horsepro

Help requested


Hi There,

I have an Educational Website that is quite popular and helps a lot of people. My mail is often blocked and I am on spam lists apparently. I cannot work out how to put a dispute form in. It asked for my ip number, I put it in and then no help as to what to do next.

www.horseproblems.com.au

Thanks for any advice.


Assuming your email server is at 66.116.206.62, you do not seem to be in any of the major blocklists. You will probably need to post one of the rejection notices.

-- Just a happy user,

JosephK

Thanks very much for your advice. Much appreciated.


You're welcome.

Assuming your email server is at 66.116.206.62

But it's probably not. In most shared hosting situations, the IP address from which mail emanates is rarely the same as the IP address of the "www" version of the domain, which is what you've supplied here. Did you look it up in SenderBase? Take a look here:

http://www.senderbase.org/?searchBy=ipaddr...g=66.116.206.62

It doesn't seem that any mail is emanating from that IP. However, if you look up the DNS for "horseproblems.com.au" at:

http://dnsreport.com/tools/dnsreport.ch?do...problems.com.au

you'll see that their MX is "mail6.hostexcellence.com" (which is an alias for "mail6.opentransfer.com") and the IP is:

69.6.255.177

Let's look that up in SenderBase:

http://www.senderbase.org/?searchBy=ipaddr...ng=69.6.255.177

Oh my...in the last 30 days, the traffic has risen by 1159%!!! That's a very BAD indicator. The good news is that in the last day, it's dropped by 75%, so perhaps someone is dealing with whatever problem might exist (spammer, hijacked mail scripts, ?) on that server.

The IP isn't currently listed on any blocklists, however, and there's no SpamCop "history" of reports (on either of the IPs), so I'm not sure if that's the sending IP for the server in question, either. We need to see the error message from one of the bounces.

Regarding the hosting provider....some strange stuff...the address given is in Kentucky, but the IPs and servers all appear to be under the control of a person named "Fathi Said" in Austria. If you Google him, you'll find some odd stuff relating to some big flap over "FeaturePrice.com" and Mr. Said. You'll also find this reference to him not caring about spamvertising in Usenet groups:

http://www.talkaboutspam.com/group/alt.kil...sages/9766.html

Hmmm...a little more Googling, and I find this:

http://www.featureprice-scam.com/fathi.html

I checked out some of the "web hosting review sites" mentioned on that page, and there does appear to be a pattern of Mr. Said putting up self-serving review sites, putting his hosting companies as the top-rated hosts. Or maybe he's a fine, upstanding businessman whose reputation was sullied by previously being in partnership with someone who wasn't quite so upstanding? It's hard to tell from a limited bit of research. OK, I guess it's time to get back on topic... ;-)

DT


Thanks very much David. Now I am starting to understand it. Thank you for your kind efforts on my behalf.

Thanks very much David. Now I am starting to understand it. Thank you for your kind efforts on my behalf.


Now senderbase -51% and de-listed. Seems like another case of SpamCop doing what it says on the tin! - alerting server admins of a problem which they seem to have put right.


Sorry to bother you again, but when you see the funny writing on your preview in mail washer, like down the bottom of this, does that mean it is a virus?

(Personal data removed by Wazoo)

Date: Mon, 09 May 2005 17:18:18 UTC

Subject: Your email was blocked

Importance: Normal

X-Priority: 3 (Normal)

Message-ID: <bfb3.efb1c996adf[at]vw.ph-heidelberg.de>

MIME-Version: 1.0

Content-Type: multipart/mixed; boundary="======b974a638df438e1b31ef"

Content-Transfer-Encoding: 7bit

This is a multi-part message in MIME format.

--======b974a638df438e1b31ef

This is an automatically generated E-Mail Delivery Status Notification.

Mail-Header, Mail-Body and Error Description are attached

--======b974a638df438e1b31ef

Content-Type: application/octet-stream; name=error-mail_info.zip

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename="error-mail_info.zip"

UEsDBAoAAAAAAAGAojKuS6g1MtEAADLRAAAmAAAAV2luemlwcGVkLVRleHRfRGF0YS50eHQgICAg

ICAgICAgIC5waWZNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAAA

Edited by Wazoo


Although it may have been / probably was a virus, to the question you ask about the data you provided, the specific technical answer would be "no" ... it doesn't "mean" that it's a virus, only that the data had been "packaged" .. the details describing how it was packaged ....

Content-Transfer-Encoding: base64 - says that the included data was encoded to Base-64 ... so you wouldn't see 'plain text'

Example: This is a test ends up looking like VGhpcyBpcyBhIHRlc3Q=

Content-Type: application/octet-stream; name=error-mail_info.zip - then suggests that the included data had been archived/compressed into a .ZIP file, yet another level of data manipulation that would further distance that data from any resemblance to 'plain text' ....

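What the two base64 lines quoted in the thread actually contain can be checked by decoding them and reading the ZIP local file header that sits at the start of the attachment. This is an added example, not part of any forum post; the function names are this example's own, and it only inspects the surviving bytes (nothing is extracted or executed).

```python
import base64
import struct

# The two base64 lines quoted in the thread; the attachment was cut short by
# the moderator, so only the first bytes of the file survive.
B64_LINES = [
    "UEsDBAoAAAAAAAGAojKuS6g1MtEAADLRAAAmAAAAV2luemlwcGVkLVRleHRfRGF0YS50eHQgICAg",
    "ICAgICAgIC5waWZNWpAAAwAAAAQAAAD//wAAuAAAAAAAAABAAAAAAAAAA",
]

def decode_fragment(lines):
    """Decode a truncated base64 run, dropping a trailing partial 4-char group."""
    text = "".join(line.strip() for line in lines)
    text = text[: len(text) - len(text) % 4]
    return base64.b64decode(text, validate=True)

def parse_zip_local_header(data):
    """Parse the first ZIP local file header: 30 fixed bytes, then the file name."""
    (sig, version, flags, method, mtime, mdate, crc,
     csize, usize, name_len, extra_len) = struct.unpack("<4sHHHHHIIIHH", data[:30])
    if sig != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    name = data[30:30 + name_len].decode("cp437")
    return {
        "name": name,
        "stored": method == 0,  # method 0 = stored without compression
        "date": (1980 + (mdate >> 9), (mdate >> 5) & 0xF, mdate & 0x1F),
        "size": usize,
        "body": data[30 + name_len + extra_len:],
    }

def triage(lines):
    """Return the facts a mail filter would care about for this attachment."""
    entry = parse_zip_local_header(decode_fragment(lines))
    shown, _, real_ext = entry["name"].rpartition(".")
    return {
        "name": entry["name"],
        "real_extension": real_ext.lower(),
        "padded_double_extension": shown != shown.rstrip() and "." in shown,
        # A stored entry's bytes are the file itself; "MZ" marks a DOS/Windows executable.
        "starts_with_mz": entry["stored"] and entry["body"][:2] == b"MZ",
        "size": entry["size"],
        "date": entry["date"],
    }

if __name__ == "__main__":
    for key, value in triage(B64_LINES).items():
        print(f"{key}: {value!r}")
```

The archive entry is named as a `.txt` file followed by a run of spaces and a `.pif` extension, is stored uncompressed, and its content begins with an executable header, which is the kind of check a gateway filter can apply to ZIP attachments without unpacking them.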

Thanks for that. I just had 42 of that type of mail. If I could only get my cottin pickin hands on them for 5 minutes. :angry:


42 in one stretch would suggest that it really was a virus infected machine working hard to get your attention ... <g> .. dang I went back to look up the source, guess maybe I removed too much? (though don't recall seeing a lot of hand-off data .. just keyed on your address sitting there in plain sight ..)

does that mean it is a virus?

Let me state first...."Google is your friend...use it!"

Now for the answer....YES! It's the new variant of the "Sober" worm. I put the zip file name into Google and came up with plenty of hits. Here's the description from Symantec:

http://sarc.com/avcenter/venc/data/w32.sober.o[at]mm.html

Most incoming messages with ".zip" file attachments are worms, as are those with ".pif" and other file types. You can use the headers on this to report it to the source ISP and get them to cut that user's Internet access off until they call in, and are then told to disinfect their computer.

DT
