Our IP has been Black Listed - Please Remove

[dacloud]

Hi

Our IP - 203.48.247.108 has been blacklisted.

http://www.spamcop.net/w3m?action=checkblo...=203.48.247.108

When will we be delisted? It's severely affecting my users.

Thanks

[agsteele]

When will we be delisted? It's severely affecting my users.

Did you read the info at the link you provided? Says a short time.

What is more important is the reason you or your ISP are currently listed. Since the info says spam traps are involved you will to read through the many postings on this subject and attempt to prevent spam trap entries for your IP.

Senderbase indicates a severe problem for your IP.

Magnitude Vol Change vs. Average

Last day 4.5 23344%

Last 30 days 2.6 261%

Average 2.1

A 23000% increase in mail volume indicates something way out of line.

Andrew

[Farelf]

Just users here - we're basically seeing the same as you. Delisting "in a short time". I was sort of hoping http://www.dnsstuff.com/tools/lookup.ch?na...et&type=ALL might give an early indication that delisting has actually happened but it still shows you "in" -

Answer:

Domain Type Class TTL Answer 108.247.48.203.bl.spamcop.net. A IN 2100 127.0.0.2 108.247.48.203.bl.spamcop.net. TXT IN 2100 "Blocked - see http://www.spamcop.net/bl.shtml?203.48.247.108"

Your prospects do not seem good of staying off the list frankly, unless you've fixed whatever was hitting spamtraps. You've already "used up" your express delisting - record says listed twice, 30 hours in last 31 (SC link you provided). Note huge increase in volume shown by SenderBase (a link from the SC link you provided).

[dacloud]

Hi

How long is a short time? Is there a time frame because it seems a bit ambiguous. Also I believe I have fixed the problem with the massive increase in the SenderBase. As an extra pre-caution I have denied all smtp traffic besides the exchange 2005 server.

Thanks

[Farelf]

...How long is a short time? Is there a time frame because it seems a bit ambiguous. Also I believe I have fixed the problem with the massive increase in the SenderBase. As an extra pre-caution I have denied all smtp traffic besides the exchange 2005 server.

Wish there was an answer I could give you - previous discussion at http://forum.spamcop.net/forums/index.php?...ost&p=30412 deals with it but you will see there are some "indeterminates".

And good work in attacking the problem - thanks for that.

[agsteele]

How long is a short time? Is there a time frame because it seems a bit ambiguous. Also I believe I have fixed the problem with the massive increase in the SenderBase. As an extra pre-caution I have denied all smtp traffic besides the exchange 2005 server.

THanks for taking action. The link Farelf provides suggests a 3 hour time period. In the past the message would say in so many hours. This changed to 'a short time' since the process never seemed to take the suggested time.

My experience is that 3 hours is at the low end as an estimate. I'd say sometime today - but that's a user's experience not an official response.

Andrew

[Wazoo]

How long is a short time? Is there a time frame because it seems a bit ambiguous.

SpamCop FAQ

jump/scroll down to the SpamCop Blocking List Service section

NEW! SCBL "will be delisted in 0 hours" (now shown as 'in a short time') explained

(*New" really doesn't count, as this entry has been there for quite a while now ... but I do get tired of the "can't find it" scenario ....)

Answer is ambiguous for the reasons stated ... recall, it took just as long to actually get listed and have that data propagate .....

[dacloud]

Thanks for the replies, is there anyone I can contact to help speed this process up? Or is there really nothing I can do except wait? It's very hard to explain to users that nothing can be done but wait.

Thanks

[Farelf]

...is there anyone I can contact to help speed this process up? ...

You could always put your case (email) to deputies[at]admin.spamcop.net and describe your actions to fix things. But the remaining time (whatever it is) is probably not completely under their control as discussions, FAQ would indicate.

[Wazoo]

I'm going to have to say that there does seem to be a bit of an oddity going on here. Topic starting post was over six hours ago. Yet ....

http://www.spamcop.net/w3m?action=checkblo...=203.48.247.108

203.48.247.108 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in a short time.

http://www.senderbase.org/?searchBy=ipaddr...=203.48.247.108

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 4.4 .. 22521%

Last 30 days .. 2.6 ..... 262%

Average ........ 2.1

Small decline, but also would think that six hours of "problem fixed" would have reduced it a lot further ....

I'll kick up a note about the apparent 'hang time' .. but I think that perhaps the system involved might need some more scrutiny and work ....

The only thing I can guess at from here (based on not Reports showing) is something happening due to the math involved .... something along the lines ot a thousand e-mails going out, which sets up ine variable, but then a spamtrap hit occurs on one of those, which sets up another variable. And the cach is that the massive spew and the occasional spamtrap hit is keeping the equation fluttering on the cusp of de-listing/re-listing .... e-mail to Deputies has been sent ...

[StevenUnderwood]

Thanks for the replies, is there anyone I can contact to help speed this process up? Or is there really nothing I can do except wait? It's very hard to explain to users that nothing can be done but wait.

Thanks

My latest check shows: 203.48.247.108 not listed in bl.spamcop.net

That does not mean that the people you are sending to all have updated their own caches (if they use them) or even that all of the mirrors are updated. But it is a start.

[Farelf]

Both "direct" SC lookup http://www.spamcop.net/w3m?action=checkblo...=203.48.247.108 and "indirect" rDNS method http://www.dnsstuff.com/tools/lookup.ch?na...et&type=ALL showing blocklisting at this time. SenderBase

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 4.4 23066%

Last 30 days 2.6 261%

Average 2.1

"fluttering on the cusp of de-listing/re-listing" as Wazoo said - but there does seem to be something still leaking, volume seems fairly constant, not reducing.

[2 minutes later - off the listing on the SC lookup (again), still showing as listed via the indirect lookup]

[5 minutes more, back on per the SC lookup.]

[Wazoo]

At the time of this posting;

http://www.spamcop.net/w3m?action=checkblo...=203.48.247.108

203.48.247.108 not listed in bl.spamcop.net

http://www.dnsstuff.com/tools/ip4r.ch?ip=203.48.247.108

SPAMCOP Not listed

However;

http://www.senderbase.org/?searchBy=ipaddr...=203.48.247.108

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ......... 4.5 .. 23329%

Last 30 days ... 2.6 ..... 261%

Average ......... 2.1

Still a serious question about a 'fix' being applied.

Ellen's response;

It's a brand new mail sending IP to the system; the delist takes longer.

Ellen

SpamCop

As seen on the SenderBase page, Date of first message seen from this address 2006-10-15 ... which makes the 'new' status apparent, but .... I'm still going with my previous guess, myself.

[dacloud]

Hi

I have just checked http://www.senderbase.org/?searchBy=ipaddr...8&showRBL=1

and it seems the volume has dropped to 7130%, I know it's still high but at least it's reducing. I will continue to monitor. But how come on senderbase it says were still listed on bl.spamcop.net.

Yet on here it's not?

http://www.spamcop.net/w3m?action=checkblo...=203.48.247.108

Is it due to the cache and systems still updating?

Thanks

[A_Friend]

This IP seems to be delisted now:

203.48.247.108 not listed in bl.spamcop.net

However, Senderbase is up again:

Report on IP address: 203.48.247.108

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 4.4 23009%

Last 30 days 2.6 261%

Average 2.1

23009%?!?! Something's definitels wrong here...

Good luck,

A. Friend

[dacloud]

Hi

On another note. I want to prevent this from happening again and will follow throught FAQs and suggestions. However for redundancy and to prevent major email disruption from happing again I want to implement the following:

1. Create another mx (mail2.charterhall.com.au) record that will point to ip 203.48.247.107

2. Configure required Firewall settings to have this IP ready for use with Exchange server, but have it only deny until required.

3. If for unforseen reason ie. new vulnerability, we are listed anywhere.

4. Change FQDN in Exchange Virutal SMTP Server to mail2.charterhall.com.au

5. Change external IP of firewall to 203.48.247.107

5. Deny all SMTP for 203.48.247.108

6. Re-route all SMTP traffic via 203.48.247.107

Thus email will traverse through the backup IP and mx record.

Please suggest if this will work.

This IP seems to be delisted now:

203.48.247.108 not listed in bl.spamcop.net

However, Senderbase is up again:

Report on IP address: 203.48.247.108

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 4.4 23009%

Last 30 days 2.6 261%

Average 2.1

23009%?!?! Something's definitels wrong here...

Good luck,

A. Friend

I just check and it says the followiing?

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 4.0 7140%

Last 30 days 2.6 261%

Average 2.1

Is there something wrong with Senderbase?

[StevenUnderwood]

Please suggest if this will work.

A spamcop listing will not affect your incoming messages at all, only outgoing and only to domains that use DNSBL's.

If it is a vulnerability with that server causing the issues, you are likely to cause both IP's to become listed. You are better off fixing the issue than working around it.

That being said, if you can setup your firewall to send messages as a different IP, that would work.

I am seeing:

Report on IP address: 203.48.247.108

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day 4.0 7145%

Last 30 days 2.6 261%

Average 2.1

Cache issue?

[dacloud]

Hi

Thanks, I understand that if the problem is not fix that both IP can be blacklisted. I just want to have a backup IP so that emails can still be sent to domains using DNSBL and Spamcop after I fix the problem, while Spamcop does it's 24hr wait thing on the other IP.

I also create a second mx record for reverse lookup. This is correct yeah?

ie mail2.charterhall.com.au <---> 203.48.247.109

With the cache thing I was referring to A_Friend, he saw the SenderBase reporting

- Last day 4.4 23009%

Thanks

[StevenUnderwood]

I also create a second mx record for reverse lookup. This is correct yeah?

ie mail2.charterhall.com.au <---> 203.48.247.109

Either your updates have not fully propagated, or you may have a slight error.

Using Server: resolver1.opendns.com

Address: 208.67.222.222

mail2.charterhall.com.au = 203.48.247.107

203.48.247.107 = *** resolver1.opendns.com can't find 203.48.247.107: Non-existent domain

203.48.247.109 = mail.charterhall.com.au = 203.48.247.108

mail.charterhall.com.au = 203.48.247.108 = mail.charterhall.com.au

[dacloud]

Hi

Yeah just did it 2 hours ago.

Thanks

[Farelf]

Showing up in the MX records per http://www.dnsreport.com/tools/dnsreport.c...terhall.com.au+

Your 4 MX records are:

10 mail.charterhall.com.au. [TTL=3600] IP=203.48.247.108 [TTL=3600] [AU]

15 mail2.charterhall.com.au. [TTL=3600] IP=203.48.247.107 [TTL=3600] [AU]

20 mail1.ozhosting.com. [TTL=3600] IP=203.30.164.89 [TTL=600] [AU]

30 postoffice.telstra.net. [TTL=3600] IP=203.50.2.186 [TTL=2848] [AU]

IP=203.50.4.186 [TTL=2848] [AU]

but without rDNS or connectivity yet

ERROR: The IP of one or more of your mail server(s) have no reverse DNS (PTR) entries (if you see "Timeout" below, it may mean that your DNS servers did not respond fast enough). RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. You can double-check using the 'Reverse DNS Lookup' tool at the DNSstuff site (it contacts your servers in real time; the reverse DNS lookups in the DNS report use our local caching DNS server). The problem MX records are:

107.247.48.203.in-addr.arpa [No reverse DNS entry (rcode: 3 ancount: 0) (check it)]

Connect to mail servers ERROR: I could not complete a connection to one or more of your mailservers:

mail2.charterhall.com.au: Timed out [Last data sent: [Did not connect]]

postoffice.telstra.net: Timed out [Last data sent: [Did not connect]]

That is understood - but are there any causes for concern in DNSReport? I don't know enough (anything) but re name servers with ozhosting.com

Open DNS servers ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

Server 203.30.164.2 reports that it will do recursive lookups. [test]

Server 203.30.164.3 reports that it will do recursive lookups. [test]

See this page for info on closing open DNS servers.

Can't see how that could possibly be anything to do with mail issues but then this stuff is ALL whitefella magic to me.

[Wazoo]

Another data point;

http://www.spamcop.net/w3m?action=checkblo...=203.48.247.108

203.48.247.108 not listed in bl.spamcop.net

http://www.senderbase.org/?searchBy=ipaddr...=203.48.247.108

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ........ 4.0 .. 7152%

Last 30 days .. 2.6 .... 261%

Average ........ 2.1

and while I'm at it, another e-mail to IronPort about some of the data involved ....

[Wazoo]

another data point;

http://www.senderbase.org/?searchBy=ipaddr...=203.48.247.108

Volume Statistics for this IP

Magnitude Vol Change vs. Average

Last day ......... 2.5 .... 74%

Last 30 days ... 2.6 .. 256%

Average ......... 2.1

[Telarin]

Good sign, looks like output has dropped back to "normal" for that server.

[Wazoo]

As far as a SpamCopDNSBL listing, things would appear to be resolved. The follow-on SenderBase Reputation points issue (another Topic that was moved to the Lounge) would seem to still probably be an issue for a while ...

Storyline seems to be;

http://www.senderbase.org/?sb=1&search...rterhall.com.au

Date of first message seen from this domain 2006-09-21

http://www.senderbase.org/?sb=1&search...=203.48.247.108

Date of first message seen from this address 2006-10-15

That server was somehow compromised almost immediately, spewing stuff out at a magnificent rate. What it was spewing is still in question. There is no "Report History" so it doesn't appear that any spam was reported. A check of a couple of other BLs that work on spamtrap hits didn't 'see' this IP address. So the logic also seems to include that the folks that took over this server were including (if not specifically targetting) SpamCop.net spamtrap addresses.

And flowing with that stream, note the change in the statistics showing in the Reporting System Statistics link at the top-right of this page .... (well actually, follow that link and scroll down to the weekly chart) ... possible connection ???? at least, it's an odd coincidence .....