rdassow Posted October 19, 2004

My e-mail server's IP address, 65.88.34.229, is being listed by SpamCop, but I am given no reasons! My IP has been listed by 4 other spam block lists, and they all say they're listing me because SpamCop is listing me! Ugh! Can someone give me any ideas why SpamCop listed me but won't tell me the reason? I have nothing to go on here. Help!
Merlyn Posted October 19, 2004

You are also listed at http://cbl.abuseat.org/lookup.cgi?ip=65.88.34.229 which means that most likely your machine has been hijacked/trojaned. According to Senderbase, the mail output from this server is up 5,609% in the last day. This machine needs to be pulled from the internet until it's fixed.
Chris Parker Posted October 19, 2004

> My e-mail server IP Address is being listed by spamcop, 65.88.34.229 but I am given no reasons! My IP has been listed by 4 other spam block lists, and they all say they're listing me because Spamcop is listing me!

Your server appears to have been sending to spam traps, either directly or by bouncing, autoresponding, etc. See: CBL, based on the Senderbase report of mailings increasing by 5600% in the last 24 hours. I'd guess that your server has been compromised. Maybe an SMTP AUTH hack. Check your logs. SpamCop's stats are not real-time because spammers abused the listing details. You may want to send an email to deputies <at> spamcop <dot> net.
Wazoo Posted October 19, 2004

I'd like to hear about the "other 4 blacklists" that base their listings on a SpamCopDNSBL listing. Out of the zillions of BLs out there, I've never heard of this scenario before.
Merlyn Posted October 19, 2004

Out of the ones that might mean anything, none of them are because of your SpamCop listing. They are from the spew coming from your server.

XBL Exploits Block List (includes CBL): xbl.spamhaus.org -> 127.0.0.4
    http://www.spamhaus.org/query/bl?ip=65.88.34.229
SPAMCOP SpamCop Blocking List: bl.spamcop.net -> 127.0.0.2
    Blocked - see http://www.spamcop.net/bl.shtml?65.88.34.229
JAMDSBL local bl at JAMMConsulting.com: dnsbl.jammconsulting.com -> 127.0.0.30
DNSBLAUT1 Reynolds Technology Type 1: t1.dnsbl.net.au -> 127.0.0.2
    Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=65.88.34.229
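The lookups quoted above all follow the same DNSBL convention: reverse the octets of the IP, append the list's zone, and read the 127.0.0.x answer as the verdict. The following is an added example, not code from the thread or from any of the lists; it reproduces the two answers shown above with a constructed offline resolver, and the return-code tables of the individual lists are not reproduced here.

```python
import socket
from typing import Callable, Dict, List, Optional

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: octets reversed, then the zone
    (65.88.34.229 in bl.spamcop.net -> 229.34.88.65.bl.spamcop.net)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone

def resolve_a(name: str) -> Optional[str]:
    """Live resolver: the A record for name, or None on NXDOMAIN (= not listed)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_dnsbls(ip: str, zones: List[str],
                 resolver: Callable[[str], Optional[str]] = resolve_a) -> Dict[str, Optional[str]]:
    """Return zone -> return code (e.g. '127.0.0.2') for listed zones, None otherwise.
    A genuine listing answers with an address in 127.0.0.0/8 whose last octet
    encodes the reason; any other address means a dead list or a wildcard
    domain swallowing the query, so it is recorded as 'not listed' rather
    than treated as a verdict."""
    results: Dict[str, Optional[str]] = {}
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        results[zone] = answer if answer and answer.startswith("127.") else None
    return results

# Constructed answers reproducing the two positive lookups quoted in the thread,
# so the example runs offline; pass resolver=resolve_a to query real DNS instead.
FAKE_ANSWERS = {
    "229.34.88.65.bl.spamcop.net": "127.0.0.2",
    "229.34.88.65.xbl.spamhaus.org": "127.0.0.4",
}

def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)

if __name__ == "__main__":
    zones = ["bl.spamcop.net", "xbl.spamhaus.org", "dnsbl.jammconsulting.com"]
    for zone, code in check_dnsbls("65.88.34.229", zones, resolver=fake_resolver).items():
        print(f"{zone:28} {'listed, return code ' + code if code else 'not listed'}")
```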
rdassow Posted October 19, 2004 (Author)

But of course our percentage is going to go up. Our company has two diverse ISPs with two diverse T1s to the internet. We have redundant MX records to support this (stsconsultants.com). However, if our primary ISP goes down, our e-mail is re-directed out our backup connection, which is the IP that has been BL'd (65.88.34.229). Of course we are going to have a huge percentage increase in e-mail! That IP doesn't see ANY email unless we are in a failover state, which happened recently. Why should we be punished for having a redundant connection?

Ryan
rdassow Posted October 19, 2004 (Author)

> Out of the ones that might mean anything none of them are because of your Spamcop listing. They are from the spew coming from your server.
>
> XBL Exploits Block List (includes CBL): xbl.spamhaus.org -> 127.0.0.4 http://www.spamhaus.org/query/bl?ip=65.88.34.229

Merlyn, I'm not listed here.

> SPAMCOP SpamCop Blocking List: bl.spamcop.net -> 127.0.0.2 Blocked - see http://www.spamcop.net/bl.shtml?65.88.34.229

I am listed here with no cause.

> JAMDSBL local bl at JAMMConsulting.com: dnsbl.jammconsulting.com -> 127.0.0.30

I am listed here; still trying to find out why.

> DNSBLAUT1 Reynolds Technology Type 1: t1.dnsbl.net.au -> 127.0.0.2 Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=65.88.34.229

I am not listed here either.
StevenUnderwood Posted October 19, 2004

> Why should we be punished for having a redundant connection?

Well, this is new information, not made public before. It is not caused by your redundant connection directly, but SpamCop has used (not sure if it is currently used) different stats to list "new" servers it finds sending spam. Basically, a new IP will be listed much quicker because spammers were turning on IPs, spamming until they got listed and then going on to the next one. You will need to contact the deputies for 2 reasons then:

1. Find out why you are listed.
2. Ask that your redundant IP address be unmarked as "new".

The fact that spam (or a spamtrap hit) came from your IP so quickly after turning on the server is NOT a good sign, however.
Merlyn Posted October 19, 2004

> It was previously listed, but was removed at 2004-10-19 15:13 GMT

You had yourself removed? It will be added back if it happens again. I give it a few hours. After you remove yourself more than a couple of times and it keeps showing up, it will be flagged permanent. If your server has problems you should fix it before you have many more problems.
Wazoo Posted October 19, 2004

Your description of "no cause" for a SpamCopDNSbl listing has now changed. The current "Evidence" page shows:

> Causes of listing
> System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

There is no "punishment for redundancy" .... the SpamCopDNSbl is based on a complicated mathematical formula, with spamtrap hits carrying a large scaling factor. Have you been through the "Why am I blocked" FAQ or Pinned item yet?
rdassow Posted October 19, 2004 (Author)

> Your description of "no cause" for a SpamCopDNSbl listing has now changed. The current "Evidence" page shows:
>
> Causes of listing
> System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
>
> There is no "punishment for redundancy" .... the SpamCopDNSbl is based on a complicated mathematical formula, with spamtrap hits carrying a large scaling factor. Have you been through the "Why am I blocked" FAQ or Pinned item yet?

All email coming and going from this IP address is scanned by Symantec for SMTP and Symantec for Exchange, and both are the most recent versions with the most recent DAT files. Is it possible, if I block at the firewall all outbound requests for port 25 except from the mail servers, to determine if we have an inside host with a trojan?
Merlyn Posted October 19, 2004

Actually no, because the spammers are authorizing themselves on your machine. Most likely an SMTP AUTH hack.

http://news.spamcop.net/cgi-bin/fom?file=372
http://www.winnetmag.com/article/articleid/40507/40507.html
http://www.winnetmag.com/article/articleid/42406/42406.html
http://support.microsoft.com/default.aspx?...;EN-US;324958#4
http://www.slipstick.com/exs/relay.htm
http://www.msexchange.org/tutorials/Preven..._Server_55.html

I would bet a lunch on it <g>
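An SMTP AUTH hijack of the kind Merlyn describes leaves a recognisable trace in the mail server's authentication log (the "check your logs" advice earlier in the thread): one account guessed at repeatedly from one address, then used successfully from addresses a real user would never send from. The following is an added example, not code from the thread or from any mail product; the log format, the sample lines and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
# Constructed log format (not Exchange's or any real MTA's): one line per AUTH attempt.
LOG_RE = re.compile(r"^(\S+ \S+) AUTH user=(\S+) src=(\S+) result=(OK|FAIL)$")
# Constructed sample: 'ryan' behaves normally; 'sales' is password-guessed from one
# address and then used from several more, the shape of a hijacked SMTP AUTH account.
SAMPLE_LOG = """\
2004-10-19 03:01:10 AUTH user=ryan src=192.0.2.10 result=OK
2004-10-19 03:05:42 AUTH user=ryan src=192.0.2.10 result=OK
2004-10-19 03:06:01 AUTH user=sales src=198.51.100.5 result=FAIL
2004-10-19 03:06:02 AUTH user=sales src=198.51.100.5 result=FAIL
2004-10-19 03:06:03 AUTH user=sales src=198.51.100.5 result=FAIL
2004-10-19 03:06:04 AUTH user=sales src=198.51.100.5 result=FAIL
2004-10-19 03:06:05 AUTH user=sales src=198.51.100.5 result=FAIL
2004-10-19 03:06:09 AUTH user=sales src=198.51.100.5 result=OK
2004-10-19 03:10:00 AUTH user=sales src=203.0.113.20 result=OK
2004-10-19 03:11:00 AUTH user=sales src=203.0.113.77 result=OK
2004-10-19 03:12:00 AUTH user=sales src=198.51.100.99 result=OK
"""

def parse_auth_log(text):
    """Return (timestamp, user, src_ip, result) tuples for lines matching LOG_RE."""
    return [m.groups() for m in map(LOG_RE.match, text.splitlines()) if m]

def suspicious_accounts(events, max_sources=3, max_failures=5):
    """Flag accounts that authenticate successfully from more distinct source IPs
    than a real user plausibly would, or that rack up a burst of failures (the
    guessing that usually precedes relay abuse). Thresholds are assumptions."""
    ok_sources = defaultdict(set)
    failures = defaultdict(int)
    for _ts, user, src, result in events:
        if result == "OK":
            ok_sources[user].add(src)
        else:
            failures[user] += 1
    flagged = {}
    for user in set(ok_sources) | set(failures):
        reasons = []
        if len(ok_sources[user]) > max_sources:
            reasons.append(f"{len(ok_sources[user])} distinct source IPs")
        if failures[user] >= max_failures:
            reasons.append(f"{failures[user]} failed logins")
        if reasons:
            flagged[user] = reasons
    return flagged

if __name__ == "__main__":
    for user, why in suspicious_accounts(parse_auth_log(SAMPLE_LOG)).items():
        print(f"{user}: {', '.join(why)}")
```

A flagged account is the cue to reset its password and disable relaying for it, which is the fix the thread's Exchange relay links are about.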