JanetMVDC

[Resolved] 206.45.95.155 blocked


206.45.95.155 is our static IP address. Our company has been on the list since last Friday. We have an online ordering website. Now we can't send our order confirmation emails to borderlink.ca, wcgwave.ca, etc.... Our Exchange server has no virus; I schedule the virus scanning every night....

I have no idea why we are on this list... Our customers can't get their order confirmation emails and we can't send our purchasing emails to vendors.... It makes us feel bad.

206.45.95.155 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 23 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Additional potential problems

(these factors do not directly result in spamcop listing)

System administrator has already delisted this system once

Because of the above problems, express-delisting is not available

Listing History

In the past 4.9 days, it has been listed 3 times for a total of 2.9 days

Other hosts in this "neighborhood" with spam reports

206.45.95.42

Dispute Listing

If you are the administrator of this system and you are sure this listing is erroneous, you may request that we review the listing. Because everyone wants to dispute their listing, regardless of merit, we reserve the right to ignore meritless disputes.

Dispute listing of 206.45.95.155

Edited by JanetMVDC


Hi!

<snip>...Our customers can't get their order confirmation emails and we can't send our purchasing emails to vendors.... It makes us feel bad.

<snip>

...If you are relying on e-mail service for your communications with your customers and suppliers, you may wish to re-think that. Internet e-mail never has been, is not now and will not be for the foreseeable future a guaranteed delivery mechanism. You would be well advised to have alternative means to complete important business communications.

...Here are some more resources for you:

  • Senderbase. Are you able to explain why there has apparently been a 1230% volume change in e-mail from your server in the past month?
  • SpamCop FAQ (see link near top left of any SpamCop Forum page) item labeled "Why am I Blocked?"
  • SpamCop FAQ (see link near top left of any SpamCop Forum page) item labeled "Has your email been blocked? (ISP, Mailing List Admin, Advertiser)"
  • SpamCop FAQ (see link near top left of any SpamCop Forum page) item labeled "What is on the list?"
  • SpamCop FAQ (see link near top left of any SpamCop Forum page) item labeled "How can I be de-listed"
  • SpamCop FAQ (see link near top left of any SpamCop Forum page) item labeled "The SpamCop Checkblock page says: "System has sent mail to SpamCop spam traps...." How do I get information about spam trap hits?"

If you have any questions after reading these, please drop back here to ask.


Thank you for your reply.

I have no idea why there is a 1230% volume change... It never happened before. We never send spam. I have read "Why am I Blocked?"... We have disabled our Guest account for at least 4 and a half years.

Can you give me some suggestions?


Does your exchange server share its IP address with other computers on your network through a NAT or Proxy system? If so, it may be that one or more of the other computers are infected with malware and sending spam.

What version of exchange are you using? Versions prior to 2003 had issues with sending misdirected bounces. If you are using such a version, please download the hotfix from Microsoft to correct that behavior, or upgrade to a current version of Exchange.

Have you tried contacting deputies[at]admin.spamcop.net to find out what kind of traffic they are seeing from your IP address at the spamtraps? They won't be able to give you exact headers, but they should be able to tell you if it is misdirected bounces, or spam from malware.

Edited by Telarin


Thank you very much for your reply.

From our firewall, I can see that port 25 on one of our laptops is very busy. I don't know if it is causing the problem. We have only been using that laptop for one week. It is a brand-new one.

We are using Exchange 2003.

More and more customers are complaining. Please remove us from the list first.....Thank you!

The list is automatic and nobody here can remove you. If you remove yourself early without fixing the issue, you will end up on the list very shortly without that option ever again.

Actually, it appears that has already been done:

Additional potential problems

(these factors do not directly result in spamcop listing)

System administrator has already delisted this system once

Because of the above problems, express-delisting is not available

Thank you very much for your reply.

From our firewall, I can see that port 25 on one of our laptops is very busy. I don't know if it is causing the problem. We have only been using that laptop for one week. It is a brand-new one.

That is likely the cause of the issue. Does that new laptop have active and current anti-virus and anti-spyware software? The last public IP I turned on (about a month ago) was being attacked less than 30 minutes after I put a server on it. That was not even enough time to do all the security updates on a newly installed OS. I always patch and install the AV/ASW software internally before giving anything a live IP address, which is always behind our firewall with appropriate rules disallowing anything but the necessary ports.

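An added example, not part of any post in this thread: one way to confirm from firewall logs which internal hosts other than the mail server are opening outbound port 25 connections, as the busy laptop above was. The log format, the internal addresses and the `MAIL_SERVER` value are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict

MAIL_SERVER = "192.168.1.10"  # assumed internal address of the only permitted sender
SMTP_PORT = 25

# Assumed log format: "... SRC=<ip> DST=<ip> PROTO=TCP SPT=<port> DPT=<port>"
LINE_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)"
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
09:00:01 fw OUT SRC=192.168.1.10 DST=198.51.100.20 PROTO=TCP SPT=41000 DPT=25
09:00:02 fw OUT SRC=192.168.1.57 DST=203.0.113.5 PROTO=TCP SPT=49211 DPT=25
09:00:02 fw OUT SRC=192.168.1.57 DST=203.0.113.77 PROTO=TCP SPT=49212 DPT=25
09:00:03 fw OUT SRC=192.168.1.57 DST=192.0.2.14 PROTO=TCP SPT=49213 DPT=25
09:00:03 fw OUT SRC=192.168.1.23 DST=198.51.100.80 PROTO=TCP SPT=50100 DPT=443
09:00:04 fw OUT SRC=192.168.1.57 DST=192.0.2.200 PROTO=TCP SPT=49214 DPT=25
09:00:05 fw OUT SRC=192.168.1.31 DST=198.51.100.20 PROTO=TCP SPT=51000 DPT=25
garbled line that the parser must skip
"""

def rogue_smtp_senders(log_text, mail_server=MAIL_SERVER):
    """List (source_ip, connections, distinct_destinations) for every host
    other than the mail server that opened outbound TCP/25, busiest first."""
    stats = defaultdict(lambda: {"connections": 0, "destinations": set()})
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match is None:
            continue                      # not a TCP connection record
        if int(match["dpt"]) != SMTP_PORT or match["src"] == mail_server:
            continue                      # other ports, or the legitimate sender
        entry = stats[match["src"]]
        entry["connections"] += 1
        entry["destinations"].add(match["dst"])
    rows = [(src, s["connections"], len(s["destinations"])) for src, s in stats.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))

if __name__ == "__main__":
    for src, count, dests in rogue_smtp_senders(SAMPLE_LOG):
        print(f"{src}: {count} outbound SMTP connections to {dests} destinations")
```

A workstation that shows up here with many distinct destinations is the one to isolate. Allowing outbound port 25 only from the mail server at the firewall keeps a single infected machine from getting the shared address listed again.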

I have disconnected that new laptop from our LAN.

I didn't put AV software on it. We have Norton to protect our Exchange and all the incoming email.

If this laptop has viruses, it might have got them from some website.

Let's see if disconnecting works or not!


You can monitor the estimated mail traffic coming from your IP address with this link: http://www.senderbase.org/senderbase_queri...g=206.45.95.155

So far, it is still showing ~16000 messages in the last day or >1200% increase over your average.

Also, look at the description for "Typhoid Mary laptop" on this page: http://www.spamcop.net/bl.shtml?206.45.95.155

Thank you for your reply.
...You are quite welcome!
<snip>

I have read "Why am I Blocked?"... We have disabled our Guest account for at least 4 and a half years.

Can you give me some suggestions?

...The best suggestion I can give you is to have another look at the resources I listed (in addition to reading and acting on what others have written, above, which you appear to have done). I don't even see a reference to a Guest account in the "Why Am I Blocked?" FAQ entry. I do see the following that might be useful to you:
Why Am I Blocked? Probable Causes

If your email has suddenly been blocked by the SpamCop blocklist, it is probably because you share an IP address with other email users and there is someone who:

  • is using auto-responses that are replying to spam with forged spamtrap email addresses (such as Out-of-Office/Vacation notices, virus notifications, and 'bounces' created after accepting the email);
  • has a computer with a virus that sends spam without the owner's knowledge;
  • has a computer that has been compromised and spammers are remotely controlling it to transmit their spew;
  • is sending unsolicited emails and your internet service provider is allowing it;
  • or because, as in all systems, there may have been a mistake. (very rare)

<snip>

If the blocklist only lists spamtraps, then the likely culprits are auto-responders or misdirected bounces (that is, bounce emails sent after acceptance of the email instead of being rejected by the server during the SMTP phase, which would include emails such as "no such user", "non-existent mailbox", and/or "quota exceeded").

If the blocklist lists spam traps and reports,

<snip>

Some of these references have been covered by others, above.


Thank you very much! I will monitor the traffic page.

206.45.95.155 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 4 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Additional potential problems

(these factors do not directly result in spamcop listing)

DNS error: 206.45.95.155 is 206-45-95-155.static.mts.net but 206-45-95-155.static.mts.net has no DNS information

System administrator has already delisted this system once

Because of the above problems, express-delisting is not available

So it must be that laptop...


Yes, I read it yesterday. Very useful. Thank you.

4 hours left... :)


First of all, another datapoint set .. traffic is way down; http://www.senderbase.org/senderbase_queri...g=206.45.95.155

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ....... 3.9 .. 502%

Last month ... 3.1

Next: one of the sharp-eyed moderators noted that the only IP address identified in this Topic is basically used to identify 'everything' .... the exchange server, the laptop, as it turns out, the address showing as posted from .... a bit of research also shows that there is also a web-page at the same IP address.

The words "From our firewall" might suggest that 'everything is under control' .. yet it also might suggest that someone has possibly put too much faith into one piece of a security tool-set. From the appearances of the multiple items involved, it would seem that "all" traffic is routed through this single firewall (this would explain why so many services and data sources would all reflect that single IP address)

However, as discovered, throwing 'everything' to/through a single router/firewall doesn't protect the network from 'all' bad traffic. There is hope that everything isn't running on a single computer, but that's none of our business. It just seems like the suggestion of another router/firewall wouldn't be overkill, again, based on appearances.

Have you talked to anyone about fixing the rDNS yet .... perhaps even suggesting the use of another IP address so as to further separate the web-page, LAN users, etc. and the exchange server? One of the reasons this would seem useful is that there are a number of ISPs that would reject your e-mail right off the bat, based on the lack of/bad rDNS.


Report on IP address: 206.45.95.155

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day 2.2 -86%

Last month 3.1

Our IP has been removed from the blocked list...Thank you very much for the help...

:)


...Thank YOU for your quick work in identifying and removing the culprit!

...With this post, I am marking this forum thread / article as "Resolved."


Thank you very much for your reply.

Yes, we only have one router. We put Exchange, DNS and DHCP on one machine. Web publishing, web database and file server are three different machines, but all of them use one external IP.

The LAN was built before I worked here.

You gave me a very good suggestion. We will think about getting more external IPs from our ISP.

Have you talked to anyone about fixing the rDNS yet .... I am not familiar with it. I will look for some books or do some research on the internet to understand what you are talking about.

Example from your infected machine can be found at http://psbl.surriel.com/evidence?ip=206.45...=Check+evidence

Thank you, I added this webpage to my Favorites. :lol:

...Thank YOU for your quick work in identifying and removing the culprit!

...With this post, I am marking this forum thread / article as "Resolved."

Thank you! :rolleyes:


Concerning your rDNS record, all you need to do is call your ISP, and tell them you need a PTR record for 206.45.95.155 to host mx.midwestvet.com. They should be able to set it up for you relatively quickly. The PTR record must be set up by the owner of the IP address, usually your ISP, and is not set up on the DNS server hosting the A records for the domain.

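An added example, not part of any post in this thread: the two DNS checks behind the listing pages quoted above, a DNSBL lookup against bl.spamcop.net and a forward-confirmed reverse DNS check of the kind the PTR record advice addresses. The function names and stub resolvers are assumptions made for the example; the stub data is constructed from values quoted in the thread (the A record for mx.midwestvet.com is assumed) so the block runs offline.

```python
import ipaddress
import socket

def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def is_listed(ip, zone="bl.spamcop.net", resolve=socket.gethostbyname):
    """True if the zone answers with a 127.0.0.0/8 address (e.g. 127.0.0.2)."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except OSError:            # lookup failed, typically NXDOMAIN: not listed
        return False
    return answer.startswith("127.")

def _ptr(ip):
    return socket.gethostbyaddr(ip)[0]

def _addresses(name):
    return socket.gethostbyname_ex(name)[2]

def fcrdns_status(ip, reverse=_ptr, forward=_addresses):
    """Return (ptr_name, status) for a forward-confirmed reverse DNS check."""
    try:
        name = reverse(ip)
    except OSError:
        return None, "no PTR record"
    try:
        addrs = forward(name)
    except OSError:
        return name, "PTR name has no address record"
    if ip not in addrs:
        return name, "PTR name resolves to a different address"
    return name, "ok"

# Constructed stub DNS data so the example runs offline. BROKEN models the
# "DNS error" line quoted in the thread; FIXED models the PTR advice.
IP = "206.45.95.155"
BROKEN = {"ptr": {IP: "206-45-95-155.static.mts.net"}, "a": {}}
FIXED = {"ptr": {IP: "mx.midwestvet.com"}, "a": {"mx.midwestvet.com": [IP]}}
LISTED = {"155.95.45.206.bl.spamcop.net": "127.0.0.2"}

def stub(table):
    """Turn a dict into a resolver that raises OSError on a missing name."""
    def resolve(key):
        if key not in table:
            raise OSError("name not found: " + key)
        return table[key]
    return resolve

if __name__ == "__main__":
    print(is_listed(IP, resolve=stub(LISTED)))
    print(fcrdns_status(IP, stub(BROKEN["ptr"]), stub(BROKEN["a"])))
    print(fcrdns_status(IP, stub(FIXED["ptr"]), stub(FIXED["a"])))
```

Called without the stub arguments, the same functions query live DNS through the system resolver.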


Thank you. I will call them on Monday. I appreciate your help. :)
