Lollercoaster

Can't understand why I've been "blocked"


Hello everyone.

I'm new here, and am new to the game of spam "block lists" seeing as this is the first time something like this has happened.

I have a network at a rather large non-profit organization here in Canada. We use a Qmail mail server with Telus as our ISP for both internet and our e-mail server. Our domain is www.pgnfc.com

The thing is, nobody within my network can now send e-mail from their computer! I get the message you describe in your FAQ when trying to send mail, in which I was directed to the page to look up a "blocked" IP.

It gave me this information:

209.53.184.21 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 19 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Additional potential problems

(these factors do not directly result in spamcop listing)

System administrator has already delisted this system once

Because of the above problems, express-delisting is not available

Listing History

System has been listed for less than 24 hours.

Dispute Listing

If you are the administrator of this system and you are sure this listing is erroneous, you may request that we review the listing. Because everyone wants to dispute their listing, regardless of merit, we reserve the right to ignore meritless disputes.

Dispute listing of 209.53.184.21

In the "TraceIP" section it lists this:

Parsing input: 209.53.184.21

host 209.53.184.21 = m184-21.pgnfc.com. (cached)

Reporting addresses:

abuse[at]telusplanet.net

I tried using the "delist address" option once, but apparently it just blocked me again!

Does anyone have any suggestions on what I can do? It is a very annoying issue that needs to be solved.

If you need more information to help me, please let me know what you need, and I will get it for you.

Any help will be greatly appreciated.


I can understand it...........

Maybe this will shed a little light on the subject.

Received: from [209.53.184.21] (helo=localhost)
    by in-mta3.plasa.com 77 with smtp id 1E058O-0004K9-W6
    for HIDDEN_USER[at]plasa.com; Wed, 03 Aug 2005 05:21:17 +0700
Date: Tue, 02 Aug 2005 15:16:36 +0100
From: "Ellison"<HIDDEN_USER[at]yahoo.com>
To: <HIDDEN_USER[at]plasa.com>
Subject: Any med for your girl to be happy!
Message-ID: <002b01c54b50$10e49590$HIDDEN_USER[at]mmwedw>
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Content-Type: text/html
X-spam-Report:spam detection software has identified this email as possible spam.
If you have any questions, contact HIDDEN_USER[at]telkom.net.id for details.
Content preview: Your girl is unsatisfied with your potency? Don't wait
until she finds another men! Click here to choose from a great variety
of LICENSED love HIDDEN_USER[at]bs! Best pri$es, fast shipping and guaranteed
effect! Here you buy it right from warehouse! We are VERIFIED BY BBB
and APPROVED BY VISA! [...]
Content analysis details: (11.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 NO_REAL_NAME           From: does not include a real name
 0.2 DATE_IN_PAST_06_12     Date: is 6 to 12 hours before Received: date
 2.3 MSGID_OUTLOOK_INVALID  Message-Id is fake (in Outlook Express format)
 2.2 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
 0.5 INFO_TLD               URI: Contains an URL in the INFO top-level domain
 1.8 URI_4YOU               URI: Message has URI 4you
 0.1 HTML_40_50             BODY: Message is 40% to 50% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [uRIs: bestpharmacy4you.info]
 2.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [uRIs: bestpharmacy4you.info]
 0.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
 0.0 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format

Sample 2 of 9:

Received: from [209.53.184.21] (helo=localhost)
    by in-mta3.plasa.com 77 with smtp id 1E058K-0004Ih-9d
    for HIDDEN_USER[at]plasa.com; Wed, 03 Aug 2005 05:21:12 +0700
Date: Tue, 02 Aug 2005 15:16:32 +0100
From: "Ellison"<HIDDEN_USER[at]yahoo.com>
To: <HIDDEN_USER[at]plasa.com>
Subject: Any med for your girl to be happy!
Message-ID: <002b01c54b50$10e49590$HIDDEN_USER[at]mmwedw>
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Content-Type: text/html
X-spam-Report:spam detection software has identified this email as possible spam.
If you have any questions, contact HIDDEN_USER[at]telkom.net.id for details.
Content preview: Your girl is unsatisfied with your potency? Don't wait
until she finds another men! Click here to choose from a great variety
of LICENSED love HIDDEN_USER[at]bs! Best pri$es, fast shipping and guaranteed
effect! Here you buy it right from warehouse! We are VERIFIED BY BBB
and APPROVED BY VISA! [...]
Content analysis details: (11.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 NO_REAL_NAME           From: does not include a real name
 0.2 DATE_IN_PAST_06_12     Date: is 6 to 12 hours before Received: date
 2.3 MSGID_OUTLOOK_INVALID  Message-Id is fake (in Outlook Express format)
 2.2 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
 0.5 INFO_TLD               URI: Contains an URL in the INFO top-level domain
 1.8 URI_4YOU               URI: Message has URI 4you
 0.1 HTML_40_50             BODY: Message is 40% to 50% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [uRIs: bestpharmacy4you.info]
 2.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [uRIs: bestpharmacy4you.info]
 0.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
 0.0 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format

Sample 3 of 9:

Received: from [209.53.184.21] (helo=localhost)
    by in-mta3.plasa.com 77 with smtp id 1E058F-0004HG-8K
    for HIDDEN_USER[at]plasa.com; Wed, 03 Aug 2005 05:21:07 +0700
Date: Tue, 02 Aug 2005 15:16:27 +0100
From: "Ellison"<HIDDEN_USER[at]yahoo.com>
To: <HIDDEN_USER[at]plasa.com>
Subject: Any med for your girl to be happy!
Message-ID: <002b01c54b50$10e49590$HIDDEN_USER[at]mmwedw>
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Content-Type: text/html
X-spam-Report:spam detection software has identified this email as possible spam.
If you have any questions, contact HIDDEN_USER[at]telkom.net.id for details.
Content preview: Your girl is unsatisfied with your potency? Don't wait
until she finds another men! Click here to choose from a great variety
of LICENSED love HIDDEN_USER[at]bs! Best pri$es, fast shipping and guaranteed
effect! Here you buy it right from warehouse! We are VERIFIED BY BBB
and APPROVED BY VISA! [...]
Content analysis details: (11.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 NO_REAL_NAME           From: does not include a real name
 0.2 DATE_IN_PAST_06_12     Date: is 6 to 12 hours before Received: date
 2.3 MSGID_OUTLOOK_INVALID  Message-Id is fake (in Outlook Express format)
 2.2 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
 0.5 INFO_TLD               URI: Contains an URL in the INFO top-level domain
 1.8 URI_4YOU               URI: Message has URI 4you
 0.1 HTML_40_50             BODY: Message is 40% to 50% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 0.6 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [uRIs: bestpharmacy4you.info]
 2.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [uRIs: bestpharmacy4you.info]
 0.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
 0.0 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format

Sample 4 of 9:

Received: from [209.53.184.21] (helo=localhost)
    by in-mta3.plasa.com 77 with smtp id 1E058A-0004FR-6F
    for HIDDEN_USER[at]plasa.com; Wed, 03 Aug 2005 05:21:02 +0700
Date: Tue, 02 Aug 2005 15:16:22 +0100
From: "Gersh"<HIDDEN_USER[at]yahoo.com>
To: <HIDDEN_USER[at]plasa.com>
Subject: RE: The OEM Software Licensing Site-XP Pro Technologies
Message-ID: <002b01c54b50$10e49590$HIDDEN_USER[at]jdkwd7ssa>
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Content-Type: text/html
X-spam-Report:spam detection software has identified this email as possible spam.
If you have any questions, contact HIDDEN_USER[at]telkom.net.id for details.
Content preview: TOP quality software: Special Offer #1: Windows XP
Professional+Microsoft Office XP Professional = only $80 Special Offer
#2: Adobe - Photoshop 7, Premiere 7, Illustrator 10 = only $120 Special
Offer #3: Macromedia Dreamwaver MX 2004 + Flash MX 2004 = only $100
[...]
Content analysis details: (15.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 NO_REAL_NAME           From: does not include a real name
 0.2 DATE_IN_PAST_06_12     Date: is 6 to 12 hours before Received: date
 2.3 MSGID_OUTLOOK_INVALID  Message-Id is fake (in Outlook Express format)
 2.2 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
 0.5 INFO_TLD               URI: Contains an URL in the INFO top-level domain
 0.1 HTML_40_50             BODY: Message is 40% to 50% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 2.0 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [uRIs: mefehmicgh.info]
 0.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [uRIs: mefehmicgh.info]
 2.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [uRIs: mefehmicgh.info]
 3.9 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [uRIs: mefehmicgh.info]
 0.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
 0.0 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format

Sample 5 of 9:

Received: from [209.53.184.21] (helo=localhost)
    by in-mta3.plasa.com 77 with smtp id 1E0583-0004Ck-IZ
    for HIDDEN_USER[at]plasa.com; Wed, 03 Aug 2005 05:20:56 +0700
Date: Tue, 02 Aug 2005 15:16:16 +0100
From: "Gersh"<HIDDEN_USER[at]yahoo.com>
To: <HIDDEN_USER[at]plasa.com>
Subject: RE: The OEM Software Licensing Site-XP Pro Technologies
Message-ID: <002b01c54b50$10e49590$HIDDEN_USER[at]jdkwd7ssa>
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Content-Type: text/html
X-spam-Report:spam detection software has identified this email as possible spam.
If you have any questions, contact HIDDEN_USER[at]telkom.net.id for details.
Content preview: TOP quality software: Special Offer #1: Windows XP
Professional+Microsoft Office XP Professional = only $80 Special Offer
#2: Adobe - Photoshop 7, Premiere 7, Illustrator 10 = only $120 Special
Offer #3: Macromedia Dreamwaver MX 2004 + Flash MX 2004 = only $100
[...]
Content analysis details: (15.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.2 NO_REAL_NAME           From: does not include a real name
 0.2 DATE_IN_PAST_06_12     Date: is 6 to 12 hours before Received: date
 2.3 MSGID_OUTLOOK_INVALID  Message-Id is fake (in Outlook Express format)
 2.2 FORGED_YAHOO_RCVD      'From' yahoo.com does not match 'Received' headers
 0.5 INFO_TLD               URI: Contains an URL in the INFO top-level domain
 0.1 HTML_40_50             BODY: Message is 40% to 50% HTML
 0.0 HTML_MESSAGE           BODY: HTML included in message
 1.2 MIME_HTML_ONLY         BODY: Message only has text/html MIME parts
 2.0 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [uRIs: mefehmicgh.info]
 0.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [uRIs: mefehmicgh.info]
 2.0 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [uRIs: mefehmicgh.info]
 3.9 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [uRIs: mefehmicgh.info]
 0.0 FORGED_OUTLOOK_HTML    Outlook can't send HTML message only
 0.0 FORGED_OUTLOOK_TAGS    Outlook can't send HTML in this format

Edited by Merlyn


Alright...

Well, thanks for the wall of text...I guess.

Doesn't exactly give me much of an idea of what I have to do to rectify this problem, however.


If as you say, nobody can send any email, then it is your ISP who is blocking you.

You need to contact them to solve the problem.

If on the other hand specific messages are being blocked by individual users (or their ISPs) then you need to determine just who and how messages were being sent to the SpamTraps. Not an easy thing to do in a large network.

The IP you listed 209.53.184.21 has a host name of m184-21.pgnfc.com

So that appears to be a server under your control.

You need to search your logs and determine who is abusing your system.

It could be a hacker from the outside or someone on the inside.

SenderBase indicates a 6,312% increase in traffic in the last 24 hours.

You have a huge hole to plug. Until you do, you will have a growing blocking problem.


There is only one email in the Report History for m184-21.pgnfc.com [209.53.184.21], as follows:

Submitted: Tuesday, August 02, 2005 16:51:59 -0400:

pumping bottoms til they ache

    * 1480796365 ( http:// orangedge.com/beforeourkingswecelebrate/... ) To: mole[at]devnull.spamcop.net

    * 1480796363 ( 209.53.184.21 ) To: mole[at]devnull.spamcop.net

All of the rest of the items that got that IP Address listed appear to have been spam Trap hits. You need to stop whatever it is that is spewing forth spam out of your system m184-21.pgnfc.com [209.53.184.21]. Research so far points to one or more spammer(s) abusing not only your system but systems in China, selling your typical variety of casual sex, porn, illegal drugs, and pirated software. If you can't do that by yourself, you will need a networking professional to do it for you - some of us are available for hire.

Also, per dr. jørgen mash's DNS database list checker, "209.53.184.21 ... was found in 9 lists (of 260 tested)".

Edited by Jeff G.
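The lookup behind the "listed in bl.spamcop.net (127.0.0.2)" line and behind multi-list checkers like the one mentioned above, as an added example that is not part of any post in this thread. The zone names other than bl.spamcop.net, the fake resolver and its answers are constructed so the block runs offline; pass no `resolve` argument to query real DNS.

```python
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """IPv4 DNSBL convention: reverse the octets and append the list's zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything but an IPv4 address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_dnsbl(ip, zones, resolve=socket.gethostbyname):
    """Return {zone: return code, or None when the address is not listed there}."""
    results = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except socket.gaierror:
            results[zone] = None  # name does not exist: not listed
            continue
        # A listing answers inside 127.0.0.0/8. Any other address means a resolver
        # is rewriting failed lookups and must not be read as a listing.
        listed = ipaddress.ip_address(answer) in LISTED_RANGE
        results[zone] = answer if listed else None
    return results


def fake_resolver(answers):
    """Offline stand-in for DNS (constructed data): unknown names fail to resolve."""
    def resolve(name):
        if name in answers:
            return answers[name]
        raise socket.gaierror("name not found")
    return resolve


def demo():
    # Constructed answers: one real-looking listing, one rewritten failed lookup.
    resolver = fake_resolver({
        "21.184.53.209.bl.spamcop.net": "127.0.0.2",
        "21.184.53.209.rewritten.example.net": "203.0.113.7",
    })
    zones = ["bl.spamcop.net", "dnsbl.example.org", "rewritten.example.net"]
    return check_dnsbl("209.53.184.21", zones, resolve=resolver)


if __name__ == "__main__":
    for zone, code in demo().items():
        print(f"{zone}: {'listed ' + code if code else 'not listed'}")
```

Running the same check after the cleanup is a quick way to confirm that a listing has actually expired.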

I tried using the "delist address" option once, but apparently it just blocked me again!

31169[/snapback]

Hopefully the previous messages have pointed you in the right direction. Quite possibly you have a zombied computer on your network and one of your colleagues' PCs is generating the junk entirely without their knowledge.

If the problem persists then you can expect your ISP to disconnect your system entirely so your prompt efforts to resolve the matter are clearly correct.

One slight aside, having used the manual de-list process and that having failed because you hadn't first fixed the issue means that manual de-listing is not likely to be available to you in the future.

Andrew


Is there a type of trojan or virus that can essentially "zombify" a PC? It's interesting that you mention systems in China, considering my IPCop logs showed IP addresses apparently listed somewhere in China. I mean, the 209.53.184.21 is the IP address assigned to the "Red Interface" on my IPCop firewall.

Since this happened so suddenly, I already have an idea of what computer possibly could have contracted this horrible plague.

A computer doesn't necessarily have to have an e-mail account set up to propagate spam if "zombified" does it?

Is there a type of trojan or virus that can essentially "zombify" a PC? It's interesting that you mention systems in China, considering my IPCop logs showed IP addresses apparently listed somewhere in China. I mean, the 209.53.184.21 is the IP address assigned to the "Red Interface" on my IPCop firewall.

31188[/snapback]

Many of the recent viruses can do this.

Since this happened so suddenly, I already have an idea of what computer possibly could have contracted this horrible plague.

A computer doesn't necessarily have to have an e-mail account set up to propagate spam if "zombified" does it?

31188[/snapback]

No, all it needs is a connection to the internet.

Is there a type of trojan or virus that can essentially "zombify" a PC?

<snip>

31188[/snapback]

Hi, Lollercoaster,

...Please forgive me for being judgmental but I think the harm being done to the internet and e-mail users may justify it -- I hope you will consider hiring a consultant who is familiar with QMail and e-mail security. The question you ask suggests to me that you have inadequate knowledge to actually find and solve your problem.

...Good luck to you, and thanks for caring about the spam problem! :) <g>

Hi, Lollercoaster,

...Please forgive me for being judgmental but I think the harm being done to the internet and e-mail users may justify it -- I hope you will consider hiring a consultant who is familiar with QMail and e-mail security.  The question you ask suggests to me that you have inadequate knowledge to actually find and solve your problem.

...Good luck to you, and thanks for caring about the spam problem! :) <g>

31191[/snapback]

Well, I'm a cable monkey more or less. I was the one who set up the network infrastructure in this organization more or less by running all the Cat5 through the building, placing patch panels and hubs, et cetera et cetera, as well as setting up our file share servers and firewall.

However, you are right when you say I don't exactly have the greatest amount of expertise when it comes to internet security. For example, I know how to administer Qmail, and that's about it. I'm slowly learning more and more about it as issues arise.

However, as a non-profit organization, hiring someone is out of the question. And in these parts, people that are "experts" on the situation are probably non-existent.

The reason I'm asking these questions is because I can't become more well versed in internet security if I don't try to do the research needed to solve these problems myself.


You should start by looking at your firewall logs, specifically looking for connections from the inside to Port 25 on the outside, and determining what device(s) on the inside are initiating those connections. Each device is either authorized or unauthorized - check the security of any that are unauthorized. There is probably one infected/zombied device causing that traffic.


Haha, some interesting stuff here.

I checked out my firewall logs, and the day the incident happened, August 2, I had 5666 firewall hits logged as opposed to the average of about 500 I get on a regular day.

In addition, many of them were using port 25 to complete the transaction.

So yes, indeed there was a system behind my firewall that was causing havoc.

After a bit of investigation I found out that someone had been in my office over the long weekend, and had used the Dell PC I usually use as the print server for my color copier, and managed to download a whole bunch of trojans onto it. I obviously noticed a little too late. I did a scan on the computer and there was upwards of 40 instances on there, many of them "Mail bombers" and "Mail flooders".

The good thing is that before I left last night I unplugged the system's patch cable from the ethernet port, and since then my SpamCop listing is counting down the hours till the IP is released. 7 approximately.

Hopefully this computer was the zombie, which in all probability it was.

This is why I like using a Mac! :)

On another interesting note, while the mail is blocked right away from being sent out, it seems to hang out in the outbox for 10-15 minutes and then go out properly.


For documentation / tracking purposes, http://www.senderbase.org/?searchBy=ipaddr...g=209.53.184.21 currently shows:

Report on IP address: 209.53.184.21

Volume Statistics for this IP

               Magnitude   Vol Change vs. Average
Last day          3.9            6339%
Last 30 days      2.8             495%
Average           2.1

Your tale of discovery doesn't include a network scan to see if the malware has propagated to other systems ... point being that I don't see the "last day" traffic yet going down (on the other hand, I don't believe it's changed in the last several hours either ..??)

Your original "no one can send mail" and your last "seems to hang out" both seem to go along with the SenderBase numbers, suggesting that your e-mail server is (still) choking on trying to handle the flow of outgoing e-mail ....???? That the number hasn't been seen to be still increasing perhaps due to already working as fast as it can?

The scary part is that although this IP address is winding down towards a de-listing, this might actually be a result of the "total" traffic 'seen' slewing the results of the mathematical model used in the listing/de-listing process. Point there being that if the spew is still going out, you may find this server on many other BLs, none as 'forgiving' as SpamCop's.


I already scanned my Windows Servers and network drives for any malware, and they came up clean, thankfully.

I'm going to do a search around the building here though to make sure it hasn't spread elsewhere. It doesn't hurt to make sure.


Do you have anything that can help you to summarize your firewall logs, baseline them, and alert you to significant variations from the baseline? If so, please use it.
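One way to do the log review suggested in this thread (inside hosts connecting to port 25 on the outside, plus a daily baseline), as an added example that is not part of any post. It assumes the firewall writes standard netfilter `LOG` lines to syslog; the LAN range, host addresses, log prefix and sample lines are all constructed.

```python
import ipaddress
import re
import statistics
from collections import Counter

# A netfilter/iptables LOG line: syslog stamp, then KEY=value packet fields.
STAMP = re.compile(r"^(\w{3})\s+(\d{1,2})\s")
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Return day/src/dst/proto/dpt for a packet log line, or None for anything else."""
    stamp = STAMP.match(line)
    fields = dict(FIELD.findall(line))
    if not stamp or not {"SRC", "DST", "PROTO"} <= fields.keys():
        return None
    try:
        return {
            "day": f"{stamp.group(1)} {int(stamp.group(2)):02d}",
            "src": ipaddress.ip_address(fields["SRC"]),
            "dst": ipaddress.ip_address(fields["DST"]),
            "proto": fields["PROTO"],
            "dpt": int(fields.get("DPT", 0)),  # ICMP lines carry no DPT
        }
    except ValueError:
        return None  # truncated or corrupted line


def outbound_smtp(lines, lan, mail_servers):
    """Count inside-to-outside TCP/25 connections per source, split by authorisation."""
    lan = ipaddress.ip_network(lan)
    allowed = {ipaddress.ip_address(a) for a in mail_servers}
    authorised, unexpected = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] != "TCP" or rec["dpt"] != 25:
            continue
        if rec["src"] in lan and rec["dst"] not in lan:
            bucket = authorised if rec["src"] in allowed else unexpected
            bucket[str(rec["src"])] += 1
    return authorised, unexpected


def days_above_baseline(lines, factor=3.0):
    """Days whose logged hits exceed factor x the median daily count."""
    per_day = Counter(rec["day"] for rec in filter(None, map(parse_line, lines)))
    if len(per_day) < 3:
        return {}  # too little history to call anything a baseline
    baseline = statistics.median(per_day.values())
    return {day: n for day, n in per_day.items() if n > factor * baseline}


def make_line(day, clock, src, dst, dpt):
    """Build one constructed log line (prefix, interfaces and host name are made up)."""
    return (f"Aug {day:>2} {clock} ipcop kernel: OUTGOING IN=eth0 OUT=eth1 "
            f"SRC={src} DST={dst} LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4242 DF "
            f"PROTO=TCP SPT=1045 DPT={dpt} WINDOW=16384 RES=0x00 SYN URGP=0")


def sample_log():
    """Constructed four-day log: quiet days plus one SMTP burst from a workstation."""
    lines = ["Aug  1 03:00:01 ipcop syslogd: restart"]  # not a packet line, skipped
    for day in (1, 2, 3, 4):
        for i in range(3):  # the authorised mail server delivering normally
            lines.append(make_line(day, f"09:0{i}:00", "192.168.1.10", "198.51.100.25", 25))
        for i in range(4):  # ordinary web browsing
            lines.append(make_line(day, f"10:0{i}:00", "192.168.1.23", "203.0.113.80", 80))
    for i in range(40):  # a desktop talking SMTP straight to outside hosts
        lines.append(make_line(2, f"15:16:{i:02d}", "192.168.1.57", f"203.0.113.{i + 1}", 25))
    return lines


if __name__ == "__main__":
    log = sample_log()
    ok, unexpected = outbound_smtp(log, "192.168.1.0/24", ["192.168.1.10"])
    print("authorised SMTP sources:", dict(ok))
    print("unexpected SMTP sources:", dict(unexpected))
    print("days above baseline:", days_above_baseline(log))
```

This only identifies the inside host if the firewall logs the connection with its pre-NAT source address.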

<snip>

I checked out my firewall logs, and the day the incident happened, August 2, I had 5666 firewall hits logged as opposed to the average of about 500 I get on a regular day.

In addition, many of them were using port 25 to complete the transaction.

So yes, indeed there was a system behind my firewall that was causing havoc.

After a bit of investigation I found out that someone had been in my office over the long weekend, and had used the Dell PC I usually use as the print server for my color copier, and managed to download a whole bunch of trojans onto it. I obviously noticed a little too late. I did a scan on the computer and there was upwards of 40 instances on there, many of them "Mail bombers" and "Mail flooders".

<snip>

Hopefully this computer was the zombie, which in all probability it was.

<snip>

31202[/snapback]

...You went from "Is there a type of trojan or virus that can essentially "zombify" a PC?" to "this computer was [probably] the zombie" with lightning speed! I hereby retract my earlier words. Please pass the seasoning salt! :) <g>

Do you have anything that can help you to summarize your firewall logs, baseline them, and alert you to significant variations from the baseline?  If so, please use it.

31210[/snapback]

I believe there is something like this in place. I will look into it.

...You went from "Is there a type of trojan or virus that can essentially "zombify" a PC?" to "this computer was [probably] the zombie" with lightning speed!  I hereby retract my earlier words.  Please pass the seasoning salt!  :) <g>

31212[/snapback]

What can I say? I learn fast, especially when people are depending on you for answers. :) I'll have to make sure that in the future I am not so lax when checking out new virus threats.

It doesn't look good when the spam coming from your network is pointing to some extremely bad porn sites:

http://orangedge.com/beforeourkingsweceleb...pop/knights.htm

looks like it has an SBL Record

http://www.spamhaus.org/sbl/sbl.lasso?query=SBL29636

I agree with the trojaned machine scenario........

31213[/snapback]

lol, no kidding. It makes us look like a bunch of sex perverts when it's coming from our system.


It looks like it's gotten worse since Wazoo's post early this afternoon EDT (31204[/snapback]). http://www.senderbase.org/?searchBy=ipaddr...g=209.53.184.21 currently shows:

Report on IP address: 209.53.184.21

Volume Statistics for this IP

               Magnitude   Vol Change vs. Average   EstVol/Day
Last day          4.2              8784%               21K
Last 30 days      3.1               706%               1.7K
Average           2.1                                  0.17K

Edited by Jeff G.


Plug pulled perhaps?

Volume Statistics for this IP

               Magnitude   Vol Change vs. Average
Last day          2.3             -33%
Last 30 days      3.1             695%
Average           2.2

Plug pulled perhaps?

Volume Statistics for this IP 

               Magnitude   Vol Change vs. Average
Last day          2.3             -33%
Last 30 days      3.1             695%
Average           2.2

31240[/snapback]

Yes, after doing the appropriate research I pulled the plug on the offender quite some time ago actually. I seem to have been de-listed from the SpamCop block list.

I don't know what's up with Senderbase though, as it appears to refresh its data rather slowly.


How can "2.3" be a "-33%" Vol Change vs. an Average of "2.2"? That math doesn't exactly work.


Not that I expect an answer, but .... query sent as I have no idea beyond tossing in a guess or two ....

How can "2.3" be a "-33%" Vol Change vs. an Average of "2.2"?  That math doesn't exactly work.

31248[/snapback]

I believe that the following may help explain it
Daily magnitude is a measure of how many messages a domain has sent over the last 24 hours. Similar to the Richter scale used to measure earthquakes, SenderBase's magnitude is a measure of message volume calculated using a log scale with a base of 10. The maximum theoretical value of the scale is set to 10, which equates to 100% of the world's email message volume (approximately 10 billion messages/day).

Monthly magnitude is calculated using the same approach as daily magnitude, except the percentages are calculated based on the volume of email sent over the last 30 days.

Estimated volume is SenderBase's "guess" of how many messages a domain is sending in a day, using a sampling of messages received by over 28,000 network owners.

Domain is the domain name associated with the messages in the volume estimate.

Since daily and monthly totals do vary, the relative magnitudes would also change.

Edited by dbiel
