br53

[Resolved] Spam traps help


Hi,

Our server is listed due to spam traps: http://www.spamcop.net/bl.shtml?210.9.130.146

I've since made changes so that we don't accept messages and then bounce back delivery failures. But this morning when we were due to be automatically delisted, it's back to 23 hours.

I've used the form to contact Spamcop already, but it's becoming quite urgent so I'm posting here too.

Any help is appreciated.

Thanks

Josh


Sender base shows an unusual increase in traffic recently:

Report on IP address: 210.9.130.146

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day        4.0         404%
Last 30 days    2.9         -64%
Average         3.3

I, however, cannot find any reported history that would shed some light on this. If you already wrote to the deputies, patience is golden, and I am sure you'll be able to resolve your issue. Please let us know.


If the volume is up, that can mean a compromised machine that does not use the normal port 25 to send the spew. Check your firewall logs for unusual traffic.

Miss Betsy
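
One way to run the firewall-log check suggested above, as an added example that is not part of the original thread: it flags LAN hosts other than the sanctioned mail relay that open SMTP connections to many outside servers. The iptables-style log format, the 192.168.0.0/16 LAN range, the relay address and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (not from the thread): iptables-style LOG lines, a
# 192.168.0.0/16 LAN and one sanctioned mail relay at 192.168.1.10.
LAN = ip_network("192.168.0.0/16")
MAIL_RELAYS = {ip_address("192.168.1.10")}
SMTP_PORTS = {25, 465, 587}
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
Sep  8 03:11:01 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=40112 DPT=25
Sep  8 03:11:02 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP SPT=40113 DPT=25
Sep  8 03:11:04 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.20 PROTO=TCP SPT=1033 DPT=25
Sep  8 03:11:04 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.21 PROTO=TCP SPT=1034 DPT=25
Sep  8 03:11:05 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.44 PROTO=TCP SPT=1035 DPT=25
Sep  8 03:11:05 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.44 PROTO=TCP SPT=1036 DPT=25
Sep  8 03:11:06 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.80 PROTO=TCP SPT=1037 DPT=25
Sep  8 03:12:10 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=2050 DPT=587
Sep  8 03:12:11 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.200 PROTO=TCP SPT=2051 DPT=80
Sep  8 03:12:12 fw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113 PROTO=TCP DPT=25
"""

def suspect_smtp_senders(log_text, min_destinations=3):
    """Return {host: (connections, distinct destinations)} for LAN hosts that
    are not sanctioned relays yet open SMTP connections to outside servers."""
    conns, dests = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or not {"SRC", "DST", "DPT"} <= f.keys():
            continue
        try:
            src, dst, port = ip_address(f["SRC"]), ip_address(f["DST"]), int(f["DPT"])
        except ValueError:
            continue  # malformed or truncated log line
        if port not in SMTP_PORTS or src not in LAN or dst in LAN or src in MAIL_RELAYS:
            continue
        conns[str(src)] += 1
        dests[str(src)].add(dst)
    # A workstation mailing many different servers directly looks like a mass mailer;
    # one talking to a single submission server is more likely an ordinary mail client.
    return {h: (conns[h], len(dests[h])) for h in conns if len(dests[h]) >= min_destinations}

if __name__ == "__main__":
    for host, (n, d) in sorted(suspect_smtp_senders(SAMPLE_LOG).items(), key=lambda kv: -kv[1][1]):
        print(f"{host}: {n} SMTP connections to {d} distinct external hosts")
```

Raising or lowering `min_destinations` trades false positives from ordinary mail clients against sensitivity to low-volume senders.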

> If the volume is up, that can mean a compromised machine that does not use the normal port 25 to send the spew. Check your firewall logs for unusual traffic.

and the PSBL evidence shows real fresh spam rather than bounces, which also suggests either a trojanned machine or an SMTP-AUTH hack, rather than the problem being simply auto-replies.

There is also now one human report to add to the spamtrap hits:

Submitted: 08 September 2006 08:11:27 +0100:

Fwd:

* 1912415028 ( 210.9.130.146 ) To: abuse[at]connect.com.au

(which will have reset the delist clock)

Looks like the reports are going to your upstream; you might discuss with them getting copies of the reports or registering your own abuse address. It seems you have a real 'live' problem to deal with here; things seem to be going from bad to worse.


The PSBL is pretty interesting:

2006-09-01 00:36:36.18671 received spamtrap mail

2006-09-04 23:13:08.923761 major smtp violation

2006-09-05 19:08:39.299366 received spamtrap mail

2006-09-07 20:03:03.386709 received spamtrap mail

Wonder what a major smtp violation is?


Thanks for all the replies.

We located 4 computers infected with variants of w32.stration.

Josh

> We located 4 computers infected with variants of w32.stration.

...Great going, Josh, and thanks for taking the time to return here to let us know! :) <g>

