Rafael
Posted January 28, 2005

Hello,

For the past 3 days I send emails and receive an email with this text:

    : host mail.domain.com[66.220.7.80] said: 451 Blocked - see http://www.spamcop.net/bl.shtml?82.223.190.20 (in reply to RCPT TO command)

We are a software company and we send e-news to our customers. All the addresses are given by our customers, and we have emails with these confirmations. In our e-news, the customer has the possibility to unsubscribe by only clicking a link, and we always unsubscribe them. But it is curious because we only receive 1 or 2 unsubscribes every e-news (our customer database is 800 customers).

Please, how can I unlock my account? We cannot send email!

Regards,
Rafael del Molino
TDM Solutions; www.VisualMillSpain.com

dra007
Posted January 28, 2005

    82.223.190.20 listed in bl.spamcop.net (127.0.0.2)

    If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately zero time.

    Causes of listing
    System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
    SpamCop users have reported system as a source of spam less than 10 times in the past week

You may want to contact your provider; there seem to be spam and/or bounces to innocent and/or spamtrap addresses, or you have a trojaned/compromised machine spewing that crap.

The Sender Base also shows a large increase in volume:

    Volume Statistics for this IP
                    Magnitude   Vol Change vs. Average
    Last day        4.9         885%
    Last 30 days    4.8         808%
    Average         3.9

Personally I also noticed a large increase in spam from Spain! I know <<it rains in Spain>> but that would have to be rephrased <<it rains spam from careless ISPs in Spain>>?

dra007
Posted January 28, 2005

As a side note there is a history of spam and Phishers spewed from the domain for the IP you provided.

    The largest ISP in the world with the largest staff and the biggest budget and Rule # 1 challenged spammers can outsmart them. How sad, how very sad indeed. Hostdepartment.com is part of the problem. They "Shirley" aren't part of the solution nor is horneyspace.com who also protects/shields AOL niche spammers. And AOL wonders why they are losing customers daily.

    Sent from 217.76.128.17

    inetnum:    217.76.128.0 - 217.76.128.223
    netname:    NET-ARSYS-EURO-1
    descr:      arsys.es
    country:    ES
    admin-c:    ARO12-RIPE
    tech-c:     ARO12-RIPE
    rev-srv:    atlante.servidoresdns.net
    rev-srv:    prometeo.servidoresdns.net
    status:     ASSIGNED PA
    notify:     r...[at]arsys.es
    mnt-by:     ARSYS-RIPE-MNT
    mnt-lower:  ARSYS-RIPE-MNT
    changed:    r...[at]arsys.es 20040402
    source:     RIPE

Wazoo
Posted January 28, 2005

Moved from the "Reporting" Forum to the "Blocking List" Forum.

petzl
Posted January 29, 2005

Quote:
    Hello, Since 3 days I send emails, and I receive an email with this text:
    : host mail.domain.com[66.220.7.80] said: 451 Blocked - see http://www.spamcop.net/bl.shtml?82.223.190.20 (in reply to RCPT TO command)
    Please how I can unlock my account. We can not send email!

Try using my Signature file to check your computer's security. That IP has been taken over and nothing on it is safe.

callconc
Posted February 4, 2005

One of our domains keeps getting this:

    ----- The following addresses had permanent fatal errors -----
    <carrie[at]expedia.com>
        (reason: 550 5.2.1 Mailbox unavailable. Your IP address 209.239.37.102 is blacklisted using SPAMCOP. Details: Blocked - see http://www.spamcop.net/bl.shtml?209.239.37.102.)

    ----- Transcript of session follows -----
    ... while talking to mail2.expedia.com.:
    >>> DATA
    <<< 550 5.2.1 Mailbox unavailable. Your IP address 209.239.37.102 is blacklisted using SPAMCOP. Details: Blocked - see http://www.spamcop.net/bl.shtml?209.239.37.102.
    550 5.1.1 <carrie[at]expedia.com>... User unknown
    <<< 503 5.5.2 Need Rcpt command.

But then when I go to the blocklist to verify we are blacklisted, it says we aren't. What's the deal?

Merlyn
Posted February 4, 2005

It could just be a timing thing.

    Parsing input: 209.239.37.102
    host 209.239.37.102 = host.callconceptshost.com (cached)
    ISP does not wish to receive report regarding 209.239.37.102
    ISP does not wish to receive reports regarding 209.239.37.102 - no date available
    Routing details for 209.239.37.102
    Report routing for 209.239.37.102: abuse[at]alabanza.com

    [report history]
    Submitted: Sunday, January 30, 2005 12:11:09 PM -0500: Subject =?iso-8859-5?B?SG9tZSBpbmNlc3Qh?=
    Submitted: Saturday, January 29, 2005 7:22:06 AM -0500: Subject =?iso-8859-5?B?SG9tZSBJTkNFU1Qh?=
    Submitted: Friday, January 28, 2005 11:51:37 AM -0500: Subject =?iso-8859-5?B?Qm95c05ldzogZ3JhbmQgb3Bl?=
    Submitted: Friday, January 28, 2005 1:22:03 AM -0500: Subject =?iso-8859-5?B?Qm95c05ldzogZ3JhbmQgb3Bl?=
    Submitted: Thursday, January 27, 2005 1:54:20 PM -0500: Subject =?iso-8859-5?B?Qg==?=
    Submitted: Thursday, January 27, 2005 12:51:38 PM -0500: Subject =?iso-8859-5?B?Qm95c05ldzogZ3JhbmQgb3Bl?=
    Submitted: Thursday, January 27, 2005 10:57:46 AM -0500: Subject =?iso-8859-5?B?Qg==?=
    Submitted: Wednesday, January 26, 2005 11:28:28 AM -0500: Subject =?iso-8859-5?B?Qm95c05ldzogZ3JhbmQgb3Bl?=
    Submitted: Wednesday, January 26, 2005 6:06:56 AM -0500: Subject =?iso-8859-5?B?Qm95c05ldzogZ3JhbmQgb3Bl?=

callconc
Posted February 4, 2005

So what does that mean? Why on earth was this domain blacklisted? And I can't find the place on the site where you go about getting it removed... thanks for the help.

Wazoo
Posted February 4, 2005

From the top .. the SpamCopDNSBL doesn't use "Domain" names. As noted, the link to the SpamCopDNSBL pages shows that this IP address is not currently listed. Some timing issues could be involved as there are mirrors of this database distributed around the world. On the other hand, the system that offered you the rejected message could also have been configured wrongly, rejecting for another reason, but pointing to the SpamCop line.

And from another view, http://www.senderbase.org/?searchBy=ipaddr...=209.239.37.102 shows a downward trend on e-mail traffic from this IP. Maybe the problem spew has been handled?

The "Why am I blocked" FAQ entry / Pinned item attempts to explain many things.
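
Added example, not part of any post in this thread: a Python sketch of the check discussed above, taking the IP address a rejection line cites and comparing it with what the blocking list answers at that moment. The zone name and the 127.0.0.2 answer are the ones shown in the lookup output quoted earlier in the thread; the function names and the injectable `resolve` parameter are assumptions of this example.

```python
import ipaddress
import re
import socket

ZONE = "bl.spamcop.net"      # zone shown in the lookup output quoted in this thread
LISTED_ANSWER = "127.0.0.2"  # answer the thread shows for a listed address

# Rejection lines copied from the two bounces posted in this thread.
BOUNCES = [
    "451 Blocked - see http://www.spamcop.net/bl.shtml?82.223.190.20 (in reply to RCPT TO command)",
    "550 5.2.1 Mailbox unavailable. Your IP address 209.239.37.102 is blacklisted "
    "using SPAMCOP. Details: Blocked - see http://www.spamcop.net/bl.shtml?209.239.37.102.",
]

def parse_rejection(line):
    """Return the SMTP reply code and the IP the rejecting server cites, or None."""
    code = re.match(r"\s*([245]\d\d)\b", line)
    cited = re.search(r"bl\.shtml\?(\d{1,3}(?:\.\d{1,3}){3})", line)
    if not code or not cited:
        return None
    ip = str(ipaddress.IPv4Address(cited.group(1)))  # raises on a malformed address
    kind = "temporary" if code.group(1)[0] == "4" else "permanent"
    return {"code": int(code.group(1)), "kind": kind, "ip": ip}

def dnsbl_query_name(ip, zone=ZONE):
    """The list is keyed by IP, not domain: reverse the octets, append the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, resolve=socket.gethostbyname):
    """True if the zone answers 127.0.0.2 for this IP right now."""
    try:
        return resolve(dnsbl_query_name(ip)) == LISTED_ANSWER
    except socket.gaierror:  # no record; a resolver failure also lands here
        return False

def triage(line, resolve=socket.gethostbyname):
    """Compare what the bounce claims with what the list says at this moment."""
    r = parse_rejection(line)
    if r is None:
        return "no SpamCop reference in this rejection"
    state = "listed now" if is_listed(r["ip"], resolve) else "cited by bounce but not listed now"
    return f"{r['ip']} {state} ({r['kind']} {r['code']})"

if __name__ == "__main__":
    for line in BOUNCES:  # performs live DNS lookups
        print(triage(line))
```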

Derek T
Posted February 4, 2005

Quote:
    So what does that mean? Why on earth was this domain blacklisted? And I can't find the place on the site where you go about getting it removed... thanks for the help.

It means that that server was spewing spam last Wednesday through to Sunday. That is why it was blacklisted. The spamcop list reacts quickly to blacklist current spews and then automatically de-lists after a few (typically 2-48) hours. That IP is not currently listed; if no more spam comes from it, it will remain de-listed. If you control it you should have received abuse reports.

Miss Betsy
Posted February 4, 2005

Quote:
    So what does that mean? Why on earth was this domain blacklisted? And I can't find the place on the site where you go about getting it removed...

IIUC, your computer (or one at the same IP address) has a trojan that is sending scam spam. What has happened is that a spammer has gained access to this computer and is sending scam spam through it. The spammer does it in spurts so that when you go to look it up on the blocklist, it is no longer listed on the spamcop blocklist. However, as soon as the spammer rotates back to it, it will be listed again.

There is no way to get your IP address removed from the blocklist because it is automatic. When spam is reported from an IP address, the IP address is listed. When spam is no longer reported (because the spammer stopped using that IP address or the computer was cleaned of the trojan), then the IP is delisted.

For compromised computers, spamcop is an early warning system. If you do not fix this computer, then eventually that IP address will get on other lists that are not automatic and much more difficult to get off.

And 'domains' are not listed - only IP addresses from which email comes. For trojanned computers the email does not leave through the normal method, but through 'ports' that are generally used for something else. (Someone explained how to explain this in technical terms the other day, but I have forgotten already. However, since you do not seem to be technically fluent either, maybe my explanation will make more sense to you.)

Miss Betsy

callconc
Posted February 4, 2005

So how do I stop this from being hijacked? Thanks SO much for all of your help!

Tomas

Wazoo
Posted February 4, 2005

A few suggestions for further research have already been suggested ... (I'm going to add another here to take a look at the "how to use ..." Forum .. under the section there for using the SpamCop Forum, there's a bit I wrote up about the various buttons used 'here' .... noting that I've edited all of your replies thus far to remove the 'quoted in full' items you've responded to)

Are you running a web-site perhaps, using an e-mail server from that host? (noting that your posting IP doesn't immediately tie to the referenced problem IP)

    02/04/05 12:06:37 IP block 209.239.37.102
    Trying 209.239.37.102 at ARIN
    Trying 209.239.37 at ARIN
    OrgName:    Alabanza, Inc.
    OrgID:      ALAB
    Address:    10 East Baltimore St., 10th floor
    City:       Baltimore
    StateProv:  MD
    PostalCode: 21202
    Country:    US

This is who would have received any complaints/reports. Assumedly, this is also who you'd want to ask this question of ... But again, you've not defined your connection to the system at the problem IP ....

DavidT
Posted February 4, 2005

Shedding a little more light, hopefully:

The company Tomas works for is "Call & Associates" (http://www.callandassociates.com) aka "callconcepts.com" who leases a dedicated server from Alabanza, Inc. The IP cited earlier is the "host server" IP address that is used for all outgoing SMTP traffic from all of the hosting accounts on that server. This can include stuff allowed by the "popauth" feature on the server...maybe from compromised machines other than the server.

It appears that Call & Associates has one or more hosting clients on that server whose SMTP privileges were allowing the transmission of spam recently, resulting in the blacklisting. The reports were sent to Alabanza Abuse, so as a customer of Alabanza, the Call folks can simply contact Alabanza abuse and work with them regarding the details of the abuse. Or, if you've got a competent server administrator, you should be able to go through your server's logs and figure it out.

DT (I'm involved with some accounts on machines in the Alabanza farm, and I formerly had a dedicated server there, so I know what I'm talking about)

This topic is now archived and is closed to further replies.