fireguy

Non mailserver IP blocked


I have 2 IP addresses. One is my mail server (and has been since we got them) and the other is the 2nd DNS. I received an email the other day that someone was relaying from our 2nd IP address. How can that be? I am using IMail (latest version) and it is set not to relay mail. Since there is no web mail application on the machine with the 2nd IP, how do I make sure no one can relay? Please help.

Thanks

I have 2 IP addresses. One is my mail server (and has been since we got them) and the other is the 2nd DNS. I received an email the other day that someone was relaying from our 2nd IP address. How can that be?

<snip>

[quoted from post 31958]

Hi, fireguy!

...Please see my reply in thread "Spammers using real headers" -- part that begins "Please explain to me what a "zombied machine" is? <snip>"


vineland.ccoel.org reports the following MX records:

Preference  Host Name   IP Address
10          ccoel.org   209.3.204.207

Your NS records at the parent servers are:

VINELAND2.CCOEL.ORG. [209.3.204.254] [TTL=172800] [uS]

VINELAND.CCOEL.ORG. [209.3.204.207] [TTL=172800] [uS]

[These were obtained from tld6.ultradns.co.uk]

So it appears that the IP in question is 209.3.204.254

Quick check - not answering Port 80, port 25

Then again,

ERROR: Some of your nameservers listed at the parent nameservers did not respond. The ones that did not respond are:

209.3.204.254

Perhaps it's actually off-line at present?

vineland.ccoel.org reports the following MX records:

Preference  Host Name   IP Address
10          ccoel.org   209.3.204.207

Your NS records at the parent servers are:

VINELAND2.CCOEL.ORG. [209.3.204.254] [TTL=172800] [uS]

VINELAND.CCOEL.ORG. [209.3.204.207] [TTL=172800] [uS]

[These were obtained from tld6.ultradns.co.uk]

So it appears that the IP in question is 209.3.204.254

[quoted from post 31964]

Wazoo, if your findings are correct, they have a third IP as well, the posting IP address 209.3.204.211 - no reports.

host 209.3.204.211 = client-209-3-204-211.ccoel.org (cached)

No recent reports, no history available

host 209.3.204.207 (getting name) = client-209-3-204-207.ccoel.org.

No recent reports, no history available

host 209.3.204.254 = client-209-3-204-254.ccoel.org (cached)

[report history]

Report History:

--------------------------------------------------------------------------------

Submitted: Wednesday, August 24, 2005 12:52:09 PM -0400:

RE: Elegance, beauty, class!

--------------------------------------------------------------------------------

Submitted: Wednesday, August 24, 2005 6:26:47 AM -0400:

Genuine Offer: 3.2%.

--------------------------------------------------------------------------------

Submitted: Wednesday, August 24, 2005 3:50:12 AM -0400:

Healthy Spermatazoa

--------------------------------------------------------------------------------

Submitted: Tuesday, August 23, 2005 1:06:56 PM -0400:

New Emerging Growth St0ck

--------------------------------------------------------------------------------

Submitted: Tuesday, August 23, 2005 12:26:11 AM -0400:

Rolex & LV Bag Replica Sale

--------------------------------------------------------------------------------

209.3.204.254 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 20 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

DNS error: 209.3.204.254 is client-209-3-204-254.ccoel.org but client-209-3-204-254.ccoel.org has no DNS information

This machine (.254) looks like it is being used by every spammer out there and is already listed on 3 of the BLs that SenderBase monitors.

http://www.senderbase.org/?searchBy=ipaddr...g=209.3.204.254

Pay special attention to the Volume Statistics:

              Magnitude   Vol Change vs. Average
Last day      5.1         11253%
Last 30 days  3.9         575%
Average       3.0

That machine probably has gotten infected with one of the recent viruses and is now open to the public. I noticed port 8080 is open which is one of the indicators.

Is there a reason you have an FTP server on that IP or is that part of the infection?

C:\>ftp 209.3.204.254

Connected to 209.3.204.254.

220 SSH-1.99-OpenSSH_3.4

User (209.3.204.254:(none)):

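The checks the two replies above walk through by hand (Wazoo's MX/NS lookup and port probe, then the bl.spamcop.net listing, the "has no DNS information" error on the PTR name, and the SSH banner that came back from an ftp client) can be scripted. The following is an added example, not code from the thread, SpamCop, SenderBase or IMail. The DNS answers in SAMPLE_A and SAMPLE_PTR are constructed from the records quoted in the thread (plus a made-up mail.example.net / 192.0.2.10 pair to show a passing case) so the module runs offline; the resolver callables and the sample banners are assumptions you replace with live lookups.

```python
"""DNSBL lookup, forward-confirmed reverse DNS (FCrDNS) and banner identification.

Added example, not from the forum thread. Resolver functions are injectable so the
constructed sample data below runs offline; pass real lookups for live checks.
"""
import socket
from typing import Callable, List, Optional, Tuple

# Constructed sample answers (not live DNS), modelled on the records quoted in the thread.
SAMPLE_A = {
    "254.204.3.209.bl.spamcop.net": ["127.0.0.2"],   # listed: the list answers with a loopback code
    "vineland.ccoel.org": ["209.3.204.207"],
    "vineland2.ccoel.org": ["209.3.204.254"],
    "mail.example.net": ["192.0.2.10"],              # made-up host whose PTR and A agree
    # client-209-3-204-254.ccoel.org is deliberately absent: the PTR name has no A record.
}
SAMPLE_PTR = {
    "209.3.204.254": "client-209-3-204-254.ccoel.org",
    "209.3.204.207": "client-209-3-204-207.ccoel.org",
    "192.0.2.10": "mail.example.net",
}


def sample_resolve_a(name: str) -> List[str]:
    """Stand-in for an A lookup; [] plays the role of NXDOMAIN."""
    return SAMPLE_A.get(name.lower().rstrip("."), [])


def sample_resolve_ptr(ip: str) -> Optional[str]:
    """Stand-in for a PTR lookup; None plays the role of NXDOMAIN."""
    return SAMPLE_PTR.get(ip)


def dnsbl_query_name(ip: str, zone: str = "bl.spamcop.net") -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the list zone."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_lookup(ip: str,
                 resolve_a: Callable[[str], List[str]] = sample_resolve_a,
                 zone: str = "bl.spamcop.net") -> List[str]:
    """Return the 127.0.0.x listing codes for ip, or [] when it is not listed.

    Only loopback-range answers count as a listing: a resolver that wildcards
    NXDOMAIN, or a retired list zone that starts answering with a real address,
    must not be read as 'listed'.
    """
    answers = resolve_a(dnsbl_query_name(ip, zone))
    return [a for a in answers if a.startswith("127.")]


def fcrdns(ip: str,
           resolve_a: Callable[[str], List[str]] = sample_resolve_a,
           resolve_ptr: Callable[[str], Optional[str]] = sample_resolve_ptr) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip."""
    name = resolve_ptr(ip)
    if name is None:
        return False, f"{ip} has no PTR record"
    if ip not in resolve_a(name):
        return False, f"{ip} is {name} but {name} does not resolve back to {ip}"
    return True, name


def identify_banner(banner: bytes) -> str:
    """Classify a TCP service greeting by its first bytes."""
    text = banner.decode("ascii", errors="replace").strip()
    code = None
    # FTP and SMTP greet with a three-digit reply code, e.g. '220 host ESMTP'.
    if len(text) >= 4 and text[:3].isdigit() and text[3] in " -":
        code, text = text[:3], text[4:].lstrip()
    # An SSH identification string starts with 'SSH-'. Seeing one from an ftp
    # client means sshd (or something impersonating it) answers on that port,
    # not an FTP server, whatever reply code was printed in front of it.
    if text.startswith("SSH-"):
        return "ssh"
    if code is not None:
        return "ftp-or-smtp"
    return "unknown"


def grab_banner(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Live banner grab (not exercised offline): read the greeting and close."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(256)
        except socket.timeout:
            return b""


if __name__ == "__main__":
    for ip in ("209.3.204.207", "209.3.204.254", "209.3.204.211"):
        print(ip, "dnsbl:", dnsbl_lookup(ip), "fcrdns:", fcrdns(ip))
    print(identify_banner(b"220 SSH-1.99-OpenSSH_3.4\r\n"))
```

For live use the same queries are `dig +short 254.204.3.209.bl.spamcop.net` (a 127.0.0.x answer means listed, nothing means not listed), `dig +short -x 209.3.204.254` followed by `dig +short` on the name it returns, and `nc -v 209.3.204.254 21` to read the greeting. The rejection of non-127 answers in dnsbl_lookup matters in practice: a list that has been shut down, or a resolver that hijacks NXDOMAIN, would otherwise turn every address into a false positive.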
