dan406

63.134.198.102 Blocked. Can't find reason


63.134.198.102 is the mail server for broadwaybox.com. We have a strictly opt-in mailing list. We are whitelisted by AOL and others. It is a dedicated server. Hosted by Crystaltech.

We were listed once in the past, but now we were listed 4 times in last week. One day on, one day off.

Trying to find the reason, I contacted our hosting company but could not find the “detailed report from Spamcop”.

A. How can I get the report sent to me, or find the info/links in this report?

The first 3 listings quoted “less than 10 users”, but the last one added spam traps.

B. Is our situation deteriorating?

Message also says:

Looking for potential administrative email addresses for 63.134.198.102:

cannot find an mx for mail.broadwaybox.com

63.134.198.102 is an mx ( 10 ) for broadwaybox.com

C. Is it a reason for blacklisting? Does mail need a separate mx record?

Senderbase.org reports our traffic as 500% above average. Our average there is significantly low since we started using this server only 2 months ago (I guess..). I already requested them to update the average.

C. Is this (supposed) surge in traffic a reason for listing?

I read all FAQs and reviewed server settings. Any advice is appreciated.


One more question: I wonder if the Worm/Sober.Y is part of the problem. We get many emails with this worm. I guess it is the risk when your mailer address is in many address books.


Currently, the reporting address is abuse[at]crystaltech.com, and they have received at least the following reports.

Report History: removed because Derek provided the same

A. Currently spamcop is getting the abuse address from an entry at abuse.net. If that entry is changed, the report destination will change.

Tracking details

Display data:

"whois 63.134.198.102[at]whois.arin.net" (Getting contact from whois.arin.net )

Found AbuseEmail in whois abuse[at]crystaltech.com

63.134.192.0 - 63.134.255.255:abuse[at]crystaltech.com

Routing details for 63.134.198.102

Using abuse net on abuse[at]crystaltech.com

abuse net crystaltech.com = abuse[at]crystaltech.com

Using best contacts abuse[at]crystaltech.com

B. If messages are now hitting spamtraps, then yes, things are deteriorating. Recently, if traps were the problem, it was because of bouncing undeliverables to the forged sender address, but your actual reports are not showing that type of traffic. I also tested: your server replies to non-existent accounts with a 550 error (good). It is likely you have an infected machine behind that IP acting as a zombie for the spamming community.

C. It is not the reason for the listing but is the reason spamcop will not allow you to delist manually.

C2 (D). The average is continuously recalculated, so it shows a realistic picture of what is coming from that IP. Do you have any firewall logs you can look at? Specifically, you would be looking for SMTP traffic coming either from machines other than your mail server, or unusual traffic (overnight, for instance) coming from your mail server.
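As an added example (not from the thread), a small Python triage script for the two firewall-log checks the reply above suggests: outbound port-25 connections from any host other than the mail server, and overnight SMTP volume from the mail server that exceeds its busiest business hour. The log line format, the 10.0.0.23 host, the business-hours window and all destination addresses are constructed; only 63.134.198.102 comes from the thread.

```python
import re
from collections import Counter
from datetime import datetime

MAIL_SERVER = "63.134.198.102"     # the only host expected to send SMTP (from the thread)
BUSINESS_HOURS = range(8, 20)      # assumption: 08:00-19:59 is the normal list-sending window

# Constructed sample lines: "<ISO timestamp> <src> -> <dst>:<port> <ACTION>".
# The 10.0.0.23 host and every destination address are made up for illustration.
SAMPLE_LOG = """\
2005-12-02T09:15:02 63.134.198.102 -> 192.0.2.10:25 ALLOW
2005-12-02T09:16:40 63.134.198.102 -> 192.0.2.11:25 ALLOW
2005-12-02T14:02:11 63.134.198.102 -> 198.51.100.5:25 ALLOW
2005-12-02T03:01:55 63.134.198.102 -> 203.0.113.7:25 ALLOW
2005-12-02T03:02:01 63.134.198.102 -> 203.0.113.8:25 ALLOW
2005-12-02T03:02:07 63.134.198.102 -> 203.0.113.9:25 ALLOW
2005-12-02T03:02:13 63.134.198.102 -> 203.0.113.10:25 ALLOW
2005-12-02T03:03:20 10.0.0.23 -> 203.0.113.7:25 ALLOW
2005-12-02T03:03:25 10.0.0.23 -> 203.0.113.11:25 ALLOW
2005-12-02T10:30:00 10.0.0.23 -> 198.51.100.9:443 ALLOW
"""
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")

def parse_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, action = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "src": src,
                           "dst": dst, "port": int(port), "action": action})
    return events

def rogue_smtp_sources(events, mail_server=MAIL_SERVER):
    """Hosts other than the mail server opening outbound port 25: the classic zombie sign."""
    return Counter(e["src"] for e in events if e["port"] == 25 and e["src"] != mail_server)

def smtp_by_hour(events, mail_server=MAIL_SERVER):
    """Outbound SMTP connections per hour of day from the mail server itself."""
    return Counter(e["ts"].hour for e in events if e["port"] == 25 and e["src"] == mail_server)

def off_hours_spikes(by_hour, business_hours=BUSINESS_HOURS):
    """Off-hours buckets busier than the busiest business hour (an overnight surge)."""
    baseline = max((c for h, c in by_hour.items() if h in business_hours), default=0)
    return sorted((h, c) for h, c in by_hour.items() if h not in business_hours and c > baseline)

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("rogue SMTP sources:", dict(rogue_smtp_sources(evs)))
    print("overnight spikes (hour, count):", off_hours_spikes(smtp_by_hour(evs)))
```

On the sample, the non-mail host shows up twice on port 25 and the mail server's 03:00 bucket outruns anything seen during business hours, which are exactly the two findings the reply asks you to look for.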

> The first 3 listings quoted “less than 10 users”, but the last one added spam traps.
>
> B. Is our situation deteriorating?
>
> I read all FAQs and reviewed server settings. Any advice is appreciated.

No, but Julian's English is: that should, of course, read 'fewer than...'

Does this look like legitimate mail from that server?

Report History:

Submitted: Fri, 02 Dec 2005 20:36:31 GMT:

YAHOO©ç½æ50¸Uµ§email+¥IÃؤj¶qµo°eªºµo«H³nÅé+§K¶O±Ð§A¾Ç¨ì·|

    * 1573113009 ( http://www.seekshop.net/pay/asp-pay.htm ) To: spam[at]ms1.hinet.net

    * 1573113007 ( 63.134.198.102 ) To: spamcop[at]imaphost.com

    * 1573113006 ( 63.134.198.102 ) To: abuse[at]crystaltech.com

Submitted: Thu, 01 Dec 2005 09:13:15 GMT:

¸t½Ï§Ö¼Ö¡I¤pÁ¨¡A§Ö¼Ö³Ð·~¥h¡I

    * 1571495131 ( http://www.tw413941.net ) To: agnes.chien#eracom.com.tw[at]devnull.spamcop.net

    * 1571495129 ( http://www.tw413941.net ) To: jason#eracom.com.tw[at]devnull.spamcop.net

    * 1571495124 ( http://www.myedm.com/unsubscribe.php?unsubid=08... ) To: yihao[at]rit.com.tw

    * 1571495123 ( http://www.goodedm.com/epaper22.htm ) To: yihao[at]rit.com.tw

    * 1571495121 ( 63.134.198.102 ) To: spamcop[at]imaphost.com

    * 1571495111 ( 63.134.198.102 ) To: abuse[at]crystaltech.com

Submitted: Tue, 29 Nov 2005 00:44:27 GMT:

=?Big5?B?pGquYcRuqNO2VQ==?=

    * 1568970366 ( http://dd.apower.info/edm/111007/index1.html ) To: yihao[at]rit.com.tw

    * 1568970365 ( http://no.apower.info/ ) To: moka[at]kbtelecom.net

    * 1568970363 ( http://counter.apower.info/fm.asp? ) To: moka[at]kbtelecom.net

    * 1568970362 ( http://no.apower.info/ ) To: maxchang[at]kbtelecom.net

    * 1568970360 ( http://counter.apower.info/fm.asp? ) To: maxchang[at]kbtelecom.net

    * 1568970357 ( http://apower.info ) To: spam[at]ms1.hinet.net

    * 1568970354 ( 63.134.198.102 ) To: spamcop[at]imaphost.com

    * 1568970350 ( 63.134.198.102 ) To: abuse[at]crystaltech.com

Submitted: Wed, 23 Nov 2005 16:55:14 GMT:

--------情趣娃娃-線上圖片#...

    * 1563654630 ( 63.134.198.102 ) To: spamcop[at]imaphost.com

    * 1563654628 ( 63.134.198.102 ) To: abuse[at]crystaltech.com

Submitted: Tue, 22 Nov 2005 04:12:17 GMT:

YAHOO©ç½æªº½æ®a¦³ºÖ¤F¡Aºë·Ç50¸Uµ§YAHOO©ç½æªºEMAILÅý§Aª½±µ¦æ¾P

    * 1562231903 ( http://www.seekshop.net/pay/asp-pay.htm ) To: spam[at]ms1.hinet.net

    * 1562231901 ( 63.134.198.102 ) To: spamcop[at]imaphost.com

    * 1562231900 ( 63.134.198.102 ) To: abuse[at]crystaltech.com

Submitted: Wed, 02 Nov 2005 20:18:29 GMT:

¼v¤ù-¶W²]¶Ã¤k«Ä¡AÅý§A¬Ýªº¦å¯ß¼Q±i¡I

    * 1546015985 ( 63.134.198.102 ) To: spamcop[at]imaphost.com

    * 1546015983 ( 63.134.198.102 ) To: abuse[at]crystaltech.com

Submitted: Tuesday, October 11, 2005 02:45:15 +0100:

ºÆ¨g¤j·mÁÊ

    * 1527073826 ( 63.134.198.102 ) To: spamcop[at]imaphost.com

    * 1527073825 ( 63.134.198.102 ) To: abuse[at]crystaltech.com

If not, and given the senderbase stats, then I suspect a zombied machine.

Note to moderators: posted at same time as steve, please feel free to snip repeated data.

Edited by Derek T

> Message also says:
>
> Looking for potential administrative email addresses for 63.134.198.102:
>
> cannot find an mx for mail.broadwaybox.com
>
> 63.134.198.102 is an mx ( 10 ) for broadwaybox.com
>
> C. Is it a reason for blacklisting? Does mail need a separate mx record?
>
> Senderbase.org reports our traffic as 500% above average. Our average there is significantly low since we started using this server only 2 months ago (I guess..). I already requested them to update the average.
>
> C. Is this (supposed) surge in traffic a reason for listing?

There is one and only one reason for listing: spam currently spewing or bouncing back from the server. Listing is entirely automatic, as is de-listing. Some admins will block on the basis of no rDNS but this has nothing to do with SpamCop. Surges only get you listed if they contain spam :)

> One more question: I wonder if the Worm/Sober.Y is part of the problem. We get many emails with this worm. I guess it is the risk when your mailer address is in many address books.

Only if your server or another machine behind that IP address is infected with this (or another) WORM.

> A. How can I get the report sent to me, or find the info/links in this report?

Please see How can I get SpamCop reports about my network?.

> The first 3 listings quoted “less than 10 users”, but the last one added spam traps.
>
> B. Is our situation deteriorating?

Yes.

> Message also says:
>
> Looking for potential administrative email addresses for 63.134.198.102:
>
> cannot find an mx for mail.broadwaybox.com
>
> 63.134.198.102 is an mx ( 10 ) for broadwaybox.com
>
> C. Is it a reason for blacklisting? Does mail need a separate mx record?

No, this is not a reason for blacklisting. Your "mail.broadwaybox.com" server has its own implicit MX Record as itself with Priority 0.

> Senderbase.org reports our traffic as 500% above average. Our average there is significantly low since we started using this server only 2 months ago (I guess..). I already requested them to update the average.
>
> C. Is this (supposed) surge in traffic a reason for listing?

Your server's SenderBase Magnitude number 4.6 reflects having sent approximately 53 thousand email messages in the past 24 hours. Does that square with your legitimate use? The surge in traffic may correlate with a surge in worm or zombied spam traffic that could be a reason for listing, but it is not a reason for listing by itself.

> I read all FAQs and reviewed server settings. Any advice is appreciated.

Thank you very much for that, and for asking informed questions.

Also, please see FAQ Entry: Am I Running Mailing Lists Responsibly?. Thanks!

Edited by Jeff G.


As you can see from the above examples, there are links to known spam sites in Taiwan, Korea and others. I cannot believe you are sending these. If I were you, I would take a closer look at the mail logs. If you cannot find anything in them, then your machine has been taken over by the spammers. If the spammers have more control of your server than you do, then the best thing would be to shut it down until you can remove the threat and secure the machine.

> Your server's SenderBase Magnitude number 4.6 reflects having sent approximately 53 thousand email messages in the past 24 hours. Does that square with your legitimate use? The surge in traffic may correlate with a surge in worm or zombied spam traffic that could be a reason for listing, but it is not a reason for listing by itself.

53 thousand emails reflects our average legitimate traffic. So spammers did not take over the machine. We are behind a firewall. mail relay disabled.

> there are links to known spam sites in Taiwan, Korea and others. I cannot believe you are sending these.

What are those links? are those the people who reported spam? or the sites that were promoted in the emails that supposedly came from us?

Thanks all for your help

> What are those links? Are those the people who reported spam? Or the sites that were promoted in the emails that supposedly came from us?

Those "links" are URLs for web pages that were promoted in the emails that supposedly came from your server's IP Address.

Edited by Jeff G.


Thanks again for taking the time to help.

I know that five far eastern sites seem to be promoted from our IP.

I looked at our server and it looks OK "on the surface".

A. Is it possible that the emails did not REALLY come from our server (sender email spoofed?). How do I prove it?

B. Any tools I can use to find a spammer "hidden" on our site? We use IIS on Win Server 2003 and the Smarttools mail server.

C. What's next best step?

I signed up for an ISP account on SC so I get future reports directly.

> Thanks again for taking the time to help.
>
> I know that five far eastern sites seem to be promoted from our IP.
>
> I looked at our server and it looks OK "on the surface".
>
> A. Is it possible that the emails did not REALLY come from our server (sender email spoofed?). How do I prove it?

ALL sender envelopes are spoofed; that's why spamcop doesn't take a blind bit of notice of them! The SpamCop reporting service is designed to identify the IP address of the injection point of the spam, ignoring anything that can be forged. That's why you will find people in here complaining that 'their' shared server is listed because they share it with spammers/zombied machines. SpamCop is a bit of a blunt instrument in that it lists IPs currently spewing spam; domains and email addresses are ignored, except for reporting spamvertised sites to their providers, but note that being spamvertised doesn't result in a listing, only the injection point of the spam is listed.

Be assured that if the SpamCop reporting tool says your IP sent it, it sent it! Sorry and all that!
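The reply above (and Jeff G.'s earlier note about what the "links" are) in working form, as an added example that is not from the thread: a Received-header walk that ignores From and Return-Path entirely, trusts only the recipient's own relays, and returns the first IP a trusted relay accepted mail from as the injection point; a second function pulls the spamvertised URLs from the body, which get reported to their hosts but never cause a listing. The message, the relay names and the 198.51.100.x / 192.0.2.x / example.net values are constructed; only 63.134.198.102 comes from the thread.

```python
import email
import re

# Assumption: the receiving side's own relays. Received lines they wrote are
# trusted; any hop below the first one they did not write may be forged.
TRUSTED_RELAYS = {"198.51.100.2", "198.51.100.3"}
RECEIVED_IP_RE = re.compile(r"from\s+\S+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: forged From/Return-Path, but the trusted MX saw the
# connection arrive from 63.134.198.102 (the IP named in the thread).
RAW_MESSAGE = """\
Return-Path: <nobody@example.org>
Received: from mx1.recipient.example (mx1.recipient.example [198.51.100.3])
\tby mailstore.recipient.example with ESMTP; Fri, 02 Dec 2005 20:30:00 +0000
Received: from mail.broadwaybox.com (mail.broadwaybox.com [63.134.198.102])
\tby mx1.recipient.example with ESMTP; Fri, 02 Dec 2005 20:29:58 +0000
Received: from innocent.example ([192.0.2.77])
\tby mail.broadwaybox.com; Fri, 02 Dec 2005 20:29:50 +0000
From: "Totally Legit" <nobody@example.org>
Subject: constructed sample

Great deal, see http://www.example.net/pay.htm today!
"""

def injection_point(raw, trusted=TRUSTED_RELAYS):
    """Walk Received headers top-down (latest hop first) while the writing relay
    is trusted; the first IP handed in by an untrusted host is the injection point."""
    msg = email.message_from_string(raw)
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_IP_RE.search(hdr)
        if m and m.group(1) not in trusted:
            return m.group(1)
    return None   # every hop was one of our own relays: nothing to report

def spamvertised_urls(raw):
    """URLs promoted in the body: reported to their providers, never a listing reason."""
    body = email.message_from_string(raw).get_payload()
    return sorted(set(URL_RE.findall(body)))

if __name__ == "__main__":
    print("From header claims:", email.message_from_string(RAW_MESSAGE)["From"])
    print("injection point   :", injection_point(RAW_MESSAGE))
    print("spamvertised URLs :", spamvertised_urls(RAW_MESSAGE))
```

Note that the hop "from innocent.example ([192.0.2.77])" is ignored even though it sits in the message: it was written by the untrusted relay, so it is exactly the kind of forgeable evidence the reply says SpamCop discards.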

> We use IIS on Win Server 2003 and the Smarttools mail server.
>
> C. What's next best step?

Buy/download your favourite Linux distribution. Put the CD in the tray, reboot and when it asks 'Delete all Windows partitions?' answer 'yes' :D

> C. What's next best step?

You could get a consultant who is more familiar with security in a Windows environment to examine your server's exact configuration, make specific recommendations, and implement those recommendations.

> Thanks again for taking the time to help.
>
> I know that five far eastern sites seem to be promoted from our IP.
>
> I looked at our server and it looks OK "on the surface".
>
> A. Is it possible that the emails did not REALLY come from our server (sender email spoofed?). How do I prove it?
>
> B. Any tools I can use to find a spammer "hidden" on our site? We use IIS on Win Server 2003 and the Smarttools mail server.
>
> C. What's next best step?
>
> I signed up for an ISP account on SC so I get future reports directly.

I'm not sure that I can see that you have ruled out the possibility that one or more of your machines has been infected by a worm and thus is spewing out the junk without your immediate knowledge.

That you are running Windows based machines raises that possibility to a higher level.

Others have recommended you rigorously check for viral/worm infections as a matter of urgency.

You may also want to check whether your clients are running Email lists responsibly. See the FAQ entry.

Andrew

> I'm not sure that I can see that you have ruled out the possibility that one or more of your machines has been infected by a worm and thus is spewing out the junk without your immediate knowledge.

Actually, it looks like it is!

Last day 4.5 450%

Last 30 days 4.5 430%

And he is sitting back letting it happen while he is waiting for a report he probably will not get.
