damiens

My email is blocked - help!

Hi All,

I am wondering if anyone can help me.

For the past couple of months, I have found my outgoing email being sporadically blocked from my home computer when I use Outlook. I try to send a mail, it doesn't send and I get the following message from 'System Administrator':

Your message did not reach some or all of the intended recipients.

Subject: test

Sent: 12/03/2008 21:40

The following recipient(s) could not be reached:

'bla[at]bla.com' on 12/03/2008 21:40

550 host is listed in bl.spamcop.net

I had never even heard of spamcop until this started happening. How might this be happening? It doesn't occur when I simply check email online...

Does anyone have any ideas about how or why this is happening and, more importantly, how to stop it?

cheers

Damien


There is a difference between 'not sending' which would mean your ISP is blocking your outgoing email and getting a Non-Deliverable Message (NDR) which means that the ISP of your correspondent is not accepting it.

If your ISP is blocking outgoing email from your computer because it is on the spamcop blocklist, and it is sporadic, then probably your computer is infected with a trojan which has installed a program that periodically sends spam.

If you are getting an NDR, then it could be you or it could be any one of your ISP's customers. The reason that it is sporadic, is because not all server admins use the spamcop blocklist to block and return email at the server level so you may email some correspondents, but not others. In fact, it is suggested that the spamcop blocklist be used to 'tag' email rather than block it. (or it is because the customer of your ISP has an infected computer).

In either case, the person to contact is your ISP. People here can help you with what to say, especially if you provide the IP address in the message you get. If you don't get an IP address in the message, then it is possible that whoever is returning your email is blocking for some other reason than the spamcop blocklist and just using the spamcop message. You can get an IP address from contacting either your ISP or the ISP of the person that you emailed - depending on who is doing the blocking.

Miss Betsy


The IP address you posted from is listed on spamcop for sending email to SpamCop's spamtrap addresses: http://www.spamcop.net/w3m?action=blcheck&...=89.129.156.187

Senderbase shows this IP is listed on several MAJOR blocklists and in the last day has sent on the order of 6300 mail messages (10^3.8): http://www.senderbase.org/senderbase_queri...=89.129.156.187

It looks like your machine or network is infected with something.

CBL says: IP Address 89.129.156.187 was found in the CBL.

It was detected at 2008-03-12 14:00 GMT (+/- 30 minutes), approximately 9 hours, 30 minutes ago.

ATTENTION: This IP is infected with, or NATting for a computer infected with a high volume spam sending trojan - it is participating in a botnet.

You need to patch your system and then fix/remove the trojan. Do this before delisting, or you're most likely to be listed again almost immediately.

...Do this before delisting, or you're most likely to be listed again almost immediately.
Express delisting is not available for that IP address (nor for any/many others in the Ya com Internet Factory group) due to the lack of rDNS. The address will time off the SCbl within 24 hours of the cessation of spam being sent from the address. If the OP shares that address with others that might never happen. Steven's SenderBase link currently shows Ya com to have 67 addresses monitored in the 89.129.156.0/24 range - *ALL* of them are on one or more block lists, none of them are configured for rDNS (when some recipients will reject on that basis alone). It is a wonder that any messages through this provider make it to their destination. Whatever (however little) they charge for connectivity, it is too much.

Does anyone have any ideas about how or why this is happening and, more importantly, how to stop it?

As noted by others, not enough information provided.

However, the scenario seems similar to a large number of existing Topics already in place here .... a typical situation like this has been described as .....

Wireless router in place with no (or very weak) security invoked (WEP, WPA, etc.)

Somewhere, an infected/compromised computer is connecting to that router, spewing out spam e-mail traffic

Complaining user is connecting to an ISP that is using the SpamCopDNSBL in a blocking fashion

As the IP address of the wireless router connection to this ISP has made its way onto various BLs, to include the SpamCopDNSBL, any e-mail traffic coming (routed through) that wireless router is rejected.

If the ISP offers a webmail application, the complaining user typically finds that e-mail sent via the webmail application goes out with no problems (because that e-mail is using the ISP's 'real' e-mail server.)


Hi Everyone!

Many thanks for all the responses.

This is where my computer ignorance shows itself in its full glory.

So, if I am not mistaken, my IP is 89.129.166.30. Now I have just done a search on the SpamCop blocklist, which says this IP is not on the list.

And indeed, since I posted, I have had no problem sending mail. However, in the past two months, this is something like the third or fourth time that this has happened. During a period of some hours, no outgoing mail reaches destination - every mail sent produces the standard message I quoted before. Then, usually the following day, all is fine.

I hate to waste people's time, but if the above in any way narrows down the problem and anyone can pinpoint more closely what I should do (thing is, I am a solo operator at work and haven't the first clue about patches, removing trojans etc etc), that would be grand. I am running Norton's 360 and a virus and spyware check revealed only a couple of tracking cookies. Can the kind of trojans you mention get around Norton 360?

Anyway, I appreciate the time and help you have given!

thanks

Damien

...So, if I am not mistaken, my IP is 89.129.166.30. Now I have just done a search on the SpamCop blocklist, which says this IP is not on the list.
Maybe someone with access to the report history will check to see if there are any listings. Getting a rejection which refers to SCbl listing does not necessarily mean the address is actually listed on the SCbl. Some services use a number of BLs and other rejection criteria but they don't all configure to reveal the actual reason for rejection. As mentioned, the lack of rDNS is sufficient for some to reject and the address you quote has no reverse lookup record -

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\Steve>nslookup
...
> set type=ptr
> 30.166.129.89.in-addr.arpa
...
*** (server) can't find 30.166.129.89.in-addr.arpa: Non-existent domain
>

Also, the entire 89.129.0.0/16 range is listed in the SpamHaus Policy Block List (PBL) - http://www.spamhaus.org/pbl/query/PBL168528 - that might be enough for rejection in some cases. Note the advice on that page

Important: If you are using any normal email software such as Outlook, Entourage, Thunderbird, Apple Mail, and you are being blocked by this Spamhaus PBL listing when you try to send email, the reason is simply that you need to turn on "SMTP Authentication" in your email software settings (Tools : Accounts : Properties : Outgoing Mail Server : check "My server requires authentication"). If you do not know how to do this, ask your Internet Service Provider for help with "SMTP Authentication".
Also note from http://www.senderbase.org/senderbase_queri...g=89.129.166.30 that the network's SenderBase reputation score is "poor". That will be enough to get you blocked in some quarters (or a similar score with other reputation monitors)
... I am running Norton's 360 and a virus and spyware check revealed only a couple of tracking cookies. can the kind of trojans you mention get around Norton 360?
Norton's is a start but nothing detects everything and in a word "yes" there are trojans and other nasties that can get around Norton (or may have been present before Norton was installed, which makes it harder). But let's wait for evidence that you have been listed and that the source of spam is some machine under your control before doing anything dramatic. In the meantime, you might like to check out some of the resources referenced in member petzl's signature.

... Anyway, I appreciate the time and help you have given!

This is where my computer ignorance shows itself in its full glory.

So, if I am not mistaken, my IP is 89.129.166.30. Now I have just done a search on the SpamCop blocklist, which says this IP is not on the list.

And indeed, since I posted, I have had no problem sending mail. However, in the past two months, this is something like the third or fourth time that this has happened. During a period of some hours, no outgoing mail reaches destination - every mail sent produces the standard message I quoted before. Then, usually the following day, all is fine.

OK, nothing mentioned about a wireless router/connection being used. Looking a bit closer at your posting data;

Mar 12 2008, 03:56 PM - posting IP Address 89.129.156.187

Mar 14 2008, 07:28 AM - posting IP Address 89.129.161.73

However, in that post you state; if I am not mistaken, my IP is 89.129.166.30

First question; how are you determining 'your' IP Address?

Second question; Just what kind of connection to your ISP are you using?

One could suggest that with the large spread shown above, you might be using dial-up, which would suggest you're getting a different IP Address with each connection, which would also suggest that you're at the mercy of some of the previous Ya.com users (with infected/compromised systems)

I'm stuck repeating .... there does not seem to be enough data provided.


Actually, while the IP [89.129.166.30] might very well be that of your connection (somewhere near Barcelona, right?), I'm guessing it's not the IP of your outbound email, which is what counts, as far as the blocking. The IP you provided hasn't had any spam reports against it on SpamCop, and is only listed on the "UCEProtect" RBL and no others at present.

It would be best if you could send one of us a test email and let us analyze the headers. If you want to send me a private message, I'll happily arrange for that test.

Peace,

DT

...... and is only listed on the "UCEProtect" RBL and no others at present.

That is because it was manually removed from the cbl yesterday.

That is because it was manually removed from the cbl yesterday.

Ah...yes...it would help if I would read *all* of the previous messages more carefully before commenting. :blush:

And the PBL stuff....ok....but still, no "History" of SpamCop reports....so I suppose that if that's the correct IP, and it has been listed on the SCBL multiple times, then it must have been only due to spamtrap hits.

DT

Ah...yes...it would help if I would read *all* of the previous messages more carefully before commenting. :blush:

And the PBL stuff....ok....but still, no "History" of SpamCop reports....so I suppose that if that's the correct IP, and it has been listed on the SCBL multiple times, then it must have been only due to spamtrap hits.

Yes it had spamtrap hits on Spamcop :lol:

Edited by Wazoo

It would be best if you could send one of us a test email and let us analyze the headers. If you want to send me a private message, I'll happily arrange for that test.

Hi DT,

If you wouldn't mind me sending you a private email so you could look at it more closely, I would be happy to do so. After several days of not having any problems, it has started again today!

By the way, the last ISP address I gave is what is displayed on my router (3com ADSL 11g Firewall router). As I say, all of this is well beyond my knowledge, so my not providing all the right info is due mostly to my not knowing what I should be providing! I am way out of my depth here!

As I have said before, this is periodic. So after several days with no problem, about 10 minutes ago I started having the same problem again...

regards

Damien

By the way, the last ISP address I gave is what is displayed on my router (3com ADSL 11g Firewall router). As I say, all of this is well beyond my knowledge, so my not providing all the right info is due mostly to my not knowing what I should be providing! I am way out of my depth here!

As I have said before, this is periodic. So after several days with no problem, about 10 minutes ago I started having the same problem again...

The use of a hardware firewall/router usually doesn't indicate a dial-up connection, yet your posting IP Address continues to change, which typically doesn't suggest a DSL or cable connection.

Mar 12 2008, 03:56 PM - posting IP Address 89.129.156.187

Mar 14 2008, 07:28 AM - posting IP Address 89.129.161.73

However, in that post you state; if I am not mistaken, my IP is 89.129.166.30

Mar 17 2008, 08:51 AM - posting IP Address 89.129.177.250

This last IP Address seems to match the symptoms of those previously identified .. not listed in the SpamCopDNSBL, no measurable traffic showing on the SenderBase data page ....

Who is in charge of the Firewall/Router you've now brought up? Perhaps you could point that person 'here' so as to possibly describe to you/us just how you are getting connected, and how/why all these various IP Addresses get assigned to you ...?????

I believe as mentioned above, it would appear that until you can get to the bottom of what's really going on between you and your ISP, you'd be better advised to open up an account on one of the 'free' e-mail host/providers .. GMail, Yahoo, etc.


89.129.177.250 isn't on our blocking list, but several IPs in 89.129.x.x range are.

Since it appears that you get a new IP every time you log into your ISP, every once in a while, you're likely to connect to an IP that is on our list and you start getting your email rejected.

The IP belongs to Ya.com Internet Factory (YACOMNET) in Madrid.

We've sent abuse[at]ya.com 766,076 reports over time. I suspect you may be getting service from a provider who has continuing spam problems.

All I can suggest is that when you start seeing rejection notices, you should disconnect and log in again so you get a different IP connection.

- Don D'Minion - SpamCop Admin -


I think I can shed some additional light on Damien's problem. The IPs that have been posted in this thread are NOT those of the server that actually handles his outbound email, so I had Damien send me an email, and the IP of the "final hop" was [62.151.11.202] (mxb21.ya.com). I looked up the SpamCop reporting history on that IP, and found that it has been reported multiple times for sending out "backscatter" (after-the-fact NDRs). When a mail server does that, it often hits spamtraps, so isn't it likely that Damien's problem with being blocked might be happening due not only to the individual reputations of his dynamically-assigned connection IPs, but also to the misbehavior of those "mxbXX.ya.com" servers that actually transmit his email to other systems?

As for the dynamic connection IPs, it's likely that many of them have been assigned to machines that belong to bot nets, which would explain the information provided by Steven earlier. If Ya.com would force their customers to use their own SMTP services, as many other ISPs are doing, that would help solve part of the problem, although they would also need to reconfigure their servers to stop sending backscatter. Perhaps Don could check some of the following IPs for backscatter. These are the "mxbXX.ya.com" IPs that I found in SenderBase list of "Addresses in ya.com used to send email":

I checked most of them, and the only SpamCop reporting history found on them was always backscatter.

Don's information was very telling, in that many abuse reports have gone to Damien's provider...but their "abuse" address has been listed at RFC-Ignorant.org for years, so I wonder if they are actually paying any attention to those reports?

Damien, you probably need to find a new way to send out your email messages. For example, if you use a webmail account (GMail, or better yet, a SpamCop Email account) to send your messages, you'll probably have fewer problems with getting blocked.

Peace,

DT
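
The header check described in the post above, as an added example (not code from any poster in this thread): it reads a message's Received headers to find the IP that the recipient's server actually saw, then builds the blocklist and reverse-DNS query names for that IP. The sample message, its hosts and addresses, and the function names are constructed for illustration.

```python
import ipaddress
import re
import socket
from email import message_from_string

# Constructed sample message: hosts and addresses are documentation values.
SAMPLE = """\
Received: from mxb.isp.example (mxb.isp.example [198.51.100.25])
\tby mx.recipient.example with ESMTP; Mon, 17 Mar 2008 09:00:02 +0000
Received: from homepc (unknown [203.0.113.77])
\tby mxb.isp.example with ESMTP; Mon, 17 Mar 2008 09:00:00 +0000
From: sender@isp.example
To: someone@recipient.example
Subject: test

body
"""

_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_chain(raw):
    """Client IPs recorded in the Received headers, newest hop first."""
    chain = []
    for header in message_from_string(raw).get_all("Received", []):
        match = _BRACKETED_IP.search(header)
        if not match:
            continue
        try:
            chain.append(str(ipaddress.IPv4Address(match.group(1))))
        except ValueError:
            continue  # bracketed text that is not a valid IPv4 address
    return chain


def handoff_ip(raw):
    """IP the recipient's server saw connecting (the 'final hop'), or None."""
    chain = relay_chain(raw)
    return chain[0] if chain else None


def dnsbl_name(ip, zone):
    """DNSBL query name: the octets reversed, followed by the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def ptr_name(ip):
    """Name queried for reverse DNS (the nslookup 'set type=ptr' lookup)."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True when the zone answers with a 127.x.x.x address for this IP."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except OSError:
        return False  # no such name; note a resolver failure also lands here
    return answer.startswith("127.")
```

The topmost Received header is the one written by the receiving server, so the address in it, not the sender's own connection IP, is what that server checks against a list such as bl.spamcop.net.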


Hi All,

While I don't really understand much of the technical stuff here, I am learning a few things!

And it would appear the message is that my server (ya.com) ain't too hot. If guys only knew how difficult it is to change servers in Spain!!! It is enough to make you want to cut your own throat. And for various reasons, not just this one, they are all pretty bad (this is not a service oriented country).

I will bear in mind Don's advice for the moment (switching off and starting over to get a different ISP) and, in the longer term, probably change email address. I feel a little lazy about that just now, for the simple reason of getting everyone to switch over (and I went through all that little over a year ago when I was one of the last known human beings to leave Compuserve - anyone remember them?).

I would like to thank you all for time and explanations. Really great stuff. I work alone and when things go wrong with the technology I feel like a shag on a rock.

cheers

Damien


Keep in mind that you don't have to change the provider that is providing you connectivity, just email. You can continue to use ya.com for connectivity, and send your email (via authenticated SMTP) through another provider, and you shouldn't have any further problems. Or as was suggested by someone else, you could use a free webmail provider such as Yahoo!, Hotmail, or GMail. I personally have a free Yahoo! Mail account that I have had for over 10 years, and have never had any problems with it. I haven't used Hotmail or GMail enough myself to be able to comment on the quality of their service, but I suspect that all 3 of them are probably very similar.
