VRod74

68.160.79.3


Hi,

68.160.79.3 is not listed when I check your database, but my domain is still getting blocked and I get a lot of bounce backs from your reporting service. MX and PTR records check out fine. I don't have open relays since the last time I checked and I'm using TrendMicro IMSS for email gateway. Cisco firewall is hardened to the only port 25 for this IP. I have also turned off NDR's and Out Of Office replies to the internet from going out.

Heck, I have even run a full fledged AV scan on all nodes inside my network and they turn up clean.

I'm going nuts here, what else am I missing?

> 68.160.79.3 is not listed when I check your database, but my domain is still getting blocked and I get a lot of bounce backs from your reporting service. MX and PTR records check out fine. I don't have open relays since the last time I checked and I'm using TrendMicro IMSS for email gateway. Cisco firewall is hardened to the only port 25 for this IP. I have also turned off NDR's and Out Of Office replies to the internet from going out.
>
> Heck, I have even run a full fledged AV scan on all nodes inside my network and they turn up clean.
>
> I'm going nuts here, what else am I missing?

You are correct that it is not listed and the only publicly available report in the last 30 days is:

Submitted: Friday, November 03, 2006 5:24:58 AM -0500:

Undeliverable: spam: Eleanor wrote:

1998972172 ( 68.160.79.3 ) To: abuse[at]verizon.net

Please provide the full text of one of the bounce messages so we can try to help. I don't know what you mean by "bounce backs from your reporting service"? Reports for that IP address would be sent to verizon.net.

> 68.160.79.3 is not listed when I check your database, but my domain is still getting blocked and I get a lot of bounce backs from your reporting service. MX and PTR records check out fine. I don't have open relays since the last time I checked and I'm using TrendMicro IMSS for email gateway. Cisco firewall is hardened to the only port 25 for this IP. I have also turned off NDR's and Out Of Office replies to the internet from going out.
>
> Heck, I have even run a full fledged AV scan on all nodes inside my network and they turn up clean.
>
> I'm going nuts here, what else am I missing?

What's missing 'here' is an example of one or more of the rejection notices you say you are receiving.

http://spamcop.net/w3m?action=checkblock&ip=68.160.79.3

68.160.79.3 not listed in bl.spamcop.net

http://www.senderbase.org/search?searchBy=...ing=68.160.79.3

Volume Statistics for this IP

               Magnitude   Vol Change vs. Average
Last day       3.5         650%
Last 30 days   3.2         277%
Average        2.6

Can you justify that increase in traffic as something other than spam/misdirected bounces/etc. ??

Report History:

Submitted: Friday, November 03, 2006 4:24:58 AM -0600:

Undeliverable: spam: Eleanor wrote:

1998972172 ( 68.160.79.3 ) To: abuse[at]verizon.net

The only item showing as a reported spam ....

So, from 'just another user' viewpoint, it is not currently listed, no sign available that it was ...

so if it was, it's not now ..

The other possibility is that the receiving ISP has a screwed up configuration, whereas your e-mail may be rejected, but the wrong 'justification/error' message is being generated ....


You do not get any 'bouncebacks' from spamcop. You get rejection messages by server admins who are using the spamcop blocklist.

Some admins are lazy and use the spamcop message format to reject email for reasons other than that the IP address is on the spamcop bl. Your IP address is not listed on any other blocklists, however. Are all the 'bouncebacks' coming from one place? If so, it would probably be a good idea to contact that server admin and ask hir.

It might be a good idea to provide the rejection message. The only alarming thing is that your senderbase stats show an increase.

A real server admin may be by shortly to ask you more technical questions. Meanwhile, I would continue looking for a way that something could be compromised.

Miss Betsy

> You are correct that it is not listed and the only publicly available report in the last 30 days is:
>
> Submitted: Friday, November 03, 2006 5:24:58 AM -0500:
>
> Undeliverable: spam: Eleanor wrote:
>
> 1998972172 ( 68.160.79.3 ) To: abuse[at]verizon.net
>
> Please provide the full text of one of the bounce messages so we can try to help. I don't know what you mean by "bounce backs from your reporting service"? Reports for that IP address would be sent to verizon.net.

Sorry I call them bounced emails... Here are two examples:

****** Message from InterScan Messaging Security Suite ******

Sent <<< [session Initiation]

Received >>> 554 http://www.senderbase.org/search?searchstring=68.160.79.3

Unable to deliver message to <2046[at]prtc.net>.

************************ End of message **********************

and the other is this:

****** Message from InterScan Messaging Security Suite ******

Sent <<< [session Initiation]

Received >>> 554 "your access to this mail system has been rejected due to the sending mta's poor reputation. please reference the following url for more information: http://www.senderbase.org/search?searchstring=68.160.79.3 if you believe that this failure is in error, please contact the intended recipient via alternate means."

Unable to deliver message to <mleone[at]oxfordshirtmakers.com>.

************************ End of message **********************

I have already contacted Verizon.net regarding this. I haven't heard from them since.

By the way all that increase in traffic is all the spam that's trying to get in my server which I try to filter as much as I can.


OK, what I am seeing is that the SpamCopDNSBL is not involved here. Those rejection notices are dealing with something using SenderBase Reputation scores to make the call. And the only thing I can suggest on that is to point back to my previous question ....

OK, you edited your last while I was typing in the above ... editing this one to add a reply;

> By the way all that increase in traffic is all the spam that's trying to get in my server which I try to filter as much as I can.

No, your "incoming" is not what is 'scored' on that SenderBase page. However, the 'connection' may be that your server is sending out those mis-directed bounces in reply to that flood of spam .... which then may also be feeding into the 'bad reputation' point scoring' ...???

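Added example, not part of any poster's message: a Python sketch that triages rejection notices like the two quoted above by the service their 554 text cites, and builds the name a DNSBL lookup against bl.spamcop.net would resolve for the same IP. The recipient addresses are placeholders, the second notice is abridged, the third is constructed in the style of a SpamCop-based rejection, and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the two notices from the thread (second one abridged,
# recipients replaced with placeholders) plus one constructed SpamCop-style reply.
NOTICES = """\
Received >>> 554 http://www.senderbase.org/search?searchstring=68.160.79.3
Unable to deliver message to <user1@example.net>.
Received >>> 554 "your access to this mail system has been rejected due to the sending mta's poor reputation. please reference the following url for more information: http://www.senderbase.org/search?searchstring=68.160.79.3"
Unable to deliver message to <user2@example.com>.
Received >>> 554 Blocked - see http://www.spamcop.net/bl.shtml?68.160.79.3
Unable to deliver message to <user3@example.org>.
"""

# Hostname fragments that identify which service the rejecting server cites.
SOURCES = {"senderbase.org": "SenderBase reputation", "spamcop.net": "SpamCop DNSBL"}
REPLY = re.compile(r"Received >>> (\d{3}) (.*)")
RCPT = re.compile(r"Unable to deliver message to <([^>]+)>")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify(reply_text):
    """Name the reputation source a rejection text points at, else 'unknown'."""
    lowered = reply_text.lower()
    return next((label for host, label in SOURCES.items() if host in lowered), "unknown")


def triage(notices):
    """Pair each SMTP reply with the recipient line that follows it."""
    rows, pending = [], None
    for line in notices.splitlines():
        if (m := REPLY.match(line)):
            pending = {"code": m.group(1), "source": classify(m.group(2)),
                       "ip": next(iter(IPV4.findall(m.group(2))), None)}
        elif (m := RCPT.match(line)) and pending:
            rows.append({**pending, "rcpt": m.group(1)})
            pending = None
    return rows


def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """Build the DNS name a DNSBL client resolves: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    for row in triage(NOTICES):
        print(row["rcpt"], row["code"], row["source"], dnsbl_query_name(row["ip"]))
```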

Wow, I can't say I've ever seen ANY ISP reject email based solely on senderbase reputation. I'm not even sure where they would pull that information from. Perhaps a paid service from senderbase?

The senderbase reputation, while handled by IronPort, the same company that owns Spamcop, is not in any way related to the SCBL.

I would try to contact the receiving ISP to find out what the problem is, since I don't believe there is any way to access the "Senderbase reputation" without paying for that service. It doesn't appear that that IP is listed in ANY blocklists, so I would write this off as a clueless admin on the receiving end.


Wazoo I will check my spam server and see if this is a case of misdirection based on the traffic information from senderbase. I will monitor outgoing traffic from side and see what's happening. :ph34r:


Wow! Something appears to have happened for sure ...

Volume Statistics for this IP

               Magnitude   Vol Change vs. Average
Last day       3.1         106%
Last 30 days   3.2         278%
Average        2.6

Thanks!

> ... Wow, I can't say I've ever seen ANY ISP reject email based solely on senderbase reputation. I'm not even sure where they would pull that information from. Perhaps a paid service from senderbase? ...

The concept is addressed in the IronPort whitepaper http://www.ironport.com/pdf/ironport_c60_rep_based_paper.pdf - part of the "solution" package.


Ok I got listed this time. Although traffic from senderbase.org has lowered.

68.160.79.3 listed in bl.spamcop.net (127.0.0.2)

Listing History

In the past 8.5 days, it has been listed 4 times for a total of 3.5 days.

It's definitely misdirected spam from side, I'll get working on this. :P

> It's definitely misdirected spam from side, I'll get working on this. :P

There is still only the one 'reported' spam ... the SpamCopDNSBL page only mentions spamtrap hits.

Volume Statistics for this IP

               Magnitude   Vol Change vs. Average
Last day       3.3         200%
Last 30 days   3.2         285%
Average        2.6

It may have been that the spammer took a bit of a break from your server, allowing it to fall off the 'listed' status .... then came back ....

Good luck and thanks for keeping at it!
