AlexWebster

Conflicting information

Hi all,

Our Exchange server (213.31.181.19) has been blocked. However, the Spamcop page is reporting conflicting information.

The Query page says the address is listed (even though it was reported more than 24 hours ago and I requested a delisting): Click Here

However, the Dispute page says the address is not listed: Click Here

And yet, I got this SpamCop Alert email just now: "IPs reported in past hour: 213.31.181.19"

So which one of these is correct and why is there a conflict?

And, since I can't find it, can someone point me to where I can see who reported the server?

Many thanks,

Alex Webster

Alex,

I'm hoping you took a good look at the various FAQ and pinned items here? You might have missed this one:

http://forum.spamcop.net/forums/index.php?showtopic=4133

I got to it by first clicking on Start Here - before you make your first Post then on Blocking List Service (SCBL) and finally on NEW! SCBL "will be delisted in 0 hours" (now shown as 'in a short time') explained.

Also, what have you done to stop the flow of spam from your IP address? The stats at Senderbase.org indicate that your server had a bit of a jump in email output over its average... 130% higher in fact.

Your IP is also listed on the "Passive spam Block List" at: http://psbl.surriel.com for hitting one of their spamtrap addresses with an obvious spam. Here's the "evidence" page:

http://psbl.surriel.com/evidence?ip=213.31...=Check+evidence

Have you traced down what or who was hijacking/using your server to attack the rest of the world?

DT

Conflicts can occur because of stale information between the mirrors, but I would hope that spamcop would always access the master list. That does not appear to be the case. It is probably working through the mirrors.

My manual testing of that IP address shows it still listed:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>nslookup
Default Server: kopdc01.kopin.com
Address: 10.1.75.11

> 19.181.31.213.bl.spamcop.net
Server: kopdc01.kopin.com
Address: 10.1.75.11

Name: 19.181.31.213.bl.spamcop.net
Address: 127.0.0.2

There are two reports visible to paid reporters:

Report History: 
------------------------------------------------------
Submitted: Tuesday, October 24, 2006 7:53:01 AM -0400:
Tehachapi Temecula
1982538337 ( 213.31.181.19 ) To: spamcop[at]imaphost.com
1982538263 ( 213.31.181.19 ) To: mircea_pisica[at]infonet.com
------------------------------------------------------
Submitted: Tuesday, October 24, 2006 7:52:53 AM -0400:
Tehachapi Temecula
1982537972 ( 213.31.181.19 ) To: spamcop[at]imaphost.com
1982537942 ( 213.31.181.19 ) To: mircea_pisica[at]infonet.com

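The nslookup above and the "listed in bl.spamcop.net (127.0.0.2)" result quoted in the next reply are the same DNSBL mechanism: reverse the four octets, append the zone, and read the answer. The following is an added example (not SpamCop's code and not from anyone in this thread) that builds the query name and interprets the answer. The FAKE_DNS table is a constructed stand-in so it runs offline; resolve_live uses the system resolver for real checks. The meaning of 127.0.0.2 is taken from the thread; the rejection of non-127/8 answers is a general DNSBL precaution, not SpamCop-specific.

```python
"""DNSBL lookup helper for IPv4 addresses (added example, not SpamCop's code)."""
import ipaddress
import socket

ZONE = "bl.spamcop.net"

# Constructed answers standing in for DNS so the example runs offline.
FAKE_DNS = {"19.181.31.213.bl.spamcop.net": "127.0.0.2"}

# SpamCop answers 127.0.0.2 for a listed address; other zones use other codes.
KNOWN_CODES = {"127.0.0.2": "listed in bl.spamcop.net"}


def dnsbl_name(ip, zone=ZONE):
    """Reverse the octets and append the zone:
    213.31.181.19 -> 19.181.31.213.bl.spamcop.net"""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed or IPv6 input
    return ".".join(reversed(addr.exploded.split("."))) + "." + zone


def resolve_offline(name):
    """Lookup against the constructed table (used by default here)."""
    return FAKE_DNS.get(name)


def resolve_live(name):
    """Real lookup via the system resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_lookup(ip, zone=ZONE, resolve=resolve_offline):
    """Return (listed, answer, explanation) for one address."""
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return (False, None, "not listed")
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        # A non-loopback answer is not a DNSBL verdict (for example a wildcard
        # from a dead or hijacked zone); treating it as a listing would block
        # everyone, so it is ignored and reported as such.
        return (False, answer, "unexpected answer, ignoring")
    return (True, answer, KNOWN_CODES.get(answer, "listed, unknown return code"))


if __name__ == "__main__":
    print(dnsbl_lookup("213.31.181.19"))
```

Pass resolve=resolve_live to query DNS for real. As the reply above notes, mirrors can be stale, so two resolvers may briefly disagree; comparing the answers from more than one resolver is the quickest way to tell a stale mirror from a genuine re-listing.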
No, you can not directly see who reported the server. What you can see is:

213.31.181.19 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in a short time.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

System administrator has already delisted this system once

You have already delisted the server once without correcting the problem, so you will not be able to delist it again. The fact that you have a combination of both user reports and spamtrap hits indicates that you probably have a pretty serious problem. Are you running Exchange 2000 or 2003? If you are running 2000, it bounces messages to non-existent addresses by default. You will need to download a hotfix from Microsoft to correct that behaviour.

I'm certain one of the paid reporters will be kind enough to post a history of the user reports so we can see the types of messages being reported.

It looks like the abuse reports are sent to mircea_pisica[at]infonet.com

You could try contacting that address to find out why the reports are not being forwarded to you. You might also request that they list a proper abuse[at] role account in their RIPE listing. The role account is required by RFC 2142, however some providers fail to implement them, or forget to add them to their RIPE contact information.

The most recent reports from an individual were on the 24th. Both had the subject below.

Submitted: 24 October 2006 12:53:01 +0100:

Tehachapi Temecula

Other reports look like they relate to spamtraps.

Andrew

Thanks all for the very quick response.

I wasn't convinced that the problem was resolved but was under pressure from users - so I took a chance, delisted us, and unfortunately got burned.

We got hit with an MSN Messenger virus a few days ago, and it's entirely possible that this has left a nasty mailer somewhere. I have been de-lousing our desktop PCs but have not yet got to all of them. Unfortunately I haven't been able to identify exactly what payload was carried by the MSN message.

Alex

On a side note, you have SMTP AUTH enabled, though I couldn't find any weak username/password combinations on your system. If you don't need remote users to be able to send mail through your server from random locations, you should disable remote authentication to reduce your attack surface.

If you use a single public IP shared between your mail server and your users using a NAT appliance, you should also consider configuring your firewall to block all outbound traffic on port 25 unless it originates at the mail server.

Surprisingly, our firewall was set up to allow outgoing SMTP from anyone. Our network manager has now changed this. Hopefully that will stem the tide, and we will then sniff the network for SMTP packets going outwards in an attempt to find the offending computer(s).

Re SMTP AUTH, I should be able to disable this - although I would have thought that this would increase rather than decrease the risk...?

I have contacted Infonet and hopefully will be a bit better informed in future.

Many thanks again for all your help.

Alex

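The two steps just discussed, restricting outbound port 25 to the mail server and then watching for any other host that still tries, fit together: if the firewall logs what it blocks, the infected machine identifies itself. The following is an added example, not code from anyone in this thread. It assumes an internal mail server address of 192.168.1.10 and a LAN/WAN interface pair of eth1/eth0, and the log lines are constructed in the key=value style of iptables LOG output (the original poster's firewall is not named, so the format is an assumption). The egress_smtp_rules function returns the iptables commands as one way to implement the advice above.

```python
"""Find internal hosts sending SMTP directly to the internet (added example)."""
import re
from collections import defaultdict

MAIL_SERVER = "192.168.1.10"  # assumed internal address of the Exchange server

# Constructed sample lines in the style of iptables LOG output (addresses are
# documentation ranges). 192.168.1.45 fans out to several MX hosts; .77 tries once.
SAMPLE_LOG = """\
Oct 24 12:50:01 fw kernel: egress: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.20 PROTO=TCP SPT=3401 DPT=25
Oct 24 12:50:02 fw kernel: egress: IN=eth1 OUT=eth0 SRC=192.168.1.45 DST=198.51.100.20 PROTO=TCP SPT=1034 DPT=25
Oct 24 12:50:02 fw kernel: egress: IN=eth1 OUT=eth0 SRC=192.168.1.45 DST=198.51.100.21 PROTO=TCP SPT=1035 DPT=25
Oct 24 12:50:03 fw kernel: egress: IN=eth1 OUT=eth0 SRC=192.168.1.45 DST=203.0.113.5 PROTO=TCP SPT=1036 DPT=25
Oct 24 12:50:03 fw kernel: egress: IN=eth1 OUT=eth0 SRC=192.168.1.45 DST=198.51.100.20 PROTO=TCP SPT=1037 DPT=25
Oct 24 12:50:04 fw kernel: egress: IN=eth1 OUT=eth0 SRC=192.168.1.45 DST=203.0.113.80 PROTO=TCP SPT=1038 DPT=80
Oct 24 12:50:05 fw kernel: egress: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.21 PROTO=TCP SPT=3402 DPT=25
Oct 24 12:50:06 fw kernel: egress: IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.20 PROTO=TCP SPT=2201 DPT=25
"""

FLOW_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)"
    r"(?: SPT=\d+)? DPT=(?P<dport>\d+)"
)


def parse_flows(text):
    """Yield (src, dst, proto, dport) for every line that carries a flow."""
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"].upper(), int(m["dport"])


def rogue_smtp_senders(text, mail_server=MAIL_SERVER):
    """Count direct port-25 connections per internal host other than the mail server.

    Returns a list of (src, {"connections": n, "destinations": set}) sorted with
    the busiest host first; a spam engine fans out to many MX hosts quickly."""
    hits = defaultdict(lambda: {"connections": 0, "destinations": set()})
    for src, dst, proto, dport in parse_flows(text):
        if proto != "TCP" or dport != 25 or src == mail_server:
            continue
        hits[src]["connections"] += 1
        hits[src]["destinations"].add(dst)
    return sorted(hits.items(), key=lambda kv: (-kv[1]["connections"], kv[0]))


def egress_smtp_rules(mail_server=MAIL_SERVER, lan_iface="eth1", wan_iface="eth0"):
    """iptables FORWARD rules: log every port-25 attempt, allow only the mail
    server, reject the rest (assumed rule set, one way to do what the thread suggests)."""
    base = f"iptables -A FORWARD -i {lan_iface} -o {wan_iface} -p tcp --dport 25"
    return [
        f"{base} -j LOG --log-prefix 'egress: '",
        f"{base} -s {mail_server} -j ACCEPT",
        f"{base} -j REJECT --reject-with tcp-reset",
    ]


if __name__ == "__main__":
    for src, info in rogue_smtp_senders(SAMPLE_LOG):
        print(src, info["connections"], sorted(info["destinations"]))
    print("\n".join(egress_smtp_rules()))
```

With a single NATed public address, external parties (SpamCop, PSBL) can only ever name the public IP, so this kind of inside-the-NAT logging is the only place the guilty desktop shows up.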
Re SMTP AUTH, I should be able to disable this - although I would have thought that this would increase rather than decrease the risk...?

Having it enabled allows anybody with a valid username/password combination to relay mail through your server from any IP address on the internet. You didn't detect me scanning around 250 combinations and a spammer might try tens of thousands to get access to your server.

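The point made above, that 250 AUTH attempts went unnoticed, is a detection gap rather than an Exchange setting. As an added example (not from anyone in this thread), the following counts SMTP AUTH failures per client address in a sliding window and flags a burst, and also flags a success that follows a burst, which is the case that matters most. The log lines are constructed in a syslog-like format for the example; Exchange's own SMTP protocol log uses a different layout, so the regular expression would need adjusting. The threshold of 10 failures in 5 minutes is an assumption.

```python
"""Detect SMTP AUTH password guessing from mail server logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                 # assumed: failures per client within WINDOW
WINDOW = timedelta(minutes=5)
LOG_YEAR = 2006                # syslog lines carry no year; assumed for the sample


def _constructed_sample():
    """Constructed sample: one client tries 12 usernames in 77 seconds and then
    logs in; another client mistypes once and then succeeds (normal behaviour)."""
    lines = []
    base = datetime(2006, 10, 24, 12, 53, 0)
    for i in range(12):
        t = base + timedelta(seconds=7 * i)
        lines.append(f"{t:%b %d %H:%M:%S} mail smtpd[411]: client=203.0.113.7 "
                     f"AUTH LOGIN failed user=user{i:02d}")
    t = base + timedelta(seconds=90)
    lines.append(f"{t:%b %d %H:%M:%S} mail smtpd[411]: client=203.0.113.7 AUTH LOGIN ok user=alex")
    lines.append("Oct 24 12:55:10 mail smtpd[412]: client=198.51.100.9 AUTH LOGIN failed user=alex")
    lines.append("Oct 24 12:55:40 mail smtpd[412]: client=198.51.100.9 AUTH LOGIN ok user=alex")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_sample()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ smtpd\[\d+\]: "
    r"client=(?P<client>[\d.]+) AUTH \w+ (?P<result>failed|ok) user=(?P<user>\S+)$"
)


def parse_events(text, year=LOG_YEAR):
    """Yield (timestamp, client, succeeded, user) for each AUTH line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["client"], m["result"] == "ok", m["user"]


def detect_auth_bruteforce(text, threshold=THRESHOLD, window=WINDOW):
    """Return {client: alert} for clients exceeding the failure threshold.

    Each alert records the failure count inside the window, the distinct
    usernames tried, and whether a successful login followed the burst."""
    events = sorted(parse_events(text), key=lambda e: e[0])
    recent = defaultdict(deque)  # client -> (timestamp, user) of recent failures
    alerts = {}
    for ts, client, ok, user in events:
        if ok:
            if client in alerts:
                # Success right after a guessing burst: treat the account as compromised.
                alerts[client]["success_after_burst"] = True
                alerts[client]["compromised_user"] = user
            continue
        q = recent[client]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures that fell out of the sliding window
        if len(q) >= threshold:
            a = alerts.setdefault(client, {"failures": 0, "distinct_users": set(),
                                           "success_after_burst": False,
                                           "compromised_user": None})
            a["failures"] = len(q)
            a["distinct_users"] = {u for _, u in q}
    return alerts


if __name__ == "__main__":
    for client, alert in detect_auth_bruteforce(SAMPLE_LOG).items():
        print(client, alert["failures"], "failures,",
              len(alert["distinct_users"]), "usernames, success after burst:",
              alert["success_after_burst"])
```

Many distinct usernames from one client is the signature of enumeration, while many failures against one username is a password attack on a known account; both end up as a working relay if the attacker lands a hit, which is why the post-burst success is flagged separately.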
What intrigues me is why would an abuse desk use a name which literally translates as "the cat" and is not a real name.

Whimsy?

"The Cat"? Are you sure about that?
