Jump to content
Sign in to follow this  
ldewey

Blocklisted, please help

Recommended Posts

We are an ISP. We have been placed on the blocking list a second time today, and we have not been given any information regarding the reason...the server is 216.134.224.9 and it has been blocked due to : "System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by Spamcop)"

Please tell me how we can get mail header information on the offending messages. We cannot correct the issue with no information.

Again, we are an isp and the block is effecting several thousand mail accounts. Please help.

Leslie

Share this post


Link to post
Share on other sites

Hi Leslie,

spam TRAP HITS (click on this link) are bad. They may be an indication your system has been compromized by trojans, worms, viruses and various neferious creatures like that.

I did not see A LARGE INCREASE in activity of the IP you mention, so the problem may not be overblown at this stage.

However, A CLOSELY RELATED IP does show unusually high volume of traffic!! Same is true for 216.134.231.79.

You may need to explain your set up for the gurus here to give you additional help.

Edited by dra007

Share this post


Link to post
Share on other sites

Thanks for the quick reply -

We have suspended traffic for both 216.134.231.79 and 216.134.231.91. Please let me know what further steps we can take. Is there anyway to see what the spam Traps are catching? Have inspected server, not seeing any open port connections or anything out of place. We will continue looking for anything out of place.

We are running Sun JavaSystems Messaging server v6.1 Running on SUn hardware with Solaris . If the problem messages are from automatic email notices (over quota, user unknown, etc) we cannot stop these messages...have looked for a way to disable, but can't find. Any help would be appreciated.

Leslie

Share this post


Link to post
Share on other sites

If you are sending messages back to the "From" address then this will get you on the list and many other lists. Spammers and virus forge the "From" address so you send the junk back to innocent victims where it did not originate from.

Share this post


Link to post
Share on other sites

Varius links offered already, some suggestions made, but one is still under the impression that neither the FAQ or the repeated Pinned item "Why am I blocked" has been looked at yet. Would you do that please?

Share this post


Link to post
Share on other sites

Sir-

We have read both items mentioned. We still haven't found out what was reported by the spam Traps. We have also contacted Sun for help turning off all auto-replys, we are waiting for that information. We have suspended traffic for the specific IP's mentioned, as they were individual users. We are still requesting help because the IP that is blocklisted is our mail server. There are several thousand users whose mail is being blocked and we want to get them back on.

Is there anything that we can do to get this corrected prior to the automatic lift of the block? Not only do we need to get the users back on, but if someone doesn't offer us some specific help, I am afraid that the block will be instigated again immediately after being lifted. How can we correct a problem, if we aren't sure exactly what the problem is?

We would appreciate any direction anyone can give on this matter.

Share this post


Link to post
Share on other sites

Hi, Leslie,

Sir-

20210[/snapback]

...Unsolicited suggestion: not everyone here is a "sir" and some non-sir's may be a bit sensitive about being referred to in this manner. Please consider using asexual salutations, such as "Hi, Wazoo" or "Greetings" or even skipping the salutation entirely. Thanks!
We have read both items mentioned.  We still haven't found out what was reported by the spam Traps.

20210[/snapback]

...In that case, you must have missed the following in the page referenced by the "Pinned: Why Am I Blocked? FAQ" entry:
If you need to know what triggered the report from a spamtrap, email deputies <at> spamcop.net. Only they can see.

<snip>

We are still requesting help because the IP that is blocklisted is our mail server.  There are several thousand users whose mail is being blocked and we want to get them back on. 

Is there anything that we can do to get this corrected prior to the automatic lift of the block?

20210[/snapback]

...If you read the FAQ, then you also seemed to have missed this in the "Pinned: Why Am I Blocked? FAQ" entry:

Not only do we need to get the users back on, but if someone doesn't offer us some specific help, I am afraid that the block will be instigated again immediately after being lifted.  How can we correct a problem, if we aren't sure exactly what the problem is?

20210[/snapback]

...You are asking exactly the right questions! Hopefully, you will find the answers by re-reading the FAQ, with particular attention to the bits I mentioned, above.

We would appreciate any direction anyone can give on this matter.

20210[/snapback]

...Well, I hope I helped, at least a bit. If you still have questions after referring back to the FAQ, please don't hesitate to post a follow-up here.

...Good luck!

Share this post


Link to post
Share on other sites

http://www.spamcop.net/fom-serve/cache/76.html

http://forum.spamcop.net/forums/index.php?showtopic=673

http://www.spamcop.net/fom-serve/cache/401.html

All items taken from the FAQ.

Repeated data: only the Deputies and Admin staff have the capability to "look" at spamtrap data. And as noted in the message, spamtrap data is not handed out freely, based on the definition of a spamtrap.

FAQ specifics also cover items of spam spew that are not found in mail derver logs .. but you make no mention of checjing these other places.

Share this post


Link to post
Share on other sites
Hi, Leslie,...Unsolicited suggestion: not everyone here is a "sir" and some non-sir's may be a bit sensitive about being referred to in this mann
er.

Sorry - I generally get hot about gendered salutations as well. :-)

In that case, you must have missed the following in the page referenced by the "Pinned: Why Am I Blocked? FAQ"

Yes, I apologize. My coworker thought that I had alredy emailed 'deputies' and I re-read the page 3 x w/out ever seeing the mention. I have now sent an inquiry to the 'deputies' address.

I also, hoped that while the "short answer" "how do I get removed" is "you can't" that there might be another option.

...

Well, I hope I helped, at least a bit.  If you still have questions after referring back to the FAQ, please don't hesitate to post a follow-up here.

...Good luck!

Yes! You have helped, at least now we have in inquiry into the deputies address.

Thanks

Share this post


Link to post
Share on other sites

...Thanks for taking the time to follow-up.

...Hope the deputies can help you! :) <g>

Share this post


Link to post
Share on other sites
Sorry - I generally get hot about gendered salutations as well. :-)

Funny, while looking through the FAQ ... went back myelf and fixed a couple of those "he" things <g> ... (how long has the "newsgroup" link been pointing to the Forum anyway? <g>)

Yes, I apologize. My coworker thought that I had alredy emailed 'deputies' and I re-read the page 3 x w/out ever seeing the mention.  I have now sent an inquiry to the 'deputies' address.

Now a matter of time for them to catch your e-mail, look stuff up, and see what they can relate to you about the traffic seen.

However .... looking at the page I'm going to reference in response to your next point, the database has been update (hasn't been real-time in a long while due to spammer exploitation) .. and reports are also now added to the mix. It's no longer "just" spamtraps involved.

I also, hoped that while the "short answer"  "how do I get removed" is "you can't" that there might be another option. 

I'm a bit confused, in that had you gone to one of the pages referenced, http://www.spamcop.net/w3m?action=checkblo...=216.134.231.79 you'd have noted an option right there. But, noting as you've yet to figure out the problem, you'd have blown the one-time chance at a quick de-listing, it appears.

And unfortunately, though you say you've stopped all traffic, SenderBase traffic reports are still going up. Suspicions are that you've got a compromised machine that's still spewing ..... once again, check stuff above, beyond, and around your allegedly halted e-mail server ....

BTW: strange names assigned to "e-mail servers"

Query for 91.231.134.216.in-addr.arpa type=255 class=1

91.231.134.216.in-addr.arpa PTR (Pointer) 91.231.dsl-dhcp.ytc.net

231.134.216.in-addr.arpa NS (Nameserver) dns.ytc.net

dns.ytc.net A (Address) 216.134.224.11

Query for 79.231.134.216.in-addr.arpa type=255 class=1

79.231.134.216.in-addr.arpa PTR (Pointer) 79.231.dsl-dhcp.ytc.net

231.134.216.in-addr.arpa NS (Nameserver) dns.ytc.net

dns.ytc.net A (Address) 216.134.224.11

Going right along with the problem SpamCop had in trying to guess a valid e-mail address;

Looking for potential administrative email addresses for 216.134.231.79:

cannot find an mx for 79.231.dsl-dhcp.ytc.net

cannot find an mx for 231.dsl-dhcp.ytc.net

cannot find an mx for dsl-dhcp.ytc.net

216.134.224.200 is an mx ( 10 ) for ytc.net

Share this post


Link to post
Share on other sites
.. and reports are also now added to the mix.  It's no longer "just" spamtraps involved.

Are you referring to the 216.134.231.79? This is a user who we have suspended per our AUP. Though I suspect both .79 and .19 are both issues stemming from viruses...we deal with all spam activity first with suspension and ask questions later. :-)

And unfortunately, though you say you've stopped all traffic, SenderBase traffic reports are still going up. 

The 2 ip addresses we suspended 216.134.231.79 and 216.134.231.19 these aren't mailservers, but individual DSL users. The mailserver is 216.134.224.9

BTW: strange names assigned to "e-mail servers"

216.134.231.79 and 216.134.231.19 are users, so they don't have names assigned.

We are still waiting for Sun to reply regarding auto-reply msgs, any info from deputies, as well as looking for any other problems. I appreciate your help and everyone else who has replied.

Thanks!

Share this post


Link to post
Share on other sites

I'm confused then ... From your very first post;

Again, we are an isp and the block is effecting several thousand mail accounts.

Thus all the pointing to and discussion centered on an e-mail server.

Now that there's the combination of spamtrap hits, actual spam complaints / submittals, and that you have identified two users and knocked them off-line ... why the further "wait for SUN" and leading the conversation back to an e-mail server / application / situation?

Your referenced e-mail server is not listed at present.

OK, I'll take the hit. I'm the one that went off looking at the two "other" IPs ....

Report on IP address: 216.134.231.79

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ......... 3.8 .. 2575%

Last 30 days ... 3.6 .. 1423%

Average ......... 2.4

Report on IP address: 216.134.231.91 (not the .19 last mentioned)

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 4.2 .. 2618%

Last 30 days .. 3.9 .. 1423%

Average ........ 2.7

Report on IP address: 216.134.224.9

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 4.0 .. 200%

Last 30 days .. 3.9 .. 159%

Average ........ 3.5

OK, the flow from the e-mail server hasn't increased since the last time I looked at it. Maybe you've got it all nailed down.

Share this post


Link to post
Share on other sites
Thus all the pointing to and discussion centered on an e-mail server.

:-) What a day. The email server (216.134.224.9) was the one that was actually blocked, thus causing such a problem on our end.

Now that there's the combination of spamtrap hits, actual spam complaints / submittals, and that you have identified two users and knocked them off-line ... why the further "wait for SUN" and leading the conversation back to an e-mail server / application / situation?

We have just heard from Spamcop...the problems were all related to the two individual users .79 & .19, but, not knowing the specifics of the issue, we were afraid that there might be a also be a problem with our mail server's auto-replys (which we are still going to fix.)

Your referenced e-mail server is not listed at present
.

Yes, thank goodness, I think we have all back to rights. The block was lifted a short time ago.

Again, I thank you for your help.

Leslie

Share this post


Link to post
Share on other sites

Edidted my last post, but see that you're still looking at the page ... I admitted to my screw up ... went on a run with the wrong IPs ... edited my last post, maybe do a refresh and pull it into view .. apologies for going the wrong direction. Thanks for handling the spew!

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×