helpline

unblock my IP


Hi,

I don't want this to turn into any more of a flame fest. We need to get a couple of things straight.

I apologise for this ticket being raised by helpdesk. Helpdesk had not read the FAQ and therefore did not realise the blocking is removed automatically.

The box has in no way been compromised. The reports of a Backdoor.Xibo virus were not correct. First of all, Backdoor.Xibo only affects Windows machines, and the machine listed in SpamCop is a Linux machine.

The spam was being sent out by a customer of ours who had created a PHP script to send the spam out to individuals. Once we found the account that was the culprit we turned it off.

We take spam seriously here and do our best to prevent our boxes from being used for spam. We receive enough of it ourselves :( Unfortunately we have to allow our customers to run scripts, which then opens us up to abuse of our services. To prevent spam we do not allow SMTP, and so looking in the firewall logs will have no bearing on the origin of this spam. As mentioned earlier, the spam was being sent via a script and, being a web host, we get a lot of people connecting to our box over port 80.

We have also adjusted the DNS entries to match. Although, as mentioned on SpamCop, this will make no difference to the listing.

Wazoo, yes, the percentage has gone up, but if you read the statistics it says that the percentage for "the last day" has gone up. As I had only narrowed down the account causing issues just before I sent you a message, this will not be reflected. You will see that drop down within the next day, along with our listing in SpamCop.

I asked to have this thread removed because of comments like "You may be using a hijacked/compromised machine. ", "I suggest that you unplug the network cable from the back of the machine until you figure out how to secure your machine. " Both these suggest that a server has been compromised, which is just not the case.

Edited by AdamF


Well, I can't argue the story, you do make it interesting. However, your posting IP doesn't reflect any association with the original poster or the system in question, so I still don't have a clue as to who you are or what connection you have with any of this. Actually still waiting for the connection between 'helpline' and the system in question to be cleared up a bit.

Agree, if you managed to shut down the only issue, then yes, SpamCop will drop the IP from the DNSBL. However, Senderbase is still showing;

Volume Statistics for this IP
               Magnitude  Vol Change vs. Average
Last day       4.8        1794%
Last 30 days   4.0         166%
Average        3.5

Yes, it's gone down from the 1941% from 16 hours ago, but I'd say that the jury is still out on whether the spew is actually stopped at this point. (making a note to check again in a few hours and see if the decrease in the average continues) http://psbl.surriel.com/listing?ip=66.216.122.76 does give the appearance that the e-bay phisher might have been stopped. though the removal and then more spamtrap hits feed into the above questionable situation.

> However, your posting IP doesn't reflect any association with the original poster or the system in question, so I still don't have a clue as to who you are or what connection you have with any of this. Actually still waiting for the connection between 'helpline' and the system in question to be cleared up a bit.

From his Time Zone, it would appear that "AdamF" is in London, where the "netpivotal.com" company is located. You'll note that he didn't confirm or deny that "Helpline" is from India and is from one of the ultra-cheap third-party tech support companies there.

DT


Also it seems odd they don't admit to having a problem even though (as pointed out by Wazoo) they still show a suspiciously high output!


Here is one from yesterday:

From root[at]alicia.netpivotal.com Mon Oct 18 06:59:45 2004
Delivery-date: Mon, 18 Oct 2004 06:59:45 -0400
Received: from [66.216.122.76] (helo=alicia.netpivotal.com)
    by mail.victim.example with esmtp (Exim 4.41)
    id 1CJVEv-0000BX-BW
    for spamvictim; Mon, 18 Oct 2004 06:59:45 -0400
Received: (qmail 24347 invoked by uid 48); 18 Oct 2004 09:27:37 -0000
Date: 18 Oct 2004 09:27:37 -0000
To: munged
Subject: Important Notice From eBay inc.
From: eBay Billing <aw-confirm[at]eBay.com>
Reply-To: aw-confirm[at]eBay.com
MIME-Version: 1.0


I admit that I don't know much about the workings of an email system. However, I thought that some trojans are able to infect Linux boxes. It is just unlikely because of the way that they are delivered.

Another idea that I had from reading this thread is that if there are lot of customers connected to this server, then perhaps maybe one of them may have an infected machine.

Of course, if the spam stops, then Adam did find the problem.

IMHO, wanting the thread to be deleted is sort of silly. The conjectures about a compromised machine were intended to be helpful (I don't know how accurate that kind of guess can be) and the entire thread is trying to help the OP find out why he is blocked. If anyone reads the thread, s/he can accept Adam's rebuttal.

Another case of where 'someone who hates spam' is not really willing to cooperate with blocklists. I would like to know more of why Adam thinks his policies about allowing customers to run scripts is 'ok' - perhaps that kind of policy doesn't really add to the spam burden of other people (or his spam burden by others who have the same kind of policies)?

Miss Betsy


Almost 24 hours after seeing the 1941% volume change, SenderBase is now showing;

Volume Statistics for this IP
               Magnitude  Vol Change vs. Average
Last day       4.4         679%
Last 30 days   4.0         167%
Average        3.5

So am willing to go along that the major source of the problem appears to have been nailed.

Wondering now if there is/was enough data in those logs to track down the actual source of all those e-bay phishing e-mails and pass on the bandwidth costs ..??


Yesterday, Senderbase was still showing a 370% volume increase, so was wondering why the decline seemed to be slowing down so much. Just checked, now two days after the 1941% number, and it's now down to -33% ... now wondering if more accounts were shut down.

Wow! ... Was wondering at Julian's presence in here yesterday ... now perhaps seeing what that might have been about .... note the massive changes to the lookup page http://www.spamcop.net/w3m?action=checkblo...p=66.216.122.76


I noticed it yesterday. I bet every admin that checks will just click to remove their IP only to have it in there again!

> Wow! ... Was wondering at Julian's presence in here yesterday ... now perhaps seeing what that might have been about .... note the massive changes to the lookup page http://www.spamcop.net/w3m?action=checkblo...p=66.216.122.76

Looks good to me.

New option for server owners to automatically de-list the address if they think they have fixed the problem. A confirmation mail sent to what SC considers the responsible role accounts requiring a response before the de-list takes place. It also has protection to stop it being used repeatedly.

Second new option to dispute the listing and send additional information to the deputies.

It should now be a much more streamlined process and easier for server owners to deal with listed boxes.

Good work Julian. I hope it makes the jobs of all those behind the scenes much simpler.

http://www.spamcop.net/w3m?action=checkblo...p=66.216.122.76 now shows "66.216.122.76 not listed in bl.spamcop.net" and http://www.senderbase.org/?sb=1&searchBy=i...g=66.216.122.76 now shows:
Volume Statistics for this IP  
               Magnitude  Vol Change vs. Average 
Last day      3.4       - 24% 
Last 30 days  4.0        191% 
Average       3.5

> I noticed it yesterday. I bet every admin that checks will just click to remove their IP only to have it in there again!

Well you only get to do that once in a lifetime :-)

> Looks good to me.
>
> New option for server owners to automatically de-list the address if they think they have fixed the problem. A confirmation mail sent to what SC considers the responsible role accounts requiring a response before the de-list takes place. It also has protection to stop it being used repeatedly.
>
> Second new option to dispute the listing and send additional information to the deputies.
>
> It should now be a much more streamlined process and easier for server owners to deal with listed boxes.
>
> Good work Julian. I hope it makes the jobs of all those behind the scenes much simpler.

It sure has been generating a lot of mail ... that's both the good news and the bad news :-)


Ellen, have you had any major spamhausen ask to be removed like Optinrealbig/Optinbig - ProcessRequest.com/Bluestreak - bluerockdove or others in that kind of category?

> Ellen, have you had any major spamhausen ask to be removed like Optinrealbig/Optinbig - ProcessRequest.com/Bluestreak - bluerockdove or others in that kind of category?

Most of the mails tend to be (and have always tended to be) from people with compromised systems and/or ISPs not previously known to us, where the parser lists the mailserver rather than continuing to the header with the injecting user IP.

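The header quoted earlier in the thread and Ellen's remark about where the parser stops are two views of the same thing: a walk through the Received: chain from the recipient's server outward. The Python below is an added example, not code from this thread or from SpamCop. It parses the quoted header (transcribed as shown, with the [at] munging left in; the mbox "From root..." separator line is not a header and is omitted) and follows each hop only while the host that wrote it is one we trust, stopping either at a hop written by an untrusted host or at qmail's local-injection line, which names a uid on the sending host but no remote IP to follow. A second, constructed variant adds a relay hop from the documentation address 192.0.2.10 to show the case Ellen describes: unless the listed server is itself treated as trusted, the walk ends at 66.216.122.76 and that is the address that gets listed. The trusted-host sets, the hostname customer-pc.invalid and the function names are assumptions for the example. Uid 48 is the apache account on Red Hat-derived systems, which fits AdamF's account of a customer's PHP script injecting the mail; the example also reports the gap between injection and handoff, about an hour and a half here.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the header quoted in the thread, transcribed as shown
# there ([at] munging kept; the mbox "From root..." separator is not a header
# and is left out).
SAMPLE_HEADERS = """\
Delivery-date: Mon, 18 Oct 2004 06:59:45 -0400
Received: from [66.216.122.76] (helo=alicia.netpivotal.com)
\tby mail.victim.example with esmtp (Exim 4.41)
\tid 1CJVEv-0000BX-BW
\tfor spamvictim; Mon, 18 Oct 2004 06:59:45 -0400
Received: (qmail 24347 invoked by uid 48); 18 Oct 2004 09:27:37 -0000
Date: 18 Oct 2004 09:27:37 -0000
To: munged
Subject: Important Notice From eBay inc.
From: eBay Billing <aw-confirm[at]eBay.com>
Reply-To: aw-confirm[at]eBay.com
MIME-Version: 1.0

(body omitted)
"""

# Constructed variant (an assumption, not from the thread): the same handoff,
# but the listed server relayed the mail from a customer machine whose IP
# (documentation address 192.0.2.10) appears in a second Received: line.
RELAYED_SAMPLE = """\
Received: from [66.216.122.76] (helo=alicia.netpivotal.com)
\tby mail.victim.example with esmtp (Exim 4.41)
\tid 1CJVEv-0000BX-BW
\tfor spamvictim; Mon, 18 Oct 2004 06:59:45 -0400
Received: from [192.0.2.10] (helo=customer-pc.invalid)
\tby alicia.netpivotal.com with smtp; 18 Oct 2004 09:27:37 -0000
Subject: Important Notice From eBay inc.

(body omitted)
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"helo=([\w.-]+)", re.I)
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)
# qmail's local-injection form: no peer address, only the uid that ran the injector
LOCAL_RE = re.compile(r"\(qmail\s+\d+\s+invoked\s+by\s+uid\s+(\d+)\)", re.I)


def parse_received(value):
    """Extract the fields a trace needs from one Received: header value."""
    text = " ".join(value.split())             # unfold continuation lines
    local = LOCAL_RE.search(text)
    ip, helo, by = IP_RE.search(text), HELO_RE.search(text), BY_RE.search(text)
    stamp = None
    if ";" in text:                            # the date follows the last ';'
        stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        if stamp.tzinfo is None:               # "-0000" parses as naive; treat as UTC
            stamp = stamp.replace(tzinfo=timezone.utc)
    return {
        "ip": ip.group(1) if ip else None,
        "helo": helo.group(1) if helo else None,
        "by": None if local else (by.group(1) if by else None),
        "local_uid": int(local.group(1)) if local else None,
        "time": stamp,
    }


def trace_origin(raw_message, trusted_by_hosts):
    """Walk Received: headers from the recipient outward.

    Each hop written by a host in trusted_by_hosts tells us which peer handed
    the mail over; that peer is the current best answer for the origin.  The
    walk stops at a hop written by an untrusted host (it could have forged
    everything above it) or at a local-injection line, which names a uid on
    the sending host but no remote IP to follow.
    """
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin_ip, injecting_uid = None, None
    for hop in hops:
        if hop["local_uid"] is not None:
            injecting_uid = hop["local_uid"]
            break
        if hop["by"] not in trusted_by_hosts:
            break
        origin_ip = hop["ip"]
    stamps = [h["time"] for h in hops if h["time"] is not None]
    delay = int((stamps[0] - stamps[-1]).total_seconds()) if len(stamps) > 1 else None
    return {
        "origin_ip": origin_ip,
        "injected_locally": injecting_uid is not None,
        "injecting_uid": injecting_uid,
        "queue_delay_seconds": delay,   # seconds between injection and handoff to us
        "hops": hops,
    }


if __name__ == "__main__":
    cases = [
        ("quoted header, recipient MX trusted", SAMPLE_HEADERS, {"mail.victim.example"}),
        ("relay hop, sender's host not trusted", RELAYED_SAMPLE, {"mail.victim.example"}),
        ("relay hop, sender's host trusted", RELAYED_SAMPLE,
         {"mail.victim.example", "alicia.netpivotal.com"}),
    ]
    for label, raw, trusted in cases:
        r = trace_origin(raw, trusted)
        print(f"{label}: origin={r['origin_ip']} local_uid={r['injecting_uid']} "
              f"delay={r['queue_delay_seconds']}s")
```

Run as a script, the first case resolves to 66.216.122.76 with a local injection by uid 48 and a delay of 5528 seconds between the qmail timestamp and the victim's receipt; the relay variant resolves to the same address until alicia.netpivotal.com is added to the trusted set, at which point the walk continues to 192.0.2.10.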
