80.58.232.129 listed

[El_Marqué]

Hello.

I know we're listed almost since last saturday, I think is for some trojans I've found in my net. We all share this ip, 80.58.232.129. So no one can use email. I've been reading a lot of things about how to be listed and unlisted. But maybe you can help me giving me some new information, the only information I have is that the IP is blocked. ¿How can I find the PC that is sending the spam?¿Is there any other form than passing an antivirus once and again?

Maybe I must continue reading, please, tell me the links.

Thanks a lot.

Sorry, I forgot this information:

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

[Telarin]

The first thing to do is configure your firewall so that only your actual mail server can send data out on port 25. This is a pretty easy thing to do on most firewalls and will prevent computers that aren't supposed to be directly sending email from doing so. You may also want to check you mail server logs to make sure that none of the messages are actually being sent through that computer.

[StevenUnderwood]

One other useful source of information: http://www.senderbase.org/senderbase_queri...g=80.58.232.129

This shows that IP is currently sending ~16000 (10^4.2) messages per day. If that does not sound correct, you definitely have an issue.

You can try to contact deputies[at]spamcop.net and ask them to look at the spamtrap messages. They may provide you with some information about what is going on.

P.S. The senderbase number is still rising... currently at 4.3 = approx 20000 messages.

[Farelf]

...SpamCop users have reported system as a source of spam less than 10 times in the past week

These reports are passed on to nemesys[at]telefonica.es - any chance of getting those? They may have the detail of the reported spam which could help find out the source. spam has been coming from that address for over a month.

[El_Marqué]

Thank you all.

I'll try to do this three things, mapping the router, contacting deputies and contacting nemesys.

[Derek T]

These reports are passed on to nemesys[at]telefonica.es - any chance of getting those? They may have the detail of the reported spam which could help find out the source. spam has been coming from that address for over a month.

<thread hi-jack - moderators move/remove if appropriate>

We paying users used to be able to see the subject lines of reported spam and sometimes help enquirers that way. I've just looked and can't seem to find that feature now. Has it been withdrawn?

[Farelf]

...We paying users used to be able to see the subject lines of reported spam and sometimes help enquirers that way. I've just looked and can't seem to find that feature now. Has it been withdrawn?

Yikes - awaiting responses with interest!

Have you looked at other cases Derek? How about 202.108.12.145 (both spamtraps and *lots* of member reports) or 211.99.190.4 (ditto)

[StevenUnderwood]

Yikes - awaiting responses with interest!

Have you looked at other cases Derek? How about 202.108.12.145 (both spamtraps and *lots* of member reports) or 211.99.190.4 (ditto)

I still see the subjects.

Original IP (only report shown in last 90 days:

--------------------------------------------------------------------------------

Submitted: Friday, January 11, 2008 09:42:27 -0500:

SALE 80% OFF on Pfizer

2752147419 ( http://online1.turbotax.com/r/c/r?2.1.3Js.2Xb.1... ) To: postmaster[at]merchantmail.net

2752147417 ( http://intuit.p.delivery.net/m/u/itu/mkt/i.asp?... ) To: postmaster[at]merchantmail.net

2752147397 ( http://effectedge.com/ ) To: spamcop[at]kisa.or.kr

2752147382 ( http://effectedge.com/ ) To: spamrelay[at]certcc.or.kr

2752147372 ( http://effectedge.com/ ) To: abuse[at]hanaro.com

2752147365 ( 80.58.232.129 ) To: nemesys[at]telefonica.es

--------------------------------------------------------------------------------

[Farelf]

I still see the subjects.

Original IP (only report shown in last 90 days:

--------------------------------------------------------------------------------

Submitted: Friday, January 11, 2008 09:42:27 -0500:

SALE 80% OFF on Pfizer ...

Ah, thanks Steven (though I could have sworn multiple reports were mentioned and the listing time mentioned was 33 days) - but something has worked (off the SCbl):

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day 0.0..............................N/A

Last month 4.5..........................

?Maybe Telefonica de Espana has simply pulled the plug? Nemesys (love that name) certainly talks tough about network abuse/compromise - "his" standard response includes "In addition, we would like to inform you that we are taking measures to approach the problem in order to prevent it from happening again in the future." Al respecto, le informo que estamos procediendo a tomar las acciones que entendemos pertinentes, para que estos hechos no vuelvan a producirse.

[turetzsr]

...They seem to have moved on -- to the US Department of State!?!?!!?! http://www.spamcop.net/sc?id=z1608188092z4...bd6431c10ebd41z.

[Farelf]

...They seem to have moved on -- to the US Department of State!?!?!!?! http://www.spamcop.net/sc?id=z1608188092z4...bd6431c10ebd41z.

Heh, and USIS seem to know all about it - fastest I've seen a webservice pulled offline. The actual IP address is still pingable though. Say ... what's that black helicopter doing?

[Derek T]

Yikes - awaiting responses with interest!

Have you looked at other cases Derek? How about 202.108.12.145 (both spamtraps and *lots* of member reports) or 211.99.190.4 (ditto)

Sorry folks, false alarm. Tried the above and, indeed, the history link is present and correct.