El_Marqué 0 Posted January 10, 2008 (edited) Hello. I know we're listed almost since last saturday, I think is for some trojans I've found in my net. We all share this ip, 80.58.232.129. So no one can use email. I've been reading a lot of things about how to be listed and unlisted. But maybe you can help me giving me some new information, the only information I have is that the IP is blocked. ¿How can I find the PC that is sending the spam?¿Is there any other form than passing an antivirus once and again? Maybe I must continue reading, please, tell me the links. Thanks a lot. Sorry, I forgot this information: Causes of listing System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop) SpamCop users have reported system as a source of spam less than 10 times in the past week Edited January 10, 2008 by El_Marqué Share this post Link to post Share on other sites
Telarin 0 Posted January 10, 2008 The first thing to do is configure your firewall so that only your actual mail server can send data out on port 25. This is a pretty easy thing to do on most firewalls and will prevent computers that aren't supposed to be directly sending email from doing so. You may also want to check you mail server logs to make sure that none of the messages are actually being sent through that computer. Share this post Link to post Share on other sites
StevenUnderwood 0 Posted January 10, 2008 One other useful source of information: http://www.senderbase.org/senderbase_queri...g=80.58.232.129 This shows that IP is currently sending ~16000 (10^4.2) messages per day. If that does not sound correct, you definitely have an issue. You can try to contact deputies[at]spamcop.net and ask them to look at the spamtrap messages. They may provide you with some information about what is going on. P.S. The senderbase number is still rising... currently at 4.3 = approx 20000 messages. Share this post Link to post Share on other sites
Farelf 0 Posted January 11, 2008 ...SpamCop users have reported system as a source of spam less than 10 times in the past weekThese reports are passed on to nemesys[at]telefonica.es - any chance of getting those? They may have the detail of the reported spam which could help find out the source. spam has been coming from that address for over a month. Share this post Link to post Share on other sites
El_Marqué 0 Posted January 11, 2008 Thank you all. I'll try to do this three things, mapping the router, contacting deputies and contacting nemesys. Share this post Link to post Share on other sites
Derek T 0 Posted January 12, 2008 These reports are passed on to nemesys[at]telefonica.es - any chance of getting those? They may have the detail of the reported spam which could help find out the source. spam has been coming from that address for over a month. <thread hi-jack - moderators move/remove if appropriate> We paying users used to be able to see the subject lines of reported spam and sometimes help enquirers that way. I've just looked and can't seem to find that feature now. Has it been withdrawn? Share this post Link to post Share on other sites
Farelf 0 Posted January 12, 2008 ...We paying users used to be able to see the subject lines of reported spam and sometimes help enquirers that way. I've just looked and can't seem to find that feature now. Has it been withdrawn?Yikes - awaiting responses with interest! Have you looked at other cases Derek? How about 202.108.12.145 (both spamtraps and *lots* of member reports) or 211.99.190.4 (ditto) Share this post Link to post Share on other sites
StevenUnderwood 0 Posted January 12, 2008 Yikes - awaiting responses with interest! Have you looked at other cases Derek? How about 202.108.12.145 (both spamtraps and *lots* of member reports) or 211.99.190.4 (ditto) I still see the subjects. Original IP (only report shown in last 90 days: -------------------------------------------------------------------------------- Submitted: Friday, January 11, 2008 09:42:27 -0500: SALE 80% OFF on Pfizer 2752147419 ( http://online1.turbotax.com/r/c/r?2.1.3Js.2Xb.1... ) To: postmaster[at]merchantmail.net 2752147417 ( http://intuit.p.delivery.net/m/u/itu/mkt/i.asp?... ) To: postmaster[at]merchantmail.net 2752147397 ( http://effectedge.com/ ) To: spamcop[at]kisa.or.kr 2752147382 ( http://effectedge.com/ ) To: spamrelay[at]certcc.or.kr 2752147372 ( http://effectedge.com/ ) To: abuse[at]hanaro.com 2752147365 ( 80.58.232.129 ) To: nemesys[at]telefonica.es -------------------------------------------------------------------------------- Share this post Link to post Share on other sites
Farelf 0 Posted January 13, 2008 I still see the subjects. Original IP (only report shown in last 90 days: -------------------------------------------------------------------------------- Submitted: Friday, January 11, 2008 09:42:27 -0500: SALE 80% OFF on Pfizer ... Ah, thanks Steven (though I could have sworn multiple reports were mentioned and the listing time mentioned was 33 days) - but something has worked (off the SCbl): Volume Statistics for this IP Magnitude Vol Change vs. Last Month Last day 0.0..............................N/A Last month 4.5.......................... ?Maybe Telefonica de Espana has simply pulled the plug? Nemesys (love that name) certainly talks tough about network abuse/compromise - "his" standard response includes "In addition, we would like to inform you that we are taking measures to approach the problem in order to prevent it from happening again in the future." Al respecto, le informo que estamos procediendo a tomar las acciones que entendemos pertinentes, para que estos hechos no vuelvan a producirse. Share this post Link to post Share on other sites
turetzsr 0 Posted January 14, 2008 ...They seem to have moved on -- to the US Department of State!?!?!!?! http://www.spamcop.net/sc?id=z1608188092z4...bd6431c10ebd41z. Share this post Link to post Share on other sites
Farelf 0 Posted January 14, 2008 ...They seem to have moved on -- to the US Department of State!?!?!!?! http://www.spamcop.net/sc?id=z1608188092z4...bd6431c10ebd41z.Heh, and USIS seem to know all about it - fastest I've seen a webservice pulled offline. The actual IP address is still pingable though. Say ... what's that black helicopter doing? Share this post Link to post Share on other sites
Derek T 0 Posted January 15, 2008 Yikes - awaiting responses with interest! Have you looked at other cases Derek? How about 202.108.12.145 (both spamtraps and *lots* of member reports) or 211.99.190.4 (ditto) Sorry folks, false alarm. Tried the above and, indeed, the history link is present and correct. Share this post Link to post Share on other sites