melainine

always blocked

hi !

anyone can help me ?

When I check senderscore.org I found that my IP is used by 4 domains which I don't authenticate. I want to know how they can access my IP and use it. I am not an open relay, I have rDNS and SPF. Please help me, because this problem is killing me.

[duplicate post http://forum.spamcop.net/forums/index.php?...ost&p=62569 in SpamCop Discussion > Discussions & Observations > SpamCop Email System & Accounts has been deleted]

Edited by Farelf


We are just users of the SpamCop systems, not staff, we do not know what ip address you refer to - unless it is the one you used to contact here. Some of us can see that.

http://www.senderbase.org/senderbase_queri...g=82.151.73.160

That is listed on SORBS, not SpamCop. Consulting SORBS:

spam Sending Trojan or Proxy attempted to send mail from/to

from=<imhcsbuh[at]el-puente.de>

to=<7rrez[at]paticipating.domain>

helo=<[82.151.73.160]>

Seeing mail.gimtel.mr [82.151.73.160].

Using http://www.robtex.com/dns/mail.gimtel.mr.html

base            record  name             ip
mail.gimtel.mr  A                        82.151.73.160
gimtel.mr       NS      bow.mauritel.mr  82.151.90.1
                NS      mail.gimtel.mr   82.151.73.160
                MX      mail.gimtel.mr   82.151.73.160
domains using this as mailserver - gimtel.mr

domains using this as nameserver - gimtel.mr

I don't see four domains there. Mauritanian Telecommunication Company has many IPs listed on one or two blocklists. Which one are you talking about?


Just to add, the senderscore result for that IP is consistent with the initial statements:

https://www.senderscore.org/lookup.php?lookup=82.151.73.160

Part of that site page says:

"Reputation Measures

Registered users can view the following reputation measures:

* Complaints

* Volume

* External Reputation

* Unknown Users

* spam Trap Hits"

So, melainine, have you viewed those materials? Were there complaints and/or spam trap hits from SpamCop?


SORBS believes this is an exploitable server:

Address and Port: 82.151.73.160

Record Created: Tue Jan 15 20:08:45 2008 GMT

Record Updated: Sun Jan 20 17:39:44 2008 GMT

Additional Information: spam Sending Trojan or Proxy attempted to send mail from/to from=<imhcsbuh[at]el-puente.de> to=<7rrez[at]paticipating.domain> helo=<[82.151.73.160]>


Thank you all, but I didn't find anything new. My IP is used by 4 other domains in senderscore.org, and they send spam from my IP. They are:

Domain Authenticated

1cho.com No

el-puente.de No

fadro.de No

jemp.com.br No

And this is a sample of what they sent; under the full header there is my IP address:

Subject: It's going to be a bumpy night, tell her to buckle down for the ride of her life

From: "oma Lintag" <imenoh1952[at]1cho.com>

Date: Thu, February 7, 2008 11:43 am

To: chapman[at]chico.iecc.com

Priority: Normal

Options: View Full Header | View Printable Version

Your Package will be all she wants on Valentine's Day.

Now I want to know how they can use my IP, and my reputation score is too small. How can I increase it ...

thank you


Thank you all, but I didn't find anything new. My IP is used by 4 other domains in senderscore.org, and they send spam from my IP. They are:

Domain Authenticated

1cho.com No

el-puente.de No

fadro.de No

jemp.com.br No

Now I want to know how they can use my IP, and my reputation score is too small. How can I increase it ...

thank you

The 'from' field in spam is always forged: 'they' didn't send it, spammers did. The spammers obviously have more control over your server than do you. Unplug that machine from the internet until someone with a clue has rebuilt it from the ground up. The only way to improve reputation is to stop the spam.


I have a LAN and a Linux server. I did remove the server machine and I formatted it, but it is still the same. How can I know which of my machines sends, and HOW THEY CAN USE MY IP?


You can look at the logs. You need to have a firewall. Then you can look at the firewall logs and see where the activity is. I don't remember now whether anyone has mentioned only allowing Port 25 for outgoing mail. I am not a server admin so I don't know all the tricks, but those are two that are essential in this time of spam and spam bots.

You also need to scan all your machines for viruses and trojans. And install good anti virus programs on them.

Miss Betsy


Thanks Miss Betsy so much. How can I see the traffic on port 25? I also checked the log, and my major question is how these domains used my IP.

thanks


they have installed a program on one of your computers that sends spam email.

sometimes the programs are very difficult to get rid of. you might need to hire a professional to help you.

Miss Betsy


Thanks Miss Betsy so much. How can I see the traffic on port 25? I also checked the log, and my major question is how these domains used my IP.

thanks

'These domains' did NOT use your IP, 'These domains' are forgeries. A spammer has installed a trojan on a machine on your network OR hacked your SMTP server.


thanks ,

If it is a trojan, is it enough to scan the computer that might be infected, which I don't know?

If it is a hack on my SMTP, what can I do?

Edited by melainine


thanks ,

If it is a trojan, is it enough to scan the computer that might be infected, which I don't know?

If it is a hack on my SMTP, what can I do?

You can probably trace the infected machine by examining your firewall logs for suspicious activity. Trojans often don't use port 25 so set your SMTP to relay ONLY what comes in on port 25. If SMTP AUTH is not needed, switch it off. These I have gleaned from being around here for a few years, I am not an Admin but someone who knows more will be along shortly! I have checked your server for weak passwords and not found any, but absence of evidence is not evidence of absence. Pay special attention to laptops when looking for trojanned machines.

If it is a trojan, is it enough to scan the computer that might be infected, which I don't know?

If it is a hack on my SMTP, what can I do?

Hi melainine!

I am sure you have sympathy and understanding from folk here. You are in a tough spot with the situation you face.

However, it seems from the questions you are asking that you really need to get help from somebody with more technical expertise than yourself.

I doubt that anyone here can do very much to help you by Email and forum posts. Of course these may point you in the right direction but I think you should look for a local IT person with the necessary experience and expertise to supplement your abilities.

Andrew


Derek and I are not server admins. All we know is that you should be careful with your SMTP AUTH. Server admins are very busy people. Sometimes they don't mind helping another server admin with a tough problem, but they really don't have time to instruct someone on how to be a server admin.

There are others who look at these posts who make their living by fixing other people's computer problems. Again, they are often willing to help with suggestions and advice in tough problems or to help a newbie with a simple problem. But they have to make a living.

Another problem is that there is more to make secure than just the SMTP AUTH. It would be very long and tedious to check all the potential problems by question and answer posts in this forum. Even if someone took the time to tell you how to set up your mail server, unless you understand all the other aspects also, you could still be open to having spam being sent from your computer.

If you want to be a responsible netizen, then you will find someone to either set your computer up correctly or teach you how. There are other forums where users of particular types of email programs and email servers ask questions. If you are using a Microsoft Exchange server, for instance, you can ask questions in a Microsoft Exchange user forum about how to set up your SMTP AUTH. Here are links from the Spamcop FAQ "Why Am I Blocked": To prevent SMTP relaying with Microsoft Exchange

and How to block open SMTP relaying and clean up queues - the last one is a link to Microsoft help and support. There are several other links in that FAQ plus information about php mailer program, another place where spammers can invade.

Miss Betsy


If you are using a Microsoft Exchange server, for instance, you can ask questions in a Microsoft Exchange user forum about how to set up your SMTP AUTH. Here are links from the Spamcop FAQ "Why Am I Blocked": To prevent SMTP relaying with Microsoft Exchange

and How to block open SMTP relaying and clean up queues - the last one is a link to Microsoft help and support. There are several other links in that FAQ plus information about php mailer program, another place where spammers can invade.

It's a linux server, (s)he said so up-thread.

I think it's a case of 'if you have to ask, you need to get a professional in'.

OP: there /are/ admins in this forum. Please post /exactly/ what server and version you are using, ditto firewall. Did you check the firewall logs yet?


Miss Betsy: thnx , here i found ppl who can help me at least share with me their knowledge and it is not sure that the problem will be solved but from here i can understand it and find a clear vision on it and the most important is to see that there are some ppl like you for support,

DarkT, yes, I checked the logs and I didn't see any NON-auth outgoing mails.

I use Fedora Core 3 and sendmail.

agsteele : you disappointed me :)

Sorry to have been a disappointment - seems to be the story of my life :blink:

But as Miss Betsy and Derek T have noted you are asking some pretty basic questions. You really sound like you need someone local to guide you through these steps.

Andrew

yes

Glad you found someone local! Once you understand how it works, you will be a valuable netizen! You are persistent in finding out what is going on and that's really good!

Miss Betsy

DarkT, yes, I checked the logs and I didn't see any NON-auth outgoing mails.

I use Fedora Core 3 and sendmail.

And the firewall? which firewall are you using and what do its logs say? The spew continues so there's something infected in there.
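
The firewall-log check suggested several times in this thread, as an added example that is not from any poster: it counts new outbound connections to TCP port 25 per LAN host and reports every host other than the mail server. It assumes a Linux gateway writing iptables `LOG` lines for forwarded traffic; the LAN range, the mail server's LAN address and all log lines are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumptions (not from the thread): LAN range and the sendmail host's LAN address.
LAN = ip_network("192.168.1.0/24")
MAIL_SERVER = ip_address("192.168.1.10")

# Constructed iptables LOG lines from a gateway FORWARD chain (documentation IPs).
SAMPLE_LOG = """\
Feb  7 11:40:02 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TTL=63 PROTO=TCP SPT=33012 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  7 11:43:01 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 LEN=48 TTL=127 PROTO=TCP SPT=1045 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  7 11:43:01 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.9 LEN=48 TTL=127 PROTO=TCP SPT=1046 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  7 11:43:02 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=203.0.113.80 LEN=48 TTL=127 PROTO=TCP SPT=2210 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  7 11:43:03 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.44 LEN=48 TTL=127 PROTO=TCP SPT=1047 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  7 11:43:09 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.20 LEN=60 TTL=63 PROTO=TCP SPT=33020 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  7 11:43:10 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 LEN=512 TTL=127 PROTO=TCP SPT=1045 DPT=25 WINDOW=65535 RES=0x00 ACK PSH URGP=0
Feb  7 11:43:30 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.1.4
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def smtp_talkers(log_text):
    """Count new outbound TCP/25 connections (bare SYN) per LAN source address."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        flags = line.split()
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
            continue
        if "SYN" not in flags or "ACK" in flags:   # only connection attempts
            continue
        try:
            src, dst = ip_address(fields["SRC"]), ip_address(fields["DST"])
        except (KeyError, ValueError):             # truncated or damaged line
            continue
        if src in LAN and dst not in LAN:
            counts[src] += 1
    return counts

def suspects(log_text):
    """LAN hosts other than the mail server that open SMTP connections outward."""
    hits = [(str(ip), n) for ip, n in smtp_talkers(log_text).items() if ip != MAIL_SERVER]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for host, attempts in suspects(SAMPLE_LOG):
        print(f"{host} opened {attempts} outbound SMTP connections")
```

A workstation that appears in this list is talking SMTP directly to the outside, bypassing the mail server's own logs, which is why checking only the sendmail log can show nothing unusual.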
