vzinchenko

[Resolved] Blacklisted again

Hello.

Second Monday in a row starts with a headache, unfortunately not because of hot drink-n-party weekends, but because of users' complaints that their e-mails won't reach recipients...

Ahhh, blacklisted again! Man, I'm really gonna make http://www.spamcop.net/w3m?action=checkblo...p=212.113.100.2 my browser startpage one day!

Last week (when blacklisted the first time) I double-scanned every computer here in the LAN for trojans, the server, analyzed logs and... Found nothing!

But those spam trap addresses make me sick. All about these bounces I guess... But why should I configure my system not to send out failed delivery status notifications? It is not prohibited to send those! If the reason is "Do so in order not to get blacklisted by us", my answer is a bold fat NO.

I don't know much about your spamtraps, but could you make them a bit more intelligent, so they analyze what they receive - real spam or just bounced notifications due to a forged FROM? I think the meaning of spam traps is to identify spammers, so make them act accordingly! If they identify bounces as spam then it's nothing but fake. Use smart stuff or don't use it at all. That's the same problem as false spam reporting.

Fortunately, I have another SMTP in my net, so I put all outgoing e-mail traffic through that (surprisingly still) "clean" server.

But what do I see today? The countdown timer to make my poor 212.113.100.2 clean is restarted and counting again from 24 hours to 0. Since all the outgoing mail now goes through another machine, I'm wondering how that is possible? I expected to get out of the BL today, as nothing is sent from the BL'd IP now. But instead, a 24 hour countdown again...

All that makes me sick... Everything was working for more than 2 years already, but these 2 weeks just a complete headache. I'm completely lost.

Ahhh, blacklisted again! Man, I'm really gonna make http://www.spamcop.net/w3m?action=checkblo...p=212.113.100.2 my browser startpage one day!

But as you state, that is just the 'starting page' .. further information is available elsewhere. For example;

http://www.senderbase.org/search?searchBy=...g=212.113.100.2

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day           4.1          16436%
Last 30 days       2.3            190%
Average            1.8

Yes, it's true that this may be due to your re-routing of e-mail traffic to this server, but ... the question has to be asked, is this the only valid reason for that noted, massive traffic increase?

But those spam trap addresses make me sick. All about these bounces I guess... But why should I configure my system not to send out failed delivery status notifications? It is not prohibited to send those! If the reason is "Do so in order not to get blacklisted by us", my answer is a bold fat NO.

I don't know much about your spamtraps, but could you make them a bit more intelligent, so they analyze what they receive - real spam or just bounced notifications due to a forged FROM? I think the meaning of spam traps is to identify spammers, so make them act accordingly! If they identify bounces as spam then it's nothing but fake. Use smart stuff or don't use it at all. That's the same problem as false spam reporting.

I don't believe you have a grasp of "spamtrap addresses" as used by SpamCop.net. There is no reason for them to receive 'any' e-mail other than forged addresses within an e-mail. One of the primary reasons for a SpamCop.net spamtrap address to be used as a 'forged' Reply-To: (based on your description) is in fact to get folks like you ticked off about SpamCop.net. You might want to start your research at spam Trap .. then off to What is the SpamCop Blocking List (SCBL)? ... then perhaps Blowback, Backscatter, Misdirected Bounces ..... Your premise on "sending these Bounces is OK" is (at best) based on the fact that RFCs and various software packages have not kept up with spammer abuse of the 'trusted user' environment that most of the 'Internet' was developed around.

Fortunately, I have another SMTP in my net, so I put all outgoing e-mail traffic through that (surprisingly still) "clean" server.

But what do I see today? The countdown timer to make my poor 212.113.100.2 clean is restarted and counting again from 24 hours to 0. Since all the outgoing mail now goes through another machine, I'm wondering how that is possible? I expected to get out of the BL today, as nothing is sent from the BL'd IP now. But instead, a 24 hour countdown again...

In that case, I'll ask again about the SenderBase traffic numbers being reported. If you've re-routed traffic to "another" server, where's all the 'seen' traffic coming from?

Geeze, and now that you mention it ..... let's hope that this isn't the 'new' server involved ...

http://www.senderbase.org/search?searchBy=...=212.113.100.82

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day           3.9           1729%
Last 30 days       2.8             67%
Average            2.6

Date of first message seen from this address 2006-10-24

Real-time blacklists

bl.spamcop.net http://spamcop.net/w3m?action=checkblock&a...=212.113.100.82

cbl.abuseat.org http://cbl.abuseat.org/lookup.cgi?ip=212.113.100.82

http://spamcop.net/w3m?action=checkblock&a...=212.113.100.82

Causes of listing

System has sent mail to SpamCop spam traps in the past week

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

DNS error: 212.113.100.82 has no reverse dns


Sorry, it's still unclean...

Last day ........ 4.1 .. 16436%

I don't get where this digit comes from, as I can see there's 0.0 when I open http://www.senderbase.org/search?searchBy=...g=212.113.100.2

And still I cannot understand why it's a good solution to blacklist servers that bounce undeliverable mail...

Thanks for pointing to 212.113.100.82, but it makes no sense, because it's not mine. There are a lot of subnets around in 212.113.100.*, probably around 100, coz they're all small-business companies with only one gateway; we're probably the only one having 2.


Sorry, it's still unclean...

Guessing that this was meant to be 'unclear' ????

I don't get where this digit comes from, as I can see there's 0.0 when I open http://www.senderbase.org/search?searchBy=...g=212.113.100.2

Timing is everything <g> ... agreed, it is showing 0.0 for me now also .....

However, the question of the massive increase in the 'last day' hasn't yet been addressed by you. Numbers like that tend to usually indicate that spammers have gained access/control over that server. That you changed to another server may have stopped the immediate access by whomever 'was' throwing traffic through that machine .. but if the configuration on the 'other' server is the same, they may be back ...

And still I cannot understand why it's a good solution to blacklist servers that bounce undeliverable mail...

Apparently, you've not done/understood the research material previously linked to. It's not that the servers are simply bouncing undeliverable e-mail, it's that they are bouncing that e-mail traffic to the wrong address, typically the From: and/or Reply-To: addresses, which you yourself have noted is typically forged in the spam. The general principle stated these days is that if the e-mail is not deliverable, then it should not be accepted to begin with ..... "reject" it at the time of attempted delivery ... a "real" e-mail will then cause a non-delivery message to be generated by the sending server to the e-mail originator, in the case of a 'real' e-mail sending attempt. And again, the 'problem' with accepting any and all e-mail then generating a 'bounce' after the fact is that spammers started using this method of sending their spew.

Bottom line: "I"/"SpamCop.net" didn't send "you" / "your server" any e-mail .. why should I/SpamCop.net accept your "bogus" non-delivery notification just because some spammer forged "my address" or a "SpamCop.net spamtrap address" into a spam e-mail header? Your server should not have accepted that e-mail at all, if it was truly non-deliverable.

Thanks for pointing to 212.113.100.82, but it makes no sense, because it's not mine. There are a lot of subnets around in 212.113.100.*, probably around 100, coz they're all small-business companies with only one gateway; we're probably the only one having 2.

Only working with the data you provided .. and the results of my (volunteer) time in researching things while trying to offer you some help.


Thanks for taking your time, things are becoming clearer now...

Timing is everything <g> ... agreed, it is showing 0.0 for me now also .....

I'm not sure it was the digit you mentioned above anyway, as I've been on that page before... But I agree it was a good idea to check additional information on a problem IP.

So the idea is to filter bad-recipient-addressed e-mails on incoming SMTP, thus not letting them be accepted at all at the earlier stage. Something like that?


Very strange ..... http://www.senderbase.org/search?searchBy=...g=212.113.100.2

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day           4.1          16343%
Last 30 days       2.3            190%
Average            1.8

and yet from another browser instance;

http://www.senderbase.org/search?searchBy=...g=212.113.100.2

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day           0.0           -100%
Last 30 days       2.0            107%
Average            1.7

No amount of 'refreshing' seems to change the numbers .. yet noting that the 'huge increase' version does show different numbers involved from the previous capture (number going down .) .... I simply don't have a clue as to what this is all about ....


http://www.senderbase.org/search?searchBy=...g=212.113.100.2

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day           0.0           -100%
Last 30 days       2.0            107%
Average            1.7

This is the version I am seeing when I check it from any of my computers here, and this would seem to match with the "switched to a different SMTP server" scenario, so is probably the accurate version.

To the OP, the 4.1 magnitude that was showing would coincide with about 10^4.1 or 12500 emails per day. Does that sound right for your server?

Also, on the subject of rejecting undeliverable mail versus bouncing, you will most likely find that this improves your server performance and saves you a ton of bandwidth. It did for me, and I'm just running a 40 user mail server. It makes a big bandwidth difference though because messages are rejected after the "RCPT TO:" phase generally which means I don't ever receive the "DATA" portion of the SMTP exchange and therefore don't commit to using the bandwidth required to receive the message body. It also saves the bandwidth, CPU time, and disk space used to send a "bounce" message after accepting a message.

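The reject-at-RCPT-TO point above, as an added example that is not from this thread or from any poster: a small Python model of an SMTP receiver that either refuses an unknown recipient with 550 before DATA (so no body is ever transferred and no bounce is owed) or accepts everything and is then stuck generating a DSN to a possibly forged MAIL FROM. The domain, the user list, the scripted session and the helper magnitude_to_messages_per_day (which reproduces the 10^4.1 arithmetic) are all constructed for this illustration.

```python
# Constructed example (added to this thread, not from any poster): a minimal SMTP
# receiver contrasting "reject at RCPT TO" with "accept, then bounce". Hypothetical domain.
LOCAL_USERS = {"alice@example.net", "bob@example.net"}

def run_session(client_lines, reject_at_rcpt=True):
    """Return (replies, body_bytes, bounces) for one scripted client session:
    server replies in order, message-body bytes taken over the wire, and the
    (return_path, unknown_rcpt) DSNs now owed, i.e. backscatter to MAIL FROM."""
    replies, bounces = [], []
    sender, rcpts, in_data, body_bytes = None, [], False, 0
    for line in client_lines:
        if in_data:
            if line == ".":                      # end of DATA
                in_data = False
                for addr in rcpts:
                    if addr not in LOCAL_USERS:  # discovered too late
                        bounces.append((sender, addr))
                replies.append("250 2.0.0 Queued")
            else:
                body_bytes += len(line) + 2      # +2 for CRLF
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            replies.append("250 mx.example.net")
        elif verb == "MAIL":
            sender = arg.split(":", 1)[1].strip().strip("<>")
            rcpts = []
            replies.append("250 2.1.0 OK")
        elif verb == "RCPT":
            addr = arg.split(":", 1)[1].strip().strip("<>")
            if addr in LOCAL_USERS or not reject_at_rcpt:
                rcpts.append(addr)
                replies.append("250 2.1.5 OK")
            else:
                replies.append("550 5.1.1 No such user")  # body never sent
        elif verb == "DATA":
            if rcpts:
                in_data = True
                replies.append("354 End data with <CRLF>.<CRLF>")
            else:
                replies.append("503 5.5.1 No valid recipients")
        elif verb == "QUIT":
            replies.append("221 2.0.0 Bye")
    return replies, body_bytes, bounces

def magnitude_to_messages_per_day(magnitude):
    """SenderBase magnitude is log10 of daily volume, so 4.1 is about 10**4.1."""
    return round(10 ** magnitude)

# Constructed session: a forged third-party MAIL FROM aimed at a non-existent local user.
SESSION = ["EHLO bot.example.org", "MAIL FROM:<victim@forged.example>",
           "RCPT TO:<nobody@example.net>", "DATA", "Subject: buy now", "",
           "spam body" * 100, ".", "QUIT"]
```

With reject_at_rcpt=True the session ends at the 550/503 replies with zero body bytes and no bounce owed; with reject_at_rcpt=False the whole body is accepted and a DSN to victim@forged.example is now pending, which is exactly the backscatter that lands in a spamtrap.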
To the OP, the 4.1 magnitude that was showing would coincide with about 10^4.1 or 12500 emails per day. Does that sound right for your server?

According to SMTP logs it's obviously not right. Traffic counters don't show any suspicious increase either. Talking about numbers, it is close to the monthly amount of spam we receive, but it's not a daily value indeed.

Also, on the subject of rejecting undeliverable mail versus bouncing, you will most likely find that this improves your server performance and saves you a ton of bandwidth. It did for me, and I'm just running a 40 user mail server. It makes a big bandwidth difference though because messages are rejected after the "RCPT TO:" phase generally which means I don't ever receive the "DATA" portion of the SMTP exchange and therefore don't commit to using the bandwidth required to receive the message body. It also saves the bandwidth, CPU time, and disk space used to send a "bounce" message after accepting a message.

I have realized that.

By the way is there a way to check whether the server is reported (or has hit spam traps) during last n hours or not? Like 24 or 48 hours? And how many times...


By the way is there a way to check whether the server is reported (or has hit spam traps) during last n hours or not? Like 24 or 48 hours? And how many times...

Answers to that are found in several of the previously suggested FAQ entries. In a nutshell, there are three people involved with access to that database. Already acknowledging their trying to keep up with 800-1800 e-mails a day, it's not easy for anyone here to say that you'll get an immediate response from them either .... but that's the only access point available.


I'm just trying to find out the reason why the 24hr counter has restarted today. Even after I switched to another SMTP.

Probably because I'd switched at nearly 11AM GMT yesterday and I still have to wait some time.


According to SMTP logs it's obviously not right. Traffic counters don't show any suspicious increase either. Talking about numbers, it is close to the monthly amount of spam we receive, but it's not a daily value indeed.

I have realized that.

Well, you are aware that the server could be sending email and not going through the proper channels to allow it to be logged, correct? Most viruses and trojans contain their own SMTP engine, and so bypass the normal logs. It seems as if you are aware by your next statement about the traffic counter, but just wanted to be sure.

Also, just found a single user report of spam in the last 30 days from that IP address:

Report History:

Submitted: Monday, November 27, 2006 1:58:21 PM -0500:

100% new prices for medicals! just look!

2037868423 ( 212.113.100.2 ) To: abuse[at]relcom.net



I have found in logs some suspicious activity on outgoing SMTPs from one of PCs in my net. Looks like there it is. Gonna check it tomorrow.


I have cleaned the threat... Some unknown kind of trojan that was not identified by up-to-date McAfee %)

Will send it to anti-virus labs for further investigation.

Thanks guys for assistance, sorry for being such an a**h*#e.

...Thanks guys for assistance, sorry for being such an a**h*#e.
I'm sure those involved would protest you are no such thing vzinchenko! So refreshing to find someone who is prepared to be responsible and responsive.

I have cleaned the threat... Some unknown kind of trojan that was not identified by up-to-date McAfee %)

Will send it to anti-virus labs for further investigation.

...Thank you for taking the time to return here to give us the good news! As a result, I shall mark this thread as "resolved."
Thanks guys for assistance, sorry for being such an a**h*#e.
...Indeed, I wish to associate myself with Farelf's reply. Thank you, again!


However, I can confirm the strange behavior of senderbase, noticed by Wazoo earlier.

It can report the magnitude around 4, or 0, even now, when our net is free of trojans and stuff (I'm checking open connections like a junkie - every 15 minutes).

So I'm not sure what it's all about. I guess it cannot report our "clean" statistics too accurately anyway, because it's 99.9% Russian-only traffic, and I don't believe they have a good watch over here.


Based on past experience, I'm not holding my breath waiting for an answer, but I try anyway .....

From: "WazoO"

To: support at senderbase.org

Subject: Report on IP Address web page display

Date: Thu, 7 Dec 2006 16:14:18 -0600

As noted in a SpamCop.net Forum discussion at http://forum.spamcop.net/forums/index.php?showtopic=7602 some major confusion offered up in trying to use data provided by a look-up page ... in this case; http://www.senderbase.org/search?searchBy=...g=212.113.100.2

Drastically different numbers seen, one can only guess that perhaps there's a 'mirror' somewhere involved that isn't being updated/connected?

As seen, issue is described as (and confirmed by another user) ....

Very strange .....

http://www.senderbase.org/search?searchBy=...g=212.113.100.2

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day           4.1          16343%
Last 30 days       2.3            190%
Average            1.8

and yet from another browser instance;

http://www.senderbase.org/search?searchBy=...g=212.113.100.2

Volume Statistics for this IP

                 Magnitude   Vol Change vs. Average
Last day           0.0           -100%
Last 30 days       2.0            107%
Average            1.7

No amount of 'refreshing' seems to change the numbers .. yet noting that the 'huge increase' version does show different numbers involved from the previous capture (number going down .) .... I simply don't have a clue as to what this is all about ....
