
blacklisted, but reverse DNS and SPF records okay


dwb


I'm a newbie. Sorry in advance. Our email is showing up on blacklists, AOL service 421 Not available and others.

I have made sure there is no open relay, no viruses/trojans on any of the desktops, and run managed virus scan (McAfee) on everything.

blocked message info:

Unable to deliver the message due to a communications failure

The MTS-ID of the original message is: c=US;a= ;p=Noir Medical;l=NOIR-FS-060515195514Z-367

MSEXCH:IMS:Noir Medical:NOIR:NOIR-FS 3571 (000B099C) 571 - MAIL REFUSED - IP (24.180.245.82) is in RBL black list bl.spamcop.net

I was sending to RH-USA.com from our system, noir-medical.com.

Since our domain name (noir-medical.com) doesn't match our primary domain with Verio (noirkim.best.vwh.net), I added the correction to our SPF record. Also I had Charter associate the correct FQDN to 24-180-245-82.static.bycy.mi.charter.com, but still nothing's working. I've manually delisted in some places, but am paralyzed here.

Thanks for any help.

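The rejection quoted in the post above names both the listed IP and the DNSBL zone. As an added example (not part of the original post), this Python sketch extracts both from that line, builds the standard DNSBL query name, and classifies the lookup result; the function names are hypothetical, and the `resolve` parameter is an assumption that lets the check be exercised without live DNS.

```python
import ipaddress
import re
import socket

# Rejection line exactly as quoted in the post above.
NDR_LINE = ("MSEXCH:IMS:Noir Medical:NOIR:NOIR-FS 3571 (000B099C) 571 - MAIL REFUSED - "
            "IP (24.180.245.82) is in RBL black list bl.spamcop.net")
REJECT_RE = re.compile(r"IP \((?P<ip>[0-9.]+)\) is in RBL black list (?P<zone>[\w.-]+)")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_rejection(line):
    """Return (ip, zone) named in an RBL rejection line, or None if absent."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    ip = ipaddress.IPv4Address(m.group("ip"))  # raises ValueError if malformed
    return str(ip), m.group("zone").rstrip(".")


def dnsbl_query_name(ip, zone):
    """DNSBL convention: reversed IPv4 octets followed by the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_status(ip, zone, resolve=socket.gethostbyname):
    """Classify one IP on one DNSBL zone as 'listed', 'not listed' or 'error'."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror as exc:
        # A temporary resolver failure is not evidence that the IP is clean.
        if exc.errno == getattr(socket, "EAI_AGAIN", None):
            return "error"
        return "not listed"  # no A record for the query name
    # Listings answer inside 127.0.0.0/8; anything else points at a broken
    # or rewriting resolver rather than at the list itself.
    return "listed" if ipaddress.IPv4Address(answer) in LOOPBACK else "error"


if __name__ == "__main__":
    ip, zone = parse_rejection(NDR_LINE)
    print(dnsbl_query_name(ip, zone))
    print(dnsbl_status(ip, zone))  # live DNS lookup
```

Running the same check on a schedule against each list that has refused mail shows when a delisting has actually taken effect.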

listed. It is showing both spamtrap hits and user reports. The first thing I would do is check and make sure you aren't sending NDRs to the envelope sender of undeliverable mail. The envelope sender of spam is always forged, so NDRs sent to it will be going to innocent 3rd parties and will themselves be considered spam.

You can contact deputies[at]spamcop.net to find out what kind of mail has been hitting the spamtraps. One of the paid spamcop members should be along shortly and I'm certain they will be kind enough to post the report history for this IP so we can look at those as well.

It looks like reports should be going to abuse[at]charter.net who should have forwarded them to you. You might want to contact them to find out why you are not receiving abuse reports.


As Telerin states, both spamtrap hits and user complaints are involved.

The PSBL offers up an item that hit their spamtraps just a bit ago .. see http://psbl.surriel.com/evidence?ip=24.180...=Check+evidence

No doubt where it came from, and this doesn't appear to be "backscatter" stuff ....

http://www.senderbase.org/?searchBy=ipaddr...g=24.180.245.82 doesn't show signs of anything major right now, but also noting the "newness" of the BL listings ....????

hmmm .. noting that while I typed this, the "last day" figure dropped from -17% to -45% ... hmmmmm

ns3.best.com reports the following MX records for noir-medical.com

Preference  Host Name              IP Address
10          mail.noir-medical.com  24.180.245.82
20          noir-medical.com       128.121.99.168

Looking for potential administrative email addresses for 24.180.245.82:

cannot find an mx for 24-180-245-82.static.bycy.mi.charter.com

cannot find an mx for static.bycy.mi.charter.com

cannot find an mx for bycy.mi.charter.com

cannot find an mx for mi.charter.com

65.54.244.40 is an mx ( 10 ) for charter.com

abuse[at]charter.com bounces (15 sent : 8 bounces)


> One of the paid spamcop members should be along shortly and I'm certain they will be kind enough to post the report history for this IP so we can look at those as well.
>
> It looks like reports should be going to abuse[at]charter.net who should have forwarded them to you. You might want to contact them to find out why you are not receiving abuse reports.

Herewith:

Report History:

Submitted: 10 May 2006 17:36:55 +0100:

Islam sharp

* 1745793451 ( 24.180.245.82 ) To: spamcop[at]imaphost.com

* 1745793443 ( 24.180.245.82 ) To: abuse[at]charter.net

Submitted: Wed, 15 Feb 2006 15:50:05 GMT:

Undeliverable: All kinds of dr[at]gs at one huge licensed store--Mil eti Vincenzo

* 1659165808 ( 24.180.245.82 ) To: abuse[at]charter.net


Thanks for the response.

I've just made corrections to our mx records with Verio and have had charter correctly associate our mail.noir-medical.com address with the 24.180.245.82 IP.

I have checked all the machines for viruses etc with a couple programs, and I'm frustrated and over my head...

I'm going back into the server to make sure it's not compromised.


> Thanks for the response.
>
> I've just made corrections to our mx records with Verio and have had charter correctly associate our mail.noir-medical.com address with the 24.180.245.82 IP.
>
> I have checked all the machines for viruses etc with a couple programs, and I'm frustrated and over my head...
>
> I'm going back into the server to make sure it's not compromised.

You DO have NDR (post-facto), OOO etc. all switched off? This looks like a typical post-facto 'bounce' to the spoofed Return envelope scenario to me. Mind you, I could be wrong and often am! <teaching grandmother to suck eggs> rejections should be done at the time of the SMTP transaction with a 5xx failure message </teaching...>

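The difference between a post-facto bounce and a rejection inside the SMTP transaction, raised in the reply above and in the earlier NDR advice, can be shown with a small simulation. This is an added example, not part of the original posts and not Exchange configuration; the mailbox list, the envelopes, the reply text and the function names are all constructed for illustration.

```python
from collections import Counter

LOCAL_USERS = {"staff@example.com"}  # constructed list of valid mailboxes

# Constructed inbound SMTP envelopes: (connecting IP, MAIL FROM, RCPT TO).
INBOUND = [
    ("198.51.100.7", "victim1@example.org", "nosuchuser@example.com"),  # forged sender
    ("198.51.100.7", "victim2@example.net", "sales99@example.com"),     # forged sender
    ("192.0.2.44", "partner@example.org", "staff@example.com"),         # legitimate
    ("198.51.100.9", "", "nosuchuser@example.com"),  # null sender: already a bounce
]


def handle(envelope, reject_at_rcpt):
    """Return (smtp_reply, generated) for one inbound envelope.

    generated is the (MAIL FROM, RCPT TO) of any new message our server
    would send from its own IP as a result, or None.
    """
    _ip, mail_from, rcpt_to = envelope
    if rcpt_to in LOCAL_USERS:
        return "250 OK", None
    if reject_at_rcpt:
        # Refused inside the transaction: the connecting client keeps the failure.
        return "550 5.1.1 User unknown", None
    if mail_from == "":
        # A null reverse-path marks a bounce; never answer it with another one.
        return "250 OK", None
    # Post-facto NDR: sent later with a null sender to the forgeable MAIL FROM.
    return "250 OK", ("", mail_from)


def outbound_ndrs(envelopes, reject_at_rcpt):
    """Count the NDRs our IP would send, keyed by recipient domain."""
    counts = Counter()
    for env in envelopes:
        _reply, generated = handle(env, reject_at_rcpt)
        if generated:
            counts[generated[1].rsplit("@", 1)[1]] += 1
    return counts


if __name__ == "__main__":
    print("accept then bounce:", dict(outbound_ndrs(INBOUND, reject_at_rcpt=False)))
    print("reject at RCPT:    ", dict(outbound_ndrs(INBOUND, reject_at_rcpt=True)))
```

With acceptance followed by a bounce, every forged sender receives mail from the server's own IP, which is what spamtraps and reporting users see; with rejection at RCPT time the server originates nothing.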

Hmm, those two that Derek posted look pretty spammy. I would guess someone is relaying mail through that server. Any of the machines on the network could potentially be the culprit, though most viruses and trojans now have their own SMTP server built in so they don't use your MX. Are all your computers sharing the same IP address, or does each have its own separate public IP?


All machines share one public IP address. No open relay on the server. I'm rechecking all the machines, but did find that Exchange 5.5 had automatic replies to the internet enabled. I changed that!


> All machines share one public IP address. No open relay on the server. I'm rechecking all the machines, but did find that Exchange 5.5 had automatic replies to the internet enabled. I changed that!

Who all are you passing traffic for? Again, I'll point to the PSBL evidence of their spamtrap hit ... cleaned up a bit for the spamcop parser .... http://www.spamcop.net/sc?id=z944898570z44...31775c2a202ca6z


Archived

This topic is now archived and is closed to further replies.
