Bentwing

[Resolved] delisting time changed on delist...


Why would the delist go from 4 hours at 11 am EST to 15 hours at 3 pm Eastern?

We should have been in the home stretch, and as a corporate and government attorneys' office for

66.147.47.237

ksm-law.com

Why do the MX records shoot back to newsouth.net (which is only the line carrier)?

Our MX records are hosted at register.com.

But mainly, why, when we should have been done in a short time as of now, were 15 more hours added when I go to the delist page?


Why would the delist go from 4 hours at 11 am EST to 15 hours at 3 pm Eastern?

Probably because a new report came in:

Submitted: Thursday, May 03, 2007 1:35:40 PM -0400:
Important Notification
2272168621 ( 66.147.47.237 ) To: spamcop[at]nuvox.net

The listing is based on when the message was actually sent, however, not on when the report was made.

We should have been in the home stretch, and as a corporate and government attorneys' office for

66.147.47.237

ksm-law.com

Why do the MX records shoot back to newsouth.net (which is only the line carrier)?

Our MX records are hosted at register.com.

ksm-law.com            MX preference = 5, mail exchanger = server47.appriver.com
ksm-law.com            MX preference = 0, mail exchanger = server46.appriver.com
server47.appriver.com  internet address = 69.20.60.123
server46.appriver.com  internet address = 69.20.60.123

If you are talking about the reports going to spamcop[at]nuvox.net, they go to the owner of the IP address. If you are talking about the quick delisting, if your IP had a reverse lookup pointing to your domain, the MX record found would have been yours. Please do not do that until you know you have fixed the problem (which it appears you have not, or the time would not have gone up).

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

What have you done to fix the problem where you are sending email to addresses that have never been used?

Can you explain the current email traffic leaving that IP address?

http://www.senderbase.org/search?searchBy=...g=66.147.47.237

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day           4.7          820%
Last 30 days       3.2          -69%
Average            3.7


This IP is in a few blocklists. Why is this mail server sending email to spamtraps all over the web?

Why would the delist go from 4 hours at 11 am EST to 15 hours at 3 pm Eastern?

Means that something more arrived where it wasn't wanted, resulting in the 'adjustment' of the math formula involved in listing/de-listing ...

http://spamcop.net/w3m?action=checkblock&a...p=66.147.47.237

66.147.47.237 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 14 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

This states that both spamtrap hits and actual people have received unwanted stuff from that IP address.

http://www.senderbase.org/search?searchBy=...g=66.147.47.237

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day           4.7          820%
Last 30 days       3.2          -69%
Average            3.7

If this is "your" output server, then you can explain this increase on outgoing flow with terms that would rule out spammer abuse, right?

--------------------------------------
Submitted: Thursday, May 03, 2007 12:35:40 PM -0500:
Important Notification
2272168621 ( 66.147.47.237 ) To: spamcop[at]nuvox.net
--------------------------------------
Submitted: Wednesday, May 02, 2007 12:49:21 PM -0500:
Important Notification
2271149722 ( 66.147.47.237 ) To: spamcop[at]nuvox.net
--------------------------------------

We should have been in the home stretch, and as a corporate and government attorneys' office for

66.147.47.237

ksm-law.com

Why do the MX records shoot back to newsouth.net (which is only the line carrier)?

Our MX records are hosted at register.com.

MX records deal with your 'incoming' e-mail .. this listing is due to 'outgoing' e-mail.

dns9.register.com reports the following MX records:

Preference  Host Name              IP Address
0           server46.appriver.com  69.20.60.123
5           server47.appriver.com  69.20.60.123

Pretty unique set-up you seem to have ...

web-site hosted in Register.com space.

incoming e-mail servers in Rackspace.com space.

outgoing e-mail servers in Newsouth.net space.

I'd suggest that you are a victim of using a shared e-mail server.

But mainly, why, when we should have been done in a short time as of now, were 15 more hours added when I go to the delist page?

As above, new reports, spamtrap hits reset the clock .. as "spam has not stopped"


As to the volume:

- one of the largest bankruptcy attorneys files through emails into the ECF system. This is done through emails.

As well, several corporate attorneys have been sending and receiving huge contracts for BellSouth/AT&T, as well as Sony Music, etc., etc.

AppRiver is handled by another company working with our email filters (Cybertek),

so our MX records are hosted by register.com (216.21.234.75), AppRiver is one of our outside filters handled by Cybertek, and NuVox/NewSouth is our line carrier.

http://www.dnsstuff.com/tools/lookup.ch?na...com&type=MX

So I see our MX records just fine.

I have been on the phone all afternoon with all of them, and they see us clean and fine.

AppRiver has had all our mail, incoming and outgoing, on hold for the last 18 hours. This was stated by both Cybertek (trentc[at]cybertek-eng.com, who has read this thread as well) and AppRiver.

As well, I have run on all local clients...

Ad-Aware, Spybot, AVG, Panda online scan, and HijackThis

and on the servers I ran AVG for Exchange, went to Microsoft as well, and Panda scan for servers.

Only one computer came back with a FunWebProducts, which Ad-Aware promptly removed.

Edited by Bentwing


Could there be an open relay outside of the ksm-law network that is being used?

The mail is coming from your server and a lot of it is being sent to "non people". It is being sent to email addresses that should never receive email.


Like I said... OUR SERVER IS NOT AND HASN'T sent mail in the last 18 hours.

AppRiver has held everything!

And that is any mail!

Alright, to help alleviate this situation I am running all scans again and will be shutting the network and servers down for the night, until 4:30 am EST.

At which time Cybertek will notify AppRiver to release all incoming and outgoing mail.

So if we are listed within this time frame, I know it is not our servers and network, no?

Thank you for your suggestions and responses!

Edited by Bentwing

As to the volume:

- one of the largest bankruptcy attorneys files through emails into the ECF system. This is done through emails.

As well, several corporate attorneys have been sending and receiving huge contracts for BellSouth/AT&T, as well as Sony Music, etc., etc.

Question/pointer dealt with the "last 24 hour" increase .. currently showing as:

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day           4.7          779%
Last 30 days       3.2          -69%
Average            3.7

down a bit from the last datapoint, but certainly not zero ....

per SenderBase's "Magnitude" Explained we're looking at a jump from 2,000 e-mails a day to something like 125,000 e-mails a day .... the amount of chargeable hours in that flow would be seen as a bit phenomenal ....

AppRiver is handled by another company working with our email filters (Cybertek),

appriver is your 'incoming' e-mail server ... not at issue here

and NuVox/NewSouth is our line carrier.

these are the folks involved with your 'outgoing' e-mail ... not addressed yet, other than my perceived facts .. this is not a server dedicated to 'only' your outgoing traffic ....

I have been on the phone all afternoon with all of them, and they see us clean and fine.

again, the concept of a 'shared' outgoing e-mail server doesn't seem to have been addressed. The problem may not be 'you' ... rather some other client using that same server for their outgoing .... or of course, that server itself ....

AppRiver has had all our mail, incoming and outgoing, on hold for the last 18 hours. This was stated by both Cybertek (trentc[at]cybertek-eng.com, who has read this thread as well) and AppRiver.

As well, I have run on all local clients...

not stated .... how your incoming e-mail servers interact with those out-going e-mail servers located elsewhere, under different ownership/management, etc.

Ad-Aware, Spybot, AVG, Panda online scan, and HijackThis

and on the servers I ran AVG for Exchange, went to Microsoft as well, and Panda scan for servers.

Only one computer came back with a FunWebProducts, which Ad-Aware promptly removed.

again, the issue may not be 'you' ... but unknown until someone gets around to qualifying the out-going server involved here. Who controls it, who is using it .....

While we're at it, the reminder that SpamCop.net cannot and does not "block your e-mail" has to be made ... It is the receiving ISP that has chosen to use the SpamCopDNSBL in a blocking fashion (not even recommended by SpamCop.net) that would be causing your e-mail traffic issues ....


Like I said... OUR SERVER IS NOT AND HASN'T sent mail in the last 18 hours.

AppRiver has held everything!

There is no need to yell. Please remain calm.

The spamcop reporters have received spam from that IP address in the last few hours. These messages would not be going through appriver but likely directly to the internet because a machine is compromised in some way. You are unlikely to find the problem through the email logs on the server (it is not using the official email software, but its own), but may find them if you have logging enabled on any firewall on the connection. Look for port 25 connections from any machine, which should show you if it is a client hidden behind the same IP address causing the problem rather than the server itself.

BTW, according to the FAQ your magnitude of 4.7 seen by senderbase is between:

Magnitude 4 = 13.4 Thousand Estimated Daily Email Volume

Magnitude 5 = 134 Thousand Estimated Daily Email Volume

So senderbase has seen about 100,000 email messages. Are the lawyers you are talking about sending that many messages?

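The firewall-log check suggested in the reply above, as an added example (not code from the original post): it counts outbound TCP/25 connections per internal source address and flags any host other than the mail server that is opening SMTP sessions to several remote hosts, the direct-to-MX pattern of a compromised client hiding behind the same public IP. The netfilter-style log format, the 192.168.1.x addresses and the mail server's LAN address are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of outbound firewall/NAT log lines (assumed netfilter-style
# format; not taken from any real device). 192.168.1.10 is the assumed Exchange
# server; 192.168.1.57 is a desktop that is also talking to remote port 25.
SAMPLE_FIREWALL_LOG = """\
May  3 19:01:02 fw kernel: ACCEPT IN=lan OUT=wan SRC=192.168.1.10 DST=69.20.60.123 PROTO=TCP SPT=51234 DPT=25
May  3 19:01:05 fw kernel: ACCEPT IN=lan OUT=wan SRC=192.168.1.57 DST=203.0.113.7 PROTO=TCP SPT=1045 DPT=25
May  3 19:01:05 fw kernel: ACCEPT IN=lan OUT=wan SRC=192.168.1.57 DST=203.0.113.9 PROTO=TCP SPT=1046 DPT=25
May  3 19:01:06 fw kernel: ACCEPT IN=lan OUT=wan SRC=192.168.1.57 DST=198.51.100.21 PROTO=TCP SPT=1047 DPT=25
May  3 19:01:07 fw kernel: ACCEPT IN=lan OUT=wan SRC=192.168.1.57 DST=198.51.100.80 PROTO=TCP SPT=1048 DPT=80
May  3 19:01:08 fw kernel: ACCEPT IN=lan OUT=wan SRC=192.168.1.23 DST=198.51.100.80 PROTO=TCP SPT=2200 DPT=443
May  3 19:01:09 fw kernel: ACCEPT IN=wan OUT=lan SRC=203.0.113.50 DST=192.168.1.10 PROTO=TCP SPT=40000 DPT=25
"""

CONN_RE = re.compile(
    r"IN=(?P<in>\S+) OUT=(?P<out>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+)"
)


def outbound_smtp_connections(log_text, wan_if="wan"):
    """Per internal source address: how many outbound TCP/25 connections it
    opened and which distinct remote hosts it contacted.

    Inbound deliveries to the server's own port 25 have OUT=<lan interface>
    and are ignored; only traffic leaving through the WAN interface counts.
    """
    counts = Counter()
    remotes = defaultdict(set)
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m or m["out"] != wan_if or m["dport"] != "25":
            continue
        counts[m["src"]] += 1
        remotes[m["src"]].add(m["dst"])
    return counts, remotes


def rogue_smtp_senders(log_text, mail_server, min_remotes=2):
    """Internal hosts other than the mail server that deliver mail themselves.

    A legitimate client hands mail to the local server (or a provider on a
    submission port); a host talking to several different remote port-25
    listeners is behaving like a spam engine doing direct-to-MX delivery.
    """
    counts, remotes = outbound_smtp_connections(log_text)
    return {
        src: {"connections": counts[src], "remote_hosts": sorted(remotes[src])}
        for src in counts
        if src != mail_server and len(remotes[src]) >= min_remotes
    }


if __name__ == "__main__":
    for host, info in rogue_smtp_senders(SAMPLE_FIREWALL_LOG, "192.168.1.10").items():
        print(host, info["connections"], "outbound SMTP connections to", info["remote_hosts"])
```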
So senderbase has seen about 100,000 email messages. Are the lawyers you are talking about sending that many messages?

in the last 24 hours .... thus my remark about 'chargeable hours' .....

In the old days, they could charge those immense hourly rates based on the overhead/staff needed to manually look up, review, capsulize that research, hand-type all the paperwork, review, error-correct, re-type all that paperwork .... nowadays, research done via on-line databases, forms available on disk only needing a few 'blanks' filled in, a few paragraphs tailored here and there .... but the rates charged remain 'up there' <g> .... the suggestion in this case being just how that same crew of lawyers had enough 'free time' to generate this many new e-mails .... with most charging 'hourly rates', a few I've run across would charge in half-hour increments, only one that I recall using quarter-hour increments .... in excess of 125,000 outgoing e-mails on a single day seems like a lot of 'hours' involved <g>

BTW: at the time of this posting:

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day           4.7          769%
Last 30 days       3.2          -69%
Average            3.7


Like I said... OUR SERVER IS NOT AND HASN'T sent mail in the last 18 hours.

AppRiver has held everything!

And that is any mail!

Probably any mail that goes through the following services:

SMTP - 25   220 KSMLAWEX.ksm-law.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Thu, 3 May 2007 19:28:38 -0400
POP3 - 110  +OK Microsoft Exchange Server 2003 POP3 server version 6.5.7638.1 (KSMLAWEX.ksm-law.com) ready.

But it hasn't stopped the "phishes" that have been coming from this server. Sorry to say it but this server has been compromised. ;)

Edited by Merlyn


OK, register.com claims to be of no help.

NuVox/NewSouth says they have nothing to do with it.

However, being that all desktops were scanned and shut down, along with the servers, and kept that way for the entire night..

I noticed that SenderBase volume actually went up from 4.7 to 4.9 throughout the night..

And all mail has been held since Wednesday by AppRiver.

I am at a loss of knowledge here....

Currently sifting through log files, checking ports....


However, being that all desktops were scanned and shut down, along with the servers, and kept that way for the entire night..

I noticed that SenderBase volume actually went up from 4.7 to 4.9 throughout the night..

And all mail has been held since Wednesday by AppRiver.

I am at a loss of knowledge here....

Volume Statistics for this IP

                Magnitude   Vol Change vs. Average
Last day           4.9         1351%
Last 30 days       3.6          -29%
Average            3.7

Though you have now been delisted from spamcop. That listing will likely return quickly if any further reports are received because your "number" is likely just below the listing level.

I just noticed you are posting from that same IP address, meaning that every machine behind your firewall is using the same IP address. Do you have any firewall logs you can check out? Perhaps your firewall is compromised? Something on a DMZ if you have one? Can you power off your internet connection overnight as a test?

It may be time to hire a professional to figure out what is happening. Messages appear to continue to be sent in high numbers from that IP address. Much further help here will require a more thorough understanding of your environment, more than you may want to post in public.

Also, remember that all scanners only work for the threats they know about.


I am going for the unplug tonight. But I must wait for business hours to close. And more Excedrin.

I will not bother you with log files that are under way from researching.

But as stated above, I have a rather unique system to crawl through for several hours to find our hitchhiker.

I did notice in the header packet of one of the violation letters a unique user number, as in:

Received: from User ([62.142.88.3]) by KSMLAWEX.ksm-law.com

This same setup has been sending from other sources as well... as in:

Received: from User (unknown [62.142.88.3])
  by mail.timeact.co.uk (Postfix) with ESMTP id 94227489D1A;

and

http://nety.cec.eu.int/youth-white-paper-o...nternetHeader=1

All are PayPal phishing emails.

... again thank you guys for pointers and direction.


That IP address is spewing the same types of spam:


Another one at:

http://diswww.mit.edu/bloom-picayune/cfs/15991

With the following:

Received: from User ([207.59.123.82]) by KSMLAWEX.ksm-law.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 2 May 2007 09:26:58 -0400

There are 2 similar spamcop reports on that IP address as well:

Submitted: Thursday, May 03, 2007 5:39:15 PM -0400:
Important Notification
2272345768 ( 207.59.123.82 ) To: mole[at]devnull.spamcop.net
--------------------------------------
Submitted: Thursday, May 03, 2007 4:05:05 AM -0400:
Important Notification
2271684112 ( http://cytokine.ru/modules/Update/update.php ) To: abuse[at]masterhost.ru
2271684110 ( 207.59.123.82 ) To: abuse#uslec.com[at]devnull.spamcop.net


Something odd going on here, let's look at the headers.

Received: (qmail 3633 invoked from network); 2 May 2007 13:22:08 -0000
Received: from nsc66.147.47-237.newsouth.net (HELO KSMLAWEX.ksm-law.com) (66.147.47.237)
  by charon.mit.edu with SMTP; 2 May 2007 13:22:08 -0000
Received: from User ([207.59.123.82]) by KSMLAWEX.ksm-law.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 2 May 2007 09:26:58 -0400

Specifically, the second one where it is received from KSMLAWEX.ksm-law.com. That line tells us that the message must have gone through the exchange server itself, rather than a trojan using its own SMTP engine. We can tell this by the HELO KSMLAWEX.ksm-law.com. If the message had been sent direct to MX by a trojan, there is no way it could have known the KSMLAWEX name, as there is no RDNS on that IP address. I would check your Exchange server itself to see if it is the victim of an SMTP auth attack. If you have it configured to allow SMTP relaying, make sure that it requires authentication, and that any authorized users have strong passwords.

Edit: I tried bouncing a message off your server using telnet, and it refused to relay to outside email addresses, which is good; it means you're not set up as an open relay, but that makes the likelihood of an SMTP AUTH hack much higher.

Edited by Telarin

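Telarin's header reasoning above, as an added example (not code from the original post): parse the Received chain newest-hop-first and check whether the message was accepted by the internal Exchange server from an outside address (so relay settings or SMTP AUTH accounts need checking) or was handed straight to the recipient's MX by some other host behind the same IP. The sample chain is the one quoted in the post; the three Received shapes recognised and the server name passed in are assumptions.

```python
import ipaddress
import re

# Received chain copied from the headers quoted in this thread (as seen by
# charon.mit.edu). Newest hop first, as in any mail header.
SAMPLE_RECEIVED = """\
Received: (qmail 3633 invoked from network); 2 May 2007 13:22:08 -0000
Received: from nsc66.147.47-237.newsouth.net (HELO KSMLAWEX.ksm-law.com) (66.147.47.237)
  by charon.mit.edu with SMTP; 2 May 2007 13:22:08 -0000
Received: from User ([207.59.123.82]) by KSMLAWEX.ksm-law.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 2 May 2007 09:26:58 -0400
"""

# Three common "from ... by ..." shapes (assumed; Received syntax is only
# loosely standardised, so unrecognised hops are skipped rather than guessed).
HOP_PATTERNS = [
    # qmail:       from <rdns> (HELO <helo>) (<ip>) by <host>
    re.compile(r"from (?P<rdns>\S+) \(HELO (?P<helo>\S+)\)\s+\((?P<ip>\d[\d.]*)\)\s+by (?P<by>\S+)"),
    # sendmail:    from <helo> (<rdns> [<ip>]) by <host>
    re.compile(r"from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>\d[\d.]*)\]\)\s+by (?P<by>\S+)"),
    # MS SMTPSVC:  from <helo> ([<ip>]) by <host>
    re.compile(r"from (?P<helo>\S+) \(\[(?P<ip>\d[\d.]*)\]\)\s+by (?P<by>\S+)"),
]


def unfold_headers(raw):
    """Join folded continuation lines (leading whitespace) onto the previous line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def parse_received(raw):
    """One dict per parseable Received hop: helo, ip, rdns (None if absent), by."""
    hops = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        for pat in HOP_PATTERNS:
            m = pat.search(line)
            if m:
                d = m.groupdict()
                hops.append({"helo": d["helo"], "ip": d["ip"], "rdns": d.get("rdns"), "by": d["by"]})
                break
    return hops


def assess_relay_path(raw, internal_server):
    """Did the message pass through internal_server, or go direct-to-MX?

    A hop *accepted by* the server from a non-private address means the server
    relayed it (open relay or abused SMTP AUTH account). A HELO equal to the
    server's own name at the outside MX means the server itself spoke to the MX:
    a trojan with its own SMTP engine could not know that name without rDNS.
    """
    server = internal_server.lower()
    result = {"helo_matches_server": False, "relayed_through_server": False,
              "external_submitter": None, "submitter_helo": None}
    for hop in parse_received(raw):
        if hop["by"].lower() != server and hop["helo"].lower() == server:
            result["helo_matches_server"] = True
        if hop["by"].lower() == server and not ipaddress.ip_address(hop["ip"]).is_private:
            result["relayed_through_server"] = True
            result["external_submitter"] = hop["ip"]
            result["submitter_helo"] = hop["helo"]
    if result["relayed_through_server"]:
        result["verdict"] = ("%s accepted the message from outside address %s (HELO %r): "
                             "review relay restrictions and SMTP AUTH accounts"
                             % (internal_server, result["external_submitter"], result["submitter_helo"]))
    elif result["helo_matches_server"]:
        result["verdict"] = "%s originated the message itself; no outside submitter seen" % internal_server
    else:
        result["verdict"] = "no hop through %s: look for another host behind the same public IP" % internal_server
    return result
```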

We are able to send mail as of today; AppRiver sees it going through them as well.

However, AppRiver stated that when they went to release the mail to us they received an "out of memory error" from the Exchange server. I have since cleared memory and gone over the registry, and yes, I believe the server has been compromised, yet how can the mail still be sent in such volumes when the servers were offline last night? Would this lead to the router being used as the relay?

Received: from KSMLAWEX.ksm-law.com (nsc66.147.47.237.newsouth.net [66.147.47.237])
  by ns2.bizsystems.net with ESMTP id l42FSkFN027403
  for <michael[at]bizsystems.com>; Wed, 02 May 2007 08:28:48 -0700 (PDT)
Received: from User ([62.142.88.3]) by KSMLAWEX.ksm-law.com with
  Microsoft SMTPSVC(6.0.3790.3959);
  Wed, 2 May 2007 11:33:42 -0400

This is the one that caused our first listing; why the different headers?

From service[at]paypal.com Sun Apr 29 21:22:04 2007
Return-Path: <service[at]paypal.com>
Delivered-To: munch-mtg[at]charon.mit.edu
Received: (qmail 19478 invoked from network); 29 Apr 2007 21:22:04 -0000
Received: from unknown (HELO ahnhancpas.com) (207.148.216.94)
  by charon.mit.edu with SMTP; 29 Apr 2007 21:22:04 -0000
Received: from quimby.hornok.com ([68.60.174.38]) by ahnhancpas.com with Microsoft SMTPSVC(6.0.3790.1830);
  Sun, 29 Apr 2007 17:20:15 -0400
Received: from User ([207.59.123.82]) by quimby.hornok.com with Microsoft SMTPSVC(6.0.3790.1830);
  Sun, 29 Apr 2007 17:07:12 -0400

Though this one with the HELO is the same as our ksm-law header, even with the same made-up User IP.

FYI

All mail from KSM is on a manual hold. All attorneys are using alternate emails (backup system; yes, I do have opposable thumbs still).

Currently scanning with (and stretching it, this being a server) some scans..

current AVG server/Exchange edition nonstop

Spybot

HijackThis

Ewido

Trend

BitDefender

also CCleaner

Windows Live Care

and a couple of others.


Though this one with the HELO is the same as our ksm-law header, even with the same made-up User IP.

It may not be a made-up User IP. Your server may be compromised to the point where someone now has a valid account and is "legally" relaying through your machine, i.e. an SMTP AUTH hack.


It may not be a made-up User IP. Your server may be compromised to the point where someone now has a valid account and is "legally" relaying through your machine, i.e. an SMTP AUTH hack.

As we are able to see a complete example of the phish, it looks more like a compromised machine than an AUTH hack, but I have been wrong before :rolleyes:


Looks like

                Magnitude   Vol Change vs. Average
Last day           4.9         1159%
Last 30 days       3.8            1%

that IP is still spewing phishes. This machine/firewall/whatever should be shut down and everything disconnected from the web until the problem is found. This is getting out of hand. :blink:


Yes it did... indeed.

Got to love the firm partners that think they are tech savvy.

A Eudora and Thunderbird account and Mindspring account (personal) was infected. A laptop and IRC bots. All one man...

I know this poor guy is going to get a letter from the local cable host... Ethereal, netstat, ZoneAlarm, oh my, hear the bells ring.

Thank you guys for your pointers and knowledge.

Can you as well point me to something along the lines of "spam" 101 and/or the idiot's guide to mail for these attorneys?

