El_Marqué Posted January 10, 2008

Hello. I know we've been listed since almost last Saturday; I think it is for some trojans I've found in my net. We all share this IP, 80.58.232.129, so no one can use email. I've been reading a lot of things about how to be listed and unlisted. But maybe you can help me by giving me some new information; the only information I have is that the IP is blocked. How can I find the PC that is sending the spam? Is there any other way than running an antivirus again and again? Maybe I must continue reading; please, tell me the links. Thanks a lot.

Sorry, I forgot this information:

Causes of listing
- System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
- SpamCop users have reported system as a source of spam less than 10 times in the past week

Telarin Posted January 10, 2008

The first thing to do is configure your firewall so that only your actual mail server can send data out on port 25. This is a pretty easy thing to do on most firewalls and will prevent computers that aren't supposed to be directly sending email from doing so. You may also want to check your mail server logs to make sure that none of the messages are actually being sent through that computer.
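
Added example, not part of Telarin's post or of the thread: once the firewall logs new outbound connections, the infected PC can be found by listing every internal host other than the mail server that tries to reach TCP port 25. The mail server address, the internal addresses and the netfilter-style log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumption (not from the thread): the one host allowed to send on port 25.
MAIL_SERVER = "192.168.1.10"

# Constructed sample: netfilter-style LOG lines for new outbound connections.
SAMPLE_LOG = """\
Jan 10 09:00:01 gw kernel: OUT-SYN IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP SPT=40112 DPT=25 SYN
Jan 10 09:00:02 gw kernel: OUT-SYN IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1045 DPT=25 SYN
Jan 10 09:00:02 gw kernel: OUT-SYN IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=1046 DPT=25 SYN
Jan 10 09:00:03 gw kernel: OUT-SYN IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.44 PROTO=TCP SPT=1047 DPT=25 SYN
Jan 10 09:00:03 gw kernel: OUT-SYN IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.7 PROTO=TCP SPT=3310 DPT=25 SYN
Jan 10 09:00:04 gw kernel: OUT-SYN IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.80 PROTO=TCP SPT=1048 DPT=443 SYN
Jan 10 09:00:05 gw kernel: OUT-SYN IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1049 DPT=25 SYN
Jan 10 09:00:06 gw kernel: OUT-SYN IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=40113 DPT=25 SYN
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def rogue_smtp_senders(log_text, mail_server=MAIL_SERVER):
    """Return [(host, attempts, distinct_destinations)] for internal hosts
    other than the mail server that opened connections to TCP port 25."""
    dests = defaultdict(list)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP" or f.get("DPT") != "25":
            continue
        src = f.get("SRC")
        if src and src != mail_server:
            dests[src].append(f.get("DST"))
    rows = [(h, len(d), len(set(d))) for h, d in dests.items()]
    # Busiest host first; a spam bot usually shows many distinct destinations.
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for host, attempts, distinct in rogue_smtp_senders(SAMPLE_LOG):
        print(f"{host}: {attempts} attempts to {distinct} mail hosts")
```

Any host this reports is either a misconfigured mail client or a machine that needs to be taken off the network and cleaned.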

StevenUnderwood Posted January 10, 2008

One other useful source of information: http://www.senderbase.org/senderbase_queri...g=80.58.232.129

This shows that IP is currently sending ~16000 (10^4.2) messages per day. If that does not sound correct, you definitely have an issue.

You can try to contact deputies[at]spamcop.net and ask them to look at the spamtrap messages. They may provide you with some information about what is going on.

P.S. The senderbase number is still rising... currently at 4.3 = approx 20000 messages.

Farelf Posted January 11, 2008

> ...SpamCop users have reported system as a source of spam less than 10 times in the past week

These reports are passed on to nemesys[at]telefonica.es - any chance of getting those? They may have the detail of the reported spam which could help find out the source. Spam has been coming from that address for over a month.

El_Marqué Posted January 11, 2008

Thank you all. I'll try to do these three things: mapping the router, contacting deputies and contacting nemesys.

Derek T Posted January 12, 2008

> These reports are passed on to nemesys[at]telefonica.es - any chance of getting those? They may have the detail of the reported spam which could help find out the source. spam has been coming from that address for over a month.

<thread hi-jack - moderators move/remove if appropriate>

We paying users used to be able to see the subject lines of reported spam and sometimes help enquirers that way. I've just looked and can't seem to find that feature now. Has it been withdrawn?

Farelf Posted January 12, 2008

> ...We paying users used to be able to see the subject lines of reported spam and sometimes help enquirers that way. I've just looked and can't seem to find that feature now. Has it been withdrawn?

Yikes - awaiting responses with interest! Have you looked at other cases Derek? How about 202.108.12.145 (both spamtraps and *lots* of member reports) or 211.99.190.4 (ditto)

StevenUnderwood Posted January 12, 2008

> Yikes - awaiting responses with interest! Have you looked at other cases Derek? How about 202.108.12.145 (both spamtraps and *lots* of member reports) or 211.99.190.4 (ditto)

I still see the subjects. Original IP (only report shown in last 90 days):

--------------------------------------------------------------------------------
Submitted: Friday, January 11, 2008 09:42:27 -0500:
SALE 80% OFF on Pfizer
2752147419 ( http://online1.turbotax.com/r/c/r?2.1.3Js.2Xb.1... ) To: postmaster[at]merchantmail.net
2752147417 ( http://intuit.p.delivery.net/m/u/itu/mkt/i.asp?... ) To: postmaster[at]merchantmail.net
2752147397 ( http://effectedge.com/ ) To: spamcop[at]kisa.or.kr
2752147382 ( http://effectedge.com/ ) To: spamrelay[at]certcc.or.kr
2752147372 ( http://effectedge.com/ ) To: abuse[at]hanaro.com
2752147365 ( 80.58.232.129 ) To: nemesys[at]telefonica.es
--------------------------------------------------------------------------------

Farelf Posted January 13, 2008

> I still see the subjects. Original IP (only report shown in last 90 days:
> --------------------------------------------------------------------------------
> Submitted: Friday, January 11, 2008 09:42:27 -0500:
> SALE 80% OFF on Pfizer
> ...

Ah, thanks Steven (though I could have sworn multiple reports were mentioned and the listing time mentioned was 33 days) - but something has worked (off the SCbl):

Volume Statistics for this IP
              Magnitude    Vol Change vs. Last Month
Last day      0.0          N/A
Last month    4.5          ?

Maybe Telefonica de Espana has simply pulled the plug? Nemesys (love that name) certainly talks tough about network abuse/compromise - "his" standard response includes

"In addition, we would like to inform you that we are taking measures to approach the problem in order to prevent it from happening again in the future."

Al respecto, le informo que estamos procediendo a tomar las acciones que entendemos pertinentes, para que estos hechos no vuelvan a producirse.

turetzsr Posted January 14, 2008

...They seem to have moved on -- to the US Department of State!?!?!!?! http://www.spamcop.net/sc?id=z1608188092z4...bd6431c10ebd41z.

Farelf Posted January 14, 2008

> ...They seem to have moved on -- to the US Department of State!?!?!!?! http://www.spamcop.net/sc?id=z1608188092z4...bd6431c10ebd41z.

Heh, and USIS seem to know all about it - fastest I've seen a webservice pulled offline. The actual IP address is still pingable though. Say ... what's that black helicopter doing?

Derek T Posted January 15, 2008

> Yikes - awaiting responses with interest! Have you looked at other cases Derek? How about 202.108.12.145 (both spamtraps and *lots* of member reports) or 211.99.190.4 (ditto)

Sorry folks, false alarm. Tried the above and, indeed, the history link is present and correct.