We're listed 67.38.176.142

[EVV532]

67.38.176.142 is listed. Can someone help us determine why?

We had one computer with NTRootkit-J last week. I think we have it eradicated.

Any ideas would be appreciated.

Thanks,

EVV532

[Lking]

67.38.176.142 is listed. Can someone help us determine why?

The best source for the information you are asking for is to go to the spamcop web page and click on the Blocking List Tab.

There you will find a window to inter your numeric IP address. When you click on the button you will see that at this time:

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 20 hours.

Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

There is also some additional information about your IP and mail.threeieng.com that you should address.

Hope this helps.

[EVV532]

The best source for the information you are asking for is to go to the spamcop web page and click on the Blocking List Tab.

Yep. Did that earlier. Still trying to find the original cause for getting listed in the first place.

[Lking]

Still trying to find the original cause for getting listed in the first place.

The original cause for being listed seems to be that mail from your IP was received by some of SpamCop's spam traps. Apparently three times during the last five days.

Spamtraps are: "Non-existent email addresses set up by SpamCop to definitively identify spam. As SpamCop never used these email addresses to signup for a mailing list or purchase an item, for example, SpamCop knows spammers harvested the emails for their mailing lists."

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

The fact that your volume of email has increased 1050% over last month would indicate that something has changed. Do you know what has changed? There are lots of tools available to help you identify malware on your machines if you can't account for the increase in volume in other ways.

[Farelf]

Yep. Did that earlier. Still trying to find the original cause for getting listed in the first place.

Lou (preceding post) has mentioned the SenderBase stats, which you can access via the lookup you know about. You only seem to be listed on the SCbl, looking at http://www.robtex.com/rbl/67.38.176.142.html (so no evidence is available from other sources) but the hits on SC spamtraps seem to continue going by SenderBase and the currency of your listing in the SCbl. And spamtrap evidence is secret. The deputies (deputies[at]admin.spamcop.net) might be able to tell you the TYPE of traffic they are seeing in the spamtraps (NDNs, etc) which could maybe help you home in on the continuing problem.

[Miss Betsy]

If your senderbase stats are not going down, then perhaps there is something else or you didn't get what you had completely eradicated.

Miss Betsy

[Telarin]

My first suggestion is to get a quick fix in until you can more definatively track down the problem machine. The first thing I would suggest doing is configure your firewall to only allow outgoing port 25 traffic from your mailserver. This will block any infected computers on your network from sending out mail. If your router/firewall supports it, configuring it to log those failed attempts can be very useful in tracking down the infected computer.

[Lking]

Telarin your right it doesn't look like the fix is in yet. Last I checked the volume is up to 1228% over 1050% yesterday. There must also been some additional hits at the spam Traps because the time remaining on the list has increased also.

Keep digging EVV532, the problem is there somewhere.

[EVV532]

Telarin your right it doesn't look like the fix is in yet. Last I checked the volume is up to 1228% over 1050% yesterday. There must also been some additional hits at the spam Traps because the time remaining on the list has increased also.

I was watching the time tick down ... 3 .... 2 - then 22. Bummer! We're still digging.

Trying the port 25 blocking suggestion. Thanks to all.

Any other additional ideas are appreciated.

[petzl]

I was watching the time tick down ... 3 .... 2 - then 22. Bummer! We're still digging.

Trying the port 25 blocking suggestion. Thanks to all.

Any other additional ideas are appreciated.

http://forum.spamcop.net/scwik/Bounce

Your not mindlessly bouncing email?

[Lking]

Your not mindlessly bouncing email?

In this case wouldn't that require SpamCop spam Traps to send email or someone to know the address of a spam trap and include it in an email to EVV532?

I don't think either is very likely (nada!). If he had been reported by someone other than a spam trap, what you suggest is very likely.

[Farelf]

Now promoting itself to a few more lists - http://www.robtex.com/rbl/67.38.176.142.html

Listingrisk

No longer a risk, your IP got listed :-(

[Derek T]

In this case wouldn't that require SpamCop spam Traps to send email or someone to know the address of a spam trap and include it in an email to EVV532?

I don't think either is very likely (nada!). If he had been reported by someone other than a spam trap, what you suggest is very likely.

Au contraire, very likely and very common. Spamtrap addresses are 'out there' to attract the scrapers: that's the whole point. No human needs to know them.

Human report now received

Submitted: Thu, 07 Feb 2008 08:29:45 GMT:
Crazy Britney does it again!

	* 2820599222 ( 67.38.176.142 ) To: abuse[at]prodigy.net