Cale

IP blocked


About 5 days ago I started getting emails from my clients saying that their email is blocked because of Spamcop. I have been running the same configuration on my email server for at least 2 years without a problem, however now I'm getting endless problems.

This is what the report says

196.15.203.170 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 17 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Additional potential problems

(these factors do not directly result in spamcop listing)

DNS error: 196.15.203.170 has no reverse dns

Because of the above problems, express-delisting is not available

Listing History

In the past 5.9 days, it has been listed 2 times for a total of 4.8 days

I have TrendMicro enterprise running and it seems to be clear for my server and whole network. There aren't any viruses on it at all.

We got delisted today, but after a few hours got listed again.

Here is a response from Ellen at Spamcop.

If this is your IP/server then you have a virus/worm infection somewhere in your network or an insecure server being used by spammers and you need to find the compromised machine and disinfect it or you may have a server exploit such as an insecure cgi or php script; an open proxy or an smtp/auth issue where the spammer has cracked a name/password.

If I have an insecure cgi or an smtp/auth issue, how do I fix it?

Also, is it possible that I have a DNS problem as stated in the original report?

Thanks in advance...


Telnet response shows; 220 mail.selectonline.net ESMTP Merak 8.0.2; Thu, 02 Mar 2006 15:04:39 +0200 .. which reflects some out of date software ... current version is shown at http://www.merakmailserver.com/ as being 8.3.8 ....

Reading the "spiffy" stuff, one sees right off the bat the "Challenge/Response" settings ... not a good sign. Are you using this function?

How you "find" stuff ...???? Logs for starters. You talk about anti-virus checks but say nothing about a firewall ...???

http://www.senderbase.org/?searchBy=ipaddr...=196.15.203.170

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ......... 4.5 .. 8539%

Last 30 days ... 3.1 ... 236%

Average ......... 2.6

I don't quite understand how this kind of traffic increase would be that hard to not see somewhere ...

Hmm, looks like someone has already been working in other areas ...

http://psbl.surriel.com/listing?ip=196.15....PSBL+list+query

Currently listed in PSBL? No.

spam and removal history for 196.15.203.170 (times in UTC):

2006-02-25 21:23:17.458613 received spamtrap mail

2006-02-25 22:18:53.136368 received spamtrap mail

2006-03-02 07:12:47.886267 removed through website

Just as with SpamCop, playing the "get me off the list" without finding/fixing the problem is pretty much a waste of time. Did whoever hit the "Remove" button there look at the evidence files from those spamtrap hits? Was any work done to track down the source of that spew?

03/02/06 07:24:38 Slow traceroute 196.15.203.170

Trace 196.15.203.170 ...

196.43.9.145 RTT: 293ms TTL:240 (rrba-ip-lir-1-pos-6-1.telkom-ipnet.co.za ok)

196.43.10.66 RTT: 298ms TTL:240 (ndn-ip-esr-1-fe-1-0-0.telkom-ipnet.co.za bogus rDNS: host not found [authoritative])

196.25.220.54 RTT:1416ms TTL:240 (select-online-gw.telkom-ipnet.co.za bogus rDNS: host not found [authoritative])

196.15.203.170 RTT: 889ms TTL:116 (No rDNS)

ns2.zadns.net reports the following MX records:

Preference Host Name IP Address

5 mail.selectonline.net 196.15.203.170

http://www.mxtoolbox.com/blacklists.aspx?IP=196.15.203.170

PSBL LISTED Return codes were: 127.0.0.2 300 656

SPAMCOP LISTED Blocked - see Detail

Return codes were: 127.0.0.2 2100 609

UCEPROTECTL1 LISTED Sorry, IP 196.15.203.170 is blacklisted at Level 1 by UCEPROTECT-Network see Detail

Return codes were: 127.0.0.2

Reverse DNS FAILED! This is a problem

http://www.dnsreport.com/tools/dnsreport.c...electonline.net

ERROR: The IP of one or more of your mail server(s) have no reverse DNS (PTR) entries

The problem MX records are:

170.203.15.196.in-addr.arpa [No reverse DNS entry (rcode: 3 ancount: 0)

http://www.dnsstuff.com/tools/ptr.ch?ip=196.15.203.170

No PTR records exist for 196.15.203.170


EDIT: OK, I'm totally freaked out at the moment. Panda Online Scan has detected over 20 viruses which Trend (updated up to today) never did. How can this happen? Surely this is the source of my problem???

Thank you for your response.

There are a lot of things to be done, judging by your post. I will download the newest version of Merak to get things started, and just as a measure use an online antivirus check to verify that we don't have any viruses on our server.

Now onto your post.

one sees right off the bat the "Challenge/Response" settings ... not a good sign. Are you using this function?

What is challenge/response? Where can I identify this setting under Merak?

How you "find" stuff ...???? Logs for starters. You talk about anti-virus checks but say nothing about a firewall ...???

I didn't think it pertinent. We have a firewall in place as well and it is functional. Here is some suspicious log file evidence

209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:48 +0200 <<< HELO thedirtybear.com

209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:48 +0200 >>> 250 mail.selectonline.net Hello thedirtybear.com [209.221.40.204], pleased to meet you.

209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:49 +0200 <<< MAIL FROM:<halldofortier[at]thedirtybear.com>

209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:49 +0200 >>> 250 2.1.0 <halldofortier[at]thedirtybear.com>... Sender ok

209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:49 +0200 <<< RCPT TO:<kathy[at]selectonline.net>

209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:49 +0200 >>> 250 2.1.5 <kathy[at]selectonline.net>... User unknown

209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:51 +0200 <<< DATA

209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:51 +0200 >>> 354 Enter mail, end with "." on a line by itself

209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:53 +0200 *** <halldofortier[at]thedirtybear.com> <kathy[at]selectonline.net> 1 3878 00:00:02 OK

209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:53 +0200 >>> 250 2.6.0 3878 bytes received in 00:00:02; Message accepted for delivery

209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:54 +0200 <<< QUIT

209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:54 +0200 >>> 221 2.0.0 mail.selectonline.net closing connection

SYSTEM          [00000EC8] Thu, 02 Mar 2006 15:21:54 +0200 Disconnected

and

209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:07 +0200 Connected

209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:07 +0200 >>> 220 mail.selectonline.net ESMTP Merak 8.0.2; Thu, 02 Mar 2006 15:29:07 +0200

209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:08 +0200 <<< HELO mxtoolbox.com - DIAGNOSTIC TEST - See http://www.mxtoolbox.com/Policy.aspx

209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:08 +0200 >>> 250 mail.selectonline.net Hello mxtoolbox.com - DIAGNOSTIC TEST - See http://www.mxtoolbox.com/Policy.aspx [209.198.149.186], pleased to meet you.

209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:09 +0200 <<< HELO mxtoolbox.com

209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:09 +0200 >>> 250 mail.selectonline.net Hello mxtoolbox.com [209.198.149.186], pleased to meet you.

209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:10 +0200 <<< MAIL FROM: <test[at]mxtoolbox.com>

209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:10 +0200 >>> 250 2.1.0 <test[at]mxtoolbox.com>... Sender ok

209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:11 +0200 <<< RCPT TO: <test[at]mxtoolbox.com>

209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:11 +0200 >>> 550 5.7.1 <test[at]mxtoolbox.com>... we do not relay <test[at]mxtoolbox.com>

209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:11 +0200 <<< QUIT

209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:11 +0200 >>> 221 2.0.0 mail.selectonline.net closing connection

SYSTEM          [00000C70] Thu, 02 Mar 2006 15:29:11 +0200 Disconnected

66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:54 +0200 Connected

66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:54 +0200 >>> 220 mail.selectonline.net ESMTP Merak 8.0.2; Thu, 02 Mar 2006 15:30:54 +0200

66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:55 +0200 <<< HELO test.DNSreport.com

66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:55 +0200 >>> 250 mail.selectonline.net Hello test.DNSreport.com [66.36.241.109], pleased to meet you.

66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:55 +0200 <<< MAIL FROM:<>

66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:55 +0200 >>> 250 2.1.0 <>... Sender ok

66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 <<< RCPT TO:<postmaster[at]selectonline.net>

66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 >>> 250 2.1.5 <postmaster[at]selectonline.net>... Recipient ok

66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 <<< RCPT TO:<abuse[at]selectonline.net>

66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 >>> 250 2.1.5 <abuse[at]selectonline.net>... User unknown

66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 <<< RCPT TO:<postmaster[at][196.15.203.170]>

66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 >>> 550 5.7.1 <postmaster[at][196.15.203.170]>... we do not relay <>

66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:57 +0200 <<< RCPT TO:<Not.abuse.see.www.DNSreport.com.from.IP.12.214.114.136[at]DNSreport.com>

66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:57 +0200 >>> 550 5.7.1 <Not.abuse.see.www.DNSreport.com.from.IP.12.214.114.136[at]DNSreport.com>... we do not relay <>

66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:59 +0200 <<< QUIT

66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:59 +0200 >>> 221 2.0.0 mail.selectonline.net closing connection

SYSTEM          [00000F10] Thu, 02 Mar 2006 15:30:59 +0200 Disconnected

2006-02-25 21:23:17.458613 received spamtrap mail

2006-02-25 22:18:53.136368 received spamtrap mail

2006-03-02 07:12:47.886267 removed through website

Did whoever hit the "Remove" button there look at the evidence files from those spamtrap hits? Was any work done to track down the source of that spew?

If you could point me in the right direction in how to do this it would be appreciated.

It also seems I have to put in a reverse PTR entry for my IP?? Correct ?

PS It seems you are a bit upset. It might not have occurred to you that I really don't know how to go about fixing my problem. Hence my detailed answers to your post. I really would like to fix it but need some assistance in doing so. Thank you very much.

Edited by Cale

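The posted Merak log, read by a script instead of by eye. This is an added example and not code from the thread or from Merak: the line format and the three trimmed sessions are taken from the excerpt above, while LOCAL_DOMAINS and the function names are assumptions. It groups lines by the session id in square brackets, records every RCPT with the server's reply, and flags two things the excerpt shows: the server answers 250 to a RCPT it describes as "User unknown" and then takes the message, so a bounce has to be generated later to whatever envelope sender the client supplied; and the two relay probes from mxtoolbox.com and DNSreport.com, which were refused with 550 as they should be.

```python
"""Reconstruct SMTP sessions from Merak-style log lines and flag the risky ones.
Added example, not code from the thread or from Merak.  The sample sessions are
trimmed from the excerpt posted above; LOCAL_DOMAINS and the names are assumptions."""
import re

# "<client ip> [<session id>] <date> <<<|>>>|*** <text>"; SYSTEM lines carry no direction marker
LINE_RE = re.compile(
    r"^(?P<ip>\S+)\s+\[(?P<sess>[0-9A-Fa-f]+)\]\s+"
    r"(?P<ts>\w{3}, \d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4})\s+"
    r"(?:(?P<dir><<<|>>>|\*\*\*)\s*)?(?P<text>.*)$")
LOCAL_DOMAINS = {"selectonline.net"}  # assumption: the only domain this MTA should accept mail for

# Constructed sample, trimmed from the three posted sessions (the forum rendered '@' as '[at]')
SAMPLE_LOG = """\
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:48 +0200 <<< HELO thedirtybear.com
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:48 +0200 >>> 250 mail.selectonline.net Hello thedirtybear.com [209.221.40.204], pleased to meet you.
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:49 +0200 <<< MAIL FROM:<halldofortier[at]thedirtybear.com>
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:49 +0200 >>> 250 2.1.0 <halldofortier[at]thedirtybear.com>... Sender ok
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:49 +0200 <<< RCPT TO:<kathy[at]selectonline.net>
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:49 +0200 >>> 250 2.1.5 <kathy[at]selectonline.net>... User unknown
209.221.40.204  [00000EC8] Thu, 02 Mar 2006 15:21:53 +0200 >>> 250 2.6.0 3878 bytes received in 00:00:02; Message accepted for delivery
SYSTEM          [00000EC8] Thu, 02 Mar 2006 15:21:54 +0200 Disconnected
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:09 +0200 <<< HELO mxtoolbox.com
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:10 +0200 <<< MAIL FROM: <test[at]mxtoolbox.com>
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:10 +0200 >>> 250 2.1.0 <test[at]mxtoolbox.com>... Sender ok
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:11 +0200 <<< RCPT TO: <test[at]mxtoolbox.com>
209.198.149.186 [00000C70] Thu, 02 Mar 2006 15:29:11 +0200 >>> 550 5.7.1 <test[at]mxtoolbox.com>... we do not relay <test[at]mxtoolbox.com>
SYSTEM          [00000C70] Thu, 02 Mar 2006 15:29:11 +0200 Disconnected
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:55 +0200 <<< MAIL FROM:<>
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:55 +0200 >>> 250 2.1.0 <>... Sender ok
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 <<< RCPT TO:<abuse[at]selectonline.net>
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 >>> 250 2.1.5 <abuse[at]selectonline.net>... User unknown
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 <<< RCPT TO:<postmaster[at][196.15.203.170]>
66.36.241.109   [00000F10] Thu, 02 Mar 2006 15:30:56 +0200 >>> 550 5.7.1 <postmaster[at][196.15.203.170]>... we do not relay <>
SYSTEM          [00000F10] Thu, 02 Mar 2006 15:30:59 +0200 Disconnected
"""


def _addr(text):
    """Envelope address inside <...>, '' for the null sender."""
    m = re.search(r"<([^>]*)>", text)
    return (m.group(1) if m else "").replace("[at]", "@").lower()


def parse_sessions(log_text):
    """Group lines by session id: client, HELO, envelope sender, each RCPT with the server's reply, DATA outcome."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["sess"], {"client": None, "helo": None, "mail_from": None,
                                            "rcpts": [], "accepted": False, "pending": None})
        if m["ip"] != "SYSTEM" and s["client"] is None:
            s["client"] = m["ip"]
        text = m["text"]
        if m["dir"] == "<<<":                                   # client -> server
            words = text.split(None, 1)
            if words and words[0].upper() in ("HELO", "EHLO"):
                s["helo"] = words[1] if len(words) > 1 else ""
            elif text.upper().startswith("MAIL FROM:"):
                s["mail_from"] = _addr(text)
                s["pending"] = ("MAIL", s["mail_from"])
            elif text.upper().startswith("RCPT TO:"):
                s["pending"] = ("RCPT", _addr(text))
        elif m["dir"] == ">>>":                                 # server -> client
            pending, s["pending"] = s["pending"], None
            if pending and pending[0] == "RCPT":
                s["rcpts"].append({"addr": pending[1], "code": text[:3], "reply": text})
            elif text.startswith("250") and "accepted for delivery" in text.lower():
                s["accepted"] = True
    return sessions


def analyze(sessions):
    """Per session: unknown-user accepts (future bounces), relay attempts and how they were answered."""
    findings = {}
    for sid, s in sessions.items():
        issues = []
        for r in s["rcpts"]:
            local = "@" in r["addr"] and r["addr"].rsplit("@", 1)[1] in LOCAL_DOMAINS
            accepted = r["code"].startswith("2")
            if local and accepted and "user unknown" in r["reply"].lower():
                issues.append(f"accepted RCPT for unknown local user {r['addr']}")
            elif not local and accepted:
                issues.append(f"RELAY ACCEPTED for non-local {r['addr']}")
            elif not local and r["code"] == "550" and "relay" in r["reply"].lower():
                issues.append(f"relay refused for {r['addr']} (correct)")
        if s["accepted"] and any("unknown local user" in i for i in issues):
            issues.append(f"message taken for an unknown user: a bounce (backscatter) goes to envelope sender {s['mail_from']!r}")
        findings[sid] = {"client": s["client"], "helo": s["helo"], "issues": issues}
    return findings


def open_relay_sessions(findings):
    """Session ids where a non-local recipient was accepted, i.e. evidence of an open relay."""
    return sorted(sid for sid, f in findings.items() if any(i.startswith("RELAY ACCEPTED") for i in f["issues"]))


if __name__ == "__main__":
    for sid, f in analyze(parse_sessions(SAMPLE_LOG)).items():
        print(sid, f["client"], f["helo"], *f["issues"], sep="\n    ")
```

Run it over the full log for the days the listing covers and count sessions per client IP and HELO. A session listed by open_relay_sessions() is the worst case and needs fixing first; a large number of "unknown user" accepts followed by bounces is the next thing to look at, since each of those bounces leaves the server addressed to whatever sender the client put in MAIL FROM.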

Don't take Wazoo's short answers as him being upset; it's not unusual in a forum like this to get answers of that nature. It's not intended to be rude, just direct and to the point.

You can read more about Challenge/Response and other Auto-Responder problems here:

http://www.spamcop.net/fom-serve/cache/329.html#CR

That would be one place to start. However, from what Ellen told you, I don't think that is your problem, as she would have immediately noticed C/R or NDR messages as a problem.

An insecure script can be any script on a webpage that allows users of your website to send mail to anywhere else. Many of these scripts will have the TO address in a hidden field on the form, which means that a malicious user can change it and submit to any to address they like. You need to make sure that any form to mail scripts you are using have a hard coded to address.

The PTR record, while not directly related to your problem, is a problem that you will want to take care of. Many ISPs will automatically reject any mail coming from a server without a proper PTR record. You should talk to whoever actually owns the IP address (Your connectivity provider usually) and have them put in the correct PTR record for your server.

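The hidden-field weakness described above, as an added example in Python (not the thread's code and not any Merak code; FIXED_RECIPIENT, the field names and the two sample submissions are assumptions). The vulnerable handler has the shape many form-to-mail scripts had: it reads the recipient from the form and pastes the subject straight into a header. The hardened one hard-codes the recipient and also rejects newlines in user fields, which goes one step beyond the post: a CR/LF in the subject lets the same user add Bcc recipients without touching the hidden field at all.

```python
"""A form-to-mail handler the way many 2000s CGI scripts wrote it, beside a hardened one.
Added example, not code from the thread.  FIXED_RECIPIENT, the field names and the
sample submissions are assumptions.  The hidden 'to' field is the weakness the post
describes; the header-injection case (a newline inside a user field) is one step
beyond it and is handled by the same checks."""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

FIXED_RECIPIENT = "sales@example.invalid"          # assumption: where contact-form mail should go
MAX_FIELD = 200
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def vulnerable_handler(form):
    """Trusts the hidden 'to' field and pastes user input straight into headers."""
    to = form.get("to", FIXED_RECIPIENT)
    return (f"From: {form.get('email', '')}\r\n"
            f"To: {to}\r\n"
            f"Subject: {form.get('subject', '')}\r\n"
            f"\r\n{form.get('message', '')}")


def hardened_handler(form):
    """Recipient is hard-coded; user fields are length- and newline-checked before
    they become headers, and the visitor's address goes in Reply-To, not From."""
    sender, subject, body = (form.get(k, "") for k in ("email", "subject", "message"))
    for name, value in (("email", sender), ("subject", subject)):
        if "\r" in value or "\n" in value or len(value) > MAX_FIELD:
            raise ValueError(f"rejected field {name!r}: newline or over-long value")
    if not EMAIL_RE.match(sender):
        raise ValueError("rejected field 'email': not an address")
    msg = EmailMessage()
    msg["From"] = f"Web form <noreply@{FIXED_RECIPIENT.split('@')[1]}>"
    msg["Reply-To"] = sender
    msg["To"] = FIXED_RECIPIENT                    # the form's 'to' field is ignored entirely
    msg["Subject"] = f"[web form] {subject}"
    msg.set_content(body)
    return msg.as_string()


def envelope_recipients(raw_message):
    """Addresses an MTA would deliver to, from To/Cc/Bcc (what a spammer gets to control)."""
    msg = message_from_string(raw_message)
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return sorted({addr.lower() for _, addr in getaddresses(hdrs) if addr})


# Constructed submissions: a real visitor, and a spammer who rewrote the hidden field and injected a header
LEGIT = {"email": "jane@customer.invalid", "subject": "Quote request", "message": "Please call me.", "to": FIXED_RECIPIENT}
SPAM = {"email": "x@spammer.invalid", "to": "victim1@elsewhere.invalid",
        "subject": "Cheap pills\r\nBcc: victim2@elsewhere.invalid, victim3@elsewhere.invalid",
        "message": "buy now"}

if __name__ == "__main__":
    print("vulnerable:", envelope_recipients(vulnerable_handler(SPAM)))
    try:
        hardened_handler(SPAM)
    except ValueError as e:
        print("hardened:", e)
    print("hardened, legit:", envelope_recipients(hardened_handler(LEGIT)))
```

The same two rules transfer to any language the script is actually written in: never read the destination from the request, and never let a value with a line break reach a header. A script that passes the check is still only as safe as the script itself; the host also needs to rate-limit submissions so a working form cannot be driven in bulk.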
I really would like to fix it but need some assistance in doing so. Thank you very much.


As you are already aware that this is a bad problem and you do not know what to do then it would probably be very productive to hire someone that is competent in this area otherwise your server(s) will keep bombarding the web with needless and unwanted junk. Good luck.

The PTR record, while not directly related to your problem, is a problem that you will want to take care of. Many ISPs will automatically reject any mail coming from a server without a proper PTR record. You should talk to whoever actually owns the IP address (Your connectivity provider usually) and have them put in the correct PTR record for your server.


Cale:

The reverse address for your mailserver "196.15.203.170" is "170.203.15.196.in-addr.arpa". There is no PTR Record for "170.203.15.196.in-addr.arpa". "170.203.15.196.in-addr.arpa" is in a zone "203.15.196.in-addr.arpa" run by Telkom SA's dnsadmin[at]saix.net which has not been updated since December 27th, 2005, as follows:

C:\>dig [at]igubu.saix.net 170.203.15.196.in-addr.arpa ptr

; <<>> DiG 9.2.3 <<>> [at]igubu.saix.net 170.203.15.196.in-addr.arpa ptr

;; global options:  printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41

;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:

;170.203.15.196.in-addr.arpa.  IN      PTR

;; AUTHORITY SECTION:

203.15.196.in-addr.arpa. 3600  IN      SOA    localhost.203.15.196.in-addr.arpa. dnsadmin.saix.net. 2005122701 10800 3600 604800 3600

;; Query time: 701 msec

;; SERVER: 196.25.1.1#53(igubu.saix.net)

;; WHEN: Thu Mar 02 09:57:59 2006

;; MSG SIZE  rcvd: 108

When discussing this issue with Telkom SA, please ask them to see http://forum.spamcop.net/forums/index.php?...027entry36027 and to put a proper nameserver name in their SOA Record. Thanks! Edited by Jeff G.

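The same reverse lookup with the checks automated. This is an added example and not code from the thread: DIG_NXDOMAIN is the dig answer posted above with the forum's "[at]" written back as "@", DIG_FIXED is a constructed answer showing what a correct PTR reply looks like, and the function names are assumptions. It builds the in-addr.arpa name, reads status, PTR and SOA out of dig's text, and flags the three things the post points at: no PTR, an SOA MNAME of localhost.203.15.196.in-addr.arpa that is not a real nameserver name, and a serial that reads as a last-edit date of 2005-12-27.

```python
"""Reverse-DNS checks for a mail server's IP: the in-addr.arpa name, what dig said,
and what is wrong with the SOA.  Added example, not code from the thread.
DIG_NXDOMAIN is the dig output posted above ('@' restored); DIG_FIXED is a
constructed answer as it would look once a PTR exists.  Names are assumptions;
live_ptr() is the only part that touches the network and the offline checks do
not call it."""
import ipaddress
import socket
from datetime import datetime

DIG_NXDOMAIN = """\
; <<>> DiG 9.2.3 <<>> @igubu.saix.net 170.203.15.196.in-addr.arpa ptr
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;170.203.15.196.in-addr.arpa.  IN      PTR
;; AUTHORITY SECTION:
203.15.196.in-addr.arpa. 3600  IN      SOA    localhost.203.15.196.in-addr.arpa. dnsadmin.saix.net. 2005122701 10800 3600 604800 3600
"""

DIG_FIXED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42
;; ANSWER SECTION:
170.203.15.196.in-addr.arpa. 3600  IN      PTR     mail.selectonline.net.
"""


def reverse_name(ip):
    """'196.15.203.170' -> '170.203.15.196.in-addr.arpa' (an IPv6 address gives the ip6.arpa form)."""
    return ipaddress.ip_address(ip).reverse_pointer


def parse_dig(output):
    """Status, PTR answers and the SOA (if one was returned) from dig's text output."""
    result = {"status": None, "ptr": [], "soa": None}
    for line in output.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            result["status"] = line.split("status:")[1].split(",")[0].strip()
            continue
        if not line or line.startswith(";"):        # comments and the question section
            continue
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[3] == "PTR":
            result["ptr"].append(parts[4])
        elif len(parts) >= 11 and parts[2] == "IN" and parts[3] == "SOA":
            result["soa"] = {"zone": parts[0], "mname": parts[4], "rname": parts[5], "serial": int(parts[6])}
    return result


def soa_serial_date(serial):
    """YYYYMMDDnn serials encode the last edit date; None when the serial is not in that form."""
    digits = str(serial)
    try:
        return datetime.strptime(digits[:8], "%Y%m%d").date().isoformat() if len(digits) == 10 else None
    except ValueError:
        return None


def assess(output, today="2006-03-02"):
    """Findings for one reverse lookup; 'today' is fixed so the example is reproducible."""
    r = parse_dig(output)
    findings = []
    if r["status"] == "NXDOMAIN" or not r["ptr"]:
        findings.append(f"no PTR record (status {r['status']}); the address owner has to add one")
    soa = r["soa"]
    if soa:
        if soa["mname"].startswith("localhost"):
            findings.append(f"SOA MNAME {soa['mname']} is a placeholder, not a real nameserver name")
        edited = soa_serial_date(soa["serial"])
        if edited:
            age = (datetime.fromisoformat(today) - datetime.fromisoformat(edited)).days
            findings.append(f"zone {soa['zone']} last edited {edited} ({age} days ago)")
    return findings


def live_ptr(ip):
    """Network check: the PTR for ip and whether that name resolves back to ip (forward-confirmed rDNS)."""
    try:
        host = socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return {"ptr": None, "forward_confirmed": False}
    try:
        addrs = socket.gethostbyname_ex(host)[2]
    except socket.gaierror:
        addrs = []
    return {"ptr": host, "forward_confirmed": ip in addrs}
```

A PTR on its own is not the whole fix: receivers that check reverse DNS usually also resolve the PTR name forward and expect the original IP back, which is what live_ptr() tests once the provider has added the record. The PTR name should be the same name the server announces in its banner and HELO, here mail.selectonline.net.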

All of the about 11-20 incidents regarding 196.15.203.170 appear to be Spamtrap hits.

