Pulse001

209.248.146.34 blocked (not IP of mail server??)

This is not the IP of the mail server, but our mail is blocked, why?
209.248.146.34.nw.nuvox.net is indeed blocked and if that's not your outward server address that factoid could have nothing to do with your mail being blocked. Apart from nuvox.net (with at least another 682 IP addresses associated with sending messages) the names George Lay Signs, Inc. (network owner) and WICHITA NEPHROLOGY GROUP, PA seem to be associated with the address.

How are you determining your OUTWARDS mail server IP address? You got a non delivery notification quoting 209.248.146.34? That is usually an indication it is the address of the server handling your outwards mail. What happens when you enter your address in http://www.spamcop.net/bl.shtml the BL checker?

This is not the IP of the mail server, but our mail is blocked, why?

If it's not the IP address of 'your' e-mail server then why are you asking about it?

If 'your' e-mail is blocked, where is the requested data to indicate that, typically the rejection / error message from the receiving ISP that should include the IP address in question?

Did you look at the Why am I Blocked? FAQ / Pinned entry before Registering / Validating / Posting?

http://www.spamcop.net/w3m?action=checkblo...=209.248.146.34

209.248.146.34 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 23 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Listing History

In the past 18.8 days, it has been listed 5 times for a total of 15.5 days

http://www.senderbase.org/senderbase_queri...=209.248.146.34

Date of first message seen from this address 2007-05-26

Volume Statistics for this IP

              Magnitude   Vol Change vs. Last Month
Last day      4.6         140%
Last month    4.2

Based on the address used to Register here;

auth61.ns.uu.net reports the following MX records:

Preference   Host Name          IP Address
3            mail.pulseinc.com  63.77.20.11
33           mail.uu.net        199.171.54.245

These would be the incoming e-mail servers, but perhaps what you were thinking of as 'your' servers ????


209.248.146.35 is the address of the mail server (comes up clean)

209.248.146.34 is the address of the pix firewall

isp (nuvox) had some storm worm a week or so ago, so they were blocked in all directions

does this help any?

i did symantec virus scan on all workstations/servers

3 came up with something, and i cleaned those three (this was a week ago)

there is nothing coming up yesterday or today

so, basically, i need to consult with the isp again?

so, basically, i need to consult with the isp again?
I would say so - whatever is hitting the spamtraps is still doing it. Haven't a clue why the firewall is showing up but no doubt others here will have an explanation. Meantime, if you've cleaned everything you can find then some logs are needed to look for the leak - could be from someone sharing the address? - whatever - the very limited information the deputies *might* be prepared to release about spamtrap hits they would only do for the ISP. Maybe if there are some recent (non spamtrap) reports, if a reporter here has access and can look.

209.248.146.35 is the address of the mail server (comes up clean)

Assumedly your 'oncoming' server??

http://www.senderbase.org/senderbase_queri...=209.248.146.35

Volume Statistics for this IP

              Magnitude   Vol Change vs. Last Month
Last day      0.0         N/A
Last month    0.0

Nothing significant seen by SenderBase as far as 'outgoing'

209.248.146.34 is the address of the pix firewall

Why would a "firewall" be seen as an issue related to your outgoing e-mail being blocked?

07/25/07 13:59:46 Slow traceroute 209.248.146.34

Trace 209.248.146.34 ...

64.89.67.53 RTT: 76ms TTL:170 (se4-0-27c1.wlmgnc-wi-ca001.nw.nuvox.net ok)

64.89.67.168 RTT: 79ms TTL:170 (se2-0-2c0.lxtnky-qi-ma001.nw.nuvox.net ok)

64.19.40.178 RTT: 80ms TTL:170 (64.19.40.178.nw.nuvox.net ok)

209.248.146.34 RTT: 81ms TTL:240 (209.248.146.34.nw.nuvox.net ok)

telnet 209.248.146.34 25

220 ***************************************************0****0*******************

**2******200*********2**0*00

A very unusual 'greeting' string, but ... it would appear to be a server sitting there ... definitely not your normal 'firewall' type of response ....

so, basically, i need to consult with the isp again?

As stated previously, not only do you need to talk to them again .. asking about how your outgoing e-mail is actually routed .. but "we" are also asking for the signs / clues / rejection notices that you apparently received about being blocked by someone ...

If you haven't looked at any of the FAQ data here yet, then you may have not yet seen that SpamCop.net cannot block any of your e-mail. SpamCop.net does provide the SpamCopDNSBL, but also does not recommend using it in a 'blocking' fashion. It is the receiving ISP that has chosen to configure their system to reject your e-mail due to the SpamCopDNSBL listing .... but the main confusion factor seems to be that you do not know how your e-mail is actually being handled.


I believe those pix firewalls have an option where they can be used in a NAT mode to translate one public IP address to another public IP address. Kind of like IP mapping, but using 2 publics instead of mapping a public to a private. Not sure why you would configure one like this, but it appears that is what has been done. I would talk to whoever set up your network to find out why your mail server traffic is not going out on its own IP address.


Looks like an infected machine behind the firewall is part of a botnet spewing greeting card spam trying to infect other machines.

here is an example:

http://psbl.surriel.com/evidence?ip=209.24...=Check+evidence

You are getting into many blocklists, you can check them here:

http://www.moensted.dk/spam/

Merlyn:

The moensted.dk link is what revealed to me that the site was spamming in the first place, as the other list that checked "147 blacklists" had it coming up clean. Not until I checked the firewall IP did I notice any issues.

I saw that greeting card spam link, but I somehow can't catch it with symantec corporate virus scan with current definitions? What gives?

I guess I should be asking how do I catch the greeting card spam machine, then? It is not coming up on the virus scan, so I must need stronger scanning software? I've seen mailer-type virii picked up by symantec corporate in the past, so I was hoping that would be the case with this one, I guess I'm wrong?

This is how the network looks:

{ internet } ---> [firewall ...34] ---> [e-mail server]

the e-mail server is publicly .35, but it receives traffic through the firewall, that redirects to the server based on it coming in on 209.248.146.35, port 25, 80, etc.

Let me see if I can find a specific "storm worm" fix, then, maybe I have been looking at this all wrong.

<snip>

I saw that greeting card spam link, but I somehow can't catch it with symantec corporate virus scan with current definitions? What gives?

...Antivirus software only looks for viruses, not other malware that might send spam.
I guess I should be asking how do I catch the greeting card spam machine, then?

<snip>

...IIUC (I am not a server admin), if you have access to (or access to someone who has access to) the outgoing server firewall logs, that might help you determine which machine is originating the spam.


Just using an antivirus solution will not fix your problem.

You also need a few others:

Spybot Search & Destroy

AdAware

Believe it or not MS Windows Defender

And that is just a start


You might also apply the blunt hammer method. Configure your pix firewall to only allow outgoing connections to port 25 if they originate from the mail server. port 25 connections originating from other computers on the LAN side should be blocked. This of course will cause problems if you have someone using an external SMTP server, but in most cases, you shouldn't.

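As an added example (not code from anyone in this thread), here is a small Python script that puts the two suggestions above into practice: going through the firewall logs to find which inside machine is originating the outbound SMTP traffic, and checking connections against the "port 25 only from the mail server" egress rule. It assumes a simplified form of the Cisco PIX/ASA 302013 "Built outbound TCP connection" syslog line, a mail server at the made-up inside address 10.1.1.5, and constructed sample log lines using documentation address ranges rather than the thread's real ones.

```python
import re
from collections import Counter

# Assumed log format: a simplified version of the PIX/ASA syslog message
# 302013 ("Built outbound TCP connection"). The log lines below are
# constructed for this example; 203.0.113.34/.35 stand in for the
# firewall's and the mail server's public addresses.
PIX_BUILT = re.compile(
    r"Built outbound TCP connection \d+ for "
    r"outside:(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+) \S+ "
    r"to inside:(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+)"
)

SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.7/25 (198.51.100.7/25) to inside:10.1.1.5/40001 (203.0.113.35/40001)
%PIX-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.9/25 (198.51.100.9/25) to inside:10.1.1.77/1130 (203.0.113.34/1130)
%PIX-6-302013: Built outbound TCP connection 1003 for outside:198.51.100.10/25 (198.51.100.10/25) to inside:10.1.1.77/1131 (203.0.113.34/1131)
%PIX-6-302013: Built outbound TCP connection 1004 for outside:198.51.100.11/80 (198.51.100.11/80) to inside:10.1.1.20/2200 (203.0.113.34/2200)
%PIX-6-302013: Built outbound TCP connection 1005 for outside:198.51.100.12/25 (198.51.100.12/25) to inside:10.1.1.77/1132 (203.0.113.34/1132)
"""

MAIL_SERVER_INSIDE = "10.1.1.5"  # assumed private address of the mail server


def outbound_smtp_by_host(log_text):
    """Count outbound port-25 connections per inside (LAN) host."""
    counts = Counter()
    for line in log_text.splitlines():
        m = PIX_BUILT.search(line)
        if m and m.group("dport") == "25":
            counts[m.group("src")] += 1
    return counts


def find_smtp_leakers(log_text, mail_server=MAIL_SERVER_INSIDE):
    """Inside hosts other than the mail server that open outbound SMTP
    connections: the machines to go and look at for the spam source."""
    counts = outbound_smtp_by_host(log_text)
    return {host: n for host, n in counts.items() if host != mail_server}


def policy_permits(src_host, dst_port, mail_server=MAIL_SERVER_INSIDE):
    """The blunt-hammer egress rule: port 25 is allowed only from the mail server."""
    return dst_port != 25 or src_host == mail_server


if __name__ == "__main__":
    for host, n in sorted(find_smtp_leakers(SAMPLE_LOG).items()):
        print(f"{host}: {n} outbound SMTP connections not from the mail server")
```

On the constructed sample the script singles out 10.1.1.77, which opened three SMTP connections while being NATed out on the firewall's own address, matching the picture in the thread of a blocklisted firewall IP with a clean mail server IP.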
