Jump to content
Sign in to follow this  
Nickolay

195.239.28.26 and 62.152.87.202 blocked

Recommended Posts

Hello!

Last month, my ip-addresses blocked by spamcop several times, but no spammers here.

It's because spammers send us email with wrong recipient addresses, and set Return-Path to spamcop traps.

I did hard work to change my network infrastructure of e-mail servers, add possibility to external MTA for checking local users on my internal MTA servers before receiving emails, and now, all attempts for sending emails on wrong recipients are fails on RCPT TO command, and no bounce message.

But now I wonder, because my ip-addresses are still blocked from morning, with "it will be delisted automatically in a short time".

What does this mean? Spamcop bug?

Thanks.

Share this post


Link to post
Share on other sites

SpamCop FAQ links at the top of the page

Jump/scroll down to the Blocking List section

SpamCop Blocking List Service

How do I configure my mailserver to reject mail based on the blocklist?

What is on the list?

How can I be de-listed

One-time automatic BL De-listing

How much does it cost?

Is it possible to download the entire blocklist?

How can I check if an IP is on the list?

If my IP is listed, does it mean I am a spammer or my ISP hosts spammers?

Why can't I get to the blocking list from ATT's network?

NEW! SCBL "will be delisted in 0 hours" (now shown as 'in a short time') explained

Also note, the DNS error still exists;

DNS error: 195.239.28.26 is ns.protei.ru but ns.protei.ru is 62.152.87.202 instead of 195.239.28.26

Share this post


Link to post
Share on other sites

Also note, the DNS error still exists;

It's a reason for blocking too?

"it will be delisted automatically in a short time" and be blocked during ~12 hours is really confused!

Share this post


Link to post
Share on other sites

Last month, my ip-addresses blocked by spamcop several times, but no spammers here.

It's because spammers send us email with wrong recipient addresses, and set Return-Path to spamcop traps.

Looks like there is spam coming from your network. Though delayed NDRs may be hitting spam traps, there is no indication that users have reported NDRs.

62.152.87.202:

Submitted: Fri, 08 Dec 2006 15:46:11 GMT:
Microsoft Office 2007 Enterprise ready to download

    * 2054681757 ( 62.152.87.202 ) To: mole[at]devnull.spamcop.net 

Submitted: Tue, 28 Nov 2006 15:35:30 GMT:
Looking for a cheap high-quality software?

    * 2039339276 ( 62.152.87.202 ) To: support#lanck.net[at]devnull.spamcop.net
    * 2039339254 ( 62.152.87.202 ) To: abuse[at]lanck.net 

Submitted: Tue, 28 Nov 2006 14:38:26 GMT:
Software from well-known companies!

    * 2039222373 ( 62.152.87.202 ) To: support#lanck.net[at]devnull.spamcop.net
    * 2039222299 ( 62.152.87.202 ) To: abuse[at]lanck.net 

Submitted: Tue, 28 Nov 2006 14:38:26 GMT:
Software from well-known companies!

    * 2039222527 ( 62.152.87.202 ) To: support#lanck.net[at]devnull.spamcop.net
    * 2039222482 ( 62.152.87.202 ) To: abuse[at]lanck.net 

Submitted: Tue, 28 Nov 2006 14:38:26 GMT:
Software from well-known companies!

    * 2039222676 ( 62.152.87.202 ) To: support#lanck.net[at]devnull.spamcop.net
    * 2039222640 ( 62.152.87.202 ) To: abuse[at]lanck.net 

Submitted: Tue, 28 Nov 2006 11:16:24 GMT:
Save up to $500 on OEM software supersales!

    * 2038943777 ( 62.152.87.202 ) To: spamcop[at]imaphost.com
    * 2038943759 ( 62.152.87.202 ) To: support#lanck.net[at]devnull.spamcop.net
    * 2038943729 ( 62.152.87.202 ) To: abuse[at]lanck.net 

Submitted: Thu, 09 Nov 2006 08:44:51 GMT:
Undelivered Mail Returned to Sender

    * 2008807524 ( 62.152.87.202 ) To: support#lanck.net[at]devnull.spamcop.net
    * 2008807521 ( 62.152.87.202 ) To: abuse[at]lanck.net 

195.239.28.26:

Submitted: Tue, 05 Dec 2006 16:59:40 GMT:
Must Have Pharmacy we recommend: Christmas discounts.

    * 2049904338 ( 195.239.28.26 ) To: spamcop[at]imaphost.com
    * 2049904303 ( 195.239.28.26 ) To: postmaster#superweb.ru[at]devnull.spamcop.net 

Submitted: Tue, 05 Dec 2006 11:11:39 GMT:
Must Have Pharmacy at your service: Christmas discounts.

    * 2049545224 ( 195.239.28.26 ) To: spamcop[at]imaphost.com
    * 2049545221 ( 195.239.28.26 ) To: postmaster#superweb.ru[at]devnull.spamcop.net 

Submitted: Tue, 28 Nov 2006 14:38:23 GMT:
Software at incredibly low price!

    * 2039224774 ( 195.239.28.26 ) To: postmaster#superweb.ru[at]devnull.spamcop.net 

Submitted: Tue, 28 Nov 2006 14:11:43 GMT:
Software from well-known companies!

    * 2039172717 ( [url="http://8mehdhv9w1e9u983vqq3dqq8.uagahl.cd/"]http://8mehdhv9w1e9u983vqq3dqq8.uagahl.cd/[/url] ) To: cnc-abuse[at]abuse.sprint.net
    * 2039172652 ( [url="http://8mehdhv9w1e9u983vqq3dqq8.uagahl.cd/"]http://8mehdhv9w1e9u983vqq3dqq8.uagahl.cd/[/url] ) To: abuse[at]cnc-noc.net
    * 2039172547 ( [url="http://8mehdhv9w1e9u983vqq3dqq8.uagahl.cd/"]http://8mehdhv9w1e9u983vqq3dqq8.uagahl.cd/[/url] ) To: postmaster[at]china-netcom.com
    * 2039172452 ( 195.239.28.26 ) To: spamcop[at]imaphost.com
    * 2039172377 ( 195.239.28.26 ) To: postmaster#superweb.ru[at]devnull.spamcop.net 

By the way, support at lanck.net and postmaster at superweb.ru are rejecting mail. This is why the reports are going to devnull.spamcop.net, the system has detected the rejections and stopped sending further reports.

Edited by GraemeL

Share this post


Link to post
Share on other sites
Looks like there is spam coming from your network. Though delayed NDRs may be hitting spam traps, there is no indication that users have reported NDRs.

Sorry, I don't understand. What users you talked about?

By the way, support at lanck.net and postmaster at superweb.ru are rejecting mail. This is why the reports are going to devnull.spamcop.net, the system has detected the rejections and stopped sending further reports.

What reports? Why lanck.net and postmaster at superweb.ru receives my reports?

I am administrator of ip-addresses 195.239.28.26 and 62.152.87.202, not lanck.net and postmaster at superweb.ru.

Share this post


Link to post
Share on other sites

Nickolai, you have to get in touch with the staff at spamcop, here we are volunteers so we cannot fix the problem. Clearly you still have a problem with spam not just spamtrap hits but what looks like a (many) hijacked/ compromized machines.

Share this post


Link to post
Share on other sites

Nickolai, you have to get in touch with the staff at spamcop, here we are volunteers so we cannot fix the problem. Clearly you still have a problem with spam not just spamtrap hits but what looks like a (many) hijacked/ compromized machines.

Thank you for your answer!

Can you explain me more please?

How I can check, that problem not with spamtaps?

Thanks!

Share this post


Link to post
Share on other sites
What reports? Why lanck.net and postmaster at superweb.ru receives my reports?

I am administrator of ip-addresses 195.239.28.26 and 62.152.87.202, not lanck.net and postmaster at superweb.ru.

http://www.spamcop.net/sc?track=62.152.87.202

Parsing input: 62.152.87.202

host 62.152.87.202 = mail2.protei.ru (cached)

host 62.152.87.202 = mail2.protei.ru (cached)

Routing details for 62.152.87.202

[refresh/show] Cached whois for 62.152.87.202 : abuse[at]lanck.net

Using abuse net on abuse[at]lanck.net

abuse net lanck.net = sergey[at]lanck.net, abuse[at]lanck.net, support[at]lanck.net

Using best contacts sergey[at]lanck.net abuse[at]lanck.net support[at]lanck.net

sergey[at]lanck.net redirects to lanck.net[at]abuse.net

De-referencing sergey[at]lanck.net

abuse net lanck.net = sergey[at]lanck.net, abuse[at]lanck.net, support[at]lanck.net

support[at]lanck.net bounces (7 sent : 6 bounces)

Using support#lanck.net[at]devnull.spamcop.net for statistical tracking.

sergey[at]lanck.net redirects to lanck.net[at]abuse.net

De-referencing sergey[at]lanck.net

abuse net lanck.net = sergey[at]lanck.net, abuse[at]lanck.net, support[at]lanck.net

support[at]lanck.net bounces (7 sent : 6 bounces)

Using support#lanck.net[at]devnull.spamcop.net for statistical tracking.

support[at]lanck.net bounces (7 sent : 6 bounces)

sergey[at]lanck.net redirects to lanck.net[at]abuse.net

12/08/06 14:22:41 Slow traceroute 62.152.87.202

Trace 62.152.87.202 ...

81.222.0.85 RTT: 184ms TTL: 64 (so-0-0-0.RT033-001.spb.retn.net bogus rDNS: host not found [authoritative])

81.222.1.14 RTT: 176ms TTL: 64 (GE-Lanck.retn.net bogus rDNS: host not found [authoritative])

62.152.64.30 RTT: 177ms TTL: 64 (gw-30.lanck.net ok)

62.152.87.202 RTT: 176ms TTL: 49 (mail2.lanck.net ok)

whois -h whois.ripe.net 62.152.87.202 ...

inetnum: 62.152.87.0 - 62.152.87.255

netname: LANCK-ISP

descr: Saint-Petersburg, Russia

descr: LANCK Telecom's Leased Lines Pool.

country: RU

admin-c: LTr1-RIPE

tech-c: LTr1-RIPE

status: ASSIGNED PA

mnt-by: LANCK-MNT

source: RIPE # Filtered

role: LANCK Telecom role

address: LANCK Telecom, Ltd.

address: Bolshoy Sampsonievsky pr., 60 Litera A

address: 194044, St.Petersburg,

address: Russia

phone: +7 812 325 8888

fax-no: +7 812 325 8888

remarks: ---------------------------------------------------

remarks: ***************************************************

remarks: ********* spam, Viruses: abuse[at]lanck.net *********

remarks: ****** WWW Site: http://spb.lancktelecom.ru/ ******

remarks: ***************************************************

remarks: ---------------------------------------------------

abuse-mailbox: abuse[at]lanck.net

http://www.spamcop.net/sc?track=195.239.28.26

Parsing input: 195.239.28.26

host 195.239.28.26 = ns.protei.ru (cached)

host 195.239.28.26 = ns.protei.ru (cached)

Routing details for 195.239.28.26

[refresh/show] Cached whois for 195.239.28.26 : admin[at]superweb.ru

Using abuse net on admin[at]superweb.ru

No abuse net record for superweb.ru

Using default postmaster contacts postmaster[at]superweb.ru

postmaster[at]superweb.ru bounces (55 sent : 28 bounces)

Using postmaster#superweb.ru[at]devnull.spamcop.net for statistical tracking.

12/08/06 14:24:28 Slow traceroute 195.239.28.26

Trace 195.239.28.26 ...

195.239.13.101 RTT: 173ms TTL: 64 (cisco02.Moscow.gldn.net fraudulent rDNS)

194.186.159.230 RTT: 178ms TTL: 64 (cisco0.Spb.gldn.net fraudulent rDNS)

212.44.131.190 RTT: 177ms TTL: 64 (No rDNS)

213.221.61.210 RTT: 174ms TTL: 64 (210.spb.sovintel.ru bogus rDNS: host not found [authoritative])

194.67.62.142 RTT: 183ms TTL: 64 (texnokom-gw.Spb.gldn.net ok)

195.239.28.26 RTT: 182ms TTL: 50 (ns.protei.ru ok)

whois -h whois.ripe.net 195.239.28.26 ...

inetnum: 195.239.28.0 - 195.239.28.255

netname: TECHNOCOM-SPB

descr: Technocom Internet Service Provider

descr: Saint-Petersburg, Gelsingforsskaya-4/1

country: RU

admin-c: MII2-RIPE

tech-c: MII2-RIPE

status: ASSIGNED PA

mnt-by: AS3216-MNT

source: RIPE # Filtered

person: Maksim I Ivanov

address: RUSSIAN FEDERATION

address: Saint-Petersburg

address: 194044 Gelsingforsskaya st. 4/1 offfice 46

e-mail: admin[at]superweb.ru

phone: +7 812 591 63 28

fax-no: +7 812 327 11 82

nic-hdl: MII2-RIPE

source: RIPE # Filtered

Listing/de-listing is based on the results of a bit of math. What appears to be happening is hat your systems are sill sending e-mail that is hitting spamtraps/getting reported, such that the math results are right on the cusp of listing/de-listing .... so the easy answer seems to be to make the statement that the problems still are not fixed.

Share this post


Link to post
Share on other sites

Hi, Nickolay!

Also note, the DNS error still exists;
It's a reason for blocking too?
...Not a reason for SpamCop to put an IP address on its blacklist.
"it will be delisted automatically in a short time" and be blocked during ~12 hours is really confused!
...Wazoo already pointed you to the answer 51954[/snapback].

Share this post


Link to post
Share on other sites
Looks like there is spam coming from your network. Though delayed NDRs may be hitting spam traps, there is no indication that users have reported NDRs.
Sorry, I don't understand. What users you talked about?

<snip>

...The users to whom GraemL refers are SpamCop reporting users -- those of us who have signed up with SpamCop to use its Parsing & Reporting Service.

Share this post


Link to post
Share on other sites

Sorry, I don't understand. What users you talked about?

What reports? Why lanck.net and postmaster at superweb.ru receives my reports?

I am administrator of ip-addresses 195.239.28.26 and 62.152.87.202, not lanck.net and postmaster at superweb.ru.

Those are the addresses that are listed for abuse. You should talk to them about the reports. They seem to be your internet providers. If the reports are going just to spam traps, there won't be any reports. (spam traps do not send email)

You can sign up as a third party recipient of reports. However, many people uncheck those boxes because many spammers sign up. Because spammers try to sign up, it is not easy to become a third party.

If you have worked hard to stop all auto-responses (NDRs and also out of office replies), then if it will delist in a short time, perhaps you have fixed the problem. You also need to look at all your logs to see if there is a computer sending spam without your knowledge. Sometimes the infected computers are found by looking at firewall logs.

The DNS error won't get you listed by spamcop, but it may cause blocking by other people, if I understand correctly. It is worth fixing.

Miss Betsy

Share this post


Link to post
Share on other sites

http://spamcop.net/w3m?action=checkblock&a...p=62.152.87.202

62.152.87.202 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in a short time.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

http://spamcop.net/w3m?action=checkblock&a...p=195.239.28.26

195.239.28.26 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in a short time.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Again, appearances are that the spamtrap hits have not stopped yet, but not arriving in a quantity needed to reset the counter/timer to a number other than 'ready to be de-listed' ....

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×