Optinbig - ProcessRequest.com/Bluestreak - bluerockdove or others in that kind of category?

Most of the mails tend to be (and have always tended to be) from people with compromised systems and/or ISPs not previously known to us, where the parser lists the mailserver rather than continuing to the header with the injecting user IP.
