aarnold, posted July 16, 2008:
It says I have to be an admin of Covad to delist. I do not have access to that. What should I do? Their IP is: 67.103.70.198
StevenUnderwood, posted July 16, 2008:
> It says I have to be an admin of Covad to delist. I do not have access to that. What should I do? Their IP is: 67.103.70.198

    There are no public reports in the last 90 days against this IP address.
    67.103.70.198 listed in bl.spamcop.net (127.0.0.2)
    If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 7 hours.
    Causes of listing
    System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

Have you fixed the source of the spamtrap hits? Otherwise, your delisting is likely to get undone quickly, and there is only one chance for that. Then you could:

1. Good: wait the current 7 hours for it to delist.
2. Better: contact Covad to immediately delist you.
3. Best: contact deputies[at]admin.spamcop.net. They will be able to tell you what kind of spamtrap traffic was being seen (Out of Office or some other automatic reply, misdirected bounces, or typical spam because of a corrupted machine) and if it has been continuing. If there are no recent spamtrap hits and you convince them you have fixed the problem, they can delist you immediately.

Good luck.

P.S. You may want to hold off on that delisting... if you follow the links to SenderBase information, you will see:

    Volume Statistics for this IP
                  Magnitude   Vol Change vs. Last Month
    Last day      3.5         1948%
    Last month    2.2

Is there a reason more than 3000 messages have been seen by the SenderBase network servers in the last day? You will need to explain that number before anyone believes you have fixed the issue.
aarnold (thread author), posted July 16, 2008:
There was a system on the network that was heavily infected; it has been removed. There's a good chance it was sending out bogus emails.
Wazoo, posted July 16, 2008:
> There was a system on the network that was heavily infected; it has been removed. There's a good chance it was sending out bogus emails.

It's been over a half-hour since Steven's post. SenderBase is showing something is still going strong.
http://www.senderbase.org/senderbase_queri...g=67.103.70.198

    Volume Statistics for this IP
                  Magnitude   Vol Change vs. Last Month
    Last day      3.5         1949%
    Last month    2.2

You didn't try to justify this much e-mail traffic, so it would appear that the problem isn't fixed yet.

h-67-103-70-198.lsanca54.covad.net .. is this really an e-mail server?
aarnold (thread author), posted July 16, 2008:
> It's been over a half-hour since Steven's post. SenderBase is showing something is still going strong.
> http://www.senderbase.org/senderbase_queri...g=67.103.70.198
>
>     Volume Statistics for this IP
>                   Magnitude   Vol Change vs. Last Month
>     Last day      3.5         1949%
>     Last month    2.2
>
> You didn't try to justify this much e-mail traffic, so it would appear that the problem isn't fixed yet.
> h-67-103-70-198.lsanca54.covad.net .. is this really an e-mail server?

It's showing 1945% on mine. We have no mail servers by that name.. Covad is our ISP for our T1 line.
StevenUnderwood, posted July 16, 2008:
> It's showing 1945% on mine. We have no mail servers by that name.. Covad is our ISP for our T1 line.

Mine too at the moment... 1945%.

If you do not have a mail server, then you should be using your ISP's mail server, as many systems will block your mail just because of that name.
aarnold (thread author), posted July 16, 2008:
> Mine too at the moment... 1945%.
> If you do not have a mail server, then you should be using your ISP's mail server, as many systems will block your mail just because of that name.

We have an Exchange server inside our LAN. We don't use Covad mail services.

BTW, I love your quote at the bottom.. hehe

So at this point I think I found the problem machine, which I took care of about 6 hours ago. SpamCop said they haven't had any more spam messages come in for close to 20 hours.. should I ask them to delist me now?
Merlyn, posted July 17, 2008:
It is still rising:

    67.103.70.198
    Last day      3.5    1947%
    Last month    2.2

A lot of junk spewing from that IP. Nothing has been fixed yet.

You were also in the CBL, but you requested removal:

    IP Address 67.103.70.198 is not currently listed in the CBL.
    It was previously listed, but was removed at 2008-07-16 18:56 GMT

You also just made it on NIXSPAM (automatically generated entries):

    ix.dnsbl.manitu.net -> 127.0.0.2
    Latest spam received via pk.netcologne.de at Wed, 16 Jul 2008 03:40:35 +0200, see http://www.dnsbl.manitu.net/lookup.php?value=67.103.70.198
    Microsoft Exchange Server
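The listings Steven and Merlyn quote (bl.spamcop.net and ix.dnsbl.manitu.net, both answering 127.0.0.2) can be checked the same way any DNSBL is: reverse the octets, append the zone, and look for an A record. The script below is an added example, not something posted in the thread; it takes a pluggable resolver so the constructed offline answers can be tested, and it flags answers outside 127.0.0.0/8, which usually mean a wildcarding resolver or a dead zone rather than a real listing.

```python
import socket
from typing import Callable, Dict, List, Optional

# Zones named in this thread; 127.0.0.2 is the "listed" answer both return.
DNSBL_ZONES = ("bl.spamcop.net", "ix.dnsbl.manitu.net")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name, e.g. 198.70.103.67.bl.spamcop.net."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name: str) -> Optional[str]:
    """Resolve with the OS resolver; NXDOMAIN (not listed) becomes None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_dnsbls(ip: str, zones=DNSBL_ZONES,
                 resolve: Callable[[str], Optional[str]] = system_resolver) -> Dict[str, Optional[str]]:
    """Return {zone: answer}: the A record ('127.0.0.2') or None when not listed.
    An answer outside 127.0.0.0/8 is not a listing and is marked 'unexpected:'."""
    results: Dict[str, Optional[str]] = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is not None and not answer.startswith("127."):
            answer = f"unexpected:{answer}"
        results[zone] = answer
    return results


def listed_zones(results: Dict[str, Optional[str]]) -> List[str]:
    """Zones that actually list the address (real 127.x answers only)."""
    return [z for z, a in results.items() if a is not None and a.startswith("127.")]


# Constructed offline answers mirroring the thread's state: listed in both zones.
FAKE_ANSWERS = {
    "198.70.103.67.bl.spamcop.net": "127.0.0.2",
    "198.70.103.67.ix.dnsbl.manitu.net": "127.0.0.2",
}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ANSWERS.get(name)


if __name__ == "__main__":
    print(listed_zones(check_dnsbls("67.103.70.198", resolve=fake_resolver)))
```

Swap `fake_resolver` for the default `system_resolver` to query the live zones; a not-listed address simply gets NXDOMAIN and shows as None.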
StevenUnderwood, posted July 17, 2008:
> SpamCop said they haven't had any more spam messages come in for close to 20 hours.. should I ask them to delist me now?

If you have been in contact with them, you should be asking them that question... as stated earlier, they are the only ones who can see what was going out. It is very strange to ONLY hit SpamCop traps and not see any SpamCop reports.
Wazoo, posted July 17, 2008:
> We have an Exchange server inside our LAN. We don't use Covad mail services.

Somewhat confusing. Does this e-mail server handle both incoming and outgoing? Is there actually an MX record for this server? Yet again, you've really not touched the "expected" traffic flow from this server if there is any outgoing ...????

> So at this point I think I found the problem machine, which I took care of about 6 hours ago. SpamCop said they haven't had any more spam messages come in for close to 20 hours.

Without your definition of 'expected' e-mail traffic, it's hard to analyze the SenderBase numbers from this side of the screen. Historically, if there was an infected/compromised machine that was the single source of a massive outbreak of spew, the numbers would normally have dropped dramatically over (your 6 hour reference, making it almost) 10 hours now.

http://spamcop.net/w3m?action=checkblock;ip=67.103.70.198

    67.103.70.198 listed in bl.spamcop.net (127.0.0.2)
    If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 1 hours.

    Volume Statistics for this IP
                  Magnitude   Vol Change vs. Last Month
    Last day      3.4         1382%
    Last month    2.2

Some dropage, but not what would be normally expected.
aarnold (thread author), posted July 17, 2008:
The client has been whitelisted, and SenderBase shows -1%, which is good.. this thread can be closed. Thanks for the help, guys!
Telarin, posted July 17, 2008:
One tip that might prevent this in the future. I am guessing from the information that you have given that your mail server and the workstations on your LAN all share the same public IP through some type of NAT-enabled router. If that is the case, consider configuring your router to block any outgoing traffic on port 25 that does not originate from your mail server. This will prevent infected machines on your network from sending email directly to the internet, and will generally prevent this type of problem in the future.
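Telarin's egress rule also gives you the detection that was missing in this thread: if the gateway logs what it drops, the infected workstation shows up as the host with many distinct port-25 destinations that is not the mail server. The script below is an added example, not from the thread; the internal addresses, the `EGRESS` log prefix and the netfilter-style `SRC=/DST=/PROTO=/DPT=` log format are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Assumed LAN layout: one Exchange host is the only legitimate port-25 sender.
# On a Linux gateway the equivalent of Telarin's advice would log and drop like
# this (assumed rules, not from the thread):
#   iptables -A FORWARD -p tcp --dport 25 ! -s 192.168.1.10 -j LOG --log-prefix "EGRESS "
#   iptables -A FORWARD -p tcp --dport 25 ! -s 192.168.1.10 -j DROP
MAIL_SERVER = "192.168.1.10"   # hypothetical internal address of the mail server
SMTP_PORT = 25

# Key=value fields as netfilter LOG writes them (SPT= is deliberately not matched).
_FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Extract the source, destination, protocol and destination port fields."""
    return {k: v for k, v in _FIELD.findall(line)}


def outbound_smtp_by_host(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each internal source to the external hosts it tried to reach on TCP/25."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        if f.get("PROTO") == "TCP" and f.get("DPT") == str(SMTP_PORT) and "SRC" in f and "DST" in f:
            seen[f["SRC"]].add(f["DST"])
    return dict(seen)


def rogue_smtp_senders(lines: Iterable[str], mail_server: str = MAIL_SERVER,
                       min_destinations: int = 1) -> List[str]:
    """Hosts other than the mail server that spoke to port 25, most destinations first."""
    by_host = outbound_smtp_by_host(lines)
    rogues = [(h, len(d)) for h, d in by_host.items() if h != mail_server and len(d) >= min_destinations]
    rogues.sort(key=lambda hd: (-hd[1], hd[0]))
    return [h for h, _ in rogues]


# Constructed sample log: the mail server relays normally, .57 sprays many hosts.
SAMPLE_LOG = [
    "Jul 16 10:01:02 gw kernel: EGRESS SRC=192.168.1.10 DST=203.0.113.25 PROTO=TCP SPT=4012 DPT=25",
    "Jul 16 10:01:03 gw kernel: EGRESS SRC=192.168.1.57 DST=198.51.100.5 PROTO=TCP SPT=1031 DPT=25",
    "Jul 16 10:01:03 gw kernel: EGRESS SRC=192.168.1.57 DST=198.51.100.6 PROTO=TCP SPT=1032 DPT=25",
    "Jul 16 10:01:04 gw kernel: EGRESS SRC=192.168.1.57 DST=198.51.100.7 PROTO=TCP SPT=1033 DPT=25",
    "Jul 16 10:01:05 gw kernel: EGRESS SRC=192.168.1.22 DST=203.0.113.80 PROTO=TCP SPT=2200 DPT=80",
    "Jul 16 10:01:06 gw kernel: EGRESS SRC=192.168.1.22 DST=198.51.100.9 PROTO=TCP SPT=2201 DPT=25",
    "Jul 16 10:01:07 gw kernel: EGRESS SRC=192.168.1.57 DST=198.51.100.5 PROTO=UDP SPT=1034 DPT=25",
]

if __name__ == "__main__":
    for host in rogue_smtp_senders(SAMPLE_LOG):
        print(host, "->", sorted(outbound_smtp_by_host(SAMPLE_LOG)[host]))
```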
Merlyn, posted July 17, 2008:
> One tip that might prevent this in the future. I am guessing from the information that you have given that your mail server and the workstations on your LAN all share the same public IP through some type of NAT-enabled router. If that is the case, consider configuring your router to block any outgoing traffic on port 25 that does not originate from your mail server. This will prevent infected machines on your network from sending email directly to the internet, and will generally prevent this type of problem in the future.

It looks like he has his Exchange server connected directly to the web:

    SMTP - 25
    220 xxxx.xxxx.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Thu, 17 Jul 2008 11:55:55 -0700
    POP3 - 110
    +OK Microsoft Exchange Server 2003 POP3 server version 6.5.7638.1 (xxxx.xxxx.com) ready.
    IMAP - 143
    * OK Microsoft Exchange Server 2003 IMAP4rev1 server version 6.5.7638.1 (xxxx.xxxx.com) ready.

He shut down the SMTP service yesterday and just turned it back on a while ago.
Telarin, posted July 17, 2008:
> It looks like he has his Exchange server connected directly to the web:
>
>     SMTP - 25
>     220 xxxx.xxxx.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.1830 ready at Thu, 17 Jul 2008 11:55:55 -0700
>     POP3 - 110
>     +OK Microsoft Exchange Server 2003 POP3 server version 6.5.7638.1 (xxxx.xxxx.com) ready.
>     IMAP - 143
>     * OK Microsoft Exchange Server 2003 IMAP4rev1 server version 6.5.7638.1 (xxxx.xxxx.com) ready.
>
> He shut down the SMTP service yesterday and just turned it back on a while ago.

There really wouldn't be a way to tell from outside if that Exchange server is sitting behind a NAT appliance with port forwarding enabled.
Merlyn, posted July 17, 2008:
> There really wouldn't be a way to tell from outside if that Exchange server is sitting behind a NAT appliance with port forwarding enabled.

True! Thanks.