Robust_Lady

Blocked twice in two days - Please help

Here's the report I'm receiving today:

74.7.166.13 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 20 hours.

Causes of listing

System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems

(these factors do not directly result in spamcop listing)

DNS error: 74.7.166.13 has no reverse dns

Because of the above problems, express-delisting is not available

Listing History

System has been listed for less than 24 hours.

Other hosts in this "neighborhood" with spam reports

74.7.165.189 74.7.166.141

Dispute Listing

If you are the administrator of this system and you are sure this listing is erroneous, you may request that we review the listing. Because everyone wants to dispute their listing, regardless of merit, we reserve the right to ignore meritless disputes.

Dispute listing of 74.7.166.13

Where and how should I begin to fix this problem? We're a small company (4 employees) that is not trying to spam anyone. Most of our clients come to us.

I'm no IT person so I don't even know where to begin, other than starting here.

Any help would be greatly appreciated.


Reports regarding 74.7.166.13 currently go to abuse[at]cbeyond.net. You need to try to contact whoever is in charge of that abuse desk to get copies of reports to find out what you are sending out. Failing this, you might also be able to get a copy of the reports from deputies[at]admin.spamcop.net, assuming you can somehow prove your association with that IP address.

74.7.166.13 has no reverse DNS, so should not be sending email directly to begin with. Do you have your own mail server, or are you using a mail server provided by your ISP? If you have no mail server, I would suggest that you start by carefully checking each of your computers for viruses. You may want to call in a professional computer service technician to do this for you, as some of them can be very tricky to track down once they are already on the machine.

If you are running your own mail server at that IP address, then you need to get PTR records added to the DNS. You would need to contact your ISP about this. The PTR record should exactly match the A and MX records for the mail server in order to ensure reliable delivery of email.

If 74.7.166.13 is a dynamic IP address, it is possible that you are experiencing collateral damage caused by a previous customer that was assigned to that address. However, this is fairly unlikely, as most broadband connections do not change IP addresses on a regular basis unless you are rebooting the equipment for some reason.

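Added example, not part of any post in this thread: a Python sketch of the two checks the listing report and the reply above rest on, the DNSBL lookup (reversed octets under bl.spamcop.net, where a 127.0.0.x answer means listed) and whether an IP's PTR name resolves back to the same IP. The function names, the sample records, the example.com names and the 192.0.2.x hosts are constructed for illustration; called without the sample resolvers, `check_sender` uses the OS resolver.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live here

def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """74.7.166.13 -> 13.166.7.74.bl.spamcop.net"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

# OS-resolver lookups; any resolver error is treated as "no answer".
def system_a(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def system_ptr(ip):
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host, *aliases]
    except OSError:
        return []

def check_sender(ip, lookup_a=system_a, lookup_ptr=system_ptr):
    """Return (dnsbl_answer_or_None, rdns_status) for a sending IP."""
    listed = next((a for a in lookup_a(dnsbl_query_name(ip))
                   if ipaddress.ip_address(a) in LOOPBACK), None)
    names = lookup_ptr(ip)
    if not names:
        rdns = "no-ptr"             # what the report called "no reverse dns"
    elif any(ip in lookup_a(n) for n in names):
        rdns = "forward-confirmed"  # PTR name has an A record back to the IP
    else:
        rdns = "ptr-mismatch"       # PTR exists but points somewhere else
    return listed, rdns

# Constructed sample records, not live DNS; example.com / 192.0.2.x are hypothetical.
SAMPLE_A = {"13.166.7.74.bl.spamcop.net": ["127.0.0.2"],
            "mail.example.com": ["192.0.2.25"],
            "other.example.com": ["192.0.2.99"]}
SAMPLE_PTR = {"192.0.2.25": ["mail.example.com"], "192.0.2.26": ["other.example.com"]}
def sample_a(name):
    return SAMPLE_A.get(name, [])
def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

if __name__ == "__main__":
    for ip in ("74.7.166.13", "192.0.2.25", "192.0.2.26"):
        print(ip, check_sender(ip, sample_a, sample_ptr))
```

Because resolver errors are folded into "no answer", a DNS timeout looks the same as "not listed" here; a production check should tell the two apart.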
> Reports regarding 74.7.166.13 currently go to abuse[at]cbeyond.net. You need to try to contact whoever is in charge of that abuse desk to get copies of reports to find out what you are sending out.

I tried contacting Cbeyond.net and they refuse to "help" today since they "helped" resolve the problem yesterday and claim it has nothing to do with them at this point.

I know this may sound strange but our business is located on the ground floor of an apartment building in a commercial space. Could someone in one of the apartments above us be causing the problem?


Submitted: Monday, June 02, 2008 10:33:11 AM -0400:

[spam] Update your Penis

3160898697 ( 74.7.166.13 ) To: abuse[at]cbeyond.net

I believe you better update your system first and remove the trojans/worms/virii etc. Looks like a compromised machine.

> I know this may sound strange but our business is located on the ground floor of an apartment building in a commercial space. Could someone in one of the apartments above us be causing the problem?

Only if you have an open wireless access point that someone upstairs has hijacked. Or if you are getting connectivity from the building owner and are otherwise sharing it with the other tenants.

> Submitted: Monday, June 02, 2008 10:33:11 AM -0400:
>
> [spam] Update your Penis
>
> 3160898697 ( 74.7.166.13 ) To: abuse[at]cbeyond.net
>
> I believe you better update your system first and remove the trojans/worms/virii etc. Looks like a compromised machine.

Thank you, Merlyn. :blink:

Interesting that this all began after we had someone in on Sunday to look at the C.E.O.'s computer which was acting strangely.

> Only if you have an open wireless access point that someone upstairs has hijacked. Or if you are getting connectivity from the building owner and are otherwise sharing it with the other tenants.

Our office is completely wireless and again none of us here are very computer literate (I try to understand as much as I can). C.E.O. has a tendency of hiring whatever IT person he comes across that knows more than he does (which is pretty much EVERYTHING) to come in and "set things up" for us. C.E.O. has gone through 3 computers in the last two years and always has strange things happening to his computers. ::sighs::


You need to check the settings on your wireless access point and make sure you have some kind of security enabled. The documentation for the wireless access point should have all the details on doing that for your particular device.


http://www.spamcop.net/w3m?action=checkblo...;ip=74.7.166.13

74.7.166.13 not listed in bl.spamcop.net

http://www.senderbase.org/senderbase_queri...ing=74.7.166.13

Date of first message seen from this address 2008-06-01

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 3.5 .. 1296%

Last month 2.4 (assume a bit of a math error, as there was 'no' traffic seen last month)

Among the entries found in the SpamCop FAQ found here, there is the Why am I Blocked? entry that attempts to explain how this 'blockage' could happen. There is also the entry SenderBase's "Magnitude" Explained that suggests that this IP address is spewing out something like 8 or 9 thousand e-mails a day. That's quite an effort for only 4 employees <g>

The listing/de-listing is based on the math seen at What is the SpamCop Blocking List (SCBL)? Basically, the ratio between 'seen' traffic and spamtrap hits / spam reported that tracks back to that IP Address.

From the sounds of it ....

No firewall in place

No security settings applied to the wireless router (and attendant settings on the associated computers)

Not in place, a full complement of anti-virus, anti-spyware, anti-malware set of tools.

Slow traceroute 74.7.166.13

129.250.4.66 RTT: 19ms TTL:170 (xe-4-2.r01.chcgil09.us.bb.gin.ntt.net ok)

128.242.180.6 RTT: 26ms TTL:170 (No rDNS)

192.168.42.37 RTT: 28ms TTL:170 (No rDNS)

* * * failed

* * * failed

* * * failed

74.7.166.13 RTT: 23ms TTL:245 (No rDNS)

I'll leave it to someone else to possibly explain how that non-routable IP Address got in there, but just noting that the listing certainly implies that this IP Address should not be sending out any e-mail at all.

As you state, your CEO needs to actually find someone qualified to work on his/her/your systems and make it worthwhile for that person to actually do what's required to make things right in your office.

You don't really state just how you became aware of the SpamCopDNSBL listing, but in other cases presented by other users, they became aware of your situation when their own ISP blocked any attempted (valid) e-mail from being sent out because their ISP used the SpamCopDNSBL in a blocking fashion, and as the user's IP Address had made it onto that list, e-mail connections from the user's computer attempting to use the ISP's e-mail server were blocked. If the ISP offered a web-mail interface, that worked just fine, just not as convenient as using the user's own e-mail client.


Thank you, Wazoo!

The offending computer is currently at our website hosting company and they have been working on the problem since yesterday afternoon. Hopefully they will be able to debug the computer and things will run more smoothly.

> Thank you, Wazoo!
>
> The offending computer is currently at our website hosting company and they have been working on the problem since yesterday afternoon. Hopefully they will be able to debug the computer and things will run more smoothly.

Good Luck :)

> Thank you, Wazoo!

You are certainly welcome.

> The offending computer is currently at our website hosting company and they have been working on the problem since yesterday afternoon. Hopefully they will be able to debug the computer and things will run more smoothly.

This actually has a real scary sound to that description. On the other hand, someone has done something that put a halt to the spew.

http://www.senderbase.org/senderbase_queri...ing=74.7.166.13

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ...... 0.0 .. N/A

Last month .. 2.4

Please send a thanks to whomever did what was needed to stop this flow of spam. Much appreciated by everyone.
